1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.ca.restapi;
import com.google.inject.Inject;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.LoggingRequestHandler;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.restapi.Path;
import com.yahoo.restapi.SlimeJsonResponse;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.slime.Slime;
import com.yahoo.vespa.config.SlimeUtils;
import com.yahoo.vespa.hosted.ca.Certificates;
import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
import com.yahoo.vespa.hosted.provision.restapi.v2.ErrorResponse;
import com.yahoo.yolean.Exceptions;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.Optional;
import java.util.function.Function;
import java.util.logging.Level;
/**
* REST API for issuing and refreshing node certificates in a hosted Vespa system.
*
* The API implements the following subset of methods from the Athenz ZTS REST API:
*
* - Instance registration
* - Instance refresh
*
* @author mpolden
*/
public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
private final SecretStore secretStore;
private final Certificates certificates;
private final SystemName system;
@Inject
public CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Zone zone) {
this(ctx, secretStore, new Certificates(Clock.systemUTC()), zone.system());
}
CertificateAuthorityApiHandler(Context ctx, SecretStore secretStore, Certificates certificates, SystemName system) {
super(ctx);
this.secretStore = secretStore;
this.certificates = certificates;
this.system = system;
}
@Override
public HttpResponse handle(HttpRequest request) {
try {
switch (request.getMethod()) {
case POST: return handlePost(request);
default: return ErrorResponse.methodNotAllowed("Method " + request.getMethod() + " is unsupported");
}
} catch (IllegalArgumentException e) {
return ErrorResponse.badRequest(request.getMethod() + " " + request.getUri() + " failed: " + Exceptions.toMessageString(e));
} catch (RuntimeException e) {
log.log(Level.WARNING, "Unexpected error handling " + request.getMethod() + " " + request.getUri(), e);
return ErrorResponse.internalServerError(Exceptions.toMessageString(e));
}
}
private HttpResponse handlePost(HttpRequest request) {
Path path = new Path(request.getUri());
if (path.matches("/ca/v1/instance/")) return registerInstance(request);
if (path.matches("/ca/v1/instance/{provider}/{domain}/{service}/{instanceId}")) return refreshInstance(request, path.get("provider"), path.get("service"), path.get("instanceId"));
return ErrorResponse.notFoundError("Nothing at " + path);
}
private HttpResponse registerInstance(HttpRequest request) {
var instanceRegistration = deserializeRequest(request, InstanceSerializer::registrationFromSlime);
var certificate = certificates.create(instanceRegistration.csr(), caCertificate(), caPrivateKey());
var instanceId = Certificates.extractDnsName(instanceRegistration.csr());
var identity = new InstanceIdentity(instanceRegistration.provider(), instanceRegistration.service(), instanceId,
Optional.of(certificate));
return new SlimeJsonResponse(InstanceSerializer.identityToSlime(identity));
}
private HttpResponse refreshInstance(HttpRequest request, String provider, String service, String instanceId) {
var instanceRefresh = deserializeRequest(request, InstanceSerializer::refreshFromSlime);
var instanceIdFromCsr = Certificates.extractDnsName(instanceRefresh.csr());
if (!instanceIdFromCsr.equals(instanceId)) {
throw new IllegalArgumentException("Mismatched instance ID and SAN DNS name [instanceId=" + instanceId +
",dnsName=" + instanceIdFromCsr + "]");
}
var certificate = certificates.create(instanceRefresh.csr(), caCertificate(), caPrivateKey());
var identity = new InstanceIdentity(provider, service, instanceIdFromCsr, Optional.of(certificate));
return new SlimeJsonResponse(InstanceSerializer.identityToSlime(identity));
}
/** Returns CA certificate from secret store */
private X509Certificate caCertificate() {
var keyName = String.format("vespa.external.%s.configserver.ca.cert.cert", system.value().toLowerCase());
return X509CertificateUtils.fromPem(secretStore.getSecret(keyName));
}
/** Returns CA private key from secret store */
private PrivateKey caPrivateKey() {
var keyName = String.format("vespa.external.%s.configserver.ca.key.key", system.value().toLowerCase());
return KeyUtils.fromPemEncodedPrivateKey(secretStore.getSecret(keyName));
}
private static <T> T deserializeRequest(HttpRequest request, Function<Slime, T> serializer) {
try {
var slime = SlimeUtils.jsonToSlime(request.getData().readAllBytes());
return serializer.apply(slime);
} catch (IOException e) {
throw new UncheckedIOException(e);
}
}
}
|