
add support for principal_issuer claim in id/access tokens#3230

Merged
psasidhar merged 2 commits into master from principal-issuer
Mar 10, 2026

Conversation

@havetisyan (Collaborator) commented Mar 10, 2026

Description

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Attach Screenshots (Optional)

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
@gemini-code-assist (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances Athenz's authentication system by introducing a principal_issuer claim in both ID and Access tokens. This new claim provides a user-friendly identifier for the entity that issued the principal's credentials, improving clarity and traceability. The implementation includes a new utility class to map certificate issuer details or signer key IDs to these friendly names, and integrates this functionality into the core authentication and ZTS components.

Highlights

  • New principal_issuer Claim: Introduced a new principal_issuer claim in both ID and Access tokens to identify the entity that issued the principal's credentials.
  • Principal Identity Issuer Mapping: Added a new PrincipalIdentityIssuer class that maps certificate issuer Distinguished Names (DNs) or signer key IDs to user-friendly issuer names, configurable via a JSON file.
  • Core Authentication Integration: Integrated the PrincipalIdentityIssuer into the CertificateAuthority and ZTSImpl components to automatically populate the principal_issuer claim during certificate authentication and token issuance.
  • Principal Interface and Implementation Updates: Updated the Principal interface and SimplePrincipal implementation to include support for retrieving and setting the new issuer identity.
  • Configuration Properties: Added new system properties (athenz.auth.certificate.identity_issuer_map_fname and athenz.zts.principal_identity_issuer_map_fname) to specify the location of the issuer mapping configuration file.
  • Comprehensive Testing: Included new unit tests for the PrincipalIdentityIssuer and updated existing tests across auth_core and zts modules to validate the correct handling and population of the principal_issuer claim.
Changelog
  • libs/java/auth_core/pom.xml
    • Updated the minimum code coverage requirement.
  • libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/Principal.java
    • Added a default method getIssuerIdentity to retrieve the issuer identity of principal credentials.
  • libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/CertificateAuthority.java
    • Added a PrincipalIdentityIssuer member, initialized it with a configuration file, and set the issuer identity on the principal during authentication.
  • libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/PrincipalIdentityIssuer.java
    • Added a new class to map certificate issuer Distinguished Names (DNs) or signer key IDs to user-friendly issuer identities.
  • libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/impl/SimplePrincipal.java
    • Added an issuerIdentity field with corresponding getter and setter methods.
  • libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/token/AccessToken.java
    • Added the CLAIM_PRINCIPAL_ISSUER constant and included this claim when generating signed access tokens.
  • libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/token/IdToken.java
    • Added the CLAIM_PRINCIPAL_ISSUER constant and included this claim when generating signed ID tokens.
  • libs/java/auth_core/src/main/java/com/yahoo/athenz/auth/token/OAuth2Token.java
    • Defined CLAIM_PRINCIPAL_ISSUER constant, added a principalIssuer field, and updated methods to handle this new claim.
  • libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/PrincipalTest.java
    • Added an assertion to verify that the default getIssuerIdentity returns null.
  • libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/CertificateAuthorityTest.java
    • Added new test methods to verify certificate authentication with issuer identity mapping.
  • libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/PrincipalIdentityIssuerTest.java
    • Added a new test class to thoroughly test the PrincipalIdentityIssuer functionality.
  • libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/impl/SimplePrincipalTest.java
    • Updated a test method to include setting and asserting the issuerIdentity on a SimplePrincipal.
  • libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/token/AccessTokenTest.java
    • Modified test methods to include setting and validating the principal_issuer claim in access tokens.
  • libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/token/IdTokenTest.java
    • Modified test methods to include setting and validating the principal_issuer claim in ID tokens.
  • libs/java/auth_core/src/test/java/com/yahoo/athenz/auth/token/OAuth2TokenTest.java
    • Updated test methods to include assertions for the principal_issuer claim and extended isStandardClaim tests.
  • libs/java/auth_core/src/test/resources/principal_identity_issuers.json
    • Added a new JSON test resource file for principal identity issuer mappings.
  • libs/java/auth_core/src/test/resources/principal_identity_issuers_default_only.json
    • Added a new JSON test resource file specifying only a default issuer identity.
  • libs/java/auth_core/src/test/resources/principal_identity_issuers_invalid_entry.json
    • Added a new JSON test resource file containing an invalid issuer entry for testing purposes.
  • servers/zts/conf/zts.properties
    • Added a new configuration property athenz.zts.principal_identity_issuer_map_fname with detailed documentation.
  • servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
    • Added a new constant ZTS_PROP_PRINCIPAL_IDENTITY_ISSUER_MAP_FNAME for the issuer map filename property.
  • servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
    • Imported PrincipalIdentityIssuer, added a new member, initialized it, and updated various token issuance methods to populate the principal_issuer claim.
  • servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplAccessTokenTest.java
    • Updated test cases to set system properties for issuer mapping and verify the principal_issuer claim in access tokens.
  • servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplIDTokenTest.java
    • Updated test cases to set system properties for issuer mapping and verify the principal_issuer claim in ID tokens.
  • servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplPostInstanceJWTRegisterTest.java
    • Modified method calls to postInstanceJWTRegister to include new parameters and set up DomainData.
  • servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
    • Updated test cases to set system properties for issuer mapping, verify the principal_issuer claim in OIDC responses, and adjust getCertRequestServiceToken calls.
  • servers/zts/src/test/resources/principal_identity_issuers.json
    • Added a new JSON test resource file for principal identity issuer mappings.
Activity
  • The pull request introduces a new feature to support the principal_issuer claim in ID and Access tokens.
  • New classes and properties have been added to facilitate this feature, including a mechanism to map certificate issuer details to user-friendly names.
  • Extensive unit tests have been added and updated across multiple modules to cover the new functionality and ensure its correctness and robustness.
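The issuer mapping and the principal_issuer claim described in the summary above, as an added example that is not the Athenz code from this PR: a stand-alone Python sketch of an issuer map loaded from JSON (certificate issuer DN or signer key id to a friendly name, with a default and with invalid entries skipped), an access token that carries the claim, and the check a relying party would make on it. The JSON layout, the key names issuer_dn and signer_key_id, the HS256 signing and every function name here are assumptions made for this example; Athenz's real principal_identity_issuers.json format and ZTS's asymmetric token signing differ.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed mapping file. The layout and key names are assumptions for this
# example; Athenz's real principal_identity_issuers.json may differ.
ISSUER_MAP_JSON = """
{
  "default": "unknown",
  "issuers": [
    {"issuer_dn": "CN=Example Corp CA,O=Example Corp", "identity": "corp-ca"},
    {"signer_key_id": "zts.example.key.0", "identity": "zts-example"},
    {"identity": "entry-without-matcher"}
  ]
}
"""


class PrincipalIdentityIssuer:
    """Maps a certificate issuer DN or a token signer key id to a friendly name.

    Entries missing an identity, or missing both matchers, are recorded as
    invalid and skipped; lookups that match nothing return the default.
    """

    def __init__(self, map_json: str):
        data = json.loads(map_json)
        self.default: Optional[str] = data.get("default")
        self.by_dn: dict = {}
        self.by_key_id: dict = {}
        self.invalid: list = []
        for entry in data.get("issuers", []):
            identity = entry.get("identity")
            dn, kid = entry.get("issuer_dn"), entry.get("signer_key_id")
            if not identity or not (dn or kid):
                self.invalid.append(entry)  # one bad entry must not block loading
                continue
            if dn:
                self.by_dn[dn] = identity
            if kid:
                self.by_key_id[kid] = identity

    def for_certificate_issuer(self, issuer_dn: str) -> Optional[str]:
        # Exact match on the DN string; the caller must render it in one
        # canonical form (for example RFC 2253) before looking it up.
        return self.by_dn.get(issuer_dn, self.default)

    def for_signer_key_id(self, key_id: str) -> Optional[str]:
        return self.by_key_id.get(key_id, self.default)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(principal: str, principal_issuer: Optional[str],
                       key: bytes, now: Optional[int] = None) -> str:
    """Builds a minimal HS256 JWT (HS256 only so the example has no
    dependencies). The claim is left out when no issuer identity is known,
    mirroring a null issuer identity on the principal."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "https://zts.example", "sub": principal, "iat": now, "exp": now + 3600}
    if principal_issuer is not None:
        claims["principal_issuer"] = principal_issuer
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_claims(token: str) -> dict:
    """Decodes the payload without verifying it; for inspection only."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_for_relying_party(token: str, key: bytes, allowed_issuers: set,
                             now: Optional[int] = None) -> Optional[dict]:
    """Verifies the signature, then enforces policy on principal_issuer.

    Returns the claims, or None on any failure. A token with no claim is
    rejected: treating an absent issuer as trusted would let a principal
    from an unmapped CA bypass the allow-list.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # the token never chooses the algorithm
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    if claims.get("principal_issuer") not in allowed_issuers:
        return None
    return claims
```

Two choices worth noting: the DN lookup is an exact string match, so a map entry and a certificate rendered with different whitespace or attribute ordering will not match and the default is returned; and the relying-party check fails closed when the claim is absent, so a token minted for a principal whose certificate issuer is not in the map cannot satisfy an issuer allow-list by omission.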

@gemini-code-assist (Contributor) bot left a comment

Code Review

This pull request adds support for a principal_issuer claim in ID and access tokens. This is achieved by adding a getIssuerIdentity() method to the Principal interface and implementing it in SimplePrincipal. A new PrincipalIdentityIssuer class is introduced to determine the issuer identity from a configurable mapping file. This new identity is then correctly propagated into the tokens during their generation in ZTSImpl. The changes are well-tested with new unit tests for the PrincipalIdentityIssuer and updates to existing tests. My only feedback is a minor one regarding log messages in the new PrincipalIdentityIssuer class.

Note: Security Review did not run due to the size of the PR.

Signed-off-by: Henry Avetisyan <hga@yahooinc.com>
@psasidhar merged commit 12d5a7e into master Mar 10, 2026
8 checks passed
@psasidhar deleted the principal-issuer branch March 10, 2026 17:20
2 participants