From 1954ef4d591876623799907b5260fbf9573a28b8 Mon Sep 17 00:00:00 2001 From: Morten Tokle Date: Tue, 24 Oct 2017 12:38:03 +0200 Subject: Export AthenzIdentityProvider --- .../jdisc/athenz/AthenzIdentityProvider.java | 6 +++ .../container/jdisc/athenz/AthenzService.java | 44 ----------------- .../container/jdisc/athenz/InstanceIdentity.java | 55 ---------------------- .../jdisc/athenz/InstanceRegisterInformation.java | 38 --------------- .../container/jdisc/athenz/ServiceProviderApi.java | 46 ------------------ .../container/jdisc/athenz/impl/AthenzService.java | 42 +++++++++++++++++ .../jdisc/athenz/impl/InstanceIdentity.java | 55 ++++++++++++++++++++++ .../athenz/impl/InstanceRegisterInformation.java | 38 +++++++++++++++ .../jdisc/athenz/impl/ServiceProviderApi.java | 44 +++++++++++++++++ .../yahoo/container/jdisc/athenz/package-info.java | 9 ++++ .../jdisc/athenz/AthenzIdentityProviderTest.java | 5 +- 11 files changed, 198 insertions(+), 184 deletions(-) delete mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java delete mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java delete mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceRegisterInformation.java delete mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/ServiceProviderApi.java create mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java create mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java create mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java create mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java create mode 100644 container-disc/src/main/java/com/yahoo/container/jdisc/athenz/package-info.java diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java index 45b08c74688..63b0accbdd2 100644 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProvider.java @@ -2,11 +2,16 @@ package com.yahoo.container.jdisc.athenz; import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.common.annotations.Beta; import com.google.inject.Inject; import com.yahoo.athenz.auth.util.Crypto; import com.yahoo.cloud.config.ConfigserverConfig; import com.yahoo.component.AbstractComponent; import com.yahoo.container.core.identity.IdentityConfig; +import com.yahoo.container.jdisc.athenz.impl.AthenzService; +import com.yahoo.container.jdisc.athenz.impl.InstanceIdentity; +import com.yahoo.container.jdisc.athenz.impl.InstanceRegisterInformation; +import com.yahoo.container.jdisc.athenz.impl.ServiceProviderApi; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.operator.OperatorCreationException; @@ -18,6 +23,7 @@ import java.security.NoSuchAlgorithmException; /** * @author mortent */ +@Beta public final class AthenzIdentityProvider extends AbstractComponent { private InstanceIdentity instanceIdentity; diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java deleted file mode 100644 index 06dd698988a..00000000000 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/AthenzService.java +++ /dev/null @@ -1,44 +0,0 @@ -package com.yahoo.container.jdisc.athenz; - -import com.fasterxml.jackson.databind.ObjectMapper; -import org.apache.http.client.methods.CloseableHttpResponse; -import org.apache.http.client.methods.HttpUriRequest; -import org.apache.http.client.methods.RequestBuilder; -import org.apache.http.entity.ContentType; -import org.apache.http.entity.StringEntity; -import org.apache.http.impl.client.CloseableHttpClient; -import org.apache.http.impl.client.HttpClientBuilder; -import org.apache.http.util.EntityUtils; -import org.eclipse.jetty.http.HttpStatus; - -import java.io.IOException; - -/** - * @author mortent - */ -public class AthenzService { - - /** - * Send instance register request to ZTS, get InstanceIdentity - */ - InstanceIdentity sendInstanceRegisterRequest(InstanceRegisterInformation instanceRegisterInformation, String athenzUrl) { - try(CloseableHttpClient client = HttpClientBuilder.create().build()) { - ObjectMapper objectMapper = new ObjectMapper(); - System.out.println(objectMapper.writeValueAsString(instanceRegisterInformation)); - HttpUriRequest postRequest = RequestBuilder.post() - .setUri(athenzUrl + "/instance") - .setEntity(new StringEntity(objectMapper.writeValueAsString(instanceRegisterInformation), ContentType.APPLICATION_JSON)) - .build(); - CloseableHttpResponse response = client.execute(postRequest); - if(HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) { - return objectMapper.readValue(response.getEntity().getContent(), InstanceIdentity.class); - } else { - String s = EntityUtils.toString(response.getEntity()); - System.out.println("s = " + s); - throw new RuntimeException(response.toString()); - } - } catch (IOException e) { - throw new