1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.athenz.instanceproviderservice;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import com.google.inject.Inject;
import com.yahoo.container.jdisc.LoggingRequestHandler;
import com.yahoo.restapi.RestApi;
import com.yahoo.restapi.RestApiException;
import com.yahoo.restapi.RestApiRequestHandler;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityType;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
import java.util.logging.Level;
/**
* Handler implementing the Athenz Identity Provider API (Copper Argos).
*
* @author bjorncs
*/
public class IdentityProviderRequestHandler extends RestApiRequestHandler<IdentityProviderRequestHandler> {
private final IdentityDocumentGenerator documentGenerator;
private final InstanceValidator instanceValidator;
@Inject
public IdentityProviderRequestHandler(LoggingRequestHandler.Context context,
IdentityDocumentGenerator documentGenerator,
InstanceValidator instanceValidator) {
super(context, IdentityProviderRequestHandler::createRestApi);
this.documentGenerator = documentGenerator;
this.instanceValidator = instanceValidator;
}
private static RestApi createRestApi(IdentityProviderRequestHandler self) {
return RestApi.builder()
.addRoute(RestApi.route("/athenz/v1/provider/identity-document/node/{host}")
.get(self::getNodeIdentityDocument))
.addRoute(RestApi.route("/athenz/v1/provider/identity-document/tenant/{host}")
.get(self::getTenantIdentityDocument))
.addRoute(RestApi.route("/athenz/v1/provider/instance")
.post(InstanceConfirmation.class, self::confirmInstance))
.addRoute(RestApi.route("/athenz/v1/provider/refresh")
.post(InstanceConfirmation.class, self::confirmInstanceRefresh))
.registerJacksonRequestEntity(InstanceConfirmation.class)
.registerJacksonResponseEntity(InstanceConfirmation.class)
.registerJacksonResponseEntity(SignedIdentityDocumentEntity.class)
// Overriding object mapper to change serialization of timestamps
.setObjectMapper(new ObjectMapper()
.registerModule(new JavaTimeModule())
.registerModule(new Jdk8Module())
.configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, true))
.build();
}
private SignedIdentityDocumentEntity getNodeIdentityDocument(RestApi.RequestContext context) {
String host = context.pathParameters().getString("host").orElse(null);
return getIdentityDocument(host, IdentityType.NODE);
}
private SignedIdentityDocumentEntity getTenantIdentityDocument(RestApi.RequestContext context) {
String host = context.pathParameters().getString("host").orElse(null);
return getIdentityDocument(host, IdentityType.TENANT);
}
private InstanceConfirmation confirmInstance(RestApi.RequestContext context, InstanceConfirmation instanceConfirmation) {
log.log(Level.FINE, () -> instanceConfirmation.toString());
if (!instanceValidator.isValidInstance(instanceConfirmation)) {
log.log(Level.SEVERE, "Invalid instance: " + instanceConfirmation);
throw new RestApiException.Forbidden("Instance is invalid");
}
return instanceConfirmation;
}
private InstanceConfirmation confirmInstanceRefresh(RestApi.RequestContext context, InstanceConfirmation instanceConfirmation) {
log.log(Level.FINE, () -> instanceConfirmation.toString());
if (!instanceValidator.isValidRefresh(instanceConfirmation)) {
log.log(Level.SEVERE, "Invalid instance refresh: " + instanceConfirmation);
throw new RestApiException.Forbidden("Instance is invalid");
}
return instanceConfirmation;
}
private SignedIdentityDocumentEntity getIdentityDocument(String hostname, IdentityType identityType) {
if (hostname == null) {
throw new RestApiException.BadRequest("The 'hostname' query parameter is missing");
}
try {
return EntityBindingsMapper.toSignedIdentityDocumentEntity(documentGenerator.generateSignedIdentityDocument(hostname, identityType));
} catch (Exception e) {
String message = String.format("Unable to generate identity document for '%s': %s", hostname, e.getMessage());
log.log(Level.SEVERE, message, e);
throw new RestApiException.InternalServerError(message, e);
}
}
}
|