// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.api;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.yahoo.vespa.athenz.utils.AthenzIdentities;

import java.time.Instant;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;

/**
 * Represents an Athenz Access Token
 *
 * @author bjorncs
 */
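public class AthenzAccessToken {

    /** HTTP header the token is carried in. */
    public static final String HTTP_HEADER_NAME = "Authorization";

    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
    private static final String SCOPE_CLAIM = "scp";
    private static final String AUDIENCE_CLAIM = "aud";

    /** Raw token string with any "Bearer " prefix and surrounding whitespace removed. */
    private final String value;
    /** Lazily decoded form of {@link #value}; volatile so a decode done by one thread is visible to others. */
    private volatile DecodedJWT jwt;

    /**
     * Creates a token from a raw header value or bare token string.
     *
     * @param value the token, optionally prefixed with {@code "Bearer "}; leading/trailing whitespace is ignored
     * @throws IllegalArgumentException if nothing but whitespace remains after the prefix is removed
     */
    public AthenzAccessToken(String value) {
        this.value = stripBearerTokenPrefix(value);
    }

    /**
     * Strips whitespace and an optional {@code "Bearer "} prefix from the raw value.
     *
     * @throws IllegalArgumentException if the remaining token is blank
     */
    private static String stripBearerTokenPrefix(String rawValue) {
        String stripped = rawValue.strip();
        String prefixRemoved = stripped.startsWith(BEARER_TOKEN_PREFIX)
                ? stripped.substring(BEARER_TOKEN_PREFIX.length()).strip()
                : stripped;
        if (prefixRemoved.isBlank()) {
            throw new IllegalArgumentException(String.format("Access token is blank: '%s'", prefixRemoved));
        }
        return prefixRemoved;
    }

    /** @return the bare token string (no {@code "Bearer "} prefix) */
    public String value() { return value; }

    /** @return the token formatted as an {@code Authorization} header value */
    public String valueWithBearerPrefix() { return BEARER_TOKEN_PREFIX + value; }

    /**
     * Returns the token's {@code exp} claim.
     *
     * @throws NullPointerException if the token carries no {@code exp} claim
     */
    public Instant getExpiryTime () {
        return jwt().getExpiresAt().toInstant();
    }

    /** @return the identity named by the token's {@code client_id} claim */
    public AthenzIdentity getAthenzIdentity() { return AthenzIdentities.from(jwt().getClaim("client_id").asString()); }

    /**
     * Returns the roles granted by the token: one {@link AthenzRole} per entry of the {@code scp} claim,
     * all in the domain named by the {@code aud} claim.
     *
     * @return an unmodifiable list; empty if the {@code scp} claim is absent
     */
    public List<AthenzRole> roles() {
        // A missing audience yields an empty domain rather than a failure, mirroring the original behaviour.
        String domain = Optional.ofNullable(jwt().getClaim(AUDIENCE_CLAIM).asString()).orElse("");
        return Optional.ofNullable(jwt().getClaim(SCOPE_CLAIM).asList(String.class)).orElse(List.of()).stream()
                .map(role -> new AthenzRole(domain, role))
                .toList();
    }

    /**
     * Decodes the token on first use and caches the result.
     *
     * {@code JWT.decode} parses the token but does NOT verify its signature, so the claims exposed by
     * {@link #getExpiryTime()}, {@link #getAthenzIdentity()} and {@link #roles()} must be treated as
     * unverified unless the token has been validated elsewhere (e.g. by the issuing Athenz service).
     *
     * Two threads racing here may both decode; that is harmless because the result depends only on
     * the immutable {@link #value}.
     */
    private DecodedJWT jwt() {
        if (jwt == null) {
            // Decoding a token is expensive and involves construction of at least one Jackson ObjectMapper instance
            // TODO Cache encoder/decoder as static field in AthenzAccessToken
            jwt = JWT.decode(this.value);
        }
        return jwt;
    }

    /**
     * The token is a bearer credential, so it is deliberately not included here: {@code toString()}
     * output routinely ends up in logs and exception messages. Use {@link #value()} when the token
     * itself is needed.
     */
    @Override public String toString() { return "AthenzAccessToken{value='[redacted]'}"; }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;
        AthenzAccessToken that = (AthenzAccessToken) o;
        return Objects.equals(value, that.value);
    }

    @Override
    public int hashCode() {
        return Objects.hash(value);
    }
}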