Search in sources :

Example 1 with DescribeKeyResult

use of com.amazonaws.services.kms.model.DescribeKeyResult in project cerberus by Nike-Inc.

the class KmsServiceTest method test_validatePolicy_validates_policy_when_validate_interval_has_passed.

@Test
public void test_validatePolicy_validates_policy_when_validate_interval_has_passed() {
    String kmsKeyArn = "kms key arn";
    String awsIamRoleRecordId = "aws iam role record id";
    String kmsCMKRegion = "kmsCMKRegion";
    String policy = "policy";
    OffsetDateTime lastValidated = OffsetDateTime.of(2016, 1, 1, 1, 1, 1, 1, ZoneOffset.UTC);
    OffsetDateTime now = OffsetDateTime.now();
    AWSKMSClient client = mock(AWSKMSClient.class);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(new KeyMetadata().withKeyState(KeyState.Enabled)));
    when(kmsClientFactory.getClient(kmsCMKRegion)).thenReturn(client);
    GetKeyPolicyResult result = mock(GetKeyPolicyResult.class);
    when(result.getPolicy()).thenReturn(policy);
    when(client.getKeyPolicy(new GetKeyPolicyRequest().withKeyId(kmsKeyArn).withPolicyName("default"))).thenReturn(result);
    when(kmsPolicyService.isPolicyValid(policy)).thenReturn(true);
    AwsIamRoleKmsKeyRecord kmsKey = mock(AwsIamRoleKmsKeyRecord.class);
    when(kmsKey.getAwsIamRoleId()).thenReturn(awsIamRoleRecordId);
    when(kmsKey.getAwsKmsKeyId()).thenReturn(kmsKeyArn);
    when(kmsKey.getAwsRegion()).thenReturn(kmsCMKRegion);
    when(kmsKey.getLastValidatedTs()).thenReturn(lastValidated);
    when(awsIamRoleDao.getKmsKey(awsIamRoleRecordId, kmsCMKRegion)).thenReturn(Optional.of(kmsKey));
    when(dateTimeSupplier.get()).thenReturn(now);
    kmsService.validateKeyAndPolicy(kmsKey, kmsKeyArn);
    verify(client, times(1)).getKeyPolicy(new GetKeyPolicyRequest().withKeyId(kmsKeyArn).withPolicyName("default"));
    verify(kmsPolicyService, times(1)).isPolicyValid(policy);
}
Also used : AuthKmsKeyMetadata(com.nike.cerberus.domain.AuthKmsKeyMetadata) KeyMetadata(com.amazonaws.services.kms.model.KeyMetadata) OffsetDateTime(java.time.OffsetDateTime) DescribeKeyResult(com.amazonaws.services.kms.model.DescribeKeyResult) GetKeyPolicyResult(com.amazonaws.services.kms.model.GetKeyPolicyResult) AwsIamRoleKmsKeyRecord(com.nike.cerberus.record.AwsIamRoleKmsKeyRecord) AWSKMSClient(com.amazonaws.services.kms.AWSKMSClient) GetKeyPolicyRequest(com.amazonaws.services.kms.model.GetKeyPolicyRequest) Test(org.junit.Test)

Example 2 with DescribeKeyResult

use of com.amazonaws.services.kms.model.DescribeKeyResult in project aws-doc-sdk-examples by awsdocs.

the class ViewCustomerMasterKey method main.

