Interface ZtsClient

All Superinterfaces:
AutoCloseable
All Known Implementing Classes:
DefaultZtsClient

public interface ZtsClient extends AutoCloseable
Interface for a ZTS client.
Author:
bjorncs
  • Method Details

    • registerInstance

      InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr)
      Register an instance using the specified provider.
      Parameters:
      attestationData - The signed identity document, serialized to a string.
      Returns:
      An X.509 certificate plus an optional service token
    • refreshInstance

      InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr)
      Refresh an existing instance.
      Returns:
      An X.509 certificate plus an optional service token
    • getServiceIdentity

      Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr)
      Get a service identity.
      Returns:
      An X.509 certificate together with its CA certificates
    • getServiceIdentity

      Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix)
      Get a service identity.
      Returns:
      An X.509 certificate together with its CA certificates
    • getRoleToken

      default ZToken getRoleToken(AthenzDomain domain)
      Fetch a role token for the target domain
      Parameters:
      domain - Target domain
      Returns:
      A role token
    • getRoleToken

      ZToken getRoleToken(AthenzDomain domain, Duration tokenExpiry)
      Fetch a role token for the target domain
      Parameters:
      domain - Target domain
      tokenExpiry - Token expiry
      Returns:
      A role token
    • getRoleToken

      default ZToken getRoleToken(AthenzRole athenzRole)
      Fetch a role token for the target role
      Parameters:
      athenzRole - Target role
      Returns:
      A role token
    • getRoleToken

      ZToken getRoleToken(AthenzRole athenzRole, Duration tokenExpiry)
      Fetch a role token for the target role
      Parameters:
      athenzRole - Target role
      tokenExpiry - Token expiry
      Returns:
      A role token
    • getAccessToken

      default AthenzAccessToken getAccessToken(AthenzDomain domain)
      Fetch an access token for the target domain
      Parameters:
      domain - Target domain
      Returns:
      An Athenz access token
    • getAccessToken

      AthenzAccessToken getAccessToken(AthenzDomain domain, List<AthenzIdentity> proxyPrincipals)
      Fetch an access token for the target domain
      Parameters:
      domain - Target domain
      proxyPrincipals - List of principals allowed to proxy the token
      Returns:
      An Athenz access token
    • getAccessToken

      AthenzAccessToken getAccessToken(List<AthenzRole> athenzRole)
      Fetch an access token for the target roles
      Parameters:
      athenzRole - List of Athenz roles to get the access token for
      Returns:
      An Athenz access token
    • getRoleCertificate

      X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry)
      Fetch role certificate for the target domain and role
      Parameters:
      role - Target role
      csr - Certificate signing request matching role
      expiry - Certificate expiry
      Returns:
      A role certificate
    • getRoleCertificate

      X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr)
      Fetch role certificate for the target domain and role
      Parameters:
      role - Target role
      csr - Certificate signing request matching role
      Returns:
      A role certificate
    • getTenantDomains

      List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName)
      For a given provider, get a list of tenant domains that the user is a member of
      Parameters:
      providerIdentity - Provider identity
      userIdentity - User identity
      roleName - Role name
      Returns:
      List of domains
    • getAwsTemporaryCredentials

      default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole)
      Get AWS temporary credentials.
      Parameters:
      awsRole - AWS role to get credentials for
      Returns:
      AWS temporary credentials
    • getAwsTemporaryCredentials

      default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, String externalId)
      Get AWS temporary credentials.
      Parameters:
      awsRole - AWS role to get credentials for
      externalId - External ID to get credentials with, or null if not required
      Returns:
      AWS temporary credentials
    • getAwsTemporaryCredentials

      AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId)
      Get AWS temporary credentials.
      Parameters:
      awsRole - AWS role to get credentials for
      duration - Duration for which the credentials should be valid, or null to use default
      externalId - External ID to get credentials with, or null if not required
      Returns:
      AWS temporary credentials
    • close

      void close()
      Specified by:
      close in interface AutoCloseable
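The following is an added usage example, not part of the Vespa project or of this interface's documentation. It shows how a caller would use the methods listed above to obtain narrowly scoped, short-lived credentials: a role-scoped token via getRoleToken(AthenzRole, Duration) rather than a domain-wide one, an access token limited to named roles, a role certificate with an explicit expiry, and AWS credentials with a bounded duration, closing the client deterministically because it is AutoCloseable. The ZtsClient instance is assumed to be constructed elsewhere (for example a DefaultZtsClient); the package names and the AthenzDomain(String), AthenzRole(AthenzDomain, String) and AwsRole(String) constructors are assumptions about the surrounding Vespa athenz API, and the Pkcs10Csr is built by the caller.

```java
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;

import com.yahoo.security.Pkcs10Csr;
import com.yahoo.vespa.athenz.api.AthenzAccessToken;   // package names assumed
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AwsRole;
import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
import com.yahoo.vespa.athenz.api.ZToken;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;

/** Illustrative wrapper (added example): fetch least-privilege, short-lived credentials via a ZtsClient. */
public final class ScopedCredentialFetcher {

    /** Lifetimes kept short; choose the smallest value that still covers the unit of work. */
    private static final Duration TOKEN_TTL = Duration.ofMinutes(15);
    private static final Duration CERTIFICATE_TTL = Duration.ofHours(1);
    private static final Duration AWS_CREDENTIAL_TTL = Duration.ofMinutes(30);

    private final ZtsClient zts;      // constructed elsewhere (assumed), e.g. a DefaultZtsClient
    private final AthenzDomain domain;

    public ScopedCredentialFetcher(ZtsClient zts, String domainName) {
        this.zts = zts;
        this.domain = new AthenzDomain(domainName);   // constructor assumed
    }

    /** Role-scoped token: preferred over getRoleToken(domain), which covers every role in the domain. */
    public ZToken roleToken(String roleName) {
        AthenzRole role = new AthenzRole(domain, roleName);   // constructor assumed
        return zts.getRoleToken(role, TOKEN_TTL);
    }

    /** Access token limited to the listed roles instead of the whole domain. */
    public AthenzAccessToken accessToken(List<String> roleNames) {
        List<AthenzRole> roles = roleNames.stream()
                .map(name -> new AthenzRole(domain, name))
                .toList();
        return zts.getAccessToken(roles);
    }

    /** Role certificate with an explicit expiry; the CSR must match the role and use a fresh key pair. */
    public X509Certificate roleCertificate(String roleName, Pkcs10Csr csr) {
        return zts.getRoleCertificate(new AthenzRole(domain, roleName), csr, CERTIFICATE_TTL);
    }

    /** AWS credentials bounded in time; pass the external ID only when the role's trust policy requires it. */
    public AwsTemporaryCredentials awsCredentials(String awsRoleName, String externalId) {
        AwsRole awsRole = new AwsRole(awsRoleName);   // constructor assumed
        return zts.getAwsTemporaryCredentials(domain, awsRole, AWS_CREDENTIAL_TTL, externalId);
    }

    /** Typical use: open the client for one unit of work and let try-with-resources call close(). */
    public static ZToken fetchOnce(ZtsClient client, String domainName, String roleName) {
        try (client) {
            return new ScopedCredentialFetcher(client, domainName).roleToken(roleName);
        }
    }
}
```

The design choice worth noting is that every call goes through the overload that takes an explicit Duration, so the credential lifetime is a visible, reviewable constant rather than whatever default the server applies, and tokens are requested per role so a compromised caller holds no more authority than the roles it actually uses.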