Example 1 with SimulatePrincipalPolicyRequest
use of com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest in project cloudbreak by hortonworks.
the class AwsCredentialVerifierTest method verifyCredentialAndThrowFailExceptionBecauseOrganizatioRuleTest.
@Test
public void verifyCredentialAndThrowFailExceptionBecauseOrganizatioRuleTest() throws IOException {
URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
String awsEnvPolicy = Resources.toString(url, Charsets.UTF_8);
String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes());
Map<String, Object> awsParameters = new HashMap<>();
awsParameters.put("accessKey", "a");
awsParameters.put("secretKey", "b");
CloudCredential cloudCredential = new CloudCredential("id", "name", awsParameters, "acc", false);
AmazonIdentityManagementClient amazonIdentityManagement = mock(AmazonIdentityManagementClient.class);
when(awsClient.createAmazonIdentityManagement(any(AwsCredentialView.class))).thenReturn(amazonIdentityManagement);
AmazonSecurityTokenServiceClient awsSecurityTokenService = mock(AmazonSecurityTokenServiceClient.class);
GetCallerIdentityResult getCallerIdentityResult = new GetCallerIdentityResult();
getCallerIdentityResult.setArn("arn");
when(awsSecurityTokenService.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(getCallerIdentityResult);
when(awsClient.createSecurityTokenService(any(AwsCredentialView.class))).thenReturn(awsSecurityTokenService);
ArgumentCaptor<SimulatePrincipalPolicyRequest> requestArgumentCaptor = ArgumentCaptor.forClass(SimulatePrincipalPolicyRequest.class);
AtomicInteger i = new AtomicInteger();
when(amazonIdentityManagement.simulatePrincipalPolicy(requestArgumentCaptor.capture())).thenAnswer(invocation -> {
SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = new SimulatePrincipalPolicyResult();
ArrayList<EvaluationResult> evaluationResults = new ArrayList<>();
evaluationResults.add(new EvaluationResult().withEvalDecision("deny").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true)).withEvalActionName("denied_action1_" + i).withEvalResourceName("aws:ec2"));
evaluationResults.add(new EvaluationResult().withEvalDecision("deny").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(false)).withEvalActionName("denied_action2_" + i).withEvalResourceName("aws:ec2"));
evaluationResults.add(new EvaluationResult().withEvalDecision("deny").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(false)).withEvalActionName("denied_action3_" + i).withEvalResourceName("aws:ec2"));
evaluationResults.add(new EvaluationResult().withEvalDecision("accept").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true)).withEvalActionName("accepted_action_" + i).withEvalResourceName("*"));
simulatePrincipalPolicyResult.setEvaluationResults(evaluationResults);
i.getAndIncrement();
return simulatePrincipalPolicyResult;
});
try {
awsCredentialVerifier.validateAws(new AwsCredentialView(cloudCredential), encodedAwsEnvPolicy);
fail("It shoud throw verification exception");
} catch (AwsPermissionMissingException e) {
assertThat(e.getMessage(), CoreMatchers.containsString("denied_action1_0 : aws:ec2,"));
assertThat(e.getMessage(), CoreMatchers.containsString("denied_action2_0 : aws:ec2 -> Denied by Organization Rule,"));
assertThat(e.getMessage(), CoreMatchers.containsString("denied_action3_0 : aws:ec2 -> Denied by Organization Rule,"));
assertThat(e.getMessage(), not(CoreMatchers.containsString("accepted_action")));
}
List<SimulatePrincipalPolicyRequest> allSimulatePrincipalPolicyRequest = requestArgumentCaptor.getAllValues();
int simulateRequestNumber = 5;
assertEquals("expect if " + simulateRequestNumber + " simulate request has been sent", simulateRequestNumber, allSimulatePrincipalPolicyRequest.size());
allSimulatePrincipalPolicyRequest.forEach(simulatePrincipalPolicyRequest -> assertEquals("arn", simulatePrincipalPolicyRequest.getPolicySourceArn()));
}
Also used :
AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException)
AmazonIdentityManagementClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonIdentityManagementClient)
HashMap(java.util.HashMap)
CloudCredential(com.sequenceiq.cloudbreak.cloud.model.CloudCredential)
OrganizationsDecisionDetail(com.amazonaws.services.identitymanagement.model.OrganizationsDecisionDetail)
ArrayList(java.util.ArrayList)
URL(java.net.URL)
EvaluationResult(com.amazonaws.services.identitymanagement.model.EvaluationResult)
AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView)
AtomicInteger(java.util.concurrent.atomic.AtomicInteger)
SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest)
GetCallerIdentityRequest(com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest)
AmazonSecurityTokenServiceClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonSecurityTokenServiceClient)
SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult)
GetCallerIdentityResult(com.amazonaws.services.securitytoken.model.GetCallerIdentityResult)
Test(org.junit.Test)
Example 2 with SimulatePrincipalPolicyRequest
use of com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest in project cloudbreak by hortonworks.
