1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.api;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.CryptoException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.util.function.LongSupplier;
import static java.lang.String.format;
import static java.util.Objects.requireNonNull;
/**
* @author hakonhall
*/
public class NTokenGenerator {
private final Signer signer;
private final Clock clock;
private String domain = null;
private String name = null;
private String keyVersion = null;
private String keyService = null;
private String hostname = null;
private String ip = null;
private final StringBuilder token = new StringBuilder();
private final LongSupplier randomGenerator;
@FunctionalInterface
public interface Signer {
/** @see Crypto#sign(String, PrivateKey) */
String sign(String message, PrivateKey key) throws CryptoException;
}
public NTokenGenerator() { this(Crypto::sign, Clock.systemUTC(), new SecureRandom()::nextLong); }
/** For testing. */
NTokenGenerator(Signer signer, Clock clock, LongSupplier randomGenerator) {
this.signer = signer;
this.clock = clock;
this.randomGenerator = randomGenerator;
}
/** Required. */
public NTokenGenerator setIdentity(AthenzIdentity identity) {
this.domain = identity.getDomainName();
this.name = identity.getName();
return this;
}
/** Required. */
public NTokenGenerator setKeyVersion(String keyVersion) {
this.keyVersion = requireNonNull(keyVersion);
return this;
}
public NTokenGenerator setKeyService(String keyService) {
this.keyService = requireNonNull(keyService);
return this;
}
public NTokenGenerator setHostname(String hostname) {
this.hostname = requireNonNull(hostname);
return this;
}
public NTokenGenerator setIp(String ip) {
this.ip = requireNonNull(ip);
return this;
}
public NToken sign(PrivateKey privateKey) {
// See https://github.com/AthenZ/athenz/blob/master/libs/go/zmssvctoken/token.go
var generationTime = clock.instant();
token.setLength(0);
append('v', "S1");
append('d', domain);
append('n', name);
append('k', keyVersion);
append('z', keyService, false);
append('h', hostname, false);
append('i', ip, false);
append('a', format("%x", randomGenerator.getAsLong()));
append('t', format("%d", generationTime.getEpochSecond()));
append('e', format("%d", generationTime.plus(Duration.ofMinutes(10)).getEpochSecond()));
append('s', signer.sign(token.toString(), privateKey));
return new NToken(token.toString());
}
private void append(char name, String value) { append(name, value, true); }
private void append(char name, String value, boolean required) {
if (value == null) {
if (required) {
throw new IllegalStateException("Missing value for NToken key " + name);
} else {
return;
}
}
if (token.length() > 0) {
token.append(';');
}
token.append(name).append('=').append(value);
}
}
|