
support for service jwt svids #3154

Merged
havetisyan merged 1 commit into master from jwt-svid
Dec 12, 2025

Conversation

@havetisyan (Collaborator) commented Dec 12, 2025

Description

addresses issue #3153

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Attach Screenshots (Optional)

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
@gemini-code-assist (Contributor) commented

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly expands Athenz's identity management capabilities by integrating comprehensive support for Service JWT SVIDs. The core changes involve extending data models to accommodate JWT-specific claims, refactoring the ZTS server's instance registration logic to differentiate between X.509 and JWT requests, and introducing a new instance provider for JWT SVID confirmation with RBAC authorization. These updates enable services to leverage JWT-based identities, aligning Athenz with modern cloud-native security practices, and are complemented by a new Go client utility for ease of use.

Highlights

  • JWT SVID Support: Athenz now supports issuing Service JWT SVIDs (Service Verifiable Identity Documents), providing an alternative to traditional X.509 certificates for service identity in cloud-native environments.
  • Flexible Instance Registration API: The ZTS server's instance registration API has been refactored to intelligently handle both X.509 certificate requests and JWT SVID requests, adapting its processing based on whether a Certificate Signing Request (CSR) is provided.
  • New RBAC Instance Provider for JWTs: A dedicated InstanceAthenzRBACProvider has been introduced. This new Java-based provider is specifically designed to confirm JWT SVID requests, performing robust RBAC authorization checks based on the client's X.509 certificate subject DN.
  • Go Client Utility for JWT SVIDs: A new command-line utility, zts-svctoken written in Go, has been added. This tool simplifies the process for services to request and obtain JWT SVIDs from the ZTS server.
  • Optional Attestation Data and CSR: The attestationData and csr fields in the InstanceRegisterInformation structure are now optional, allowing for more flexible registration flows, particularly for JWT SVID requests that may not require a CSR.
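A sketch of the request routing the summary above describes, as an added example that is not code from the Athenz project: a hypothetical, simplified registration struct (not the Athenz RDL type) whose csr and attestationData are optional, routed to the X.509 flow when a CSR is present and otherwise to the JWT SVID flow, which is confirmed only when the client's certificate subject DN is authorized by a constructed stand-in for the RBAC lookup.

```go
package main

import (
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// RegisterInfo is a hypothetical, simplified model of the registration payload
// (not the Athenz RDL type): Csr and AttestationData are both optional.
type RegisterInfo struct {
	Domain, Service string
	AttestationData string // optional
	Csr             string // optional: present selects the X.509 flow
}

type Flow string

const (
	FlowX509 Flow = "x509"
	FlowJWT  Flow = "jwt-svid"
)

// Policy is a constructed stand-in for an Athenz RBAC lookup: client subject
// DN -> set of domain.service principals it may obtain a JWT SVID for.
type Policy map[string]map[string]bool

// ClassifyAndAuthorize picks the flow by CSR presence; the JWT SVID flow is
// confirmed only for an authenticated client whose subject DN is authorized.
func ClassifyAndAuthorize(req RegisterInfo, client *pkix.Name, pol Policy) (Flow, error) {
	if req.Domain == "" || req.Service == "" {
		return "", errors.New("domain and service are required")
	}
	if req.Csr != "" {
		return FlowX509, nil // certificate issuance path; the CSR is validated downstream
	}
	if client == nil {
		return "", errors.New("jwt svid request requires a client x.509 certificate")
	}
	principal := req.Domain + "." + req.Service
	dn := client.String() // RFC 2253 form of the client certificate subject
	if !pol[dn][principal] {
		return "", fmt.Errorf("subject %q is not authorized to obtain a jwt svid for %s", dn, principal)
	}
	return FlowJWT, nil
}

func main() {
	// Constructed sample: the caller authenticated with a certificate for CN=sports.api.
	client := &pkix.Name{CommonName: "sports.api", Organization: []string{"Example"}}
	pol := Policy{client.String(): {"sports.api": true}}
	flow, err := ClassifyAndAuthorize(RegisterInfo{Domain: "sports", Service: "api"}, client, pol)
	fmt.Println(flow, err)
}
```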

@gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces support for service JWT SVIDs, a significant and valuable feature. The implementation is well-structured, refactoring the main ZTS logic to cleanly handle both X.509 and JWT SVID registration flows. The introduction of the InstanceAthenzRBACProvider is a great addition, leveraging Athenz's own RBAC model for authorizing JWT SVID issuance. The new zts-svctoken utility provides a convenient way for clients to obtain these new tokens. The changes are accompanied by comprehensive tests, ensuring the new functionality is robust. Overall, this is an excellent contribution with high-quality code. I have not found any issues of medium or higher severity.

@yosrixp (Contributor) left a comment

Looks good

@havetisyan havetisyan merged commit 817b1d7 into master Dec 12, 2025
8 checks passed
@havetisyan havetisyan deleted the jwt-svid branch December 12, 2025 23:11