the class AwsCredentialVerifierTest method verifyCredentialTest.
@Test
public void verifyCredentialTest() throws IOException, AwsPermissionMissingException {
URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
String awsEnvPolicy = Resources.toString(url, Charsets.UTF_8);
String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes());
Map<String, Object> awsParameters = new HashMap<>();
awsParameters.put("accessKey", "a");
awsParameters.put("secretKey", "b");
CloudCredential cloudCredential = new CloudCredential("id", "name", awsParameters, "acc", false);
AmazonIdentityManagementClient amazonIdentityManagement = mock(AmazonIdentityManagementClient.class);
when(awsClient.createAmazonIdentityManagement(any(AwsCredentialView.class))).thenReturn(amazonIdentityManagement);
AmazonSecurityTokenServiceClient awsSecurityTokenService = mock(AmazonSecurityTokenServiceClient.class);
GetCallerIdentityResult getCallerIdentityResult = new GetCallerIdentityResult();
getCallerIdentityResult.setArn("arn");
when(awsSecurityTokenService.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(getCallerIdentityResult);
when(awsClient.createSecurityTokenService(any(AwsCredentialView.class))).thenReturn(awsSecurityTokenService);
ArgumentCaptor<SimulatePrincipalPolicyRequest> requestArgumentCaptor = ArgumentCaptor.forClass(SimulatePrincipalPolicyRequest.class);
SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = new SimulatePrincipalPolicyResult();
ArrayList<EvaluationResult> evaluationResults = new ArrayList<>();
evaluationResults.add(new EvaluationResult().withEvalDecision("accept").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true)).withEvalActionName("accepted_action1").withEvalResourceName("aws:ec2"));
evaluationResults.add(new EvaluationResult().withEvalDecision("accept").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true)).withEvalActionName("accepted_action2").withEvalResourceName("aws:ec2"));
evaluationResults.add(new EvaluationResult().withEvalDecision("accept").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true)).withEvalActionName("accepted_action3").withEvalResourceName("aws:ec2"));
evaluationResults.add(new EvaluationResult().withEvalDecision("accept").withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true)).withEvalActionName("accepted_action4").withEvalResourceName("*"));
simulatePrincipalPolicyResult.setEvaluationResults(evaluationResults);
when(amazonIdentityManagement.simulatePrincipalPolicy(requestArgumentCaptor.capture())).thenReturn(simulatePrincipalPolicyResult);
awsCredentialVerifier.validateAws(new AwsCredentialView(cloudCredential), encodedAwsEnvPolicy);
}
Also used :
AmazonIdentityManagementClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonIdentityManagementClient)
HashMap(java.util.HashMap)
CloudCredential(com.sequenceiq.cloudbreak.cloud.model.CloudCredential)
OrganizationsDecisionDetail(com.amazonaws.services.identitymanagement.model.OrganizationsDecisionDetail)
ArrayList(java.util.ArrayList)
URL(java.net.URL)
EvaluationResult(com.amazonaws.services.identitymanagement.model.EvaluationResult)
AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView)
SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest)
GetCallerIdentityRequest(com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest)
AmazonSecurityTokenServiceClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonSecurityTokenServiceClient)
SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult)
GetCallerIdentityResult(com.amazonaws.services.securitytoken.model.GetCallerIdentityResult)
Test(org.junit.Test)
Example 3 with SimulatePrincipalPolicyRequest
use of com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest in project cloudbreak by hortonworks.
