Merge pull request #28000 from vespa-engine/ean/zkbackup-gcp-athenz

WIP: GcpCredentials retriever

4 files changed, 208 insertions, 0 deletions

diff --git a/parent/pom.xml b/parent/pom.xml
index df20b94ec79..f2d9f71d553 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -1161,6 +1161,16 @@
                 <artifactId>checker-qual</artifactId>
                 <version>3.30.0</version>
             </dependency>
+            <dependency>
+                <groupId>com.google.http-client</groupId>
+                <artifactId>google-http-client-apache-v2</artifactId>
+                <version>1.43.2</version>
+            </dependency>
+            <dependency>
+                <groupId>com.google.auth</groupId>
+                <artifactId>google-auth-library-oauth2-http</artifactId>
+                <version>1.15.0</version>
+            </dependency>
 
         </dependencies>
     </dependencyManagement>
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 7c3c982af84..e6e4a0a17b7 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -275,6 +275,14 @@
             <groupId>commons-codec</groupId>
             <artifactId>commons-codec</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.google.http-client</groupId>
+            <artifactId>google-http-client-apache-v2</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.auth</groupId>
+            <artifactId>google-auth-library-oauth2-http</artifactId>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
new file mode 100644
index 00000000000..bbdc3c2b372
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
@@ -0,0 +1,180 @@
+package com.yahoo.vespa.athenz.gcp;
+
+import com.google.api.client.http.apache.v2.ApacheHttpTransport;
+import com.google.auth.http.HttpTransportFactory;
+import com.google.auth.oauth2.ExternalAccountCredentials;
+import com.yahoo.security.token.TokenDomain;
+import com.yahoo.security.token.TokenGenerator;
+import com.yahoo.slime.Cursor;
+import com.yahoo.slime.Slime;
+import com.yahoo.slime.SlimeUtils;
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.HttpClientBuilder;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Objects;
+
+public class GcpCredentials {
+    private static final TokenDomain domain = TokenDomain.of("athenz-gcp-oauth2-nonce");
+
+    final private InputStream tokenApiStream;
+    private final HttpTransportFactory httpTransportFactory;
+
+    private GcpCredentials(Builder builder) {
+        String clientId = builder.athenzDomain.getName() + ".gcp";
+        String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
+                builder.projectNumber, builder.workloadPoolName, builder.workloadProviderName);
+        String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken",
+                builder.serviceAccountName, builder.projectName);
+        String scope = URLEncoder.encode(generateIdTokenScope(builder.athenzDomain.getName(), builder.role), StandardCharsets.UTF_8);
+        String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, builder.redirectURISuffix), StandardCharsets.UTF_8);
+        String tokenUrl = String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json",
+                builder.ztsUrl, clientId, redirectUri, scope, TokenGenerator.generateToken(domain, "", 32).secretTokenString());
+
+        tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, builder.tokenLifetimeSeconds);
+        SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(builder.identityProvider.getIdentitySslContext());
+        HttpClientBuilder httpClientBuilder = ApacheHttpTransport.newDefaultHttpClientBuilder()
+                .setSSLSocketFactory(sslConnectionSocketFactory);
+        httpTransportFactory = () -> new ApacheHttpTransport(httpClientBuilder.build());
+    }
+
+    public ExternalAccountCredentials getCredential() throws IOException {
+        return ExternalAccountCredentials.fromStream(tokenApiStream, httpTransportFactory);
+    }
+
+    private InputStream createTokenAPIStream(final String audience, final String serviceUrl, final String tokenUrl,
+                                     int tokenLifetimeSeconds) {
+
+        Slime root = new Slime();
+        Cursor c = root.setObject();
+
+        c.setString("type", "external_account");
+        c.setString("audience", audience);
+        c.setString("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
+        c.setString("token_url", "https://sts.googleapis.com/v1/token");
+
+        c.setString("service_account_impersonation_url", serviceUrl);
+        Cursor sai = c.setObject("service_account_impersonation");
+        sai.setLong("token_lifetime_seconds", tokenLifetimeSeconds);
+
+        Cursor credentialSource = c.setObject("credential_source");
+        credentialSource.setString("url", tokenUrl);
+
+        Cursor credentialSourceFormat = credentialSource.setObject("format");
+        credentialSourceFormat.setString("type", "json");
+        credentialSourceFormat.setString("subject_token_field_name", "id_token");
+
+        try {
+            return new ByteArrayInputStream(SlimeUtils.toJsonBytes(root));
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static String generateIdTokenScope(final String domainName, String roleName) {
+        StringBuilder scope = new StringBuilder(256);
