From 5396a7c1aad6c471f16be1e555dd752009053858 Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Fri, 28 Apr 2023 11:00:39 +0200
Subject: Include roles from logfwarder config in identity document
---
 .../athenz/identityprovider/api/EntityBindingsMapper.java | 6 +++++-
 .../vespa/athenz/identityprovider/api/IdentityDocument.java | 10 +++++++---
 .../api/bindings/IdentityDocumentEntity.java | 9 ++++++---
 .../identityprovider/api/EntityBindingsMapperTest.java | 5 +++++
 .../identityprovider/client/IdentityDocumentSignerTest.java | 12 +++++++-----
 5 files changed, 30 insertions(+), 12 deletions(-)
(limited to 'vespa-athenz/src')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
index a695e10a29c..786a4213adf 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapper.java
@@ -22,6 +22,7 @@ import java.nio.file.Path;
 import java.nio.file.StandardCopyOption;
 import java.time.Instant;
 import java.util.Base64;
+import java.util.List;
 import java.util.Optional;
 import static com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId.fromDottedString;
@@ -67,6 +68,7 @@ public class EntityBindingsMapper {
 Optional.ofNullable(docEntity.clusterType()).map(ClusterType::from).orElse(null),
 docEntity.ztsUrl(),
 Optional.ofNullable(docEntity.serviceIdentity()).map(AthenzIdentities::from).orElse(null),
+ List.of(),
 docEntity.unknownAttributes());
 return new LegacySignedIdentityDocument(
 docEntity.signature(),
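Review bot: The legacy mapping path hard-codes `List.of()` for roles in hunk @@ -67, while the non-legacy path in hunk @@ -146 of the same file passes `docEntity.roles()`; if the entity type used on the legacy path exposes a roles attribute, it is silently discarded here. If legacy documents by design never carry roles, record that on the line, e.g. `List.of(), // legacy documents carry no roles`; otherwise pass `docEntity.roles()` so the two paths agree. The enclosing method starts and ends outside the hunk, so I cannot tell from here which entity type `docEntity` is on this path.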
@@ -146,6 +148,7 @@ public class EntityBindingsMapper {
 Optional.ofNullable(docEntity.clusterType()).map(ClusterType::from).orElse(null),
 docEntity.ztsUrl(),
 Optional.ofNullable(docEntity.serviceIdentity()).map(AthenzIdentities::from).orElse(null),
+ docEntity.roles(),
 docEntity.unknownAttributes());
 }
@@ -160,7 +163,8 @@ public class EntityBindingsMapper {
 identityDocument.identityType().id(),
 Optional.ofNullable(identityDocument.clusterType()).map(ClusterType::toConfigValue).orElse(null),
 identityDocument.ztsUrl(),
- identityDocument.serviceIdentity().getFullName());
+ identityDocument.serviceIdentity().getFullName(),
+ identityDocument.roles());
 try {
 byte[] bytes = mapper.writeValueAsBytes(documentEntity);
 return Base64.getEncoder().encodeToString(bytes);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java
index 577584db185..7caa4555f25 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/IdentityDocument.java
@@ -6,7 +6,9 @@ import com.yahoo.vespa.athenz.api.AthenzService;
 import java.time.Instant;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 /**
@@ -16,7 +18,7 @@ import java.util.Set;
 public record IdentityDocument(VespaUniqueInstanceId providerUniqueId, AthenzService providerService, String configServerHostname, String instanceHostname, Instant createdAt, Set ipAddresses, IdentityType identityType, ClusterType clusterType, String ztsUrl,
- AthenzIdentity serviceIdentity, Map unknownAttributes) {
+ AthenzIdentity serviceIdentity, List roles, Map unknownAttributes) {
 public IdentityDocument {
 ipAddresses = Set.copyOf(ipAddresses);
@@ -27,13 +29,14 @@ public record IdentityDocument(VespaUniqueInstanceId providerUniqueId, AthenzSer
 }); // Map.copyOf() does not allow null values
 unknownAttributes = Map.copyOf(nonNull);
+ roles = Optional.ofNullable(roles).orElse(List.of());
 }
 public IdentityDocument(VespaUniqueInstanceId providerUniqueId, AthenzService providerService, String configServerHostname, String instanceHostname, Instant createdAt, Set ipAddresses, IdentityType identityType, ClusterType clusterType, String ztsUrl,
- AthenzIdentity serviceIdentity) {
- this(providerUniqueId, providerService, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, Map.of());
+ AthenzIdentity serviceIdentity, List roles) {
+ this(providerUniqueId, providerService, configServerHostname, instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, roles, Map.of());
 }
@@ -49,6 +52,7 @@ public record IdentityDocument(VespaUniqueInstanceId providerUniqueId, AthenzSer
 this.clusterType,
 this.ztsUrl,
 athenzService,
+ roles,
 this.unknownAttributes);
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java
index 946eacc67eb..263708f1ace 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/api/bindings/IdentityDocumentEntity.java
@@ -9,6 +9,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import java.time.Instant;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
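Review bot: In hunk @@ -27 the new line `roles = Optional.ofNullable(roles).orElse(List.of());` keeps the caller's list instance, unlike `ipAddresses` and `unknownAttributes`, which the same compact constructor snapshots with `Set.copyOf` and `Map.copyOf`; a mutable list handed in (for example the one Jackson builds when parsing IdentityDocumentEntity) stays mutable and shared through `roles()`, so the record is no longer immutable in that component. Because roles are part of the bytes that get signed (hunk @@ -160 in EntityBindingsMapper), an in-place edit after construction would change what a later serialization produces. `roles = roles == null ? List.of() : List.copyOf(roles);` gives the same null handling plus an immutable snapshot that also rejects null elements, consistent with the other two fields; with that form the added `java.util.Optional` import is no longer needed.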
@@ -19,7 +20,7 @@ import java.util.Set;
 @JsonInclude(JsonInclude.Include.NON_NULL)
 public record IdentityDocumentEntity(String providerUniqueId, String providerService, String configServerHostname, String instanceHostname, Instant createdAt, Set ipAddresses,
- String identityType, String clusterType, String ztsUrl, String serviceIdentity, Map unknownAttributes) {
+ String identityType, String clusterType, String ztsUrl, String serviceIdentity, List roles, Map unknownAttributes) {
 @JsonCreator
 public IdentityDocumentEntity(@JsonProperty("provider-unique-id") String providerUniqueId,
@@ -31,9 +32,10 @@ public record IdentityDocumentEntity(String providerUniqueId, String providerSer
 @JsonProperty("identity-type") String identityType,
 @JsonProperty("cluster-type") String clusterType,
 @JsonProperty("zts-url") String ztsUrl,
- @JsonProperty("service-identity") String serviceIdentity) {
+ @JsonProperty("service-identity") String serviceIdentity,
+ @JsonProperty("roles") List roles) {
 this(providerUniqueId, providerService, configServerHostname,
- instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, new HashMap<>());
+ instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, roles, new HashMap<>());
 }
 @JsonProperty("provider-unique-id") @Override public String providerUniqueId() { return providerUniqueId; }
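Review bot: The `@JsonCreator` constructor in hunk @@ -31 passes `roles` through unnormalized, so an entity parsed from a document written before this change has `roles() == null`; downstream that is masked only because IdentityDocument's compact constructor maps null to an empty list. Keeping the null in the entity appears deliberate, since `@JsonInclude(NON_NULL)` then omits `roles` on re-serialization and the old JSON round-trips unchanged, but nothing says so. Add a comment on the new parameter so nobody "fixes" it to `List.of()` and breaks that round-trip, e.g. `@JsonProperty("roles") List roles) { // null when absent in older documents; kept null so re-serialization omits the field`. The enclosing record continues outside the hunk.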
@@ -46,6 +48,7 @@ public record IdentityDocumentEntity(String providerUniqueId, String providerSer
 @JsonProperty("cluster-type") @Override public String clusterType() { return clusterType; }
 @JsonProperty("zts-url") @Override public String ztsUrl() { return ztsUrl; }
 @JsonProperty("service-identity") @Override public String serviceIdentity() { return serviceIdentity; }
+ @JsonProperty("roles") @Override public List roles() { return roles; }
 @JsonAnyGetter @Override public Map unknownAttributes() { return unknownAttributes; }
 @JsonAnySetter public void set(String name, Object value) { unknownAttributes.put(name, value); }
 }
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapperTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapperTest.java
index 513fb4cdbd3..cf5e02bfd79 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapperTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/api/EntityBindingsMapperTest.java
@@ -7,9 +7,11 @@ import org.junit.jupiter.api.Test;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
+import java.util.List;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 /**
@@ -47,6 +49,7 @@ class EntityBindingsMapperTest {
 assertTrue(json.contains(expectedMemberInJson), () -> "Expected JSON to contain '%s', but got \n'%s'".formatted(expectedMemberInJson, json));
 assertEquals(EntityBindingsMapper.mapper.readTree(originalJson), EntityBindingsMapper.mapper.readTree(json));
+ assertEquals(List.of(), entity.identityDocument().roles());
 }
 @Test
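Review bot: The new static import of `assertNotNull` in hunk @@ -7 of EntityBindingsMapperTest is not used by any line this commit adds to the file: the diffstat's five insertions for it are the two imports, the single `assertEquals` in hunk @@ -47 and the two blank lines in hunk @@ -84. Either drop `import static org.junit.jupiter.api.Assertions.assertNotNull;` or add the assertion it was meant for.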
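Review bot: The only coverage for the new field is the empty case: `assertEquals(List.of(), entity.identityDocument().roles());` in hunk @@ -47 here, and the `roles = List.of()` constant used by every IdentityDocumentSignerTest case (hunks @@ -44, @@ -65, @@ -81 and @@ -103 in that file), so a document that actually contains roles is never serialized, parsed back or signed in tests. Add one case with a non-empty list such as `List.of("role-a", "role-b")` (constructed sample), asserting it survives `toIdentityDocmentData` and the parse back, and one signer case asserting that the signature check fails when the verified document's roles differ from the signed ones; that failing check is what makes the roles in the document trustworthy to the consumer.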
@@ -84,4 +87,6 @@ class EntityBindingsMapperTest {
 assertEquals(EntityBindingsMapper.mapper.readTree(originalJson), EntityBindingsMapper.mapper.readTree(json));
 }
+
+
 }
\ No newline at end of file
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
index acb0905700f..334e0208c77 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identityprovider/client/IdentityDocumentSignerTest.java
@@ -19,6 +19,7 @@ import java.security.KeyPair;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.HashSet;
+import java.util.List;
 import static com.yahoo.vespa.athenz.identityprovider.api.IdentityType.TENANT;
 import static com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument.LEGACY_DEFAULT_DOCUMENT_VERSION;
@@ -44,13 +45,14 @@ public class IdentityDocumentSignerTest {
 private static final ClusterType clusterType = ClusterType.CONTAINER;
 private static final String ztsUrl = "https://foo";
 private static final AthenzIdentity serviceIdentity = new AthenzService("vespa", "node");
+ private static final List roles = List.of();
 @Test
 void legacy_generates_and_validates_signature() {
 IdentityDocumentSigner signer = new IdentityDocumentSigner();
 IdentityDocument identityDocument = new IdentityDocument(
 id, providerService, configserverHostname,
- instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity);
+ instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, roles);
 String signature = signer.generateLegacySignature(identityDocument, keyPair.getPrivate());
@@ -65,7 +67,7 @@ public class IdentityDocumentSignerTest {
 IdentityDocumentSigner signer = new IdentityDocumentSigner();
 IdentityDocument identityDocument = new IdentityDocument(
 id, providerService, configserverHostname,
- instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity);
+ instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, roles);
 String data = EntityBindingsMapper.toIdentityDocmentData(identityDocument);
 String signature = signer.generateSignature(data, keyPair.getPrivate());
@@ -81,10 +83,10 @@ public class IdentityDocumentSignerTest {
 IdentityDocumentSigner signer = new IdentityDocumentSigner();
 IdentityDocument identityDocument = new IdentityDocument(
 id, providerService, configserverHostname,
- instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity);
+ instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, roles);
 IdentityDocument withoutIgnoredFields = new IdentityDocument(
 id, providerService, configserverHostname,
- instanceHostname, createdAt, ipAddresses, identityType, null, null, serviceIdentity);
+ instanceHostname, createdAt, ipAddresses, identityType, null, null, serviceIdentity, roles);
 String signature = signer.generateLegacySignature(identityDocument, keyPair.getPrivate());
@@ -103,7 +105,7 @@ public class IdentityDocumentSignerTest {
 IdentityDocumentSigner signer = new IdentityDocumentSigner();
 IdentityDocument identityDocument = new IdentityDocument(
 id, providerService, configserverHostname,
- instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity);
+ instanceHostname, createdAt, ipAddresses, identityType, clusterType, ztsUrl, serviceIdentity, roles);
 String signature = signer.generateLegacySignature(identityDocument, keyPair.getPrivate());
-- 
cgit v1.2.3