diff options
Diffstat (limited to 'athenz-identity-provider-service')
3 files changed, 55 insertions, 1 deletions
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java index 4c71cb7855d..5c93bf423d3 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceConfirmationResource.java @@ -16,7 +16,7 @@ import java.util.logging.Logger; /** * @author bjorncs */ -@Path("/{path: instance|refresh}") +@Path("/instance") public class InstanceConfirmationResource { private static final Logger log = Logger.getLogger(InstanceConfirmationResource.class.getName()); diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java new file mode 100644 index 00000000000..a88bfbc15e6 --- /dev/null +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceRefreshResource.java @@ -0,0 +1,43 @@ +// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmation; + +import com.google.inject.Inject; +import com.yahoo.container.jaxrs.annotation.Component; +import com.yahoo.log.LogLevel; + +import javax.ws.rs.Consumes; +import javax.ws.rs.ForbiddenException; +import javax.ws.rs.POST; +import javax.ws.rs.Path; +import javax.ws.rs.Produces; +import javax.ws.rs.core.MediaType; +import java.util.logging.Logger; + +/** + * ZTS calls this resource when it's requested to refresh an instance certificate + * + * @author bjorncs + */ +@Path("/refresh") +public class InstanceRefreshResource { + + private static final Logger log = Logger.getLogger(InstanceRefreshResource.class.getName()); + + private final InstanceValidator instanceValidator; + + @Inject + public InstanceRefreshResource(@Component InstanceValidator instanceValidator) { + this.instanceValidator = instanceValidator; + } + + @POST + @Consumes(MediaType.APPLICATION_JSON) + @Produces(MediaType.APPLICATION_JSON) + public InstanceConfirmation confirmInstanceRefresh(InstanceConfirmation instanceConfirmation) { + if (!instanceValidator.isValidRefresh(instanceConfirmation)) { + log.log(LogLevel.ERROR, "Invalid instance refresh: " + instanceConfirmation); + throw new ForbiddenException("Instance is invalid"); + } + return instanceConfirmation; + } +} diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java index b75f7d05394..dcaf50c1c04 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java @@ -61,6 +61,17 @@ public class InstanceValidator { return false; } + // TODO Add actual validation. Cannot reuse isValidInstance as identity document is not part of the refresh request. + // We'll have to perform some validation on the instance id and other fields of the attribute map. + // Separate between tenant and node certificate as well. + public boolean isValidRefresh(InstanceConfirmation confirmation) { + log.log(LogLevel.INFO, () -> String.format("Accepting refresh for instance with identity '%s', provider '%s', instanceId '%s'.", + new AthenzService(confirmation.domain, confirmation.service).getFullName(), + confirmation.provider, + confirmation.attributes.get("sanDNS").toString())); + return true; + } + // If/when we dont care about logging exactly whats wrong, this can be simplified // TODO Use identity type to determine if this check should be performed boolean isSameIdentityAsInServicesXml(ApplicationId applicationId, String domain, String service) { |