the class AwsIamService method simulatePrincipalPolicy.
/**
* Helper method that wraps simulating a principal policy
*
* @param iam AmazonIdentityManagement client
* @param policySourceArn arn to to check against
* @param actionNames actions to simulate
* @param resourceArns resources to simulate
* @return List of evaluation results
*/
public List<EvaluationResult> simulatePrincipalPolicy(AmazonIdentityManagementClient iam, String policySourceArn, Collection<String> actionNames, Collection<String> resourceArns) throws AmazonIdentityManagementException {
SimulatePrincipalPolicyRequest simulatePrincipalPolicyRequest = new SimulatePrincipalPolicyRequest().withPolicySourceArn(policySourceArn).withActionNames(actionNames).withResourceArns(resourceArns);
SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = iam.simulatePrincipalPolicy(simulatePrincipalPolicyRequest);
return simulatePrincipalPolicyResult.getEvaluationResults();
}
Also used :
SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest)
SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult)
Example 4 with SimulatePrincipalPolicyRequest
use of com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest in project cloudbreak by hortonworks.
the class AwsIamServiceTest method testValidateRolePolicies.
@Test
public void testValidateRolePolicies() {
ArgumentCaptor<SimulatePrincipalPolicyRequest> simulatePolicyRequestCaptor = ArgumentCaptor.forClass(SimulatePrincipalPolicyRequest.class);
when(iam.simulatePrincipalPolicy(simulatePolicyRequestCaptor.capture())).thenReturn(new SimulatePrincipalPolicyResult().withEvaluationResults(new EvaluationResult().withEvalDecision(PolicyEvaluationDecisionType.Allowed)));
Policy policy1 = new Policy();
Set<Statement> statements1 = Set.of(createStatement(Set.of(AutoScalingActions.CreateAutoScalingGroup, AutoScalingActions.DeleteAutoScalingGroup), Set.of(new Resource("resource1"), new Resource("resource2"))), createStatement(Set.of(S3Actions.GetObject, S3Actions.PutObject), Set.of(new Resource("resource1"), new Resource("resource2"), new Resource("resource3"), new Resource("resource4"))));
policy1.getStatements().addAll(statements1);
Policy policy2 = new Policy();
Set<Statement> statements2 = Set.of(createStatement(Set.of(AutoScalingActions.AttachLoadBalancers, AutoScalingActions.AttachLoadBalancerTargetGroups), Set.of(new Resource("resource1"), new Resource("resource2"))), createStatement(Set.of(S3Actions.GetObject, S3Actions.PutObject), Set.of(new Resource("resource5"))), createStatement(Set.of(S3Actions.GetObject, S3Actions.PutObject), Set.of(new Resource("resource6"))));
policy2.setStatements(statements2);
Set<Policy> policies = Set.of(policy1, policy2);
List<EvaluationResult> evaluationResults = awsIamService.validateRolePolicies(iam, createRole(), policies);
assertEquals(2, evaluationResults.size());
verify(iam, times(2)).simulatePrincipalPolicy(any());
List<SimulatePrincipalPolicyRequest> requests = simulatePolicyRequestCaptor.getAllValues();
SimulatePrincipalPolicyRequest request1;
SimulatePrincipalPolicyRequest request2;
if (requests.get(0).getResourceArns().size() == 6) {
request1 = requests.get(0);
request2 = requests.get(1);
} else {
request1 = requests.get(1);
request2 = requests.get(0);
}
assertEquals("roleArn", request1.getPolicySourceArn());
assertEquals("roleArn", request2.getPolicySourceArn());
assertThat(request1.getResourceArns()).containsExactlyInAnyOrder("resource1", "resource2", "resource3", "resource4", "resource5", "resource6");
assertThat(request2.getResourceArns()).containsExactlyInAnyOrder("resource1", "resource2");
assertThat(request1.getActionNames()).containsExactlyInAnyOrder("s3:GetObject", "s3:PutObject");
