Class DefaultZtsClient

  • All Implemented Interfaces:
    ZtsClient, java.lang.AutoCloseable

    public class DefaultZtsClient
    extends ClientBase
    implements ZtsClient
    Default implementation of ZtsClient
    Author:
    bjorncs, mortent
    • Constructor Detail

      • DefaultZtsClient

        public DefaultZtsClient​(java.net.URI ztsUrl,
                                javax.net.ssl.SSLContext sslContext)
      • DefaultZtsClient

        public DefaultZtsClient​(java.net.URI ztsUrl,
                                javax.net.ssl.SSLContext sslContext,
                                javax.net.ssl.HostnameVerifier hostnameVerifier)
      • DefaultZtsClient

        public DefaultZtsClient​(java.net.URI ztsUrl,
                                ServiceIdentityProvider identityProvider,
                                javax.net.ssl.HostnameVerifier hostnameVerifier)
    • Method Detail

      • registerInstance

        public InstanceIdentity registerInstance​(AthenzIdentity providerIdentity,
                                                 AthenzIdentity instanceIdentity,
                                                 java.lang.String attestationData,
                                                 com.yahoo.security.Pkcs10Csr csr)
        Description copied from interface: ZtsClient
        Register an instance using the specified provider.
        Specified by:
        registerInstance in interface ZtsClient
        Parameters:
        attestationData - The signed identity document serialized to a string.
        Returns:
        An X.509 certificate plus an optional service token
      • getServiceIdentity

        public Identity getServiceIdentity​(AthenzIdentity identity,
                                           java.lang.String keyId,
                                           com.yahoo.security.Pkcs10Csr csr)
        Description copied from interface: ZtsClient
        Get service identity
        Specified by:
        getServiceIdentity in interface ZtsClient
        Returns:
        An X.509 certificate with CA certificates
      • getServiceIdentity

        public Identity getServiceIdentity​(AthenzIdentity identity,
                                           java.lang.String keyId,
                                           java.security.KeyPair keyPair,
                                           java.lang.String dnsSuffix)
        Description copied from interface: ZtsClient
        Get service identity
        Specified by:
        getServiceIdentity in interface ZtsClient
        Returns:
        An X.509 certificate with CA certificates
      • getRoleToken

        public ZToken getRoleToken​(AthenzDomain domain)
        Description copied from interface: ZtsClient
        Fetch a role token for the target domain
        Specified by:
        getRoleToken in interface ZtsClient
        Parameters:
        domain - Target domain
        Returns:
        A role token
      • getRoleToken

        public ZToken getRoleToken​(AthenzRole athenzRole)
        Description copied from interface: ZtsClient
        Fetch a role token for the target role
        Specified by:
        getRoleToken in interface ZtsClient
        Parameters:
        athenzRole - Target role
        Returns:
        A role token
      • getAccessToken

        public AthenzAccessToken getAccessToken​(java.util.List<AthenzRole> athenzRole)
        Description copied from interface: ZtsClient
        Fetch an access token for the target roles
        Specified by:
        getAccessToken in interface ZtsClient
        Parameters:
        athenzRole - List of Athenz roles to get an access token for
        Returns:
        An Athenz access token
      • getRoleCertificate

        public java.security.cert.X509Certificate getRoleCertificate​(AthenzRole role,
                                                                     com.yahoo.security.Pkcs10Csr csr,
                                                                     java.time.Duration expiry)
        Description copied from interface: ZtsClient
        Fetch role certificate for the target domain and role
        Specified by:
        getRoleCertificate in interface ZtsClient
        Parameters:
        role - Target role
        csr - Certificate signing request matching role
        expiry - Certificate expiry
        Returns:
        A role certificate
      • getRoleCertificate

        public java.security.cert.X509Certificate getRoleCertificate​(AthenzRole role,
                                                                     com.yahoo.security.Pkcs10Csr csr)
        Description copied from interface: ZtsClient
        Fetch role certificate for the target domain and role
        Specified by:
        getRoleCertificate in interface ZtsClient
        Parameters:
        role - Target role
        csr - Certificate signing request matching role
        Returns:
        A role certificate
      • getTenantDomains

        public java.util.List<AthenzDomain> getTenantDomains​(AthenzIdentity providerIdentity,
                                                             AthenzIdentity userIdentity,
                                                             java.lang.String roleName)
        Description copied from interface: ZtsClient
        For a given provider, get a list of tenant domains that the user is a member of
        Specified by:
        getTenantDomains in interface ZtsClient
        Parameters:
        providerIdentity - Provider identity
        userIdentity - User identity
        roleName - Role name
        Returns:
        List of domains
      • getAwsTemporaryCredentials

        public AwsTemporaryCredentials getAwsTemporaryCredentials​(AthenzDomain athenzDomain,
                                                                  AwsRole awsRole,
                                                                  java.time.Duration duration,
                                                                  java.lang.String externalId)
        Description copied from interface: ZtsClient
        Get AWS temporary credentials
        Specified by:
        getAwsTemporaryCredentials in interface ZtsClient
        Parameters:
        awsRole - AWS role to get credentials for
        duration - Duration for which the credentials should be valid, or null to use the default
        externalId - External ID to get credentials, or null if not required
        Returns:
        AWS temporary credentials