Diffstat (limited to 'athenz-identity-provider-service/src/main')
4 files changed, 23 insertions, 53 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
index da16bfe3c24..31e1a8519f4 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/AthenzSslKeyStoreConfigurator.java
@@ -5,6 +5,7 @@ import com.google.inject.Inject;
 import com.yahoo.cloud.config.ConfigserverConfig;
 import com.yahoo.component.AbstractComponent;
 import com.yahoo.config.provision.Zone;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.jdisc.http.ssl.SslKeyStoreConfigurator;
 import com.yahoo.jdisc.http.ssl.SslKeyStoreContext;
 import com.yahoo.log.LogLevel;
@@ -57,13 +58,14 @@ public class AthenzSslKeyStoreConfigurator extends AbstractComponent implements
     private volatile KeyStore currentKeyStore;
 
     @Inject
-    public AthenzSslKeyStoreConfigurator(KeyProvider keyProvider,
+    public AthenzSslKeyStoreConfigurator(AthenzIdentityProvider bootstrapIdentity,
+                                         KeyProvider keyProvider,
                                          AthenzProviderServiceConfig config,
                                          Zone zone,
                                          ConfigserverConfig configserverConfig) {
         AthenzProviderServiceConfig.Zones zoneConfig = getZoneConfig(config, zone);
         Path keystoreCachePath = createKeystoreCachePath(configserverConfig);
-        AthenzCertificateClient certificateClient = new AthenzCertificateClient(config, zoneConfig);
+        AthenzCertificateClient certificateClient = new AthenzCertificateClient(bootstrapIdentity, zoneConfig);
         Duration updatePeriod = Duration.ofDays(config.updatePeriodDays());
         this.certificateClient = certificateClient;
         this.keyProvider = keyProvider;
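Review bot: In the constructor hunk (@@ -57,13 +58,14 @@) the new `bootstrapIdentity` parameter is handed straight to `new AthenzCertificateClient(bootstrapIdentity, zoneConfig)` without a null check, and judging by the AthenzCertificateClient hunk below it is only dereferenced later via `getIdentitySslContext()`, so a missing injection would surface on the first certificate refresh instead of at component construction. A fail-fast `Objects.requireNonNull(bootstrapIdentity, "bootstrapIdentity");` as the first statement of the constructor avoids that (add `java.util.Objects` to the import hunk if it is not already imported). The parameter's role is also not obvious from its name; a comment on it such as `// TLS identity that authenticates the instance-refresh call to ZTS` would help the next reader. The constructor body continues outside the hunk.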
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 4dd6881c07e..e3a937919fe 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -23,26 +23,17 @@ public class IdentityDocumentGenerator {
     private final NodeRepository nodeRepository;
     private final Zone zone;
     private final KeyProvider keyProvider;
-    private final String dnsSuffix;
-    private final String providerService;
-    private final String ztsUrl;
-    private final String providerDomain;
-    private final int signingSecretVersion;
+    private final AthenzProviderServiceConfig.Zones zoneConfig;
 
     @Inject
     public IdentityDocumentGenerator(AthenzProviderServiceConfig config,
                                      NodeRepository nodeRepository,
                                      Zone zone,
                                      KeyProvider keyProvider) {
-        AthenzProviderServiceConfig.Zones zoneConfig = Utils.getZoneConfig(config, zone);
+        this.zoneConfig = Utils.getZoneConfig(config, zone);
         this.nodeRepository = nodeRepository;
         this.zone = zone;
         this.keyProvider = keyProvider;
-        this.dnsSuffix = config.certDnsSuffix();
-        this.providerService = zoneConfig.serviceName();
-        this.ztsUrl = config.ztsUrl();
-        this.providerDomain = zoneConfig.domain();
-        this.signingSecretVersion = zoneConfig.secretVersion();
     }
 
     public SignedIdentityDocument generateSignedIdentityDocument(String hostname) {
@@ -55,7 +46,7 @@ public class IdentityDocumentGenerator {
                     Base64.getEncoder().encodeToString(identityDocumentString.getBytes());
             Signature sigGenerator = Signature.getInstance("SHA512withRSA");
-            PrivateKey privateKey = keyProvider.getPrivateKey(signingSecretVersion);
+            PrivateKey privateKey = keyProvider.getPrivateKey(zoneConfig.secretVersion());
             sigGenerator.initSign(privateKey);
             sigGenerator.update(encodedIdentityDocument.getBytes());
             String signature = Base64.getEncoder().encodeToString(sigGenerator.sign());
@@ -65,9 +56,9 @@ public class IdentityDocumentGenerator {
                     signature,
                     SignedIdentityDocument.DEFAULT_KEY_VERSION,
                     identityDocument.providerUniqueId.asString(),
-                    toZoneDnsSuffix(zone, dnsSuffix),
-                    providerDomain + "." + providerService,
-                    ztsUrl,
+                    toZoneDnsSuffix(zone, zoneConfig.certDnsSuffix()),
+                    zoneConfig.domain() + "." + zoneConfig.serviceName(),
+                    zoneConfig.ztsUrl(),
                     SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION);
         } catch (Exception e) {
             throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e);
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
index c849de481dc..ca5c776bf3c 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/impl/AthenzCertificateClient.java
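Review bot: The signing key is now selected with `keyProvider.getPrivateKey(zoneConfig.secretVersion())` (hunk @@ -55,7 +46,7 @@) while the document emitted in @@ -65,9 +56,9 @@ still advertises `SignedIdentityDocument.DEFAULT_KEY_VERSION`; unless that constant is guaranteed to equal the configured secret version, a verifier that trusts the advertised version will fetch the wrong public key and reject every document, and a key rotation via config would silently break verification. Passing `zoneConfig.secretVersion()` where the constant is passed (if the field's type permits), or at least a comment next to the constant stating why the two are expected to agree, would keep the signed document self-describing. This mismatch predates the commit, but the commit rewrites both lines. The enclosing `generateSignedIdentityDocument` starts and ends outside these hunks.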
@@ -1,60 +1,40 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.athenz.instanceproviderservice.impl;
 
-import com.yahoo.athenz.auth.impl.PrincipalAuthority;
-import com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider;
 import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.athenz.zts.InstanceRefreshRequest;
 import com.yahoo.athenz.zts.ZTSClient;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
 
+import javax.net.ssl.SSLContext;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
-import java.time.temporal.ChronoUnit;
-import java.time.temporal.TemporalAmount;
-import java.util.concurrent.TimeUnit;
 
 /**
  * @author bjorncs
  */
 public class AthenzCertificateClient {
 
-    private final AthenzProviderServiceConfig config;
-    private final AthenzPrincipalAuthority authority;
     private final AthenzProviderServiceConfig.Zones zoneConfig;
+    private final AthenzIdentityProvider bootstrapIdentity;
 
-    public AthenzCertificateClient(AthenzProviderServiceConfig config, AthenzProviderServiceConfig.Zones zoneConfig) {
-        this.config = config;
-        this.authority = new AthenzPrincipalAuthority(config.athenzPrincipalHeaderName());
+    public AthenzCertificateClient(AthenzIdentityProvider bootstrapIdentity,
+                                   AthenzProviderServiceConfig.Zones zoneConfig) {
+        this.bootstrapIdentity = bootstrapIdentity;
         this.zoneConfig = zoneConfig;
     }
 
     public X509Certificate updateCertificate(PrivateKey privateKey) {
-        SimpleServiceIdentityProvider identityProvider = new SimpleServiceIdentityProvider(
-                authority, zoneConfig.domain(), zoneConfig.serviceName(),
-                privateKey, Integer.toString(zoneConfig.secretVersion()), TimeUnit.MINUTES.toSeconds(10));
-        ZTSClient ztsClient = new ZTSClient(
-                config.ztsUrl(), zoneConfig.domain(), zoneConfig.serviceName(), identityProvider);
+        SSLContext bootstrapSslContext = bootstrapIdentity.getIdentitySslContext();
+        ZTSClient ztsClient = new ZTSClient(zoneConfig.ztsUrl(), bootstrapSslContext);
         InstanceRefreshRequest req = ZTSClient.generateInstanceRefreshRequest(
-                zoneConfig.domain(), zoneConfig.serviceName(), privateKey,
-                config.certDnsSuffix(), /*expiryTime*/0);
+                zoneConfig.domain(), zoneConfig.serviceName(), privateKey, zoneConfig.certDnsSuffix(), /*expiryTime*/0);
+        req.setKeyId(Integer.toString(zoneConfig.secretVersion()));
         String pemEncoded = ztsClient.postInstanceRefreshRequest(zoneConfig.domain(), zoneConfig.serviceName(), req)
                 .getCertificate();
         return Crypto.loadX509Certificate(pemEncoded);
     }
 
-    private static class AthenzPrincipalAuthority extends PrincipalAuthority {
-        private final String headerName;
-
-        public AthenzPrincipalAuthority(String headerName) {
-            this.headerName = headerName;
-        }
-
-        @Override
-        public String getHeader() {
-            return headerName;
-        }
-    }
-
 }
diff --git a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
index d3f758a2240..281db6fb43d 100644
--- a/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
+++ b/athenz-identity-provider-service/src/main/resources/configdefinitions/athenz-provider-service.def
@@ -13,14 +13,11 @@ zones{}.secretName string
 # Secret version
 zones{}.secretVersion int
 
-# Athenz principal authority header name
-athenzPrincipalHeaderName string default="Athenz-Principal-Auth"
+# Certificate DNS suffix
+zones{}.certDnsSuffix string
 
 # Athenz ZTS server url
-ztsUrl string
-
-# Certificate DNS suffix
-certDnsSuffix string
+zones{}.ztsUrl string
 
 # Path to Athenz CA JKS trust store
 athenzCaTrustStore string |
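Review bot: `ZTSClient ztsClient = new ZTSClient(zoneConfig.ztsUrl(), bootstrapSslContext);` in `updateCertificate` creates a new client on every refresh and never closes it; the Athenz `ZTSClient` implements `Closeable` and owns an HTTP client, so each periodic refresh leaks connection resources until GC (the replaced code had the same shape, but the line is rewritten here). Wrapping the body from the client construction through the `return` in `try (ZTSClient ztsClient = new ZTSClient(zoneConfig.ztsUrl(), bootstrapSslContext)) { … }` bounds the lifetime to the call. The carried-over `/*expiryTime*/0` argument would also benefit from a short comment on what 0 means to ZTS (presumably the server-side default lifetime — please confirm), since the refreshed certificate's validity is what the key-store update period depends on. Separately, `req.setKeyId(Integer.toString(zoneConfig.secretVersion()))` ties the request to the configured key version; a one-line comment saying the key id must match the public key registered for this service in Athenz would explain why the version comes from config rather than from the key itself.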