From 83ab7a5bb7caf7565c678d04d3bdf5ec464b0c3b Mon Sep 17 00:00:00 2001
From: Morten Tokle
Date: Thu, 30 Jun 2022 15:56:50 +0200
Subject: Add proxy principal spiffe uris
---
 .../java/com/yahoo/vespa/athenz/api/AthenzIdentity.java | 5 ++++-
 .../yahoo/vespa/athenz/client/zts/DefaultZtsClient.java | 16 +++++++++++-----
 .../com/yahoo/vespa/athenz/client/zts/ZtsClient.java | 13 ++++++++++++-
 3 files changed, 27 insertions(+), 7 deletions(-)
(limited to 'vespa-athenz/src/main/java')
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
index 14d0cddc61f..9c29e2d92ef 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzIdentity.java
@@ -1,13 +1,16 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.api;
-
+import java.net.URI;
 /**
 * @author bjorncs
 */
 public interface AthenzIdentity {
 AthenzDomain getDomain();
 String getName();
+ default URI spiffeUri() {
+ return URI.create("spiffe://%s/sa/%s".formatted(getDomainName(), getName()));
+ }
 default String getFullName() {
 return getDomain().getName() + "." + getName();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
index 197af753442..262df8611f5 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/DefaultZtsClient.java
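Review bot: `spiffeUri()` in AthenzIdentity formats `getDomainName()` and `getName()` straight into a URI path; `URI.create` throws on characters that are illegal in a URI but passes path-significant ones such as `/` through unchanged, so a name containing one would yield a URI for a different path than intended (whether Athenz names can contain such characters is not visible in this hunk). If upstream name validation already excludes them, a Javadoc line saying so lets a reader skip that check: `/** SPIFFE URI of this identity, {@code spiffe://<domain>/sa/<name>}; relies on domain and name containing no URI-reserved characters. */`. The interface continues past the hunk and `getDomainName()` is not shown in it — presumably a default method further down. The hunk also removes the blank line between the `package` statement and the javadoc and places `import java.net.URI;` directly against it; keeping a blank line on each side of the import would match the file's layout.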
@@ -141,8 +141,8 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 }
 @Override
- public AthenzAccessToken getAccessToken(AthenzDomain domain) {
- return this.getAccessTokenImpl(List.of(new AthenzResourceName(domain, "domain")));
+ public AthenzAccessToken getAccessToken(AthenzDomain domain, List proxyPrincipals) {
+ return this.getAccessTokenImpl(List.of(new AthenzResourceName(domain, "domain")), proxyPrincipals);
 }
 @Override
@@ -150,16 +150,22 @@ public class DefaultZtsClient extends ClientBase implements ZtsClient {
 List athenzResourceNames = athenzRole.stream() .map(AthenzRole::toResourceName) .collect(toList());
- return this.getAccessTokenImpl(athenzResourceNames);
+ return this.getAccessTokenImpl(athenzResourceNames, List.of());
 }
- private AthenzAccessToken getAccessTokenImpl(List resources) {
+ private AthenzAccessToken getAccessTokenImpl(List resources, List proxyPrincipals) {
 URI uri = ztsUrl.resolve("oauth2/token");
 RequestBuilder requestBuilder = RequestBuilder.post(uri) .addHeader("Content-Type", "application/x-www-form-urlencoded") .addParameter("grant_type", "client_credentials") .addParameter("scope", resources.stream().map(AthenzResourceName::toResourceNameString).collect(Collectors.joining(" ")));
-
+ if (proxyPrincipals.size()>0) {
+ String proxyPrincipalString = proxyPrincipals.stream() .map(AthenzIdentity::spiffeUri) .map(URI::toString) .collect(Collectors.joining(","));
+ requestBuilder.addParameter("proxy_principal_spiffe_uris", proxyPrincipalString);
+ }
 HttpUriRequest request = requestBuilder.build();
 return execute(request, response -> {
 AccessTokenResponseEntity accessTokenResponseEntity = readEntity(response, AccessTokenResponseEntity.class);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index 30c8ab2fd50..c4be6d8ced7 100644
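Review bot: `getAccessTokenImpl` in the second hunk (-150) guards the new branch with `proxyPrincipals.size()>0`, where `!proxyPrincipals.isEmpty()` is the idiomatic form, and nothing rejects a null list before that call; because the public `getAccessToken(AthenzDomain, List)` in the first hunk (-141) forwards the caller's list unchanged, a null from a caller surfaces as an NPE inside the request builder instead of at the API boundary. I would add `Objects.requireNonNull(proxyPrincipals, "proxyPrincipals");` as the first line of the -141 overload (needs `java.util.Objects` if not already imported) and change the guard to `if (!proxyPrincipals.isEmpty()) {`. A one-line comment on the branch would also help the next reader, since the wire format is only implied by the join: `// proxy_principal_spiffe_uris is sent as a comma-separated list of the principals' SPIFFE URIs`. The list's element type is not visible in this rendering (presumably `AthenzIdentity`, given the `AthenzIdentity::spiffeUri` mapping), and `getAccessTokenImpl`'s body continues past the hunk.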
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -106,7 +106,18 @@ public interface ZtsClient extends AutoCloseable {
 * @param domain Target domain
 * @return An Athenz access token
 */
- AthenzAccessToken getAccessToken(AthenzDomain domain);
+ default AthenzAccessToken getAccessToken(AthenzDomain domain) {
+ return getAccessToken(domain, List.of());
+ }
+
+ /**
+ * Fetch an access token for the target domain
+ *
+ * @param domain Target domain
+ * @param proxyPrincipals List of principals to allow proxying token
+ * @return An Athenz access token
+ */
+ AthenzAccessToken getAccessToken(AthenzDomain domain, List proxyPrincipals);
 /**
 * Fetch an access token for the target roles
-- cgit v1.2.3
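Review bot: The Javadoc on the new `getAccessToken(AthenzDomain, List)` describes `proxyPrincipals` only as "List of principals to allow proxying token", which tells a caller neither what is sent nor what to pass when no proxying is wanted. I would reword it to `@param proxyPrincipals Identities whose SPIFFE URIs are requested as proxy principals for the token (sent as proxy_principal_spiffe_uris); pass an empty list for none`, which matches how DefaultZtsClient uses the argument in this commit, and add to the retained single-argument overload's Javadoc that it now delegates with an empty list. If, as the parameter name and the existing wording suggest, a proxy principal is an identity permitted to use the resulting token, the doc should state that plainly so callers treat the list as a grant rather than as metadata — the server-side meaning is not visible here. The list's element type is not visible in this rendering.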