Diffstat (limited to 'controller-server/src/main/java/com/yahoo')
3 files changed, 21 insertions, 47 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index a0b70eb88ab..eceb098d702 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -16,8 +16,7 @@ import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.api.AthenzUser;
-import com.yahoo.vespa.athenz.api.OktaAccessToken;
-import com.yahoo.vespa.athenz.api.OktaIdentityToken;
+import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import com.yahoo.vespa.athenz.client.zms.RoleAction;
 import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
@@ -109,7 +108,7 @@ public class AthenzFacade implements AccessControl {
         } else { // Create tenant resources in Athenz if domain is not already taken.
             log("createTenancy(tenantDomain=%s, service=%s)", domain, service);
-            zmsClient.createTenancy(domain, service, athenzCredentials.identityToken(), athenzCredentials.accessToken());
+            zmsClient.createTenancy(domain, service, athenzCredentials.oAuthCredentials());
         }
         return tenant;
@@ -150,14 +149,14 @@ public class AthenzFacade implements AccessControl {
         } else { // Delete and recreate tenant, and optionally application, resources in Athenz otherwise.
             log("createTenancy(tenantDomain=%s, service=%s)", newDomain, service);
-            zmsClient.createTenancy(newDomain, service, athenzCredentials.identityToken(), athenzCredentials.accessToken());
+            zmsClient.createTenancy(newDomain, service, athenzCredentials.oAuthCredentials());
             for (Application application : applications)
-                createApplication(newDomain, application.id().application(), athenzCredentials.identityToken(), athenzCredentials.accessToken());
+                createApplication(newDomain, application.id().application(), athenzCredentials.oAuthCredentials());
             log("deleteTenancy(tenantDomain=%s, service=%s)", oldDomain, service);
             for (Application application : applications)
-                deleteApplication(oldDomain, application.id().application(), athenzCredentials.identityToken(), athenzCredentials.accessToken());
-            zmsClient.deleteTenancy(oldDomain, service, athenzCredentials.identityToken(), athenzCredentials.accessToken());
+                deleteApplication(oldDomain, application.id().application(), athenzCredentials.oAuthCredentials());
+            zmsClient.deleteTenancy(oldDomain, service, athenzCredentials.oAuthCredentials());
         }
         return tenant;
@@ -169,7 +168,7 @@ public class AthenzFacade implements AccessControl {
         AthenzDomain tenantDomain = athenzCredentials.domain();
         log("deleteTenancy(tenantDomain=%s, service=%s)", tenantDomain, service);
         try {
-            zmsClient.deleteTenancy(tenantDomain, service, athenzCredentials.identityToken(), athenzCredentials.accessToken());
+            zmsClient.deleteTenancy(tenantDomain, service, athenzCredentials.oAuthCredentials());
         } catch (ZmsClientException e) {
             if (e.getErrorCode() == 404) {
                 log.log(Level.WARNING,
@@ -185,16 +184,16 @@ public class AthenzFacade implements AccessControl {
     @Override
     public void createApplication(TenantAndApplicationId id, Credentials credentials) {
         AthenzCredentials athenzCredentials = (AthenzCredentials) credentials;
-        createApplication(athenzCredentials.domain(), id.application(), athenzCredentials.identityToken(), athenzCredentials.accessToken());
+        createApplication(athenzCredentials.domain(), id.application(), athenzCredentials.oAuthCredentials());
     }
-    private void createApplication(AthenzDomain domain, ApplicationName application, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+    private void createApplication(AthenzDomain domain, ApplicationName application, OAuthCredentials oAuthCredentials) {
         Set<RoleAction> tenantRoleActions = createTenantRoleActions();
         log("createProviderResourceGroup(" + "tenantDomain=%s, providerDomain=%s, service=%s, resourceGroup=%s, roleActions=%s)", domain, service.getDomain().getName(), service.getName(), application, tenantRoleActions);
         try {
-            zmsClient.createProviderResourceGroup(domain, service, application.value(), tenantRoleActions, identityToken, accessToken);
+            zmsClient.createProviderResourceGroup(domain, service, application.value(), tenantRoleActions, oAuthCredentials);
         } catch (ZmsClientException e) {
             if (e.getErrorCode() == com.yahoo.jdisc.Response.Status.FORBIDDEN)
@@ -211,7 +210,7 @@ public class AthenzFacade implements AccessControl {
             athenzCredentials.domain(), service.getDomain().getName(), service.getName(), id.application());
         try {
             zmsClient.deleteProviderResourceGroup(athenzCredentials.domain(), service, id.application().value(),
-                                                  athenzCredentials.identityToken(), athenzCredentials.accessToken());
+                                                  athenzCredentials.oAuthCredentials());
         } catch (ZmsClientException e) {
             if (e.getErrorCode() == 404) {
                 log.log(Level.WARNING,
@@ -243,10 +242,10 @@ public class AthenzFacade implements AccessControl {
         zmsClient.addRoleMember(new AthenzRole(tenantDomain, "tenancy." + service.getFullName() + ".admin"), user, Optional.empty());
     }
-    private void deleteApplication(AthenzDomain domain, ApplicationName application, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+    private void deleteApplication(AthenzDomain domain, ApplicationName application, OAuthCredentials oAuthCredentials) {
         log("deleteProviderResourceGroup(tenantDomain=%s, providerDomain=%s, service=%s, resourceGroup=%s)", domain, service.getDomain().getName(), service.getName(), application);
-        zmsClient.deleteProviderResourceGroup(domain, service, application.value(), identityToken, accessToken);
+        zmsClient.deleteProviderResourceGroup(domain, service, application.value(), oAuthCredentials);
     }
     public boolean hasApplicationAccess(
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
index 876882b7f19..f4f6df28ebc 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzAccessControlRequests.java
@@ -8,8 +8,7 @@ import com.yahoo.slime.Inspector;
 import com.yahoo.text.Text;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
-import com.yahoo.vespa.athenz.api.OktaAccessToken;
-import com.yahoo.vespa.athenz.api.OktaIdentityToken;
+import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import com.yahoo.vespa.hosted.controller.Controller;
 import com.yahoo.vespa.hosted.controller.TenantController;
 import com.yahoo.vespa.hosted.controller.api.identifiers.Property;
@@ -19,7 +18,6 @@ import com.yahoo.vespa.hosted.controller.tenant.AthenzTenant;
 import java.security.Principal;
 import java.util.Objects;
 import java.util.Optional;
-import java.util.function.Function;
 /**
  * Extracts access control data for Athenz or user tenants from HTTP requests.
@@ -48,22 +46,7 @@ public class AthenzAccessControlRequests implements AccessControlRequests {
         return new AthenzCredentials(requireAthenzPrincipal(request),
                                      tenants.get(tenant).map(AthenzTenant.class::cast).map(AthenzTenant::domain)
                                              .orElseGet(() -> new AthenzDomain(required("athensDomain", requestObject))),
-                                     requireOktaIdentityToken(request),
-                                     requireOktaAccessToken(request));
-    }
-
-    private static OktaIdentityToken requireOktaIdentityToken(HttpRequest request) {
-        return requireToken(request, OktaIdentityToken::new, "okta.identity-token", "No Okta Identity Token provided");
-    }
-
-    private static OktaAccessToken requireOktaAccessToken(HttpRequest request) {
-        return requireToken(request, OktaAccessToken::new, "okta.access-token", "No Okta Access Token provided");
-    }
-
-    private static <T> T requireToken(HttpRequest request, Function<String, T> tokenFactory, String attribute, String errorMessage) {
-        return Optional.ofNullable(request.context().get(attribute))
-                       .map(value -> tokenFactory.apply((String) value))
-                       .orElseThrow(() -> new IllegalArgumentException(errorMessage));
+                                     OAuthCredentials.fromOktaRequestContext(request.context()));
     }
     private static String required(String fieldName, Inspector object) {
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzCredentials.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzCredentials.java
index 04b0d6adafd..fd74626a6cf 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzCredentials.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/AthenzCredentials.java
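Review bot: The removed `requireToken` helper was the explicit fail-closed check for a missing `okta.identity-token` / `okta.access-token` request attribute (it threw `IllegalArgumentException` with a specific message before any `AthenzCredentials` was built); after this hunk the only thing enforcing that is `OAuthCredentials.fromOktaRequestContext(request.context())`, whose behaviour on a missing or non-String attribute is not visible in this diff. If that factory can return an object with absent tokens, a request without Okta tokens would proceed to the ZMS tenancy calls in AthenzFacade and fail there (or not) with a less specific error, and presumably a different status mapping than the old IllegalArgumentException. I would confirm the factory throws for a missing attribute and pin that with a test on this request path, or keep a one-line precondition here such as `requireNonNull(request.context().get("okta.identity-token"), "No Okta Identity Token provided");` so the contract stays in this class. The enclosing method starts before the hunk; the `java.util.Optional` import kept in the -19 hunk is fine since `.map(AthenzTenant.class::cast)` still uses it.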
@@ -3,8 +3,7 @@ package com.yahoo.vespa.hosted.controller.security;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzPrincipal;
-import com.yahoo.vespa.athenz.api.OktaAccessToken;
-import com.yahoo.vespa.athenz.api.OktaIdentityToken;
+import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import static java.util.Objects.requireNonNull;
@@ -18,15 +17,12 @@ import static java.util.Objects.requireNonNull;
 public class AthenzCredentials extends Credentials {
     private final AthenzDomain domain;
-    private final OktaIdentityToken identityToken;
-    private final OktaAccessToken accessToken;
+    private final OAuthCredentials oAuthCredentials;
-    public AthenzCredentials(AthenzPrincipal user, AthenzDomain domain,
-                             OktaIdentityToken identityToken, OktaAccessToken accessToken) {
+    public AthenzCredentials(AthenzPrincipal user, AthenzDomain domain, OAuthCredentials oAuthCredentials) {
         super(user);
         this.domain = requireNonNull(domain);
-        this.accessToken = requireNonNull(accessToken);
-        this.identityToken = requireNonNull(identityToken);
+        this.oAuthCredentials = requireNonNull(oAuthCredentials);
     }
     @Override
@@ -35,11 +31,7 @@ public class AthenzCredentials extends Credentials {
     /** Returns the Athenz domain of the tenant on whose behalf this request is made. */
     public AthenzDomain domain() { return domain; }
-    /** Returns the Okta access token required for Athenz tenancy operation */
-    public OktaAccessToken accessToken() { return accessToken; }
-
-    /** Returns the Okta identity token required for Athenz tenancy operation */
-    public OktaIdentityToken identityToken() { return identityToken; }
-
+    /** Returns the OAuth credentials required for Athenz tenancy operation */
+    public OAuthCredentials oAuthCredentials() { return oAuthCredentials; }
 }