Service Identity X.509 Cert updates (#634)

core/zts/src/main/java/com/yahoo/athenz/zts/InstanceRefreshInformation.java

@@ -22,6 +22,12 @@ public class InstanceRefreshInformation {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public Boolean token;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public Integer expiryTime;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String hostname;
 
     public InstanceRefreshInformation setAttestationData(String attestationData) {
         this.attestationData = attestationData;
@@ -51,6 +57,20 @@ public InstanceRefreshInformation setToken(Boolean token) {
     public Boolean getToken() {
         return token;
     }
+    public InstanceRefreshInformation setExpiryTime(Integer expiryTime) {
+        this.expiryTime = expiryTime;
+        return this;
+    }
+    public Integer getExpiryTime() {
+        return expiryTime;
+    }
+    public InstanceRefreshInformation setHostname(String hostname) {
+        this.hostname = hostname;
+        return this;
+    }
+    public String getHostname() {
+        return hostname;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -71,6 +91,12 @@ public boolean equals(Object another) {
             if (token == null ? a.token != null : !token.equals(a.token)) {
                 return false;
             }
+            if (expiryTime == null ? a.expiryTime != null : !expiryTime.equals(a.expiryTime)) {
+                return false;
+            }
+            if (hostname == null ? a.hostname != null : !hostname.equals(a.hostname)) {
+                return false;
+            }
         }
         return true;
     }

core/zts/src/main/java/com/yahoo/athenz/zts/InstanceRegisterInformation.java

@@ -21,6 +21,12 @@ public class InstanceRegisterInformation {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public Boolean token;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public Integer expiryTime;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String hostname;
 
     public InstanceRegisterInformation setProvider(String provider) {
         this.provider = provider;
@@ -71,6 +77,20 @@ public InstanceRegisterInformation setToken(Boolean token) {
     public Boolean getToken() {
         return token;
     }
+    public InstanceRegisterInformation setExpiryTime(Integer expiryTime) {
+        this.expiryTime = expiryTime;
+        return this;
+    }
+    public Integer getExpiryTime() {
+        return expiryTime;
+    }
+    public InstanceRegisterInformation setHostname(String hostname) {
+        this.hostname = hostname;
+        return this;
+    }
+    public String getHostname() {
+        return hostname;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -100,6 +120,12 @@ public boolean equals(Object another) {
             if (token == null ? a.token != null : !token.equals(a.token)) {
                 return false;
             }
+            if (expiryTime == null ? a.expiryTime != null : !expiryTime.equals(a.expiryTime)) {
+                return false;
+            }
+            if (hostname == null ? a.hostname != null : !hostname.equals(a.hostname)) {
+                return false;
+            }
         }
         return true;
     }

core/zts/src/main/java/com/yahoo/athenz/zts/ZTSSchema.java

@@ -214,13 +214,17 @@ private static Schema build() {
             .field("attestationData", "String", false, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
             .field("csr", "String", false, "the Certificate Signing Request for the expected X.509 certificate in the response")
             .field("ssh", "String", true, "if present, return an SSH host certificate. Format is JSON.")
-            .field("token", "Bool", true, "if true, return a service token signed by ZTS for this service");
+            .field("token", "Bool", true, "if true, return a service token signed by ZTS for this service")
+            .field("expiryTime", "Int32", true, "expiry time in minutes for the certificate (server enforces max expiry)")
+            .field("hostname", "DomainName", true, "optional hostname in case included in the csr SAN dnsName attribute");
 
         sb.structType("InstanceRefreshInformation")
             .field("attestationData", "String", true, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
             .field("csr", "String", true, "the Certificate Signing Request for the expected X.509 certificate in the response")
             .field("ssh", "String", true, "if present, return an SSH host certificate. Format is JSON.")
-            .field("token", "Bool", true, "if true, return a service token signed by ZTS for this service");
+            .field("token", "Bool", true, "if true, return a service token signed by ZTS for this service")
+            .field("expiryTime", "Int32", true, "expiry time in minutes for the certificate (server enforces max expiry)")
+            .field("hostname", "DomainName", true, "optional hostname in case included in the csr SAN dnsName attribute");
 
         sb.structType("InstanceIdentity")
             .field("provider", "ServiceName", false, "the provider service name (i.e. \"aws.us-west-2\", \"sys.openstack.cluster1\")")

