From 0150ceec2523c02853a14d0ddf483a73b1640dd5 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@oath.com>
Date: Thu, 31 May 2018 11:00:26 +0200
Subject: Remove parent hostname from identity document

---
 .../identitydocument/IdentityDocumentGenerator.java               | 8 --------
 .../identitydocument/IdentityDocumentGeneratorTest.java           | 4 ++--
 2 files changed, 2 insertions(+), 10 deletions(-)

(limited to 'athenz-identity-provider-service')

diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 728406c297f..ffe604247ae 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -87,15 +87,7 @@ public class IdentityDocumentGenerator {
                 zone.region().value(),
                 zone.environment().value());
 
-        // TODO: Hack to allow access from docker containers to non-ipv6 services.
-        // Remove when yca-bridge is no longer needed
         Set<String> ips = new HashSet<>(node.ipAddresses());
-        if(node.parentHostname().isPresent()) {
-            String parentHostName = node.parentHostname().get();
-            nodeRepository.getNode(parentHostName)
-                    .map(Node::ipAddresses)
-                    .ifPresent(ips::addAll);
-        }
         return new IdentityDocument(
                 providerUniqueId,
                 HostName.getLocalhost(),
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
index d7b061ca2f1..f595289f8af 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
@@ -95,8 +95,8 @@ public class IdentityDocumentGeneratorTest {
                 new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment);
         assertEquals(expectedProviderUniqueId, signedIdentityDocument.providerUniqueId());
 
-        // Validate that both parent and container ips are present
-        assertThat(signedIdentityDocument.identityDocument().ipAddresses(), Matchers.containsInAnyOrder("127.0.0.1", "::1"));
+        // Validate that container ips are present
+        assertThat(signedIdentityDocument.identityDocument().ipAddresses(), Matchers.containsInAnyOrder("::1"));
 
         SignedIdentityDocumentEntity signedIdentityDocumentEntity = EntityBindingsMapper.toSignedIdentityDocumentEntity(signedIdentityDocument);
 
-- 
cgit v1.2.3


From 48ea96e26f4cc037f0cf81a303b4617ea8e2441d Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@oath.com>
Date: Thu, 31 May 2018 11:24:01 +0200
Subject: Prepare for inlining of 'IdentityDocument' into
 'SignedIdentityDocument'

---
 athenz-identity-provider-service/pom.xml           |  8 +++++
 .../IdentityDocumentGenerator.java                 |  7 +++-
 .../InstanceValidatorTest.java                     |  6 +++-
 .../identityprovider/api/EntityBindingsMapper.java | 12 +++++--
 .../identityprovider/api/IdentityDocument.java     |  2 ++
 .../api/SignedIdentityDocument.java                | 32 +++++++++++++++++-
 .../api/bindings/IdentityDocumentEntity.java       |  2 ++
 .../api/bindings/SignedIdentityDocumentEntity.java | 39 ++++++++++++++++++++--
 .../client/AthenzCredentialsService.java           |  3 +-
 .../client/DefaultIdentityDocumentClient.java      | 13 +-------
 .../client/AthenzIdentityProviderImplTest.java     |  6 +++-
 11 files changed, 108 insertions(+), 22 deletions(-)

(limited to 'athenz-identity-provider-service')

diff --git a/athenz-identity-provider-service/pom.xml b/athenz-identity-provider-service/pom.xml
index 86d4defa861..982cb89f2bf 100644
--- a/athenz-identity-provider-service/pom.xml
+++ b/athenz-identity-provider-service/pom.xml
@@ -131,6 +131,14 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <compilerArgs>
+                        <arg>-Xlint:all</arg>
+                        <arg>-Xlint:-deprecation</arg>
+                        <arg>-Xlint:-serial</arg>
+                        <arg>-Werror</arg>
+                    </compilerArgs>
+                </configuration>
             </plugin>
         </plugins>
     </build>
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index ffe604247ae..ffeca67645b 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -28,6 +28,7 @@ import java.util.Set;
 
 /**
  * @author mortent
+ * @author bjorncs
  */
 public class IdentityDocumentGenerator {
 
@@ -70,7 +71,11 @@ public class IdentityDocumentGenerator {
                     toZoneDnsSuffix(zone, zoneConfig.certDnsSuffix()),
                     new AthenzService(zoneConfig.domain(), zoneConfig.serviceName()),
                     URI.create(zoneConfig.ztsUrl()),
-                    SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION);
+                    SignedIdentityDocument.DEFAULT_DOCUMENT_VERSION,
+                    identityDocument.configServerHostname(),
+                    identityDocument.instanceHostname(),
+                    identityDocument.createdAt(),
+                    identityDocument.ipAddresses());
         } catch (Exception e) {
             throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e);
         }
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
index 54786c86cd3..1ac9ff6f83a 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
@@ -143,7 +143,11 @@ public class InstanceValidatorTest {
                                                      "dnssuffix",
                                                      "service",
                                                      URI.create("http://localhost/zts"),
-                                                     1));
+                                                     1,
+                                                     identityDocument.configServerHostname,
+                                                     identityDocument.instanceHostname,
+                                                     identityDocument.createdAt,
+                                                     identityDocument.ipAddresses));
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
index 1504119d9cc..9f065e7285d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
@@ -54,7 +54,11 @@ public class EntityBindingsMapper {
                 entity.dnsSuffix,
                 (AthenzService) AthenzIdentities.from(entity.providerService),
                 entity.ztsEndpoint,
-                entity.documentVersion);
+                entity.documentVersion,
+                entity.configServerHostname,
+                entity.instanceHostname,
+                entity.createdAt,
+                entity.ipAddresses);
     }
 
