author | Valerij Fredriksen <valerijf@yahooinc.com> | 2022-02-18 18:09:24 +0100 |
---|---|---|
committer | Valerij Fredriksen <valerijf@yahooinc.com> | 2022-02-21 09:04:11 +0100 |
commit | a294cb2b68d5989572b3a74886c8bf3be225e715 (patch) | |
tree | 4fd58b2afab7284eb6afb9f06ac1f4ca55ac14b6 /vespa-athenz | |
parent | c7d896f7484b629aef89ebd511e715ce85ba6a30 (diff) |
Merge OktaAccessToken and OktaIdentityToken into OAuthCredentials
Diffstat (limited to 'vespa-athenz')
5 files changed, 68 insertions, 101 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OAuthCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OAuthCredentials.java
new file mode 100644
index 00000000000..1798a679b27
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OAuthCredentials.java
@@ -0,0 +1,52 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.api;
+
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+
+/**
+ * @author freva
+ */
+public class OAuthCredentials {
+
+ private final String accessTokenCookieName;
+ private final String accessToken;
+ private final String idTokenCookieName;
+ private final String idToken;
+
+ private OAuthCredentials(String accessTokenCookieName, String accessToken, String idTokenCookieName, String idToken) {
+ this.accessTokenCookieName = Objects.requireNonNull(accessTokenCookieName);
+ this.accessToken = Objects.requireNonNull(accessToken);
+ this.idTokenCookieName = Objects.requireNonNull(idTokenCookieName);
+ this.idToken = Objects.requireNonNull(idToken);
+ }
+
+ public String accessToken() { return accessToken; }
+ public String idToken() { return idToken; }
+
+ public String asCookie() {
+ return String.format("%s=%s; %s=%s", accessTokenCookieName, accessToken, idTokenCookieName, idToken);
+ }
+
+ public static OAuthCredentials fromOktaRequestContext(Map<String, Object> requestContext) {
+ return new OAuthCredentials("okta_at", requireToken(requestContext, "okta.access-token", "No Okta Access Token provided"),
+ "okta_it", requireToken(requestContext, "okta.identity-token", "No Okta Identity Token provided"));
+ }
+
+ public static OAuthCredentials fromAuth0RequestContext(Map<String, Object> requestContext) {
+ return new OAuthCredentials("access_token", requireToken(requestContext, "auth0.access-token", "No Auth0 Access Token provided"),
+ "id_token", requireToken(requestContext, "auth0.identity-token", "No Auth0 Identity Token provided"));
+ }
+
+ public static OAuthCredentials createForTesting(String accessToken, String idToken) {
+ return new OAuthCredentials("accessToken", accessToken, "idToken", idToken);
+ }
+
+ private static String requireToken(Map<String, Object> context, String 
attribute, String errorMessage) {
+ return Optional.ofNullable(context.get(attribute))
+ .map(String.class::cast)
+ .orElseThrow(() -> new IllegalArgumentException(errorMessage));
+ }
+
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaAccessToken.java
deleted file mode 100644
index 80f769f7fcd..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaAccessToken.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.api;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class OktaAccessToken {
-
- private final String token;
-
- public OktaAccessToken(String token) {
- this.token = token;
- }
-
- public String token() {
- return token;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- OktaAccessToken that = (OktaAccessToken) o;
- return Objects.equals(token, that.token);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(token);
- }
-
- @Override
- public String toString() {
- return "OktaAccessToken{" +
- "token='" + token + '\'' +
- '}';
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java
deleted file mode 100644
index dfe69c7d9d4..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java
+++ /dev/null
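Review bot: `asCookie()` interpolates both tokens straight into one `Cookie` header value, and neither the constructor nor `requireToken` rejects values containing `;`, CR/LF or whitespace, so a malformed attribute in the request context (presumably populated by an upstream authentication filter) would corrupt the header DefaultZmsClient sends rather than fail early; the constructor already checks for null and could also validate the characters, e.g. `if (!accessToken.chars().allMatch(c -> c > 0x20 && c < 0x7f && c != ';')) throw new IllegalArgumentException("Illegal character in access token");` (and the same for `idToken`). `requireToken`'s `String.class::cast` turns a non-String attribute into a bare `ClassCastException` instead of the `IllegalArgumentException` carrying `errorMessage`; adding `.filter(String.class::isInstance)` before the `map` keeps both failure modes on the intended path. The class Javadoc is only `@author`; one sentence stating that `accessToken()` and `idToken()` return bearer secrets that must not be logged, and that the missing `toString()` (present on the deleted token classes) is deliberate, would help the next maintainer.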
@@ -1,40 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.api;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class OktaIdentityToken {
-
- private final String token;
-
- public OktaIdentityToken(String token) {
- this.token = token;
- }
-
- public String token() {
- return token;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- OktaIdentityToken that = (OktaIdentityToken) o;
- return Objects.equals(token, that.token);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(token);
- }
-
- @Override
- public String toString() {
- return "OktaIdentityToken{" +
- "token='" + token + '\'' +
- '}';
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index d83eab9e339..3c60d5bbcc3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -9,8 +9,7 @@ import com.yahoo.vespa.athenz.api.AthenzPolicy;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.api.OktaAccessToken;
-import com.yahoo.vespa.athenz.api.OktaIdentityToken;
+import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import com.yahoo.vespa.athenz.client.ErrorHandler;
 import com.yahoo.vespa.athenz.client.common.ClientBase;
 import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
@@ -74,33 +73,33 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 }
 @Override
- public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials) {
 URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName()));
 HttpUriRequest request = RequestBuilder.put()
 .setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
 .setEntity(toJsonStringEntity(new TenancyRequestEntity(tenantDomain, providerService, Collections.emptyList())))
 .build();
 execute(request, response -> readEntity(response, Void.class));
 }
 @Override
- public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials) {
 URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName()));
 HttpUriRequest request = RequestBuilder.delete()
 .setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
 .build();
 execute(request, response -> readEntity(response, Void.class));
 }
 @Override
 public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- Set<RoleAction> roleActions, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ Set<RoleAction> roleActions, OAuthCredentials oAuthCredentials) {
 URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), 
providerService.getName(), resourceGroup));
 HttpUriRequest request = RequestBuilder.put()
 .setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
 .setEntity(toJsonStringEntity(new ResourceGroupRolesEntity(providerService, tenantDomain, roleActions, resourceGroup)))
 .build();
 execute(request, response -> readEntity(response, Void.class));
 // Note: The ZMS API will actually return a json object that is similar to ProviderResourceGroupRolesRequestEntity
@@ -108,11 +107,11 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 @Override
 public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ OAuthCredentials oAuthCredentials) {
 URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), providerService.getName(), resourceGroup));
 HttpUriRequest request = RequestBuilder.delete()
 .setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
 .build();
 execute(request, response -> readEntity(response, Void.class));
 }
@@ -404,8 +403,8 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 execute(request, response -> readEntity(response, Void.class));
 }
- private static Header createCookieHeaderWithOktaTokens(OktaIdentityToken identityToken, OktaAccessToken accessToken) {
- return new BasicHeader("Cookie", String.format("okta_at=%s; okta_it=%s", accessToken.token(), identityToken.token()));
+ private static Header createCookieHeader(OAuthCredentials oAuthCredentials) {
+ return new BasicHeader("Cookie", oAuthCredentials.asCookie());
 }
 }
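Review bot: `createCookieHeader` in the last hunk now takes the cookie names as well as the values from `OAuthCredentials`, so this client no longer guarantees the `okta_at`/`okta_it` pair that the removed helper hard-coded: a caller that builds the credentials with `fromAuth0RequestContext` sends `access_token`/`id_token` instead, and nothing in this class records which pairs the ZMS endpoint is expected to accept. A one-line comment on the helper would make that contract visible to the next reader, e.g. `// Cookie names (okta_at/okta_it or access_token/id_token) and values are chosen by the OAuthCredentials factory the caller used; see OAuthCredentials.asCookie()`. The same dependency applies to the four request methods in the earlier hunks of this file, which all route through this helper.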
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 38d11d33d74..bd73913ea64 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -8,9 +8,7 @@ import com.yahoo.vespa.athenz.api.AthenzPolicy;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.api.AthenzUser;
-import com.yahoo.vespa.athenz.api.OktaAccessToken;
-import com.yahoo.vespa.athenz.api.OktaIdentityToken;
+import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import java.time.Instant;
 import java.util.List;
@@ -23,17 +21,15 @@ import java.util.Set;
 */
 public interface ZmsClient extends AutoCloseable {
- void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService,
- OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials);
- void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService,
- OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials);
 void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- Set<RoleAction> roleActions, OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ Set<RoleAction> roleActions, OAuthCredentials oAuthCredentials);
 void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ OAuthCredentials oAuthCredentials);
 /** For manual tenancy provisioning - only creates roles/policies on provider domain */
 void createTenantResourceGroup(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup, |
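Review bot: The four methods that now take `OAuthCredentials` have no Javadoc, while the neighbouring `createTenantResourceGroup` does, so nothing on the interface tells an implementer or caller that these operations are authorised by OAuth tokens forwarded to ZMS as cookies (what DefaultZmsClient does in this commit) rather than by the client's own service identity. A short `@param` line on each would close that gap, e.g. `@param oAuthCredentials OAuth access/identity tokens of the requesting principal, sent to ZMS as cookies (see OAuthCredentials.asCookie())`. The interface body continues past the end of the hunk.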