Update ZTS Client AWS support + fix caching with certs (#356)
* #350 zts role token restriction on appid move to authz service * Update ZTS Client AWS support + fix caching with certs
1 parent
c63ce3d
commit da9ee2c
Showing
4 changed files
with
131 additions
and
48 deletions.
99 changes: 78 additions & 21 deletions
99
clients/java/zts/src/main/java/com/yahoo/athenz/zts/AWSCredentialsProviderImpl.java
@@ -1,50 +1,107 @@ | ||
/** | ||
* Copyright 2017 Yahoo Holdings Inc. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package com.yahoo.athenz.zts; | ||
|
||
import java.io.Closeable; | ||
import java.io.IOException; | ||
import javax.net.ssl.SSLContext; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
import com.amazonaws.auth.AWSCredentials; | ||
import com.amazonaws.auth.AWSCredentialsProvider; | ||
import com.amazonaws.auth.BasicSessionCredentials; | ||
import org.slf4j.Logger; | ||
import org.slf4j.LoggerFactory; | ||
|
||
public class AWSCredentialsProviderImpl implements AWSCredentialsProvider { | ||
public class AWSCredentialsProviderImpl implements AWSCredentialsProvider, Closeable { | ||
|
||
private static final Logger LOG = LoggerFactory.getLogger(AWSCredentialsProviderImpl.class); | ||
private static String athensSvcDomain = ""; | ||
private static String athensDomRole = ""; | ||
|
||
private String domainName; | ||
private String roleName; | ||
private ZTSClient ztsClient; | ||
private volatile AWSCredentials credentials; | ||
private ZTSClient ztsClt; | ||
|
||
private boolean closeZTSClient; | ||
|
||
public AWSCredentialsProviderImpl(ZTSClient ztsClient, String domainName, String roleName) { | ||
this.ztsClient = ztsClient; | ||
this.domainName = domainName; | ||
this.roleName = roleName; | ||
this.closeZTSClient = false; | ||
} | ||
|
||
public AWSCredentialsProviderImpl(ZTSClient ztsClt, String athensSvcDomain, String athensDomRole) { | ||
this.ztsClt = ztsClt; | ||
this.athensDomRole = athensDomRole; | ||
this.athensSvcDomain = athensSvcDomain; | ||
/** | ||
* Constructs a new AWSCredentialsProvider object with the given SSLContext object, | ||
* ZTS Server Url, Athenz domain name and AWS Role Name to retrieve temporary | ||
* credentials for. The constructor will automatically create and use the ZTS | ||
* client object for retrieving credentials. This object must be closed so | ||
* the ZTS client object is closed as well. | ||
* @param ztsUrl ZTS Server's URL | ||
* @param sslContext SSLContext that includes service's private key and x.509 certificate | ||
* for authenticating requests | ||
* @param domainName name of the domain | ||
* @param roleName is the name of the role | ||
*/ | ||
public AWSCredentialsProviderImpl(String ztsUrl, SSLContext sslContext, | ||
String domainName, String roleName) { | ||
this.domainName = domainName; | ||
this.roleName = roleName; | ||
this.ztsClient = new ZTSClient(ztsUrl, sslContext); | ||
this.closeZTSClient = true; | ||
} | ||
|
||
@Override | ||
public void close() throws IOException { | ||
if (closeZTSClient) { | ||
ztsClient.close(); | ||
} | ||
} | ||
|
||
@Override | ||
public AWSCredentials getCredentials() { | ||
this.refresh(); | ||
return this.credentials; | ||
|
||
// we are going to first refresh our credentials object. | ||
// for initial request this will fetch the credentials | ||
// while for others it will check if it exists in the cache | ||
// and only fetch if it's about to expire | ||
|
||
refresh(); | ||
return credentials; | ||
} | ||
|
||
@Override | ||
public void refresh() { | ||
try { | ||
AWSTemporaryCredentials creds = ztsClt.getAWSTemporaryCredentials(athensSvcDomain, athensDomRole); | ||
AWSTemporaryCredentials creds = ztsClient.getAWSTemporaryCredentials(domainName, roleName); | ||
if (LOG.isDebugEnabled()) { | ||
LOG.debug("AWSCredentialsProviderImpl:refresh: Credentials with id: \"" + creds.accessKeyId + "\" were fetched"); | ||
LOG.debug("Refresh: Credentials with id: {} and expiration {} were fetched", | ||
creds.getAccessKeyId(), creds.getExpiration()); | ||
} | ||
|
||
this.credentials = new BasicSessionCredentials( | ||
creds.getAccessKeyId(), | ||
creds.getSecretAccessKey(), | ||
creds.getSessionToken()); | ||
} catch (ZTSClientException exp) { | ||
this.credentials = null; | ||
LOG.error("AWSCredentialsProviderImpl:refresh: Failed to get the AWS temporary credentials from ZTS. Status: " + exp.getCode() + "Error" + exp.getData()); | ||
} catch (Exception exp) { | ||
this.credentials = null; | ||
LOG.error("AWSCredentialsProviderImpl:refresh: Failed to refresh credentials . Error: " + exp.getMessage()); | ||
|
||
} catch (ZTSClientException ex) { | ||
credentials = null; | ||
LOG.error("Refresh: Failed to get the AWS temporary credentials from ZTS: {}", | ||
ex.getMessage()); | ||
} catch (Exception ex) { | ||
credentials = null; | ||
LOG.error("Refresh: Failed to refresh credentials: {}", ex.getMessage()); | ||
} | ||
} | ||
} |
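Review bot: A failed refresh leaves `getCredentials()` returning null — both catch blocks in the new `refresh()` set `credentials = null` and only log, so an SDK caller proceeds with no credentials and the request fails later, far from the ZTS error that caused it. The AWS SDK's built-in providers signal this by throwing rather than returning null; adding `if (credentials == null) { throw new AmazonClientException("Unable to fetch AWS temporary credentials from ZTS for " + domainName + ":" + roleName); }` after the `refresh()` call in `getCredentials()` (with `import com.amazonaws.AmazonClientException;`) keeps the failure at the call site. The rewritten `ZTSClientException` log line also dropped the status code the old line printed; logging `ex.getCode()` alongside the message, and passing `ex` as the final argument so SLF4J keeps the stack trace, preserves that detail for triage. The whole class is contained in this hunk.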