     public static VespaUniqueInstanceIdEntity toVespaUniqueInstanceIdEntity(VespaUniqueInstanceId model) {
@@ -84,7 +88,11 @@ public class EntityBindingsMapper {
                     model.dnsSuffix(),
                     model.providerService().getFullName(),
                     model.ztsEndpoint(),
-                    model.documentVersion());
+                    model.documentVersion(),
+                    model.configServerHostname(),
+                    model.instanceHostname(),
+                    model.createdAt(),
+                    model.ipAddresses());
         } catch (JsonProcessingException e) {
             throw new RuntimeException(e);
         }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java
index 8da2bd0a343..82d0a3d622c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java
@@ -8,7 +8,9 @@ import java.util.Set;
  * The identity document that contains the instance specific information
  *
  * @author bjorncs
+ * @deprecated Will soon be inlined into {@link SignedIdentityDocument}
  */
+@Deprecated
 public class IdentityDocument {
     private final VespaUniqueInstanceId providerUniqueId;
     private final String configServerHostname;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
index d184efc0221..6372c2202f0 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
@@ -4,6 +4,8 @@ package com.yahoo.vespa.athenz.identityprovider.api;
 import com.yahoo.vespa.athenz.api.AthenzService;
 
 import java.net.URI;
+import java.time.Instant;
+import java.util.Set;
 
 /**
  * A signed identity document which contains a {@link IdentityDocument}
@@ -22,6 +24,10 @@ public class SignedIdentityDocument {
     private final AthenzService providerService;
     private final URI ztsEndpoint;
     private final int documentVersion;
+    private final String configServerHostname;
+    private final String instanceHostname;
+    private final Instant createdAt;
+    private final Set<String> ipAddresses;
 
     public SignedIdentityDocument(IdentityDocument identityDocument,
                                   String signature,
@@ -30,7 +36,11 @@ public class SignedIdentityDocument {
                                   String dnsSuffix,
                                   AthenzService providerService,
                                   URI ztsEndpoint,
-                                  int documentVersion) {
+                                  int documentVersion,
+                                  String configServerHostname,
+                                  String instanceHostname,
+                                  Instant createdAt,
+                                  Set<String> ipAddresses) {
         this.identityDocument = identityDocument;
         this.signature = signature;
         this.signingKeyVersion = signingKeyVersion;
@@ -39,6 +49,10 @@ public class SignedIdentityDocument {
         this.providerService = providerService;
         this.ztsEndpoint = ztsEndpoint;
         this.documentVersion = documentVersion;
+        this.configServerHostname = configServerHostname;
+        this.instanceHostname = instanceHostname;
+        this.createdAt = createdAt;
+        this.ipAddresses = ipAddresses;
     }
 
     public IdentityDocument identityDocument() {
@@ -72,4 +86,20 @@ public class SignedIdentityDocument {
     public int documentVersion() {
         return documentVersion;
     }
+
+    public String configServerHostname() {
+        return configServerHostname;
+    }
+
+    public String instanceHostname() {
+        return instanceHostname;
+    }
+
+    public Instant createdAt() {
+        return createdAt;
+    }
+
+    public Set<String> ipAddresses() {
+        return ipAddresses;
+    }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java
index 58a4f1e24bf..b4b2e82ab0e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java
@@ -10,8 +10,10 @@ import java.util.Set;
 
 /**
  * @author bjorncs
+ * @deprecated Will soon be inlined into {@link SignedIdentityDocumentEntity}
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated
 public class IdentityDocumentEntity {
 
     @JsonProperty("provider-unique-id")
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
index e397b81ef9e..5b8ea681b25 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
@@ -11,8 +11,10 @@ import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.URI;
+import java.time.Instant;
 import java.util.Base64;
 import java.util.Objects;
+import java.util.Set;
 
 /**
  * @author bjorncs
@@ -31,6 +33,10 @@ public class SignedIdentityDocumentEntity {
     @JsonProperty("provider-service") public final String providerService;
     @JsonProperty("zts-endpoint") public final URI ztsEndpoint;
     @JsonProperty("document-version") public final int documentVersion;
+    @JsonProperty("configserver-hostname") public final String configServerHostname;
+    @JsonProperty("instance-hostname") public final String instanceHostname;
+    @JsonProperty("created-at") public final Instant createdAt;
+    @JsonProperty("ip-addresses") public final Set<String> ipAddresses;
 
     @JsonCreator
     public SignedIdentityDocumentEntity(@JsonProperty("identity-document") String rawIdentityDocument,
@@ -40,7 +46,11 @@ public class SignedIdentityDocumentEntity {
                                         @JsonProperty("dns-suffix") String dnsSuffix,
                                         @JsonProperty("provider-service") String providerService,
                                         @JsonProperty("zts-endpoint") URI ztsEndpoint,
-                                        @JsonProperty("document-version") int documentVersion) {
+                                        @JsonProperty("document-version") int documentVersion,
+                                        @JsonProperty("configserver-hostname") String configServerHostname,
+                                        @JsonProperty("instance-hostname") String instanceHostname,
+                                        @JsonProperty("created-at") Instant createdAt,
+                                        @JsonProperty("ip-addresses") Set<String> ipAddresses) {
         this.rawIdentityDocument = rawIdentityDocument;
         this.identityDocument = parseIdentityDocument(rawIdentityDocument);
         this.signature = signature;
@@ -50,6 +60,10 @@ public class SignedIdentityDocumentEntity {
         this.providerService = providerService;
         this.ztsEndpoint = ztsEndpoint;
         this.documentVersion = documentVersion;
+        this.configServerHostname = configServerHostname;
+        this.instanceHostname = instanceHostname;
+        this.createdAt = createdAt;
+        this.ipAddresses = ipAddresses;
     }
 
