Class DefaultZtsClient

java.lang.Object
com.yahoo.vespa.athenz.client.common.ClientBase
com.yahoo.vespa.athenz.client.zts.DefaultZtsClient
All Implemented Interfaces:
ZtsClient, AutoCloseable

public class DefaultZtsClient extends ClientBase implements ZtsClient
Default implementation of ZtsClient
Author:
bjorncs, mortent
  • Constructor Details

  • Method Details

    • registerInstance

      public InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr)
      Description copied from interface: ZtsClient
      Register an instance using the specified provider.
      Specified by:
      registerInstance in interface ZtsClient
      Parameters:
      attestationData - The signed identity document serialized to a string.
      Returns:
      An X.509 certificate + service token (optional)
    • refreshInstance

      public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr)
      Description copied from interface: ZtsClient
      Refresh an existing instance
      Specified by:
      refreshInstance in interface ZtsClient
      Returns:
      An X.509 certificate + service token (optional)
    • getServiceIdentity

      public Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr)
      Description copied from interface: ZtsClient
      Get service identity
      Specified by:
      getServiceIdentity in interface ZtsClient
      Returns:
      An X.509 certificate with CA certificates
    • getServiceIdentity

      public Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr, Optional<NToken> nToken)
    • getServiceIdentity

      public Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix)
      Description copied from interface: ZtsClient
      Get service identity
      Specified by:
      getServiceIdentity in interface ZtsClient
      Returns:
      An X.509 certificate with CA certificates
    • getRoleToken

      public ZToken getRoleToken(AthenzDomain domain, Duration expiry)
      Description copied from interface: ZtsClient
      Fetch a role token for the target domain
      Specified by:
      getRoleToken in interface ZtsClient
      Parameters:
      domain - Target domain
      expiry - Token expiry
      Returns:
      A role token
    • getRoleToken

      public ZToken getRoleToken(AthenzRole athenzRole, Duration expiry)
      Description copied from interface: ZtsClient
      Fetch a role token for the target role
      Specified by:
      getRoleToken in interface ZtsClient
      Parameters:
      athenzRole - Target role
      expiry - Token expiry
      Returns:
      A role token
    • getAccessToken

      public AthenzAccessToken getAccessToken(AthenzDomain domain, List<AthenzIdentity> proxyPrincipals)
      Description copied from interface: ZtsClient
      Fetch an access token for the target domain
      Specified by:
      getAccessToken in interface ZtsClient
      Parameters:
      domain - Target domain
      proxyPrincipals - List of principals allowed to proxy the token
      Returns:
      An Athenz access token
    • getAccessToken

      public AthenzAccessToken getAccessToken(List<AthenzRole> athenzRole)
      Description copied from interface: ZtsClient
      Fetch an access token for the target roles
      Specified by:
      getAccessToken in interface ZtsClient
      Parameters:
      athenzRole - List of Athenz roles to get an access token for
      Returns:
      An Athenz access token
    • getRoleCertificate

      public X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry)
      Description copied from interface: ZtsClient
      Fetch role certificate for the target domain and role
      Specified by:
      getRoleCertificate in interface ZtsClient
      Parameters:
      role - Target role
      csr - Certificate signing request matching role
      expiry - Certificate expiry
      Returns:
      A role certificate
    • getRoleCertificate

      public X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr)
      Description copied from interface: ZtsClient
      Fetch role certificate for the target domain and role
      Specified by:
      getRoleCertificate in interface ZtsClient
      Parameters:
      role - Target role
      csr - Certificate signing request matching role
      Returns:
      A role certificate
    • getTenantDomains

      public List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName)
      Description copied from interface: ZtsClient
      For a given provider, get a list of tenant domains that the user is a member of
      Specified by:
      getTenantDomains in interface ZtsClient
      Parameters:
      providerIdentity - Provider identity
      userIdentity - User identity
      roleName - Role name
      Returns:
      List of domains
    • getAwsTemporaryCredentials

      public AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId)
      Description copied from interface: ZtsClient
      Get AWS temporary credentials
      Specified by:
      getAwsTemporaryCredentials in interface ZtsClient
      Parameters:
      awsRole - AWS role to get credentials for
      duration - Duration for which the credentials should be valid, or null to use the default
      externalId - External ID to get credentials, or null if not required
      Returns:
      AWS temporary credentials
    • hasAccess

      public boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity)
      Description copied from interface: ZtsClient
      Check access to resource for a given principal
      Specified by:
      hasAccess in interface ZtsClient
      Parameters:
      resource - The resource to verify access to
      action - Action to verify
      identity - Principal that requests access
      Returns:
      true if access is allowed, false otherwise