support for service jwt svids

.gitignore

@@ -118,6 +118,9 @@ utils/zts-idtoken/src/
 utils/zts-rolecert/bin/
 utils/zts-rolecert/pkg/
 utils/zts-rolecert/src/
+utils/zts-svctoken/bin/
+utils/zts-svctoken/pkg/
+utils/zts-svctoken/src/
 utils/msd-agent/pkg/
 utils/zts-accesstoken/zts-accesstoken
 utils/zts-rolecert/zts-rolecert

assembly/utils/utils.xml

@@ -54,6 +54,10 @@
       <directory>${basedir}/../../utils/zts-svccert/target</directory>
       <outputDirectory>bin</outputDirectory>
     </fileSet>
+    <fileSet>
+      <directory>${basedir}/../../utils/zts-svctoken/target</directory>
+      <outputDirectory>bin</outputDirectory>
+    </fileSet>
     <fileSet>
       <directory>${basedir}/../../utils/zts-rolecert/target</directory>
       <outputDirectory>bin</outputDirectory>

core/zts/src/main/java/com/yahoo/athenz/zts/InstanceRegisterInformation.java

@@ -16,7 +16,11 @@ public class InstanceRegisterInformation {
     public String provider;
     public String domain;
     public String service;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public String attestationData;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public String csr;
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
@@ -54,6 +58,24 @@ public class InstanceRegisterInformation {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public String sshCertSignerKeyId;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String jwtSVIDInstanceId;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String jwtSVIDAudience;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String jwtSVIDNonce;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String jwtSVIDSpiffe;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public Boolean jwtSVIDSpiffeSubject;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String jwtSVIDKeyType;
 
     public InstanceRegisterInformation setProvider(String provider) {
         this.provider = provider;
@@ -174,6 +196,48 @@ public InstanceRegisterInformation setSshCertSignerKeyId(String sshCertSignerKey
     public String getSshCertSignerKeyId() {
         return sshCertSignerKeyId;
     }
+    public InstanceRegisterInformation setJwtSVIDInstanceId(String jwtSVIDInstanceId) {
+        this.jwtSVIDInstanceId = jwtSVIDInstanceId;
+        return this;
+    }
+    public String getJwtSVIDInstanceId() {
+        return jwtSVIDInstanceId;
+    }
+    public InstanceRegisterInformation setJwtSVIDAudience(String jwtSVIDAudience) {
+        this.jwtSVIDAudience = jwtSVIDAudience;
+        return this;
+    }
+    public String getJwtSVIDAudience() {
+        return jwtSVIDAudience;
+    }
+    public InstanceRegisterInformation setJwtSVIDNonce(String jwtSVIDNonce) {
+        this.jwtSVIDNonce = jwtSVIDNonce;
+        return this;
+    }
+    public String getJwtSVIDNonce() {
+        return jwtSVIDNonce;
+    }
+    public InstanceRegisterInformation setJwtSVIDSpiffe(String jwtSVIDSpiffe) {
+        this.jwtSVIDSpiffe = jwtSVIDSpiffe;
+        return this;
+    }
+    public String getJwtSVIDSpiffe() {
+        return jwtSVIDSpiffe;
+    }
+    public InstanceRegisterInformation setJwtSVIDSpiffeSubject(Boolean jwtSVIDSpiffeSubject) {
+        this.jwtSVIDSpiffeSubject = jwtSVIDSpiffeSubject;
+        return this;
+    }
+    public Boolean getJwtSVIDSpiffeSubject() {
+        return jwtSVIDSpiffeSubject;
+    }
+    public InstanceRegisterInformation setJwtSVIDKeyType(String jwtSVIDKeyType) {
+        this.jwtSVIDKeyType = jwtSVIDKeyType;
+        return this;
+    }
+    public String getJwtSVIDKeyType() {
+        return jwtSVIDKeyType;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -233,6 +297,24 @@ public boolean equals(Object another) {
             if (sshCertSignerKeyId == null ? a.sshCertSignerKeyId != null : !sshCertSignerKeyId.equals(a.sshCertSignerKeyId)) {
                 return false;
             }
+            if (jwtSVIDInstanceId == null ? a.jwtSVIDInstanceId != null : !jwtSVIDInstanceId.equals(a.jwtSVIDInstanceId)) {
+                return false;
+            }
+            if (jwtSVIDAudience == null ? a.jwtSVIDAudience != null : !jwtSVIDAudience.equals(a.jwtSVIDAudience)) {
+                return false;
+            }
+            if (jwtSVIDNonce == null ? a.jwtSVIDNonce != null : !jwtSVIDNonce.equals(a.jwtSVIDNonce)) {
+                return false;
+            }
+            if (jwtSVIDSpiffe == null ? a.jwtSVIDSpiffe != null : !jwtSVIDSpiffe.equals(a.jwtSVIDSpiffe)) {
+                return false;
+            }
+            if (jwtSVIDSpiffeSubject == null ? a.jwtSVIDSpiffeSubject != null : !jwtSVIDSpiffeSubject.equals(a.jwtSVIDSpiffeSubject)) {
+                return false;
+            }
+            if (jwtSVIDKeyType == null ? a.jwtSVIDKeyType != null : !jwtSVIDKeyType.equals(a.jwtSVIDKeyType)) {
+                return false;
+            }
         }
         return true;
     }