     private static IdentityDocumentEntity parseIdentityDocument(String rawIdentityDocument) {
@@ -73,7 +87,15 @@ public class SignedIdentityDocumentEntity {
                 ", identityDocument=" + identityDocument +
                 ", signature='" + signature + '\'' +
                 ", signingKeyVersion=" + signingKeyVersion +
+                ", providerUniqueId='" + providerUniqueId + '\'' +
+                ", dnsSuffix='" + dnsSuffix + '\'' +
+                ", providerService='" + providerService + '\'' +
+                ", ztsEndpoint=" + ztsEndpoint +
                 ", documentVersion=" + documentVersion +
+                ", configServerHostname='" + configServerHostname + '\'' +
+                ", instanceHostname='" + instanceHostname + '\'' +
+                ", createdAt=" + createdAt +
+                ", ipAddresses=" + ipAddresses +
                 '}';
     }
 
@@ -86,11 +108,22 @@ public class SignedIdentityDocumentEntity {
                 documentVersion == that.documentVersion &&
                 Objects.equals(rawIdentityDocument, that.rawIdentityDocument) &&
                 Objects.equals(identityDocument, that.identityDocument) &&
-                Objects.equals(signature, that.signature);
+                Objects.equals(signature, that.signature) &&
+                Objects.equals(providerUniqueId, that.providerUniqueId) &&
+                Objects.equals(dnsSuffix, that.dnsSuffix) &&
+                Objects.equals(providerService, that.providerService) &&
+                Objects.equals(ztsEndpoint, that.ztsEndpoint) &&
+                Objects.equals(configServerHostname, that.configServerHostname) &&
+                Objects.equals(instanceHostname, that.instanceHostname) &&
+                Objects.equals(createdAt, that.createdAt) &&
+                Objects.equals(ipAddresses, that.ipAddresses);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(rawIdentityDocument, identityDocument, signature, signingKeyVersion, documentVersion);
+
+        return Objects.hash(rawIdentityDocument, identityDocument, signature, signingKeyVersion, providerUniqueId,
+                            dnsSuffix, providerService, ztsEndpoint, documentVersion, configServerHostname,
+                            instanceHostname, createdAt, ipAddresses);
     }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
index 96e93ca419d..e8ef2d9f97e 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzCredentialsService.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.athenz.identityprovider.client;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 import com.yahoo.container.core.identity.IdentityConfig;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
@@ -28,7 +29,7 @@ import static com.yahoo.vespa.athenz.tls.KeyStoreType.JKS;
  */
 class AthenzCredentialsService {
 
-    private static final ObjectMapper mapper = new ObjectMapper();
+    private static final ObjectMapper mapper = new ObjectMapper().registerModule(new JavaTimeModule());
 
     private final IdentityConfig identityConfig;
     private final IdentityDocumentClient identityDocumentClient;
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
index 90d1312c9f9..f92956f7961 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
@@ -2,14 +2,11 @@
 package com.yahoo.vespa.athenz.identityprovider.client;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
-import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
-import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpUriRequest;
 import org.apache.http.client.methods.RequestBuilder;
@@ -82,15 +79,7 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
                 String responseContent = EntityUtils.toString(response.getEntity());
                 if (HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) {
                     SignedIdentityDocumentEntity entity = objectMapper.readValue(responseContent, SignedIdentityDocumentEntity.class);
-                    return new SignedIdentityDocument(
-                            EntityBindingsMapper.toIdentityDocument(entity.identityDocument),
-                            entity.signature,
-                            entity.signingKeyVersion,
-                            VespaUniqueInstanceId.fromDottedString(entity.providerUniqueId),
-                            entity.dnsSuffix,
-                            (AthenzService) AthenzIdentities.from(entity.providerService),
-                            entity.ztsEndpoint,
-                            entity.documentVersion);
+                    return EntityBindingsMapper.toSignedIdentityDocument(entity);
                 } else {
                     throw new RuntimeException(
                             String.format(
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
index 2e9b29f5327..a84435f2982 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
@@ -141,7 +141,11 @@ public class AthenzIdentityProviderImplTest {
                 "dev-us-north-1.vespa.cloud",
                 new AthenzService("vespa.vespa.provider_dev_us-north-1"),
                 URI.create("https://zts:4443/zts/v1"),
-                1);
+                1,
+                "localhost",
+                "x.y.com",
+                Instant.EPOCH,
+                Collections.emptySet());
 
         return new ObjectMapper().registerModule(new JavaTimeModule())
                 .writeValueAsString(EntityBindingsMapper.toSignedIdentityDocumentEntity(signedIdentityDocument));
-- 
cgit v1.2.3


From cfa6d7bb63402b83c84a16411a207e946de33246 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@oath.com>
Date: Thu, 31 May 2018 15:20:49 +0200
Subject: Add identity type to unique instance id and signed identity document

---
 .../IdentityDocumentGenerator.java                 |  3 +-
 .../InstanceValidatorTest.java                     |  3 +-
 .../identity/AthenzCredentialsMaintainer.java      |  1 +
 .../restapi/v2/filter/NodeIdentifierTest.java      |  3 +-
 .../identityprovider/api/EntityBindingsMapper.java | 14 ++++---
 .../athenz/identityprovider/api/IdentityType.java  | 25 ++++++++++++
 .../api/SignedIdentityDocument.java                |  9 ++++-
 .../api/VespaUniqueInstanceId.java                 | 46 ++++++++++++++++++----
 .../api/bindings/SignedIdentityDocumentEntity.java | 14 ++++---
 .../api/bindings/VespaUniqueInstanceIdEntity.java  | 26 ++++++++++--
 .../api/VespaUniqueInstanceIdTest.java             | 13 ++++++
 .../client/AthenzIdentityProviderImplTest.java     |  6 ++-
 12 files changed, 135 insertions(+), 28 deletions(-)
 create mode 100644 vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityType.java

