Use of com.yahoo.athenz.auth.token.AccessToken in the project athenz by yahoo.
Class AccessTokenTestFileHelper, method createAccessToken.
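/**
 * Builds a fully populated test {@link AccessToken} whose timestamps are anchored at {@code now}.
 *
 * <p>Besides the fixed claim values, the token gets two confirmation entries: a literal
 * {@code x5t#uri} entry and the hash of the certificate stored in
 * {@code src/test/resources/mtls_token_spec.cert}. The fixture path is resolved against the
 * working directory, so callers must run from the module root.
 *
 * @param now issue/auth time in seconds since the epoch; the token expires one hour later
 * @return the populated, not yet signed token
 * @throws AssertionError if the certificate fixture cannot be read
 */
private static AccessToken createAccessToken(long now) {
    AccessToken accessToken = new AccessToken();
    accessToken.setAuthTime(now);
    accessToken.setScope(Collections.singletonList("admin"));
    accessToken.setSubject("subject");
    accessToken.setUserId("userid");
    accessToken.setExpiryTime(now + 3600);
    accessToken.setIssueTime(now);
    accessToken.setClientId("mtls");
    accessToken.setAudience("coretech");
    accessToken.setVersion(1);
    accessToken.setIssuer("athenz");
    accessToken.setProxyPrincipal("proxy.user");
    accessToken.setConfirmEntry("x5t#uri", "spiffe://athenz/sa/api");
    try {
        Path path = Paths.get("src/test/resources/mtls_token_spec.cert");
        // decode with an explicit charset so the fixture parses identically on every platform
        String certStr = new String(Files.readAllBytes(path), java.nio.charset.StandardCharsets.UTF_8);
        X509Certificate cert = Crypto.loadX509Certificate(certStr);
        accessToken.setConfirmX509CertHash(cert);
    } catch (IOException e) {
        // same failure type as fail(), but the I/O cause is preserved on the assertion
        throw new AssertionError("unable to read certificate fixture src/test/resources/mtls_token_spec.cert", e);
    }
    return accessToken;
}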
Use of com.yahoo.athenz.auth.token.AccessToken in the project athenz by yahoo.
Class AccessTokenTestFileHelper, method setupTokenFile.
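/**
 * Creates a test access token, signs it with the EC test key, and writes it wrapped in an
 * {@link AccessTokenResponse} to {@code tokenFile} as JSON.
 *
 * <p>The token is signed with key id {@code eckey1} using ES256. {@code ecPrivateKey} and
 * {@code tokenFile} are provided by the enclosing class.
 *
 * @throws AssertionError if the response cannot be written to {@code tokenFile}
 */
public static void setupTokenFile() {
    long now = System.currentTimeMillis() / 1000;
    AccessToken accessToken = createAccessToken(now);
    PrivateKey privateKey = Crypto.loadPrivateKey(ecPrivateKey);
    String accessJws = accessToken.getSignedToken(privateKey, "eckey1", SignatureAlgorithm.ES256);

    AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
    accessTokenResponse.setAccess_token(accessJws);
    accessTokenResponse.setExpires_in(28800);
    accessTokenResponse.setScope("admin");
    accessTokenResponse.setToken_type("Bearer");

    ObjectMapper objectMapper = new ObjectMapper();
    try {
        objectMapper.writeValue(tokenFile, accessTokenResponse);
        // the printed response contains the signed token; this is a throwaway test fixture only
        System.out.println("Write new access token " + accessTokenResponse + " to file: " + tokenFile + " successfully");
    } catch (IOException e) {
        // keep the cause attached to the failure rather than dumping it to stderr and failing blind
        throw new AssertionError("unable to write access token response to " + tokenFile, e);
    }
}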
Use of com.yahoo.athenz.auth.token.AccessToken in the project athenz by yahoo.
Class TestAuthZpe, method testValidateAccessTokenWithMtlsBound.
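/**
 * Verifies that a certificate-bound access token is accepted when validated against the
 * certificate it was bound to, both as a bare token and with the {@code Bearer } scheme prefix.
 *
 * @throws IOException if the certificate fixture cannot be read
 */
@Test
public void testValidateAccessTokenWithMtlsBound() throws IOException {
    Path path = Paths.get("src/test/resources/mtls_token_spec.cert");
    // decode with an explicit charset so the fixture parses identically on every platform
    String certStr = new String(Files.readAllBytes(path), java.nio.charset.StandardCharsets.UTF_8);
    X509Certificate cert = Crypto.loadX509Certificate(certStr);

    AccessToken accessToken = AuthZpeClient.validateAccessToken(accessToken0AnglerRegex, cert, null);
    assertNotNull(accessToken);

    // the same token must also validate when the "Bearer " prefix is present
    accessToken = AuthZpeClient.validateAccessToken("Bearer " + accessToken0AnglerRegex, cert, null);
    assertNotNull(accessToken);
}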
Use of com.yahoo.athenz.auth.token.AccessToken in the project athenz by yahoo.
Class ZTSAccessTokenFileLoader, method addToRoleMap.
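/**
 * Extracts the scope (role names) from the access token in {@code accessTokenResponse} and
 * records {@code fileName} in {@code roleNameMap} under the key built from the domain and roles.
 *
 * <p>The token is parsed with {@code accessSignKeyResolver} (presumably verifying its
 * signature); if parsing fails the error is logged and no map entry is added.
 *
 * @param domain domain the roles belong to
 * @param fileName name of the token file the map entry points back to
 * @param accessTokenResponse response holding the raw access token string
 */
private void addToRoleMap(String domain, String fileName, AccessTokenResponse accessTokenResponse) {
    final String token = accessTokenResponse.getAccess_token();
    try {
        AccessToken accessToken = new AccessToken(token, accessSignKeyResolver);
        List<String> roleNames = accessToken.getScope();
        roleNameMap.put(getRolesStr(domain, roleNames), fileName);
    } catch (Exception e) {
        // pass the exception as the trailing argument so the stack trace is logged, not only the message
        LOG.error("Got error to parse access token file {}, error: {}", fileName, e.getMessage(), e);
    }
}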
Use of com.yahoo.athenz.auth.token.AccessToken in the project athenz by yahoo.
Class ZTSClientTokenCacher, method setAccessToken.
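/**
 * Add the given access token to the zts client static cache.
 *
 * <p>The token is parsed with its signature removed and without verification; callers are
 * expected to pass a response they obtained from ZTS. The claims are used only to derive the
 * cache key: the tenant domain and service come from the client id ({@code domain.service}),
 * the audience supplies the target domain, and the proxy principal, authorization details and
 * proxy-principal SPIFFE URIs complete the key. Responses without a token, with a token that
 * cannot be parsed, or whose client id is missing or not in {@code domain.service} form are
 * skipped.
 *
 * @param accessTokenResponse the access token response object returned by ZTS
 * @param roleNames list of roles names the access token was requested for, could be null
 */
public static void setAccessToken(AccessTokenResponse accessTokenResponse, final List<String> roleNames) {
    if (accessTokenResponse == null || accessTokenResponse.getAccess_token() == null) {
        return;
    }
    // parse the access token without validating the signature
    final String tokenWithoutSignature = removeSignature(accessTokenResponse.getAccess_token());
    AccessToken accessToken;
    try {
        accessToken = new AccessToken(tokenWithoutSignature, (JwtsSigningKeyResolver) null);
    } catch (Exception ex) {
        LOG.error("ZTSTokenCache: unable to parse access token", ex);
        return;
    }
    final String domainName = accessToken.getAudience();
    final String principalName = accessToken.getClientId();
    // parse principalName for the tenant domain and service name;
    // a missing client id would otherwise NPE here, so treat it like an invalid one and skip
    if (principalName == null) {
        return;
    }
    int index = principalName.lastIndexOf('.');
    if (index == -1) {
        return;
    }
    final String tenantDomain = principalName.substring(0, index);
    final String tenantService = principalName.substring(index + 1);
    AccessTokenResponseCacheEntry cacheEntry = new AccessTokenResponseCacheEntry(accessTokenResponse);
    // the cache key carries the proxy-principal SPIFFE URIs as a single comma-joined string
    String proxyPrincipalSpiffeUris = null;
    List<String> spiffeUris = accessToken.getConfirmProxyPrincpalSpiffeUris();
    if (spiffeUris != null) {
        proxyPrincipalSpiffeUris = String.join(",", spiffeUris);
    }
    final String idTokenServiceName = extractIdTokenServiceName(accessTokenResponse.getId_token());
    final String key = ZTSClient.getAccessTokenCacheKey(tenantDomain, tenantService, domainName, roleNames,
            idTokenServiceName, accessToken.getProxyPrincipal(), accessToken.getAuthorizationDetails(),
            proxyPrincipalSpiffeUris);
    if (LOG.isInfoEnabled()) {
        LOG.info("ZTSTokenCache: cache-add key: {} expires-in: {}", key, accessTokenResponse.getExpires_in());
    }
    ZTSClient.ACCESS_TOKEN_CACHE.put(key, cacheEntry);
}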