From 95abce019d97868f802570c733312f9bbebae624 Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Mon, 6 Aug 2018 17:14:32 +0200
Subject: Stop accepting self-signed certificates in NodeIdentifier

---
 .../hosted/provision/restapi/v2/filter/NodeIdentifier.java | 7 ++++---
 .../provision/restapi/v2/filter/NodeIdentifierTest.java | 14 +++++++++-----
 2 files changed, 13 insertions(+), 8 deletions(-)

(limited to 'node-repository')

diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
index 49f8b704c5e..90c24f6bb23 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.java
@@ -65,9 +65,10 @@ class NodeIdentifier {
         } else if (subjectCommonName.equals(ZTS_ON_PREM_IDENTITY) || subjectCommonName.equals(ZTS_AWS_IDENTITY)) {
             // ZTS treated as a node principal even though its not a Vespa node
             return NodePrincipal.withLegacyIdentity(subjectCommonName, certificateChain);
-        } else { // self-signed where common name is hostname
-            // TODO Remove this branch once self-signed certificates are gone
-            return NodePrincipal.withLegacyIdentity(subjectCommonName, certificateChain);
+        } else {
+            throw new NodeIdentifierException(String.format("Unknown certificate (subject=%s, issuer=%s)",
+                                                            subjectCommonName,
+                                                            X509CertificateUtils.getIssuerCommonNames(clientCertificate)));
         }
     }
 
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
index 20168074513..d02a666eb69 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
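Review bot: The new `else` rejects any subject CN outside the known set, but the identity decision in the visible branches still keys on `subjectCommonName` alone — the issuer is only consulted to format the message via `X509CertificateUtils.getIssuerCommonNames(clientCertificate)`, never to decide. Unless the chain has already been validated against a trusted CA before `resolveNode` is reached (not visible in this hunk), a self-signed certificate carrying `CN=` equal to `ZTS_ON_PREM_IDENTITY` or `ZTS_AWS_IDENTITY` would still be accepted by the preceding `else if`, so either assert the issuer there or state the precondition, e.g. `// Precondition: certificateChain was verified against the trusted CA set by the TLS layer; CN matching alone is not proof of identity`. Note also that `subjectCommonName` comes from the peer's certificate, so the formatted exception message carries untrusted text into whatever logs or responses it ends up in. The enclosing method begins before this hunk.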
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifierTest.java
@@ -21,7 +21,9 @@ import com.yahoo.vespa.hosted.provision.NodeRepositoryTester;
 import com.yahoo.vespa.hosted.provision.node.Allocation;
 import com.yahoo.vespa.hosted.provision.node.Generation;
 import com.yahoo.vespa.hosted.provision.provisioning.FlavorConfigBuilder;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 
 import javax.security.auth.x500.X500Principal;
 import java.security.KeyPair;
@@ -49,6 +51,9 @@ import static org.junit.Assert.assertTrue;
  */
 public class NodeIdentifierTest {
 
+    @Rule
+    public final ExpectedException expectedException = ExpectedException.none();
+
     private static final String CONTROLLER_IDENTITY = "vespa.vespa.hosting";
     private static final String HOSTNAME = "myhostname";
 
@@ -64,17 +69,16 @@ public class NodeIdentifierTest {
     private static final X509Certificate ATHENZ_AWS_CA_CERT = createDummyCaCertificate("Athenz AWS CA");
 
     @Test
-    public void accepts_configserver_selfsigned_cert() {
+    public void rejects_unknown_cert() {
         NodeRepositoryTester nodeRepositoryDummy = new NodeRepositoryTester();
         X509Certificate certificate = X509CertificateBuilder
                 .fromKeypair(
                         KEYPAIR, new X500Principal("CN=" + HOSTNAME), Instant.EPOCH, Instant.EPOCH.plusSeconds(60), SHA256_WITH_RSA, 1)
                 .build();
         NodeIdentifier identifier = new NodeIdentifier(ZONE, nodeRepositoryDummy.nodeRepository());
-        NodePrincipal identity = identifier.resolveNode(singletonList(certificate));
-        assertTrue(identity.getHostname().isPresent());
-        assertEquals(HOSTNAME, identity.getHostname().get());
-        assertEquals(HOSTNAME, identity.getHostIdentityName());
+        expectedException.expect(NodeIdentifier.NodeIdentifierException.class);
+        expectedException.expectMessage("(subject=myhostname, issuer=[myhostname])");
+        identifier.resolveNode(singletonList(certificate));
     }
 
     @Test
-- 
cgit v1.2.3
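Review bot: `rejects_unknown_cert` only shows that a self-signed certificate with an unrecognised CN (`myhostname`) is refused; it does not pin the case the commit title is about, a self-signed certificate whose CN matches an accepted identity. If `resolveNode` is meant to refuse that too, a sibling test building the same `X509CertificateBuilder` certificate with `new X500Principal("CN=" + CONTROLLER_IDENTITY)` and expecting `NodeIdentifier.NodeIdentifierException` would document it; if that rejection actually relies on chain validation elsewhere, a comment on this test saying so would keep the next reader from assuming CN matching is the only gate. Separately, `expectMessage` is a substring match, so asserting the full `(subject=myhostname, issuer=[myhostname])` text couples the test to the exact format string in `NodeIdentifier`; `expectedException.expectMessage("Unknown certificate (subject=" + HOSTNAME)` would survive a change to how the issuer list is rendered.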