authorValerij Fredriksen <valerijf@yahooinc.com>2023-09-11 12:44:22 +0200
committerValerij Fredriksen <valerijf@yahooinc.com>2023-09-11 12:44:22 +0200
commitd8b3bee871f6b91ccff966fe85be0ce8bb54ec08 (patch)
tree8f785e63a1970a4603e6c1d39e72bedda8a2830c /vespa-athenz
parent6d9d3fb1265a3bf61fdb2582ceb2f148ef9680c1 (diff)
Move GcpCredentials to internal module
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/pom.xml46
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java180
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/package-info.java9
3 files changed, 0 insertions, 235 deletions
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 55fd25f8b99..a9379040133 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -275,52 +275,6 @@
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
</dependency>
- <dependency>
- <groupId>com.google.http-client</groupId>
- <artifactId>google-http-client-apache-v2</artifactId>
- <exclusions>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpcore</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.google.http-client</groupId>
- <artifactId>google-http-client</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>com.google.http-client</groupId>
- <artifactId>google-http-client</artifactId>
- <exclusions>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpcore</artifactId>
- </exclusion>
- <exclusion>
- <groupId>org.apache.httpcomponents</groupId>
- <artifactId>httpclient</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
- <dependency>
- <groupId>com.google.auth</groupId>
- <artifactId>google-auth-library-oauth2-http</artifactId>
- <exclusions>
- <exclusion>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
</dependencies>
<build>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
deleted file mode 100644
index bbdc3c2b372..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
+++ /dev/null
@@ -1,180 +0,0 @@
-package com.yahoo.vespa.athenz.gcp;
-
-import com.google.api.client.http.apache.v2.ApacheHttpTransport;
-import com.google.auth.http.HttpTransportFactory;
-import com.google.auth.oauth2.ExternalAccountCredentials;
-import com.yahoo.security.token.TokenDomain;
-import com.yahoo.security.token.TokenGenerator;
-import com.yahoo.slime.Cursor;
-import com.yahoo.slime.Slime;
-import com.yahoo.slime.SlimeUtils;
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
-import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.impl.client.HttpClientBuilder;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
-import java.util.Objects;
-
-public class GcpCredentials {
- private static final TokenDomain domain = TokenDomain.of("athenz-gcp-oauth2-nonce");
-
- final private InputStream tokenApiStream;
- private final HttpTransportFactory httpTransportFactory;
-
- private GcpCredentials(Builder builder) {
- String clientId = builder.athenzDomain.getName() + ".gcp";
- String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
- builder.projectNumber, builder.workloadPoolName, builder.workloadProviderName);
- String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken",
- builder.serviceAccountName, builder.projectName);
- String scope = URLEncoder.encode(generateIdTokenScope(builder.athenzDomain.getName(), builder.role), StandardCharsets.UTF_8);
- String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, builder.redirectURISuffix), StandardCharsets.UTF_8);
- String tokenUrl = String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json",
- builder.ztsUrl, clientId, redirectUri, scope, TokenGenerator.generateToken(domain, "", 32).secretTokenString());
-
- tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, builder.tokenLifetimeSeconds);
- SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(builder.identityProvider.getIdentitySslContext());
- HttpClientBuilder httpClientBuilder = ApacheHttpTransport.newDefaultHttpClientBuilder()
- .setSSLSocketFactory(sslConnectionSocketFactory);
- httpTransportFactory = () -> new ApacheHttpTransport(httpClientBuilder.build());
- }
-
- public ExternalAccountCredentials getCredential() throws IOException {
- return ExternalAccountCredentials.fromStream(tokenApiStream, httpTransportFactory);
- }
-
- private InputStream createTokenAPIStream(final String audience, final String serviceUrl, final String tokenUrl,