core/zts/src/main/rdl/Instance.rdli

@@ -11,13 +11,17 @@ type InstanceRegisterInformation Struct {
     String csr; //the Certificate Signing Request for the expected X.509 certificate in the response
     String ssh (optional); //if present, return an SSH host certificate. Format is JSON.
     Bool token (optional); //if true, return a service token signed by ZTS for this service
+    Int32 expiryTime (optional); //expiry time in minutes for the certificate (server enforces max expiry)
+    DomainName hostname (optional); //optional hostname in case included in the csr SAN dnsName attribute
 }
 
 type InstanceRefreshInformation Struct {
     String attestationData (optional); //identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.
     String csr (optional); //the Certificate Signing Request for the expected X.509 certificate in the response
     String ssh (optional); //if present, return an SSH host certificate. Format is JSON.
     Bool token (optional); //if true, return a service token signed by ZTS for this service
+    Int32 expiryTime (optional); //expiry time in minutes for the certificate (server enforces max expiry)
+    DomainName hostname (optional); //optional hostname in case included in the csr SAN dnsName attribute
 }
 
 type InstanceIdentity Struct {

core/zts/src/test/java/com/yahoo/athenz/zts/InstanceRefreshInformationTest.java

@@ -28,23 +28,69 @@ public void testInstanceRefreshInformation() {
         InstanceRefreshInformation i2 = new InstanceRefreshInformation();
 
         // set
+        i.setAttestationData("doc");
         i.setCsr("sample_csr");
         i.setSsh("ssh");
         i.setToken(false);
+        i.setExpiryTime(180);
+        i.setHostname("host1.athenz.cloud");
+
+        i2.setAttestationData("doc");
         i2.setCsr("sample_csr");
         i2.setSsh("ssh");
         i2.setToken(false);
+        i2.setExpiryTime(180);
+        i2.setHostname("host1.athenz.cloud");
 
         // getter assertion
+        assertEquals(i.getAttestationData(), "doc");
         assertEquals(i.getCsr(), "sample_csr");
         assertEquals(i.getSsh(), "ssh");
         assertEquals(i.getToken(), Boolean.FALSE);
+        assertEquals(i.getExpiryTime(), Integer.valueOf(180));
+        assertEquals(i.getHostname(), "host1.athenz.cloud");
+
+        assertEquals(i2, i);
+        assertTrue(i2.equals(i2));
+        assertFalse(i2.equals(null));
+        assertFalse(i2.equals("string"));
+
+        i2.setAttestationData(null);
+        assertNotEquals(i, i2);
+        i2.setAttestationData("doc2");
+        assertNotEquals(i, i2);
+        i2.setAttestationData("doc");
 
-        assertEquals(i, i2);
-
-        i2.setCsr("sample_csr2");
-        assertNotEquals(i2, i);
         i2.setCsr(null);
-        assertNotEquals(i2, i);
+        assertNotEquals(i, i2);
+        i2.setCsr("csr2");
+        assertNotEquals(i, i2);
+        i2.setCsr("sample_csr");
+
+        i2.setSsh(null);
+        assertNotEquals(i, i2);
+        i2.setSsh("ssh2");
+        assertNotEquals(i, i2);
+        i2.setSsh("ssh");
+
+        i2.setToken(null);
+        assertNotEquals(i, i2);
+        i2.setToken(true);
+        assertNotEquals(i, i2);
+        i2.setToken(false);
+
+        i2.setExpiryTime(null);
+        assertNotEquals(i, i2);
+        i2.setExpiryTime(120);
+        assertNotEquals(i, i2);
+        i2.setExpiryTime(180);
+
+        i2.setHostname(null);
+        assertNotEquals(i, i2);
+        i2.setHostname("host2");
+        assertNotEquals(i, i2);
+        i2.setHostname("host1.athenz.cloud");
+
+        assertEquals(i, i2);
     }
 }

core/zts/src/test/java/com/yahoo/athenz/zts/InstanceRegisterInformationTest.java

@@ -35,13 +35,18 @@ public void testInstanceRegisterInformation() {
         i.setCsr("sample_csr");
         i.setSsh("ssh");
         i.setToken(false);
+        i.setExpiryTime(180);
+        i.setHostname("host1.athenz.cloud");
+
         i2.setProvider("provider");
         i2.setAttestationData("doc");
         i2.setDomain("sample.com");
         i2.setService("sample.service");
         i2.setCsr("sample_csr");
         i2.setSsh("ssh");
         i2.setToken(false);
+        i2.setExpiryTime(180);
+        i2.setHostname("host1.athenz.cloud");
 
