-rw-r--r-- | parent/pom.xml | 10 | ||||
-rw-r--r-- | vespa-athenz/pom.xml | 3 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java | 120 | ||||
-rw-r--r-- | vespa-dependencies-enforcer/allowed-maven-dependencies.txt | 10 |
4 files changed, 122 insertions, 21 deletions
diff --git a/parent/pom.xml b/parent/pom.xml
index df20b94ec79..f2d9f71d553 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -1161,6 +1161,16 @@
 <artifactId>checker-qual</artifactId>
 <version>3.30.0</version>
 </dependency>
+ <dependency>
+ <groupId>com.google.http-client</groupId>
+ <artifactId>google-http-client-apache-v2</artifactId>
+ <version>1.43.2</version>
+ </dependency>
+ <dependency>
+ <groupId>com.google.auth</groupId>
+ <artifactId>google-auth-library-oauth2-http</artifactId>
+ <version>1.15.0</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index e8d43c556ca..e6e4a0a17b7 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -278,13 +278,10 @@
 <dependency>
 <groupId>com.google.http-client</groupId>
 <artifactId>google-http-client-apache-v2</artifactId>
- <version>1.43.2</version>
 </dependency>
 <dependency>
 <groupId>com.google.auth</groupId>
 <artifactId>google-auth-library-oauth2-http</artifactId>
- <version>1.15.0</version>
- <scope>compile</scope>
 </dependency>
 </dependencies>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
index 9dcccd52b09..bbdc3c2b372 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
@@ -3,7 +3,8 @@ package com.yahoo.vespa.athenz.gcp;
 import com.google.api.client.http.apache.v2.ApacheHttpTransport;
 import com.google.auth.http.HttpTransportFactory;
 import com.google.auth.oauth2.ExternalAccountCredentials;
-import com.yahoo.athenz.auth.util.Crypto;
+import com.yahoo.security.token.TokenDomain;
+import com.yahoo.security.token.TokenGenerator;
 import com.yahoo.slime.Cursor;
 import com.yahoo.slime.Slime;
 import com.yahoo.slime.SlimeUtils;
@@ -17,27 +18,27 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.util.Objects;
 public class GcpCredentials {
- final private static String WORKLOAD_POOL_NAME = "athenz";
- final private static String WORKLOAD_PROVIDER_NAME = "athenz";
+ private static final TokenDomain domain = TokenDomain.of("athenz-gcp-oauth2-nonce");
 final private InputStream tokenApiStream;
 private final HttpTransportFactory httpTransportFactory;
- public GcpCredentials(String ztsUrl, ServiceIdentityProvider provider, String redirectURISuffix, int tokenLifetimeSeconds, AthenzDomain athenzDomain, String gcpRole, String projectName, String projectNumber, String serviceAccountName) {
- String clientId = athenzDomain.getName() + ".gcp";
- final String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
- projectNumber, WORKLOAD_POOL_NAME, WORKLOAD_PROVIDER_NAME);
- final String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken",
- serviceAccountName, projectName);
- final String scope = URLEncoder.encode(generateIdTokenScope(athenzDomain.getName(), gcpRole), StandardCharsets.UTF_8);
- final String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, redirectURISuffix), StandardCharsets.UTF_8);
- final String tokenUrl = String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json",
- ztsUrl, clientId, redirectUri, scope, Crypto.randomSalt());
-
- tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, tokenLifetimeSeconds);
- SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(provider.getIdentitySslContext());
+ private GcpCredentials(Builder builder) {
+ String clientId = builder.athenzDomain.getName() + ".gcp";
+ String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
+ builder.projectNumber, builder.workloadPoolName, builder.workloadProviderName);
+ String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken",
+ builder.serviceAccountName, builder.projectName);
+ String scope = URLEncoder.encode(generateIdTokenScope(builder.athenzDomain.getName(), builder.role), StandardCharsets.UTF_8);
+ String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, builder.redirectURISuffix), StandardCharsets.UTF_8);
+ String tokenUrl = String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json",
+ builder.ztsUrl, clientId, redirectUri, scope, TokenGenerator.generateToken(domain, "", 32).secretTokenString());
+
+ tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, builder.tokenLifetimeSeconds);
+ SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(builder.identityProvider.getIdentitySslContext());
 HttpClientBuilder httpClientBuilder = ApacheHttpTransport.newDefaultHttpClientBuilder()
 .setSSLSocketFactory(sslConnectionSocketFactory);
 httpTransportFactory = () -> new ApacheHttpTransport(httpClientBuilder.build());
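Review bot: The nonce is interpolated into `tokenUrl` raw, while `scope` and `redirectUri` on the lines just above are passed through `URLEncoder.encode`; nothing in the hunk shows that `secretTokenString()` is restricted to URL-safe characters, so a `+`, `/` or `=` in it would change how ZTS parses the query string. Encode it the same way as its neighbours, `URLEncoder.encode(TokenGenerator.generateToken(domain, "", 32).secretTokenString(), StandardCharsets.UTF_8)`; `clientId`, built from `athenzDomain.getName()`, is likewise interpolated unencoded. The new `domain` field is a constant and the file's own convention for constants is `UPPER_SNAKE_CASE` (the removed `WORKLOAD_POOL_NAME`), so `NONCE_DOMAIN` with a one-line comment such as `// Token domain used to mint a fresh OIDC nonce for each credential request` would read better. The constructor body continues past the end of the hunk.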
@@ -76,14 +77,14 @@ public class GcpCredentials {
 }
 }
- public static String generateIdTokenScope(final String domainName, String roleName) {
+ private static String generateIdTokenScope(final String domainName, String roleName) {
 StringBuilder scope = new StringBuilder(256);
 scope.append("openid");
 scope.append(' ').append(domainName).append(":role.").append(roleName);
 return scope.toString();
 }
- public static String generateRedirectUri(final String clientId, String uriSuffix) {
+ private static String generateRedirectUri(final String clientId, String uriSuffix) {
 int idx = clientId.lastIndexOf('.');
 if (idx == -1) {
 return "";
@@ -93,4 +94,87 @@ public class GcpCredentials {
 return "https://" + service + "." + dashDomain + "." + uriSuffix;
 }
+
+ public static class Builder {
+ private String ztsUrl;
+ private ServiceIdentityProvider identityProvider;
+ private String redirectURISuffix;
+ private AthenzDomain athenzDomain;
+ private String role;
+ private String projectName;
+ private String projectNumber;
+ private String serviceAccountName;
+
+ private int tokenLifetimeSeconds = 3600; // default to 1 hour lifetime
+ private String workloadPoolName = "athenz";
+ private String workloadProviderName = "athenz";
+
+ public GcpCredentials build() {
+ Objects.requireNonNull(ztsUrl);
+ Objects.requireNonNull(identityProvider);
+ Objects.requireNonNull(redirectURISuffix);
+ Objects.requireNonNull(athenzDomain);
+ Objects.requireNonNull(role);
+ Objects.requireNonNull(projectName);
+ Objects.requireNonNull(projectNumber);
+ Objects.requireNonNull(serviceAccountName);
+
+ return new GcpCredentials(this);
+ }
+
+ public Builder setZtsUrl(String ztsUrl) {
+ this.ztsUrl = ztsUrl;
+ return this;
+ }
+
+ public Builder identityProvider(ServiceIdentityProvider provider) {
+ this.identityProvider = provider;
+ return this;
+ }
+
+ public Builder redirectURISuffix(String redirectURISuffix) {
+ this.redirectURISuffix = redirectURISuffix;
+ return this;
+ }
+
+ public Builder athenzDomain(AthenzDomain athenzDomain) {
+ this.athenzDomain = athenzDomain;
+ return this;
+ }
+
+ public Builder role(String gcpRole) {
+ this.role = gcpRole;
+ return this;
+ }
+
+ public Builder projectName(String projectName) {
+ this.projectName = projectName;
+ return this;
+ }
+
+ public Builder projectNumber(String projectNumber) {
+ this.projectNumber = projectNumber;
+ return this;
+ }
+
+ public Builder serviceAccountName(String serviceAccountName) {
+ this.serviceAccountName = serviceAccountName;
+ return this;
+ }
+
+ public Builder tokenLifetimeSeconds(int tokenLifetimeSeconds) {
+ this.tokenLifetimeSeconds = tokenLifetimeSeconds;
+ return this;
+ }
+
+ public Builder workloadPoolName(String workloadPoolName) {
+ this.workloadPoolName = workloadPoolName;
+ return this;
+ }
+
+ public Builder workloadProviderName(String workloadProviderName) {
+ this.workloadProviderName = workloadProviderName;
+ return this;
+ }
+ }
 }
diff --git a/vespa-dependencies-enforcer/allowed-maven-dependencies.txt b/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
index 7684e3ea2ae..729e872053b 100644
--- a/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
+++ b/vespa-dependencies-enforcer/allowed-maven-dependencies.txt
@@ -24,10 +24,17 @@ com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.15.2
 com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:2.15.2
 com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.15.2
 com.github.spotbugs:spotbugs-annotations:3.1.9
+com.google.auth:google-auth-library-credentials:1.15.0
+com.google.auth:google-auth-library-oauth2-http:1.15.0
+com.google.auto.value:auto-value-annotations:1.10.1
 com.google.code.findbugs:jsr305:3.0.2
+com.google.code.gson:gson:2.10
 com.google.errorprone:error_prone_annotations:2.18.0
 com.google.guava:failureaccess:1.0.1
 com.google.guava:guava:32.1.1-jre
+com.google.http-client:google-http-client:1.43.2
+com.google.http-client:google-http-client-apache-v2:1.43.2
+com.google.http-client:google-http-client-gson:1.42.3
 com.google.inject:guice:4.2.3:no_aop
 com.google.j2objc:j2objc-annotations:2.8
 com.google.protobuf:protobuf-java:3.21.7
@@ -53,6 +60,7 @@ commons-io:commons-io:2.11.0
 commons-logging:commons-logging:1.2
 io.airlift:airline:0.9
 io.dropwizard.metrics:metrics-core:3.2.5
+io.grpc:grpc-context:1.27.2
 io.jsonwebtoken:jjwt-api:0.11.5
 io.jsonwebtoken:jjwt-impl:0.11.5
 io.jsonwebtoken:jjwt-jackson:0.11.5
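Review bot: The `Objects.requireNonNull` calls in `build()` carry no message, so a caller that skipped one of the eight required setters gets a bare `NullPointerException` and has to guess which field is missing; name each one, e.g. `Objects.requireNonNull(ztsUrl, "ztsUrl");`, and the same for the other seven. `tokenLifetimeSeconds(int)` accepts zero and negative values and the constructor hands them straight to `createTokenAPIStream`; unless that method is known to reject them (not visible here), a guard in the setter such as `if (tokenLifetimeSeconds <= 0) throw new IllegalArgumentException("tokenLifetimeSeconds must be positive: " + tokenLifetimeSeconds);` keeps the failure at the API boundary. `setZtsUrl` is the only setter with a `set` prefix; `ztsUrl(String)` would match `identityProvider`, `role` and the rest. `Builder` has no Javadoc; a short class comment listing the required fields and the defaults for `tokenLifetimeSeconds`, `workloadPoolName` and `workloadProviderName` would help callers.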
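Review bot: `com.google.http-client:google-http-client-gson:1.42.3` is allowlisted at a different version from its two sibling artifacts `google-http-client` and `google-http-client-apache-v2` at `1.43.2`, so the enforcer now permits a mixed set of versions within one library family. If the skew is only what Maven resolved transitively, adding a managed entry for `google-http-client-gson` at `1.43.2` in `parent/pom.xml` and updating this line keeps the family on a single version. The hunks in this file also admit several transitive-only artifacts (`gson`, `auto-value-annotations`, `grpc-context`, the `opencensus` pair) that the Java change does not reference directly; each widens what the enforcer accepts, so it is worth confirming they are pulled in by `google-auth-library-oauth2-http` itself rather than carried over from a broader resolution.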
@@ -67,6 +75,8 @@ io.netty:netty-transport:4.1.94.Final
 io.netty:netty-transport-classes-epoll:4.1.94.Final
 io.netty:netty-transport-native-epoll:4.1.94.Final
 io.netty:netty-transport-native-unix-common:4.1.94.Final
+io.opencensus:opencensus-api:0.31.1
+io.opencensus:opencensus-contrib-http-util:0.31.1
 io.prometheus:simpleclient:0.6.0
 io.prometheus:simpleclient_common:0.6.0
 javax.annotation:javax.annotation-api:1.2
|