(limited to 'athenz-identity-provider-service')

diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index ffeca67645b..947c132167f 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -75,7 +75,8 @@ public class IdentityDocumentGenerator {
                     identityDocument.configServerHostname(),
                     identityDocument.instanceHostname(),
                     identityDocument.createdAt(),
-                    identityDocument.ipAddresses());
+                    identityDocument.ipAddresses(),
+                    null); // TODO Specify identity type
         } catch (Exception e) {
             throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e);
         }
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
index 1ac9ff6f83a..54411b424eb 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidatorTest.java
@@ -147,7 +147,8 @@ public class InstanceValidatorTest {
                                                      identityDocument.configServerHostname,
                                                      identityDocument.instanceHostname,
                                                      identityDocument.createdAt,
-                                                     identityDocument.ipAddresses));
+                                                     identityDocument.ipAddresses,
+                                                     null)); // TODO Remove support for legacy representation without type
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
index f7e9c3ca1d8..bd75368a0dc 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.java
@@ -148,6 +148,7 @@ public class AthenzCredentialsMaintainer {
         }
     }
 
+    @SuppressWarnings("deprecation")
     private VespaUniqueInstanceId getVespaUniqueInstanceId(NodeSpec nodeSpec) {
         NodeSpec.Membership membership = nodeSpec.getMembership().get();
         NodeSpec.Owner owner = nodeSpec.getOwner().get();
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
index c0cead74f5f..11c7832091b 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
@@ -29,6 +29,7 @@ import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.Optional;
 
+import static com.yahoo.vespa.athenz.identityprovider.api.IdentityType.*;
 import static com.yahoo.vespa.athenz.tls.KeyAlgorithm.RSA;
 import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
 import static java.util.Collections.emptySet;
@@ -161,7 +162,7 @@ public class NodeIdentifierTest {
         Pkcs10Csr csr = Pkcs10CsrBuilder
                 .fromKeypair(new X500Principal("CN=" + TENANT_NODE_IDENTITY), KEYPAIR, SHA256_WITH_RSA)
                 .build();
-        VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(clusterIndex, clusterId, INSTANCE_ID, application, tenant, region, environment);
+        VespaUniqueInstanceId vespaUniqueInstanceId = new VespaUniqueInstanceId(clusterIndex, clusterId, INSTANCE_ID, application, tenant, region, environment, NODE);
         X509Certificate certificate = X509CertificateBuilder
                 .fromCsr(csr, ATHENZ_YAHOO_CA_CERT.getSubjectX500Principal(), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), KEYPAIR.getPrivate(), SHA256_WITH_RSA, 1)
                 .addSubjectAlternativeName(vespaUniqueInstanceId.asDottedString() + ".instanceid.athenz.provider-name.vespa.yahoo.cloud")
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
index 9f065e7285d..12389712976 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
@@ -12,6 +12,8 @@ import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 
 import java.util.Base64;
 
+import static com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId.*;
+
 /**
  * Utility class for mapping objects model types and their Jackson binding versions.
  *
@@ -33,7 +35,7 @@ public class EntityBindingsMapper {
 
     public static VespaUniqueInstanceId toVespaUniqueInstanceId(VespaUniqueInstanceIdEntity entity) {
         return new VespaUniqueInstanceId(
-                entity.clusterIndex, entity.clusterId, entity.instance, entity.application, entity.tenant, entity.region, entity.environment);
+                entity.clusterIndex, entity.clusterId, entity.instance, entity.application, entity.tenant, entity.region, entity.environment, entity.type != null ? IdentityType.fromId(entity.type) : null); // TODO Remove support for legacy representation without type
     }
 
     public static IdentityDocument toIdentityDocument(IdentityDocumentEntity entity) {
@@ -50,7 +52,7 @@ public class EntityBindingsMapper {
                 toIdentityDocument(entity.identityDocument),
                 entity.signature,
                 entity.signingKeyVersion,
-                VespaUniqueInstanceId.fromDottedString(entity.providerUniqueId),
+                fromDottedString(entity.providerUniqueId),
                 entity.dnsSuffix,
                 (AthenzService) AthenzIdentities.from(entity.providerService),
                 entity.ztsEndpoint,
@@ -58,13 +60,14 @@ public class EntityBindingsMapper {
                 entity.configServerHostname,
                 entity.instanceHostname,
                 entity.createdAt,
-                entity.ipAddresses);
+                entity.ipAddresses,
+                entity.identityType != null ? IdentityType.fromId(entity.identityType) : null); // TODO Remove support for legacy representation without type
     }
 
     public static VespaUniqueInstanceIdEntity toVespaUniqueInstanceIdEntity(VespaUniqueInstanceId model) {
         return new VespaUniqueInstanceIdEntity(
                 model.tenant(), model.application(), model.environment(), model.region(),
-                model.instance(), model.clusterId(), model.clusterIndex());
+                model.instance(), model.clusterId(), model.clusterIndex(), model.type() != null ? model.type().id() : null); // TODO Remove support for legacy representation without type
     }
 
