diff options
Diffstat (limited to 'vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java index 813941ac9b2..ce0743021ff 100644 --- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java +++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java @@ -16,12 +16,15 @@ import com.yahoo.vespa.athenz.api.AthenzRole; import com.yahoo.vespa.athenz.api.AthenzService; import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider; import com.yahoo.vespa.athenz.identity.ServiceIdentityProviderListenerHelper; +import com.yahoo.vespa.athenz.identity.SiaIdentityProvider; import com.yahoo.vespa.athenz.tls.KeyStoreType; import com.yahoo.vespa.athenz.tls.SslContextBuilder; +import com.yahoo.vespa.athenz.utils.SiaUtils; import com.yahoo.vespa.defaults.Defaults; import javax.net.ssl.SSLContext; import java.io.File; +import java.net.URI; import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.time.Clock; @@ -55,24 +58,26 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen private final Clock clock; private final AthenzService identity; private final ServiceIdentityProviderListenerHelper listenerHelper; + private final String dnsSuffix; + private final URI ztsEndpoint; private final LoadingCache<AthenzRole, SSLContext> roleSslContextCache; private final static Duration roleSslContextExpiry = Duration.ofHours(24); - // TODO IdentityConfig should contain ZTS uri and dns suffix @Inject public AthenzIdentityProviderImpl(IdentityConfig config, Metric metric) { this(config, metric, new AthenzCredentialsService(config, - new IdentityDocumentClient(config.loadBalancerAddress()), - new ZtsClient(), - getDefaultTrustStoreLocation()), + createNodeIdentityProvider(config), + getDefaultTrustStoreLocation(), + Defaults.getDefaults().vespaHostname()), new ScheduledThreadPoolExecutor(1), Clock.systemUTC()); } // Test only + AthenzIdentityProviderImpl(IdentityConfig config, Metric metric, AthenzCredentialsService athenzCredentialsService, @@ -84,6 +89,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen this.clock = clock; this.identity = new AthenzService(config.domain(), config.service()); this.listenerHelper = new ServiceIdentityProviderListenerHelper(this.identity); + this.dnsSuffix = config.athenzDnsSuffix(); + this.ztsEndpoint = URI.create(config.ztsUrl()); registerInstance(); roleSslContextCache = CacheBuilder.newBuilder() .refreshAfterWrite(roleSslContextExpiry.dividedBy(2).toMinutes(), TimeUnit.MINUTES) @@ -150,8 +157,8 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen PrivateKey privateKey = credentials.getKeyPair().getPrivate(); X509Certificate roleCertificate = ztsClient.getRoleCertificate( role, - credentials.getIdentityDocument().dnsSuffix(), - credentials.getIdentityDocument().ztsEndpoint(), + dnsSuffix, + ztsEndpoint, identity, privateKey, credentials.getIdentitySslContext()); @@ -166,7 +173,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen return ztsClient .getRoleToken( new AthenzDomain(domain), - credentials.getIdentityDocument().ztsEndpoint(), + ztsEndpoint, credentials.getIdentitySslContext()) .getRawToken(); } @@ -177,7 +184,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen .getRoleToken( new AthenzDomain(domain), role, - credentials.getIdentityDocument().ztsEndpoint(), + ztsEndpoint, credentials.getIdentitySslContext()) .getRawToken(); } @@ -193,6 +200,11 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen } } + private static SiaIdentityProvider createNodeIdentityProvider(IdentityConfig config) { + return new SiaIdentityProvider( + new AthenzService(config.nodeIdentityName()), SiaUtils.DEFAULT_SIA_DIRECTORY, getDefaultTrustStoreLocation()); + } + private static File getDefaultTrustStoreLocation() { return new File(Defaults.getDefaults().underVespaHome("share/ssl/certs/yahoo_certificate_bundle.jks")); } |