Diffstat (limited to 'athenz-identity-provider-service/src')
3 files changed, 22 insertions, 16 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index 28b6c6c0939..ca1697c7bb1 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -2,8 +2,6 @@ package com.yahoo.vespa.hosted.ca.restapi;
 import com.google.inject.Inject;
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.config.provision.Zone;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
 import com.yahoo.container.jdisc.LoggingRequestHandler;
@@ -15,6 +13,7 @@ import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.slime.Slime;
 import com.yahoo.vespa.config.SlimeUtils;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
 import com.yahoo.vespa.hosted.ca.Certificates;
 import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
 import com.yahoo.yolean.Exceptions;
@@ -42,18 +41,20 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 private final SecretStore secretStore;
 private final Certificates certificates;
- private final SystemName system;
+ private final String caPrivateKeySecretName;
+ private final String caCertificateSecretName;
 @Inject
- public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Zone zone) {
- this(ctx, secretStore, new Certificates(Clock.systemUTC()), zone.system());
+ public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ this(ctx, secretStore, new Certificates(Clock.systemUTC()), athenzProviderServiceConfig);
 }
- CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, SystemName system) {
+ CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, AthenzProviderServiceConfig athenzProviderServiceConfig) {
 super(ctx);
 this.secretStore = secretStore;
 this.certificates = certificates;
- this.system = system;
+ this.caPrivateKeySecretName = athenzProviderServiceConfig.secretName();
+ this.caCertificateSecretName = athenzProviderServiceConfig.domain() + ".ca.cert";
 }
 @Override
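Review bot: The two new fields are derived asymmetrically — `caPrivateKeySecretName` is taken verbatim from `secretName()` while `caCertificateSecretName` is composed as `domain() + ".ca.cert"` — and nothing in the constructor documents or checks that these two secrets must hold a matching key pair. Javadoc on the fields would make the contract explicit, e.g. `/** Secret holding the CA private key; must pair with the certificate in {@link #caCertificateSecretName}. */` and `/** Secret holding the CA certificate, named by convention as "&lt;domain&gt;.ca.cert". */`, and `Objects.requireNonNull(athenzProviderServiceConfig.secretName(), "secretName")` would fail fast on an incomplete config instead of at the first certificate request. The same config also carries a `secretVersion` (set to 0 in the ContainerTester hunk) that the handler never reads; if the secret store supports versioned lookup the private key should presumably be fetched at that version, otherwise a comment should state that the latest version is used.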
@@ -101,14 +102,12 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 /** Returns CA certificate from secret store */
 private X509Certificate caCertificate() {
- var keyName = String.format("vespa.external.%s.configserver.ca.cert.cert", system.value().toLowerCase());
- return X509CertificateUtils.fromPem(secretStore.getSecret(keyName));
+ return X509CertificateUtils.fromPem(secretStore.getSecret(caCertificateSecretName));
 }
 /** Returns CA private key from secret store */
 private PrivateKey caPrivateKey() {
- var keyName = String.format("vespa.external.%s.configserver.ca.key.key", system.value().toLowerCase());
- return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(keyName));
+ return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(caPrivateKeySecretName));
 }
 private static <T> T deserializeRequest(HttpRequest request, Function<Slime, T> serializer) {
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
index a1d708a1107..8e4605499f7 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
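Review bot: `caCertificate()` and `caPrivateKey()` now resolve two independently configured secrets, but nothing verifies that the loaded private key belongs to the public key in the CA certificate; a wrong `secretName` would produce certificates signed by a key the CA certificate does not vouch for, and that only surfaces later as verification failures at the clients. A one-time consistency check when both are first loaded — comparing `caCertificate().getPublicKey()` with the public key derived from the private key if KeyUtils can derive one, or else a sign/verify round-trip — would turn the misconfiguration into a clear startup error. The Javadoc on both methods should also name which configured secret is read, e.g. `/** Returns the CA certificate from the secret named "&lt;domain&gt;.ca.cert" in the secret store */` and `/** Returns the CA private key from the secret named by the configured secretName */`. deserializeRequest's body continues outside the hunk.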
@@ -98,8 +98,8 @@ public class CertificateAuthorityApiTest extends ContainerTester {
 var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 var caCertificatePem = X509CertificateUtils.toPem(CertificateTester.createCertificate("Vespa CA", keyPair));
 var privateKeyPem = KeyUtils.toPem(keyPair.getPrivate());
- secretStore().setSecret("vespa.external.main.configserver.ca.cert.cert", caCertificatePem) .setSecret("vespa.external.main.configserver.ca.key.key", privateKeyPem);
+ secretStore().setSecret("vespa.external.ca.cert", caCertificatePem) .setSecret("secretname", privateKeyPem);
 }
 private void assertIdentityResponse(Request request) {
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
index 2ca45cf7e56..139314b0f86 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
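Review bot: The secret names `"vespa.external.ca.cert"` and `"secretname"` are restated here as literals that must agree with `<domain>vespa.external</domain>` and `<secretName>secretname</secretName>` in the ContainerTester hunk; if either side is edited the test fails with a missing-secret error rather than something that points at the mismatch. Declaring them once in ContainerTester, `static final String DOMAIN = "vespa.external";` and `static final String SECRET_NAME = "secretname";`, and building both the XML and these `setSecret` calls from them removes the duplication. Deriving the certificate secret as `DOMAIN + ".ca.cert"` in the test would also mirror how the handler constructs the name instead of spelling the convention out by hand.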
@@ -56,9 +56,16 @@ public class ContainerTester {
 return "<container version='1.0'>\n" +
 " <config name=\"container.handler.threadpool\">\n" +
 " <maxthreads>10</maxthreads>\n" +
- " </config> \n" +
- " <component id='com.yahoo.vespa.hosted.provision.testutils.MockNodeFlavors'/>\n" +
- " <component id='com.yahoo.config.provision.Zone'/>\n" +
+ " </config>\n" +
+ " <config name='vespa.hosted.athenz.instanceproviderservice.config.athenz-provider-service'>\n" +
+ " <athenzCaTrustStore>/path/to/file</athenzCaTrustStore>\n" +
+ " <domain>vespa.external</domain>\n" +
+ " <serviceName>servicename</serviceName>\n" +
+ " <secretName>secretname</secretName>\n" +
+ " <secretVersion>0</secretVersion>\n" +
+ " <certDnsSuffix>suffix</certDnsSuffix>\n" +
+ " <ztsUrl>https://localhost:123/</ztsUrl>\n" +
+ " </config>\n" +
 " <component id='com.yahoo.vespa.hosted.ca.restapi.mock.SecretStoreMock'/>\n" +
 " <handler id='com.yahoo.vespa.hosted.ca.restapi.CertificateAuthorityApiHandler'>\n" +
 " <binding>http://*/ca/v1/*</binding>\n" + |