athenz-identity-provider-service/src/test/java/com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiTest.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.ca.restapi;

import com.yahoo.application.container.handler.Request;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.Pkcs10Csr;
import com.yahoo.security.Pkcs10CsrUtils;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.config.SlimeUtils;
import com.yahoo.vespa.hosted.ca.CertificateTester;
import org.junit.Before;
import org.junit.Test;

import javax.net.ssl.SSLContext;
import java.net.URI;
import java.nio.charset.StandardCharsets;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;

/**
 * @author mpolden
 */
public class CertificateAuthorityApiTest extends ContainerTester {

    @Before
    public void before() {
        setCaCertificateAndKey();
    }

    @Test
    public void register_instance() throws Exception {
        // POST instance registration
        var csr = CertificateTester.createCsr("node1.example.com");
        assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/",
                                           instanceRegistrationJson(csr),
                                           Request.Method.POST));

        // POST instance registration with ZTS client
        var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault());
        var instanceIdentity = ztsClient.registerInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"),
                                                          new AthenzService("vespa.external", "tenant"),
                                                          "identity document generated by config server",
                                                          csr);
        assertEquals("CN=Vespa CA", instanceIdentity.certificate().getIssuerX500Principal().getName());
    }

    @Test
    public void refresh_instance() throws Exception {
        // POST instance refresh
        var csr = CertificateTester.createCsr("node1.example.com");
        assertIdentityResponse(new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com",
                                           instanceRefreshJson(csr),
                                           Request.Method.POST));

        // POST instance refresh with ZTS client
        var ztsClient = new DefaultZtsClient(URI.create("http://localhost:12345/ca/v1/"), SSLContext.getDefault());
        var instanceIdentity = ztsClient.refreshInstance(new AthenzService("vespa.external", "provider_prod_us-north-1"),
                                                          new AthenzService("vespa.external", "tenant"),
                                                          "node1.example.com",
                                                          csr);
        assertEquals("CN=Vespa CA", instanceIdentity.certificate().getIssuerX500Principal().getName());
    }

    @Test
    public void invalid_requests() {
        // POST instance registration with missing fields
        assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/ failed: Missing required field 'provider'\"}",
                       new Request("http://localhost:12345/ca/v1/instance/",
                                   new byte[0],
                                   Request.Method.POST));

        // POST instance registration without DNS name in CSR
        var csr = CertificateTester.createCsr();
        var request = new Request("http://localhost:12345/ca/v1/instance/",
                                  instanceRegistrationJson(csr),
                                  Request.Method.POST);
        assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/ failed: DNS name not found in CSR\"}", request);

        // POST instance refresh with missing field
        assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com failed: Missing required field 'csr'\"}",
                       new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node1.example.com",
                                   new byte[0],
                                   Request.Method.POST));

        // POST instance refresh where instanceId does not match CSR dnsName
        csr = CertificateTester.createCsr("node1.example.com");
        assertResponse(400, "{\"error-code\":\"BAD_REQUEST\",\"message\":\"POST http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node2.example.com failed: Mismatched instance ID and SAN DNS name [instanceId=node2.example.com,dnsName=node1.example.com]\"}",
                       new Request("http://localhost:12345/ca/v1/instance/vespa.external.provider_prod_us-north-1/vespa.external/tenant/node2.example.com",
                                   instanceRefreshJson(csr),
                                   Request.Method.POST));
    }

    private void setCaCertificateAndKey() {
        var keyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC, 256);
        var caCertificatePem = X509CertificateUtils.toPem(CertificateTester.createCertificate("Vespa CA", keyPair));
        var privateKeyPem = KeyUtils.toPem(keyPair.getPrivate());
        secretStore().setSecret("vespa.external.main.configserver.ca.cert.cert", caCertificatePem)
                     .setSecret("vespa.external.main.configserver.ca.key.key", privateKeyPem);
    }

    private void assertIdentityResponse(Request request) {
        assertResponse(200, (body) -> {
            var slime = SlimeUtils.jsonToSlime(body);
            var root = slime.get();
            assertEquals("vespa.external.provider_prod_us-north-1", root.field("provider").asString());
            assertEquals("tenant", root.field("service").asString());
            assertEquals("node1.example.com", root.field("instanceId").asString());
            var pemEncodedCertificate = root.field("x509Certificate").asString();
            assertTrue("Response contains PEM certificate",
                       pemEncodedCertificate.startsWith("-----BEGIN CERTIFICATE-----") &&
                       pemEncodedCertificate.endsWith("-----END CERTIFICATE-----\n"));
        }, request);
    }

    private static byte[] instanceRefreshJson(Pkcs10Csr csr) {
        var csrPem = Pkcs10CsrUtils.toPem(csr);
        var json  = "{\"csr\": \"" + csrPem + "\"}";
        return json.getBytes(StandardCharsets.UTF_8);
    }

    private static byte[] instanceRegistrationJson(Pkcs10Csr csr) {
        var csrPem = Pkcs10CsrUtils.toPem(csr);
        var json  = "{\n" +
               "  \"provider\": \"vespa.external.provider_prod_us-north-1\",\n" +
               "  \"domain\": \"vespa.external\",\n" +
               "  \"service\": \"tenant\",\n" +
               "  \"attestationData\": \"identity document generated by config server\",\n" +
               "  \"csr\": \"" + csrPem + "\"\n" +
               "}";
        return json.getBytes(StandardCharsets.UTF_8);
    }

}