make cluster name in spiffe uri optional (AthenZ#589)

Author: havetisyan

servers/zts/src/main/java/com/yahoo/athenz/zts/cert/X509CertRequest.java

@@ -309,10 +309,12 @@ public boolean validateIPAddress(final String ip) {
     boolean validateSpiffeURI(final String domain, final String name, final String value) {
 
         // the expected default format is
-        // spiffe://<provider-cluster>/ns/<athenz-domain>/sa/<athenz-service>
-        // spiffe://<provider-cluster>/ns/<athenz-domain>/ra/<athenz-role>
+        // spiffe://[<provider-cluster>/ns/]<athenz-domain>/sa/<athenz-service>
+        // spiffe://[<provider-cluster>/ns/]<athenz-domain>/ra/<athenz-role>
+        //
         // so we'll be validating that our request has:
-        // spiffe://<provider-cluster>/ns/<domain>/<name>/<value>
+        // spiffe://<provider-cluster>/ns/<domain>/<name>/<value> or
+        // spiffe://<domain>/<name>/<value> or
 
         // first extract the URI list from the request
 
@@ -337,25 +339,37 @@ boolean validateSpiffeURI(final String domain, final String name, final String v
             return false;
         }
 
-        if (uri.getScheme() == null || uri.getPath() == null) {
+        final String uriScheme = uri.getScheme();
+        final String uriPath = uri.getPath();
+        final String uriHost = uri.getHost();
+
+        if (uriScheme == null || uriPath == null || uriHost == null) {
             LOGGER.error("validateSpiffeURI: invalid uri {}", spiffeUri);
             return false;
         }
 
-        if (!uri.getScheme().equalsIgnoreCase("spiffe")) {
-            LOGGER.error("validateSpiffeURI: invalid uri scheme: {} in {}",
-                    uri.getScheme(), spiffeUri);
+        if (!uriScheme.equalsIgnoreCase("spiffe")) {
+            LOGGER.error("validateSpiffeURI: invalid uri scheme: {}", spiffeUri);
             return false;
         }
 
-        final String path = "/ns/" + domain + "/" + name + "/" + value;
-        if (!uri.getPath().equalsIgnoreCase(path)) {
-            LOGGER.error("validateSpiffeURI: invalid uri path: {} vs {}",
-                    path, uri.getPath());
-            return false;
+        // let's check to see if our path starts with our
+        // namespace ns field and thus which format we're using
+
+        boolean uriVerified = false;
+        if (uriPath.startsWith("/ns/")) {
+            final String path = "/ns/" + domain + "/" + name + "/" + value;
+            uriVerified = uriPath.equalsIgnoreCase(path);
+        } else {
+            final String path = "/" + name + "/" + value;
+            uriVerified = uriHost.equalsIgnoreCase(domain) && uriPath.equalsIgnoreCase(path);
         }
 
-        return true;
+        if (!uriVerified) {
+            LOGGER.error("validateSpiffeURI: invalid uri path/host: {}", spiffeUri);
+        }
+
+        return uriVerified;
     }
 
     public void setNormCsrPublicKey(String normCsrPublicKey) {

servers/zts/src/test/java/com/yahoo/athenz/zts/cert/X509CertRequestTest.java

@@ -625,6 +625,69 @@ public void testValidateSpiffeServiceCertMismatch() throws IOException {
                 "1001", validOrgs, null, errorMsg));
     }
 
+    @Test
+    public void testValidateSpiffeServiceCertShortValid() throws IOException {
+
+        Path path = Paths.get("src/test/resources/spiffe_short_service.csr");
+        String csr = new String(Files.readAllBytes(path));
+
+        X509ServiceCertRequest certReq = new X509ServiceCertRequest(csr);
+        assertNotNull(certReq);
+
+        Authorizer authorizer = Mockito.mock(Authorizer.class);
+        Principal provider = Mockito.mock(Principal.class);
+        Mockito.when(authorizer.access("launch", "sys.auth:dns.ostk.athenz.cloud", provider, null))
+                .thenReturn(true);
+
+        StringBuilder errorMsg = new StringBuilder(256);
+        HashSet<String> validOrgs = new HashSet<>();
+        validOrgs.add("Athenz");
+        assertTrue(certReq.validate(provider, "athenz", "production",
+                "1001", validOrgs, null, errorMsg));
+    }
+
+    @Test
+    public void testValidateSpiffeServiceCertShortMismatchDomain() throws IOException {
+
+        Path path = Paths.get("src/test/resources/spiffe_service_short_mismatch_domain.csr");
+        String csr = new String(Files.readAllBytes(path));
+
+        X509ServiceCertRequest certReq = new X509ServiceCertRequest(csr);
+        assertNotNull(certReq);
+
+        Authorizer authorizer = Mockito.mock(Authorizer.class);
+        Principal provider = Mockito.mock(Principal.class);
+        Mockito.when(authorizer.access("launch", "sys.auth:dns.ostk.athenz.cloud", provider, null))
+                .thenReturn(true);
+
+        StringBuilder errorMsg = new StringBuilder(256);
+        HashSet<String> validOrgs = new HashSet<>();
+        validOrgs.add("Athenz");
+        assertFalse(certReq.validate(provider, "athenz", "production",
+                "1001", validOrgs, null, errorMsg));
+    }
+
+    @Test
+    public void testValidateSpiffeServiceCertShortMismatchService() throws IOException {
+
+        Path path = Paths.get("src/test/resources/spiffe_service_short_mismatch_service.csr");
+        String csr = new String(Files.readAllBytes(path));
+
+        X509ServiceCertRequest certReq = new X509ServiceCertRequest(csr);
+        assertNotNull(certReq);
+
+        Authorizer authorizer = Mockito.mock(Authorizer.class);
+        Principal provider = Mockito.mock(Principal.class);
+        Mockito.when(authorizer.access("launch", "sys.auth:dns.ostk.athenz.cloud", provider, null))
+                .thenReturn(true);
+
+        StringBuilder errorMsg = new StringBuilder(256);
+        HashSet<String> validOrgs = new HashSet<>();
+        validOrgs.add("Athenz");
+        assertFalse(certReq.validate(provider, "athenz", "production",
+                "1001", validOrgs, null, errorMsg));
+    }
+
     @Test
     public void testValidateSpiffeInvalidScheme() throws IOException {
 

