AthenZ · abvaidya · Aug 14, 2023 · Aug 13, 2023
diff --git a/servers/zts/conf/zts.properties b/servers/zts/conf/zts.properties
@@ -717,5 +717,10 @@ athenz.zts.cert_signer_factory_class=com.yahoo.athenz.zts.cert.impl.SelfCertSign
 #athenz.zts.k8s_provider_attestation_aws_assume_role_name=
 
 # This property allows configuring a factory class to validate supported Kubernetes distributions
-# for which ZTS can accept service account tokens issued by respective Kubernetes API servers
-athenz.zts.k8s_provider_distribution_validator_factory_class=com.yahoo.athenz.instance.provider.impl.DefaultKubernetesDistributionValidatorFactory
+# for which ZTS can accept service account tokens issued by respective Kubernetes API servers.
+athenz.zts.k8s_provider_distribution_validator_factory_class=com.yahoo.athenz.instance.provider.impl.DefaultKubernetesDistributionValidatorFactory
+
+# The property lists the external credential providers that should
+# be enabled in the server. Current, we have only one provider
+# implemented for GCP and the default value includes this provider.
+#athenz.zts.external_creds_providers=gcp
diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSConsts.java
@@ -263,8 +263,9 @@ public final class ZTSConsts {
     public static final String ZTS_PROP_GCP_WORKLOAD_POOL_NAME     = "athenz.zts.gcp_workload_pool_name";
     public static final String ZTS_PROP_GCP_WORKLOAD_PROVIDER_NAME = "athenz.zts.gcp_workload_provider_name";
 
-    public static final String ZTS_EXTERNAL_CREDS_PROVIDER_GCP = "gcp";
-    public static final String ZTS_EXTERNAL_CREDS_PROVIDER_AWS = "aws";
+    public static final String ZTS_PROP_EXTERNAL_CREDS_PROVIDERS = "athenz.zts.external_creds_providers";
+    public static final String ZTS_EXTERNAL_CREDS_PROVIDER_GCP   = "gcp";
+    public static final String ZTS_EXTERNAL_CREDS_PROVIDER_AWS   = "aws";
 
     public static final String ZTS_EXTERNAL_ATTR_ROLE_NAME = "athenzRoleName";
     public static final String ZTS_EXTERNAL_ATTR_SCOPE     = "athenzScope";

diff --git a/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java b/servers/zts/src/main/java/com/yahoo/athenz/zts/ZTSImpl.java
@@ -178,7 +178,8 @@ public class ZTSImpl implements KeyStore, ZTSHandler {
     private long lastAthenzJWKUpdateTime = 0;
     protected int millisBetweenAthenzJWKUpdates = 0;
     private final Object updateJWKMutex = new Object();
-    final Map<String, ExternalCredentialsProvider> externalCredentialsProviders;
+    protected Map<String, ExternalCredentialsProvider> externalCredentialsProviders;
+    protected Set<String> enabledExternalCredentialsProviders;
 
     private static final String TYPE_DOMAIN_NAME = "DomainName";
     private static final String TYPE_SIMPLE_NAME = "SimpleName";
@@ -380,10 +381,23 @@ public ZTSImpl(CloudStore implCloudStore, DataStore implDataStore) {
 
         // initialize our external credentials providers
 
+        loadExternalCredentialsProviders();
+    }
+
+    void loadExternalCredentialsProviders() {
+
+        // initialize and load our known providers
+
         externalCredentialsProviders = new HashMap<>();
         ExternalCredentialsProvider gcpProvider = new GcpAccessTokenProvider();
         gcpProvider.setAuthorizer(authorizer);
         externalCredentialsProviders.put(ZTSConsts.ZTS_EXTERNAL_CREDS_PROVIDER_GCP, gcpProvider);
+
+        // configure which providers are enabled
+
+        final String providerList = System.getProperty(ZTSConsts.ZTS_PROP_EXTERNAL_CREDS_PROVIDERS,
+                ZTSConsts.ZTS_EXTERNAL_CREDS_PROVIDER_GCP);
+        enabledExternalCredentialsProviders = new HashSet<>(Arrays.asList(providerList.split(",")));
     }
 
     void loadJsonMapper() {
@@ -4859,7 +4873,7 @@ public ExternalCredentialsResponse postExternalCredentialsRequest(ResourceContex
         // before doing anything verify that our provider is valid
 
         ExternalCredentialsProvider externalCredentialsProvider = externalCredentialsProviders.get(provider);
-        if (externalCredentialsProvider == null) {
+        if (externalCredentialsProvider == null || !enabledExternalCredentialsProviders.contains(provider)) {
             throw requestError("Invalid external credentials provider: " + provider, caller, domainName, principalDomain);
         }
 

diff --git a/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java b/servers/zts/src/test/java/com/yahoo/athenz/zts/ZTSImplTest.java
@@ -14551,6 +14551,18 @@ public void testPostExternalCredentials() throws IOException {
                 "gcp", "coretech", extCredsRequest);
         assertNotNull(extCredsResponse);
 
+        // let's temporarily disable gcp provider
+
+        ztsImpl.enabledExternalCredentialsProviders.remove("gcp");
+        try {
+            ztsImpl.postExternalCredentialsRequest(context, "gcp", "coretech", extCredsRequest);
+            fail();
+        } catch (ResourceException ex) {
+            assertEquals(400, ex.getCode());
+            assertTrue(ex.getMessage().contains("Invalid external credentials provider"));
+        }
+        ztsImpl.enabledExternalCredentialsProviders.add("gcp");
+
         // now let's configure our http driver to return failure
 
         exchangeTokenResponse = new HttpDriverResponse(403, GcpAccessTokenProviderTest.EXCHANGE_TOKEN_ERROR_STR, null);