authorValerij Fredriksen <valerijf@yahooinc.com>2022-02-18 18:09:24 +0100
committerValerij Fredriksen <valerijf@yahooinc.com>2022-02-21 09:04:11 +0100
commita294cb2b68d5989572b3a74886c8bf3be225e715 (patch)
tree4fd58b2afab7284eb6afb9f06ac1f4ca55ac14b6 /vespa-athenz
parentc7d896f7484b629aef89ebd511e715ce85ba6a30 (diff)
Merge OktaAccessToken and OktaIdentityToken into OAuthCredentials
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OAuthCredentials.java52
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaAccessToken.java40
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java40
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java23
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java14
5 files changed, 68 insertions, 101 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OAuthCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OAuthCredentials.java
new file mode 100644
index 00000000000..1798a679b27
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OAuthCredentials.java
@@ -0,0 +1,52 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.api;
+
+import java.util.Map;
+import java.util.Objects;
+import java.util.Optional;
+
+/**
+ * @author freva
+ */
+public class OAuthCredentials {
+
+ private final String accessTokenCookieName;
+ private final String accessToken;
+ private final String idTokenCookieName;
+ private final String idToken;
+
+ private OAuthCredentials(String accessTokenCookieName, String accessToken, String idTokenCookieName, String idToken) {
+ this.accessTokenCookieName = Objects.requireNonNull(accessTokenCookieName);
+ this.accessToken = Objects.requireNonNull(accessToken);
+ this.idTokenCookieName = Objects.requireNonNull(idTokenCookieName);
+ this.idToken = Objects.requireNonNull(idToken);
+ }
+
+ public String accessToken() { return accessToken; }
+ public String idToken() { return idToken; }
+
+ public String asCookie() {
+ return String.format("%s=%s; %s=%s", accessTokenCookieName, accessToken, idTokenCookieName, idToken);
+ }
+
+ public static OAuthCredentials fromOktaRequestContext(Map<String, Object> requestContext) {
+ return new OAuthCredentials("okta_at", requireToken(requestContext, "okta.access-token", "No Okta Access Token provided"),
+ "okta_it", requireToken(requestContext, "okta.identity-token", "No Okta Identity Token provided"));
+ }
+
+ public static OAuthCredentials fromAuth0RequestContext(Map<String, Object> requestContext) {
+ return new OAuthCredentials("access_token", requireToken(requestContext, "auth0.access-token", "No Auth0 Access Token provided"),
+ "id_token", requireToken(requestContext, "auth0.identity-token", "No Auth0 Identity Token provided"));
+ }
+
+ public static OAuthCredentials createForTesting(String accessToken, String idToken) {
+ return new OAuthCredentials("accessToken", accessToken, "idToken", idToken);
+ }
+
+ private static String requireToken(Map<String, Object> context, String attribute, String errorMessage) {
+ return Optional.ofNullable(context.get(attribute))
+ .map(String.class::cast)
+ .orElseThrow(() -> new IllegalArgumentException(errorMessage));
+ }
+
+}
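Review bot: `requireToken` (the `Optional` chain near the end of the hunk) fails with a ClassCastException rather than the intended IllegalArgumentException when the attribute is present in the request context but is not a String, because `String.class::cast` runs on whatever object is stored there; adding `.filter(String.class::isInstance)` before `.map(String.class::cast)` makes that case fail with the supplied message as well. The `requireNonNull` calls in the constructor also accept an empty string, so `asCookie()` can produce `okta_at=; okta_it=` — if an empty token is never meaningful, a `isBlank()` check in `requireToken` would reject it at construction time instead of at the ZMS round trip. The class carries only an `@author` tag; a class-level Javadoc stating that it holds the user's bearer access and ID tokens, that `asCookie()` writes both values verbatim into a `Cookie` header value, and that `toString()` is deliberately not overridden so the tokens do not end up in logs would give callers the contract they need. `asCookie()` inserts the raw token strings without checking for cookie-unsafe characters such as `;` or whitespace — presumably the tokens are JWTs where that cannot occur, but the class does not enforce it.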
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaAccessToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaAccessToken.java
deleted file mode 100644
index 80f769f7fcd..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaAccessToken.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.api;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class OktaAccessToken {
-
- private final String token;
-
- public OktaAccessToken(String token) {
- this.token = token;
- }
-
- public String token() {
- return token;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- OktaAccessToken that = (OktaAccessToken) o;
- return Objects.equals(token, that.token);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(token);
- }
-
- @Override
- public String toString() {
- return "OktaAccessToken{" +
- "token='" + token + '\'' +
- '}';
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java
deleted file mode 100644
index dfe69c7d9d4..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.athenz.api;
-
-import java.util.Objects;
-
-/**
- * @author bjorncs
- */
-public class OktaIdentityToken {
-
- private final String token;
-
- public OktaIdentityToken(String token) {
- this.token = token;
- }
-
- public String token() {
- return token;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- OktaIdentityToken that = (OktaIdentityToken) o;
- return Objects.equals(token, that.token);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(token);
- }
-
- @Override
- public String toString() {
- return "OktaIdentityToken{" +
- "token='" + token + '\'' +
- '}';
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index d83eab9e339..3c60d5bbcc3 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -9,8 +9,7 @@ import com.yahoo.vespa.athenz.api.AthenzPolicy;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.api.OktaAccessToken;
-import com.yahoo.vespa.athenz.api.OktaIdentityToken;
+import com.yahoo.vespa.athenz.api.OAuthCredentials;
import com.yahoo.vespa.athenz.client.ErrorHandler;
import com.yahoo.vespa.athenz.client.common.ClientBase;
import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
@@ -74,33 +73,33 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
}
@Override
- public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials) {
URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName()));
HttpUriRequest request = RequestBuilder.put()
.setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
.setEntity(toJsonStringEntity(new TenancyRequestEntity(tenantDomain, providerService, Collections.emptyList())))
.build();
execute(request, response -> readEntity(response, Void.class));
}
@Override
- public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials) {
URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName()));
HttpUriRequest request = RequestBuilder.delete()
.setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
.build();
execute(request, response -> readEntity(response, Void.class));
}
@Override
public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- Set<RoleAction> roleActions, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ Set<RoleAction> roleActions, OAuthCredentials oAuthCredentials) {
URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), providerService.getName(), resourceGroup));
HttpUriRequest request = RequestBuilder.put()
.setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
.setEntity(toJsonStringEntity(new ResourceGroupRolesEntity(providerService, tenantDomain, roleActions, resourceGroup)))
.build();
execute(request, response -> readEntity(response, Void.class)); // Note: The ZMS API will actually return a json object that is similar to ProviderResourceGroupRolesRequestEntity
@@ -108,11 +107,11 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
@Override
public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+ OAuthCredentials oAuthCredentials) {
URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), providerService.getName(), resourceGroup));
HttpUriRequest request = RequestBuilder.delete()
.setUri(uri)
- .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
+ .addHeader(createCookieHeader(oAuthCredentials))
.build();
execute(request, response -> readEntity(response, Void.class));
}
@@ -404,8 +403,8 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
execute(request, response -> readEntity(response, Void.class));
}
- private static Header createCookieHeaderWithOktaTokens(OktaIdentityToken identityToken, OktaAccessToken accessToken) {
- return new BasicHeader("Cookie", String.format("okta_at=%s; okta_it=%s", accessToken.token(), identityToken.token()));
+ private static Header createCookieHeader(OAuthCredentials oAuthCredentials) {
+ return new BasicHeader("Cookie", oAuthCredentials.asCookie());
}
}
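Review bot: `createCookieHeader` now forwards the entire credential string to the `Cookie` header without any comment on what the value contains, and the same header is attached in the four tenancy/resource-group methods earlier in this file. A short Javadoc such as `/** Builds the Cookie header carrying the user's bearer access and ID tokens; treat the returned header value as a secret. */` would make that clear to anyone adding request logging or error reporting around `execute`. `execute` and `ErrorHandler` are outside this hunk, so I cannot tell from here whether failed requests are reported with their headers; if they are, this header should be redacted there.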
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 38d11d33d74..bd73913ea64 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -8,9 +8,7 @@ import com.yahoo.vespa.athenz.api.AthenzPolicy;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.athenz.api.AthenzUser;
-import com.yahoo.vespa.athenz.api.OktaAccessToken;
-import com.yahoo.vespa.athenz.api.OktaIdentityToken;
+import com.yahoo.vespa.athenz.api.OAuthCredentials;
import java.time.Instant;
import java.util.List;
@@ -23,17 +21,15 @@ import java.util.Set;
*/
public interface ZmsClient extends AutoCloseable {
- void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService,
- OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials);
- void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService,
- OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OAuthCredentials oAuthCredentials);
void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- Set<RoleAction> roleActions, OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ Set<RoleAction> roleActions, OAuthCredentials oAuthCredentials);
void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
- OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ OAuthCredentials oAuthCredentials);
/** For manual tenancy provisioning - only creates roles/policies on provider domain */
void createTenantResourceGroup(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup,