aboutsummaryrefslogtreecommitdiffstats
path: root/vespa-athenz/src/main/java/com/yahoo
diff options
context:
space:
mode:
Diffstat (limited to 'vespa-athenz/src/main/java/com/yahoo')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AccessTokenResponseEntity.java5
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java34
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java10
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java6
5 files changed, 29 insertions, 28 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AccessTokenResponseEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AccessTokenResponseEntity.java
index a3063524b93..785c215df18 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AccessTokenResponseEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AccessTokenResponseEntity.java
@@ -9,6 +9,7 @@ import com.yahoo.vespa.athenz.api.AthenzRole;
import java.time.Instant;
import java.util.List;
+import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
@@ -19,6 +20,7 @@ import java.util.stream.Stream;
public class AccessTokenResponseEntity {
private final AthenzAccessToken accessToken;
private final Instant expiryTime;
+ // roles can be null (not set in the json response)
private final List<AthenzRole> roles;
public AccessTokenResponseEntity(
@@ -29,7 +31,8 @@ public class AccessTokenResponseEntity {
this.accessToken = new AthenzAccessToken(accessToken);
// We do not know from when, so best we can do is assume now ...
this.expiryTime = Instant.now().plusSeconds(expiresIn);
- this.roles = Stream.of(roles.split(" "))
+ this.roles = Optional.ofNullable(roles).stream()
+ .flatMap(r -> Stream.of(r.split(" ")))
.map(AthenzResourceName::fromString)
.map(AthenzRole::fromResourceName)
.toList();
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index 2c8908a89a6..085e9973cab 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -42,28 +42,25 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
this(new AthenzService(config.athenzDomain(), config.athenzService()),
SiaUtils.getPrivateKeyFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())),
SiaUtils.getCertificateFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())),
- Paths.get(config.trustStorePath()), config.publicSystem());
+ Paths.get(config.trustStorePath()));
}
public SiaIdentityProvider(AthenzIdentity service,
Path siaPath,
- Path clientTruststoreFile,
- boolean publicSystem) {
+ Path clientTruststoreFile) {
this(service,
SiaUtils.getPrivateKeyFile(siaPath, service),
SiaUtils.getCertificateFile(siaPath, service),
- clientTruststoreFile,
- publicSystem);
+ clientTruststoreFile);
}
public SiaIdentityProvider(AthenzIdentity service,
Path privateKeyFile,
Path certificateFile,
- Path clientTruststoreFile,
- boolean publicSystem) {
+ Path clientTruststoreFile) {
this.service = service;
this.keyManager = AutoReloadingX509KeyManager.fromPemFiles(privateKeyFile, certificateFile);
- this.sslContext = createIdentitySslContext(keyManager, clientTruststoreFile, publicSystem);
+ this.sslContext = createIdentitySslContext(keyManager, clientTruststoreFile);
this.certificateFile = certificateFile;
this.privateKeyFile = privateKeyFile;
}
@@ -83,26 +80,23 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
@Override public Path privateKeyPath() { return privateKeyFile; }
public SSLContext createIdentitySslContextWithTrustStore(Path trustStoreFile) {
- return createIdentitySslContext(keyManager, trustStoreFile, false);
+ return createIdentitySslContext(keyManager, trustStoreFile);
}
/**
* Create an SSL context with the given trust store and the key manager from this provider.
- * If the {code includeDefaultTruststore} is true, the default trust store will be included.
+ * Include default trust store
*
* @param keyManager the key manager
* @param trustStoreFile the trust store file
- * @param includeDefaultTruststore whether to include the default trust store
*/
- private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile, boolean includeDefaultTruststore) {
- List<X509Certificate> defaultTrustStore = List.of();
- if (includeDefaultTruststore) {
- try {
- // load the default java trust store and extract the certificates
- defaultTrustStore = Stream.of(TrustManagerUtils.createDefaultX509TrustManager().getAcceptedIssuers()).toList();
- } catch (Exception e) {
- throw new RuntimeException("Failed to load default trust store", e);
- }
+ private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile) {
+ List<X509Certificate> defaultTrustStore;
+ try {
+ // load the default java trust store and extract the certificates
+ defaultTrustStore = Stream.of(TrustManagerUtils.createDefaultX509TrustManager().getAcceptedIssuers()).toList();
+ } catch (Exception e) {
+ throw new RuntimeException("Failed to load default trust store", e);
}
try {
List<X509Certificate> caCertList = Stream.concat(
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java
index 34324ef18e6..c00149e0e4b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java
@@ -362,7 +362,7 @@ public final class LegacyAthenzIdentityProviderImpl extends AbstractComponent im
private static SiaIdentityProvider createNodeIdentityProvider(IdentityConfig config) {
return new SiaIdentityProvider(
- new AthenzService(config.nodeIdentityName()), SiaUtils.DEFAULT_SIA_DIRECTORY, CLIENT_TRUST_STORE, false);
+ new AthenzService(config.nodeIdentityName()), SiaUtils.DEFAULT_SIA_DIRECTORY, CLIENT_TRUST_STORE);
}
private boolean isExpired(AthenzCredentials credentials) {
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
index cc4711c2056..f3cebd5256e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/tls/AthenzX509CertificateUtils.java
@@ -68,12 +68,16 @@ public class AthenzX509CertificateUtils {
/** @return Athenz unique instance id from the Subject Alternative Name extension */
public static Optional<String> getInstanceId(List<SubjectAlternativeName> sans) {
// Prefer instance id from SAN URI over the legacy DNS entry
- return getAthenzUniqueInstanceIdFromSanUri(sans)
+ return getLastSegmentFromSanUri(sans, "athenz://instanceid/")
.or(() -> getAthenzUniqueInstanceIdFromSanDns(sans));
}
- private static Optional<String> getAthenzUniqueInstanceIdFromSanUri(List<SubjectAlternativeName> sans) {
- String uriPrefix = "athenz://instanceid/";
+ /** @return Athenz unique instance name from the Subject Alternative Name extension */
+ public static Optional<String> getInstanceName(List<SubjectAlternativeName> sans) {
+ return getLastSegmentFromSanUri(sans, "athenz://instancename/");
+ }
+
+ private static Optional<String> getLastSegmentFromSanUri(List<SubjectAlternativeName> sans, String uriPrefix) {
return sans.stream()
.filter(san -> {
if (san.getType() != Type.URI) return false;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
index af0da93edc3..56e64b2261d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/utils/SiaUtils.java
@@ -1,10 +1,10 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.utils;
-import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzService;
import java.io.IOException;
import java.io.UncheckedIOException;
@@ -132,7 +132,7 @@ public class SiaUtils {
try (DirectoryStream<Path> directoryStream = Files.newDirectoryStream(keysDirectory)) {
return StreamSupport.stream(directoryStream.spliterator(), false)
.map(path -> path.getFileName().toString())
- .filter(fileName -> fileName.endsWith(keyFileSuffix))
+ .filter(fileName -> fileName.endsWith(keyFileSuffix) && ! fileName.contains(":role."))
.map(fileName -> fileName.substring(0, fileName.length() - keyFileSuffix.length()))
.map(AthenzService::new)
.collect(toList());