A utility to retrieve and report authorization history dependencies

.gitignore

@@ -97,6 +97,9 @@ utils/hostdoc/target/
 utils/zms-svctoken/bin/
 utils/zms-svctoken/pkg/
 utils/zms-svctoken/src/
+utils/zms-authhistory/bin/
+utils/zms-authhistory/pkg/
+utils/zms-authhistory/src/
 utils/zpe-updater/pkg/
 utils/zpe-updater/src/
 utils/zpe-updater/bin/

pom.xml

@@ -212,6 +212,7 @@
     <module>utils/athenz-conf</module>
     <module>utils/zms-domainattrs</module>
     <module>utils/zms-svctoken</module>
+    <module>utils/zms-authhistory</module>
     <module>utils/zpe-updater</module>
     <module>utils/zts-roletoken</module>
     <module>utils/zts-accesstoken</module>

utils/zms-authhistory/Makefile

@@ -0,0 +1,58 @@
+#
+# Makefile to build ZMS Token Access utility
+# Prerequisite: Go development environment
+#
+# Copyright The Athenz Authors
+# Licensed under the Apache License, Version 2.0 - http://www.apache.org/licenses/LICENSE-2.0
+#
+
+GOPKGNAME = github.com/AthenZ/athenz/utils/zms-authhistory
+PKG_DATE=$(shell date '+%Y-%m-%dT%H:%M:%S')
+BINARY=zms-authhistory
+SRC=zms-authhistory.go
+
+# check to see if go utility is installed
+GO := $(shell command -v go 2> /dev/null)
+GOPATH := $(shell pwd)
+export $(GOPATH)
+
+ifdef GO
+
+# we need to make sure we have go 1.19+
+# the output for the go version command is:
+# go version go1.19 darwin/amd64
+
+GO_VER_GTEQ := $(shell expr `go version | cut -f 3 -d' ' | cut -f2 -d.` \>= 19)
+ifneq "$(GO_VER_GTEQ)" "1"
+all:
+	@echo "Please install 1.19.x or newer version of golang"
+else
+
+.PHONY: vet fmt linux darwin
+all: vet fmt linux darwin
+
+endif
+
+else
+
+all:
+	@echo "go is not available please install golang"
+
+endif
+
+vet:
+	go vet .
+
+fmt:
+	go fmt .
+
+darwin:
+	@echo "Building darwin client..."
+	GOOS=darwin go build -ldflags "-X main.VERSION=$(PKG_VERSION) -X main.BUILD_DATE=$(PKG_DATE)" -o target/darwin/$(BINARY) $(SRC)
+
+linux:
+	@echo "Building linux client..."
+	GOOS=linux go build -ldflags "-X main.VERSION=$(PKG_VERSION) -X main.BUILD_DATE=$(PKG_DATE)" -o target/linux/$(BINARY) $(SRC)
+
+clean:
+	rm -rf target

