use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class ZTSClient method initZTSAccessTokenFileLoader.
/**
 * Create the access token file loader and preload its tokens.
 * The shared signing key resolver is created lazily: an existing one is reused,
 * otherwise a default resolver (no key source, no config) is built and stored.
 */
public static void initZTSAccessTokenFileLoader() {
    final JwtsSigningKeyResolver keyResolver;
    if (resolver == null) {
        keyResolver = new JwtsSigningKeyResolver(null, null);
        resolver = keyResolver;
    } else {
        keyResolver = resolver;
    }
    ztsAccessTokenFileLoader = new ZTSAccessTokenFileLoader(keyResolver);
    ztsAccessTokenFileLoader.preload();
}
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class ZTSClientTokenCacher method setAccessToken.
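/**
 * Add the given access token to the zts client static cache.
 * <p>
 * The token is parsed without signature validation (see the comment in the body)
 * and the cache key is built from its claims: the client id supplies the tenant
 * domain and service, the audience supplies the target domain. A response with
 * no access token, an unparseable token, or a token whose client id is missing
 * or has no '.' separator is skipped and logged.
 *
 * @param accessTokenResponse the access token response object returned by ZTS,
 *                            ignored when null or when it carries no access token
 * @param roleNames list of roles names the access token was requested for, could be null
 */
public static void setAccessToken(AccessTokenResponse accessTokenResponse, final List<String> roleNames) {
    if (accessTokenResponse == null || accessTokenResponse.getAccess_token() == null) {
        return;
    }
    // parse the access token without validating the signature: the signature
    // is stripped and no key resolver is supplied. NOTE(review): presumably
    // acceptable because the response was just obtained from ZTS by this
    // client - confirm the caller never feeds externally supplied tokens here.
    final String tokenWithoutSignature = removeSignature(accessTokenResponse.getAccess_token());
    AccessToken accessToken;
    try {
        accessToken = new AccessToken(tokenWithoutSignature, (JwtsSigningKeyResolver) null);
    } catch (Exception ex) {
        // not fatal for the caller - the token is simply not cached
        LOG.error("ZTSTokenCache: unable to parse access token", ex);
        return;
    }
    final String domainName = accessToken.getAudience();
    final String principalName = accessToken.getClientId();
    // parse principalName for the tenant domain and service name.
    // a token without a client id would otherwise NPE on lastIndexOf below,
    // so treat a missing or invalid principal name the same way: skip it
    if (principalName == null) {
        LOG.error("ZTSTokenCache: access token has no client id");
        return;
    }
    final int index = principalName.lastIndexOf('.');
    if (index == -1) {
        LOG.error("ZTSTokenCache: invalid access token client id - {}", principalName);
        return;
    }
    final String tenantDomain = principalName.substring(0, index);
    final String tenantService = principalName.substring(index + 1);
    final AccessTokenResponseCacheEntry cacheEntry = new AccessTokenResponseCacheEntry(accessTokenResponse);
    // the proxy principal spiffe uris are part of the cache key as a single
    // comma separated string, null when the claim is absent
    String proxyPrincipalSpiffeUris = null;
    final List<String> spiffeUris = accessToken.getConfirmProxyPrincpalSpiffeUris();
    if (spiffeUris != null) {
        proxyPrincipalSpiffeUris = String.join(",", spiffeUris);
    }
    final String idTokenServiceName = extractIdTokenServiceName(accessTokenResponse.getId_token());
    final String key = ZTSClient.getAccessTokenCacheKey(tenantDomain, tenantService, domainName, roleNames,
            idTokenServiceName, accessToken.getProxyPrincipal(), accessToken.getAuthorizationDetails(),
            proxyPrincipalSpiffeUris);
    if (LOG.isInfoEnabled()) {
        LOG.info("ZTSTokenCache: cache-add key: {} expires-in: {}", key, accessTokenResponse.getExpires_in());
    }
    ZTSClient.ACCESS_TOKEN_CACHE.put(key, cacheEntry);
}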
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class ZTSClientTokenCacher method extractIdTokenServiceName.
/**
 * Extract the service name - the part after the last '.' - from the audience
 * claim of the given id token.
 *
 * @param token the id token, may be null
 * @return the service component of the audience, or null when the token is
 *         absent, cannot be parsed, has no audience, or the audience has no '.'
 */
private static String extractIdTokenServiceName(final String token) {
    if (token == null) {
        return null;
    }
    // the signature is stripped before parsing, so no key resolver is supplied
    final IdToken parsedToken;
    try {
        parsedToken = new IdToken(removeSignature(token), (JwtsSigningKeyResolver) null);
    } catch (Exception ex) {
        LOG.error("ZTSTokenCache: unable to parse id token", ex);
        return null;
    }
    final String audience = parsedToken.getAudience();
    if (audience == null) {
        LOG.error("ZTSTokenCache: token has no audience");
        return null;
    }
    final int dotIndex = audience.lastIndexOf('.');
    if (dotIndex < 0) {
        LOG.error("ZTSTokenCache: invalid id token audience - {}", audience);
        return null;
    }
    return audience.substring(dotIndex + 1);
}
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class ZTSAccessTokenFileLoaderTest method setup.
/**
 * Per-test setup: builds a key resolver holding the EC test key under id
 * "eckey1", points the file loader at the test resources directory and the
 * test athenz.conf, then writes the token file the tests read.
 */
@BeforeMethod
public void setup() {
    resolver = new JwtsSigningKeyResolver(null, null);
    final PublicKey ecKey = Crypto.loadPublicKey(ecPublicKey);
    resolver.addPublicKey("eckey1", ecKey);
    // property values are read by the loader / conf code under test
    System.setProperty(ZTSAccessTokenFileLoader.ACCESS_TOKEN_PATH_PROPERTY, "./src/test/resources/");
    System.setProperty("athenz.athenz_conf", confFile.getAbsolutePath());
    setupTokenFile();
}
use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.
the class InstanceZTSProvider method initialize.
/**
 * Initialize the provider from its system properties: the optional comma
 * separated principal list, the provider dns suffix(es) (default
 * zts.athenz.cloud), the token expiry time (default 30 mins) and the jwt
 * signing key resolver. The provider name and key store are kept as-is;
 * the endpoint and ssl context are not used here.
 */
@Override
public void initialize(String provider, String providerEndpoint, SSLContext sslContext, KeyStore keyStore) {
    this.provider = provider;
    this.keyStore = keyStore;
    // optional list of principals allowed to use this provider; left untouched when unset
    final String configuredPrincipals = System.getProperty(ZTS_PROP_PRINCIPAL_LIST);
    if (configuredPrincipals != null && !configuredPrincipals.isEmpty()) {
        principals = new HashSet<>(Arrays.asList(configuredPrincipals.split(",")));
    }
    // dns suffixes, falling back to zts.athenz.cloud when the property is unset or blank
    String configuredSuffixes = System.getProperty(ZTS_PROP_PROVIDER_DNS_SUFFIX, "zts.athenz.cloud");
    if (StringUtil.isEmpty(configuredSuffixes)) {
        configuredSuffixes = "zts.athenz.cloud";
    }
    dnsSuffixes = new HashSet<>(Arrays.asList(configuredSuffixes.split(",")));
    // expiry time for generated tokens - default 30 mins; a non-numeric
    // value fails fast here with NumberFormatException
    expiryTime = Integer.parseInt(System.getProperty(ZTS_PROP_EXPIRY_TIME, "30"));
    signingKeyResolver = new JwtsSigningKeyResolver(null, null);
}