assertThat(request2.getActionNames()).containsExactlyInAnyOrder("autoscaling:CreateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup", "autoscaling:AttachLoadBalancers", "autoscaling:AttachLoadBalancerTargetGroups");
}
Also used :
Policy(com.amazonaws.auth.policy.Policy)
Statement(com.amazonaws.auth.policy.Statement)
Resource(com.amazonaws.auth.policy.Resource)
SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest)
SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult)
EvaluationResult(com.amazonaws.services.identitymanagement.model.EvaluationResult)
Test(org.junit.jupiter.api.Test)
Example 5 with SimulatePrincipalPolicyRequest
use of com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest in project cloudbreak by hortonworks.
the class AwsCredentialVerifier method validateAws.
@Cacheable(value = AwsCredentialCachingConfig.TEMPORARY_AWS_CREDENTIAL_VERIFIER_CACHE, unless = "#awsCredential == null")
public void validateAws(AwsCredentialView awsCredential, String policyJson) throws AwsPermissionMissingException {
String policies = new String(Base64.getDecoder().decode(policyJson));
try {
List<RequiredAction> resourcesWithActions = getRequiredActions(policies);
AmazonIdentityManagementClient amazonIdentityManagement = awsClient.createAmazonIdentityManagement(awsCredential);
AmazonSecurityTokenServiceClient awsSecurityTokenService = awsClient.createSecurityTokenService(awsCredential);
String arn;
if (awsCredential.getRoleArn() != null) {
arn = awsCredential.getRoleArn();
} else {
GetCallerIdentityResult callerIdentity = awsSecurityTokenService.getCallerIdentity(new GetCallerIdentityRequest());
arn = callerIdentity.getArn();
}
List<String> failedActionList = new ArrayList<>();
for (RequiredAction resourceAndAction : resourcesWithActions) {
SimulatePrincipalPolicyRequest simulatePrincipalPolicyRequest = new SimulatePrincipalPolicyRequest();
simulatePrincipalPolicyRequest.setMaxItems(MAX_ELEMENT_SIZE);
simulatePrincipalPolicyRequest.setPolicySourceArn(arn);
simulatePrincipalPolicyRequest.setActionNames(resourceAndAction.getActionNames());
simulatePrincipalPolicyRequest.setResourceArns(Collections.singleton(resourceAndAction.getResourceArn()));
simulatePrincipalPolicyRequest.setContextEntries(resourceAndAction.getConditions());
LOGGER.debug("Simulate policy request: {}", simulatePrincipalPolicyRequest);
SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = amazonIdentityManagement.simulatePrincipalPolicy(simulatePrincipalPolicyRequest);
LOGGER.debug("Simulate policy result: {}", simulatePrincipalPolicyResult);
simulatePrincipalPolicyResult.getEvaluationResults().stream().filter(evaluationResult -> evaluationResult.getEvalDecision().toLowerCase().contains("deny")).map(evaluationResult -> {
if (evaluationResult.getOrganizationsDecisionDetail() != null && !evaluationResult.getOrganizationsDecisionDetail().getAllowedByOrganizations()) {
return evaluationResult.getEvalActionName() + " : " + evaluationResult.getEvalResourceName() + " -> Denied by Organization Rule";
} else {
return evaluationResult.getEvalActionName() + " : " + evaluationResult.getEvalResourceName();
}
}).forEach(failedActionList::add);
}
if (!failedActionList.isEmpty()) {
throw new AwsPermissionMissingException(String.format("CDP Credential '%s' doesn't have permission for these actions which are required: %s", awsCredential.getName(), failedActionList.stream().collect(joining(", ", "[ ", " ]"))));
}
} catch (IOException e) {
throw new IllegalStateException("Can not parse aws policy json", e);
}
}
Also used :
Policy(com.amazonaws.auth.policy.Policy)
AwsCredentialCachingConfig(com.sequenceiq.cloudbreak.cloud.aws.common.cache.AwsCredentialCachingConfig)
