[HWORKS-825] Add parameter to set region in SAN FQDN (#1608)
SirOibaf committed Oct 31, 2023
1 parent a8202ec commit 23accc5
Showing 9 changed files with 71 additions and 54 deletions.
Expand Up @@ -98,7 +98,7 @@ public Response signCSR(CSRView csrView) throws CAException {
}

try {
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), APP);
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), APP, null);
String stringifiedCert = pkiUtils.convertToPEM(signedCert);
Pair<String, String> chainOfTrust = pki.getChainOfTrust(pkiUtils.getResponsibleCA(APP));
CSRView signedCsr = new CSRView(stringifiedCert, chainOfTrust.getLeft(), chainOfTrust.getRight());
Expand Up @@ -55,6 +55,7 @@ public class CSRView {
private String keyStore;
private String trustStore;
private String password;
private String region;

public CSRView() {

Expand Down Expand Up @@ -150,4 +151,13 @@ public String getPassword() {
public void setPassword(String password) {
this.password = password;
}

@ApiModelProperty(value = "Consul region to inject in the SAN Domain names")
public String getRegion() {
return region;
}

public void setRegion(String region) {
this.region = region;
}
}
Expand Up @@ -103,7 +103,7 @@ public Response signCSR(CSRView csrView) throws CAException {
}

try {
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), HOST);
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), HOST, csrView.getRegion());
String stringifiedCert = pkiUtils.convertToPEM(signedCert);
Pair<String, String> chainOfTrust = pki.getChainOfTrust(pkiUtils.getResponsibleCA(HOST));
CSRView signedCsr = new CSRView(stringifiedCert, chainOfTrust.getLeft(), chainOfTrust.getRight());
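Review bot: `csrView.getRegion()` is handed to `pki.signCertificateSigningRequest` without any check, yet the value is intended to become part of DNS names in the signed certificate's SubjectAlternativeName extension, so an unexpected region (empty string, embedded dots or other characters outside the DNS-label set, or a name that is not one of the deployment's regions) would be written into a certificate the CA vouches for. The same unchecked pass-through appears in the KUBE resource hunk below; the APP and PROJECT resources pass `null` and are unaffected. Since the caller is the host or kube agent rather than the CA itself, the safer shape is to validate before signing, e.g. `if (csrView.getRegion() != null && !csrView.getRegion().matches("[a-z0-9-]+")) { throw new CAException(RESTCodes-style error, "invalid region"); }` with the pattern adjusted to the region naming actually used (the exact error constructor is not visible here). The enclosing `signCSR` method begins before this hunk.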
Expand Up @@ -94,7 +94,7 @@ public Response signCSR(CSRView csrView) throws CAException {
}

try {
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), KUBE);
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), KUBE, csrView.getRegion());
String stringifiedCert = pkiUtils.convertToPEM(signedCert);
Pair<String, String> chainOfTrust = pki.getChainOfTrust(pkiUtils.getResponsibleCA(KUBE));
CSRView signedCsr = new CSRView(stringifiedCert, chainOfTrust.getLeft(), chainOfTrust.getRight());
Expand Up @@ -69,7 +69,7 @@ public Response signCSR(CSRView csrView) throws IOException, CAException {
}

try {
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), PROJECT);
X509Certificate signedCert = pki.signCertificateSigningRequest(csrView.getCsr(), PROJECT, null);
String stringifiedCert = pkiUtils.convertToPEM(signedCert);
Pair<String, String> chainOfTrust = pki.getChainOfTrust(pkiUtils.getResponsibleCA(PROJECT));
CSRView signedCsr = new CSRView(stringifiedCert, chainOfTrust.getLeft(), chainOfTrust.getRight());
Expand Up @@ -115,7 +115,6 @@
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
Expand Down Expand Up @@ -779,11 +778,9 @@ protected X509Certificate generateCertificate(CertificateGenerationParameters pa
return certificate;
}

public X509Certificate signCertificateSigningRequest(String csrStr, CertificateType certificateType)
throws CAInitializationException, IOException, CertificateEncodingException, CACertificateNotFoundException,
CertificateAlreadyExistsException, KeyException, NoSuchAlgorithmException, CertIOException,
OperatorCreationException, CertificateException, InvalidKeyException, SignatureException,
CertificationRequestValidationException {
public X509Certificate signCertificateSigningRequest(String csrStr, CertificateType certificateType, String region)
throws CAInitializationException, IOException, KeyException, NoSuchAlgorithmException,
OperatorCreationException, CertificateException, SignatureException, CertificationRequestValidationException {
try {
maybeInitializeCA();
} catch (Exception ex) {
Expand All @@ -793,8 +790,8 @@ public X509Certificate signCertificateSigningRequest(String csrStr, CertificateT
CAType caType = pkiUtils.getResponsibleCA(certificateType);
Function<ExtensionsBuilderParameter, Void>[] certificateExtensionsBuilder = getExtensionsBuilders(caType,
certificateType);
X509Certificate certificate = signCertificateSigningRequest(csrStr, certificateType, caType,
certificateExtensionsBuilder);
X509Certificate certificate =
signCertificateSigningRequest(csrStr, certificateType, caType, region, certificateExtensionsBuilder);
LOGGER.log(Level.FINE, "Signed certificate and going to Save");
saveNewCertificate(caType, certificate);
LOGGER.log(Level.FINE, "Saved certificate");
Expand Down Expand Up @@ -861,7 +858,7 @@ public X509Certificate signCertificateSigningRequest(String csrStr, CertificateT

Optional<String> l = parseX509Locality(b.certificationRequest);
if (l.isPresent()) {
GeneralName[] sanForUsername = getSanForUsername(l.get());
GeneralName[] sanForUsername = getSanForUsername(l.get(), b.region);
appendSubjectAlternativeNames(b.certificateBuilder, sanForUsername);

final Set<String> extraSanSet = new HashSet<>();
Expand All @@ -874,7 +871,7 @@ public X509Certificate signCertificateSigningRequest(String csrStr, CertificateT
}
});
if (!extraSanSet.isEmpty()) {
appendSubjectAlternativeNames(b.certificateBuilder, convertToGeneralNames(extraSanSet, false));
appendSubjectAlternativeNames(b.certificateBuilder, convertToGeneralNames(extraSanSet, false, null));
}
}
} catch (CertIOException ex) {
Expand All @@ -884,47 +881,47 @@ public X509Certificate signCertificateSigningRequest(String csrStr, CertificateT
return null;
};

GeneralName[] getSanForUsername(String username) {
GeneralName[] getSanForUsername(String username, String region) {
String normalizedUsername = usernamesConfiguration.getNormalizedUsername(username);
if (normalizedUsername == null) {
return EMTPY_GENERAL_NAMES;
}
switch (normalizedUsername) {
case "glassfish":
case "glassfishinternal":
return convertToGeneralNames(HopsworksService.GLASSFISH.domains(), true);
return convertToGeneralNames(HopsworksService.GLASSFISH.domains(), true, region);
case "hdfs":
return convertToGeneralNames(mergeSets(
HopsworksService.NAMENODE.domains(),
HopsworksService.SPARK_HISTORY_SERVER.domains()), true);
HopsworksService.SPARK_HISTORY_SERVER.domains()), true, region);
case "hive":
return convertToGeneralNames(HopsworksService.HIVE.domains(), true);
return convertToGeneralNames(HopsworksService.HIVE.domains(), true, region);
case "livy":
return convertToGeneralNames(HopsworksService.LIVY.domains(), true);
return convertToGeneralNames(HopsworksService.LIVY.domains(), true, region);
case "flink":
return convertToGeneralNames(HopsworksService.FLINK.domains(), true);
return convertToGeneralNames(HopsworksService.FLINK.domains(), true, region);
case "consul":
return convertToGeneralNames(HopsworksService.CONSUL.domains(), true);
return convertToGeneralNames(HopsworksService.CONSUL.domains(), true, region);
case "hopsmon":
return convertToGeneralNames(HopsworksService.PROMETHEUS.domains(), true);
return convertToGeneralNames(HopsworksService.PROMETHEUS.domains(), true, region);
case "zookeeper":
return convertToGeneralNames(HopsworksService.ZOOKEEPER.domains(), true);
return convertToGeneralNames(HopsworksService.ZOOKEEPER.domains(), true, region);
case "rmyarn":
return convertToGeneralNames(HopsworksService.RESOURCE_MANAGER.domains(), true);
return convertToGeneralNames(HopsworksService.RESOURCE_MANAGER.domains(), true, region);
case "onlinefs":
Set<String> onlinefsDomain = new HashSet<>();
onlinefsDomain.add(HopsworksService.MYSQL.getNameWithTag(MysqlTags.onlinefs));
return convertToGeneralNames(onlinefsDomain, true);
return convertToGeneralNames(onlinefsDomain, true, region);
case "elastic":
return convertToGeneralNames(HopsworksService.LOGSTASH.domains(), true);
return convertToGeneralNames(HopsworksService.LOGSTASH.domains(), true, region);
case "flyingduck":
return convertToGeneralNames(HopsworksService.FLYING_DUCK.domains(), true);
return convertToGeneralNames(HopsworksService.FLYING_DUCK.domains(), true, region);
case "kagent":
return convertToGeneralNames(HopsworksService.DOCKER_REGISTRY.domains(), true);
return convertToGeneralNames(HopsworksService.DOCKER_REGISTRY.domains(), true, region);
case "mysql":
return convertToGeneralNames(mergeSets(
HopsworksService.MYSQL.domains(),
HopsworksService.RDRS.domains()), true);
HopsworksService.RDRS.domains()), true, region);
default:
return EMTPY_GENERAL_NAMES;
}
Expand All @@ -938,15 +935,17 @@ Set<String> mergeSets(Set<String>... sets) {
return merged;
}

GeneralName[] convertToGeneralNames(Set<String> domains, boolean isServiceDiscoveryDomain) {
GeneralName[] convertToGeneralNames(Set<String> domains, boolean isServiceDiscoveryDomain, String region) {
GeneralName[] names = new GeneralName[domains.size()];
Iterator<String> i = domains.iterator();
int idx = 0;
while (i.hasNext()) {
String domain = i.next();
names[idx] = new GeneralName(GeneralName.dNSName,
isServiceDiscoveryDomain ? Utilities.constructServiceFQDN(domain,
caConf.getString(CAConf.CAConfKeys.SERVICE_DISCOVERY_DOMAIN)) : domain);
String fqdn = domain;
if (isServiceDiscoveryDomain) {
fqdn = Utilities.constructServiceFQDN(domain, caConf.getString(CAConf.CAConfKeys.SERVICE_DISCOVERY_DOMAIN));
}
names[idx] = new GeneralName(GeneralName.dNSName, fqdn);
idx++;
}
return names;
Expand Down Expand Up @@ -992,22 +991,27 @@ static class ExtensionsBuilderParameter {
private final X509v3CertificateBuilder certificateBuilder;
private final PKCS10CertificationRequest certificationRequest;
private final CertificateType certificateType;
private final String region;

private ExtensionsBuilderParameter(X509v3CertificateBuilder certificateBuilder,
PKCS10CertificationRequest certificationRequest, CertificateType certificateType) {
PKCS10CertificationRequest certificationRequest,
CertificateType certificateType, String region) {
this.certificateBuilder = certificateBuilder;
this.certificationRequest = certificationRequest;
this.certificateType = certificateType;
this.region = region;
}

static ExtensionsBuilderParameter of(X509v3CertificateBuilder certificateBuilder,
PKCS10CertificationRequest certificationRequest, CertificateType certificateType) {
return new ExtensionsBuilderParameter(certificateBuilder, certificationRequest, certificateType);
PKCS10CertificationRequest certificationRequest,
CertificateType certificateType,
String region) {
return new ExtensionsBuilderParameter(certificateBuilder, certificationRequest, certificateType, region);
}

@VisibleForTesting
static ExtensionsBuilderParameter of(X509v3CertificateBuilder certificateBuilder) {
return new ExtensionsBuilderParameter(certificateBuilder, null, CertificateType.APP);
return new ExtensionsBuilderParameter(certificateBuilder, null, CertificateType.APP, null);
}
}

Expand All @@ -1034,12 +1038,11 @@ protected Function<ExtensionsBuilderParameter, Void>[] getExtensionsBuilders(CAT
return EMTPY_CERTIFICATES_EXTENSION_BUILDERS;
}

protected X509Certificate signCertificateSigningRequest(String csrStr, CertificateType certificateType, CAType caType,
Function<ExtensionsBuilderParameter, Void>[] extensionsBuilders)
throws IOException, CertificateEncodingException, CACertificateNotFoundException,
CertificateAlreadyExistsException, KeyException, NoSuchAlgorithmException, CertIOException,
OperatorCreationException, CertificateException, InvalidKeyException, SignatureException,
CertificationRequestValidationException {
protected X509Certificate signCertificateSigningRequest(String csrStr, CertificateType certificateType,
CAType caType, String region,
Function<ExtensionsBuilderParameter, Void>[] extensionsBuilders)
throws IOException, KeyException, NoSuchAlgorithmException, OperatorCreationException, CertificateException,
SignatureException, CertificationRequestValidationException {
LOGGER.log(Level.FINE, "Signing CSR for type " + certificateType);
PKCS10CertificationRequest csr = parseCertificateRequest(csrStr);
if (!certificateType.equals(CertificateType.APP)) {
Expand Down Expand Up @@ -1094,7 +1097,7 @@ protected X509Certificate signCertificateSigningRequest(String csrStr, Certifica
extUtils.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo()));
try {
for (Function<ExtensionsBuilderParameter, Void> f : extensionsBuilders) {
f.apply(ExtensionsBuilderParameter.of(builder, csr, certificateType));
f.apply(ExtensionsBuilderParameter.of(builder, csr, certificateType, region));
}
} catch (Exception ex) {
throw new CertIOException("Failed to add extension to certificate", ex);
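Review bot: The new `region` parameter of `convertToGeneralNames` (`GeneralName[] convertToGeneralNames(Set<String> domains, boolean isServiceDiscoveryDomain, String region)`) is never read in the rewritten body: `fqdn` is still built only from `domain` and `CAConf.CAConfKeys.SERVICE_DISCOVERY_DOMAIN`, so the region threaded from the REST resources through `getSanForUsername` and `ExtensionsBuilderParameter` has no effect on the SANs that are emitted. The method's closing brace sits past the hunk, but `return names;` is the last statement shown, so nothing after it can consume the value; if a region-aware overload of `Utilities.constructServiceFQDN` exists it should be called here, otherwise the region has to be spliced into the FQDN in this loop. Whichever form is chosen, the method needs a Javadoc that states how `region` changes the resulting name and what a `null` region means, since the only documentation of the feature is the `@ApiModelProperty` on `CSRView.getRegion()`. Passing `null` region for the CSR's extra SANs (`convertToGeneralNames(extraSanSet, false, null)`) looks deliberate and is fine as those names are taken verbatim.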
Expand Up @@ -149,7 +149,7 @@ public void testRevokeCertificate() throws Exception {
new JcaContentSignerBuilder("SHA256withRSA").build(requesterKeypair.getPrivate()));
String stringifiedCSR = stringifyCSR(csr);

pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.HOST);
pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.HOST, null);
Mockito.verify(pkiCertificateFacade, Mockito.atLeastOnce()).saveCertificate(pkiCertificateCaptor.capture());
// First 3 captures come from PKI initialization
PKICertificate pkiCertificate = pkiCertificateCaptor.getAllValues().get(3);
Expand Up @@ -100,7 +100,7 @@ public void testSigning() throws Exception {
Assert.assertTrue(l.isPresent());
Assert.assertEquals("hdfs", l.get());

X509Certificate certificate = pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP);
X509Certificate certificate = pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP, null);
Assert.assertEquals(csr.getSubject().toString(), certificate.getSubjectDN().toString());
Assert.assertEquals(pki.getCaCertificates().get(CAType.INTERMEDIATE).getSubjectDN().toString(),
certificate.getIssuerDN().toString());
Expand Down Expand Up @@ -146,7 +146,7 @@ public void testSigningAppCertificateExists() throws Exception {


thrown.expect(CertificateAlreadyExistsException.class);
pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP);
pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP, null);
}

@Test
Expand Down Expand Up @@ -181,7 +181,7 @@ public void testSigningHostCloudCertificateExists() throws Exception {
new JcaContentSignerBuilder("SHA256withRSA").build(requesterKeypair.getPrivate()));
String stringifiedCSR = stringifyCSR(csr);

X509Certificate certificate = pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.HOST);
X509Certificate certificate = pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.HOST, null);
Assert.assertNotNull(certificate);
}

Expand Down Expand Up @@ -216,7 +216,7 @@ public void testCertificateExtensionsBuilderCalled() throws Exception {
return null;
};
Function<PKI.ExtensionsBuilderParameter, Void>[] extensionsBuilders = new Function[]{ extensionsBuilder };
pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP, CAType.INTERMEDIATE, extensionsBuilders);
pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP, CAType.INTERMEDIATE, null, extensionsBuilders);
Assert.assertTrue(check.get());
}

Expand Down Expand Up @@ -525,7 +525,8 @@ public void testSANCertificateExtensionsBuilderDNSSAN() throws Exception {
csr.getSubjectPublicKeyInfo());


pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST));
pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(
PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST, null));
ContentSigner signer = new JcaContentSignerBuilder(PKI.SIGNATURE_ALGORITHM)
.build(keyPair.getPrivate());
X509CertificateHolder holder = builder.build(signer);
Expand Down Expand Up @@ -560,7 +561,8 @@ public void testSANCertificateExtensionsBuilderDNSSAN() throws Exception {
csr.getSubjectPublicKeyInfo());


pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST));
pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(
PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST, null));
signer = new JcaContentSignerBuilder(PKI.SIGNATURE_ALGORITHM).build(keyPair.getPrivate());
holder = builder.build(signer);
Assert.assertEquals(1, holder.getNonCriticalExtensionOIDs().size());
Expand Down Expand Up @@ -594,7 +596,8 @@ public void testSANCertificateExtensionsBuilderDNSSAN() throws Exception {
csr.getSubjectPublicKeyInfo());


pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST));
pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(
PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST, null));
signer = new JcaContentSignerBuilder(PKI.SIGNATURE_ALGORITHM).build(keyPair.getPrivate());
holder = builder.build(signer);
Assert.assertEquals(1, holder.getNonCriticalExtensionOIDs().size());
Expand Down Expand Up @@ -624,7 +627,8 @@ public void testSANCertificateExtensionsBuilderDNSSAN() throws Exception {
csr.getSubjectPublicKeyInfo());


pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST));
pki.SAN_CERTIFICATE_EXTENSIONS_BUILDER.apply(
PKI.ExtensionsBuilderParameter.of(builder, csr, CertificateType.HOST, null));
signer = new JcaContentSignerBuilder(PKI.SIGNATURE_ALGORITHM).build(keyPair.getPrivate());
holder = builder.build(signer);
Assert.assertEquals(1, holder.getNonCriticalExtensionOIDs().size());
Expand Up @@ -66,7 +66,7 @@ public void testCreateKeystores() throws Exception {
PKCS10CertificationRequest csr = csrBuilder.build(
new JcaContentSignerBuilder("SHA256withRSA").build(requesterKeypair.getPrivate()));
String stringifiedCSR = stringifyCSR(csr);
X509Certificate certificate = pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP);
X509Certificate certificate = pki.signCertificateSigningRequest(stringifiedCSR, CertificateType.APP, null);
Assert.assertNotNull(certificate);

X509Certificate rootCA = pki.getCaCertificates().get(CAType.ROOT);
