author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-03-16 12:45:22 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-03-19 11:16:25 +0100 |
commit | 6487241918444ba7c6e9d3065fd15025e239dd90 (patch) | |
tree | 67db7ebd24c8b8dac267f6de00a26593d5b6af9f | |
parent | 0af7c914e90195daa4b07346cb2518c35e05a312 (diff) |
Use AthenzIdentityProvider unless authorized service token required
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java | 26 |
1 files changed, 6 insertions, 20 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index c3471a40234..2d887f29174 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -5,12 +5,12 @@ import com.google.inject.Inject;
 import com.yahoo.athenz.auth.Principal;
 import com.yahoo.athenz.auth.impl.PrincipalAuthority;
 import com.yahoo.athenz.auth.impl.SimplePrincipal;
-import com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider;
 import com.yahoo.athenz.auth.token.PrincipalToken;
 import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.athenz.zms.ZMSClient;
 import com.yahoo.athenz.zts.ZTSClient;
 import com.yahoo.container.jdisc.Ckms;
+import com.yahoo.container.jdisc.athenz.AthenzIdentityProvider;
 import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
@@ -19,21 +19,21 @@ import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 
 import java.security.PrivateKey;
-import java.time.Duration;
 
 /**
 * @author bjorncs
 */
-// TODO Use SiaIdentityProvider
 public class AthenzClientFactoryImpl implements AthenzClientFactory {
 
 private final Ckms ckms;
 private final AthenzConfig config;
 private final AthenzPrincipalAuthority athenzPrincipalAuthority;
+ private final AthenzIdentityProvider identityProvider;
 
 @Inject
- public AthenzClientFactoryImpl(Ckms ckms, AthenzConfig config) {
+ public AthenzClientFactoryImpl(Ckms ckms, AthenzIdentityProvider identityProvider, AthenzConfig config) {
 this.ckms = ckms;
+ this.identityProvider = identityProvider;
 this.config = config;
 this.athenzPrincipalAuthority = new AthenzPrincipalAuthority(config.principalHeaderName());
 }
@@ -43,7 +43,7 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 */
 @Override
 public ZmsClient createZmsClientWithServicePrincipal() {
- return new ZmsClientImpl(new ZMSClient(config.zmsUrl(), createServicePrincipal()), config);
+ return new ZmsClientImpl(new ZMSClient(config.zmsUrl(), identityProvider.getIdentitySslContext()), config);
 }
 
 /**
@@ -51,7 +51,7 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 */
 @Override
 public ZtsClient createZtsClientWithServicePrincipal() {
- return new ZtsClientImpl(new ZTSClient(config.ztsUrl(), createServicePrincipal()), getServicePrivateKey(), config);
+ return new ZtsClientImpl(new ZTSClient(config.ztsUrl(), identityProvider.getIdentitySslContext()), getServicePrivateKey(), config);
 }
 
 /**
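Review bot: `createZmsClientWithServicePrincipal()` no longer creates a principal at all — it hands `identityProvider.getIdentitySslContext()` to `ZMSClient`, so the client now authenticates with the provider's TLS identity instead of an NToken-signed service principal, yet the method name and the Javadoc preceding the hunk (its closing `*/` is the first context line) still describe the old contract. Update that Javadoc to say e.g. `Creates a ZMS client that authenticates with this service's own identity certificate (via AthenzIdentityProvider) rather than an NToken service principal.`; the same applies to `createZtsClientWithServicePrincipal()` in the next hunk, which additionally still loads the raw private key from Ckms through `getServicePrivateKey()` on every call, a dependency worth stating in its doc. In the constructor hunk above, `athenzPrincipalAuthority` is still built although its only visible consumer, `createServicePrincipal()`, is deleted in the last hunk; if the authorized-service-token path named in the commit title does not use it, the field and the `PrincipalAuthority`-related imports can go too. Both client-factory methods begin before their hunks.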
@@ -70,20 +70,6 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 }
 
- private Principal createServicePrincipal() {
- AthenzConfig.Service service = config.service();
- // TODO bjorncs: Cache principal token
- SimpleServiceIdentityProvider identityProvider =
- new SimpleServiceIdentityProvider(
- athenzPrincipalAuthority,
- config.domain(),
- service.name(),
- getServicePrivateKey(),
- service.publicKeyId(),
- Duration.ofMinutes(service.credentialsExpiryMinutes()).getSeconds());
- return identityProvider.getIdentity(config.domain(), service.name());
- }
-
 private PrivateKey getServicePrivateKey() {
 AthenzConfig.Service service = config.service();
 String privateKey = ckms.getSecret(service.privateKeySecretName(), service.privateKeyVersion()).trim(); |