
Example 1 with Permission

use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.

the class IPCPubSubRemovalTest method GIVEN_pubsubclient_WHEN_authorized_THEN_component_removed_via_deployment_THEN_updates.

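@Test
void GIVEN_pubsubclient_WHEN_authorized_THEN_component_removed_via_deployment_THEN_updates(ExtensionContext context) throws Exception {
    // Connects over IPC as "SubscribeAndPublish", shows pub/sub works while its policy is loaded, removes the
    // component, and then checks that BOTH the subscribe and the publish paths are rejected as unauthorized.
    try (EventStreamRPCConnection connection = IPCTestUtils.getEventStreamRpcConnection(kernel, "SubscribeAndPublish")) {
        GreengrassCoreIPCClient ipcClient = new GreengrassCoreIPCClient(connection);
        Pair<CompletableFuture<Void>, Consumer<byte[]>> cb = asyncAssertOnConsumer((m) -> {
            assertEquals("some message", new String(m, StandardCharsets.UTF_8));
        }, -1);
        // Policies expected from the kernel config: the test principal, a publish-only principal, and the TES default.
        Permission policyId1 = Permission.builder().principal("SubscribeAndPublish").operation("*").resource("*").build();
        Permission policyId2 = Permission.builder().principal("PublishNotSubscribe").operation("aws.greengrass#PublishToTopic").resource("*").build();
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
        // Positive path while authorized.
        subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
        publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
        cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);
        // Remove component SubscribeAndPublish
        GreengrassService subscribeAndPublish = kernel.locate("SubscribeAndPublish");
        subscribeAndPublish.close().get(1, TimeUnit.MINUTES);
        subscribeAndPublish.getConfig().remove();
        kernel.getContext().waitForPublishQueueToClear();
        assertFalse(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        // GG_NEEDS_REVIEW: TODO: convert all these integ tests to use only recipe merging instead of loading a kernel config file
        // Otherwise the removal of "SubscribeAndPublish" also inadvertently results in the "PublishNotSubscribe"
        // component (and all other components) and its policies being removed, since it is not part of the deployment.
        // Hence the next line is commented out
        // assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME,policyId2));
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
        // Now the authorization policies should have been removed and these should fail.
        // The cause is pinned on both calls: asserting only ExecutionException would also pass on a
        // timeout or a transport failure, which is not the revocation this test is meant to prove.
        ExecutionException e = assertThrows(ExecutionException.class, () -> subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight()));
        assertTrue(e.getCause() instanceof UnauthorizedError);
        e = assertThrows(ExecutionException.class, () -> publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message"));
        assertTrue(e.getCause() instanceof UnauthorizedError);
    }
}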

Example 2 with Permission

use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.

the class IPCPubSubRemovalTest method GIVEN_pubsubclient_WHEN_service_removed_and_added_THEN_fail_and_succeed.

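@Test
void GIVEN_pubsubclient_WHEN_service_removed_and_added_THEN_fail_and_succeed() throws Exception {
    // Round trip on the authorization state: pub/sub works with the service's policy loaded, is rejected
    // as unauthorized once the service topic is removed, and works again after the config is re-read.
    try (EventStreamRPCConnection connection = IPCTestUtils.getEventStreamRpcConnection(kernel, "SubscribeAndPublish")) {
        GreengrassCoreIPCClient ipcClient = new GreengrassCoreIPCClient(connection);
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
        Pair<CompletableFuture<Void>, Consumer<byte[]>> cb = asyncAssertOnConsumer((m) -> {
            assertEquals("some message", new String(m, StandardCharsets.UTF_8));
        }, -1);
        Permission policyId1 = Permission.builder().principal("SubscribeAndPublish").operation("*").resource("*").build();
        Permission policyId2 = Permission.builder().principal("PublishNotSubscribe").operation("aws.greengrass#PublishToTopic").resource("*").build();
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
        // Positive path while authorized.
        subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
        publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
        cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);
        // Remove the service topic
        Topics serviceTopic = kernel.findServiceTopic("SubscribeAndPublish");
        if (serviceTopic != null) {
            serviceTopic.remove();
        }
        kernel.getContext().waitForPublishQueueToClear();
        // Only the removed service's policy must go; the unrelated principal keeps its policy.
        assertFalse(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
        // Both operations must now be rejected, and the rejection must be an authorization failure.
        ExecutionException e = assertThrows(ExecutionException.class, () -> subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight()));
        assertTrue(e.getCause() instanceof UnauthorizedError);
        e = assertThrows(ExecutionException.class, () -> publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message"));
        assertTrue(e.getCause() instanceof UnauthorizedError);
        // Reload the kernel with the service and correct authorization policy.
        // getResource() already yields a URL; the former new URL(url.toString()) round trip added nothing
        // and would have surfaced a missing resource as an opaque NPE instead of a readable failure.
        URL pubsubConfig = IPCPubSubTest.class.getResource("pubsub.yaml");
        if (pubsubConfig == null) {
            throw new IllegalStateException("test resource pubsub.yaml not found on the classpath");
        }
        kernel.getConfig().read(pubsubConfig, false);
        kernel.getContext().waitForPublishQueueToClear();
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
        assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
        // now this should succeed
        subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
        publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
        cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);
    }
}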

Example 3 with Permission

use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.

the class PubSubIPCEventStreamAgentTest method GIVEN_subscribed_to_topic_from_all_sources_WHEN_publish_many_binary_message_THEN_publishes_message_inorder.

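@Test
void GIVEN_subscribed_to_topic_from_all_sources_WHEN_publish_many_binary_message_THEN_publishes_message_inorder() throws InterruptedException, AuthorizationException {
    // One subscriber is registered on TEST_TOPIC; ten binary publishes must each pass the authorization
    // handler and be delivered to that subscriber in publish order.
    java.nio.charset.Charset utf8 = java.nio.charset.StandardCharsets.UTF_8;
    StreamEventPublisher publisher = mock(StreamEventPublisher.class);
    Set<Object> set = new HashSet<>();
    set.add(publisher);
    pubSubIPCEventStreamAgent.getListeners().add(TEST_TOPIC, set);
    // Diamond instead of the raw CompletableFuture used before; the returned future is never completed.
    when(publisher.sendStreamEvent(subscriptionResponseMessageCaptor.capture())).thenReturn(new CompletableFuture<>());
    List<PublishToTopicRequest> publishToTopicRequests = new ArrayList<>();
    for (int i = 0; i < 10; i++) {
        PublishToTopicRequest publishToTopicRequest = new PublishToTopicRequest();
        publishToTopicRequest.setTopic(TEST_TOPIC);
        PublishMessage publishMessage = new PublishMessage();
        BinaryMessage binaryMessage = new BinaryMessage();
        // Explicit charset: the payload is compared as text below, so both sides must agree on the encoding.
        binaryMessage.setMessage(String.valueOf(i).getBytes(utf8));
        publishMessage.setBinaryMessage(binaryMessage);
        publishToTopicRequest.setPublishMessage(publishMessage);
        publishToTopicRequests.add(publishToTopicRequest);
    }
    try (PubSubIPCEventStreamAgent.PublishToTopicOperationHandler publishToTopicHandler = pubSubIPCEventStreamAgent.getPublishToTopicHandler(mockContext)) {
        for (PublishToTopicRequest publishToTopicRequest : publishToTopicRequests) {
            PublishToTopicResponse publishToTopicResponse = publishToTopicHandler.handleRequest(publishToTopicRequest);
            assertNotNull(publishToTopicResponse);
        }
        // Every publish must be authorized individually, with the MQTT-style resource lookup.
        verify(authorizationHandler, times(10)).isAuthorized(eq(PUB_SUB_SERVICE_NAME), permissionArgumentCaptor.capture(), eq(ResourceLookupPolicy.MQTT_STYLE));
        Permission capturedPermission = permissionArgumentCaptor.getValue();
        assertThat(capturedPermission.getOperation(), is(GreengrassCoreIPCService.PUBLISH_TO_TOPIC));
        assertThat(capturedPermission.getPrincipal(), is(TEST_SERVICE));
        assertThat(capturedPermission.getResource(), is(TEST_TOPIC));
        // Delivery to the subscriber is asynchronous. Wait until all ten are captured, bounded by the same
        // 2 s the former fixed sleep used, instead of always paying the full 2 s.
        long deadlineNanos = System.nanoTime() + TimeUnit.SECONDS.toNanos(2);
        while (subscriptionResponseMessageCaptor.getAllValues().size() < 10 && System.nanoTime() < deadlineNanos) {
            TimeUnit.MILLISECONDS.sleep(20);
        }
        List<SubscriptionResponseMessage> delivered = subscriptionResponseMessageCaptor.getAllValues();
        assertNotNull(delivered);
        assertEquals(10, delivered.size());
        // Order check: the i-th delivered message must carry the i-th payload.
        for (int expected = 0; expected < delivered.size(); expected++) {
            SubscriptionResponseMessage responseMessage = delivered.get(expected);
            assertNull(responseMessage.getJsonMessage());
            assertNotNull(responseMessage.getBinaryMessage());
            assertEquals(String.valueOf(expected), new String(responseMessage.getBinaryMessage().getMessage(), utf8));
            assertEquals(TEST_TOPIC, responseMessage.getBinaryMessage().getEventTopic());
        }
    }
}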

Example 4 with Permission

use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.

the class PubSubIPCEventStreamAgentTest method GIVEN_subscribe_topic_to_all_sources_WHEN_subscribe_THEN_added_all_services_listeners.

@Test
void GIVEN_subscribe_topic_to_all_sources_WHEN_subscribe_THEN_added_all_services_listeners() throws AuthorizationException {
    // A subscribe on TEST_TOPIC has to be run through the authorization handler (MQTT-style resource lookup)
    // and, once allowed, must register exactly one listener for that topic.
    SubscribeToTopicRequest request = new SubscribeToTopicRequest();
    request.setTopic(TEST_TOPIC);
    try (PubSubIPCEventStreamAgent.SubscribeToTopicOperationHandler handler = pubSubIPCEventStreamAgent.getSubscribeToTopicHandler(mockContext)) {
        SubscribeToTopicResponse response = handler.handleRequest(request);
        assertNotNull(response);
        // The permission presented for the check must name the calling service, the subscribe operation and the topic.
        verify(authorizationHandler).isAuthorized(eq(PUB_SUB_SERVICE_NAME), permissionArgumentCaptor.capture(), eq(ResourceLookupPolicy.MQTT_STYLE));
        Permission checked = permissionArgumentCaptor.getValue();
        assertThat(checked.getPrincipal(), is(TEST_SERVICE));
        assertThat(checked.getOperation(), is(GreengrassCoreIPCService.SUBSCRIBE_TO_TOPIC));
        assertThat(checked.getResource(), is(TEST_TOPIC));
        // Side effect of a successful subscribe: one listener registered under the topic.
        assertTrue(pubSubIPCEventStreamAgent.getListeners().containsKey(TEST_TOPIC));
        assertEquals(1, pubSubIPCEventStreamAgent.getListeners().get(TEST_TOPIC).size());
    }
}

Example 5 with Permission

use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.

the class LifecycleIPCEventStreamAgentTest method GIVEN_pause_component_request_WHEN_component_not_external_THEN_return_invalid_error.

@Test
@EnabledOnOs(OS.LINUX)
void GIVEN_pause_component_request_WHEN_component_not_external_THEN_return_invalid_error() throws ServiceException, AuthorizationException {
    // The located component is a plain GreengrassService mock (not an external component), so the pause
    // handler must answer with InvalidArgumentsError and must not read or change the target's state.
    when(authorizationHandler.isAuthorized(any(), any())).thenReturn(true);
    GreengrassService internalComponent = mock(GreengrassService.class);
    when(kernel.locate(TEST_TARGET_COMPONENT)).thenReturn(internalComponent);
    PauseComponentRequest pauseRequest = new PauseComponentRequest();
    pauseRequest.setComponentName(TEST_TARGET_COMPONENT);
    assertThrows(InvalidArgumentsError.class, () -> lifecycleIPCEventStreamAgent.getPauseComponentHandler(mockContext).handleRequest(pauseRequest));
    // Even though the request is rejected, authorization must still have been checked with a permission
    // naming this service, the pause operation and the target component.
    ArgumentCaptor<Permission> checked = ArgumentCaptor.forClass(Permission.class);
    verify(authorizationHandler).isAuthorized(eq(LIFECYCLE_SERVICE_NAME), checked.capture());
    Permission permission = checked.getValue();
    assertThat(permission.getPrincipal(), is(TEST_SERVICE));
    assertThat(permission.getOperation(), is(GreengrassCoreIPCService.PAUSE_COMPONENT));
    assertThat(permission.getResource(), is(TEST_TARGET_COMPONENT));
    verify(kernel).locate(TEST_TARGET_COMPONENT);
    // No lifecycle interaction with the target is allowed on the rejected path.
    verify(targetComponent, never()).getState();
    verify(targetComponent, never()).pause();
}
