Class DefaultZtsClient
- java.lang.Object
-
- com.yahoo.vespa.athenz.client.common.ClientBase
-
- com.yahoo.vespa.athenz.client.zts.DefaultZtsClient
-
- All Implemented Interfaces:
ZtsClient,AutoCloseable
public class DefaultZtsClient extends ClientBase implements ZtsClient
Default implementation ofZtsClient- Author:
- bjorncs, mortent
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classDefaultZtsClient.Builder-
Nested classes/interfaces inherited from class com.yahoo.vespa.athenz.client.common.ClientBase
ClientBase.ClientExceptionFactory
-
-
Field Summary
-
Fields inherited from class com.yahoo.vespa.athenz.client.common.ClientBase
logger
-
-
Constructor Summary
Constructors Modifier Constructor Description protectedDefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier, ErrorHandler errorHandler)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description AthenzAccessTokengetAccessToken(AthenzDomain domain)Fetch an access token for the target domainAthenzAccessTokengetAccessToken(List<AthenzRole> athenzRole)Fetch an access token for the target rolesAwsTemporaryCredentialsgetAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId)Get aws temporary credentialsX509CertificategetRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr)Fetch role certificate for the target domain and roleX509CertificategetRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry)Fetch role certificate for the target domain and roleZTokengetRoleToken(AthenzDomain domain)Fetch a role token for the target domainZTokengetRoleToken(AthenzRole athenzRole)Fetch a role token for the target roleIdentitygetServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr)Get service identityIdentitygetServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix)Get service identityList<AthenzDomain>getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName)For a given provider, get a list of tenant domains that the user is a member ofInstanceIdentityrefreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr)Refresh an existing instanceInstanceIdentityregisterInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr)Register an instance using the specified provider.-
Methods inherited from class com.yahoo.vespa.athenz.client.common.ClientBase
close, execute, readEntity, toJsonStringEntity
-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface com.yahoo.vespa.athenz.client.zts.ZtsClient
close, getAwsTemporaryCredentials, getAwsTemporaryCredentials
-
-
-
-
Constructor Detail
-
DefaultZtsClient
protected DefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier, ErrorHandler errorHandler)
-
-
Method Detail
-
registerInstance
public InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface:ZtsClientRegister an instance using the specified provider.- Specified by:
registerInstancein interfaceZtsClientattestationData- The signed identity documented serialized to a string.- Returns:
- A x509 certificate + service token (optional)
-
refreshInstance
public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface:ZtsClientRefresh an existing instance- Specified by:
refreshInstancein interfaceZtsClient- Returns:
- A x509 certificate + service token (optional)
-
getServiceIdentity
public Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface:ZtsClientGet service identity- Specified by:
getServiceIdentityin interfaceZtsClient- Returns:
- A x509 certificate with CA certificates
-
getServiceIdentity
public Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix)
Description copied from interface:ZtsClientGet service identity- Specified by:
getServiceIdentityin interfaceZtsClient- Returns:
- A x509 certificate with CA certificates
-
getRoleToken
public ZToken getRoleToken(AthenzDomain domain)
Description copied from interface:ZtsClientFetch a role token for the target domain- Specified by:
getRoleTokenin interfaceZtsClient- Parameters:
domain- Target domain- Returns:
- A role token
-
getRoleToken
public ZToken getRoleToken(AthenzRole athenzRole)
Description copied from interface:ZtsClientFetch a role token for the target role- Specified by:
getRoleTokenin interfaceZtsClient- Parameters:
athenzRole- Target role- Returns:
- A role token
-
getAccessToken
public AthenzAccessToken getAccessToken(AthenzDomain domain)
Description copied from interface:ZtsClientFetch an access token for the target domain- Specified by:
getAccessTokenin interfaceZtsClient- Parameters:
domain- Target domain- Returns:
- An Athenz access token
-
getAccessToken
public AthenzAccessToken getAccessToken(List<AthenzRole> athenzRole)
Description copied from interface:ZtsClientFetch an access token for the target roles- Specified by:
getAccessTokenin interfaceZtsClient- Parameters:
athenzRole- List of athenz roles to get access token for- Returns:
- An Athenz access token
-
getRoleCertificate
public X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry)
Description copied from interface:ZtsClientFetch role certificate for the target domain and role- Specified by:
getRoleCertificatein interfaceZtsClient- Parameters:
role- Target rolecsr- Certificate signing request matching roleexpiry- Certificate expiry- Returns:
- A role certificate
-
getRoleCertificate
public X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface:ZtsClientFetch role certificate for the target domain and role- Specified by:
getRoleCertificatein interfaceZtsClient- Parameters:
role- Target rolecsr- Certificate signing request matching role- Returns:
- A role certificate
-
getTenantDomains
public List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName)
Description copied from interface:ZtsClientFor a given provider, get a list of tenant domains that the user is a member of- Specified by:
getTenantDomainsin interfaceZtsClient- Parameters:
providerIdentity- Provider identityuserIdentity- User identityroleName- Role name- Returns:
- List of domains
-
getAwsTemporaryCredentials
public AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId)
Description copied from interface:ZtsClientGet aws temporary credentials- Specified by:
getAwsTemporaryCredentialsin interfaceZtsClientawsRole- AWS role to get credentials forduration- Duration for which the credentials should be valid, ornullto use defaultexternalId- External Id to get credentials, ornullif not required- Returns:
- AWS temporary credentials
-
-