From e94792f9392c9648011f2f9c8ddec49262c8c76c Mon Sep 17 00:00:00 2001 From: Morten Tokle Date: Wed, 30 Oct 2019 15:54:19 +0100 Subject: Use athenz domain from config to find tenant service --- .../instanceconfirmation/InstanceValidator.java | 14 +++++++++----- .../instanceconfirmation/InstanceValidatorTest.java | 18 ++++++++++-------- .../hosted/ca/restapi/mock/InstanceValidatorMock.java | 2 +- 3 files changed, 20 insertions(+), 14 deletions(-) diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java index 2eae26a814d..a417fc17f3a 100644 --- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java +++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java @@ -14,6 +14,7 @@ import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument; import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId; import com.yahoo.vespa.athenz.identityprovider.client.IdentityDocumentSigner; import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider; +import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig; import com.yahoo.vespa.hosted.provision.Node; import com.yahoo.vespa.hosted.provision.NodeRepository; @@ -34,7 +35,6 @@ import java.util.stream.Stream; */ public class InstanceValidator { - private static final AthenzService TENANT_DOCKER_CONTAINER_IDENTITY = new AthenzService("vespa.vespa.tenant"); private static final Logger log = Logger.getLogger(InstanceValidator.class.getName()); static final String SERVICE_PROPERTIES_DOMAIN_KEY = "identity.domain"; static final String SERVICE_PROPERTIES_SERVICE_KEY = "identity.service"; @@ -43,6 +43,7 @@ public class InstanceValidator { public static final String SAN_IPS_ATTRNAME = "sanIP"; public static final String SAN_DNS_ATTRNAME = "sanDNS"; + private final AthenzService tenantDockerContainerIdentity; private final IdentityDocumentSigner signer; private final KeyProvider keyProvider; private final SuperModelProvider superModelProvider; @@ -51,18 +52,21 @@ public class InstanceValidator { @Inject public InstanceValidator(KeyProvider keyProvider, SuperModelProvider superModelProvider, - NodeRepository nodeRepository) { - this(keyProvider, superModelProvider, nodeRepository, new IdentityDocumentSigner()); + NodeRepository nodeRepository, + AthenzProviderServiceConfig config) { + this(keyProvider, superModelProvider, nodeRepository, new IdentityDocumentSigner(), new AthenzService(config.domain(), "tenant")); } public InstanceValidator(KeyProvider keyProvider, SuperModelProvider superModelProvider, NodeRepository nodeRepository, - IdentityDocumentSigner identityDocumentSigner){ + IdentityDocumentSigner identityDocumentSigner, + AthenzService tenantIdentity){ this.keyProvider = keyProvider; this.superModelProvider = superModelProvider; this.nodeRepository = nodeRepository; this.signer = identityDocumentSigner; + this.tenantDockerContainerIdentity = tenantIdentity; } public boolean isValidInstance(InstanceConfirmation instanceConfirmation) { @@ -187,7 +191,7 @@ public class InstanceValidator { return false; } - if (TENANT_DOCKER_CONTAINER_IDENTITY.equals(new AthenzService(domain, service))) { + if (tenantDockerContainerIdentity.equals(new AthenzService(domain, service))) { return true; } diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java index 5ce0f3cdd7e..a35dfd878c5 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java @@ -58,10 +58,12 @@ public class InstanceValidatorTest { private final String domain = "domain"; private final String service = "service"; + private final AthenzService vespaTenantDomain = new AthenzService("vespa.vespa.tenant"); + @Test public void application_does_not_exist() { SuperModelProvider superModelProvider = mockSuperModelProvider(); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null, vespaTenantDomain); assertFalse(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -69,7 +71,7 @@ public class InstanceValidatorTest { public void application_does_not_have_domain_set() { SuperModelProvider superModelProvider = mockSuperModelProvider( mockApplicationInfo(applicationId, 5, Collections.emptyList())); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, new IdentityDocumentSigner(), vespaTenantDomain); assertFalse(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -81,7 +83,7 @@ public class InstanceValidatorTest { SuperModelProvider superModelProvider = mockSuperModelProvider( mockApplicationInfo(applicationId, 5, Collections.singletonList(serviceInfo))); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null, vespaTenantDomain); assertFalse(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -99,7 +101,7 @@ public class InstanceValidatorTest { mockApplicationInfo(applicationId, 5, Collections.singletonList(serviceInfo))); IdentityDocumentSigner signer = mock(IdentityDocumentSigner.class); when(signer.hasValidSignature(any(), any())).thenReturn(true); - InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, null, signer); + InstanceValidator instanceValidator = new InstanceValidator(mock(KeyProvider.class), superModelProvider, null, signer, vespaTenantDomain); assertTrue(instanceValidator.isValidInstance(createRegisterInstanceConfirmation(applicationId, domain, service))); } @@ -107,7 +109,7 @@ public class InstanceValidatorTest { @Test public void rejects_invalid_provider_unique_id_in_csr() { SuperModelProvider superModelProvider = mockSuperModelProvider(); - InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null); + InstanceValidator instanceValidator = new InstanceValidator(null, superModelProvider, null, null, vespaTenantDomain); InstanceConfirmation instanceConfirmation = createRegisterInstanceConfirmation(applicationId, domain, service); VespaUniqueInstanceId tamperedId = new VespaUniqueInstanceId(0, "default", "instance", "app", "tenant", "us-north-1", "dev", IdentityType.NODE); instanceConfirmation.set("sanDNS", tamperedId.asDottedString() + ".instanceid.athenz.dev-us-north-1.vespa.yahoo.cloud"); @@ -117,7 +119,7 @@ public class InstanceValidatorTest { @Test public void accepts_valid_refresh_requests() { NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); + InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain); List nodeList = createNodes(10); Node node = nodeList.get(0); @@ -132,7 +134,7 @@ public class InstanceValidatorTest { @Test public void rejects_refresh_on_ip_mismatch() { NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); + InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain); List nodeList = createNodes(10); Node node = nodeList.get(0); @@ -149,7 +151,7 @@ public class InstanceValidatorTest { @Test public void rejects_refresh_when_node_is_not_allocated() { NodeRepository nodeRepository = mock(NodeRepository.class); - InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository); + InstanceValidator instanceValidator = new InstanceValidator(null, null, nodeRepository, new IdentityDocumentSigner(), vespaTenantDomain); List nodeList = createNodes(10); when(nodeRepository.getNodes()).thenReturn(nodeList); diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/InstanceValidatorMock.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/InstanceValidatorMock.java index 16f489c818f..9c1d4c49b07 100644 --- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/InstanceValidatorMock.java +++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/mock/InstanceValidatorMock.java @@ -10,7 +10,7 @@ import com.yahoo.vespa.hosted.athenz.instanceproviderservice.instanceconfirmatio public class InstanceValidatorMock extends InstanceValidator { public InstanceValidatorMock() { - super(null, null, null, null); + super(null, null, null, null, null); } @Override -- cgit v1.2.3