public static void main(String[] args) {
    final String USAGE = "To run this example, supply a key id or ARN\n" + "Usage: ViewCustomerMasterKey <key-id>\n" + "Example: ViewCustomerMasterKey 1234abcd-12ab-34cd-56ef-1234567890ab\n";
    if (args.length != 1) {
        System.out.println(USAGE);
        System.exit(1);
    }
    String keyId = args[0];
    AWSKMS kmsClient = AWSKMSClientBuilder.standard().build();
    // Describe a CMK
    DescribeKeyRequest req = new DescribeKeyRequest().withKeyId(keyId);
    DescribeKeyResult result = kmsClient.describeKey(req);
    KeyMetadata metadata = result.getKeyMetadata();
    System.out.printf("%-15s %s%n", "KeyId:", keyId);
    System.out.printf("%-15s %s%n", "Arn:", metadata.getArn());
    System.out.printf("%-15s %s%n", "CreationDate:", metadata.getCreationDate());
    System.out.printf("%-15s %s%n", "Description:", metadata.getDescription());
    System.out.printf("%-15s %s%n", "KeyUsage:", metadata.getKeyUsage());
    System.out.printf("%-15s %s%n", "KeyState:", metadata.getKeyState());
    System.out.printf("%-15s %s%n", "Origin:", metadata.getOrigin());
    System.out.printf("%-15s %s%n", "KeyManager:", metadata.getKeyManager());
}
Also used : KeyMetadata(com.amazonaws.services.kms.model.KeyMetadata) DescribeKeyResult(com.amazonaws.services.kms.model.DescribeKeyResult) DescribeKeyRequest(com.amazonaws.services.kms.model.DescribeKeyRequest) AWSKMS(com.amazonaws.services.kms.AWSKMS)

Example 3 with DescribeKeyResult

use of com.amazonaws.services.kms.model.DescribeKeyResult in project cloudbreak by hortonworks.

the class AwsPlatformResourcesTest method collectEncryptionKeysWhenWeGetBackInfoThenItShouldReturnListWithElements.

@Test
public void collectEncryptionKeysWhenWeGetBackInfoThenItShouldReturnListWithElements() {
    ListKeysResult listKeysResult = new ListKeysResult();
    Set<KeyListEntry> listEntries = new HashSet<>();
    listEntries.add(keyListEntry(1));
    listEntries.add(keyListEntry(2));
    listEntries.add(keyListEntry(3));
    listEntries.add(keyListEntry(4));
    listKeysResult.setKeys(listEntries);
    DescribeKeyResult describeKeyResult = new DescribeKeyResult();
    describeKeyResult.setKeyMetadata(new KeyMetadata());
    ListAliasesResult describeAliasResult = new ListAliasesResult();
    Set<AliasListEntry> aliasListEntries = new HashSet<>();
    aliasListEntries.add(aliasListEntry(1));
    aliasListEntries.add(aliasListEntry(2));
    aliasListEntries.add(aliasListEntry(3));
    aliasListEntries.add(aliasListEntry(4));
    describeAliasResult.setAliases(aliasListEntries);
    when(awsClient.createAWSKMS(any(AwsCredentialView.class), anyString())).thenReturn(awskmsClient);
    when(awskmsClient.listKeys(any(ListKeysRequest.class))).thenReturn(listKeysResult);
    when(awskmsClient.describeKey(any(DescribeKeyRequest.class))).thenReturn(describeKeyResult);
    when(awskmsClient.listAliases(any(ListAliasesRequest.class))).thenReturn(describeAliasResult);
    CloudEncryptionKeys cloudEncryptionKeys = underTest.encryptionKeys(cloudCredential, region("London"), new HashMap<>());
    assertEquals(4L, cloudEncryptionKeys.getCloudEncryptionKeys().size());
}
Also used : ListAliasesResult(com.amazonaws.services.kms.model.ListAliasesResult) AliasListEntry(com.amazonaws.services.kms.model.AliasListEntry) DescribeKeyRequest(com.amazonaws.services.kms.model.DescribeKeyRequest) ListKeysRequest(com.amazonaws.services.kms.model.ListKeysRequest) CloudEncryptionKeys(com.sequenceiq.cloudbreak.cloud.model.CloudEncryptionKeys) AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) KeyListEntry(com.amazonaws.services.kms.model.KeyListEntry) KeyMetadata(com.amazonaws.services.kms.model.KeyMetadata) DescribeKeyResult(com.amazonaws.services.kms.model.DescribeKeyResult) ListKeysResult(com.amazonaws.services.kms.model.ListKeysResult) ListAliasesRequest(com.amazonaws.services.kms.model.ListAliasesRequest) HashSet(java.util.HashSet) Test(org.junit.jupiter.api.Test)

Example 4 with DescribeKeyResult

use of com.amazonaws.services.kms.model.DescribeKeyResult in project cloudbreak by hortonworks.

the class AwsPlatformResources method encryptionKeys.

