diff --git a/clients/go/zms/client.go b/clients/go/zms/client.go
index b85dbb63f76..85cc729f2e1 100644
--- a/clients/go/zms/client.go
+++ b/clients/go/zms/client.go
@@ -8,6 +8,7 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
+ rdl "github.com/ardielle/ardielle-go/rdl"
 "io"
 "io/ioutil"
 "net/http"
@@ -15,8 +16,6 @@ import (
 "strconv"
 "strings"
 "time"
-
- rdl "github.com/ardielle/ardielle-go/rdl"
 )
 var _ = json.Marshal
diff --git a/clients/go/zms/model.go b/clients/go/zms/model.go
index 11581bfd865..62d7c99ed27 100644
--- a/clients/go/zms/model.go
+++ b/clients/go/zms/model.go
@@ -7,7 +7,6 @@ package zms
 import (
 "encoding/json"
 "fmt"
- rdl "github.com/ardielle/ardielle-go/rdl"
 )
diff --git a/clients/go/zts/model.go b/clients/go/zts/model.go
index 906bce24b7d..ffcdceeda14 100644
--- a/clients/go/zts/model.go
+++ b/clients/go/zts/model.go
@@ -1758,6 +1758,12 @@ func (self *InstanceRegisterInformation) Validate() error {
 //
 type InstanceRefreshInformation struct {
+ //
+ // identity attestation data including document with its signature containing
+ // attributes like IP address, instance-id, account#, etc.
+ //
+ AttestationData string `json:"attestationData,omitempty" rdl:"optional"`
+
 //
 // the Certificate Signing Request for the expected X.509 certificate in the
 // response
diff --git a/clients/go/zts/zts_schema.go b/clients/go/zts/zts_schema.go
index 9785e3d6dc6..9a3c10670fe 100644
--- a/clients/go/zts/zts_schema.go
+++ b/clients/go/zts/zts_schema.go
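Review bot: The `rdl` import is moved into the standard-library block at `+ rdl "github.com/ardielle/ardielle-go/rdl"` while the second hunk of client.go deletes it from its own blank-line-separated group; gofmt/goimports keep third-party imports in a separate group, so the next formatter run will undo this, and the reorder adds unrelated churn to a change about attestation data. Keep the original layout: `"time"`, a blank line, then `rdl "github.com/ardielle/ardielle-go/rdl"` before `)`. If clients/go is emitted by the rdl generator, the template that produces the import block is the place to fix rather than the generated file.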
@@ -254,6 +254,7 @@ func init() {
 sb.AddType(tInstanceRegisterInformation.Build())
 tInstanceRefreshInformation := rdl.NewStructTypeBuilder("Struct", "InstanceRefreshInformation")
+ tInstanceRefreshInformation.Field("attestationData", "String", true, nil, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
 tInstanceRefreshInformation.Field("csr", "String", true, nil, "the Certificate Signing Request for the expected X.509 certificate in the response")
 tInstanceRefreshInformation.Field("ssh", "String", true, nil, "if present, return an SSH host certificate. Format is JSON.")
 tInstanceRefreshInformation.Field("token", "Bool", true, nil, "if true, return a service token signed by ZTS for this service")
diff --git a/core/zts/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderSchema.java b/core/zts/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderSchema.java
index 47a6f532474..8c9fa64075c 100644
--- a/core/zts/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderSchema.java
+++ b/core/zts/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderSchema.java
@@ -89,6 +89,18 @@ private static Schema build() {
 .exception("UNAUTHORIZED", "ResourceError", "")
 ;
+ sb.resource("InstanceConfirmation", "POST", "/refresh")
+ .name("PostRefreshConfirmation")
+ .input("confirmation", "InstanceConfirmation", "")
+ .auth("", "", true)
+ .expected("OK")
+ .exception("BAD_REQUEST", "ResourceError", "")
+
+ .exception("FORBIDDEN", "ResourceError", "")
+
+ .exception("UNAUTHORIZED", "ResourceError", "")
+;
+
 return sb.build();
 }
diff --git a/core/zts/src/main/java/com/yahoo/athenz/zts/InstanceRefreshInformation.java b/core/zts/src/main/java/com/yahoo/athenz/zts/InstanceRefreshInformation.java
index d7e76fa36e0..20c23c76781 100644
--- a/core/zts/src/main/java/com/yahoo/athenz/zts/InstanceRefreshInformation.java
+++ b/core/zts/src/main/java/com/yahoo/athenz/zts/InstanceRefreshInformation.java
@@ -10,6 +10,9 @@
 // InstanceRefreshInformation -
 //
 public class InstanceRefreshInformation {
+ @RdlOptional
+ @JsonInclude(JsonInclude.Include.NON_EMPTY)
+ public String attestationData;
 @RdlOptional
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
 public String csr;
@@ -20,6 +23,13 @@ public class InstanceRefreshInformation {
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
 public Boolean token;
+ public InstanceRefreshInformation setAttestationData(String attestationData) {
+ this.attestationData = attestationData;
+ return this;
+ }
+ public String getAttestationData() {
+ return attestationData;
+ }
 public InstanceRefreshInformation setCsr(String csr) {
 this.csr = csr;
 return this;
@@ -49,6 +59,9 @@ public boolean equals(Object another) {
 return false;
 }
 InstanceRefreshInformation a = (InstanceRefreshInformation) another;
+ if (attestationData == null ? a.attestationData != null : !attestationData.equals(a.attestationData)) {
+ return false;
+ }
 if (csr == null ? a.csr != null : !csr.equals(a.csr)) {
 return false;
 }
diff --git a/core/zts/src/main/java/com/yahoo/athenz/zts/ZTSSchema.java b/core/zts/src/main/java/com/yahoo/athenz/zts/ZTSSchema.java
index a684b7031a9..601bd390d51 100644
--- a/core/zts/src/main/java/com/yahoo/athenz/zts/ZTSSchema.java
+++ b/core/zts/src/main/java/com/yahoo/athenz/zts/ZTSSchema.java
@@ -217,6 +217,7 @@ private static Schema build() {
 .field("token", "Bool", true, "if true, return a service token signed by ZTS for this service");
 sb.structType("InstanceRefreshInformation")
+ .field("attestationData", "String", true, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
 .field("csr", "String", true, "the Certificate Signing Request for the expected X.509 certificate in the response")
 .field("ssh", "String", true, "if present, return an SSH host certificate. Format is JSON.")
 .field("token", "Bool", true, "if true, return a service token signed by ZTS for this service");
diff --git a/core/zts/src/main/rdl/Instance.rdli b/core/zts/src/main/rdl/Instance.rdli
index 75d6fd89730..0347a296d71 100644
--- a/core/zts/src/main/rdl/Instance.rdli
+++ b/core/zts/src/main/rdl/Instance.rdli
@@ -14,6 +14,7 @@ type InstanceRegisterInformation Struct {
 }
 type InstanceRefreshInformation Struct {
+ String attestationData (optional); //identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.
 String csr (optional); //the Certificate Signing Request for the expected X.509 certificate in the response
 String ssh (optional); //if present, return an SSH host certificate. Format is JSON.
 Bool token (optional); //if true, return a service token signed by ZTS for this service
diff --git a/core/zts/src/main/rdl/InstanceProvider.rdli b/core/zts/src/main/rdl/InstanceProvider.rdli
index 022710943a7..9ddac1eb44a 100644
--- a/core/zts/src/main/rdl/InstanceProvider.rdli
+++ b/core/zts/src/main/rdl/InstanceProvider.rdli
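Review bot: The comment on the new `String attestationData (optional);` field in Instance.rdli describes what the value contains but not its encoding or who is expected to verify it, whereas the sibling `ssh` field states `Format is JSON.`; since this .rdli is the source that the Go model, zts_schema.go, ZTSSchema.java and InstanceRefreshInformation.java copies on this page are generated from, the wording should be fixed here rather than in any of those. Extend the comment to state the encoding the client must send, and, if it holds, that ZTS does not interpret the value and passes it to the provider's `/refresh` confirmation added in this commit — that pass-through is inferred from the InstanceProvider.rdli change and should be checked against the ZTS handler before it goes into the comment. The hunk's enclosing `type InstanceRefreshInformation Struct {` closes outside the hunk.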
@@ -21,3 +21,14 @@ resource InstanceConfirmation POST "/instance" {
 ResourceError UNAUTHORIZED;
 }
 }
+
+resource InstanceConfirmation POST "/refresh" (name=PostRefreshConfirmation) {
+ InstanceConfirmation confirmation;
+ authenticate;
+ expected OK;
+ exceptions {
+ ResourceError BAD_REQUEST;
+ ResourceError FORBIDDEN;
+ ResourceError UNAUTHORIZED;
+ }
+}
diff --git a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderClient.java b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderClient.java
index add402dec0d..35980048f18 100644
--- a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderClient.java
+++ b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/InstanceProviderClient.java
@@ -66,4 +66,22 @@ public InstanceConfirmation postInstanceConfirmation(InstanceConfirmation confir
 }
+ public InstanceConfirmation postRefreshConfirmation(InstanceConfirmation confirmation) {
+ WebTarget target = base.path("/refresh");
+ Invocation.Builder invocationBuilder = target.request("application/json");
+ if (credsHeader != null) {
+ invocationBuilder = credsHeader.startsWith("Cookie.") ? invocationBuilder.cookie(credsHeader.substring(7),
+ credsToken) : invocationBuilder.header(credsHeader, credsToken);
+ }
+ Response response = invocationBuilder.post(javax.ws.rs.client.Entity.entity(confirmation, "application/json"));
+ int code = response.getStatus();
+ switch (code) {
+ case 200:
+ return response.readEntity(InstanceConfirmation.class);
+ default:
+ throw new ResourceException(code, response.readEntity(ResourceError.class));
+ }
+
+ }
+
 }
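Review bot: The new `resource InstanceConfirmation POST "/refresh" (name=PostRefreshConfirmation)` carries no description of how a refresh confirmation differs from the `/instance` one above it, although both take the same `InstanceConfirmation` input and the same exception set, so a provider implementer cannot tell from the schema what they are expected to re-validate on refresh (presumably the attestation data added to InstanceRefreshInformation in this commit). Add a comment line above the resource, e.g. `// called by ZTS when an already-registered instance refreshes its certificate; the provider re-validates the confirmation and returns it, or FORBIDDEN/UNAUTHORIZED to reject the refresh`, adjusting the wording to what the ZTS handler actually sends. A description here presumably also fills the empty string arguments in the generated InstanceProviderSchema.java `.input("confirmation", "InstanceConfirmation", "")` call on this page, which are currently blank.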
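Review bot: `postRefreshConfirmation` duplicates the credential header/cookie selection, the POST and the status switch of `postInstanceConfirmation` just above it (that method's body is outside the hunk, but its signature in the hunk header and the `/instance` resource on this page suggest it differs only in the path), so a later fix to one copy — for example to how `credsHeader` is applied — will silently miss the other. Factor the body into a private `postConfirmation(String path, InstanceConfirmation confirmation)` that both public methods call, and replace the magic `substring(7)` with `"Cookie.".length()` so the prefix and the offset cannot drift apart. In the `default` branch, `response.readEntity(ResourceError.class)` will itself throw when a proxy or load balancer returns a non-JSON body, hiding the real status code; that behaviour is inherited from the existing method and is worth a follow-up. The closing `}` of the class is the last line of the hunk.
```java
    public InstanceConfirmation postRefreshConfirmation(InstanceConfirmation confirmation) {
        return postConfirmation("/refresh", confirmation);
    }

    // Single request path for both confirmation endpoints;
    // postInstanceConfirmation becomes postConfirmation("/instance", confirmation).
    private InstanceConfirmation postConfirmation(String path, InstanceConfirmation confirmation) {
        WebTarget target = base.path(path);
        Invocation.Builder invocationBuilder = target.request("application/json");
        if (credsHeader != null) {
            invocationBuilder = credsHeader.startsWith("Cookie.")
                    ? invocationBuilder.cookie(credsHeader.substring("Cookie.".length()), credsToken)
                    : invocationBuilder.header(credsHeader, credsToken);
        }
        // … unchanged: post, status switch, ResourceException …
    }
```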