IAM generate certificate fingerprint identifiers on upgrade - EUCA-10628

clc/modules/autoscaling-backend/src/test/java/com/eucalyptus/autoscaling/AutoScalingServiceTest.groovy

@@ -525,7 +525,7 @@ class AutoScalingServiceTest {
       }
 
       @Override
-      Certificate lookupCertificate(final X509Certificate cert) {
+      Certificate lookupCertificateByHashId(final String certificateId) {
         throw new UnsupportedOperationException()
       }
 

clc/modules/autoscaling-backend/src/test/java/com/eucalyptus/autoscaling/activities/ActivityManagerTest.groovy

@@ -1334,7 +1334,7 @@ class ActivityManagerTest {
       }
 
       @Override
-      Certificate lookupCertificate(final X509Certificate cert) {
+      Certificate lookupCertificateByHashId(final String certificateId) {
         throw new UnsupportedOperationException()
       }
 

clc/modules/euare/src/main/java/com/eucalyptus/auth/euare/persist/DatabaseAuthProvider.java

@@ -409,16 +409,16 @@ public List<Account> listAllAccounts( ) throws AuthException {
   }
 
   @Override
-  public Certificate lookupCertificate( X509Certificate cert ) throws AuthException {
-    if ( cert == null ) {
-      throw new AuthException( "Empty input cert" );
+  public Certificate lookupCertificateByHashId( String certificateId ) throws AuthException {
+    if ( certificateId == null ) {
+      throw new AuthException( "Certificate identifier required" );
     }
     try ( final TransactionResource db = Entities.transactionFor( CertificateEntity.class ) ) {
-      CertificateEntity certEntity = DatabaseAuthUtils.getUnique( CertificateEntity.class, "pem", X509CertHelper.fromCertificate( cert ) );
+      CertificateEntity certEntity = DatabaseAuthUtils.getUnique( CertificateEntity.class, "certificateHashId", certificateId );
       db.commit( );
       return new DatabaseCertificateProxy( certEntity );
     } catch ( Exception e ) {
-      Debugging.logError( LOG, e, "Failed to lookup cert " + cert );
+      Debugging.logError( LOG, e, "Failed to lookup cert " + certificateId );
       throw new AuthException( AuthException.NO_SUCH_CERTIFICATE, e );
     }
   }

clc/modules/euare/src/main/java/com/eucalyptus/auth/euare/persist/DatabaseIdentityProvider.java

@@ -79,7 +79,7 @@ public UserPrincipal lookupPrincipalByAccessKeyId( final String keyId, final Str
 
   @Override
   public UserPrincipal lookupPrincipalByCertificateId( final String certificateId ) throws AuthException {
-    final Certificate certificate = Accounts.lookupCertificateById( certificateId );
+    final Certificate certificate = Accounts.lookupCertificateByHashId( certificateId );
     if ( !certificate.isActive( ) ) {
       throw new AuthException( "Certificate is inactive or revoked: " + certificate.getX509Certificate().getSubjectX500Principal( ) );
     }

clc/modules/euare/src/main/java/com/eucalyptus/auth/euare/persist/entities/CertificateEntity.java

@@ -66,6 +66,7 @@
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.Date;
+import java.util.List;
 import javax.persistence.Column;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
@@ -75,12 +76,20 @@
 import javax.persistence.PersistenceContext;
 import javax.persistence.Table;
 import javax.persistence.Transient;
+import org.apache.log4j.Logger;
 import org.hibernate.annotations.Cache;
 import org.hibernate.annotations.CacheConcurrencyStrategy;
 import org.hibernate.annotations.Type;
+import org.hibernate.criterion.Restrictions;
+import com.eucalyptus.auth.euare.common.identity.Certificate;
 import com.eucalyptus.auth.util.Identifiers;
 import com.eucalyptus.auth.util.X509CertHelper;
+import com.eucalyptus.component.id.Euare;
 import com.eucalyptus.entities.AbstractPersistent;
+import com.eucalyptus.entities.Entities;
+import com.eucalyptus.entities.TransactionResource;
+import com.eucalyptus.upgrade.Upgrades;
+import com.google.common.base.Predicate;
 