- int tokenLifetimeSeconds) {
-
- Slime root = new Slime();
- Cursor c = root.setObject();
-
- c.setString("type", "external_account");
- c.setString("audience", audience);
- c.setString("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
- c.setString("token_url", "https://sts.googleapis.com/v1/token");
-
- c.setString("service_account_impersonation_url", serviceUrl);
- Cursor sai = c.setObject("service_account_impersonation");
- sai.setLong("token_lifetime_seconds", tokenLifetimeSeconds);
-
- Cursor credentialSource = c.setObject("credential_source");
- credentialSource.setString("url", tokenUrl);
-
- Cursor credentialSourceFormat = credentialSource.setObject("format");
- credentialSourceFormat.setString("type", "json");
- credentialSourceFormat.setString("subject_token_field_name", "id_token");
-
- try {
- return new ByteArrayInputStream(SlimeUtils.toJsonBytes(root));
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
- }
-
- private static String generateIdTokenScope(final String domainName, String roleName) {
- StringBuilder scope = new StringBuilder(256);
- scope.append("openid");
- scope.append(' ').append(domainName).append(":role.").append(roleName);
- return scope.toString();
- }
-
- private static String generateRedirectUri(final String clientId, String uriSuffix) {
- int idx = clientId.lastIndexOf('.');
- if (idx == -1) {
- return "";
- }
- final String dashDomain = clientId.substring(0, idx).replace('.', '-');
- final String service = clientId.substring(idx + 1);
- return "https://" + service + "." + dashDomain + "." + uriSuffix;
- }
-
-
- public static class Builder {
- private String ztsUrl;
- private ServiceIdentityProvider identityProvider;
- private String redirectURISuffix;
- private AthenzDomain athenzDomain;
- private String role;
- private String projectName;
- private String projectNumber;
- private String serviceAccountName;
-
- private int tokenLifetimeSeconds = 3600; // default to 1 hour lifetime
- private String workloadPoolName = "athenz";
- private String workloadProviderName = "athenz";
-
- public GcpCredentials build() {
- Objects.requireNonNull(ztsUrl);
- Objects.requireNonNull(identityProvider);
- Objects.requireNonNull(redirectURISuffix);
- Objects.requireNonNull(athenzDomain);
- Objects.requireNonNull(role);
- Objects.requireNonNull(projectName);
- Objects.requireNonNull(projectNumber);
- Objects.requireNonNull(serviceAccountName);
-
- return new GcpCredentials(this);
- }
-
- public Builder setZtsUrl(String ztsUrl) {
- this.ztsUrl = ztsUrl;
- return this;
- }
-
- public Builder identityProvider(ServiceIdentityProvider provider) {
- this.identityProvider = provider;
- return this;
- }
-
- public Builder redirectURISuffix(String redirectURISuffix) {
- this.redirectURISuffix = redirectURISuffix;
- return this;
- }
-
- public Builder athenzDomain(AthenzDomain athenzDomain) {
- this.athenzDomain = athenzDomain;
- return this;
- }
-
- public Builder role(String gcpRole) {
- this.role = gcpRole;
- return this;
- }
-
- public Builder projectName(String projectName) {
- this.projectName = projectName;
- return this;
- }
-
- public Builder projectNumber(String projectNumber) {
- this.projectNumber = projectNumber;
- return this;
- }
-
- public Builder serviceAccountName(String serviceAccountName) {
- this.serviceAccountName = serviceAccountName;
- return this;
- }
-
- public Builder tokenLifetimeSeconds(int tokenLifetimeSeconds) {
- this.tokenLifetimeSeconds = tokenLifetimeSeconds;
- return this;
- }
-
- public Builder workloadPoolName(String workloadPoolName) {
- this.workloadPoolName = workloadPoolName;
- return this;
- }
-
- public Builder workloadProviderName(String workloadProviderName) {
- this.workloadProviderName = workloadProviderName;
- return this;
- }
- }
-}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/package-info.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/package-info.java
deleted file mode 100644
index 706f9fdfc99..00000000000
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/package-info.java
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-
-/**
- * @author bjorncs
- */
-@ExportPackage
-package com.yahoo.vespa.athenz.gcp;
-
-import com.yahoo.osgi.annotation.ExportPackage; \ No newline at end of file