// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zts;

import com.yahoo.security.Pkcs10Csr;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AwsRole;
import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
import com.yahoo.vespa.athenz.api.ZToken;

import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;

/**
 * Interface for a ZTS client.
 *
 * @author bjorncs
 */
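/**
 * Interface for a ZTS client.
 * <p>
 * Every operation returns credential material (X.509 certificates, role tokens or temporary
 * AWS credentials); callers should treat the returned values as secrets and keep them out of
 * logs. Implementations may hold resources — release them with {@link #close()}, e.g. via
 * try-with-resources.
 *
 * @author bjorncs
 */
public interface ZtsClient extends AutoCloseable {

    /**
     * Register an instance using the specified provider.
     *
     * @param providerIdentity Identity of the provider vouching for the instance
     * @param instanceIdentity Identity the instance is registered as
     * @param attestationData The signed identity document serialized to a string.
     * @param csr PKCS#10 certificate signing request for the instance
     * @return A x509 certificate + service token (optional)
     */
    InstanceIdentity registerInstance(AthenzIdentity providerIdentity,
                                      AthenzIdentity instanceIdentity,
                                      String attestationData,
                                      Pkcs10Csr csr);

    /**
     * Refresh an existing instance
     *
     * @param providerIdentity Identity of the provider the instance was registered with
     * @param instanceIdentity Identity of the registered instance
     * @param instanceId Identifier of the instance being refreshed
     * @param csr PKCS#10 certificate signing request for the refreshed certificate
     * @return A x509 certificate + service token (optional)
     */
    InstanceIdentity refreshInstance(AthenzIdentity providerIdentity,
                                     AthenzIdentity instanceIdentity,
                                     String instanceId,
                                     Pkcs10Csr csr);

    /**
     * Get service identity
     *
     * @param identity Service identity to obtain a certificate for
     * @param keyId Key identifier
     * @param csr PKCS#10 certificate signing request for the service
     * @return A x509 certificate with CA certificates
     */
    Identity getServiceIdentity(AthenzIdentity identity,
                                String keyId,
                                Pkcs10Csr csr);

    /**
     * Get service identity
     * <p>
     * Variant taking a key pair instead of a ready-made CSR; presumably the implementation
     * builds the CSR from {@code keyPair} and {@code dnsSuffix} — confirm against the implementation.
     *
     * @param identity Service identity to obtain a certificate for
     * @param keyId Key identifier
     * @param keyPair Key pair for the service identity
     * @param dnsSuffix DNS suffix (presumably used for the certificate's DNS names — confirm)
     * @return A x509 certificate with CA certificates
     */
    Identity getServiceIdentity(AthenzIdentity identity,
                                String keyId,
                                KeyPair keyPair,
                                String dnsSuffix);

    /**
     * Fetch a role token for the target domain
     *
     * @param domain Target domain
     * @return A role token
     */
    ZToken getRoleToken(AthenzDomain domain);

    /**
     * Fetch a role token for the target role
     *
     * @param athenzRole Target role
     * @return A role token
     */
    ZToken getRoleToken(AthenzRole athenzRole);

    /**
     * Fetch role certificate for the target domain and role
     *
     * @param role Target role
     * @param csr Certificate signing request matching role
     * @param expiry Certificate expiry
     * @return A role certificate
     */
    X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr, Duration expiry);

    /**
     * Fetch role certificate for the target domain and role
     * <p>
     * No expiry is given; the certificate lifetime is left to the implementation.
     *
     * @param role Target role
     * @param csr Certificate signing request matching role
     * @return A role certificate
     */
    X509Certificate getRoleCertificate(AthenzRole role, Pkcs10Csr csr);

    /**
     * For a given provider, get a list of tenant domains that the user is a member of
     *
     * @param providerIdentity Provider identity
     * @param userIdentity User identity
     * @param roleName Role name
     * @return List of domains
     */
    List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName);

    /**
     * Get aws temporary credentials
     * <p>
     * Delegates to {@link #getAwsTemporaryCredentials(AthenzDomain, AwsRole, Duration, String)}
     * with a {@code null} duration (implementation default) and no external id.
     *
     * @param athenzDomain Athenz domain the role belongs to
     * @param awsRole AWS role to get credentials for
     * @return AWS temporary credentials
     */
    default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole) {
        return getAwsTemporaryCredentials(athenzDomain, awsRole, null, null);
    }

    /**
     * Get aws temporary credentials
     * <p>
     * Delegates to {@link #getAwsTemporaryCredentials(AthenzDomain, AwsRole, Duration, String)}
     * with a {@code null} duration (implementation default).
     *
     * @param athenzDomain Athenz domain the role belongs to
     * @param awsRole AWS role to get credentials for
     * @param externalId External Id to get credentials, or <code>null</code> if not required
     * @return AWS temporary credentials
     */
    default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, String externalId) {
        return getAwsTemporaryCredentials(athenzDomain, awsRole, null, externalId);
    }

    /**
     * Get aws temporary credentials
     *
     * @param athenzDomain Athenz domain the role belongs to
     * @param awsRole AWS role to get credentials for
     * @param duration Duration for which the credentials should be valid, or <code>null</code> to use default
     * @param externalId External Id to get credentials, or <code>null</code> if not required
     * @return AWS temporary credentials
     */
    AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId);

    /**
     * Releases any resources held by this client.
     * <p>
     * Narrows {@link AutoCloseable#close()} by declaring no checked exception, so the client
     * can be used in try-with-resources without a catch for {@link Exception}.
     */
    @Override
    void close();
}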