1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.identityprovider.client;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import com.yahoo.vespa.athenz.identityprovider.api.bindings.SignedIdentityDocumentEntity;
import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.DefaultHttpRequestRetryHandler;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.eclipse.jetty.http.HttpStatus;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.util.function.Supplier;
/**
* Default implementation of {@link IdentityDocumentClient}
*
* @author bjorncs
*/
public class DefaultIdentityDocumentClient implements IdentityDocumentClient {
private static final String IDENTITY_DOCUMENT_API = "/athenz/v1/provider/identity-document/";
private static final ObjectMapper objectMapper = new ObjectMapper();
private final Supplier<SSLContext> sslContextSupplier;
private final HostnameVerifier hostnameVerifier;
private final URI configserverUri;
public DefaultIdentityDocumentClient(URI configserverUri,
SSLContext sslContext,
HostnameVerifier hostnameVerifier) {
this.configserverUri = configserverUri;
this.sslContextSupplier = () -> sslContext;
this.hostnameVerifier = hostnameVerifier;
}
public DefaultIdentityDocumentClient(URI configserverUri,
ServiceIdentityProvider identityProvider,
HostnameVerifier hostnameVerifier) {
this.configserverUri = configserverUri;
this.sslContextSupplier = identityProvider::getIdentitySslContext;
this.hostnameVerifier = hostnameVerifier;
}
@Override
public SignedIdentityDocument getNodeIdentityDocument(String host) {
return getIdentityDocument(host, "node");
}
@Override
public SignedIdentityDocument getTenantIdentityDocument(String host) {
return getIdentityDocument(host, "tenant");
}
private SignedIdentityDocument getIdentityDocument(String host, String type) {
try (CloseableHttpClient client = createHttpClient(sslContextSupplier.get(), hostnameVerifier)) {
URI uri = configserverUri
.resolve(IDENTITY_DOCUMENT_API)
.resolve(type + '/')
.resolve(host);
HttpUriRequest request = RequestBuilder.get()
.setUri(uri)
.addHeader("Connection", "close")
.addHeader("Accept", "application/json")
.build();
try (CloseableHttpResponse response = client.execute(request)) {
String responseContent = EntityUtils.toString(response.getEntity());
if (HttpStatus.isSuccess(response.getStatusLine().getStatusCode())) {
SignedIdentityDocumentEntity entity = objectMapper.readValue(responseContent, SignedIdentityDocumentEntity.class);
return new SignedIdentityDocument(
EntityBindingsMapper.toIdentityDocument(entity.identityDocument),
entity.signature,
entity.signingKeyVersion,
VespaUniqueInstanceId.fromDottedString(entity.providerUniqueId),
entity.dnsSuffix,
(AthenzService) AthenzIdentities.from(entity.providerService),
entity.ztsEndpoint,
entity.documentVersion);
} else {
throw new RuntimeException(
String.format(
"Failed to retrieve identity document for host %s: %d - %s",
host,
response.getStatusLine().getStatusCode(),
responseContent));
}
}
} catch (IOException e) {
throw new UncheckedIOException(e);
}
}
private static CloseableHttpClient createHttpClient(SSLContext sslContext,
HostnameVerifier hostnameVerifier) {
return HttpClientBuilder.create()
.setRetryHandler(new DefaultHttpRequestRetryHandler(3, /*requestSentRetryEnabled*/true))
.setSSLContext(sslContext)
.setSSLHostnameVerifier(hostnameVerifier)
.setUserAgent("default-identity-document-client")
.build();
}
}
|