     public static IdentityDocumentEntity toIdentityDocumentEntity(IdentityDocument model) {
@@ -92,7 +95,8 @@ public class EntityBindingsMapper {
                     model.configServerHostname(),
                     model.instanceHostname(),
                     model.createdAt(),
-                    model.ipAddresses());
+                    model.ipAddresses(),
+                    model.identityType() != null ? model.identityType().id() : null); // TODO Remove support for legacy representation without type
         } catch (JsonProcessingException e) {
             throw new RuntimeException(e);
         }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityType.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityType.java
new file mode 100644
index 00000000000..4ca2e34a618
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityType.java
@@ -0,0 +1,25 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.identityprovider.api;
+
+import java.util.Arrays;
+
+/**
+ * Represents the types of identities that the configserver can provide.
+ *
+ * @author bjorncs
+ */
+public enum IdentityType {TENANT("tenant"), NODE("node");
+    private final String id;
+
+    IdentityType(String id) { this.id = id; }
+
+    public String id() { return id; }
+
+    public static IdentityType fromId(String id) {
+        return Arrays.stream(values())
+                .filter(v -> v.id.equals(id))
+                .findFirst()
+                .orElseThrow(() -> new IllegalArgumentException("Invalid id: " + id));
+    }
+}
+
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
index 6372c2202f0..60be42544c7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/SignedIdentityDocument.java
@@ -28,6 +28,7 @@ public class SignedIdentityDocument {
     private final String instanceHostname;
     private final Instant createdAt;
     private final Set<String> ipAddresses;
+    private final IdentityType identityType;
 
     public SignedIdentityDocument(IdentityDocument identityDocument,
                                   String signature,
@@ -40,7 +41,8 @@ public class SignedIdentityDocument {
                                   String configServerHostname,
                                   String instanceHostname,
                                   Instant createdAt,
-                                  Set<String> ipAddresses) {
+                                  Set<String> ipAddresses,
+                                  IdentityType identityType) {
         this.identityDocument = identityDocument;
         this.signature = signature;
         this.signingKeyVersion = signingKeyVersion;
@@ -53,6 +55,7 @@ public class SignedIdentityDocument {
         this.instanceHostname = instanceHostname;
         this.createdAt = createdAt;
         this.ipAddresses = ipAddresses;
+        this.identityType = identityType;
     }
 
     public IdentityDocument identityDocument() {
@@ -102,4 +105,8 @@ public class SignedIdentityDocument {
     public Set<String> ipAddresses() {
         return ipAddresses;
     }
+
+    public IdentityType identityType() {
+        return identityType;
+    }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceId.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceId.java
index 5539ba53882..be94cc59691 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceId.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceId.java
@@ -4,6 +4,8 @@ package com.yahoo.vespa.athenz.identityprovider.api;
 import java.util.Objects;
 
 /**
+ * Represents the unique instance id as used in Vespa's integration with Athenz Copper Argos
+ *
  * @author bjorncs
  */
 public class VespaUniqueInstanceId {
@@ -15,6 +17,7 @@ public class VespaUniqueInstanceId {
     private final String tenant;
     private final String region;
     private final String environment;
+    private final IdentityType type;
 
     public VespaUniqueInstanceId(int clusterIndex,
                                  String clusterId,
@@ -22,7 +25,8 @@ public class VespaUniqueInstanceId {
                                  String application,
                                  String tenant,
                                  String region,
-                                 String environment) {
+                                 String environment,
+                                 IdentityType type) {
         this.clusterIndex = clusterIndex;
         this.clusterId = clusterId;
         this.instance = instance;
@@ -30,21 +34,43 @@ public class VespaUniqueInstanceId {
         this.tenant = tenant;
         this.region = region;
         this.environment = environment;
+        this.type = type;
     }
 
+    // TODO Remove support for legacy representation without type
+    @Deprecated
+    public VespaUniqueInstanceId(int clusterIndex,
+                                 String clusterId,
+                                 String instance,
+                                 String application,
+                                 String tenant,
+                                 String region,
+                                 String environment) {
+        this(clusterIndex, clusterId, instance, application, tenant, region, environment, null);
+    }
+
+
+    // TODO Remove support for legacy representation without type
     public static VespaUniqueInstanceId fromDottedString(String instanceId) {
         String[] tokens = instanceId.split("\\.");
-        if (tokens.length != 7) {
+        if (tokens.length != 7 && tokens.length != 8) {
             throw new IllegalArgumentException("Invalid instance id: " + instanceId);
         }
         return new VespaUniqueInstanceId(
-                Integer.parseInt(tokens[0]), tokens[1], tokens[2], tokens[3], tokens[4], tokens[5], tokens[6]);
+                Integer.parseInt(tokens[0]), tokens[1], tokens[2], tokens[3], tokens[4], tokens[5], tokens[6], tokens.length == 8 ? IdentityType.fromId(tokens[7]) : null);
     }
 
+    // TODO Remove support for legacy representation without type
     public String asDottedString() {
-        return String.format(
-                "%d.%s.%s.%s.%s.%s.%s",
-                clusterIndex, clusterId, instance, application, tenant, region, environment);
+        if (type != null) {
+            return String.format(
+                    "%d.%s.%s.%s.%s.%s.%s.%s",
+                    clusterIndex, clusterId, instance, application, tenant, region, environment, type.id());
+        } else {
+            return String.format(
+                    "%d.%s.%s.%s.%s.%s.%s",
+                    clusterIndex, clusterId, instance, application, tenant, region, environment);
+        }
     }
 
     public int clusterIndex() {
@@ -75,6 +101,8 @@ public class VespaUniqueInstanceId {
         return environment;
     }
 
+    public IdentityType type() { return type; }
+
     @Override
     public String toString() {
         return "VespaUniqueInstanceId{" +
@@ -85,6 +113,7 @@ public class VespaUniqueInstanceId {
                 ", tenant='" + tenant + '\'' +
                 ", region='" + region + '\'' +
                 ", environment='" + environment + '\'' +
+                ", type=" + type +
                 '}';
     }
 
