authorBjørn Christian Seime <bjorncs@oath.com>2018-07-05 17:21:20 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-07-05 17:21:20 +0200
commitbe4d31b70c0cb186b87aae95fa2ccb392d39b9cc (patch)
tree06f14a4a5dd9162899ab8e27832e0ee21afb78f6 /controller-server
parent20d413cee8e3c7553101187f6778d214fe8c7708 (diff)
Remove ZtsClient in controller-api/controller-server
- Replace old ZtsClient with new one from vespa-athenz module
- Add getControllerIdentity() to AthenzClientFactory
- Remove dependency on athenz-zts-java-client
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/pom.xml25
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java14
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java14
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java59
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java9
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java62
6 files changed, 85 insertions, 98 deletions
diff --git a/controller-server/pom.xml b/controller-server/pom.xml
index 93204845fbe..66fefd6f2fe 100644
--- a/controller-server/pom.xml
+++ b/controller-server/pom.xml
@@ -174,31 +174,6 @@
</exclusions>
</dependency>
- <dependency>
- <groupId>com.yahoo.athenz</groupId>
- <artifactId>athenz-zts-java-client</artifactId>
- <scope>compile</scope>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </exclusion>
- <!--Exclude all Jackson bundles provided by JDisc -->
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-annotations</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
-
<!-- test -->
<dependency>
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index bd746a2fa8d..228ca01e764 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -5,6 +5,7 @@ import com.yahoo.config.provision.TenantName;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzUser;
import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
import com.yahoo.vespa.curator.Lock;
import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
@@ -69,12 +70,13 @@ public class TenantController {
/** Returns a list of all tenants accessible by the given user */
public List<Tenant> asList(UserId user) {
AthenzUser athenzUser = AthenzUser.fromUserId(user.id());
- Set<AthenzDomain> userDomains = new HashSet<>(athenzClientFactory.createZtsClientWithServicePrincipal()
- .getTenantDomainsForUser(athenzUser));
- return asList().stream()
- .filter(tenant -> isUser(tenant, user) ||
- userDomains.stream().anyMatch(domain -> inDomain(tenant, domain)))
- .collect(Collectors.toList());
+ try (ZtsClient ztsClient = athenzClientFactory.createZtsClientWithServicePrincipal()) {
+ Set<AthenzDomain> userDomains = new HashSet<>(ztsClient.getTenantDomains(athenzClientFactory.getControllerIdentity(), athenzUser, "admin"));
+ return asList().stream()
+ .filter(tenant -> isUser(tenant, user) ||
+ userDomains.stream().anyMatch(domain -> inDomain(tenant, domain)))
+ .collect(Collectors.toList());
+ }
}
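Review bot: The role name passed to getTenantDomains on the `Set<AthenzDomain> userDomains = ...` line is the bare literal `"admin"`, and that literal now decides which tenants a user gets to see; it was previously encapsulated in the deleted ZtsClientImpl and is now an undocumented magic string inside the controller. A named constant such as `private static final String TENANT_ADMIN_ROLE = "admin";` with a one-line comment stating that membership in this role grants tenant visibility would make the authorization intent explicit. The old ZtsClientImpl also translated ZTSClientException into ZtsException; whether DefaultZtsClient preserves that contract is not visible here, so any caller catching ZtsException should be checked. The try-with-resources scope is wider than needed: only the getTenantDomains call needs the client, so `userDomains` could be assigned inside the try block and the asList()/filter pipeline moved after it so the client is released before the stream runs.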
/** Create an user tenant with given username */
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index 159a4f11619..633c0470080 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
@@ -8,16 +8,19 @@ import com.yahoo.athenz.auth.impl.SimplePrincipal;
import com.yahoo.athenz.auth.token.PrincipalToken;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.zms.ZMSClient;
-import com.yahoo.athenz.zts.ZTSClient;
import com.yahoo.container.jdisc.secretstore.SecretStore;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.utils.AthenzIdentities;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
+import java.net.URI;
import java.security.PrivateKey;
/**
@@ -38,6 +41,11 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
this.athenzPrincipalAuthority = new AthenzPrincipalAuthority(config.principalHeaderName());
}
+ @Override
+ public AthenzIdentity getControllerIdentity() {
+ return identityProvider.identity();
+ }
+
/**
* @return A ZMS client instance with the service identity as principal.
*/
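Review bot: The new `getControllerIdentity()` override has no Javadoc, while the neighbouring factory methods in this class document their return value (`@return A ZMS client instance with the service identity as principal.`). Suggest adding `/** @return The service identity this controller presents to Athenz, as reported by the injected identity provider. */` above the `@Override`. Whether identityProvider.identity() can be null or change over the lifetime of the component is not visible here, so the doc should not promise immutability without checking ServiceIdentityProvider.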
@@ -51,7 +59,7 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
*/
@Override
public ZtsClient createZtsClientWithServicePrincipal() {
- return new ZtsClientImpl(new ZTSClient(config.ztsUrl(), identityProvider.getIdentitySslContext()), config);
+ return new DefaultZtsClient(URI.create(config.ztsUrl()), identityProvider);
}
/**
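Review bot: createZtsClientWithServicePrincipal now returns a DefaultZtsClient that is closeable (TenantController wraps it in try-with-resources), but the method's Javadoc, whose closing `*/` opens this hunk, does not say that the caller owns the instance and must close it; the previous ZtsClientImpl carried no such requirement, so other callers elsewhere in the module may now leak the client's underlying resources. Suggest appending to that Javadoc: `* The returned client must be closed by the caller, preferably with try-with-resources.` Separately, `URI.create(config.ztsUrl())` throws IllegalArgumentException for a malformed URL only when a client is first requested; parsing the URI once in the constructor would surface a bad configuration at startup instead. The method's Javadoc header starts outside the hunk.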
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
deleted file mode 100644
index c3ed8f0a99f..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.athenz.impl;
-
-import com.yahoo.athenz.zts.TenantDomains;
-import com.yahoo.athenz.zts.ZTSClient;
-import com.yahoo.athenz.zts.ZTSClientException;
-import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsException;
-import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
-
-import java.util.List;
-import java.util.function.Supplier;
-import java.util.logging.Logger;
-
-import static java.util.stream.Collectors.toList;
-
-/**
- * @author bjorncs
- */
-public class ZtsClientImpl implements ZtsClient {
-
- private static final Logger log = Logger.getLogger(ZtsClientImpl.class.getName());
-
- private final ZTSClient ztsClient;
- private final AthenzService service;
-
- public ZtsClientImpl(ZTSClient ztsClient, AthenzConfig config) {
- this.ztsClient = ztsClient;
- this.service = new AthenzService(config.domain(), config.service().name());
- }
-
- @Override
- public List<AthenzDomain> getTenantDomainsForUser(AthenzIdentity identity) {
- return getOrThrow(() -> {
- log.log(LogLevel.DEBUG, String.format(
- "getTenantDomains(domain=%s, identity=%s, rolename=admin, service=%s)",
- service.getDomain().getName(), identity.getFullName(), service.getFullName()));
- TenantDomains domains = ztsClient.getTenantDomains(
- service.getDomain().getName(), identity.getFullName(), "admin", service.getName());
- return domains.getTenantDomainNames().stream()
- .map(AthenzDomain::new)
- .collect(toList());
- });
- }
-
- private static <T> T getOrThrow(Supplier<T> wrappedCode) {
- try {
- return wrappedCode.get();
- } catch (ZTSClientException e) {
- log.warning("Error from Athenz: " + e.getMessage());
- throw new ZtsException(e.getCode(), e);
- }
- }
-
-}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
index f7939422170..6f829113016 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
@@ -3,10 +3,12 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
import com.google.inject.Inject;
import com.yahoo.component.AbstractComponent;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -34,6 +36,11 @@ public class AthenzClientFactoryMock extends AbstractComponent implements Athenz
}
@Override
+ public AthenzIdentity getControllerIdentity() {
+ return new AthenzService("vespa.hosting");
+ }
+
+ @Override
public ZmsClient createZmsClientWithServicePrincipal() {
log("createZmsClientWithServicePrincipal()");
return new ZmsClientMock(athenz);
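Review bot: The mock's `getControllerIdentity()` returns `new AthenzService("vespa.hosting")` from an inline literal and, unlike the sibling `createZmsClientWithServicePrincipal()` directly below it, does not record the invocation via `log(...)`, so tests that rely on the mock's call trace will not see this lookup. Suggest hoisting the identity into a named constant, `private static final AthenzIdentity CONTROLLER_IDENTITY = new AthenzService("vespa.hosting");`, and returning it after `log("getControllerIdentity()");` to keep the mock's conventions consistent. How the single-argument AthenzService constructor splits "vespa.hosting" into domain and service name is not visible here, so a short comment on the constant stating the intended domain/service would help the next reader.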
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
index 4aa1c2b93a5..8b3fb3ca47e 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
@@ -3,8 +3,17 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
+import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.client.zts.Identity;
+import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -24,12 +33,57 @@ public class ZtsClientMock implements ZtsClient {
}
@Override
- public List<AthenzDomain> getTenantDomainsForUser(AthenzIdentity identity) {
- log.log(Level.INFO, "getTenantDomainsForUser(principal='%s')", identity);
+ public List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName) {
+ log.log(Level.INFO, String.format("getTenantDomains(providerIdentity='%s', userIdentity='%s', roleName='%s')",
+ providerIdentity.getFullName(), userIdentity.getFullName(), roleName));
return athenz.domains.values().stream()
- .filter(domain -> domain.tenantAdmins.contains(identity) || domain.admins.contains(identity))
+ .filter(domain -> domain.tenantAdmins.contains(userIdentity) || domain.admins.contains(userIdentity))
.map(domain -> domain.name)
.collect(toList());
}
+ @Override
+ public InstanceIdentity registerInstance(AthenzService providerIdentity, AthenzService instanceIdentity, String instanceId, String attestationData, boolean requestServiceToken, Pkcs10Csr csr) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public InstanceIdentity refreshInstance(AthenzService providerIdentity, AthenzService instanceIdentity, String instanceId, boolean requestServiceToken, Pkcs10Csr csr) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public Identity getServiceIdentity(AthenzService identity, String keyId, Pkcs10Csr csr) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public Identity getServiceIdentity(AthenzService identity, String keyId, KeyPair keyPair, String dnsSuffix) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public ZToken getRoleToken(AthenzDomain domain) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public ZToken getRoleToken(AthenzRole athenzRole) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public X509Certificate getRoleCertificate(AthenzRole role, Duration expiry, KeyPair keyPair, String cloud) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public X509Certificate getRoleCertificate(AthenzRole role, KeyPair keyPair, String cloud) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public void close() {
+
+ }
}
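Review bot: The new `getTenantDomains` implementation filters on `userIdentity` only and ignores both `providerIdentity` and `roleName`, returning every domain where the user is a tenant admin or a domain admin regardless of which role was requested; tests driving TenantController.asList through this mock therefore cannot detect a wrong role name or provider identity being passed to ZTS. If the mock data in athenz.domains cannot model roles, a comment on the filter line such as `// providerIdentity and roleName are not modelled; any admin membership qualifies` would at least make the simplification explicit. The eight `throw new UnsupportedOperationException();` stubs carry no message; naming the method, e.g. `throw new UnsupportedOperationException("registerInstance");`, makes an accidental call easier to diagnose. The empty `close()` body should state its intent, e.g. `// nothing to release: the mock holds no connections`. The class declaration starts outside the hunk.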