 /**
  * Database X509 certificate entity.
@@ -102,10 +111,14 @@ public class CertificateEntity extends AbstractPersistent implements Serializabl
   @Column( name = "auth_certificate_revoked" )
   Boolean revoked;
 
-  // The certificate
+  // The certificate identifier, random for certificate generated pre 4.2
   @Column( name = "auth_certificate_id" )
   String certificateId;
 
+  // The certificate identifier derived from the certificate content.
+  @Column( name = "auth_certificate_hash_id" )
+  String certificateHashId;
+
   // The certificate
   @Lob
   @Type(type="org.hibernate.type.StringClobType")
@@ -126,6 +139,7 @@ public CertificateEntity( ) {
 
   public CertificateEntity( final String certificateId, final X509Certificate cert ) throws CertificateEncodingException {
     this.certificateId = certificateId;
+    this.certificateHashId = certificateId;
     this.pem = X509CertHelper.fromCertificate( cert );
   }
 
@@ -198,5 +212,27 @@ public void setUser( UserEntity user ) {
   public String getCertificateId( ) {
     return this.certificateId;
   }
-
+
+  @Upgrades.EntityUpgrade(entities = Certificate.class,  since = Upgrades.Version.v4_2_0, value = Euare.class)
+  public enum CertificateEntityUpgrade420 implements Predicate<Class> {
+    INSTANCE;
+    private static Logger logger = Logger.getLogger( CertificateEntityUpgrade420.class );
+    @SuppressWarnings( "unchecked" )
+    @Override
+    public boolean apply( Class arg0 ) {
+      try ( final TransactionResource tx = Entities.transactionFor( CertificateEntity.class ) ) {
+        final List<CertificateEntity> entities = (List<CertificateEntity>)
+            Entities.createCriteria( CertificateEntity.class ).add( Restrictions.isNull( "certificateHashId" ) ).list( );
+        for ( final CertificateEntity entity : entities ) {
+          try {
+            entity.certificateHashId = Identifiers.generateCertificateIdentifier( X509CertHelper.toCertificate( entity.getPem() ) );
+          } catch ( Exception e ) {
+            logger.error( "Error generating fingerprint identifier for certificate", e );
+          }
+        }
+        tx.commit( );
+      }
+      return true;
+    }
+  }
 }

clc/modules/msgs/src/main/java/com/eucalyptus/auth/Accounts.java

@@ -66,7 +66,6 @@
 import java.util.List;
 import java.util.Objects;
 import java.util.ServiceLoader;
-import java.util.Set;
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
 import org.apache.log4j.Logger;
@@ -339,8 +338,8 @@ public static EuareRole lookupRoleById( String roleId ) throws AuthException {
     return Accounts.getAccountProvider( ).lookupRoleById( roleId );
   }
 
-  public static Certificate lookupCertificate( X509Certificate cert ) throws AuthException {
-    return Accounts.getAccountProvider( ).lookupCertificate( cert );
+  public static Certificate lookupCertificateByHashId( String certificateId ) throws AuthException {
+    return Accounts.getAccountProvider( ).lookupCertificateByHashId( certificateId );
   }
 
   public static Certificate lookupCertificateById( String certificateId ) throws AuthException {

clc/modules/msgs/src/main/java/com/eucalyptus/auth/api/AccountProvider.java

@@ -64,7 +64,6 @@
 
 import java.security.cert.X509Certificate;
 import java.util.List;
-import java.util.Set;
 import com.eucalyptus.auth.AuthException;
 import com.eucalyptus.auth.principal.AccessKey;
 import com.eucalyptus.auth.principal.Account;
@@ -97,9 +96,9 @@ public interface AccountProvider {
 
   EuareRole lookupRoleById( String roleId ) throws AuthException;
 
-  Certificate lookupCertificate( X509Certificate cert ) throws AuthException;
   Certificate lookupCertificateById( String certificateId ) throws AuthException;;
-
+  Certificate lookupCertificateByHashId( String certificateId ) throws AuthException;;
+
   AccessKey lookupAccessKeyById( String keyId ) throws AuthException;
 
 }