@@ -99,11 +128,12 @@ public class VespaUniqueInstanceId {
                 Objects.equals(application, that.application) &&
                 Objects.equals(tenant, that.tenant) &&
                 Objects.equals(region, that.region) &&
-                Objects.equals(environment, that.environment);
+                Objects.equals(environment, that.environment) &&
+                type == that.type;
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(clusterIndex, clusterId, instance, application, tenant, region, environment);
+        return Objects.hash(clusterIndex, clusterId, instance, application, tenant, region, environment, type);
     }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
index 5b8ea681b25..aa514b3caf3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/SignedIdentityDocumentEntity.java
@@ -37,6 +37,7 @@ public class SignedIdentityDocumentEntity {
     @JsonProperty("instance-hostname") public final String instanceHostname;
     @JsonProperty("created-at") public final Instant createdAt;
     @JsonProperty("ip-addresses") public final Set<String> ipAddresses;
+    @JsonProperty("identity-type") public final String identityType;
 
     @JsonCreator
     public SignedIdentityDocumentEntity(@JsonProperty("identity-document") String rawIdentityDocument,
@@ -50,7 +51,8 @@ public class SignedIdentityDocumentEntity {
                                         @JsonProperty("configserver-hostname") String configServerHostname,
                                         @JsonProperty("instance-hostname") String instanceHostname,
                                         @JsonProperty("created-at") Instant createdAt,
-                                        @JsonProperty("ip-addresses") Set<String> ipAddresses) {
+                                        @JsonProperty("ip-addresses") Set<String> ipAddresses,
+                                        @JsonProperty("identity-type") String identityType) {
         this.rawIdentityDocument = rawIdentityDocument;
         this.identityDocument = parseIdentityDocument(rawIdentityDocument);
         this.signature = signature;
@@ -64,6 +66,7 @@ public class SignedIdentityDocumentEntity {
         this.instanceHostname = instanceHostname;
         this.createdAt = createdAt;
         this.ipAddresses = ipAddresses;
+        this.identityType = identityType;
     }
 
     private static IdentityDocumentEntity parseIdentityDocument(String rawIdentityDocument) {
@@ -96,6 +99,7 @@ public class SignedIdentityDocumentEntity {
                 ", instanceHostname='" + instanceHostname + '\'' +
                 ", createdAt=" + createdAt +
                 ", ipAddresses=" + ipAddresses +
+                ", identityType=" + identityType +
                 '}';
     }
 
@@ -116,14 +120,12 @@ public class SignedIdentityDocumentEntity {
                 Objects.equals(configServerHostname, that.configServerHostname) &&
                 Objects.equals(instanceHostname, that.instanceHostname) &&
                 Objects.equals(createdAt, that.createdAt) &&
-                Objects.equals(ipAddresses, that.ipAddresses);
+                Objects.equals(ipAddresses, that.ipAddresses) &&
+                Objects.equals(identityType, identityType);
     }
 
     @Override
     public int hashCode() {
-
-        return Objects.hash(rawIdentityDocument, identityDocument, signature, signingKeyVersion, providerUniqueId,
-                            dnsSuffix, providerService, ztsEndpoint, documentVersion, configServerHostname,
-                            instanceHostname, createdAt, ipAddresses);
+        return Objects.hash(rawIdentityDocument, identityDocument, signature, signingKeyVersion, providerUniqueId, dnsSuffix, providerService, ztsEndpoint, documentVersion, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType);
     }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/VespaUniqueInstanceIdEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/VespaUniqueInstanceIdEntity.java
index 3127752ac7d..103c087638d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/VespaUniqueInstanceIdEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/VespaUniqueInstanceIdEntity.java
@@ -1,6 +1,7 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.api.bindings;
 
+import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
 import java.util.Objects;
@@ -24,14 +25,18 @@ public class VespaUniqueInstanceIdEntity {
     public final String clusterId;
     @JsonProperty("cluster-index")
     public final int clusterIndex;
+    @JsonProperty("type")
+    public final String type;
 
+    @JsonCreator
     public VespaUniqueInstanceIdEntity(@JsonProperty("tenant") String tenant,
                                        @JsonProperty("application") String application,
                                        @JsonProperty("environment") String environment,
                                        @JsonProperty("region") String region,
                                        @JsonProperty("instance") String instance,
                                        @JsonProperty("cluster-id") String clusterId,
-                                       @JsonProperty("cluster-index") int clusterIndex) {
+                                       @JsonProperty("cluster-index") int clusterIndex,
+                                       @JsonProperty("type") String type) {
         this.tenant = tenant;
         this.application = application;
         this.environment = environment;
@@ -39,8 +44,21 @@ public class VespaUniqueInstanceIdEntity {
         this.instance = instance;
         this.clusterId = clusterId;
         this.clusterIndex = clusterIndex;
+        this.type = type;
     }
 
+    @Deprecated
+    public VespaUniqueInstanceIdEntity(String tenant,
+                                       String application,
+                                       String environment,
+                                       String region,
+                                       String instance,
+                                       String clusterId,
+                                       int clusterIndex) {
+        this(tenant, application, environment, region, instance, clusterId, clusterIndex, null);
+    }
+
+
     @Override
     public String toString() {
         return "VespaUniqueInstanceIdEntity{" +
@@ -51,6 +69,7 @@ public class VespaUniqueInstanceIdEntity {
                 ", instance='" + instance + '\'' +
                 ", clusterId='" + clusterId + '\'' +
                 ", clusterIndex=" + clusterIndex +
+                ", type='" + type + '\'' +
                 '}';
     }
 
