From 149dac45cedc22a5a7e0dfdcc402cd1780c141ae Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Thu, 3 Oct 2019 14:04:24 +0200
Subject: Support internal zts
---
 .../maintenance/identity/AthenzCredentialsMaintainer.java | 13 +++++++++++--
 .../com/yahoo/vespa/athenz/client/common/ClientBase.java | 9 +++++----
 .../com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java | 3 +--
 .../com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java | 13 +++++++++----
 4 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index 865bcc61837..058317ffd25 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -27,6 +27,7 @@ import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.FileFinder;
 import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath;
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import java.io.IOException;
 import java.io.UncheckedIOException;
@@ -68,6 +69,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 private final ServiceIdentityProvider hostIdentityProvider;
 private final IdentityDocumentClient identityDocumentClient;
 private final CsrGenerator csrGenerator;
+ private final boolean useInternalZts;
 // Used as an optimization to ensure ZTS is not DDoS'ed on continuously failing refresh attempts
 private final Map lastRefreshAttempt = new ConcurrentHashMap<>();
@@ -76,7 +78,8 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 Path trustStorePath,
 ConfigServerInfo configServerInfo,
 String certificateDnsSuffix,
- ServiceIdentityProvider hostIdentityProvider) {
+ ServiceIdentityProvider hostIdentityProvider,
+ boolean useInternalZts) {
 this.ztsEndpoint = ztsEndpoint;
 this.trustStorePath = trustStorePath;
 this.configserverIdentity = configServerInfo.getConfigServerIdentity();
@@ -87,6 +90,7 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 hostIdentityProvider,
 new AthenzIdentityVerifier(singleton(configserverIdentity)));
 this.clock = Clock.systemUTC();
+ this.useInternalZts = useInternalZts;
 }
 public boolean converge(NodeAgentContext context) {
@@ -157,7 +161,12 @@ public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
 SignedIdentityDocument signedIdentityDocument = identityDocumentClient.getNodeIdentityDocument(context.hostname().value());
 Pkcs10Csr csr = csrGenerator.generateInstanceCsr(
 context.identity(), signedIdentityDocument.providerUniqueId(), signedIdentityDocument.ipAddresses(), keyPair);
- try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider)) {
+
+ // Set up a hostname verified for zts if this is configured to use the config server (internal zts) apis
+ HostnameVerifier ztsHostNameVerifier = useInternalZts
+ ? new AthenzIdentityVerifier(singleton(configserverIdentity))
+ : null;
+ try (ZtsClient ztsClient = new DefaultZtsClient(ztsEndpoint, hostIdentityProvider, ztsHostNameVerifier)) {
 InstanceIdentity instanceIdentity = ztsClient.registerInstance(
 configserverIdentity,
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
index bda7e41c19b..4cc92828b0e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
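Review bot: The comment added above the verifier setup in the @@ -157 hunk reads `hostname verified` where `hostname verifier` is meant, and it does not say what the `null` branch means for the connection. The removed line in ClientBase shows the socket factory was until now always built with `(HostnameVerifier)null`, so `null` here keeps exactly the verification the ZTS client had before this commit; suggested wording: `// Set up a hostname verifier for zts if this is configured to use the config server (internal zts) apis; null keeps the verification behaviour the client had before this change`. The enclosing method starts and ends outside the hunk.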
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
@@ -36,9 +36,10 @@ public abstract class ClientBase implements AutoCloseable {
 protected ClientBase(String userAgent,
 Supplier sslContextSupplier,
- ClientExceptionFactory exceptionFactory) {
+ ClientExceptionFactory exceptionFactory,
+ HostnameVerifier hostnameVerifier) {
 this.exceptionFactory = exceptionFactory;
- this.client = createHttpClient(userAgent, sslContextSupplier);
+ this.client = createHttpClient(userAgent, sslContextSupplier, hostnameVerifier);
 }
 protected T execute(HttpUriRequest request, ResponseHandler responseHandler) {
@@ -74,11 +75,11 @@ public abstract class ClientBase implements AutoCloseable {
 return statusCode>=200 && statusCode<300;
 }
- private static CloseableHttpClient createHttpClient(String userAgent, Supplier sslContextSupplier) {
+ private static CloseableHttpClient createHttpClient(String userAgent, Supplier sslContextSupplier, HostnameVerifier hostnameVerifier) {
 return HttpClientBuilder.create()
 .setRetryHandler(new DefaultHttpRequestRetryHandler(3, /*requestSentRetryEnabled*/true))
 .setUserAgent(userAgent)
- .setSSLSocketFactory(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(sslContextSupplier), (HostnameVerifier)null))
+ .setSSLSocketFactory(new SSLConnectionSocketFactory(new ServiceIdentitySslSocketFactory(sslContextSupplier), hostnameVerifier))
 .setDefaultRequestConfig(RequestConfig.custom()
 .setConnectTimeout((int) Duration.ofSeconds(10).toMillis())
 .setConnectionRequestTimeout((int)Duration.ofSeconds(10).toMillis())
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index da3bd18440b..7b5427216a1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
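Review bot: The new `hostnameVerifier` parameter of the ClientBase constructor is nullable (DefaultZmsClient and two DefaultZtsClient constructors pass `null`) but neither the constructor nor `createHttpClient` documents that, nor what `null` does to TLS peer verification. The removed line shows the socket factory was previously always created with `(HostnameVerifier)null`, so `null` preserves the pre-existing behaviour, and the constructor should say so, e.g. `@param hostnameVerifier verifier applied to the TLS peer of every request, or null to keep the verification behaviour the client had before this parameter was added`. I believe Apache's SSLConnectionSocketFactory substitutes its own default verifier for `null` rather than disabling verification, but that is worth confirming and recording next to the parameter, because a reader of `(HostnameVerifier)null` will otherwise assume the opposite. The body of `createHttpClient` continues past the second hunk.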
@@ -5,7 +5,6 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
-import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
 import com.yahoo.vespa.athenz.client.common.ClientBase;
 import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
@@ -45,7 +44,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 }
 private DefaultZmsClient(URI zmsUrl, AthenzIdentity identity, Supplier sslContextSupplier) {
- super("vespa-zms-client", sslContextSupplier, ZmsClientException::new);
+ super("vespa-zms-client", sslContextSupplier, ZmsClientException::new, null);
 this.zmsUrl = addTrailingSlash(zmsUrl);
 this.identity = identity;
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 8bd0d0b50d4..6c0348d7aa9 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -26,6 +26,7 @@ import org.apache.http.HttpResponse;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.methods.RequestBuilder;
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 import java.io.IOException;
 import java.net.URI;
@@ -49,15 +50,19 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 private final URI ztsUrl;
 public DefaultZtsClient(URI ztsUrl, SSLContext sslContext) {
- this(ztsUrl, () -> sslContext);
+ this(ztsUrl, () -> sslContext, null);
 }
 public DefaultZtsClient(URI ztsUrl, ServiceIdentityProvider identityProvider) {
- this(ztsUrl, identityProvider::getIdentitySslContext);
+ this(ztsUrl, identityProvider::getIdentitySslContext, null);
 }
- private DefaultZtsClient(URI ztsUrl, Supplier sslContextSupplier) {
- super("vespa-zts-client", sslContextSupplier, ZtsClientException::new);
+ public DefaultZtsClient(URI ztsUrl, ServiceIdentityProvider identityProvider, HostnameVerifier hostnameVerifier) {
+ this(ztsUrl, identityProvider::getIdentitySslContext, null);
+ }
+
+ private DefaultZtsClient(URI ztsUrl, Supplier sslContextSupplier, HostnameVerifier hostnameVerifier) {
+ super("vespa-zts-client", sslContextSupplier, ZtsClientException::new, hostnameVerifier);
 this.ztsUrl = addTrailingSlash(ztsUrl);
 }
--
cgit v1.2.3
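Review bot: The new public constructor `DefaultZtsClient(URI, ServiceIdentityProvider, HostnameVerifier)` discards its `hostnameVerifier` argument and delegates with `null`, so the `AthenzIdentityVerifier` that AthenzCredentialsMaintainer builds for the internal ZTS case (the @@ -157 hunk in that file) never reaches ClientBase and the peer of the config-server-hosted ZTS endpoint is not checked against the expected identity as this commit intends. The delegation should read `this(ztsUrl, identityProvider::getIdentitySslContext, hostnameVerifier);`. Since the three-argument call compiles either way, a test that constructs the client with a verifier rejecting the peer and asserts that `registerInstance` fails would catch this regression. A one-line Javadoc on the public constructor stating that `null` keeps the previous verification behaviour would also help, given that the two older constructors now pass `null` explicitly.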