@Override
public CloudEncryptionKeys encryptionKeys(ExtendedCloudCredential cloudCredential, Region region, Map<String, String> filters) {
    String queryFailedMessage = "Could not get encryption keys from Amazon: ";
    CloudEncryptionKeys cloudEncryptionKeys = new CloudEncryptionKeys(new HashSet<>());
    AwsCredentialView awsCredentialView = new AwsCredentialView(cloudCredential);
    AmazonKmsClient client = awsClient.createAWSKMS(awsCredentialView, region.value());
    try {
        ListKeysRequest listKeysRequest = new ListKeysRequest();
        ListKeysResult listKeysResult = client.listKeys(listKeysRequest);
        ListAliasesResult listAliasesResult = client.listAliases(new ListAliasesRequest());
        for (AliasListEntry keyListEntry : listAliasesResult.getAliases()) {
            try {
                listKeysResult.getKeys().stream().filter(item -> item.getKeyId().equals(keyListEntry.getTargetKeyId())).findFirst().ifPresent(item -> {
                    DescribeKeyRequest describeKeyRequest = new DescribeKeyRequest().withKeyId(item.getKeyId());
                    DescribeKeyResult describeKeyResult = client.describeKey(describeKeyRequest);
                    Map<String, Object> meta = new HashMap<>();
                    meta.put("aWSAccountId", describeKeyResult.getKeyMetadata().getAWSAccountId());
                    meta.put("creationDate", describeKeyResult.getKeyMetadata().getCreationDate());
                    meta.put("enabled", describeKeyResult.getKeyMetadata().getEnabled());
                    meta.put("expirationModel", describeKeyResult.getKeyMetadata().getExpirationModel());
                    meta.put("keyManager", describeKeyResult.getKeyMetadata().getKeyManager());
                    meta.put("keyState", describeKeyResult.getKeyMetadata().getKeyState());
                    meta.put("keyUsage", describeKeyResult.getKeyMetadata().getKeyUsage());
                    meta.put("origin", describeKeyResult.getKeyMetadata().getOrigin());
                    meta.put("validTo", describeKeyResult.getKeyMetadata().getValidTo());
                    if (!CloudConstants.AWS.equalsIgnoreCase(describeKeyResult.getKeyMetadata().getKeyManager())) {
                        CloudEncryptionKey key = new CloudEncryptionKey(item.getKeyArn(), describeKeyResult.getKeyMetadata().getKeyId(), describeKeyResult.getKeyMetadata().getDescription(), keyListEntry.getAliasName().replace("alias/", ""), meta);
                        cloudEncryptionKeys.getCloudEncryptionKeys().add(key);
                    }
                });
            } catch (AmazonServiceException e) {
                if (e.getStatusCode() == UNAUTHORIZED) {
                    String policyMessage = "Could not get encryption keys because the user does not have enough permission.";
                    LOGGER.error(policyMessage, e);
                } else {
                    LOGGER.info(queryFailedMessage, e);
                }
            } catch (Exception e) {
                LOGGER.warn(queryFailedMessage, e);
            }
        }
    } catch (AmazonServiceException ase) {
        if (ase.getStatusCode() == UNAUTHORIZED) {
            String policyMessage = "Could not get encryption keys because the user does not have enough permission.";
            LOGGER.error(policyMessage, ase);
            throw new CloudUnauthorizedException(policyMessage, ase);
        } else {
            LOGGER.info(queryFailedMessage, ase);
            throw new CloudConnectorException(queryFailedMessage + ase.getMessage(), ase);
        }
    } catch (Exception e) {
        LOGGER.warn(queryFailedMessage, e);
        throw new CloudConnectorException(queryFailedMessage + e.getMessage(), e);
    }
    return cloudEncryptionKeys;
}
Also used : ListAliasesResult(com.amazonaws.services.kms.model.ListAliasesResult) AliasListEntry(com.amazonaws.services.kms.model.AliasListEntry) AmazonKmsClient(com.sequenceiq.cloudbreak.cloud.aws.common.client.AmazonKmsClient) HashMap(java.util.HashMap) CloudConnectorException(com.sequenceiq.cloudbreak.cloud.exception.CloudConnectorException) DescribeKeyRequest(com.amazonaws.services.kms.model.DescribeKeyRequest) ListKeysRequest(com.amazonaws.services.kms.model.ListKeysRequest) CloudEncryptionKeys(com.sequenceiq.cloudbreak.cloud.model.CloudEncryptionKeys) CloudUnauthorizedException(com.sequenceiq.cloudbreak.cloud.exception.CloudUnauthorizedException) AmazonServiceException(com.amazonaws.AmazonServiceException) CloudConnectorException(com.sequenceiq.cloudbreak.cloud.exception.CloudConnectorException) IOException(java.io.IOException) SdkClientException(com.amazonaws.SdkClientException) AmazonEC2Exception(com.amazonaws.services.ec2.model.AmazonEC2Exception) PermanentlyFailedException(com.sequenceiq.cloudbreak.util.PermanentlyFailedException) AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) CloudEncryptionKey(com.sequenceiq.cloudbreak.cloud.model.CloudEncryptionKey) DescribeKeyResult(com.amazonaws.services.kms.model.DescribeKeyResult) AmazonServiceException(com.amazonaws.AmazonServiceException) ListKeysResult(com.amazonaws.services.kms.model.ListKeysResult) ListAliasesRequest(com.amazonaws.services.kms.model.ListAliasesRequest) CloudUnauthorizedException(com.sequenceiq.cloudbreak.cloud.exception.CloudUnauthorizedException)