RuntimeException(e); - } - } -} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java deleted file mode 100644 index 45ef4c68d8e..00000000000 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceIdentity.java +++ /dev/null @@ -1,55 +0,0 @@ -package com.yahoo.container.jdisc.athenz; - -import com.fasterxml.jackson.annotation.JsonIgnoreProperties; -import com.fasterxml.jackson.annotation.JsonInclude; -import com.fasterxml.jackson.annotation.JsonProperty; - -import java.util.Map; - -/** - * Used for deserializing response from ZTS - * - * @author mortent - */ -@JsonIgnoreProperties(ignoreUnknown = true) -@JsonInclude(JsonInclude.Include.NON_NULL) -class InstanceIdentity { - @JsonProperty("attributes") private final Map attributes; - @JsonProperty("provider") private final String provider; - @JsonProperty("name") private final String name; - @JsonProperty("instanceId") private final String instanceId; - @JsonProperty("x509Certificate") private final String x509Certificate; - @JsonProperty("x509CertificateSigner") private final String x509CertificateSigner; - @JsonProperty("sshCertificate") private final String sshCertificate; - @JsonProperty("sshCertificateSigner") private final String sshCertificateSigner; - @JsonProperty("serviceToken") private final String serviceToken; - - public InstanceIdentity( - @JsonProperty("attributes") Map attributes, - @JsonProperty("provider") String provider, - @JsonProperty("name") String name, - @JsonProperty("instanceId") String instanceId, - @JsonProperty("x509Certificate") String x509Certificate, - @JsonProperty("x509CertificateSigner") String x509CertificateSigner, - @JsonProperty("sshCertificate") String sshCertificate, - @JsonProperty("sshCertificateSigner") String sshCertificateSigner, - @JsonProperty("serviceToken") String serviceToken) { - this.attributes = attributes; - this.provider = provider; - this.name = name; - this.instanceId = instanceId; - this.x509Certificate = x509Certificate; - this.x509CertificateSigner = x509CertificateSigner; - this.sshCertificate = sshCertificate; - this.sshCertificateSigner = sshCertificateSigner; - this.serviceToken = serviceToken; - } - - String getX509Certificate() { - return x509Certificate; - } - - String getServiceToken() { - return serviceToken; - } -} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceRegisterInformation.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceRegisterInformation.java deleted file mode 100644 index 2fa3c598c58..00000000000 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/InstanceRegisterInformation.java +++ /dev/null @@ -1,38 +0,0 @@ -package com.yahoo.container.jdisc.athenz; - -import com.fasterxml.jackson.annotation.JsonIgnoreProperties; -import com.fasterxml.jackson.annotation.JsonInclude; -import com.fasterxml.jackson.annotation.JsonProperty; - -/** - * Used for serializing request to ZTS - * - * @author mortent - */ -@JsonIgnoreProperties(ignoreUnknown = true) -@JsonInclude(JsonInclude.Include.NON_NULL) -class InstanceRegisterInformation { - @JsonProperty("provider") - private final String provider; - @JsonProperty("domain") - private final String domain; - @JsonProperty("service") - private final String service; - @JsonProperty("attestationData") - private final String attestationData; - @JsonProperty("ssh") - private final String ssh = null; // Not needed - @JsonProperty("csr") - private final String csr; - @JsonProperty("token") - private final boolean token; - - public InstanceRegisterInformation(String provider, String domain, String service, String attestationData, String csr, boolean token) { - this.provider = provider; - this.domain = domain; - this.service = service; - this.attestationData = attestationData; - this.csr = csr; - this.token = token; - } -} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/ServiceProviderApi.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/ServiceProviderApi.java deleted file mode 100644 index 74e3cfa4a89..00000000000 --- a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/ServiceProviderApi.java +++ /dev/null @@ -1,46 +0,0 @@ -package com.yahoo.container.jdisc.athenz; - -import org.apache.http.client.methods.CloseableHttpResponse; -import org.apache.http.client.methods.RequestBuilder; -import org.apache.http.impl.client.CloseableHttpClient; -import org.apache.http.impl.client.HttpClientBuilder; -import org.apache.http.util.EntityUtils; -import org.eclipse.jetty.http.HttpStatus; - -import java.io.IOException; -import java.net.URI; - -/** - * @author mortent - */ -public class ServiceProviderApi { - - private final URI providerUri; - - public ServiceProviderApi(String providerAddress) { - providerUri = URI.create(String.format("https://%s:8443/athenz/v1/provider", providerAddress)); - } - - - /** - * Get signed identity document from config server - */ - String getSignedIdentityDocument() { - - // TODO Use client side auth to establish trusted secure channel - try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) { - - CloseableHttpResponse idDocResponse = httpClient.execute(RequestBuilder.get().setUri(providerUri + "/identity-document").build()); - if (HttpStatus.isSuccess(idDocResponse.getStatusLine().getStatusCode())) { - return EntityUtils.toString(idDocResponse.getEntity()); - } else { - // make sure we have retried a few times (AND logged) before giving up - throw new RuntimeException("Failed to initialize Athenz instance provider"); - } - } catch (IOException e) { - e.printStackTrace(); - throw new RuntimeException(e); - } - } - -} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java new file mode 100644 index 00000000000..69c52e5e639 --- /dev/null +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/AthenzService.java @@ -0,0 +1,42 @@ +package com.yahoo.container.jdisc.athenz.impl; + +import com.fasterxml.jackson.databind.ObjectMapper; +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.HttpUriRequest; +import org.apache.http.client.methods.RequestBuilder; +import org.apache.http.entity.ContentType; +import org.apache.http.entity.StringEntity; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.util.EntityUtils; +import org.eclipse.jetty.http.HttpStatus; + +import java.io.IOException; + +/** + * @author mortent + */ +public class AthenzService { + + /** + * Send instance register request to ZTS, get InstanceIdentity + */ + public InstanceIdentity sendInstanceRegisterRequest(InstanceRegisterInformation instanceRegisterInformation, String athenzUrl) { + try(CloseableHttpClient client = HttpClientBuilder.create().build()) { + ObjectMapper objectMapper = new ObjectMapper(); + HttpUriRequest postRequest = RequestBuilder.post() + .setUri(athenzUrl + "/instance") + .setEntity(new StringEntity(objectMapper.writeValueAsString(instanceRegisterInformation), ContentType.APPLICATION_JSON)) + .build(); + CloseableHttpResponse response = client.execute(postRequest); + if(HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) { + return objectMapper.readValue(response.getEntity().getContent(), InstanceIdentity.class); + } else { + String message = EntityUtils.toString(response.getEntity()); + throw new RuntimeException(String.format("Unable to get identity. http code/message: %d/%s" + response.getStatusLine().getStatusCode(), message)); + } + } catch (IOException e) { + throw new RuntimeException(e); + } + } +} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java new file mode 100644 index 00000000000..35986e7276e --- /dev/null +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceIdentity.java @@ -0,0 +1,55 @@ +package com.yahoo.container.jdisc.athenz.impl; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Map; + +/** + * Used for deserializing response from ZTS + * + * @author mortent + */ +@JsonIgnoreProperties(ignoreUnknown = true) +@JsonInclude(JsonInclude.Include.NON_NULL) +public class InstanceIdentity { + @JsonProperty("attributes") private final Map attributes; + @JsonProperty("provider") private final String provider; + @JsonProperty("name") private final String name; + @JsonProperty("instanceId") private final String instanceId; + @JsonProperty("x509Certificate") private final String x509Certificate; + @JsonProperty("x509CertificateSigner") private final String x509CertificateSigner; + @JsonProperty("sshCertificate") private final String sshCertificate; + @JsonProperty("sshCertificateSigner") private final String sshCertificateSigner; + @JsonProperty("serviceToken") private final String serviceToken; + + public InstanceIdentity( + @JsonProperty("attributes") Map attributes, + @JsonProperty("provider") String provider, + @JsonProperty("name") String name, + @JsonProperty("instanceId") String instanceId, + @JsonProperty("x509Certificate") String x509Certificate, + @JsonProperty("x509CertificateSigner") String x509CertificateSigner, + @JsonProperty("sshCertificate") String sshCertificate, + @JsonProperty("sshCertificateSigner") String sshCertificateSigner, + @JsonProperty("serviceToken") String serviceToken) { + this.attributes = attributes; + this.provider = provider; + this.name = name; + this.instanceId = instanceId; + this.x509Certificate = x509Certificate; + this.x509CertificateSigner = x509CertificateSigner; + this.sshCertificate = sshCertificate; + this.sshCertificateSigner = sshCertificateSigner; + this.serviceToken = serviceToken; + } + + public String getX509Certificate() { + return x509Certificate; + } + + public