Diffstat (limited to 'vespa-athenz')
4 files changed, 32 insertions, 34 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 7d4901f163a..dc82ed7fcb9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -24,7 +24,6 @@ import com.yahoo.vespa.athenz.client.zts.utils.IdentityCsrGenerator;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identity.ServiceIdentitySslSocketFactory;
 import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
-import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.ResponseHandler;
 import org.apache.http.client.config.RequestConfig;
@@ -40,7 +39,6 @@ import org.eclipse.jetty.http.HttpStatus;
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
-import javax.security.auth.x500.X500Principal;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.URI;
@@ -50,9 +48,6 @@ import java.time.Duration;
 import java.util.List;
 import java.util.function.Supplier;
-import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
-import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
 import static java.util.stream.Collectors.toList;
 /**
@@ -163,15 +158,7 @@ public class DefaultZtsClient implements ZtsClient {
     }
     @Override
-    public X509Certificate getRoleCertificate(AthenzRole role,
-                                              Duration expiry,
-                                              KeyPair keyPair,
-                                              String cloud) {
-        X500Principal principal = new X500Principal(String.format("cn=%s:role.%s", role.domain().getName(), role.roleName()));
-        Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
-                .addSubjectAlternativeName(DNS_NAME, String.format("%s.%s.%s", identity.getName(), identity.getDomainName().replace('.', '-'), cloud))
-                .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), cloud))
-                .build();
+    public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry) {
         RoleCertificateRequestEntity requestEntity = new RoleCertificateRequestEntity(csr, expiry);
         URI uri = ztsUrl.resolve(String.format("domain/%s/role/%s/token", role.domain().getName(), role.roleName()));
         HttpUriRequest request = RequestBuilder.post(uri)
@@ -184,10 +171,8 @@ public class DefaultZtsClient implements ZtsClient {
     }
     @Override
-    public X509Certificate getRoleCertificate(AthenzRole role,
-                                              KeyPair keyPair,
-                                              String cloud) {
-        return getRoleCertificate(role, null, keyPair, cloud);
+    public X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr) {
+        return getRoleCertificate(role, csr, null);
     }
     @Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 5c0e21bfa97..2ef6039ddc8 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
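Review bot: The new `getRoleCertificate(role, csr, expiry)` posts whatever CSR the caller supplies to `domain/<domain>/role/<role>/token` without checking that it is non-null or that its subject carries the `<domain>:role.<roleName>` CN the removed code used to construct, so the role-to-CSR pairing the client previously guaranteed is now entirely the caller's responsibility. At minimum add `Objects.requireNonNull(csr, "csr");` as the first statement, and if `Pkcs10Csr` exposes its subject, throw `IllegalArgumentException` when its CN is not `<domain>:role.<roleName>` so a mismatched CSR is caught before it reaches ZTS (whether ZTS itself rejects such a mismatch cannot be seen from here). The method body continues past the end of the hunk.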
@@ -1,7 +1,6 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.zts;
-import com.yahoo.athenz.zts.TenantDomains;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -84,27 +83,20 @@ public interface ZtsClient extends AutoCloseable {
      * Fetch role certificate for the target domain and role
      *
      * @param role Target role
+     * @param csr Certificate signing request matching role
      * @param expiry Certificate expiry
-     * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
-     * @param cloud The cloud suffix used in DNS SAN entries
      * @return A role certificate
      */
-    X509Certificate getRoleCertificate(AthenzRole role,
-                                       Duration expiry,
-                                       KeyPair keyPair,
-                                       String cloud);
+    X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry);
     /**
      * Fetch role certificate for the target domain and role
      *
      * @param role Target role
-     * @param keyPair Key pair which will be used to generate CSR (certificate signing request)
-     * @param cloud The cloud suffix used in DNS SAN entries
+     * @param csr Certificate signing request matching role
      * @return A role certificate
      */
-    X509Certificate getRoleCertificate(AthenzRole role,
-                                       KeyPair keyPair,
-                                       String cloud);
+    X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr);
     /**
      * For a given provider, get a list of tenant domains that the user is a member of
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
index 9b4bdd35e8e..00fb3f80bee 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
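Review bot: The new Javadoc `@param csr Certificate signing request matching role` leaves undefined what "matching" means, and that definition matters now that the interface no longer builds the CSR itself; the implementation this commit removes used a subject CN of `<domain>:role.<roleName>`. Suggest `@param csr Certificate signing request for the role; its subject CN must be <domain>:role.<roleName>, and the returned certificate binds the public key in the CSR, so the caller must hold the matching private key`. The two-argument overload should also state what expiry it asks for, e.g. `Fetch role certificate for the target domain and role without requesting a specific expiry` — the `DefaultZtsClient` implementation in this change forwards `null`.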
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImpl.java
@@ -22,6 +22,7 @@ import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identity.SiaIdentityProvider;
 import com.yahoo.security.KeyStoreType;
 import com.yahoo.security.SslContextBuilder;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
 import com.yahoo.vespa.athenz.utils.SiaUtils;
 import com.yahoo.vespa.defaults.Defaults;
@@ -69,6 +70,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
     private final LoadingCache<AthenzRole, SSLContext> roleSslContextCache;
     private final LoadingCache<AthenzRole, ZToken> roleSpecificRoleTokenCache;
     private final LoadingCache<AthenzDomain, ZToken> domainSpecificRoleTokenCache;
+    private final InstanceCsrGenerator instanceCsrGenerator;
     @Inject
     public AthenzIdentityProviderImpl(IdentityConfig config, Metric metric) {
@@ -100,6 +102,7 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
         roleSslContextCache = createCache(ROLE_SSL_CONTEXT_EXPIRY, this::createRoleSslContext);
         roleSpecificRoleTokenCache = createCache(ROLE_TOKEN_EXPIRY, this::createRoleToken);
         domainSpecificRoleTokenCache = createCache(ROLE_TOKEN_EXPIRY, this::createRoleToken);
+        this.instanceCsrGenerator = new InstanceCsrGenerator(config.athenzDnsSuffix(), config.configserverIdentityName());
         registerInstance();
     }
@@ -174,8 +177,9 @@ public final class AthenzIdentityProviderImpl extends AbstractComponent implemen
     }
     private SSLContext createRoleSslContext(AthenzRole role) {
+        Pkcs10Csr csr = instanceCsrGenerator.generateRoleCsr(identity, role, credentials.getIdentityDocument().providerUniqueId(), credentials.getKeyPair());
         try (ZtsClient client = createZtsClient()) {
-            X509Certificate roleCertificate = client.getRoleCertificate(role, credentials.getKeyPair(), dnsSuffix);
+            X509Certificate roleCertificate = client.getRoleCertificate(role, csr);
             return new SslContextBuilder()
                     .withKeyStore(credentials.getKeyPair().getPrivate(), roleCertificate)
                     .withTrustStore(getDefaultTrustStoreLocation().toPath(), KeyStoreType.JKS)
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
index cb97c4fb99c..6b6426c0bad 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/InstanceCsrGenerator.java
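Review bot: `credentials` is dereferenced three separate times in the new `createRoleSslContext` — for `providerUniqueId()` and the key pair handed to `generateRoleCsr` on the added line, then again for `getPrivate()` in `withKeyStore` — so if that field can be swapped by a credential refresh between the CSR line and the key-store line (not visible in this hunk), the certificate ZTS issues for one public key would be installed next to a different private key and every handshake through the cached SSLContext would fail. Read it once: `KeyPair keyPair = credentials.getKeyPair();` before the CSR, pass `keyPair` to `generateRoleCsr`, and use `keyPair.getPrivate()` in `withKeyStore`. The method continues past the end of the hunk.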
@@ -2,18 +2,20 @@
 package com.yahoo.vespa.athenz.identityprovider.client;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
 import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
-import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
 import com.yahoo.vespa.athenz.tls.SubjectAlternativeName;
 import javax.security.auth.x500.X500Principal;
 import java.security.KeyPair;
 import java.util.Set;
+import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
 import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
 import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.IP_ADDRESS;
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
 /**
  * Generates a {@link Pkcs10Csr} for an instance.
@@ -37,7 +39,7 @@ public class InstanceCsrGenerator {
         X500Principal subject = new X500Principal(String.format("OU=%s, CN=%s", providerService, instanceIdentity.getFullName()));
         // Add SAN dnsname <service>.<domain-with-dashes>.<provider-dnsname-suffix>
         // and SAN dnsname <provider-unique-instance-id>.instanceid.athenz.<provider-dnsname-suffix>
-        Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SignatureAlgorithm.SHA256_WITH_RSA)
+        Pkcs10CsrBuilder pkcs10CsrBuilder = Pkcs10CsrBuilder.fromKeypair(subject, keyPair, SHA256_WITH_RSA)
                 .addSubjectAlternativeName(
                         DNS_NAME,
                         String.format(
@@ -45,8 +47,23 @@ public class InstanceCsrGenerator {
                                 instanceIdentity.getName(),
                                 instanceIdentity.getDomainName().replace(".", "-"),
                                 dnsSuffix))
-                .addSubjectAlternativeName(DNS_NAME, String.format("%s.instanceid.athenz.%s", instanceId.asDottedString(), dnsSuffix));
+                .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId));
         ipAddresses.forEach(ip -> pkcs10CsrBuilder.addSubjectAlternativeName(new SubjectAlternativeName(IP_ADDRESS, ip)));
         return pkcs10CsrBuilder.build();
     }
+
+    public Pkcs10Csr generateRoleCsr(AthenzIdentity identity,
+                                    AthenzRole role,
+                                    VespaUniqueInstanceId instanceId,
+                                    KeyPair keyPair) {
+        X500Principal principal = new X500Principal(String.format("OU=%s, cn=%s:role.%s", providerService, role.domain().getName(), role.roleName()));
+        return Pkcs10CsrBuilder.fromKeypair(principal, keyPair, SHA256_WITH_RSA)
+                .addSubjectAlternativeName(DNS_NAME, getIdentitySAN(instanceId))
+                .addSubjectAlternativeName(RFC822_NAME, String.format("%s.%s@%s", identity.getDomainName(), identity.getName(), dnsSuffix))
+                .build();
+    }
+
+    private String getIdentitySAN(VespaUniqueInstanceId instanceId) {
+        return String.format("%s.instanceid.athenz.%s", instanceId.asDottedString(), dnsSuffix);
+    }
 }
|
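Review bot: `generateRoleCsr` builds its subject by formatting `role.domain().getName()` and `role.roleName()` into an RFC 2253 string that `X500Principal(String)` then parses, so a domain or role name containing `,`, `+`, `=`, `"` or `;` would either throw `IllegalArgumentException` or be split into additional RDNs instead of staying inside the CN; the instance CSR above has the same shape, but this method adds a second caller-influenced value. If Athenz role and domain names are not already guaranteed free of those characters by the time they reach this class, reject them here (or escape per RFC 2253) before formatting. Separately, the new subject uses `cn=` where `generateInstanceCsr` uses `CN=` — `X500Principal` treats both the same, but `CN=` keeps the two subjects visibly consistent. The new public method also lacks the Javadoc this file uses elsewhere; a one-liner such as `/** Generates a CSR for a role certificate: subject OU=<providerService>, CN=<domain>:role.<role>, with the instance-id DNS SAN and an RFC822 SAN of <identity domain>.<identity name>@<dnsSuffix>. */` would do.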