@@ -65,11 +84,12 @@ public class VespaUniqueInstanceIdEntity {
                 Objects.equals(environment, that.environment) &&
                 Objects.equals(region, that.region) &&
                 Objects.equals(instance, that.instance) &&
-                Objects.equals(clusterId, that.clusterId);
+                Objects.equals(clusterId, that.clusterId) &&
+                Objects.equals(type, that.type);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(tenant, application, environment, region, instance, clusterId, clusterIndex);
+        return Objects.hash(tenant, application, environment, region, instance, clusterId, clusterIndex, type);
     }
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceIdTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceIdTest.java
index 8c4e4c1262d..86b6c566987 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceIdTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/VespaUniqueInstanceIdTest.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.athenz.identityprovider.api;
 
 import org.junit.Test;
 
+import static com.yahoo.vespa.athenz.identityprovider.api.IdentityType.*;
 import static org.junit.Assert.*;
 
 /**
@@ -11,6 +12,18 @@ public class VespaUniqueInstanceIdTest {
 
     @Test
     public void can_serialize_to_and_deserialize_from_string() {
+        VespaUniqueInstanceId id =
+                new VespaUniqueInstanceId(1, "cluster-id", "instance", "application", "tenant", "region", "environment", TENANT);
+        String stringRepresentation = id.asDottedString();
+        String expectedStringRepresentation = "1.cluster-id.instance.application.tenant.region.environment.tenant";
+        assertEquals(expectedStringRepresentation, stringRepresentation);
+        VespaUniqueInstanceId deserializedId = VespaUniqueInstanceId.fromDottedString(stringRepresentation);
+        assertEquals(id, deserializedId);
+    }
+
+    // TODO Remove support for legacy representation without type
+    @Test
+    public void supports_legacy_representation_without_type() {
         VespaUniqueInstanceId id =
                 new VespaUniqueInstanceId(1, "cluster-id", "instance", "application", "tenant", "region", "environment");
         String stringRepresentation = id.asDottedString();
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
index a84435f2982..7ad465a7d80 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/AthenzIdentityProviderImplTest.java
@@ -11,6 +11,7 @@ import com.yahoo.test.ManualClock;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
@@ -132,7 +133,7 @@ public class AthenzIdentityProviderImplTest {
     }
 
     private static String getIdentityDocument() throws JsonProcessingException {
-        VespaUniqueInstanceId instanceId = new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", "us-north-1", "dev");
+        VespaUniqueInstanceId instanceId = new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", "us-north-1", "dev", IdentityType.TENANT);
         SignedIdentityDocument signedIdentityDocument = new SignedIdentityDocument(
                 new IdentityDocument(instanceId, "localhost", "x.y.com", Instant.EPOCH, Collections.emptySet()),
                 "dummysignature",
@@ -145,7 +146,8 @@ public class AthenzIdentityProviderImplTest {
                 "localhost",
                 "x.y.com",
                 Instant.EPOCH,
-                Collections.emptySet());
+                Collections.emptySet(),
+                IdentityType.TENANT);
 
         return new ObjectMapper().registerModule(new JavaTimeModule())
                 .writeValueAsString(EntityBindingsMapper.toSignedIdentityDocumentEntity(signedIdentityDocument));
-- 
cgit v1.2.3


From 78da30192dad43d338b9e3f04263dd7c83094b90 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime <bjorncs@oath.com>
Date: Thu, 31 May 2018 16:02:27 +0200
Subject: Use identity type to generate identity document

---
 .../identitydocument/IdentityDocumentGenerator.java    | 14 +++++++++-----
 .../identitydocument/IdentityDocumentResource.java     | 18 +++++-------------
 .../instanceconfirmation/InstanceValidator.java        |  1 +
 .../IdentityDocumentGeneratorTest.java                 |  5 +++--
 .../api/bindings/IdentityDocumentApi.java              |  6 ------
 5 files changed, 18 insertions(+), 26 deletions(-)

(limited to 'athenz-identity-provider-service')

diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
index 947c132167f..59126fd023f 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGenerator.java
@@ -7,6 +7,7 @@ import com.yahoo.net.HostName;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.hosted.athenz.instanceproviderservice.KeyProvider;
@@ -27,6 +28,8 @@ import java.util.Objects;
 import java.util.Set;
 
 /**
+ * Generates a signed identity document for a given hostname and type
+ *
  * @author mortent
  * @author bjorncs
  */
@@ -48,10 +51,10 @@ public class IdentityDocumentGenerator {
         this.keyProvider = keyProvider;
     }
 
-    public SignedIdentityDocument generateSignedIdentityDocument(String hostname) {
+    public SignedIdentityDocument generateSignedIdentityDocument(String hostname, IdentityType identityType) {
         Node node = nodeRepository.getNode(hostname).orElseThrow(() -> new RuntimeException("Unable to find node " + hostname));
         try {
-            IdentityDocument identityDocument = generateIdDocument(node);
+            IdentityDocument identityDocument = generateIdDocument(node, identityType);
             String identityDocumentString = Utils.getMapper().writeValueAsString(EntityBindingsMapper.toIdentityDocumentEntity(identityDocument));
 
             String encodedIdentityDocument =
@@ -76,13 +79,13 @@ public class IdentityDocumentGenerator {
                     identityDocument.instanceHostname(),
                     identityDocument.createdAt(),
                     identityDocument.ipAddresses(),
-                    null); // TODO Specify identity type
+                    identityType);
         } catch (Exception e) {
             throw new RuntimeException("Exception generating identity document: " + e.getMessage(), e);
         }
     }
 
