Interface ZtsClient
- All Superinterfaces:
AutoCloseable
- All Known Implementing Classes:
DefaultZtsClient
Interface for a ZTS client.
- Author: bjorncs
Method Summary
- void close()
- default AthenzAccessToken getAccessToken(AthenzDomain domain): Fetch an access token for the target domain
- AthenzAccessToken getAccessToken(AthenzDomain domain, List<AthenzIdentity> proxyPrincipals): Fetch an access token for the target domain
- AthenzAccessToken getAccessToken(List<AthenzRole> athenzRole): Fetch an access token for the target roles
- default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole): Get aws temporary credentials
- default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, String externalId): Get aws temporary credentials
- AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId): Get aws temporary credentials
- X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr): Fetch role certificate for the target domain and role
- X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry): Fetch role certificate for the target domain and role
- default ZToken getRoleToken(AthenzDomain domain): Fetch a role token for the target domain
- ZToken getRoleToken(AthenzDomain domain, Duration tokenExpiry): Fetch a role token for the target domain
- default ZToken getRoleToken(AthenzRole athenzRole): Fetch a role token for the target role
- ZToken getRoleToken(AthenzRole athenzRole, Duration tokenExpiry): Fetch a role token for the target role
- Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr): Get service identity
- Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix): Get service identity
- List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName): For a given provider, get a list of tenant domains that the user is a member of
- boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity): Check access to resource for a given principal
- InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr): Refresh an existing instance
- InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr): Register an instance using the specified provider.
Method Details

- registerInstance
  InstanceIdentity registerInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String attestationData, com.yahoo.security.Pkcs10Csr csr)
  Register an instance using the specified provider.
  - Parameters:
    attestationData - The signed identity document serialized to a string.
  - Returns:
    An X.509 certificate + service token (optional)

- refreshInstance
  InstanceIdentity refreshInstance(AthenzIdentity providerIdentity, AthenzIdentity instanceIdentity, String instanceId, com.yahoo.security.Pkcs10Csr csr)
  Refresh an existing instance.
  - Returns:
    An X.509 certificate + service token (optional)

- getServiceIdentity
  Identity getServiceIdentity(AthenzIdentity identity, String keyId, com.yahoo.security.Pkcs10Csr csr)
  Get service identity.
  - Returns:
    An X.509 certificate with CA certificates

- getServiceIdentity
  Identity getServiceIdentity(AthenzIdentity identity, String keyId, KeyPair keyPair, String dnsSuffix)
  Get service identity.
  - Returns:
    An X.509 certificate with CA certificates

- getRoleToken
  Fetch a role token for the target domain.
  - Parameters:
    domain - Target domain
  - Returns:
    A role token

- getRoleToken
  Fetch a role token for the target domain.
  - Parameters:
    domain - Target domain
    tokenExpiry - Token expiry
  - Returns:
    A role token

- getRoleToken
  Fetch a role token for the target role.
  - Parameters:
    athenzRole - Target role
  - Returns:
    A role token

- getRoleToken
  Fetch a role token for the target role.
  - Parameters:
    athenzRole - Target role
    tokenExpiry - Token expiry
  - Returns:
    A role token

- getAccessToken
  Fetch an access token for the target domain.
  - Parameters:
    domain - Target domain
  - Returns:
    An Athenz access token

- getAccessToken
  Fetch an access token for the target domain.
  - Parameters:
    domain - Target domain
    proxyPrincipals - List of principals allowed to proxy the token
  - Returns:
    An Athenz access token

- getAccessToken
  Fetch an access token for the target roles.
  - Parameters:
    athenzRole - List of Athenz roles to get an access token for
  - Returns:
    An Athenz access token

- getRoleCertificate
  X509Certificate getRoleCertificate(AthenzRole role, com.yahoo.security.Pkcs10Csr csr, Duration expiry)
  Fetch role certificate for the target domain and role.
  - Parameters:
    role - Target role
    csr - Certificate signing request matching role
    expiry - Certificate expiry
  - Returns:
    A role certificate

- getRoleCertificate
  Fetch role certificate for the target domain and role.
  - Parameters:
    role - Target role
    csr - Certificate signing request matching role
  - Returns:
    A role certificate

- getTenantDomains
  List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName)
  For a given provider, get a list of tenant domains that the user is a member of.
  - Parameters:
    providerIdentity - Provider identity
    userIdentity - User identity
    roleName - Role name
  - Returns:
    List of domains

- getAwsTemporaryCredentials
  default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole)
  Get AWS temporary credentials.
  - Parameters:
    awsRole - AWS role to get credentials for
  - Returns:
    AWS temporary credentials

- getAwsTemporaryCredentials
  default AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, String externalId)
  Get AWS temporary credentials.
  - Parameters:
    awsRole - AWS role to get credentials for
    externalId - External Id to get credentials, or null if not required
  - Returns:
    AWS temporary credentials

- getAwsTemporaryCredentials
  AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId)
  Get AWS temporary credentials.
  - Parameters:
    awsRole - AWS role to get credentials for
    duration - Duration for which the credentials should be valid, or null to use the default
    externalId - External Id to get credentials, or null if not required
  - Returns:
    AWS temporary credentials

- hasAccess
  Check access to resource for a given principal.
  - Parameters:
    resource - The resource to verify access to
    action - Action to verify
    identity - Principal that requests access
  - Returns:
    true if access is allowed, false otherwise

- close
  void close()
  - Specified by:
    close in interface AutoCloseable
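The following is an added usage example, not code from this page or from the project itself. It shows the authorization-first pattern the interface supports: ask ZTS via hasAccess() whether a principal may perform an action on a resource, and only on an explicit allow mint a role token scoped to a single role with a short, caller-chosen expiry, closing the client through try-with-resources because ZtsClient is AutoCloseable. The import package names, the Supplier-based client factory, and the AthenzDomain(String), AthenzRole(AthenzDomain, String) and AthenzResourceName(AthenzDomain, String) constructors are assumptions; only the ZtsClient methods themselves come from this page.

```java
import java.time.Duration;
import java.util.Optional;
import java.util.function.Supplier;

// Assumed package locations: this page only spells out com.yahoo.security.Pkcs10Csr;
// the other types are assumed to live in the vespa-athenz api/client packages.
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.ZToken;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;

/** Added example: authorize first, then mint a short-lived, single-role token. */
public final class ZtsClientUsageExample {

    private ZtsClientUsageExample() {}

    /**
     * Asks ZTS whether {@code principal} may perform {@code action} on {@code resource} and,
     * only on an explicit allow, fetches a role token for {@code role} with the given expiry.
     * A deny yields Optional.empty(); a transport or server error propagates as an exception,
     * so an outage is never mistaken for either an allow or a deny.
     *
     * @param clientFactory supplies a ZtsClient (e.g. a DefaultZtsClient); how that client is
     *                      constructed is not on this page, so it is injected here
     */
    public static Optional<ZToken> tokenIfAllowed(Supplier<ZtsClient> clientFactory,
                                                  AthenzIdentity principal,
                                                  AthenzResourceName resource,
                                                  String action,
                                                  AthenzRole role,
                                                  Duration tokenExpiry) {
        // ZtsClient is AutoCloseable and close() declares no checked exception, so
        // try-with-resources releases the underlying connection on every exit path.
        try (ZtsClient zts = clientFactory.get()) {
            // hasAccess() is the policy decision; anything other than an explicit true is a deny.
            if (!zts.hasAccess(resource, action, principal)) {
                return Optional.empty();
            }
            // Scope the token to one role and pass an explicit expiry rather than the server default.
            return Optional.of(zts.getRoleToken(role, tokenExpiry));
        }
    }

    /**
     * Convenience overload that builds the Athenz names from strings and uses a 10 minute expiry.
     * Assumption: the AthenzDomain(String), AthenzResourceName(AthenzDomain, String) and
     * AthenzRole(AthenzDomain, String) constructors exist; they are not described on this page.
     */
    public static Optional<ZToken> tokenIfAllowed(Supplier<ZtsClient> clientFactory,
                                                  AthenzIdentity principal,
                                                  String domainName,
                                                  String resourceEntity,
                                                  String action,
                                                  String roleName) {
        AthenzDomain domain = new AthenzDomain(domainName);
        AthenzResourceName resource = new AthenzResourceName(domain, resourceEntity);
        AthenzRole role = new AthenzRole(domain, roleName);
        return tokenIfAllowed(clientFactory, principal, resource, action, role, Duration.ofMinutes(10));
    }
}
```

Callers should treat an empty Optional as a deny and let exceptions surface to logging and alerting; collapsing errors into a deny would hide a ZTS outage, and collapsing them into an allow would be a fail-open authorization path.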