From bc89a5c29f5c8c84eee09e3fc46cff1bda524766 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 19 Apr 2018 13:33:20 +0200
Subject: Retrieve host identity through client certificate

---
 .../IdentityDocumentGenerator.java | 1 +
 .../identitydocument/IdentityDocumentResource.java | 22 ++++++++++++++++------
 2 files changed, 17 insertions(+), 6 deletions(-)

(limited to 'athenz-identity-provider-service/src')

diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 95e9713f335..0ecce2e82c7 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -96,6 +96,7 @@ public class IdentityDocumentGenerator {
      * If remote hostname is parent of requested hostname in node repo --> OK
      * Otherwise NOT OK
      */
+    // TODO Move this check to AuthorizationFilter in node-repository
     boolean validateAccess(String hostname, String remoteAddr) {
         try {
             InetAddress addr = InetAddress.getByName(remoteAddr);
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
index 1d65308577a..943da5cdcb4 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
@@ -3,13 +3,16 @@ package com.yahoo.vespa.hosted.athenz.instanceproviderservice.identitydocument;
 import com.google.inject.Inject;
 import com.yahoo.container.jaxrs.annotation.Component;
+import com.yahoo.jdisc.http.servlet.ServletRequest;
 import com.yahoo.log.LogLevel;
+import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.BadRequestException;
 import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.GET;
 import javax.ws.rs.InternalServerErrorException;
+import javax.ws.rs.NotAuthorizedException;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
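Review bot: `javax.ws.rs.NotAuthorizedException` is added to the imports but nothing in the visible hunks throws it; the `principal == null` branch in the later hunk logs a warning and falls back to the remote address instead of rejecting the request. If the import anticipates replacing that fallback with a 401 once the self-signed certificates are gone, it is dead code until then and will trip unused-import checks; either drop it for now or throw it where it was intended.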
@@ -43,15 +46,22 @@ public class IdentityDocumentResource {
     // TODO Make this method private when the rest api is not longer in use
     public SignedIdentityDocument getIdentityDocument(@QueryParam("hostname") String hostname,
                                                       @Context HttpServletRequest request) {
-        // TODO Use TLS client authentication instead of blindly trusting hostname
-        // Until we have distributed Athenz x509 certificates we will validate that remote address
-        // is authorized to access the provided hostname. This means any container
-        if (!identityDocumentGenerator.validateAccess(hostname, request.getRemoteAddr())) {
-            throw new ForbiddenException();
-        }
         if (hostname == null) {
             throw new BadRequestException("The 'hostname' query parameter is missing");
         }
+        NodePrincipal principal = (NodePrincipal) request.getAttribute(ServletRequest.JDISC_REQUEST_PRINCIPAL);
+        String remoteHost;
+        if (principal == null) {
+            // TODO Remove once self-signed certs are gone
+            log.warning("Client is not authenticated - fallback to remote ip");
+            remoteHost = request.getRemoteAddr();
+        } else {
+            remoteHost = principal.getHostIdentityName();
+        }
+        // TODO Move this check to AuthorizationFilter in node-repository
+        if (!identityDocumentGenerator.validateAccess(hostname, remoteHost)) {
+            throw new ForbiddenException();
+        }
         try {
             return identityDocumentGenerator.generateSignedIdentityDocument(hostname);
         } catch (Exception e) {
-- 
cgit v1.2.3
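Review bot: The cast `(NodePrincipal) request.getAttribute(ServletRequest.JDISC_REQUEST_PRINCIPAL)` fails with a ClassCastException if the attribute holds some other Principal implementation, which would surface as a 500 rather than a 401/403; reading it as `Object attr = request.getAttribute(ServletRequest.JDISC_REQUEST_PRINCIPAL);` and branching on `if (attr instanceof NodePrincipal)` with the fallback in the else branch keeps the failure mode explicit. Whether a non-NodePrincipal can reach this resource depends on the filter chain, which is outside the hunk. Separately, the `principal == null` branch makes the certificate check optional: a request without a client certificate is handled exactly as before the change, so until that fallback is removed the warning is the only trace of that path and should carry the requested hostname and remote address, e.g. `log.warning("Client is not authenticated - fallback to remote ip " + request.getRemoteAddr() + " for hostname " + hostname);`. The enclosing getIdentityDocument method continues past the end of the hunk.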