
Example 11 with JwtsSigningKeyResolver

use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.

From class ZTSClient, method initZTSAccessTokenFileLoader:

/**
 * Creates the shared signing-key resolver if none has been set yet, then builds a
 * fresh access-token file loader around it and preloads that loader.
 *
 * NOTE(review): the check-then-set on the static {@code resolver} field is not
 * synchronized; this presumes a single startup-time caller - confirm with callers.
 */
public static void initZTSAccessTokenFileLoader() {
    JwtsSigningKeyResolver keyResolver = resolver;
    if (keyResolver == null) {
        // constructed with (null, null); what those arguments mean is defined by
        // JwtsSigningKeyResolver, which is not visible here
        keyResolver = new JwtsSigningKeyResolver(null, null);
        resolver = keyResolver;
    }
    ztsAccessTokenFileLoader = new ZTSAccessTokenFileLoader(keyResolver);
    ztsAccessTokenFileLoader.preload();
}

Example 12 with JwtsSigningKeyResolver

use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.

From class ZTSClientTokenCacher, method setAccessToken:

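/**
 * Add the given access token to the zts client static cache.
 *
 * The token is parsed with a null key resolver, i.e. its signature is NOT verified.
 * The decoded claims are used only to derive the cache key (tenant domain and service,
 * audience, proxy principal, authorization details, proxy-principal spiffe uris);
 * nothing decoded here is suitable for an authorization decision.
 *
 * @param accessTokenResponse the access token response object returned by ZTS; the call
 *                            is a no-op when it is null, carries no access token, or the
 *                            token cannot be parsed or has no usable client id
 * @param roleNames list of roles names the access token was requested for, could be null
 */
public static void setAccessToken(AccessTokenResponse accessTokenResponse, final List<String> roleNames) {
    if (accessTokenResponse == null || accessTokenResponse.getAccess_token() == null) {
        return;
    }
    // parse the access token without validating the signature
    final String tokenWithoutSignature = removeSignature(accessTokenResponse.getAccess_token());
    AccessToken accessToken;
    try {
        accessToken = new AccessToken(tokenWithoutSignature, (JwtsSigningKeyResolver) null);
    } catch (Exception ex) {
        LOG.error("ZTSTokenCache: unable to parse access token", ex);
        return;
    }
    final String domainName = accessToken.getAudience();
    final String principalName = accessToken.getClientId();
    // parse principalName for the tenant domain and service name
    // if we have a missing or invalid principal name then we'll just skip
    // (without the null check a token lacking a client id would throw NPE on lastIndexOf)
    if (principalName == null) {
        LOG.error("ZTSTokenCache: access token has no client id");
        return;
    }
    int index = principalName.lastIndexOf('.');
    if (index == -1) {
        return;
    }
    final String tenantDomain = principalName.substring(0, index);
    final String tenantService = principalName.substring(index + 1);
    AccessTokenResponseCacheEntry cacheEntry = new AccessTokenResponseCacheEntry(accessTokenResponse);
    // the spiffe uri list is folded into a single comma-separated string for the key
    String proxyPrincipalSpiffeUris = null;
    List<String> spiffeUris = accessToken.getConfirmProxyPrincpalSpiffeUris();
    if (spiffeUris != null) {
        proxyPrincipalSpiffeUris = String.join(",", spiffeUris);
    }
    // null when the response carries no id token or it cannot be parsed
    final String idTokenServiceName = extractIdTokenServiceName(accessTokenResponse.getId_token());
    final String key = ZTSClient.getAccessTokenCacheKey(tenantDomain, tenantService, domainName, roleNames, idTokenServiceName, accessToken.getProxyPrincipal(), accessToken.getAuthorizationDetails(), proxyPrincipalSpiffeUris);
    if (LOG.isInfoEnabled()) {
        LOG.info("ZTSTokenCache: cache-add key: {} expires-in: {}", key, accessTokenResponse.getExpires_in());
    }
    ZTSClient.ACCESS_TOKEN_CACHE.put(key, cacheEntry);
}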

Example 13 with JwtsSigningKeyResolver

use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.

From class ZTSClientTokenCacher, method extractIdTokenServiceName:

/**
 * Returns the service-name component (the text after the last '.') of the id token's
 * audience, or null when the token is absent, cannot be parsed, or has no usable audience.
 * The token is parsed with a null key resolver, so its signature is not checked; the
 * result is only used as a cache-key component.
 *
 * @param token the id token string, may be null
 * @return the audience's service name, or null
 */
private static String extractIdTokenServiceName(final String token) {
    if (token == null) {
        return null;
    }
    final IdToken parsedToken;
    try {
        parsedToken = new IdToken(removeSignature(token), (JwtsSigningKeyResolver) null);
    } catch (Exception ex) {
        LOG.error("ZTSTokenCache: unable to parse id token", ex);
        return null;
    }
    final String audience = parsedToken.getAudience();
    if (audience == null) {
        LOG.error("ZTSTokenCache: token has no audience");
        return null;
    }
    final int dot = audience.lastIndexOf('.');
    if (dot < 0) {
        LOG.error("ZTSTokenCache: invalid id token audience - {}", audience);
        return null;
    }
    return audience.substring(dot + 1);
}

Example 14 with JwtsSigningKeyResolver

use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.

From class ZTSAccessTokenFileLoaderTest, method setup:

/**
 * Per-test fixture: builds a resolver holding the EC test public key under id "eckey1",
 * points the loader at the test resources directory and the athenz conf file, then
 * runs setupTokenFile().
 */
@BeforeMethod
public void setup() {
    resolver = new JwtsSigningKeyResolver(null, null);
    resolver.addPublicKey("eckey1", Crypto.loadPublicKey(ecPublicKey));
    // both properties are process-wide and stay set for later tests in the same JVM
    System.setProperty(ZTSAccessTokenFileLoader.ACCESS_TOKEN_PATH_PROPERTY, "./src/test/resources/");
    System.setProperty("athenz.athenz_conf", confFile.getAbsolutePath());
    setupTokenFile();
}

Example 15 with JwtsSigningKeyResolver

use of com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver in project athenz by yahoo.

From class InstanceZTSProvider, method initialize:

/**
 * Reads this provider's configuration from system properties and creates its
 * signing-key resolver.
 *
 * @param provider         provider name, stored as-is
 * @param providerEndpoint not used by this implementation
 * @param sslContext       not used by this implementation
 * @param keyStore         stored as-is
 */
@Override
public void initialize(String provider, String providerEndpoint, SSLContext sslContext, KeyStore keyStore) {
    this.provider = provider;
    this.keyStore = keyStore;
    // optional comma-separated list of valid principals for this provider;
    // when the property is absent or empty the principals field is left untouched
    final String configuredPrincipals = System.getProperty(ZTS_PROP_PRINCIPAL_LIST);
    if (configuredPrincipals != null && !configuredPrincipals.isEmpty()) {
        principals = new HashSet<>(Arrays.asList(configuredPrincipals.split(",")));
    }
    // comma-separated dns suffixes, defaulting to zts.athenz.cloud when the property
    // is missing or empty. entries are split verbatim and not trimmed
    final String defaultDnsSuffix = "zts.athenz.cloud";
    String configuredSuffixes = System.getProperty(ZTS_PROP_PROVIDER_DNS_SUFFIX, defaultDnsSuffix);
    if (StringUtil.isEmpty(configuredSuffixes)) {
        configuredSuffixes = defaultDnsSuffix;
    }
    dnsSuffixes = new HashSet<>(Arrays.asList(configuredSuffixes.split(",")));
    // expiry time for any generated tokens - default 30 mins.
    // NOTE(review): a non-numeric property value makes initialize throw NumberFormatException
    expiryTime = Integer.parseInt(System.getProperty(ZTS_PROP_EXPIRY_TIME, "30"));
    // jwt key resolver; presumably used to verify tokens presented to this provider - confirm
    signingKeyResolver = new JwtsSigningKeyResolver(null, null);
}
