
extensible Issuer support for tokens #3193

Merged
psasidhar merged 3 commits into master from issuer-support, Feb 9, 2026

Conversation

@havetisyan havetisyan commented Feb 6, 2026

Description

addresses feature request #3194

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Attach Screenshots (Optional)

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
@gemini-code-assist

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the flexibility of token issuance within the ZTS service by introducing an extensible issuer resolution mechanism. The core change involves centralizing the logic for determining OAuth2 and OpenID Connect token issuers into a dedicated IssuerResolver class. This new component supports configurable host-to-issuer mappings, allowing for dynamic issuer assignments based on request headers, while seamlessly integrating with existing default issuer determination logic. This change aims to provide greater control and adaptability over how tokens are issued and validated.

Highlights

  • Centralized Issuer Resolution: Introduced a new IssuerResolver component to centralize the logic for determining the appropriate issuer for OAuth2 and OpenID Connect tokens, replacing scattered conditional logic within ZTSImpl.
  • Configurable Host-to-Issuer Mapping: Added support for an extensible host-to-issuer mapping file, allowing administrators to define custom issuer URIs based on the incoming request's host header. This is configured via the new athenz.zts.host_issuer_mapping_file system property.
  • Dynamic OAuth2 Issuer Set: The set of recognized OAuth2 issuers is now dynamically built by the IssuerResolver, incorporating both default ZTS issuers and any custom issuers defined in the host mapping file, enhancing flexibility for token validation.
  • Improved Test Coverage: New unit tests have been added for the HostIssuerMapping and IssuerResolver classes, ensuring the robustness and correctness of the new issuer resolution mechanism.
Changelog
  • servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
    • Added ZTS_PROP_HOST_ISSUER_MAPPING_FILE constant for configuring the host-to-issuer mapping file path.
  • servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
    • Introduced issuerResolver field and initialized it in the constructor.
    • Replaced direct issuer assignments with calls to issuerResolver.getIDTokenIssuer() and issuerResolver.getAccessTokenIssuer() for ID and Access tokens.
    • Updated OAuth2 issuer set configuration to use issuerResolver.getOauth2Issuers().
    • Modified JAG token exchange request processing to use issuerResolver.isOauth2Issuer() for audience validation.
  • servers/zts/src/main/java/com/yahoo/athenz/zts/token/HostIssuerMapping.java
    • New class defining a simple data structure for host and issuer pairs used in the mapping file.
  • servers/zts/src/main/java/com/yahoo/athenz/zts/token/IssuerResolver.java
    • New class implementing the logic to resolve token issuers based on HTTP request host headers or fallback to default ZTS issuer logic.
    • Handles loading host-to-issuer mappings from a JSON configuration file.
    • Provides methods to retrieve the set of all valid OAuth2 issuers and to determine the specific issuer for Access and ID tokens.
  • servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
    • Updated testGetOIDCResponseNoRulesGroups to use system properties for OIDC port and issuer, aligning with the new IssuerResolver initialization.
  • servers/zts/src/test/java/com/yahoo/athenz/zts/token/HostIssuerMappingTest.java
    • New unit tests for the HostIssuerMapping data class.
  • servers/zts/src/test/java/com/yahoo/athenz/zts/token/IssuerResolverTest.java
    • New comprehensive unit tests for the IssuerResolver class, covering various mapping and resolution scenarios.
  • servers/zts/src/test/resources/provider.config.json
    • Updated a test issuerUri from https://athenz.io:4443/zts/v1 to https://stage.athenz.io:4443/zts/v1.

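Added example, not code from this PR or from the Athenz code base: a minimal resolver, written here in Python rather than the project's Java so that it runs stand-alone, illustrating the design the summary above describes. It loads a host-to-issuer allowlist from a JSON file, resolves the issuer for a request from its Host header with fallback to the default issuer, and builds the closed set of OAuth2 issuers that audience validation checks against. The file format and its field names, the hostnames, and the class and method names are assumptions; the default issuer URI is the test value mentioned on the page.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample of a host-to-issuer mapping file. The field names
# "host" and "issuer" and the top-level JSON array are assumptions; the real
# Athenz file format is not shown on the page.
SAMPLE_MAPPING_JSON = """
[
  {"host": "zts.example.com",       "issuer": "https://zts.example.com:4443/zts/v1"},
  {"host": "Stage.ZTS.example.com", "issuer": "https://stage.zts.example.com:4443/zts/v1"}
]
"""

# Default issuer taken from the test resource mentioned on the page.
DEFAULT_ISSUER = "https://athenz.io:4443/zts/v1"


@dataclass(frozen=True)
class HostIssuerMapping:
    host: str    # normalized: lower-case, no port, no trailing dot
    issuer: str  # absolute https URL


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Reduce a Host header value to a comparable hostname, or None if unusable."""
    if not isinstance(host_header, str) or not host_header.strip():
        return None
    value = host_header.strip().lower()
    if value.startswith("["):                  # IPv6 literal such as "[::1]:4443"
        end = value.find("]")
        return value[:end + 1] if end != -1 else None
    host = value.split(":", 1)[0].rstrip(".")  # drop ":port" and a trailing dot
    return host or None


def load_host_issuer_mappings(text: str) -> List[HostIssuerMapping]:
    """Parse the mapping file, rejecting entries that would weaken the allowlist."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("mapping file must be a JSON array of {host, issuer} objects")
    mappings = []
    for entry in entries:
        if not isinstance(entry, dict):
            raise ValueError(f"mapping entry is not an object: {entry!r}")
        host = normalize_host(entry.get("host"))
        issuer = entry.get("issuer")
        if host is None or "*" in host:        # no empty hosts, no wildcards
            raise ValueError(f"invalid host in mapping entry: {entry!r}")
        parts = urlsplit(issuer if isinstance(issuer, str) else "")
        if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
            raise ValueError(f"issuer must be an absolute https URL: {issuer!r}")
        mappings.append(HostIssuerMapping(host, issuer))
    return mappings


def mapping_file_is_valid(text: str) -> bool:
    try:
        load_host_issuer_mappings(text)
        return True
    except ValueError:          # json.JSONDecodeError is a ValueError subclass
        return False


class IssuerResolver:
    """Picks the issuer for a request from its Host header, falling back to the default."""

    def __init__(self, default_issuer: str, mappings: Iterable[HostIssuerMapping] = ()):
        self._default = default_issuer
        self._by_host: Dict[str, str] = {}
        for m in mappings:
            if self._by_host.get(m.host, m.issuer) != m.issuer:
                raise ValueError(f"conflicting issuers configured for host {m.host}")
            self._by_host[m.host] = m.issuer
        # Closed set of issuers this server will mint and accept; built once at startup.
        self._issuers = frozenset([default_issuer, *self._by_host.values()])

    def resolve_issuer(self, host_header: Optional[str]) -> str:
        # An unknown or malformed Host never becomes an issuer; it gets the default.
        host = normalize_host(host_header)
        return self._by_host.get(host, self._default) if host else self._default

    def oauth2_issuers(self) -> frozenset:
        return self._issuers

    def is_oauth2_issuer(self, candidate: str) -> bool:
        # Exact string match: no prefix or case-insensitive comparison of issuer URLs.
        return candidate in self._issuers


def demo() -> dict:
    resolver = IssuerResolver(DEFAULT_ISSUER, load_host_issuer_mappings(SAMPLE_MAPPING_JSON))
    return {
        "mapped": resolver.resolve_issuer("stage.zts.example.com:4443"),
        "unmapped": resolver.resolve_issuer("attacker.example.net"),
        "missing": resolver.resolve_issuer(None),
        "aud_ok": resolver.is_oauth2_issuer("https://stage.zts.example.com:4443/zts/v1"),
        "aud_bad": resolver.is_oauth2_issuer("https://attacker.example.net/zts/v1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The property worth checking in any implementation of this pattern is that the Host header, which the client controls, can only select among issuers already configured; an unrecognized host falls back to the default rather than being echoed into the `iss` claim, and the issuer set used to validate the audience of exchanged tokens is fixed from configuration at startup, not derived from the request.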
@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces extensible issuer support for tokens by refactoring the issuer resolution logic into a new IssuerResolver class. This is a good design that centralizes issuer management and allows for configuration-based host-to-issuer mapping. The changes are well-structured and include comprehensive tests for the new functionality. I have one suggestion to make the host-to-issuer mapping more robust.

@psasidhar psasidhar merged commit 8c281b8 into master Feb 9, 2026
8 checks passed
@psasidhar psasidhar deleted the issuer-support branch February 9, 2026 22:40