From 0aea87ce6347b9c2e4d3a09caf58dfb3ceb44931 Mon Sep 17 00:00:00 2001
From: Ola Aunronning
Date: Fri, 28 Apr 2023 12:11:01 +0200
Subject: AthenzCredentialsMaintainer maintains role certificates
---
 .../api/IdentityDocumentClient.java | 2 ++
 .../identityprovider/api/bindings/RolesEntity.java | 10 +++++++
 .../client/DefaultIdentityDocumentClient.java | 35 ++++++++++++++++++++++
 3 files changed, 47 insertions(+)
 create mode 100644 vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/RolesEntity.java
(limited to 'vespa-athenz/src/main/java/com/yahoo')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
index a3c2f0264d3..522f40bc37d 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocumentClient.java
@@ -1,6 +1,7 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.identityprovider.api;
+import java.util.List;
 import java.util.Optional;
 import java.util.OptionalInt;
@@ -12,4 +13,5 @@ import java.util.OptionalInt;
 public interface IdentityDocumentClient {
 SignedIdentityDocument getNodeIdentityDocument(String host, int documentVersion);
 Optional getTenantIdentityDocument(String host, int documentVersion);
+ List getNodeRoles(String hostname);
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/RolesEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/RolesEntity.java
new file mode 100644
index 00000000000..220d291a93b
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/RolesEntity.java
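Review bot: The new `getNodeRoles` declaration on `IdentityDocumentClient` carries no Javadoc, and nothing in the interface says what the strings are or whether an empty list or an exception signals a node with no roles. I'd add `/** Returns the roles assigned to the node with the given hostname; empty when the node has none, never {@code null}. */` above the declaration, and state the failure mode the implementation actually has. The type parameter on `List` (and on `Optional` in the context line) appears stripped in this rendering, which looks like an artifact of the page rather than a raw type in the source.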
@@ -0,0 +1,10 @@
+package com.yahoo.vespa.athenz.identityprovider.api.bindings;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+/**
+ * @author olaa
+ */
+public record RolesEntity(@JsonProperty("roles") List roles) {}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
index f95a3335c24..749faf23254 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java
@@ -7,6 +7,7 @@ import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
 import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
 import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
+import com.yahoo.vespa.athenz.identityprovider.api.bindings.RolesEntity;
 import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.CloseableHttpResponse;
@@ -23,6 +24,7 @@ import java.io.IOException;
 import java.io.UncheckedIOException;
 import java.net.URI;
 import java.time.Duration;
+import java.util.List;
 import java.util.Optional;
 import java.util.function.Supplier;
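Review bot: `RolesEntity` hands back the deserialized list exactly as Jackson built it, so a response body that omits `roles` or sends `"roles": null` makes `roles()` return null, and that null is what `getNodeRoles` (in the later hunk) returns to its callers. A compact constructor normalizes and snapshots it in one line: `public record RolesEntity(@JsonProperty("roles") List roles) { public RolesEntity { roles = roles == null ? List.of() : List.copyOf(roles); } }`. `List.copyOf` additionally rejects null elements and makes the list immutable, which is the behavior you want for role names that presumably end up in certificate requests. The `@author` block could also say what the record is: `/** JSON binding for the config server's roles response: the names of the roles a node is a member of. */`.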
@@ -66,6 +68,39 @@ public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
 return getIdentityDocument(host, "tenant", documentVersion);
 }
+ @Override
+ public List getNodeRoles(String hostname) {
+ try (var client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
+ var uri = configserverUri
+ .resolve(IDENTITY_DOCUMENT_API)
+ .resolve("roles/")
+ .resolve(hostname);
+
+ var request = RequestBuilder.get()
+ .setUri(uri)
+ .addHeader("Connection", "close")
+ .addHeader("Accept", "application/json")
+ .build();
+ try (var response = client.execute(request)) {
+ String responseContent = EntityUtils.toString(response.getEntity());
+ int statusCode = response.getStatusLine().getStatusCode();
+ if (statusCode >= 200 && statusCode <= 299) {
+ var rolesEntity = objectMapper.readValue(responseContent, RolesEntity.class);
+ return rolesEntity.roles();
+ } else {
+ throw new RuntimeException(
+ String.format(
+ "Failed to retrieve roles for host %s: %d - %s",
+ hostname,
+ statusCode,
+ responseContent));
+ }
+ }
+ } catch (IOException e) {
+ throw new UncheckedIOException(e);
+ }
+ }
+
 private Optional getIdentityDocument(String host, String type, int documentVersion) {
 try (CloseableHttpClient client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
-- cgit v1.2.3
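Review bot: `hostname` is handed to `URI.resolve` unencoded, so a value containing `/`, `..`, `?` or `#` selects a different path on the config server, and a character that is illegal in a URI makes `resolve` throw `IllegalArgumentException` instead of a readable error. The value presumably comes from the node's own configuration, but the method is public on the interface and a guard is one line before the `var uri` assignment, e.g. `if (!hostname.matches("[A-Za-z0-9.-]+")) throw new IllegalArgumentException("Invalid hostname: " + hostname);` (widen the character class to whatever your hostnames actually use). Separately, `EntityUtils.toString(response.getEntity())` throws `IllegalArgumentException` in HttpCore 4 when the response carries no entity, so an entity-less error reply hides the status code that the `else` branch would otherwise report; `var entity = response.getEntity(); String responseContent = entity == null ? "" : EntityUtils.toString(entity);` keeps the diagnostic. `getIdentityDocument`, whose first two lines close the hunk, continues outside it.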