-rw-r--r--athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java3
-rw-r--r--athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java10
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java34
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java16
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java34
6 files changed, 80 insertions, 19 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 01b797a54a5..a5f143fe50a 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -87,7 +87,8 @@ public class IdentityDocumentGenerator {
providerUniqueId,
HostName.getLocalhost(),
node.hostname(),
- Instant.now());
+ Instant.now(),
+ node.ipAddresses());
}
private static String toZoneDnsSuffix(Zone zone, String dnsSuffix) {
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
index 091d309a593..1400dd3e338 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation;
import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.ImmutableSet;
import com.yahoo.config.model.api.ApplicationInfo;
import com.yahoo.config.model.api.HostInfo;
import com.yahoo.config.model.api.Model;
@@ -9,12 +10,12 @@ import com.yahoo.config.model.api.ServiceInfo;
import com.yahoo.config.model.api.SuperModel;
import com.yahoo.config.model.api.SuperModelProvider;
import com.yahoo.config.provision.ApplicationId;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.AutoGeneratedKeyProvider;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider;
-import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.ProviderUniqueId;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocument;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.AutoGeneratedKeyProvider;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl.Utils;
import org.junit.Test;
import java.net.URI;
@@ -121,7 +122,8 @@ public class InstanceValidatorTest {
"environment", "region", applicationId.instance().value(), "cluster-id", 0),
"hostname",
"instance-hostname",
- Instant.now());
+ Instant.now(),
+ ImmutableSet.of("127.0.0.1", "::1"));
try {
ObjectMapper mapper = Utils.getMapper();
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
index 0224761fad8..127a9de16ca 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocument.java
@@ -1,14 +1,17 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.time.Instant;
import java.util.Objects;
+import java.util.Set;
/**
* @author bjorncs
*/
+@JsonIgnoreProperties(ignoreUnknown = true)
public class IdentityDocument {
@JsonProperty("provider-unique-id")
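Review bot: The new `@JsonIgnoreProperties(ignoreUnknown = true)` on IdentityDocument carries no comment saying why unknown properties are now tolerated, and the same annotation is added without explanation to SignedIdentityDocument in the `@@ -16,6 +17,7 @@` hunk of the next file. Presumably the intent is that a reader on an older version can still parse documents that carry newer fields such as `ip-addresses`; that is worth stating, because the annotation also hides a misspelled property name from the round-trip test. A one-line comment above the annotation, `// Tolerate fields added in newer versions so mixed-version readers can still parse the document`, would cover both classes.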
@@ -19,41 +22,50 @@ public class IdentityDocument {
public final String instanceHostname;
@JsonProperty("created-at")
public final Instant createdAt;
+ @JsonProperty("ip-addresses")
+ public final Set<String> ipAddresses;
public IdentityDocument(
@JsonProperty("provider-unique-id") ProviderUniqueId providerUniqueId,
@JsonProperty("configserver-hostname") String configServerHostname,
@JsonProperty("instance-hostname") String instanceHostname,
- @JsonProperty("created-at") Instant createdAt) {
+ @JsonProperty("created-at") Instant createdAt,
+ @JsonProperty("ip-addresses") Set<String> ipAddresses) {
this.providerUniqueId = providerUniqueId;
this.configServerHostname = configServerHostname;
this.instanceHostname = instanceHostname;
this.createdAt = createdAt;
+ this.ipAddresses = ipAddresses;
}
+
@Override
public String toString() {
return "IdentityDocument{" +
- "providerUniqueId=" + providerUniqueId +
- ", configServerHostname='" + configServerHostname + '\'' +
- ", instanceHostname='" + instanceHostname + '\'' +
- ", createdAt=" + createdAt +
- '}';
+ "providerUniqueId=" + providerUniqueId +
+ ", configServerHostname='" + configServerHostname + '\'' +
+ ", instanceHostname='" + instanceHostname + '\'' +
+ ", createdAt=" + createdAt +
+ ", ipAddresses=" + ipAddresses +
+ '}';
}
+
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
IdentityDocument that = (IdentityDocument) o;
- return Objects.equals(providerUniqueId, that.providerUniqueId) &&
- Objects.equals(configServerHostname, that.configServerHostname) &&
- Objects.equals(instanceHostname, that.instanceHostname) &&
- Objects.equals(createdAt, that.createdAt);
+ return Objects.equals(providerUniqueId, that.providerUniqueId) &&
+ Objects.equals(configServerHostname, that.configServerHostname) &&
+ Objects.equals(instanceHostname, that.instanceHostname) &&
+ Objects.equals(createdAt, that.createdAt) &&
+ Objects.equals(ipAddresses, that.ipAddresses);
}
@Override
public int hashCode() {
- return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt);
+
+ return Objects.hash(providerUniqueId, configServerHostname, instanceHostname, createdAt, ipAddresses);
}
}
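Review bot: The constructor stores the caller's `ipAddresses` set by reference, and `equals`/`hashCode` and the serialized form now depend on it, so a mutable set passed in can change the document's identity after construction; every other field here is an immutable value. The field can also be null when the JSON lacks the property, which the `ipAddresses != null` guard in AthenzCredentialsService anticipates, so a copy that preserves null keeps behaviour while closing the hole: `this.ipAddresses = ipAddresses == null ? null : Collections.unmodifiableSet(new HashSet<>(ipAddresses));` (needs `java.util.Collections` and `java.util.HashSet` imports). The field should document this, e.g. `// May be null for documents issued before ip-addresses was added`. The blank line inserted inside `hashCode()` before the `return` looks accidental.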
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
index f03fb01c671..6ddbb4af620 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocument.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.athenz.identityprovider.api.bindings;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
@@ -16,6 +17,7 @@ import java.util.Objects;
/**
* @author bjorncs
*/
+@JsonIgnoreProperties(ignoreUnknown = true)
public class SignedIdentityDocument {
public static final int DEFAULT_KEY_VERSION = 0;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index e221ad792b3..f355f96124b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -10,6 +10,7 @@ import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrUtils;
import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
+import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
import javax.security.auth.x500.X500Principal;
import java.io.IOException;
@@ -17,6 +18,9 @@ import java.io.UncheckedIOException;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Clock;
+import java.util.Set;
+
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
/**
* @author bjorncs
@@ -48,6 +52,7 @@ class AthenzCredentialsService {
identityConfig.service(),
document.dnsSuffix,
document.providerUniqueId,
+ document.identityDocument.ipAddresses,
keyPair);
InstanceRegisterInformation instanceRegisterInformation =
new InstanceRegisterInformation(document.providerService,
@@ -67,6 +72,7 @@ class AthenzCredentialsService {
identityConfig.service(),
document.dnsSuffix,
document.providerUniqueId,
+ document.identityDocument.ipAddresses,
newKeyPair);
InstanceRefreshInformation refreshInfo = new InstanceRefreshInformation(Pkcs10CsrUtils.toPem(csr));
InstanceIdentity instanceIdentity =
@@ -101,18 +107,22 @@ class AthenzCredentialsService {
String identityService,
String dnsSuffix,
String providerUniqueId,
+ Set<String> ipAddresses,
KeyPair keyPair) {
X500Principal subject = new X500Principal(String.format("CN=%s.%s", identityDomain, identityService));
// Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
// and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
- return Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+ Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
.addSubjectAlternativeName(String.format("%s.%s.%s",
identityService,
identityDomain.replace(".", "-"),
dnsSuffix))
.addSubjectAlternativeName(String.format("%s.instanceid.athenz.%s",
providerUniqueId,
- dnsSuffix))
- .build();
+ dnsSuffix));
+ if(ipAddresses != null) {
+ ipAddresses.forEach(ipaddress -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ipaddress)));
+ }
+ return pkcs10CsrBuilder.build();
}
}
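Review bot: The comment above the builder still describes only the two dnsname SANs, while the new code also adds one IP-address SAN per entry of `ipAddresses`; extend it, e.g. `// and SAN ipaddress for each entry of ipAddresses (null when the document predates the field)`. Two style nits in the added lines: `if(ipAddresses != null)` should read `if (ipAddresses != null)`, and the lambda parameter `ipaddress` should be `ipAddress`. Nothing in this hunk checks that the entries parse as addresses before `new SubjectAlternativeName(IP_ADDRESS, ...)`; whether that constructor validates its input is not visible here, so if it does not, a malformed entry in the document would only surface when the CSR is built. The method's signature begins outside the hunk.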
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java
new file mode 100644
index 00000000000..cfc6e33b911
--- /dev/null
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/api/bindings/IdentityDocumentTest.java
@@ -0,0 +1,34 @@
+package com.yahoo.vespa.athenz.api.bindings;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.google.common.collect.ImmutableSet;
+import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.ProviderUniqueId;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.time.Instant;
+
+import static org.junit.Assert.assertEquals;
+
+public class IdentityDocumentTest {
+
+ @Test
+ public void test_serialization_deserialization() throws IOException {
+ IdentityDocument document = new IdentityDocument(
+ ProviderUniqueId.fromVespaUniqueInstanceId(
+ VespaUniqueInstanceId.fromDottedString("1.clusterId.instance.application.tenant.region.environment")),
+ "cfg.prod.xyz",
+ "foo.bar",
+ Instant.now(),
+ ImmutableSet.of("127.0.0.1", "::1"));
+
+ ObjectMapper mapper = new ObjectMapper();
+ mapper.registerModule(new JavaTimeModule());
+ String documentString = mapper.writeValueAsString(document);
+ IdentityDocument deserializedDocument = mapper.readValue(documentString, IdentityDocument.class);
+ assertEquals(document, deserializedDocument);
+ }
+}
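Review bot: The new test only round-trips a document that carries `ip-addresses`; the case the `@JsonIgnoreProperties` annotation and the `ipAddresses != null` guard in AthenzCredentialsService exist for — a document without the property — is not covered, and neither is a document with an unknown property. A second test that removes `ip-addresses` from the serialized tree and asserts the document still deserializes with a null `ipAddresses` would pin that behaviour (it needs an import of `com.fasterxml.jackson.databind.node.ObjectNode`).
```java
    @Test
    public void document_without_ip_addresses_deserializes() throws IOException {
        // … unchanged: build `document` and `mapper` exactly as in test_serialization_deserialization …
        ObjectNode tree = (ObjectNode) mapper.readTree(mapper.writeValueAsString(document));
        tree.remove("ip-addresses");
        IdentityDocument deserializedDocument = mapper.treeToValue(tree, IdentityDocument.class);
        assertEquals(null, deserializedDocument.ipAddresses);
        assertEquals(document.instanceHostname, deserializedDocument.instanceHostname);
    }
```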