author | Morten Tokle <mortent@oath.com> | 2019-02-11 09:36:23 +0100 |
committer | Morten Tokle <mortent@oath.com> | 2019-02-12 10:33:19 +0100 |
commit | 6d2c6b9c3b36e8bc1efd38cc2c4debffabbd3a3a (patch) | |
tree | 920a2beb2f142bab0077cbe64fedfd17e02d9e04 /vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts | |
parent | b44d662b4fb2e71c0da0484760194b9d0bc4d21a (diff) |
Add support for AWS temp credentials
Diffstat (limited to 'vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts')
3 files changed, 83 insertions, 1 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 9eef2ff9903..05395947fc1 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -5,9 +5,12 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.AwsRole;
+import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
 import com.yahoo.vespa.athenz.api.NToken;
 import com.yahoo.vespa.athenz.api.ZToken;
 import com.yahoo.vespa.athenz.client.common.ClientBase;
+import com.yahoo.vespa.athenz.client.zts.bindings.AwsTemporaryCredentialsResponseEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.IdentityRefreshRequestEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.IdentityResponseEntity;
 import com.yahoo.vespa.athenz.client.zts.bindings.InstanceIdentityCredentials;
@@ -31,6 +34,7 @@ import java.security.KeyPair;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.List;
+import java.util.Optional;
 import java.util.function.Supplier;
 
 import static java.util.stream.Collectors.toList;
@@ -171,6 +175,23 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 });
 }
 
+@Override
+public AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId) {
+URI uri = ztsUrl.resolve(
+String.format("domain/%s/role/%s/creds", athenzDomain.getName(), awsRole.encodedName()));
+RequestBuilder requestBuilder = RequestBuilder.get(uri);
+
+// Add optional durationSeconds and externalId parameters
+Optional.ofNullable(duration).ifPresent(d -> requestBuilder.addParameter("durationSeconds", Long.toString(duration.getSeconds())));
+Optional.ofNullable(externalId).ifPresent(s -> requestBuilder.addParameter("externalId", s));
+
+HttpUriRequest request = requestBuilder.build();
+return execute(request, response -> {
+AwsTemporaryCredentialsResponseEntity entity = readEntity(response, AwsTemporaryCredentialsResponseEntity.class);
+return entity.credentials();
+});
+}
+
 private InstanceIdentity getInstanceIdentity(HttpResponse response) throws IOException {
 InstanceIdentityCredentials entity = readEntity(response, InstanceIdentityCredentials.class);
 return entity.getServiceToken() != null
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 0ca2ea2fe69..7b77fccfed6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
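Review bot: The lambda on the `durationSeconds` line ignores its own parameter `d` and reads the captured `duration` instead, which works only by accident of both referring to the same non-null value; use the parameter, `Optional.ofNullable(duration).ifPresent(d -> requestBuilder.addParameter("durationSeconds", Long.toString(d.getSeconds())));`, or drop the Optional wrapping in favour of a plain `if (duration != null)` since it is only standing in for a null check. The path built by `String.format` mixes an encoded role name (`awsRole.encodedName()`) with a raw `athenzDomain.getName()`; if Athenz domain names can contain characters reserved in a URI path segment, the domain should be encoded the same way, otherwise a short comment stating that domain names are plain dotted identifiers would tell the reader why the asymmetry is safe. The response this method parses carries a secret access key and session token, so it is worth confirming that the error path inside `execute` (outside this hunk) does not echo the response body into an exception message or log line.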
@@ -1,12 +1,14 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.zts;
 
+import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.AwsRole;
+import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
 import com.yahoo.vespa.athenz.api.ZToken;
-import com.yahoo.security.Pkcs10Csr;
 
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
@@ -108,5 +110,36 @@ public interface ZtsClient extends AutoCloseable {
 */
 List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName);
 
+/**
+* Get aws temporary credentials
+*
+* @param awsRole AWS role to get credentials for
+* @return AWS temporary credentials
+*/
+default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole) {
+return getAwsTemporaryCredentials(athenzDomain, awsRole, null, null);
+}
+
+/**
+* Get aws temporary credentials
+*
+* @param awsRole AWS role to get credentials for
+* @param externalId External Id to get credentials, or <code>null</code> if not required
+* @return AWS temporary credentials
+*/
+default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, String externalId) {
+return getAwsTemporaryCredentials(athenzDomain, awsRole, null, externalId);
+}
+
+/**
+* Get aws temporary credentials
+*
+* @param awsRole AWS role to get credentials for
+* @param duration Duration for which the credentials should be valid, or <code>null</code> to use default
+* @param externalId External Id to get credentials, or <code>null</code> if not required
+* @return AWS temporary credentials
+*/
+AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId);
+
 void close();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AwsTemporaryCredentialsResponseEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AwsTemporaryCredentialsResponseEntity.java
new file mode 100644
index 00000000000..50b02730277
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/AwsTemporaryCredentialsResponseEntity.java
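Review bot: All three new Javadoc blocks omit `@param athenzDomain`, so javadoc will warn and an implementer is not told how the domain relates to the role; add `@param athenzDomain Athenz domain the role belongs to` to each. The two `default` overloads pass `null` explicitly for `duration` and `externalId`, which means every implementation of the four-argument method must tolerate null for both; the third Javadoc says so in the `@param` text, but stating it once on the abstract method as an `@implSpec` would make that contract hard to miss. Minor wording: the summary line reads better as `Get AWS temporary credentials`, and `{@code null}` is the conventional form for the `<code>null</code>` tags.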
@@ -0,0 +1,28 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zts.bindings;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
+
+import java.time.Instant;
+
+/**
+* @author mortent
+*/
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class AwsTemporaryCredentialsResponseEntity {
+private AwsTemporaryCredentials credentials;
+
+public AwsTemporaryCredentialsResponseEntity(
+@JsonProperty("accessKeyId") String accessKeyId,
+@JsonProperty("secretAccessKey") String secretAccessKey,
+@JsonProperty("sessionToken") String sessionToken,
+@JsonProperty("expiration") Instant expiration) {
+this.credentials = new AwsTemporaryCredentials(accessKeyId, secretAccessKey, sessionToken, expiration);
+}
+
+public AwsTemporaryCredentials credentials() {
+return credentials;
+}
+}
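Review bot: `credentials` is assigned exactly once, in the annotated constructor, and never reassigned, so it should be `private final AwsTemporaryCredentials credentials;`; Jackson populates this entity through the constructor, not by field injection, so making it final costs nothing. None of the four constructor arguments is validated, so a ZTS response missing `accessKeyId`, `secretAccessKey`, `sessionToken` or `expiration` produces an `AwsTemporaryCredentials` with null members that only fails later at the point of use rather than at parse time; wrapping each in `Objects.requireNonNull(accessKeyId, "accessKeyId")` (with `import java.util.Objects;`) would reject a malformed response immediately with a clear message, unless `AwsTemporaryCredentials` already validates, which is outside this diff. Because this object holds a secret access key and session token, please also confirm that `AwsTemporaryCredentials` does not expose them through a generated `toString`, since entities like this tend to end up in debug logging.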