From 6f1b019148425d7d3f4a73670c43a72c27150274 Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Wed, 2 Oct 2019 13:43:51 +0200
Subject: Revert "Revert "Read secret names from config""
---
 .../ca/restapi/CertificateAuthorityApiHandler.java | 21 ++++++++++-----------
 .../ca/restapi/CertificateAuthorityApiTest.java | 4 ++--
 .../vespa/hosted/ca/restapi/ContainerTester.java | 13 ++++++++++---
 3 files changed, 22 insertions(+), 16 deletions(-)
(limited to 'athenz-identity-provider-service/src')
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
index 28b6c6c0939..ca1697c7bb1 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.java
@@ -2,8 +2,6 @@ package com.yahoo.vespa.hosted.ca.restapi;
 import com.google.inject.Inject;
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.config.provision.Zone;
 import com.yahoo.container.jdisc.HttpRequest;
 import com.yahoo.container.jdisc.HttpResponse;
 import com.yahoo.container.jdisc.LoggingRequestHandler;
@@ -15,6 +13,7 @@ import com.yahoo.security.KeyUtils;
 import com.yahoo.security.X509CertificateUtils;
 import com.yahoo.slime.Slime;
 import com.yahoo.vespa.config.SlimeUtils;
+import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
 import com.yahoo.vespa.hosted.ca.Certificates;
 import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
 import com.yahoo.yolean.Exceptions;
@@ -42,18 +41,20 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 private final SecretStore secretStore;
 private final Certificates certificates;
- private final SystemName system;
+ private final String caPrivateKeySecretName;
+ private final String caCertificateSecretName;
 @Inject
- public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Zone zone) {
- this(ctx, secretStore, new Certificates(Clock.systemUTC()), zone.system());
+ public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, AthenzProviderServiceConfig athenzProviderServiceConfig) {
+ this(ctx, secretStore, new Certificates(Clock.systemUTC()), athenzProviderServiceConfig);
 }
- CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, SystemName system) {
+ CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, AthenzProviderServiceConfig athenzProviderServiceConfig) {
 super(ctx);
 this.secretStore = secretStore;
 this.certificates = certificates;
- this.system = system;
+ this.caPrivateKeySecretName = athenzProviderServiceConfig.secretName();
+ this.caCertificateSecretName = athenzProviderServiceConfig.domain() + ".ca.cert";
 }
 @Override
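Review bot: The package-private constructor stores `athenzProviderServiceConfig.domain() + ".ca.cert"` and `athenzProviderServiceConfig.secretName()` without validating either, so a null `domain()` silently becomes the secret name `null.ca.cert` and the failure only shows up later as a missing-secret lookup. I would guard both inputs with `Objects.requireNonNull(athenzProviderServiceConfig.domain(), "domain")` and `Objects.requireNonNull(athenzProviderServiceConfig.secretName(), "secretName")` (adding the `java.util.Objects` import if it is not already there), and lift the suffix into `private static final String CA_CERT_SECRET_SUFFIX = ".ca.cert";` with a comment that the CA certificate is expected under `<domain>.ca.cert` while the CA private key is whatever secret `secretName` names. The two new fields also deserve a one-line Javadoc each naming the config field they come from, since `caCertificate()` and `caPrivateKey()` further down no longer show how the names are built. The ContainerTester config on this page sets a `0` value right after `secretname`; if that is a secret version, it is not consumed here — confirm that reading the unversioned secret is intended.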
@@ -101,14 +102,12 @@ public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
 /** Returns CA certificate from secret store */
 private X509Certificate caCertificate() {
- var keyName = String.format("vespa.external.%s.configserver.ca.cert.cert", system.value().toLowerCase());
- return X509CertificateUtils.fromPem(secretStore.getSecret(keyName));
+ return X509CertificateUtils.fromPem(secretStore.getSecret(caCertificateSecretName));
 }
 /** Returns CA private key from secret store */
 private PrivateKey caPrivateKey() {
- var keyName = String.format("vespa.external.%s.configserver.ca.key.key", system.value().toLowerCase());
- return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(keyName));
+ return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(caPrivateKeySecretName));
 }
 private static T deserializeRequest(HttpRequest request, Function serializer) {
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
index a1d708a1107..8e4605499f7 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java
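Review bot: Both `caCertificate()` and `caPrivateKey()` hand the result of `secretStore.getSecret(...)` straight to the PEM parser, so a secret that is absent under the newly configured name surfaces as a parse error or NullPointerException that never says which secret was missing. If `SecretStore.getSecret` can return null or an empty string for an unknown name (its contract is not visible here), I would check first and fail naming only the secret's name, e.g. `var pem = secretStore.getSecret(caCertificateSecretName); if (pem == null || pem.isBlank()) throw new IllegalStateException("Secret '" + caCertificateSecretName + "' not found in secret store");` — the PEM material itself must never go into the message or logs. The Javadoc on each method should also state where the name comes from now that it is config-driven rather than derived from the system name, e.g. `/** Returns the CA certificate stored under <domain>.ca.cert in the secret store */` and `/** Returns the CA private key stored under the configured secretName */`. The enclosing class continues outside the hunk.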
@@ -98,8 +98,8 @@ public class CertificateAuthorityApiTest extends ContainerTester {
 var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
 var caCertificatePem = X509CertificateUtils.toPem(CertificateTester.createCertificate("Vespa CA", keyPair));
 var privateKeyPem = KeyUtils.toPem(keyPair.getPrivate());
- secretStore().setSecret("vespa.external.main.configserver.ca.cert.cert", caCertificatePem)
- .setSecret("vespa.external.main.configserver.ca.key.key", privateKeyPem);
+ secretStore().setSecret("vespa.external.ca.cert", caCertificatePem)
+ .setSecret("secretname", privateKeyPem);
 }
 private void assertIdentityResponse(Request request) {
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
index 2ca45cf7e56..139314b0f86 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/ContainerTester.java
@@ -56,9 +56,16 @@ public class ContainerTester {
 return "\n" +
 " \n" +
 " 10\n" +
- " \n" +
- " \n" +
- " \n" +
+ " \n" +
+ " \n" +
+ " /path/to/file\n" +
+ " vespa.external\n" +
+ " servicename\n" +
+ " secretname\n" +
+ " 0\n" +
+ " suffix\n" +
+ " https://localhost:123/\n" +
+ " \n" +
 " \n" +
 " \n" +
 " http://*/ca/v1/*\n" +
-- cgit v1.2.3
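Review bot: The new literals `"vespa.external.ca.cert"` and `"secretname"` in the `setSecret` calls are only correct because the ContainerTester config in the next hunk sets the domain to `vespa.external` and the secret name to `secretname`, and the handler concatenates `domain() + ".ca.cert"`; editing either side leaves the test compiling but failing with an unrelated-looking missing-secret error. I would expose the two values from ContainerTester as `static final String` constants (for example `CA_CERTIFICATE_SECRET_NAME` and `CA_PRIVATE_KEY_SECRET_NAME`) and use them both when building the config string and in these `setSecret` calls, with a comment that they must match the names `CertificateAuthorityApiHandler` derives from `AthenzProviderServiceConfig`. The same coupling applies to the ContainerTester hunk, whose remaining values are test placeholders and need no change. The enclosing test method starts before the hunk.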