servers/zts/src/test/resources/spiffe_service_short_mismatch_domain.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBuDCCAWICAQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQK
+EwZBdGhlbnoxFzAVBgNVBAsTDlRlc3RpbmcgRG9tYWluMRowGAYDVQQDExFhdGhl
+bnoucHJvZHVjdGlvbjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDCvtASJL3f3dsk
+ZDxuJ5sXRr5PLFX3Q272cgO72gG2IusvoL8I6oL8WGy0ZMCYAOC6fqGaeT8BXvXS
+YmRieKSZAgMBAAGggZwwgZkGCSqGSIb3DQEJDjGBizCBiDCBhQYDVR0RBH4wfIIj
+cHJvZHVjdGlvbi5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSCKDEwMDEuaW5zdGFu
+Y2VpZC5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSHBAoLDA2HBAoLDA6GH3NwaWZm
+ZTovL2NvcmV0ZWNoL3NhL3Byb2R1Y3Rpb24wDQYJKoZIhvcNAQELBQADQQCR5uq8
+yEQJsGXu6Y8jj//kBNSyFTVceWzZ5MqYm80X9+E7R4B7FU3mdYJX1/ghHn8574Pi
+bJA43fVYwnpboAhB
+-----END CERTIFICATE REQUEST-----

servers/zts/src/test/resources/spiffe_service_short_mismatch_service.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBrTCCAVcCAQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQK
+EwZBdGhlbnoxFzAVBgNVBAsTDlRlc3RpbmcgRG9tYWluMRowGAYDVQQDExFhdGhl
+bnoucHJvZHVjdGlvbjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDFnIrCLPQaIUt1
+SeTXxFhu8ULxuPbklABGx7s5ypQa3Rdcs4dNpFB2PAygU7NhsSWKUDfD9SJIF460
+ohUzziQrAgMBAAGggZEwgY4GCSqGSIb3DQEJDjGBgDB+MHwGA1UdEQR1MHOCI3By
+b2R1Y3Rpb24uYXRoZW56Lm9zdGsuYXRoZW56LmNsb3VkgigxMDAxLmluc3RhbmNl
+aWQuYXRoZW56Lm9zdGsuYXRoZW56LmNsb3VkhwQKCwwNhwQKCwwOhhZzcGlmZmU6
+Ly9hdGhlbnovc2EvYXBpMA0GCSqGSIb3DQEBCwUAA0EApXOYXJ9MVlxdXI/n94SC
+S9eGMfpdMtrh6SoEJTa/KWNYp7pK9xo8j5FSP6QiddjLZnuz8rxrgqkEPyv+ENyz
+nA==
+-----END CERTIFICATE REQUEST-----

servers/zts/src/test/resources/spiffe_short_service.csr

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBtjCCAWACAQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMQ8wDQYDVQQK
+EwZBdGhlbnoxFzAVBgNVBAsTDlRlc3RpbmcgRG9tYWluMRowGAYDVQQDExFhdGhl
+bnoucHJvZHVjdGlvbjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3gXNrQpZl3j1s
+n/n05BJO+JZQN56cty8WHpmWVNna3EJhGT+C1OSC4mJgO4Bz1UR8w6y0FUxJ6Ge6
+Ep6vQJtjAgMBAAGggZowgZcGCSqGSIb3DQEJDjGBiTCBhjCBgwYDVR0RBHwweoIj
+cHJvZHVjdGlvbi5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSCKDEwMDEuaW5zdGFu
+Y2VpZC5hdGhlbnoub3N0ay5hdGhlbnouY2xvdWSHBAoLDA2HBAoLDA6GHXNwaWZm
+ZTovL2F0aGVuei9zYS9wcm9kdWN0aW9uMA0GCSqGSIb3DQEBCwUAA0EAThxUa0Ca
+1ufMIR2LoDHvdZWYzOyU6w3SL6OnV8BfRS8/gn2j3/uM66CS3QDlpo67sNsnBFYY
+T39E03gcW/b4fA==
+-----END CERTIFICATE REQUEST-----