vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/DefaultIdentityDocumentClient.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118

// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.client;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.eclipse.jetty.http.HttpStatus;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.util.function.Supplier;

/**
 * Default implementation of {@link IdentityDocumentClient}
 *
 * @author bjorncs
 */
public class DefaultIdentityDocumentClient implements IdentityDocumentClient {

    private static final String IDENTITY_DOCUMENT_API = "/athenz/v1/provider/identity-document/";
    private static final ObjectMapper objectMapper = new ObjectMapper();

    private final Supplier<SSLContext> sslContextSupplier;
    private final HostnameVerifier hostnameVerifier;
    private final URI configserverUri;

    public DefaultIdentityDocumentClient(URI configserverUri,
                                         SSLContext sslContext,
                                         HostnameVerifier hostnameVerifier) {
        this.configserverUri = configserverUri;
        this.sslContextSupplier = () -> sslContext;
        this.hostnameVerifier = hostnameVerifier;
    }

    public DefaultIdentityDocumentClient(URI configserverUri,
                                         ServiceIdentityProvider identityProvider,
                                         HostnameVerifier hostnameVerifier) {
        this.configserverUri = configserverUri;
        this.sslContextSupplier = identityProvider::getIdentitySslContext;
        this.hostnameVerifier = hostnameVerifier;
    }

    @Override
    public SignedIdentityDocument getNodeIdentityDocument(String host) {
        return getIdentityDocument(host, "node");
    }

    @Override
    public SignedIdentityDocument getTenantIdentityDocument(String host) {
        return getIdentityDocument(host, "tenant");
    }

    private SignedIdentityDocument getIdentityDocument(String host, String type) {

        try (CloseableHttpClient client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
            URI uri = configserverUri
                    .resolve(IDENTITY_DOCUMENT_API)
                    .resolve(type + '/')
                    .resolve(host);
            HttpUriRequest request = RequestBuilder.get()
                    .setUri(uri)
                    .addHeader("Connection", "close")
                    .addHeader("Accept", "application/json")
                    .build();
            try (CloseableHttpResponse response = client.execute(request)) {
                String responseContent = EntityUtils.toString(response.getEntity());
                if (HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) {
                    SignedIdentityDocumentEntity entity = objectMapper.readValue(responseContent, SignedIdentityDocumentEntity.class);
                    return new SignedIdentityDocument(
                            EntityBindingsMapper.toIdentityDocument(entity.identityDocument),
                            entity.signature,
                            entity.signingKeyVersion,
                            VespaUniqueInstanceId.fromDottedString(entity.providerUniqueId),
                            entity.dnsSuffix,
                            (AthenzService) AthenzIdentities.from(entity.providerService),
                            entity.ztsEndpoint,
                            entity.documentVersion);
                } else {
                    throw new RuntimeException(
                            String.format(
                                    "Failed to retrieve identity document for host %s: %d - %s",
                                    host,
                                    response.getStatusLine().getStatusCode(),
                                    responseContent));
                }
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private static CloseableHttpClient createHttpClient(SSLContext sslContext,
                                                        HostnameVerifier hostnameVerifier) {
        return HttpClientBuilder.create()
                .setRetryHandler(new DefaultHttpRequestRetryHandler(3, /*requestSentRetryEnabled*/true))
                .setSSLContext(sslContext)
                .setSSLHostnameVerifier(hostnameVerifier)
                .setUserAgent("default-identity-document-client")
                .build();
    }

}