blob: fc55512f7f7d29e7f2b7e3221d778a6cb5b71e9d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.container.jdisc.athenz;
import javax.net.ssl.SSLContext;
import java.nio.file.Path;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
/**
* Provides convenience methods to interact with Athenz authenticated services
*
* @author mortent
* @author bjorncs
*/
public interface AthenzIdentityProvider {
/**
* Get the Athenz domain associated with this identity provider.
*
* @return The Athenz domain.
*/
String domain();
/**
* Get the Athenz service name associated with this identity provider.
*
* @return The Athenz service name.
*/
String service();
/**
* Get the SSLContext used for authenticating with the configured Athenz service
*
* @return An SSLContext for identity authentication.
*/
SSLContext getIdentitySslContext();
/**
* Get the SSLContext for authenticating with an Athenz role
*
* @param domain Athenz domain name for the role
* @param role Athenz role name
* @return A SSLContext for role authentication within the specified domain and role.
*/
SSLContext getRoleSslContext(String domain, String role);
/**
* Get a role token for the specified Athenz domain.
*
* @param domain The Athenz domain for the role token
* @return A role token for the specified domain.
*/
String getRoleToken(String domain);
/**
* Get a role token for a specific Athenz role.
*
* @param domain The Athenz domain name for the role
* @param role The Athenz role name
* @return A role token for the specified domain and role.
*/
String getRoleToken(String domain, String role);
/**
* Get an access token for the specified Athenz domain.
*
* @param domain Athenz domain name for the token
* @return An access token for the specified domain.
*/
String getAccessToken(String domain);
/**
* Get an access token for a list of roles in an Athenz domain.
*
* @param domain Athenz domain name for the roles
* @param roles The list of Athenz roles names
* @return An access token for the specified roles.
*/
String getAccessToken(String domain, List<String> roles);
/**
* Get an access token for the specified Athenz domain.
*
* @param domain Athenz domain name
* @param roles List of Athenz role names. Empty list or null will fetch a token for all roles in the domain.
* @param proxyPrincipal List of principals to allow proxying the token. Each principal must be provided as: <em><domain>:service.<service></em>
* Empty list or <em>null</em> will return a token without proxy principals.
* @return An access token for the specified domain.
*/
String getAccessToken(String domain, List<String> roles, List<String> proxyPrincipal);
/**
* Get the X.509 identity certificate associated with this identity provider.
*
* @return The X.509 identity certificate.
*/
List<X509Certificate> getIdentityCertificate();
/**
* Get the X.509 role certificate for a specific Athenz role.
*
* @param domain Athenz domain name for the role
* @param role Athenz role name
* @return An X.509 role certificate for the specified domain and role.
*/
X509Certificate getRoleCertificate(String domain, String role);
/**
* Get the private key associated with this identity provider.
*
* @return The private key used for authentication.
*/
PrivateKey getPrivateKey();
/**
* Get the path to the trust store used for SSL verification.
*
* @return The path to the trust store.
*/
Path trustStorePath();
void deconstruct();
}
|