authorBjørn Christian Seime <bjorncs@oath.com>2018-07-05 17:01:25 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-07-05 17:01:25 +0200
commit20d413cee8e3c7553101187f6778d214fe8c7708 (patch)
treedd62890bf09d0d5c2ad699c300f2afe3795058fb /vespa-athenz
parenta9e1f8619ae5a4db3e0909ade11feaf4a263d8ce (diff)
Add getTenantDomains to vespa-athenz ZtsClient
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java20
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java13
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/TenantDomainsResponseEntity.java21
3 files changed, 54 insertions, 0 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index f8654bbaa68..8c67c3386b7 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
@@ -18,6 +18,7 @@ import com.yahoo.vespa.athenz.client.zts.bindings.InstanceRegisterInformation;
import com.yahoo.vespa.athenz.client.zts.bindings.RoleCertificateRequestEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.RoleCertificateResponseEntity;
import com.yahoo.vespa.athenz.client.zts.bindings.RoleTokenResponseEntity;
+import com.yahoo.vespa.athenz.client.zts.bindings.TenantDomainsResponseEntity;
import com.yahoo.vespa.athenz.client.zts.utils.IdentityCsrGenerator;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
@@ -43,13 +44,16 @@ import java.net.URI;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
+import java.util.List;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
+import java.util.stream.Collectors;
import static com.yahoo.vespa.athenz.tls.SignatureAlgorithm.SHA256_WITH_RSA;
import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.RFC822_NAME;
+import static java.util.stream.Collectors.toList;
/**
* Default implementation of {@link ZtsClient}
@@ -206,6 +210,22 @@ public class DefaultZtsClient implements ZtsClient {
return getRoleCertificate(role, null, keyPair, cloud);
}
+ @Override
+ public List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName) {
+ URI uri = ztsUrl.resolve(
+ String.format("providerdomain/%s/user/%s", providerIdentity.getDomainName(), userIdentity.getFullName()));
+ HttpUriRequest request = RequestBuilder.get(uri)
+ .addParameter("roleName", roleName)
+ .addParameter("serviceName", providerIdentity.getName())
+ .build();
+ return withClient(client -> {
+ try (CloseableHttpResponse response = client.execute(request)) {
+ TenantDomainsResponseEntity entity = readEntity(response, TenantDomainsResponseEntity.class);
+ return entity.tenantDomainNames.stream().map(AthenzDomain::new).collect(toList());
+ }
+ });
+ }
+
private static InstanceIdentity getInstanceIdentity(HttpResponse response) throws IOException {
InstanceIdentityCredentials entity = readEntity(response, InstanceIdentityCredentials.class);
return entity.getServiceToken() != null
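Review bot: `entity.tenantDomainNames.stream()` in getTenantDomains throws NullPointerException when the ZTS response carries no `tenantDomainNames` property, because Jackson normally hands an absent property to the `@JsonCreator` parameter as null; a user in no tenant domain should yield an empty list rather than an NPE from inside withClient. A local guard does it, `List<String> names = entity.tenantDomainNames == null ? Collections.emptyList() : entity.tenantDomainNames;` followed by `return names.stream().map(AthenzDomain::new).collect(toList());` (plus the `java.util.Collections` import), unless the guard is placed in the entity's constructor instead. The provider domain name and user full name are interpolated into the request path unencoded; this looks consistent with how the rest of the class builds URIs, but it is worth confirming those identity values are restricted to plain dotted names so they cannot alter the path. The earlier import hunk also adds `import java.util.stream.Collectors;`, which nothing in the new code uses since only the static `toList()` import is referenced. The DefaultZtsClient class, and the ztsUrl/withClient/readEntity members the method relies on, continue outside this hunk.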
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 9502deca1c0..5c0e21bfa97 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -1,7 +1,9 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zts;
+import com.yahoo.athenz.zts.TenantDomains;
import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.api.ZToken;
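Review bot: `import com.yahoo.athenz.zts.TenantDomains;` is not referenced by anything this commit adds to ZtsClient — the new method is declared in terms of `List<AthenzDomain>` and `AthenzIdentity` — so it is a dead import that drags the raw Athenz ZTS binding type into the public client interface. Remove that line and keep only the `AthenzIdentity` and `java.util.List` imports the new signature needs. The interface body continues outside this hunk, but an unused import cannot be needed by it.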
@@ -10,6 +12,7 @@ import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
+import java.util.List;
/**
* Interface for a ZTS client.
@@ -103,5 +106,15 @@ public interface ZtsClient extends AutoCloseable {
KeyPair keyPair,
String cloud);
+ /**
+ * For a given provider, get a list of tenant domains that the user is a member of
+ *
+ * @param providerIdentity Provider identity
+ * @param userIdentity User identity
+ * @param roleName Role name
+ * @return List of domains
+ */
+ List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName);
+
void close();
}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/TenantDomainsResponseEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/TenantDomainsResponseEntity.java
new file mode 100644
index 00000000000..0c69aac318c
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/bindings/TenantDomainsResponseEntity.java
@@ -0,0 +1,21 @@
+// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.client.zts.bindings;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+
+/**
+ * @author bjorncs
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class TenantDomainsResponseEntity {
+ public final List<String> tenantDomainNames;
+
+ @JsonCreator
+ public TenantDomainsResponseEntity(@JsonProperty("tenantDomainNames") List<String> tenantDomainNames) {
+ this.tenantDomainNames = tenantDomainNames;
+ }
+}
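Review bot: The constructor stores whatever Jackson passes for `tenantDomainNames`, so the public final field can be null when the property is absent and, when present, exposes the deserialized list for mutation by any caller. Making the binding total and read-only is a one-line change, `this.tenantDomainNames = tenantDomainNames == null ? Collections.emptyList() : Collections.unmodifiableList(tenantDomainNames);` together with `import java.util.Collections;`. The class Javadoc carries only `@author`; a summary such as `JSON binding for the ZTS tenant-domains response (list of tenant domain names for a provider/user pair).` would tell a reader what the type represents.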