authorMorten Tokle <mortent@verizonmedia.com>2020-02-28 08:26:15 +0100
committerMorten Tokle <mortent@verizonmedia.com>2020-03-06 09:04:30 +0100
commit9449498ebd0f809c6c69de92eb0f4388114bd6fd (patch)
treec1c33f85f1b01413f495a91df7df245f0e5de5fd
parentdfc02bdeed09a021229feb01d8f910bcd230a387 (diff)
Add expiry time
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java4
-rw-r--r--vespa-athenz/pom.xml12
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java9
3 files changed, 23 insertions, 2 deletions
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index 1fe8d73eb44..74d09234902 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
@@ -1,6 +1,8 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.http.filter.security.athenz;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
import com.yahoo.container.jdisc.RequestHandlerTestDriver.MockResponseHandler;
import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
@@ -48,7 +50,7 @@ public class AthenzAuthorizationFilterTest {
private static final AthenzResourceName RESOURCE_NAME = new AthenzResourceName("domain", "my-resource-name");
private static final ZToken ROLE_TOKEN = new ZToken("v=Z1;d=domain;r=my-role;p=my-domain.my-service");
- private static final AthenzAccessToken ACCESS_TOKEN = new AthenzAccessToken("access-token");
+ private static final AthenzAccessToken ACCESS_TOKEN = new AthenzAccessToken(JWT.create().sign(Algorithm.none()));
private static final AthenzIdentity IDENTITY = AthenzIdentities.from("user.john");
private static final AthenzRole ROLE = new AthenzRole("my.domain", "my-role");
private static final X509Certificate IDENTITY_CERTIFICATE = createDummyIdentityCertificate(IDENTITY);
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 0f23eaed964..7d2ad924ae3 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -131,7 +131,17 @@
<artifactId>jackson-annotations</artifactId>
</exclusion>
</exclusions>
- </dependency>
+ </dependency>
+ <dependency>
+ <groupId>com.auth0</groupId>
+ <artifactId>java-jwt</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
</dependencies>
<build>
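Review bot: The `jackson-databind` exclusion on the new `java-jwt` dependency has no comment explaining it, and java-jwt uses Jackson to parse the token header and payload. With the exclusion in place the library runs against whatever databind version the rest of the classpath supplies, presumably the one the container provides. A short comment such as `<!-- jackson-databind is provided by the container; keep that version compatible with java-jwt -->` would record that assumption. The dependency also carries no `<version>`, so it is presumably pinned in a parent `dependencyManagement` section that is not visible here; that is worth confirming so the JWT library version is not left floating.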
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
index 49b10a37329..7ad97f8ac3c 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAccessToken.java
@@ -1,6 +1,10 @@
// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.api;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+
+import java.time.Instant;
import java.util.Objects;
/**
@@ -15,9 +19,11 @@ public class AthenzAccessToken {
private static final String BEARER_TOKEN_PREFIX = "Bearer ";
private final String value;
+ private final DecodedJWT jwt;
public AthenzAccessToken(String value) {
this.value = stripBearerTokenPrefix(value);
+ this.jwt = JWT.decode(this.value);
}
private static String stripBearerTokenPrefix(String rawValue) {
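Review bot: `JWT.decode(this.value)` in the constructor only parses the token and does not verify its signature, so the new `jwt` field and every claim read from it stay untrusted until the token is validated elsewhere. The field should say so, for example `// decoded without signature verification; claims are untrusted until the token has been validated`, so later callers do not make authorization decisions on these claims. The constructor now also throws `JWTDecodeException` for any string that is not a well-formed JWT, which changes the contract for callers that presumably build this object straight from a request header. Catching it and rethrowing `new IllegalArgumentException("Malformed access token", e)`, without the token value in the message, would keep the failure mode explicit. The class body continues outside this hunk.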
@@ -33,6 +39,9 @@ public class AthenzAccessToken {
public String value() { return value; }
public String valueWithBearerPrefix() { return BEARER_TOKEN_PREFIX + value; }
+ public Instant getExpiryTime () {
+ return jwt.getExpiresAt().toInstant();
+ }
@Override public String toString() { return "AthenzAccessToken{value='" + value + "'}"; }
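Review bot: `jwt.getExpiresAt()` returns null when the token has no `exp` claim, so `getExpiryTime()` throws a NullPointerException for such tokens. That includes the fixture `JWT.create().sign(Algorithm.none())` introduced in AthenzAuthorizationFilterTest, which sets no expiry. The fail-closed choice is to reject a missing expiry explicitly, e.g. `if (jwt.getExpiresAt() == null) throw new IllegalStateException("Access token has no exp claim");` before the `toInstant()` call, and to give the test token an expiry via `withExpiresAt(...)` so the new accessor is exercised. As a style point, `getExpiryTime ()` has a stray space before the parentheses and uses a `get` prefix that the neighbouring `value()` accessor does not.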