controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/certificate/EndpointCertificatesHandler.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.restapi.certificate;

import com.yahoo.config.provision.ApplicationId;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.ThreadedHttpRequestHandler;
import com.yahoo.restapi.RestApiException;
import com.yahoo.restapi.StringResponse;
import com.yahoo.vespa.flags.BooleanFlag;
import com.yahoo.vespa.flags.FetchVector;
import com.yahoo.vespa.flags.PermanentFlags;
import com.yahoo.vespa.flags.StringFlag;
import com.yahoo.vespa.hosted.controller.Controller;
import com.yahoo.vespa.hosted.controller.api.integration.ServiceRegistry;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificate;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateProvider;
import com.yahoo.vespa.hosted.controller.api.integration.certificates.EndpointCertificateRequest;
import com.yahoo.vespa.hosted.controller.application.TenantAndApplicationId;
import com.yahoo.vespa.hosted.controller.certificate.AssignedCertificate;
import com.yahoo.vespa.hosted.controller.persistence.CuratorDb;
import com.yahoo.vespa.hosted.controller.persistence.EndpointCertificateSerializer;
import com.yahoo.vespa.hosted.controller.routing.EndpointConfig;

import java.util.List;
import java.util.Optional;
import java.util.concurrent.Executor;
import java.util.stream.Collectors;

import static com.yahoo.jdisc.http.HttpRequest.Method.GET;
import static com.yahoo.jdisc.http.HttpRequest.Method.POST;

/**
 * List all certificate requests for a system, with their requested DNS names.
 * Used for debugging, and verifying basic functionality of Cameo client in CD.
 *
 * @author andreer
 */

public class EndpointCertificatesHandler extends ThreadedHttpRequestHandler {

    private final EndpointCertificateProvider endpointCertificateProvider;
    private final CuratorDb curator;
    private final BooleanFlag useAlternateCertProvider;
    private final StringFlag endpointCertificateAlgo;
    private final Controller controller;

    public EndpointCertificatesHandler(Executor executor, ServiceRegistry serviceRegistry, CuratorDb curator, Controller controller) {
        super(executor);
        this.endpointCertificateProvider = serviceRegistry.endpointCertificateProvider();
        this.curator = curator;
        this.controller = controller;
        this.useAlternateCertProvider = PermanentFlags.USE_ALTERNATIVE_ENDPOINT_CERTIFICATE_PROVIDER.bindTo(controller.flagSource());
        this.endpointCertificateAlgo = PermanentFlags.ENDPOINT_CERTIFICATE_ALGORITHM.bindTo(controller.flagSource());
    }

    public HttpResponse handle(HttpRequest request) {
        if (request.getMethod().equals(GET)) return listEndpointCertificates();
        if (request.getMethod().equals(POST)) return reRequestEndpointCertificateFor(request.getProperty("application"), request.getProperty("ignoreExistingMetadata") != null);
        throw new RestApiException.MethodNotAllowed(request);
    }

    public HttpResponse listEndpointCertificates() {
        List<EndpointCertificateRequest> request = endpointCertificateProvider.listCertificates();

        String requestsWithNames = request.stream()
                                          .map(r -> r.requestId() + " : " +
                                                    String.join(", ", r.dnsNames().stream()
                                                                       .map(EndpointCertificateRequest.DnsNameStatus::dnsName)
                                                                       .collect(Collectors.joining(", "))))
                                          .collect(Collectors.joining("\n"));

        return new StringResponse(requestsWithNames);
    }

    public StringResponse reRequestEndpointCertificateFor(String instanceId, boolean ignoreExisting) {
        ApplicationId applicationId = ApplicationId.fromFullString(instanceId);
        if (controller.routing().endpointConfig(applicationId) == EndpointConfig.generated) {
            throw new IllegalArgumentException("Cannot re-request certificate. " + instanceId + " is assigned certificate from a pool");
        }
        try (var lock = curator.lock(TenantAndApplicationId.from(applicationId))) {
            AssignedCertificate assignedCertificate = curator.readAssignedCertificate(TenantAndApplicationId.from(applicationId), Optional.of(applicationId.instance()))
                                                             .orElseThrow(() -> new RestApiException.NotFound("No certificate found for application " + applicationId.serializedForm()));

            String algo = this.endpointCertificateAlgo.with(FetchVector.Dimension.INSTANCE_ID, applicationId.serializedForm()).value();
            boolean useAlternativeProvider = useAlternateCertProvider.with(FetchVector.Dimension.INSTANCE_ID, applicationId.serializedForm()).value();
            String keyPrefix = applicationId.toFullString();

            EndpointCertificate cert = endpointCertificateProvider.requestCaSignedCertificate(
                    keyPrefix, assignedCertificate.certificate().requestedDnsSans(),
                    ignoreExisting ?
                            Optional.empty() :
                            Optional.of(assignedCertificate.certificate()),
                    algo, useAlternativeProvider);

            curator.writeAssignedCertificate(assignedCertificate.with(cert));

            return new StringResponse(EndpointCertificateSerializer.toSlime(cert).toString());
        }
    }
}