From dd7116842630be3186b51e9d2942f323f49312d7 Mon Sep 17 00:00:00 2001
From: Eirik Nygaard <eirik@ngrd.no>
Date: Thu, 10 Aug 2023 12:47:35 +0200
Subject: Revert "Revert "GcpCredentials retriever" MERGEOK"

---
 vespa-athenz/pom.xml                               |   8 +
 .../com/yahoo/vespa/athenz/gcp/GcpCredentials.java | 180 +++++++++++++++++++++
 2 files changed, 188 insertions(+)
 create mode 100644 vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java

(limited to 'vespa-athenz')

diff --git a/vespa-athenz/pom.xml b/vespa-athenz/pom.xml
index 7c3c982af84..e6e4a0a17b7 100644
--- a/vespa-athenz/pom.xml
+++ b/vespa-athenz/pom.xml
@@ -275,6 +275,14 @@
             <groupId>commons-codec</groupId>
             <artifactId>commons-codec</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.google.http-client</groupId>
+            <artifactId>google-http-client-apache-v2</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.google.auth</groupId>
+            <artifactId>google-auth-library-oauth2-http</artifactId>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
new file mode 100644
index 00000000000..bbdc3c2b372
--- /dev/null
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/gcp/GcpCredentials.java
@@ -0,0 +1,180 @@
+package com.yahoo.vespa.athenz.gcp;
+
+import com.google.api.client.http.apache.v2.ApacheHttpTransport;
+import com.google.auth.http.HttpTransportFactory;
+import com.google.auth.oauth2.ExternalAccountCredentials;
+import com.yahoo.security.token.TokenDomain;
+import com.yahoo.security.token.TokenGenerator;
+import com.yahoo.slime.Cursor;
+import com.yahoo.slime.Slime;
+import com.yahoo.slime.SlimeUtils;
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.impl.client.HttpClientBuilder;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.Objects;
+
+public class GcpCredentials {
+    private static final TokenDomain domain = TokenDomain.of("athenz-gcp-oauth2-nonce");
+
+    final private InputStream tokenApiStream;
+    private final HttpTransportFactory httpTransportFactory;
+
+    private GcpCredentials(Builder builder) {
+        String clientId = builder.athenzDomain.getName() + ".gcp";
+        String audience = String.format("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s",
+                builder.projectNumber, builder.workloadPoolName, builder.workloadProviderName);
+        String serviceUrl = String.format("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/%s@%s.iam.gserviceaccount.com:generateAccessToken",
+                builder.serviceAccountName, builder.projectName);
+        String scope = URLEncoder.encode(generateIdTokenScope(builder.athenzDomain.getName(), builder.role), StandardCharsets.UTF_8);
+        String redirectUri = URLEncoder.encode(generateRedirectUri(clientId, builder.redirectURISuffix), StandardCharsets.UTF_8);
+        String tokenUrl = String.format("%s/oauth2/auth?response_type=id_token&client_id=%s&redirect_uri=%s&scope=%s&nonce=%s&keyType=EC&fullArn=true&output=json",
+                builder.ztsUrl, clientId, redirectUri, scope, TokenGenerator.generateToken(domain, "", 32).secretTokenString());
+
+        tokenApiStream = createTokenAPIStream(audience, serviceUrl, tokenUrl, builder.tokenLifetimeSeconds);
+        SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(builder.identityProvider.getIdentitySslContext());
+        HttpClientBuilder httpClientBuilder = ApacheHttpTransport.newDefaultHttpClientBuilder()
+                .setSSLSocketFactory(sslConnectionSocketFactory);
+        httpTransportFactory = () -> new ApacheHttpTransport(httpClientBuilder.build());
+    }
+
+    public ExternalAccountCredentials getCredential() throws IOException {
+        return ExternalAccountCredentials.fromStream(tokenApiStream, httpTransportFactory);
+    }
+
+    private InputStream createTokenAPIStream(final String audience, final String serviceUrl, final String tokenUrl,
+                                     int tokenLifetimeSeconds) {
+
+        Slime root = new Slime();
+        Cursor c = root.setObject();
+
+        c.setString("type", "external_account");
+        c.setString("audience", audience);
+        c.setString("subject_token_type", "urn:ietf:params:oauth:token-type:jwt");
