From 01e1c1bfc9180c62d88501d9c4c29585cdca46fc Mon Sep 17 00:00:00 2001
From: Tor Brede Vekterli
Date: Thu, 15 Jun 2023 14:46:15 +0200
Subject: Simplify token API by using fixed context for fingerprints
Fingerprints are now always derived using the a fixed context of `Vespa token fingerprint`. Enforcement has been added that a `TokenDomain` cannot be initialized with a context equal to the fingerprint context. This changes the fingerprint outputs from their previous values, but that's fine since they are not yet in use anywhere.
---
 .../yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java | 2 +-
 .../jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'jdisc-security-filters')
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
index b2a71d2e1b9..07f586b2123 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilter.java
@@ -63,7 +63,7 @@ public class CloudDataPlaneFilter extends JsonSecurityRequestFilterBase {
 CloudDataPlaneFilter(CloudDataPlaneFilterConfig cfg, X509Certificate reverseProxyCert) {
 this.legacyMode = cfg.legacyMode();
- this.tokenDomain = new TokenDomain(new byte[0], cfg.tokenContext().getBytes(StandardCharsets.UTF_8));
+ this.tokenDomain = TokenDomain.of(cfg.tokenContext());
 if (legacyMode) {
 allowedClients = List.of();
 log.fine(() -> "Legacy mode enabled");
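Review bot: `TokenDomain.of(cfg.tokenContext())` is now the only guard between a deployment-supplied config string and the reserved fingerprint context, and nothing at this call site says so. Per the commit description, `TokenDomain` refuses a context equal to `Vespa token fingerprint`; assuming that refusal is an exception, a colliding `tokenContext` now aborts filter construction, which is the safe direction but deserves a comment such as `// tokenContext domain-separates token check hashes; TokenDomain.of rejects the reserved fingerprint context`. The removed line was the only visible user of `StandardCharsets` in this hunk, so the import may now be unused and should be checked against the rest of the file. The constructor body continues past the end of the hunk.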
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java
index e81ef45d3af..d05baccc069 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cloud/CloudDataPlaneFilterTest.java
@@ -53,9 +53,9 @@ class CloudDataPlaneFilterTest {
 private static final String TOKEN_CONTEXT = "my-token-context";
 private static final String TOKEN_ID = "my-token-id";
 private static final Token VALID_TOKEN =
- TokenGenerator.generateToken(TokenDomain.of("fp-ctx", TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES);
+ TokenGenerator.generateToken(TokenDomain.of(TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES);
 private static final Token UNKNOWN_TOKEN =
- TokenGenerator.generateToken(TokenDomain.of("fp-ctx", TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES);
+ TokenGenerator.generateToken(TokenDomain.of(TOKEN_CONTEXT), "vespa_token_", CHECK_HASH_BYTES);
 @Test
 void accepts_any_trusted_client_certificate_in_legacy_mode() {
-- 
cgit v1.2.3
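Review bot: Nothing visible in this hunk exercises a `tokenContext` equal to the reserved fingerprint context, which is the one new failure path this change gives the filter constructor. The page is limited to `jdisc-security-filters`, so the enforcement may well be tested where `TokenDomain` is defined. A filter-level case asserting that construction fails for that value would still pin the fail-closed behaviour at the point where configuration enters. The test class continues outside the hunk, so such a case may already exist further down.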