core/zts/src/main/java/com/yahoo/athenz/zts/ZTSSchema.java

@@ -337,8 +337,8 @@ private static Schema build() {
             .field("provider", "ServiceName", false, "the provider service name (i.e. \"aws.us-west-2\", \"sys.openstack.cluster1\")")
             .field("domain", "DomainName", false, "the domain of the instance")
             .field("service", "SimpleName", false, "the service this instance is supposed to run")
-            .field("attestationData", "String", false, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
-            .field("csr", "String", false, "the Certificate Signing Request for the expected X.509 certificate in the response")
+            .field("attestationData", "String", true, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")
+            .field("csr", "String", true, "the Certificate Signing Request for the expected X.509 certificate in the response")
             .field("ssh", "String", true, "deprecated - use sshCertRequest, if present, return an SSH host certificate. Format is JSON.")
             .field("sshCertRequest", "SSHCertRequest", true, "if present, return an SSH host certificate")
             .field("token", "Bool", true, "if true, return a service token signed by ZTS for this service")
@@ -350,7 +350,13 @@ private static Schema build() {
             .field("namespace", "SimpleName", true, "spiffe/k8s namespace value")
             .field("cloud", "SimpleName", true, "optional cloud name where the instance is bootstrapped. e.g. aws / gcp / azure / openstack etc.")
             .field("x509CertSignerKeyId", "SimpleName", true, "requested x509 cert signer key id")
-            .field("sshCertSignerKeyId", "SimpleName", true, "requested ssh cert signer key id");
+            .field("sshCertSignerKeyId", "SimpleName", true, "requested ssh cert signer key id")
+            .field("jwtSVIDInstanceId", "PathElement", true, "unique instance id within provider's namespace for the jwt svid")
+            .field("jwtSVIDAudience", "String", true, "the audience value for the jwt svid")
+            .field("jwtSVIDNonce", "EntityName", true, "the nonce value for the jwt svid")
+            .field("jwtSVIDSpiffe", "String", true, "the spiffe uri for the jwt svid")
+            .field("jwtSVIDSpiffeSubject", "Bool", true, "if true, return the spiffe uri as the jwt svid sub claim value")
+            .field("jwtSVIDKeyType", "SimpleName", true, "optional signing key type - RSA or EC. Might be ignored if server doesn't have the requested type configured");
 
         sb.structType("InstanceRefreshInformation")
             .field("attestationData", "String", true, "identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.")

core/zts/src/main/rdl/Instance.rdli

@@ -9,8 +9,8 @@ type InstanceRegisterInformation Struct {
     ServiceName provider; //the provider service name (i.e. "aws.us-west-2", "sys.openstack.cluster1")
     DomainName domain; //the domain of the instance
     SimpleName service; //the service this instance is supposed to run
-    String attestationData; //identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.
-    String csr; //the Certificate Signing Request for the expected X.509 certificate in the response
+    String attestationData (optional); //identity attestation data including document with its signature containing attributes like IP address, instance-id, account#, etc.
+    String csr (optional); //the Certificate Signing Request for the expected X.509 certificate in the response
     String ssh (optional); //deprecated - use sshCertRequest, if present, return an SSH host certificate. Format is JSON.
     SSHCertRequest sshCertRequest (optional); //if present, return an SSH host certificate
     Bool token (optional); //if true, return a service token signed by ZTS for this service
@@ -23,6 +23,12 @@ type InstanceRegisterInformation Struct {
     SimpleName cloud (optional); //optional cloud name where the instance is bootstrapped. e.g. aws / gcp / azure / openstack etc.
     SimpleName x509CertSignerKeyId (optional); //requested x509 cert signer key id
     SimpleName sshCertSignerKeyId (optional); //requested ssh cert signer key id
+    PathElement jwtSVIDInstanceId (optional); //unique instance id within provider's namespace for the jwt svid
+    String jwtSVIDAudience (optional); //the audience value for the jwt svid
+    EntityName jwtSVIDNonce (optional); //the nonce value for the jwt svid
+    String jwtSVIDSpiffe (optional); //the spiffe uri for the jwt svid
+    Bool jwtSVIDSpiffeSubject (optional); //if true, return the spiffe uri as the jwt svid sub claim value
+    SimpleName jwtSVIDKeyType (optional); //optional signing key type - RSA or EC. Might be ignored if server doesn't have the requested type configured
 }
 
 type InstanceRefreshInformation Struct {