authorEirik Nygaard <eirik.nygaard@yahooinc.com>2023-08-09 19:37:38 +0200
committerEirik Nygaard <eirik.nygaard@yahooinc.com>2023-08-10 11:10:30 +0200
commit7ffad339a7691d7e9f3c7d2459d883113f5b7bd9 (patch)
tree355418b76c6b53dccf6dce235273eb4af8d6dc61 /vespa-athenz
parent9881bf4a8f7048dd7abff0df3dfb6cd449b42540 (diff)
Add new dependencies
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/pom.xml3
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java120
2 files changed, 102 insertions, 21 deletions
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index e8d43c556ca..e6e4a0a17b7 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -278,13 +278,10 @@
<dependency>
<groupId>com.google.http-client</groupId>
<artifactId>google-http-client-apache-v2</artifactId>
- <version>1.43.2</version>
</dependency>
<dependency>
<groupId>com.google.auth</groupId>
<artifactId>google-auth-library-oauth2-http</artifactId>
- <version>1.15.0</version>
- <scope>compile</scope>
</dependency>
</dependencies>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
index 9dcccd52b09..bbdc3c2b372 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
@@ -3,7 +3,8 @@ package com.yahoo.vespa.athenz.gcp;
import com.google.api.client.http.apache.v2.ApacheHttpTransport;
import com.google.auth.http.HttpTransportFactory;
import com.google.auth.oauth2.ExternalAccountCredentials;
-import com.yahoo.athenz.auth.util.Crypto;
+import com.yahoo.security.token.TokenDomain;
+import com.yahoo.security.token.TokenGenerator;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.Slime;
import com.yahoo.slime.SlimeUtils;
@@ -17,27 +18,27 @@ import java.io.IOException;
import java.io.InputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
+import java.util.Objects;
public class GcpCredentials {
- final private static String WORKLOAD_POOL_NAME = "athenz";
- final private static String WORKLOAD_PROVIDER_NAME = "athenz";
+ private static final TokenDomain domain = TokenDomain.of("athenz-gcp-oauth2-nonce");
final private InputStream tokenApiStream;
private final HttpTransportFactory httpTransportFactory;
- public GcpCredentials(String ztsUrl, ServiceIdentityProvider provider, String redirectURISuffix, int tokenLifetimeSeconds, AthenzDomain athenzDomain, String gcpRole, String projectName, String projectNumber, String serviceAccountName) {
- String clientId = athenzDomain.getName() + ".gcp";
- final String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
- projectNumber, WORKLOAD_POOL_NAME, WORKLOAD_PROVIDER_NAME);
- final String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken",
- serviceAccountName, projectName);
- final String scope = URLEncoder.encode(generateIdTokenScope(athenzDomain.getName(), gcpRole), StandardCharsets.UTF_8);
- final String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, redirectURISuffix), StandardCharsets.UTF_8);
- final String tokenUrl = String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json",
- ztsUrl, clientId, redirectUri, scope, Crypto.randomSalt());
-
- tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, tokenLifetimeSeconds);
- SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(provider.getIdentitySslContext());
+ private GcpCredentials(Builder builder) {
+ String clientId = builder.athenzDomain.getName() + ".gcp";
+ String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
+ builder.projectNumber, builder.workloadPoolName, builder.workloadProviderName);
+ String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken",
+ builder.serviceAccountName, builder.projectName);
+ String scope = URLEncoder.encode(generateIdTokenScope(builder.athenzDomain.getName(), builder.role), StandardCharsets.UTF_8);
+ String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, builder.redirectURISuffix), StandardCharsets.UTF_8);
+ String tokenUrl = String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json",
+ builder.ztsUrl, clientId, redirectUri, scope, TokenGenerator.generateToken(domain, "", 32).secretTokenString());
+
+ tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, builder.tokenLifetimeSeconds);
+ SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(builder.identityProvider.getIdentitySslContext());
HttpClientBuilder httpClientBuilder = ApacheHttpTransport.newDefaultHttpClientBuilder()
.setSSLSocketFactory(sslConnectionSocketFactory);
httpTransportFactory = () -> new ApacheHttpTransport(httpClientBuilder.build());
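Review bot: `builder.projectNumber`, `builder.projectName` and `builder.serviceAccountName` are formatted straight into the IAM `audience` and the iamcredentials `serviceUrl` with no validation or encoding, while `scope` and `redirectUri` a few lines below are run through `URLEncoder.encode`; a value containing `/`, `?` or `@` would change which workload-identity provider or service-account path the `generateAccessToken` call is aimed at. These presumably come from deployment config rather than end-user input, but the new public Builder makes them caller-supplied, so a cheap guard at construction is worth adding, e.g. `if (!builder.projectNumber.matches("\\d+")) throw new IllegalArgumentException("projectNumber must be numeric");` with a similar allowed-charset check for projectName and serviceAccountName. Separately, the nonce from `TokenGenerator.generateToken(domain, "", 32).secretTokenString()` is interpolated unencoded into `tokenUrl`; if that encoding can emit URL-reserved characters it should also go through `URLEncoder.encode`, and it is worth a comment that, as before this change, the nonce is generated once per `GcpCredentials` instance rather than per token request. The constructor body continues past the end of the hunk.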
@@ -76,14 +77,14 @@ public class GcpCredentials {
}
}
- public static String generateIdTokenScope(final String domainName, String roleName) {
+ private static String generateIdTokenScope(final String domainName, String roleName) {
StringBuilder scope = new StringBuilder(256);
scope.append("openid");
scope.append(' ').append(domainName).append(":role.").append(roleName);
return scope.toString();
}
- public static String generateRedirectUri(final String clientId, String uriSuffix) {
+ private static String generateRedirectUri(final String clientId, String uriSuffix) {
int idx = clientId.lastIndexOf('.');
if (idx == -1) {
return "";
@@ -93,4 +94,87 @@ public class GcpCredentials {
return "https://" + service + "." + dashDomain + "." + uriSuffix;
}
+
+ public static class Builder {
+ private String ztsUrl;
+ private ServiceIdentityProvider identityProvider;
+ private String redirectURISuffix;
+ private AthenzDomain athenzDomain;
+ private String role;
+ private String projectName;
+ private String projectNumber;
+ private String serviceAccountName;
+
+ private int tokenLifetimeSeconds = 3600; // default to 1 hour lifetime
+ private String workloadPoolName = "athenz";
+ private String workloadProviderName = "athenz";
+
+ public GcpCredentials build() {
+ Objects.requireNonNull(ztsUrl);
+ Objects.requireNonNull(identityProvider);
+ Objects.requireNonNull(redirectURISuffix);
+ Objects.requireNonNull(athenzDomain);
+ Objects.requireNonNull(role);
+ Objects.requireNonNull(projectName);
+ Objects.requireNonNull(projectNumber);
+ Objects.requireNonNull(serviceAccountName);
+
+ return new GcpCredentials(this);
+ }
+
+ public Builder setZtsUrl(String ztsUrl) {
+ this.ztsUrl = ztsUrl;
+ return this;
+ }
+
+ public Builder identityProvider(ServiceIdentityProvider provider) {
+ this.identityProvider = provider;
+ return this;
+ }
+
+ public Builder redirectURISuffix(String redirectURISuffix) {
+ this.redirectURISuffix = redirectURISuffix;
+ return this;
+ }
+
+ public Builder athenzDomain(AthenzDomain athenzDomain) {
+ this.athenzDomain = athenzDomain;
+ return this;
+ }
+
+ public Builder role(String gcpRole) {
+ this.role = gcpRole;
+ return this;
+ }
+
+ public Builder projectName(String projectName) {
+ this.projectName = projectName;
+ return this;
+ }
+
+ public Builder projectNumber(String projectNumber) {
+ this.projectNumber = projectNumber;
+ return this;
+ }
+
+ public Builder serviceAccountName(String serviceAccountName) {
+ this.serviceAccountName = serviceAccountName;
+ return this;
+ }
+
+ public Builder tokenLifetimeSeconds(int tokenLifetimeSeconds) {
+ this.tokenLifetimeSeconds = tokenLifetimeSeconds;
+ return this;
+ }
+
+ public Builder workloadPoolName(String workloadPoolName) {
+ this.workloadPoolName = workloadPoolName;
+ return this;
+ }
+
+ public Builder workloadProviderName(String workloadProviderName) {
+ this.workloadProviderName = workloadProviderName;
+ return this;
+ }
+ }
}
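Review bot: `build()` calls `Objects.requireNonNull` on eight fields without a message, so a caller who forgets one setter gets a bare `NullPointerException` with no indication of which parameter is missing, and `tokenLifetimeSeconds` is never range-checked, so a zero or negative lifetime is passed through to `createTokenAPIStream` and only rejected later by the IAM endpoint, if at all. Passing the field name as the second argument and rejecting non-positive lifetimes up front makes misconfiguration fail at construction with a usable message; the rewritten `build()` is below. Also, `setZtsUrl` is the only setter with a `set` prefix while the rest use bare fluent names (`identityProvider`, `role`, …), so renaming it to `ztsUrl` would keep the builder API uniform.
```java
        public GcpCredentials build() {
            Objects.requireNonNull(ztsUrl, "ztsUrl");
            Objects.requireNonNull(identityProvider, "identityProvider");
            Objects.requireNonNull(redirectURISuffix, "redirectURISuffix");
            Objects.requireNonNull(athenzDomain, "athenzDomain");
            Objects.requireNonNull(role, "role");
            Objects.requireNonNull(projectName, "projectName");
            Objects.requireNonNull(projectNumber, "projectNumber");
            Objects.requireNonNull(serviceAccountName, "serviceAccountName");
            if (tokenLifetimeSeconds <= 0) {
                throw new IllegalArgumentException("tokenLifetimeSeconds must be positive, got " + tokenLifetimeSeconds);
            }
            return new GcpCredentials(this);
        }
        // … unchanged: fluent setters …
```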