+        c.setString("token_url", "https://sts.googleapis.com/v1/token");
+
+        c.setString("service_account_impersonation_url", serviceUrl);
+        Cursor sai = c.setObject("service_account_impersonation");
+        sai.setLong("token_lifetime_seconds", tokenLifetimeSeconds);
+
+        Cursor credentialSource = c.setObject("credential_source");
+        credentialSource.setString("url", tokenUrl);
+
+        Cursor credentialSourceFormat = credentialSource.setObject("format");
+        credentialSourceFormat.setString("type", "json");
+        credentialSourceFormat.setString("subject_token_field_name", "id_token");
+
+        try {
+            return new ByteArrayInputStream(SlimeUtils.toJsonBytes(root));
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static String generateIdTokenScope(final String domainName, String roleName) {
+        StringBuilder scope = new StringBuilder(256);
+        scope.append("openid");
+        scope.append(' ').append(domainName).append(":role.").append(roleName);
+        return scope.toString();
+    }
+
+    private static String generateRedirectUri(final String clientId, String uriSuffix) {
+        int idx = clientId.lastIndexOf('.');
+        if (idx == -1) {
+            return "";
+        }
+        final String dashDomain = clientId.substring(0, idx).replace('.', '-');
+        final String service = clientId.substring(idx + 1);
+        return "https://" + service + "." + dashDomain + "." + uriSuffix;
+    }
+
+
+    public static class Builder {
+        private String ztsUrl;
+        private ServiceIdentityProvider identityProvider;
+        private String redirectURISuffix;
+        private AthenzDomain athenzDomain;
+        private String role;
+        private String projectName;
+        private String projectNumber;
+        private String serviceAccountName;
+
+        private int tokenLifetimeSeconds = 3600; // default to 1 hour lifetime
+        private String workloadPoolName = "athenz";
+        private String workloadProviderName = "athenz";
+
+        public GcpCredentials build() {
+            Objects.requireNonNull(ztsUrl);
+            Objects.requireNonNull(identityProvider);
+            Objects.requireNonNull(redirectURISuffix);
+            Objects.requireNonNull(athenzDomain);
+            Objects.requireNonNull(role);
+            Objects.requireNonNull(projectName);
+            Objects.requireNonNull(projectNumber);
+            Objects.requireNonNull(serviceAccountName);
+
+            return new GcpCredentials(this);
+        }
+
+        public Builder setZtsUrl(String ztsUrl) {
+            this.ztsUrl = ztsUrl;
+            return this;
+        }
+
+        public Builder identityProvider(ServiceIdentityProvider provider) {
+            this.identityProvider = provider;
+            return this;
+        }
+
+        public Builder redirectURISuffix(String redirectURISuffix) {
+            this.redirectURISuffix = redirectURISuffix;
+            return this;
+        }
+
+        public Builder athenzDomain(AthenzDomain athenzDomain) {
+            this.athenzDomain = athenzDomain;
+            return this;
+        }
+
+        public Builder role(String gcpRole) {
+            this.role = gcpRole;
+            return this;
+        }
+
+        public Builder projectName(String projectName) {
+            this.projectName = projectName;
+            return this;
+        }
+
+        public Builder projectNumber(String projectNumber) {
+            this.projectNumber = projectNumber;
+            return this;
+        }
+
+        public Builder serviceAccountName(String serviceAccountName) {
+            this.serviceAccountName = serviceAccountName;
+            return this;
+        }
+
+        public Builder tokenLifetimeSeconds(int tokenLifetimeSeconds) {
+            this.tokenLifetimeSeconds = tokenLifetimeSeconds;
+            return this;
+        }
+
+        public Builder workloadPoolName(String workloadPoolName) {
+            this.workloadPoolName = workloadPoolName;
+            return this;
+        }
+
+        public Builder workloadProviderName(String workloadProviderName) {
+            this.workloadProviderName = workloadProviderName;
+            return this;
+        }
+    }
+}
-- 
cgit v1.2.3