Interface ZtsClient

  • All Superinterfaces:
    java.lang.AutoCloseable
  • All Known Implementing Classes:
    DefaultZtsClient

    public interface ZtsClient
    extends java.lang.AutoCloseable
    Interface for a ZTS client.
    Author:
    bjorncs
    • Method Detail

      • registerInstance

        InstanceIdentity registerInstance​(AthenzIdentity providerIdentity,
                                          AthenzIdentity instanceIdentity,
                                          java.lang.String attestationData,
                                          com.yahoo.security.Pkcs10Csr csr)
        Register an instance using the specified provider.
        Parameters:
        attestationData - The signed identity document, serialized to a string.
        Returns:
        An X.509 certificate and, optionally, a service token
      • refreshInstance

        InstanceIdentity refreshInstance​(AthenzIdentity providerIdentity,
                                         AthenzIdentity instanceIdentity,
                                         java.lang.String instanceId,
                                         com.yahoo.security.Pkcs10Csr csr)
        Refresh an existing instance.
        Returns:
        An X.509 certificate and, optionally, a service token
      • getServiceIdentity

        Identity getServiceIdentity​(AthenzIdentity identity,
                                    java.lang.String keyId,
                                    com.yahoo.security.Pkcs10Csr csr)
        Get a service identity.
        Returns:
        An X.509 certificate with CA certificates
      • getServiceIdentity

        Identity getServiceIdentity​(AthenzIdentity identity,
                                    java.lang.String keyId,
                                    java.security.KeyPair keyPair,
                                    java.lang.String dnsSuffix)
        Get a service identity.
        Returns:
        An X.509 certificate with CA certificates
      • getRoleToken

        ZToken getRoleToken​(AthenzDomain domain)
        Fetch a role token for the target domain
        Parameters:
        domain - Target domain
        Returns:
        A role token
      • getRoleToken

        ZToken getRoleToken​(AthenzRole athenzRole)
        Fetch a role token for the target role
        Parameters:
        athenzRole - Target role
        Returns:
        A role token
      • getAccessToken

        AthenzAccessToken getAccessToken​(AthenzDomain domain)
        Fetch an access token for the target domain
        Parameters:
        domain - Target domain
        Returns:
        An Athenz access token
      • getAccessToken

        AthenzAccessToken getAccessToken​(java.util.List<AthenzRole> athenzRole)
        Fetch an access token for the target roles
        Parameters:
        athenzRole - List of Athenz roles to get an access token for
        Returns:
        An Athenz access token
      • getRoleCertificate

        java.security.cert.X509Certificate getRoleCertificate​(AthenzRole role,
                                                              com.yahoo.security.Pkcs10Csr csr,
                                                              java.time.Duration expiry)
        Fetch role certificate for the target domain and role
        Parameters:
        role - Target role
        csr - Certificate signing request matching role
        expiry - Certificate expiry
        Returns:
        A role certificate
      • getRoleCertificate

        java.security.cert.X509Certificate getRoleCertificate​(AthenzRole role,
                                                              com.yahoo.security.Pkcs10Csr csr)
        Fetch role certificate for the target domain and role
        Parameters:
        role - Target role
        csr - Certificate signing request matching role
        Returns:
        A role certificate
      • getTenantDomains

        java.util.List<AthenzDomain> getTenantDomains​(AthenzIdentity providerIdentity,
                                                      AthenzIdentity userIdentity,
                                                      java.lang.String roleName)
        For a given provider, get a list of tenant domains that the user is a member of
        Parameters:
        providerIdentity - Provider identity
        userIdentity - User identity
        roleName - Role name
        Returns:
        List of domains
      • getAwsTemporaryCredentials

        default AwsTemporaryCredentials getAwsTemporaryCredentials​(AthenzDomain athenzDomain,
                                                                   AwsRole awsRole)
        Get AWS temporary credentials.
        Parameters:
        awsRole - AWS role to get credentials for
        Returns:
        AWS temporary credentials
      • getAwsTemporaryCredentials

        default AwsTemporaryCredentials getAwsTemporaryCredentials​(AthenzDomain athenzDomain,
                                                                   AwsRole awsRole,
                                                                   java.lang.String externalId)
        Get AWS temporary credentials.
        Parameters:
        awsRole - AWS role to get credentials for
        externalId - External ID used when obtaining the credentials, or null if not required
        Returns:
        AWS temporary credentials
      • getAwsTemporaryCredentials

        AwsTemporaryCredentials getAwsTemporaryCredentials​(AthenzDomain athenzDomain,
                                                           AwsRole awsRole,
                                                           java.time.Duration duration,
                                                           java.lang.String externalId)
        Get AWS temporary credentials.
        Parameters:
        awsRole - AWS role to get credentials for
        duration - Duration for which the credentials should be valid, or null to use the default
        externalId - External ID used when obtaining the credentials, or null if not required
        Returns:
        AWS temporary credentials
      • close

        void close()
        Specified by:
        close in interface java.lang.AutoCloseable
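The following is an added usage example, not code from the ZtsClient library itself: it composes the methods listed above (getRoleCertificate, getRoleToken, getAccessToken, getAwsTemporaryCredentials, close) into one flow. It assumes the package names shown in the imports, an AthenzDomain(String) constructor, an AthenzRole(AthenzDomain, String) constructor, and that the caller already built a Pkcs10Csr from a key pair it keeps private; the domain and role names are constructed placeholders.

```java
import com.yahoo.security.Pkcs10Csr;
// Assumed package locations for the Athenz types referenced on this page.
import com.yahoo.vespa.athenz.api.AthenzAccessToken;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AwsRole;
import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
import com.yahoo.vespa.athenz.api.ZToken;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;

public final class ZtsClientExample {

    // Request a role certificate with an explicit, bounded lifetime instead of the
    // server default. The CSR must have been generated from a key pair whose private
    // half never leaves the caller; ZTS only ever sees the public key in the CSR.
    static X509Certificate fetchRoleCertificate(ZtsClient client, AthenzRole role, Pkcs10Csr csr)
            throws CertificateException {
        X509Certificate cert = client.getRoleCertificate(role, csr, Duration.ofHours(1));
        cert.checkValidity(); // fail fast if the returned certificate is expired or not yet valid
        return cert;
    }

    // Scope the access token to exactly the roles needed rather than the whole domain.
    static AthenzAccessToken fetchAccessToken(ZtsClient client, List<AthenzRole> roles) {
        return client.getAccessToken(roles);
    }

    // Ask for short-lived AWS credentials; externalId must match what the AWS role's
    // trust policy expects, and null is only acceptable when no external ID is required.
    static AwsTemporaryCredentials fetchAwsCredentials(ZtsClient client, AthenzDomain domain,
                                                       AwsRole awsRole, String externalId) {
        return client.getAwsTemporaryCredentials(domain, awsRole, Duration.ofMinutes(30), externalId);
    }

    // Demonstrates the full flow. ZtsClient is AutoCloseable, so try-with-resources
    // guarantees close() runs and the client's connections are released.
    static void run(ZtsClient client, Pkcs10Csr csr, AwsRole awsRole, String externalId)
            throws CertificateException {
        AthenzDomain domain = new AthenzDomain("example.tenant");  // constructed placeholder
        AthenzRole role = new AthenzRole(domain, "reader");        // constructed placeholder
        try (client) {
            X509Certificate cert = fetchRoleCertificate(client, role, csr);
            ZToken roleToken = client.getRoleToken(role);
            AthenzAccessToken accessToken = fetchAccessToken(client, List.of(role));
            AwsTemporaryCredentials aws = fetchAwsCredentials(client, domain, awsRole, externalId);
        }
    }
}
```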