Example 5 with DescribeKeyResult

use of com.amazonaws.services.kms.model.DescribeKeyResult in project cerberus by Nike-Inc.

the class KmsServiceTest method test_getKmsKeyState_happy.

@Test
public void test_getKmsKeyState_happy() {
    String awsRegion = "aws region";
    String kmsKeyId = "kms key id";
    String state = "state";
    AWSKMSClient kmsClient = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(awsRegion)).thenReturn(kmsClient);
    when(kmsClient.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(new KeyMetadata().withKeyState(state)));
    String result = kmsService.getKmsKeyState(kmsKeyId, awsRegion);
    assertEquals(state, result);
}
Also used : AuthKmsKeyMetadata(com.nike.cerberus.domain.AuthKmsKeyMetadata) KeyMetadata(com.amazonaws.services.kms.model.KeyMetadata) DescribeKeyResult(com.amazonaws.services.kms.model.DescribeKeyResult) AWSKMSClient(com.amazonaws.services.kms.AWSKMSClient) Test(org.junit.Test)

Aggregations

DescribeKeyResult (com.amazonaws.services.kms.model.DescribeKeyResult)5 KeyMetadata (com.amazonaws.services.kms.model.KeyMetadata)4 DescribeKeyRequest (com.amazonaws.services.kms.model.DescribeKeyRequest)3 AWSKMSClient (com.amazonaws.services.kms.AWSKMSClient)2 AliasListEntry (com.amazonaws.services.kms.model.AliasListEntry)2 ListAliasesRequest (com.amazonaws.services.kms.model.ListAliasesRequest)2 ListAliasesResult (com.amazonaws.services.kms.model.ListAliasesResult)2 ListKeysRequest (com.amazonaws.services.kms.model.ListKeysRequest)2 ListKeysResult (com.amazonaws.services.kms.model.ListKeysResult)2 AuthKmsKeyMetadata (com.nike.cerberus.domain.AuthKmsKeyMetadata)2 AwsCredentialView (com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView)2 CloudEncryptionKeys (com.sequenceiq.cloudbreak.cloud.model.CloudEncryptionKeys)2 Test (org.junit.Test)2 AmazonServiceException (com.amazonaws.AmazonServiceException)1 SdkClientException (com.amazonaws.SdkClientException)1 AmazonEC2Exception (com.amazonaws.services.ec2.model.AmazonEC2Exception)1 AWSKMS (com.amazonaws.services.kms.AWSKMS)1 GetKeyPolicyRequest (com.amazonaws.services.kms.model.GetKeyPolicyRequest)1 GetKeyPolicyResult (com.amazonaws.services.kms.model.GetKeyPolicyResult)1 KeyListEntry (com.amazonaws.services.kms.model.KeyListEntry)1