authorMorten Tokle <mortent@oath.com>2019-02-11 09:36:23 +0100
committerMorten Tokle <mortent@oath.com>2019-02-12 10:33:19 +0100
commit6d2c6b9c3b36e8bc1efd38cc2c4debffabbd3a3a (patch)
tree920a2beb2f142bab0077cbe64fedfd17e02d9e04 /vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts
parentb44d662b4fb2e71c0da0484760194b9d0bc4d21a (diff)
Add support for AWS temp credentials
Diffstat (limited to 'vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java21
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java35
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AwsTemporaryCredentialsResponseEntity.java28
3 files changed, 83 insertions, 1 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 9eef2ff9903..05395947fc1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -5,9 +5,12 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.AwsRole;
+import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
import com.yahoo.vespa.athenz.api.NToken;
import com.yahoo.vespa.athenz.api.ZToken;
import com.yahoo.vespa.athenz.client.common.ClientBase;
+import com.yahoo.vespa.athenz.client.zts.bindings.AwsTemporaryCredentialsResponseEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.IdentityResponseEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.InstanceIdentityCredentials;
@@ -31,6 +34,7 @@ import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;
+import java.util.Optional;
import java.util.function.Supplier;
import static java.util.stream.Collectors.toList;
@@ -171,6 +175,23 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
});
}
+ @Override
+ public AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId) {
+ URI uri = ztsUrl.resolve(
+ String.format("domain/%s/role/%s/creds", athenzDomain.getName(), awsRole.encodedName()));
+ RequestBuilder requestBuilder = RequestBuilder.get(uri);
+
+ // Add optional durationSeconds and externalId parameters
+ Optional.ofNullable(duration).ifPresent(d -> requestBuilder.addParameter("durationSeconds", Long.toString(duration.getSeconds())));
+ Optional.ofNullable(externalId).ifPresent(s -> requestBuilder.addParameter("externalId", s));
+
+ HttpUriRequest request = requestBuilder.build();
+ return execute(request, response -> {
+ AwsTemporaryCredentialsResponseEntity entity = readEntity(response, AwsTemporaryCredentialsResponseEntity.class);
+ return entity.credentials();
+ });
+ }
+
private InstanceIdentity getInstanceIdentity(HttpResponse response) throws IOException {
InstanceIdentityCredentials entity = readEntity(response, InstanceIdentityCredentials.class);
return entity.getServiceToken() != null
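Review bot: The domain name is interpolated into the request path unencoded on the `String.format("domain/%s/role/%s/creds", athenzDomain.getName(), awsRole.encodedName())` line, while the role segment goes through `encodedName()`; if a domain name can ever carry reserved URL characters the resulting path is malformed or addresses a different resource, so the domain should be encoded the same way the role is (with whatever helper `AwsRole.encodedName()` uses, or `URLEncoder`). On the `durationSeconds` line the lambda ignores its own parameter and captures the outer variable; `d -> requestBuilder.addParameter("durationSeconds", Long.toString(d.getSeconds()))` is what was meant. The externalId is sent as a query parameter, which proxies and access logs commonly retain; since it is the shared secret in AWS's confused-deputy mitigation, a comment such as `// externalId travels in the query string as the ZTS API requires; keep request URLs out of logs` would warn future maintainers. Note also that `getSeconds()` silently drops any sub-second part of `duration`, which the interface Javadoc does not mention.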
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 0ca2ea2fe69..7b77fccfed6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -1,12 +1,14 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zts;
+import com.yahoo.security.Pkcs10Csr;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.AwsRole;
+import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
import com.yahoo.vespa.athenz.api.ZToken;
-import com.yahoo.security.Pkcs10Csr;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
@@ -108,5 +110,36 @@ public interface ZtsClient extends AutoCloseable {
*/
List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName);
+ /**
+ * Get aws temporary credentials
+ *
+ * @param awsRole AWS role to get credentials for
+ * @return AWS temporary credentials
+ */
+ default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole) {
+ return getAwsTemporaryCredentials(athenzDomain, awsRole, null, null);
+ }
+
+ /**
+ * Get aws temporary credentials
+ *
+ * @param awsRole AWS role to get credentials for
+ * @param externalId External Id to get credentials, or <code>null</code> if not required
+ * @return AWS temporary credentials
+ */
+ default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, String externalId) {
+ return getAwsTemporaryCredentials(athenzDomain, awsRole, null, externalId);
+ }
+
+ /**
+ * Get aws temporary credentials
+ *
+ * @param awsRole AWS role to get credentials for
+ * @param duration Duration for which the credentials should be valid, or <code>null</code> to use default
+ * @param externalId External Id to get credentials, or <code>null</code> if not required
+ * @return AWS temporary credentials
+ */
+ AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId);
+
void close();
}
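Review bot: All three new Javadoc blocks omit `@param athenzDomain`, so callers are left to guess what domain is expected relative to the AWS role; add `@param athenzDomain Athenz domain the AWS role is defined in` (wording to be confirmed against ZTS semantics) to each. The `duration` description says `null` means "use default" without saying whose default; since the client only omits the parameter, this is presumably the ZTS server-side default, and saying so (`or <code>null</code> to let ZTS apply its default lifetime`) avoids the impression the client picks a value. It is also worth documenting that the implementation in this same commit sends `duration.getSeconds()`, so sub-second precision is truncated, and that the returned credentials carry an expiration the caller is responsible for honouring.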
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AwsTemporaryCredentialsResponseEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AwsTemporaryCredentialsResponseEntity.java
new file mode 100644
index 00000000000..50b02730277
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AwsTemporaryCredentialsResponseEntity.java
@@ -0,0 +1,28 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zts.bindings;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
+
+import java.time.Instant;
+
+/**
+ * @author mortent
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class AwsTemporaryCredentialsResponseEntity {
+ private AwsTemporaryCredentials credentials;
+
+ public AwsTemporaryCredentialsResponseEntity(
+ @JsonProperty("accessKeyId") String accessKeyId,
+ @JsonProperty("secretAccessKey") String secretAccessKey,
+ @JsonProperty("sessionToken") String sessionToken,
+ @JsonProperty("expiration") Instant expiration) {
+ this.credentials = new AwsTemporaryCredentials(accessKeyId, secretAccessKey, sessionToken, expiration);
+ }
+
+ public AwsTemporaryCredentials credentials() {
+ return credentials;
+ }
+}
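Review bot: Nothing validates the deserialized fields in the constructor, so a ZTS response missing `accessKeyId`, `secretAccessKey`, `sessionToken` or `expiration` yields an `AwsTemporaryCredentials` with null members that only fails later, far from the cause; wrapping each argument in `Objects.requireNonNull(accessKeyId, "accessKeyId")` (and likewise for the others) turns a malformed credential response into an immediate, attributable error. The `credentials` field is never reassigned and should be `private final`. Whether `Instant` deserializes here depends on the `ObjectMapper` used by `readEntity`, which is not visible in this diff; if it does not register the JSR-310 module, `expiration` will fail to bind, so that is worth confirming. Finally, as this entity wraps a secret access key, a short class-level comment noting that it must never gain a field-dumping `toString` would help keep the secret out of logs.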