String getServiceToken() { + return serviceToken; + } +} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java new file mode 100644 index 00000000000..b5258cf793a --- /dev/null +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/InstanceRegisterInformation.java @@ -0,0 +1,38 @@ +package com.yahoo.container.jdisc.athenz.impl; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonProperty; + +/** + * Used for serializing request to ZTS + * + * @author mortent + */ +@JsonIgnoreProperties(ignoreUnknown = true) +@JsonInclude(JsonInclude.Include.NON_NULL) +public class InstanceRegisterInformation { + @JsonProperty("provider") + private final String provider; + @JsonProperty("domain") + private final String domain; + @JsonProperty("service") + private final String service; + @JsonProperty("attestationData") + private final String attestationData; + @JsonProperty("ssh") + private final String ssh = null; // Not needed + @JsonProperty("csr") + private final String csr; + @JsonProperty("token") + private final boolean token; + + public InstanceRegisterInformation(String provider, String domain, String service, String attestationData, String csr, boolean token) { + this.provider = provider; + this.domain = domain; + this.service = service; + this.attestationData = attestationData; + this.csr = csr; + this.token = token; + } +} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java new file mode 100644 index 00000000000..a896106ffdf --- /dev/null +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/impl/ServiceProviderApi.java @@ -0,0 +1,44 @@ +package com.yahoo.container.jdisc.athenz.impl; + +import org.apache.http.client.methods.CloseableHttpResponse; +import org.apache.http.client.methods.RequestBuilder; +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.apache.http.util.EntityUtils; +import org.eclipse.jetty.http.HttpStatus; + +import java.io.IOException; +import java.net.URI; + +/** + * @author mortent + */ +public class ServiceProviderApi { + + private final URI providerUri; + + public ServiceProviderApi(String providerAddress) { + providerUri = URI.create(String.format("https://%s:8443/athenz/v1/provider", providerAddress)); + } + + /** + * Get signed identity document from config server + */ + public String getSignedIdentityDocument() { + + // TODO Use client side auth to establish trusted secure channel + try (CloseableHttpClient httpClient = HttpClientBuilder.create().build()) { + + CloseableHttpResponse idDocResponse = httpClient.execute(RequestBuilder.get().setUri(providerUri + "/identity-document").build()); + if (HttpStatus.isSuccess(idDocResponse.getStatusLine().getStatusCode())) { + return EntityUtils.toString(idDocResponse.getEntity()); + } else { + // make sure we have retried a few times (AND logged) before giving up + throw new RuntimeException("Failed to initialize Athenz instance provider"); + } + } catch (IOException e) { + throw new RuntimeException("Failed getting signed identity document", e); + } + } + +} diff --git a/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/package-info.java b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/package-info.java new file mode 100644 index 00000000000..1d59edcbf93 --- /dev/null +++ b/container-disc/src/main/java/com/yahoo/container/jdisc/athenz/package-info.java @@ -0,0 +1,9 @@ +/** + * @author mortent + */ +@ExportPackage +@PublicApi +package com.yahoo.container.jdisc.athenz; + +import com.yahoo.api.annotations.PublicApi; +import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file diff --git a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java index 4b351f1d2c0..2651cfd3a63 100644 --- a/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java +++ b/container-disc/src/test/java/com/yahoo/container/jdisc/athenz/AthenzIdentityProviderTest.java @@ -1,6 +1,9 @@ package com.yahoo.container.jdisc.athenz; import com.yahoo.container.core.identity.IdentityConfig; +import com.yahoo.container.jdisc.athenz.impl.AthenzService; +import com.yahoo.container.jdisc.athenz.impl.InstanceIdentity; +import com.yahoo.container.jdisc.athenz.impl.ServiceProviderApi; import org.junit.Assert; import org.junit.Test; @@ -24,7 +27,7 @@ public class AthenzIdentityProviderTest { when(serviceProviderApi.getSignedIdentityDocument()).thenReturn(getIdentityDocument()); when(athenzService.sendInstanceRegisterRequest(any(), anyString())).thenReturn( - new InstanceIdentity(null,null,null,null,null,null, null, null, "TOKEN")); + new InstanceIdentity(null, null, null, null, null, null, null, null, "TOKEN")); AthenzIdentityProvider identityProvider = new AthenzIdentityProvider(config, serviceProviderApi, athenzService); -- cgit v1.2.3