Class DefaultZtsClient
- java.lang.Object
  - com.yahoo.vespa.athenz.client.common.ClientBase
    - com.yahoo.vespa.athenz.client.zts.DefaultZtsClient
- All Implemented Interfaces:
  ZtsClient, AutoCloseable

public class DefaultZtsClient extends ClientBase implements ZtsClient

Default implementation of ZtsClient.
- Author:
  bjorncs, mortent
Nested Class Summary
- static class DefaultZtsClient.Builder
- Nested classes/interfaces inherited from class com.yahoo.vespa.athenz.client.common.ClientBase:
  ClientBase.ClientExceptionFactory
Field Summary
- Fields inherited from class com.yahoo.vespa.athenz.client.common.ClientBase:
  logger
Constructor Summary
- protected DefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier, ErrorHandler errorHandler)
Method Summary
- AthenzAccessToken getAccessToken(AthenzDomain domain)
  Fetch an access token for the target domain
- AthenzAccessToken getAccessToken(List<AthenzRole> athenzRole)
  Fetch an access token for the target roles
- AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId)
  Get AWS temporary credentials
- X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr)
  Fetch role certificate for the target domain and role
- X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry)
  Fetch role certificate for the target domain and role
- ZToken getRoleToken(AthenzDomain domain)
  Fetch a role token for the target domain
- ZToken getRoleToken(AthenzRole athenzRole)
  Fetch a role token for the target role
- Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr)
  Get service identity
- Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix)
  Get service identity
- List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName)
  For a given provider, get a list of tenant domains that the user is a member of
- InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr)
  Refresh an existing instance
- InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr)
  Register an instance using the specified provider.
- Methods inherited from class com.yahoo.vespa.athenz.client.common.ClientBase:
  close, execute, readEntity, toJsonStringEntity
- Methods inherited from class java.lang.Object:
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
- Methods inherited from interface com.yahoo.vespa.athenz.client.zts.ZtsClient:
  close, getAwsTemporaryCredentials, getAwsTemporaryCredentials
Constructor Detail

DefaultZtsClient
protected DefaultZtsClient(URI ztsUrl, Supplier<SSLContext> sslContextSupplier, HostnameVerifier hostnameVerifier, ErrorHandler errorHandler)
The constructor is protected; instances are created through the nested DefaultZtsClient.Builder. The SSLContext supplied here carries the client certificate that ZTS uses to authenticate the caller, and the HostnameVerifier governs verification of the ZTS endpoint itself.
Method Detail

registerInstance
public InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface: ZtsClient
Register an instance using the specified provider.
- Specified by:
  registerInstance in interface ZtsClient
- Parameters:
  attestationData - The signed identity document, serialized to a string.
- Returns:
  An X.509 certificate + service token (optional)
refreshInstance
public InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface: ZtsClient
Refresh an existing instance
- Specified by:
  refreshInstance in interface ZtsClient
- Returns:
  An X.509 certificate + service token (optional)
getServiceIdentity
public Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface: ZtsClient
Get service identity
- Specified by:
  getServiceIdentity in interface ZtsClient
- Returns:
  An X.509 certificate with CA certificates
getServiceIdentity
public Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix)
Description copied from interface: ZtsClient
Get service identity
- Specified by:
  getServiceIdentity in interface ZtsClient
- Returns:
  An X.509 certificate with CA certificates
getRoleToken
public ZToken getRoleToken(AthenzDomain domain)
Description copied from interface: ZtsClient
Fetch a role token for the target domain
- Specified by:
  getRoleToken in interface ZtsClient
- Parameters:
  domain - Target domain
- Returns:
  A role token
getRoleToken
public ZToken getRoleToken(AthenzRole athenzRole)
Description copied from interface: ZtsClient
Fetch a role token for the target role
- Specified by:
  getRoleToken in interface ZtsClient
- Parameters:
  athenzRole - Target role
- Returns:
  A role token
getAccessToken
public AthenzAccessToken getAccessToken(AthenzDomain domain)
Description copied from interface: ZtsClient
Fetch an access token for the target domain
- Specified by:
  getAccessToken in interface ZtsClient
- Parameters:
  domain - Target domain
- Returns:
  An Athenz access token
getAccessToken
public AthenzAccessToken getAccessToken(List<AthenzRole> athenzRole)
Description copied from interface: ZtsClient
Fetch an access token for the target roles
- Specified by:
  getAccessToken in interface ZtsClient
- Parameters:
  athenzRole - List of Athenz roles to get an access token for
- Returns:
  An Athenz access token
getRoleCertificate
public X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry)
Description copied from interface: ZtsClient
Fetch role certificate for the target domain and role
- Specified by:
  getRoleCertificate in interface ZtsClient
- Parameters:
  role - Target role
  csr - Certificate signing request matching role
  expiry - Certificate expiry
- Returns:
  A role certificate
getRoleCertificate
public X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr)
Description copied from interface: ZtsClient
Fetch role certificate for the target domain and role
- Specified by:
  getRoleCertificate in interface ZtsClient
- Parameters:
  role - Target role
  csr - Certificate signing request matching role
- Returns:
  A role certificate
getTenantDomains
public List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName)
Description copied from interface: ZtsClient
For a given provider, get a list of tenant domains that the user is a member of
- Specified by:
  getTenantDomains in interface ZtsClient
- Parameters:
  providerIdentity - Provider identity
  userIdentity - User identity
  roleName - Role name
- Returns:
  List of domains
getAwsTemporaryCredentials
public AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId)
Description copied from interface: ZtsClient
Get AWS temporary credentials
- Specified by:
  getAwsTemporaryCredentials in interface ZtsClient
- Parameters:
  awsRole - AWS role to get credentials for
  duration - Duration for which the credentials should be valid, or null to use the default
  externalId - External ID to get credentials, or null if not required
- Returns:
  AWS temporary credentials
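A worked example of the role-certificate flow on this page, added here as illustration and not part of the Vespa project's code. It builds a DefaultZtsClient over an mTLS SSLContext (ZTS authenticates the caller by the client certificate on the TLS connection, so that context carries the calling service's own identity), generates a fresh key pair and CSR for the role, calls getRoleCertificate(role, csr, expiry), and then performs the caller-side checks a practitioner should run before trusting what came back. Assumed, because the page does not document them: the Builder methods Builder(URI), withSslContext(SSLContext) and build(); the constructors AthenzDomain(String) and AthenzRole(AthenzDomain, String) and the accessors getName()/roleName(); the helpers KeyUtils, Pkcs10CsrBuilder, SignatureAlgorithm and SslContextBuilder from com.yahoo.security; and all file paths and host names, which are placeholders.

```java
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.Pkcs10Csr;
import com.yahoo.security.Pkcs10CsrBuilder;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;

import javax.net.ssl.SSLContext;
import javax.security.auth.x500.X500Principal;
import java.net.URI;
import java.nio.file.Path;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;

/** Added example (not project code): fetch a role certificate from ZTS and sanity-check it. */
public class RoleCertificateExample {

    public static void main(String[] args) throws Exception {
        // Placeholder deployment values (assumptions, not from the page).
        URI ztsUrl = URI.create("https://zts.example.invalid:4443/zts/v1");
        Path serviceKey = Path.of("/var/lib/sia/keys/example.app.key.pem");
        Path serviceCert = Path.of("/var/lib/sia/certs/example.app.cert.pem");
        Path athenzCaBundle = Path.of("/etc/ssl/certs/athenz-ca.pem");

        // The SSLContext presents the *service* identity certificate; ZTS authorises every
        // call below as that service. SslContextBuilder is assumed from com.yahoo.security.
        SSLContext sslContext = new SslContextBuilder()
                .withKeyStore(serviceKey, serviceCert)
                .withTrustStore(athenzCaBundle)
                .build();

        AthenzDomain domain = new AthenzDomain("example.app");          // assumed constructor
        AthenzRole role = new AthenzRole(domain, "reader");             // assumed constructor
        Duration requestedExpiry = Duration.ofHours(1);                 // short-lived by design

        // DefaultZtsClient is AutoCloseable (via ClientBase); try-with-resources closes it.
        // Builder method names are assumed.
        try (ZtsClient zts = new DefaultZtsClient.Builder(ztsUrl).withSslContext(sslContext).build()) {
            // A fresh key pair per certificate: the private key never leaves this process.
            KeyPair roleKeyPair = KeyUtils.generateKeypair(KeyAlgorithm.EC);
            // Athenz role certificates carry the subject CN "<domain>:role.<role>".
            X500Principal subject = new X500Principal(
                    "CN=" + domain.getName() + ":role." + role.roleName());   // assumed accessors
            Pkcs10Csr csr = Pkcs10CsrBuilder
                    .fromKeypair(subject, roleKeyPair, SignatureAlgorithm.SHA256_WITH_ECDSA)
                    .build();

            X509Certificate roleCert = zts.getRoleCertificate(role, csr, requestedExpiry);
            checkIssuedRoleCertificate(roleCert, roleKeyPair, subject, requestedExpiry);
            // roleCert + roleKeyPair.getPrivate() can now be used as the client credential
            // towards services that authorise on role certificates.
        }
    }

    /**
     * Caller-side checks before trusting an issued role certificate: it is currently valid,
     * it binds the public key we generated, it names the role we asked for, and it does not
     * outlive the lifetime we requested (ZTS may shorten the lifetime, never lengthen it here).
     */
    static void checkIssuedRoleCertificate(X509Certificate cert, KeyPair requestedKeys,
                                           X500Principal requestedSubject, Duration requestedExpiry)
            throws CertificateException {
        cert.checkValidity();   // throws if the certificate is expired or not yet valid
        if (!cert.getPublicKey().equals(requestedKeys.getPublic())) {
            throw new CertificateException("issued certificate does not bind the CSR's public key");
        }
        if (!cert.getSubjectX500Principal().equals(requestedSubject)) {
            throw new CertificateException("issued subject " + cert.getSubjectX500Principal()
                    + " does not match requested " + requestedSubject);
        }
        Instant latestAcceptable = Instant.now().plus(requestedExpiry).plus(Duration.ofMinutes(5));
        if (cert.getNotAfter().toInstant().isAfter(latestAcceptable)) {
            throw new CertificateException("issued certificate outlives the requested expiry: "
                    + cert.getNotAfter());
        }
    }
}
```

The five-minute allowance in the expiry check absorbs clock skew between the caller and ZTS; tighten or drop it to suit the deployment. The same pattern (fresh key pair, CSR, post-issuance checks) applies to the getServiceIdentity(identity, keyId, csr) and registerInstance overloads on this page, which likewise take a caller-built Pkcs10Csr.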