         // getter assertion
         assertEquals(i.getAttestationData(), "doc");
@@ -51,22 +56,68 @@ public void testInstanceRegisterInformation() {
         assertEquals(i.getProvider(), "provider");
         assertEquals(i.getSsh(), "ssh");
         assertEquals(i.getToken(), Boolean.FALSE);
+        assertEquals(i.getExpiryTime(), Integer.valueOf(180));
+        assertEquals(i.getHostname(), "host1.athenz.cloud");
+
+        assertEquals(i2, i);
+        assertTrue(i2.equals(i2));
+        assertFalse(i2.equals(null));
+        assertFalse(i2.equals("string"));
 
-        assertEquals(i, i2);
-
         i2.setService(null);
-        assertNotEquals(i2, i);
+        assertNotEquals(i, i2);
+        i2.setService("service2");
+        assertNotEquals(i, i2);
         i2.setService("sample.service");
 
         i2.setDomain(null);
-        assertNotEquals(i2, i);
+        assertNotEquals(i, i2);
+        i2.setDomain("domain2");
+        assertNotEquals(i, i2);
         i2.setDomain("sample.com");
 
         i2.setProvider(null);
-        assertNotEquals(i2, i);
+        assertNotEquals(i, i2);
+        i2.setProvider("provider2");
+        assertNotEquals(i, i2);
         i2.setProvider("provider");
 
         i2.setAttestationData(null);
-        assertNotEquals(i2, i);
+        assertNotEquals(i, i2);
+        i2.setAttestationData("doc2");
+        assertNotEquals(i, i2);
+        i2.setAttestationData("doc");
+
+        i2.setCsr(null);
+        assertNotEquals(i, i2);
+        i2.setCsr("csr2");
+        assertNotEquals(i, i2);
+        i2.setCsr("sample_csr");
+
+        i2.setSsh(null);
+        assertNotEquals(i, i2);
+        i2.setSsh("ssh2");
+        assertNotEquals(i, i2);
+        i2.setSsh("ssh");
+
+        i2.setToken(null);
+        assertNotEquals(i, i2);
+        i2.setToken(true);
+        assertNotEquals(i, i2);
+        i2.setToken(false);
+
+        i2.setExpiryTime(null);
+        assertNotEquals(i, i2);
+        i2.setExpiryTime(120);
+        assertNotEquals(i, i2);
+        i2.setExpiryTime(180);
+
+        i2.setHostname(null);
+        assertNotEquals(i, i2);
+        i2.setHostname("host2");
+        assertNotEquals(i, i2);
+        i2.setHostname("host1.athenz.cloud");
+
+        assertEquals(i, i2);
     }
 }

go.mod

@@ -3,6 +3,7 @@ module github.com/yahoo/athenz
 require (
 	github.com/BurntSushi/toml v0.3.1 // indirect
 	github.com/ardielle/ardielle-go v1.5.1
+	github.com/ardielle/ardielle-tools v1.14.15 // indirect
 	github.com/boynton/repl v0.0.0-20170116235056-348863958e3e
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimfeld/httptreemux v5.0.1+incompatible

go.sum

@@ -2,6 +2,8 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/ardielle/ardielle-go v1.5.1 h1:7vSvfYuByBHGSk+8am0u2DT92+95UFtxdp5fkSEQTII=
 github.com/ardielle/ardielle-go v1.5.1/go.mod h1:I4hy1n795cUhaVt/ojz83SNVCYIGsAFAONtv2Dr7HUI=
+github.com/ardielle/ardielle-tools v1.14.15 h1:BukXV+2FhI3mXbb4x9HdfTDfe9bC2yBhRWxk3Kl9yUA=
+github.com/ardielle/ardielle-tools v1.14.15/go.mod h1:md5tB6Ld1xXeYT0iETNHj4/Dm+funcuxeZn2yXWmvCY=
 github.com/boynton/repl v0.0.0-20170116235056-348863958e3e h1:lFJi7V/jlH3FDeZxW0o/oMfKAjPyc/yifX2z8eBeLt8=
 github.com/boynton/repl v0.0.0-20170116235056-348863958e3e/go.mod h1:Crc/GCZ3NXDVCio7Yr0o+SSrytpcFhLmVCIzi0s49t4=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -12,6 +14,8 @@ github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/jawher/mow.cli v1.0.4 h1:hKjm95J7foZ2ngT8tGb15Aq9rj751R7IUDjG+5e3cGA=
+github.com/jawher/mow.cli v1.0.4/go.mod h1:5hQj2V8g+qYmLUVWqu4Wuja1pI57M83EChYLVZ0sMKk=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=