From b96148d4bc405d7179a7cd670c674d464e28493a Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Tue, 26 Nov 2019 09:21:10 +0100
Subject: Read principal from cert CN on refresh
---
 .../hosted/ca/restapi/CertificateAuthorityApiHandler.java | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
(limited to 'athenz-identity-provider-service/src/main/java')
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index 4c01b0943e4..a1984557c31 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -38,6 +38,7 @@ import java.util.Objects;
 import java.util.Optional;
 import java.util.function.Function;
 import java.util.logging.Level;
+import java.util.stream.Stream;
 /**
 * REST API for issuing and refreshing node certificates in a hosted Vespa system.
@@ -113,7 +114,9 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 private HttpResponse refreshInstance(HttpRequest request, String provider, String service, String instanceId) {
 var instanceRefresh = deserializeRequest(request, InstanceSerializer::refreshFromSlime);
 var instanceIdFromCsr = Certificates.instanceIdFrom(instanceRefresh.csr());
- var athenzService = new AthenzService(request.getJDiscRequest().getUserPrincipal().getName());
+
+ var athenzService = getRequestAthenzService(request);
+
 if (!instanceIdFromCsr.equals(instanceId)) {
 throw new IllegalArgumentException("Mismatch between instance ID in URL path and instance ID in CSR " +
 "[instanceId=" + instanceId + ",instanceIdFromCsr=" + instanceIdFromCsr + 
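Review bot: The two blank lines added around `var athenzService = getRequestAthenzService(request);` break the compact run of `var` declarations at the top of `refreshInstance`; dropping them keeps the method's style consistent with the lines above it. Since this line now derives the caller identity from the client certificate instead of the JDisc principal the removed line used, a short comment such as `// Caller identity is taken from the client certificate's CN, not from the JDisc principal` on that line would make the source of trust explicit to the next reader. `refreshInstance` continues past the end of the hunk, so how `athenzService` is used afterwards is not visible here.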
@@ -172,6 +175,16 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 .orElse(Collections.emptyList());
 }
+ private AthenzService getRequestAthenzService(HttpRequest request) {
+ return getRequestCertificateChain(request).stream()
+ .findFirst()
+ .map(X509CertificateUtils::getSubjectCommonNames)
+ .map(List::stream)
+ .flatMap(Stream::findFirst)
+ .map(AthenzService::new)
+ .orElseThrow(() -> new RuntimeException("No certificate found"));
+ }
+
 /** Returns CA private key from secret store */
 private PrivateKey caPrivateKey() {
 return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(caPrivateKeySecretName));
-- cgit v1.2.3
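Review bot: The `orElseThrow` at the end of `getRequestAthenzService` reports "No certificate found" for two distinct failures: an empty chain from `getRequestCertificateChain`, and a leaf certificate whose `getSubjectCommonNames` list is empty, so the second case is mislabelled wherever the exception is logged. The pipeline also silently takes the first of possibly several CNs and assumes the first element of the chain is the leaf; presumably `getRequestCertificateChain` returns the handshake-verified peer chain in leaf-first order, but since this value now selects the Athenz identity the refreshed certificate is issued for, that assumption deserves a comment and a certificate with more than one CN should arguably be rejected rather than mapped to whichever CN comes first. Throwing `IllegalArgumentException` would also match the mismatch case in `refreshInstance`, if the handler maps that type to a client error as the existing code suggests. `getRequestCertificateChain` starts outside the hunk, so its source of the chain is not visible here.
```java
    private AthenzService getRequestAthenzService(HttpRequest request) {
        var chain = getRequestCertificateChain(request);
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("No client certificate in request");
        }
        // NOTE(review): assumes chain.get(0) is the leaf as delivered by the TLS layer — confirm in getRequestCertificateChain
        var commonNames = X509CertificateUtils.getSubjectCommonNames(chain.get(0));
        if (commonNames.size() != 1) {
            throw new IllegalArgumentException("Expected exactly one CN in client certificate, found " + commonNames.size());
        }
        return new AthenzService(commonNames.get(0));
    }
```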