Pass Okta identity token to Athenz tenancy operations

author: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-10-29 15:02:43 +0100
committer: Bjørn Christian Seime <bjorncs@verizonmedia.com> 2019-10-29 15:52:39 +0100
commit: b1dd451e2d24d36fa3932e8208969e9f8b938e11 (patch)
tree: e5a4485d6b190aa7738c15d0c0cb64d5e8e763f8 /vespa-athenz
parent: 93b092487fe0ee071b83787f8073bbaeb00e9826 (diff)
3 files changed, 63 insertions, 16 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java
new file mode 100644
index 00000000000..45f3024bec6
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/OktaIdentityToken.java
@@ -0,0 +1,40 @@
+// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.vespa.athenz.api;
+
+import java.util.Objects;
+
+/**
+ * @author bjorncs
+ */
+public class OktaIdentityToken {
+
+    private final String token;
+
+    public OktaIdentityToken(String token) {
+        this.token = token;
+    }
+
+    public String token() {
+        return token;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (o == null || getClass() != o.getClass()) return false;
+        OktaIdentityToken that = (OktaIdentityToken) o;
+        return Objects.equals(token, that.token);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(token);
+    }
+
+    @Override
+    public String toString() {
+        return "OktaIdentityToken{" +
+                "token='" + token + '\'' +
+                '}';
+    }
+}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 7b5427216a1..8129763a6d6 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -6,6 +6,7 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
+import com.yahoo.vespa.athenz.api.OktaIdentityToken;
 import com.yahoo.vespa.athenz.client.common.ClientBase;
 import com.yahoo.vespa.athenz.client.zms.bindings.AccessResponseEntity;
 import com.yahoo.vespa.athenz.client.zms.bindings.DomainListResponseEntity;
@@ -54,43 +55,45 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
     }
 
     @Override
-    public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token) {
+    public void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
         URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName()));
         HttpUriRequest request = RequestBuilder.put()
                 .setUri(uri)
-                .addHeader(creatOktaAccessTokenHeader(token))
+                .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
                 .setEntity(toJsonStringEntity(new TenancyRequestEntity(tenantDomain, providerService, Collections.emptyList())))
                 .build();
         execute(request, response -> readEntity(response, Void.class));
     }
 
     @Override
-    public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token) {
+    public void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
         URI uri = zmsUrl.resolve(String.format("domain/%s/tenancy/%s", tenantDomain.getName(), providerService.getFullName()));
         HttpUriRequest request = RequestBuilder.delete()
                 .setUri(uri)
-                .addHeader(creatOktaAccessTokenHeader(token))
+                .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
                 .build();
         execute(request, response -> readEntity(response, Void.class));
     }
 
     @Override
-    public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token) {
+    public void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
+                                            Set<RoleAction> roleActions, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
         URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), providerService.getName(), resourceGroup));
         HttpUriRequest request = RequestBuilder.put()
                 .setUri(uri)
-                .addHeader(creatOktaAccessTokenHeader(token))
+                .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
                 .setEntity(toJsonStringEntity(new ProviderResourceGroupRolesRequestEntity(providerService, tenantDomain, roleActions, resourceGroup)))
                 .build();
         execute(request, response -> readEntity(response, Void.class)); // Note: The ZMS API will actually return a json object that is similar to ProviderResourceGroupRolesRequestEntity
     }
 
     @Override
-    public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, OktaAccessToken token) {
+    public void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
+                                            OktaIdentityToken identityToken, OktaAccessToken accessToken) {
         URI uri = zmsUrl.resolve(String.format("domain/%s/provDomain/%s/provService/%s/resourceGroup/%s", tenantDomain.getName(), providerService.getDomainName(), providerService.getName(), resourceGroup));
         HttpUriRequest request = RequestBuilder.delete()
                 .setUri(uri)
-                .addHeader(creatOktaAccessTokenHeader(token))
+                .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
                 .build();
         execute(request, response -> readEntity(response, Void.class));
     }
@@ -132,7 +135,8 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
         });
     }
 
-    private static Header creatOktaAccessTokenHeader(OktaAccessToken token) {
-        return new BasicHeader("Cookie", String.format("okta_at=%s", token.token()));
+    private static Header createCookieHeaderWithOktaTokens(OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+        return new BasicHeader("Cookie", String.format("okta_at=%s; okta_it=%s", accessToken.token(), identityToken.token()));
     }
+
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index e78478bc1a2..6a11a69a797 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -5,10 +5,9 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
-import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.api.OktaAccessToken;
+import com.yahoo.vespa.athenz.api.OktaIdentityToken;
 
-import java.time.Instant;
 import java.util.List;
 import java.util.Set;
 
@@ -17,13 +16,17 @@ import java.util.Set;
  */
 public interface ZmsClient extends AutoCloseable {
 
-    void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token);
+    void createTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService,
+                       OktaIdentityToken identityToken, OktaAccessToken accessToken);
 
-    void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService, OktaAccessToken token);
+    void deleteTenancy(AthenzDomain tenantDomain, AthenzIdentity providerService,
+                       OktaIdentityToken identityToken, OktaAccessToken accessToken);
 
-    void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, Set<RoleAction> roleActions, OktaAccessToken token);
+    void createProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
+                                     Set<RoleAction> roleActions, OktaIdentityToken identityToken, OktaAccessToken accessToken);
 
-    void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, OktaAccessToken token);
+    void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
+                                     OktaIdentityToken identityToken, OktaAccessToken accessToken);
 
     boolean getMembership(AthenzRole role, AthenzIdentity identity);
author	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-10-29 15:02:43 +0100
committer	Bjørn Christian Seime <bjorncs@verizonmedia.com>	2019-10-29 15:52:39 +0100
commit	b1dd451e2d24d36fa3932e8208969e9f8b938e11 (patch)
tree	e5a4485d6b190aa7738c15d0c0cb64d5e8e763f8 /vespa-athenz
parent	93b092487fe0ee071b83787f8073bbaeb00e9826 (diff)