Diffstat (limited to 'controller-server')
4 files changed, 21 insertions, 15 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/DeploymentMetricsMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/DeploymentMetricsMaintainer.java
index c48f6a34441..322c78aa7c1 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/DeploymentMetricsMaintainer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/DeploymentMetricsMaintainer.java
@@ -25,8 +25,8 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 /**
- * Retrieve deployment metrics such as QPS and document count from the metric service and
- * update applications with this info.
+ * Retrieves deployment metrics such as QPS and document count from the metric service and
+ * updates applications with this info.
 *
 * @author smorgrav
 * @author mpolden
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/controller/DecryptionTokenResealer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/controller/DecryptionTokenResealer.java
index 7addf83c67c..b3d966d20c9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/controller/DecryptionTokenResealer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/controller/DecryptionTokenResealer.java
@@ -21,17 +21,18 @@ import static com.yahoo.vespa.hosted.controller.restapi.controller.RequestUtils.
 class DecryptionTokenResealer {
 private static int checkKeyNameAndExtractVersion(KeyId tokenKeyId, String expectedKeyName) {
- String[] components = tokenKeyId.asString().split("\\.");
- if (components.length != 2) {
+ String keyStr = tokenKeyId.asString();
+ int versionSepIdx = keyStr.lastIndexOf('.');
+ if (versionSepIdx == -1) {
 throw new IllegalArgumentException("Key ID is not of the form 'name.version'");
 }
- String keyName = components[0];
+ String keyName = keyStr.substring(0, versionSepIdx);
 if (!expectedKeyName.equals(keyName)) {
 throw new IllegalArgumentException("Token is not generated for the expected key");
 }
 int keyVersion;
 try {
- keyVersion = Integer.parseInt(components[1]);
+ keyVersion = Integer.parseInt(keyStr.substring(versionSepIdx + 1));
 } catch (IllegalArgumentException e) {
 throw new IllegalArgumentException("Key version is not a valid integer");
 }
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
index 48f9d46fefb..7522f42f91b 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
@@ -63,7 +63,7 @@ public class ControllerContainerTest {
 </rotations>
 </config>
 <config name="vespa.hosted.controller.config.core-dump-token-resealing">
- <resealingPrivateKeyName>a-really-cool-key</resealingPrivateKeyName>
+ <resealingPrivateKeyName>a.really.cool.key</resealingPrivateKeyName>
 </config>
 <accesslog type='disabled'/>
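Review bot: In `checkKeyNameAndExtractVersion`, the version is now whatever follows the last `.`, and `Integer.parseInt` accepts more than plain ASCII digits there: a leading `+` and non-ASCII decimal digits both parse, so several different key ID strings from a user-supplied token resolve to the same version. The tests in this commit cover an empty suffix, `123asdf`, `-123` and an overflowing value, but not `+123`. If the key ID is meant to have one canonical spelling, reject anything but ASCII digits before parsing, e.g. `if (!versionStr.matches("[0-9]+")) throw new IllegalArgumentException("Key version is not a valid integer");` with `versionStr` holding the substring; that would change the message currently asserted for `-123`. A one-line comment such as `// Key names may contain '.', so only the last separator delimits the version` would also record why `lastIndexOf` is used. The method continues past the end of the hunk, so any range check on the parsed value is not visible here.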
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/ControllerApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/ControllerApiTest.java index a4b18a06fb8..e3a0684771c 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/ControllerApiTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/ControllerApiTest.java @@ -220,11 +220,11 @@ public class ControllerApiTest extends ControllerContainerTest { @Test void decryption_token_reseal_request_succeeds_when_matching_versioned_key_found() { - var reqData = createResealingRequestData("a-really-cool-key.123"); // Must match key name in config + var reqData = createResealingRequestData("a.really.cool.key.123"); // Must match key name in config var secret = hex(reqData.originalSecretSharedKey.secretKey().getEncoded()); var secretStore = (SecretStoreMock)tester.controller().secretStore(); - secretStore.setSecret("a-really-cool-key", KeyUtils.toBase58EncodedX25519PrivateKey((XECPrivateKey)reqData.originalReceiverKeyPair.getPrivate()), 123); + secretStore.setSecret("a.really.cool.key", KeyUtils.toBase58EncodedX25519PrivateKey((XECPrivateKey)reqData.originalReceiverKeyPair.getPrivate()), 123); tester.assertResponse( () -> operatorRequest("http://localhost:8080/controller/v1/access/cores/reseal", requestJsonOf(reqData), Request.Method.POST), 
@@ -238,7 +238,7 @@ public class ControllerApiTest extends ControllerContainerTest { @Test void decryption_token_reseal_request_fails_when_unexpected_key_name_is_supplied() { - var reqData = createResealingRequestData("a-really-cool-but-non-existing-key.123"); + var reqData = createResealingRequestData("a.really.cool.but.non.existing.key.123"); tester.assertResponse( () -> operatorRequest("http://localhost:8080/controller/v1/access/cores/reseal", requestJsonOf(reqData), Request.Method.POST), "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Token is not generated for the expected key\"}", @@ -247,10 +247,10 @@ public class ControllerApiTest extends ControllerContainerTest { @Test void secret_key_lookup_does_not_use_key_id_provided_in_user_supplied_token() { - var reqData = createResealingRequestData("a-sneaky-key.123"); + var reqData = createResealingRequestData("a.sneaky.key.123"); var secretStore = (SecretStoreMock)tester.controller().secretStore(); // Token key ID is technically valid, but should not be used. Only config should be obeyed. - secretStore.setSecret("a-sneaky-key", KeyUtils.toBase58EncodedX25519PrivateKey((XECPrivateKey)reqData.originalReceiverKeyPair.getPrivate()), 123); + secretStore.setSecret("a.sneaky.key", KeyUtils.toBase58EncodedX25519PrivateKey((XECPrivateKey)reqData.originalReceiverKeyPair.getPrivate()), 123); tester.assertResponse( () -> operatorRequest("http://localhost:8080/controller/v1/access/cores/reseal", requestJsonOf(reqData), Request.Method.POST), 
@@ -281,17 +281,22 @@ public class ControllerApiTest extends ControllerContainerTest {
 400);
 tester.assertResponse(
 () -> operatorRequest("http://localhost:8080/controller/v1/access/cores/reseal",
- requestJsonOf(createResealingRequestData("a-really-cool-key.123asdf")), Request.Method.POST),
+ requestJsonOf(createResealingRequestData("a.really.cool.key.123asdf")), Request.Method.POST),
 "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Key version is not a valid integer\"}",
 400);
 tester.assertResponse(
 () -> operatorRequest("http://localhost:8080/controller/v1/access/cores/reseal",
- requestJsonOf(createResealingRequestData("a-really-cool-key.-123")), Request.Method.POST),
+ requestJsonOf(createResealingRequestData("a.really.cool.key.")), Request.Method.POST),
+ "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Key version is not a valid integer\"}",
+ 400);
+ tester.assertResponse(
+ () -> operatorRequest("http://localhost:8080/controller/v1/access/cores/reseal",
+ requestJsonOf(createResealingRequestData("a.really.cool.key.-123")), Request.Method.POST),
 "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Key version is out of range\"}",
 400);
 tester.assertResponse(
 () -> operatorRequest("http://localhost:8080/controller/v1/access/cores/reseal",
- requestJsonOf(createResealingRequestData("a-really-cool-key.%d".formatted((long)Integer.MAX_VALUE + 1))), Request.Method.POST),
+ requestJsonOf(createResealingRequestData("a.really.cool.key.%d".formatted((long)Integer.MAX_VALUE + 1))), Request.Method.POST),
 "{\"error-code\":\"BAD_REQUEST\",\"message\":\"Key version is not a valid integer\"}",
 400);
 } |
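Review bot: None of the cases visible in this hunk pins the boundary the new last-dot split introduces, a key ID whose name part is the configured name plus one more dotted component. With the resealer change, `a.really.cool.key.1.23` (constructed example) is split into name `a.really.cool.key.1` and version `23`, so the expected response would be the `Token is not generated for the expected key` error rather than the form error the old two-component check produced. Adding one `tester.assertResponse` for that input alongside the others would keep a later change to the split from silently treating a longer name as a match. The test method starts above the hunk, so an earlier case may already cover this.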