utils/zms-authhistory/README.md

@@ -0,0 +1,95 @@
+zms-authhistory
+===============
+
+A utility to retrieve and report authorization history dependencies for services in a specified Athenz domain. It connects to the ZMS server using mTLS authentication and generates a report showing both **incoming** and **outgoing** dependencies for each service in the domain.
+
+- **Outgoing dependencies**: Services in your domain that have accessed resources in other domains (which domains they call).
+- **Incoming dependencies**: Principals from other domains that have accessed resources in your domain (who calls your domain).
+
+## Usage
+
+```
+zms-authhistory -domain <domain> -zms <url> -svc-key-file <key-file> -svc-cert-file <cert-file> [-svc-cacert-file <ca-cert-file>] [-days <days>] [-domains-only]
+```
+
+### Required Options
+
+| Option | Description |
+|--------|-------------|
+| `-domain` | Athenz domain name to report on |
+| `-zms` | ZMS server URL (e.g. `https://athenz.io:4443/zms/v1`) |
+| `-svc-key-file` | Service identity private key file (PEM) |
+| `-svc-cert-file` | Service identity certificate file (PEM) |
+
+### Optional Options
+
+| Option | Description |
+|--------|-------------|
+| `-svc-cacert-file` | CA certificates file for verifying the ZMS server |
+| `-days` | Number of days to look back; records older than this are ignored (0 = no filter) |
+| `-domains-only` | For dependencies, show only the domain name (no service name) |
+| `-version` | Print version and exit |
+
+### Example
+
+```bash
+zms-authhistory -domain mydomain -zms https://athenz.example.com:4443/zms/v1 \
+  -svc-key-file /path/to/key.pem -svc-cert-file /path/to/cert.pem \
+  -svc-cacert-file /path/to/ca.pem -days 30
+```
+
+With `-domains-only` to get a compact list of domains only:
+
+```bash
+zms-authhistory -domain mydomain -zms https://athenz.example.com:4443/zms/v1 \
+  -svc-key-file ./key.pem -svc-cert-file ./cert.pem -domains-only -days 7
+```
+
+## Output
+
+The report is printed as CSV to stdout.
+
+**Default format** (with service names):
+
+- **Outgoing**: `Service,Target-Domain,Last-Access` — services in your domain and which external domains they accessed.
+- **Incoming**: `Source-Domain,Source-Service,Last-Access` — external principals that accessed your domain.
+
+**With `-domains-only`**:
+
+- **Outgoing**: `Target-Domain,Last-Access`
+- **Incoming**: `Source-Domain,Last-Access`
+
+Example (default):
+
+```
+Service,Target-Domain,Last-Access
+api,other.domain,2025-02-10T12:00:00Z
+api,third.domain,2025-02-09T08:30:00Z
+worker,other.domain,2025-02-08T14:00:00Z
+
+Source-Domain,Source-Service,Last-Access
+caller.domain,frontend,2025-02-10T11:00:00Z
+caller.domain,ingest,2025-02-09T09:00:00Z
+```
+
+## Building
+
+Prerequisites: Go 1.19 or newer.
+
+```bash
+# Build for current OS and run checks
+make
+
+# Build for specific platforms
+make darwin   # target/darwin/zms-authhistory
+make linux    # target/linux/zms-authhistory
+
+# Clean build artifacts
+make clean
+```
+
+## License
+
+Copyright The Athenz Authors
+
+Licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)

utils/zms-authhistory/doc.go

@@ -0,0 +1,8 @@
+// Copyright The Athenz Authors
+// Licensed under the terms of the Apache version 2.0 license. See LICENSE file for terms.
+
+// zms-authhistory is a utility program to retrieve and report authorization
+// history dependencies for services in a specified domain. It connects to
+// the ZMS server using mTLS authentication and generates a report showing
+// both incoming and outgoing dependencies for each service in the domain.
+package main

utils/zms-authhistory/pom.xml

@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    Copyright The Athenz Authors
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>com.yahoo.athenz</groupId>
+    <artifactId>athenz</artifactId>
+    <version>1.12.35-SNAPSHOT</version>
+    <relativePath>../../pom.xml</relativePath>
+  </parent>
+
+  <artifactId>zms-authhistory</artifactId>
+  <packaging>jar</packaging>
+  <name>zms-authhistory</name>
+  <description>Utility to report all auth dependencies</description>
+
+  <properties>
+    <maven.install.skip>true</maven.install.skip>
+    <checkstyle.skip>true</checkstyle.skip>
+  </properties>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>exec-maven-plugin</artifactId>
+        <version>${maven-exec-plugin.version}</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>exec</goal>
+            </goals>
+            <phase>compile</phase>
+          </execution>
+        </executions>
+        <configuration>
+          <executable>make</executable>
+          <arguments>
+            <argument>PKG_VERSION=${project.parent.version}</argument>
+            <argument>clean</argument>
+            <argument>all</argument>
+          </arguments>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>${maven-jar-plugin.version}</version>
+        <executions>
+          <execution>
+            <id>default-jar</id>
+            <phase />
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+
+</project>