-    private IdentityDocument generateIdDocument(Node node) {
+    private IdentityDocument generateIdDocument(Node node, IdentityType identityType) {
         Allocation allocation = node.allocation().orElseThrow(() -> new RuntimeException("No allocation for node " + node.hostname()));
         VespaUniqueInstanceId providerUniqueId = new VespaUniqueInstanceId(
                 allocation.membership().index(),
@@ -91,7 +94,8 @@ public class IdentityDocumentGenerator {
                 allocation.owner().application().value(),
                 allocation.owner().tenant().value(),
                 zone.region().value(),
-                zone.environment().value());
+                zone.environment().value(),
+                identityType);
 
         Set<String> ips = new HashSet<>(node.ipAddresses());
         return new IdentityDocument(
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
index 93668006e26..219e12c7223 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentResource.java
@@ -6,6 +6,7 @@ import com.yahoo.container.jaxrs.annotation.Component;
 import com.yahoo.jdisc.http.servlet.ServletRequest;
 import com.yahoo.log.LogLevel;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.IdentityDocumentApi;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
 import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal;
@@ -18,7 +19,6 @@ import javax.ws.rs.InternalServerErrorException;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import java.util.logging.Logger;
@@ -41,15 +41,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
         this.request = request;
     }
 
-    /**
-     * @deprecated Use {@link #getNodeIdentityDocument(String)} and {@link #getTenantIdentityDocument(String)} instead.
-     */
-    @GET
-    @Produces(MediaType.APPLICATION_JSON)
-    @Deprecated
-    @Override
-    // TODO Make this method private when the rest api is not longer in use
-    public SignedIdentityDocumentEntity getIdentityDocument(@QueryParam("hostname") String hostname) {
+    private SignedIdentityDocumentEntity getIdentityDocument(String hostname, IdentityType identityType) {
         if (hostname == null) {
             throw new BadRequestException("The 'hostname' query parameter is missing");
         }
@@ -67,7 +59,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
             throw new ForbiddenException();
         }
         try {
-            return EntityBindingsMapper.toSignedIdentityDocumentEntity(identityDocumentGenerator.generateSignedIdentityDocument(hostname));
+            return EntityBindingsMapper.toSignedIdentityDocumentEntity(identityDocumentGenerator.generateSignedIdentityDocument(hostname, identityType));
         } catch (Exception e) {
             String message = String.format("Unable to generate identity doument for '%s': %s", hostname, e.getMessage());
             log.log(LogLevel.ERROR, message, e);
@@ -80,7 +72,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
     @Path("/node/{host}")
     @Override
     public SignedIdentityDocumentEntity getNodeIdentityDocument(@PathParam("host") String host) {
-        return getIdentityDocument(host);
+        return getIdentityDocument(host, IdentityType.NODE);
     }
 
     @GET
@@ -88,7 +80,7 @@ public class IdentityDocumentResource implements IdentityDocumentApi {
     @Path("/tenant/{host}")
     @Override
     public SignedIdentityDocumentEntity getTenantIdentityDocument(@PathParam("host") String host) {
-        return getIdentityDocument(host);
+        return getIdentityDocument(host, IdentityType.TENANT);
     }
 
 }
diff --git a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
index e457df37946..0201c46b253 100644
--- a/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
+++ b/athenz-identity-provider-service/src/main/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/instanceconfirmation/InstanceValidator.java
@@ -82,6 +82,7 @@ public class InstanceValidator {
     }
 
     // If/when we dont care about logging exactly whats wrong, this can be simplified
+    // TODO Use identity type to determine if this check should be performed
     boolean isSameIdentityAsInServicesXml(ApplicationId applicationId, String domain, String service) {
 
         Optional<ApplicationInfo> applicationInfo = superModelProvider.getSuperModel().getApplicationInfo(applicationId);
diff --git a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
index f595289f8af..078ef1b7e39 100644
--- a/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
+++ b/athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/athenz/instanceproviderservice/identitydocument/IdentityDocumentGeneratorTest.java
@@ -15,6 +15,7 @@ import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.config.provision.Zone;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
+import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
 import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
@@ -81,7 +82,7 @@ public class IdentityDocumentGeneratorTest {
         AthenzProviderServiceConfig config = getAthenzProviderConfig("domain", "service", dnsSuffix, ZONE);
         IdentityDocumentGenerator identityDocumentGenerator =
                 new IdentityDocumentGenerator(config, nodeRepository, ZONE, keyProvider);
-        SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname);
+        SignedIdentityDocument signedIdentityDocument = identityDocumentGenerator.generateSignedIdentityDocument(containerHostname, IdentityType.TENANT);
 
         // Verify attributes
         assertEquals(containerHostname, signedIdentityDocument.identityDocument().instanceHostname());
@@ -92,7 +93,7 @@ public class IdentityDocumentGeneratorTest {
         assertEquals(expectedZoneDnsSuffix, signedIdentityDocument.dnsSuffix());
 
         VespaUniqueInstanceId expectedProviderUniqueId =
-                new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment);
+                new VespaUniqueInstanceId(0, "default", "default", "application", "tenant", region, environment, IdentityType.TENANT);
         assertEquals(expectedProviderUniqueId, signedIdentityDocument.providerUniqueId());
 
         // Validate that container ips are present
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java
index 775a49349a3..fc5392411c1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentApi.java
@@ -5,7 +5,6 @@ import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
-import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.MediaType;
 
 /**
@@ -14,11 +13,6 @@ import javax.ws.rs.core.MediaType;
 @Path("/identity-document")
 public interface IdentityDocumentApi {
 
-    @GET
-    @Produces(MediaType.APPLICATION_JSON)
-    @Deprecated
-    SignedIdentityDocumentEntity getIdentityDocument(@QueryParam("hostname") String hostname);
-
     @GET
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/node/{host}")
-- 
cgit v1.2.3