+        scope.append("openid");
+        scope.append(' ').append(domainName).append(":role.").append(roleName);
+        return scope.toString();
+    }
+
+    private static String generateRedirectUri(final String clientId, String uriSuffix) {
+        int idx = clientId.lastIndexOf('.');
+        if (idx == -1) {
+            return "";
+        }
+        final String dashDomain = clientId.substring(0, idx).replace('.', '-');
+        final String service = clientId.substring(idx + 1);
+        return "https://" + service + "." + dashDomain + "." + uriSuffix;
+    }
+
+
+    public static class Builder {
+        private String ztsUrl;
+        private ServiceIdentityProvider identityProvider;
+        private String redirectURISuffix;
+        private AthenzDomain athenzDomain;
+        private String role;
+        private String projectName;
+        private String projectNumber;
+        private String serviceAccountName;
+
+        private int tokenLifetimeSeconds = 3600; // default to 1 hour lifetime
+        private String workloadPoolName = "athenz";
+        private String workloadProviderName = "athenz";
+
+        public GcpCredentials build() {
+            Objects.requireNonNull(ztsUrl);
+            Objects.requireNonNull(identityProvider);
+            Objects.requireNonNull(redirectURISuffix);
+            Objects.requireNonNull(athenzDomain);
+            Objects.requireNonNull(role);
+            Objects.requireNonNull(projectName);
+            Objects.requireNonNull(projectNumber);
+            Objects.requireNonNull(serviceAccountName);
+
+            return new GcpCredentials(this);
+        }
+
+        public Builder setZtsUrl(String ztsUrl) {
+            this.ztsUrl = ztsUrl;
+            return this;
+        }
+
+        public Builder identityProvider(ServiceIdentityProvider provider) {
+            this.identityProvider = provider;
+            return this;
+        }
+
+        public Builder redirectURISuffix(String redirectURISuffix) {
+            this.redirectURISuffix = redirectURISuffix;
+            return this;
+        }
+
+        public Builder athenzDomain(AthenzDomain athenzDomain) {
+            this.athenzDomain = athenzDomain;
+            return this;
+        }
+
+        public Builder role(String gcpRole) {
+            this.role = gcpRole;
+            return this;
+        }
+
+        public Builder projectName(String projectName) {
+            this.projectName = projectName;
+            return this;
+        }
+
+        public Builder projectNumber(String projectNumber) {
+            this.projectNumber = projectNumber;
+            return this;
+        }
+
+        public Builder serviceAccountName(String serviceAccountName) {
+            this.serviceAccountName = serviceAccountName;
+            return this;
+        }
+
+        public Builder tokenLifetimeSeconds(int tokenLifetimeSeconds) {
+            this.tokenLifetimeSeconds = tokenLifetimeSeconds;
+            return this;
+        }
+
+        public Builder workloadPoolName(String workloadPoolName) {
+            this.workloadPoolName = workloadPoolName;
+            return this;
+        }
+
+        public Builder workloadProviderName(String workloadProviderName) {
+            this.workloadProviderName = workloadProviderName;
+            return this;
+        }
+    }
+}
diff --git a/vespa-dependencies-enforcer/allowed-maven-dependencies.txt b/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
index 7684e3ea2ae..729e872053b 100644
--- a/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
+++ b/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
@@ -24,10 +24,17 @@ com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.15.2
 com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.15.2
 com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.15.2
 com.github.spotbugs:spotbugs-annotations:3.1.9
+com.google.auth:google-auth-library-credentials:1.15.0
+com.google.auth:google-auth-library-oauth2-http:1.15.0
+com.google.auto.value:auto-value-annotations:1.10.1
 com.google.code.findbugs:jsr305:3.0.2
+com.google.code.gson:gson:2.10
 com.google.errorprone:error_prone_annotations:2.18.0
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:32.1.1-jre
+com.google.http-client:google-http-client:1.43.2
+com.google.http-client:google-http-client-apache-v2:1.43.2
+com.google.http-client:google-http-client-gson:1.42.3
 com.google.inject:guice:4.2.3:no_aop
 com.google.j2objc:j2objc-annotations:2.8
 com.google.protobuf:protobuf-java:3.21.7
@@ -53,6 +60,7 @@ commons-io:commons-io:2.11.0
 commons-logging:commons-logging:1.2
 io.airlift:airline:0.9
 io.dropwizard.metrics:metrics-core:3.2.5
+io.grpc:grpc-context:1.27.2
 io.jsonwebtoken:jjwt-api:0.11.5
 io.jsonwebtoken:jjwt-impl:0.11.5
 io.jsonwebtoken:jjwt-jackson:0.11.5
@@ -67,6 +75,8 @@ io.netty:netty-transport:4.1.94.Final
 io.netty:netty-transport-classes-epoll:4.1.94.Final
 io.netty:netty-transport-native-epoll:4.1.94.Final
 io.netty:netty-transport-native-unix-common:4.1.94.Final
+io.opencensus:opencensus-api:0.31.1
+io.opencensus:opencensus-contrib-http-util:0.31.1
 io.prometheus:simpleclient:0.6.0
 io.prometheus:simpleclient_common:0.6.0
 javax.annotation:javax.annotation-api:1.2