Action(com.amazonaws.auth.policy.Action)
Cacheable(org.springframework.cache.annotation.Cacheable)
LoggerFactory(org.slf4j.LoggerFactory)
SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest)
ContextEntry(com.amazonaws.services.identitymanagement.model.ContextEntry)
ArrayList(java.util.ArrayList)
AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException)
Inject(javax.inject.Inject)
AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView)
Service(org.springframework.stereotype.Service)
ContextKeyTypeEnum(com.amazonaws.services.identitymanagement.model.ContextKeyTypeEnum)
AmazonIdentityManagementClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonIdentityManagementClient)
Statement(com.amazonaws.auth.policy.Statement)
GetCallerIdentityResult(com.amazonaws.services.securitytoken.model.GetCallerIdentityResult)
Logger(org.slf4j.Logger)
JsonPolicyReader(com.amazonaws.auth.policy.internal.JsonPolicyReader)
IOException(java.io.IOException)
Collectors(java.util.stream.Collectors)
Collectors.joining(java.util.stream.Collectors.joining)
GetCallerIdentityRequest(com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest)
SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult)
Base64(java.util.Base64)
List(java.util.List)
AmazonSecurityTokenServiceClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonSecurityTokenServiceClient)
Optional(java.util.Optional)
Collections(java.util.Collections)
Condition(com.amazonaws.auth.policy.Condition)
AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException)
AmazonIdentityManagementClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonIdentityManagementClient)
ArrayList(java.util.ArrayList)
IOException(java.io.IOException)
SimulatePrincipalPolicyRequest(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest)
GetCallerIdentityRequest(com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest)
AmazonSecurityTokenServiceClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonSecurityTokenServiceClient)
SimulatePrincipalPolicyResult(com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult)
GetCallerIdentityResult(com.amazonaws.services.securitytoken.model.GetCallerIdentityResult)
Cacheable(org.springframework.cache.annotation.Cacheable)
Aggregations
SimulatePrincipalPolicyRequest (com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyRequest)7
SimulatePrincipalPolicyResult (com.amazonaws.services.identitymanagement.model.SimulatePrincipalPolicyResult)7
EvaluationResult (com.amazonaws.services.identitymanagement.model.EvaluationResult)5
GetCallerIdentityRequest (com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest)5
GetCallerIdentityResult (com.amazonaws.services.securitytoken.model.GetCallerIdentityResult)5
AmazonIdentityManagementClient (com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonIdentityManagementClient)5
AmazonSecurityTokenServiceClient (com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonSecurityTokenServiceClient)5
AwsCredentialView (com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView)5
ArrayList (java.util.ArrayList)5
AwsPermissionMissingException (com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException)4
CloudCredential (com.sequenceiq.cloudbreak.cloud.model.CloudCredential)4
URL (java.net.URL)4
HashMap (java.util.HashMap)4
Test (org.junit.Test)4
OrganizationsDecisionDetail (com.amazonaws.services.identitymanagement.model.OrganizationsDecisionDetail)3
AtomicInteger (java.util.concurrent.atomic.AtomicInteger)3
Policy (com.amazonaws.auth.policy.Policy)2
Statement (com.amazonaws.auth.policy.Statement)2
Action (com.amazonaws.auth.policy.Action)1
Condition (com.amazonaws.auth.policy.Condition)1
