Example 1 with Permission
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
the class IPCPubSubRemovalTest method GIVEN_pubsubclient_WHEN_authorized_THEN_component_removed_via_deployment_THEN_updates.
@Test
void GIVEN_pubsubclient_WHEN_authorized_THEN_component_removed_via_deployment_THEN_updates(ExtensionContext context) throws Exception {
try (EventStreamRPCConnection connection = IPCTestUtils.getEventStreamRpcConnection(kernel, "SubscribeAndPublish")) {
GreengrassCoreIPCClient ipcClient = new GreengrassCoreIPCClient(connection);
Pair<CompletableFuture<Void>, Consumer<byte[]>> cb = asyncAssertOnConsumer((m) -> {
assertEquals("some message", new String(m, StandardCharsets.UTF_8));
}, -1);
Permission policyId1 = Permission.builder().principal("SubscribeAndPublish").operation("*").resource("*").build();
Permission policyId2 = Permission.builder().principal("PublishNotSubscribe").operation("aws.greengrass#PublishToTopic").resource("*").build();
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);
// Remove component SubscribeAndPublish
GreengrassService subscribeAndPublish = kernel.locate("SubscribeAndPublish");
subscribeAndPublish.close().get(1, TimeUnit.MINUTES);
subscribeAndPublish.getConfig().remove();
kernel.getContext().waitForPublishQueueToClear();
assertFalse(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
// GG_NEEDS_REVIEW: TODO: convert all these integ tests to use only recipe merging instead of loading a kernel config file
// Otherwise the removal of "SubscribeAndPublish" also inadvertently results in the "PublishNotSubscribe"
// component (and all other components) and its policies being removed, since it is not part of the deployment.
// Hence the next line is commented out
// assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME,policyId2));
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
// Now the authorization policies should have been removed and these should fail
ExecutionException e = assertThrows(ExecutionException.class, () -> subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight()));
assertTrue(e.getCause() instanceof UnauthorizedError);
e = assertThrows(ExecutionException.class, () -> publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message"));
}
}
Also used :
CompletableFuture(java.util.concurrent.CompletableFuture)
TestUtils.asyncAssertOnConsumer(com.aws.greengrass.testcommons.testutilities.TestUtils.asyncAssertOnConsumer)
Consumer(java.util.function.Consumer)
GreengrassService(com.aws.greengrass.lifecyclemanager.GreengrassService)
GreengrassCoreIPCClient(software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCClient)
EventStreamRPCConnection(software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection)
Permission(com.aws.greengrass.authorization.Permission)
ExecutionException(java.util.concurrent.ExecutionException)
UnauthorizedError(software.amazon.awssdk.aws.greengrass.model.UnauthorizedError)
Test(org.junit.jupiter.api.Test)
Example 2 with Permission
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
the class IPCPubSubRemovalTest method GIVEN_pubsubclient_WHEN_service_removed_and_added_THEN_fail_and_succeed.
@Test
void GIVEN_pubsubclient_WHEN_service_removed_and_added_THEN_fail_and_succeed() throws Exception {
try (EventStreamRPCConnection connection = IPCTestUtils.getEventStreamRpcConnection(kernel, "SubscribeAndPublish")) {
GreengrassCoreIPCClient ipcClient = new GreengrassCoreIPCClient(connection);
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
Pair<CompletableFuture<Void>, Consumer<byte[]>> cb = asyncAssertOnConsumer((m) -> {
assertEquals("some message", new String(m, StandardCharsets.UTF_8));
}, -1);
Permission policyId1 = Permission.builder().principal("SubscribeAndPublish").operation("*").resource("*").build();
Permission policyId2 = Permission.builder().principal("PublishNotSubscribe").operation("aws.greengrass#PublishToTopic").resource("*").build();
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);
// Remove the service topic
Topics serviceTopic = kernel.findServiceTopic("SubscribeAndPublish");
if (serviceTopic != null) {
serviceTopic.remove();
}
kernel.getContext().waitForPublishQueueToClear();
assertFalse(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
ExecutionException e = assertThrows(ExecutionException.class, () -> subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight()));
assertTrue(e.getCause() instanceof UnauthorizedError);
e = assertThrows(ExecutionException.class, () -> publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message"));
assertTrue(e.getCause() instanceof UnauthorizedError);
// Reload the kernel with the service and correct authorization policy
kernel.getConfig().read(new URL(IPCPubSubTest.class.getResource("pubsub.yaml").toString()), false);
kernel.getContext().waitForPublishQueueToClear();
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId1));
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(PUB_SUB_SERVICE_NAME, policyId2));
assertTrue(kernel.getContext().get(AuthorizationModule.class).isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));
// now this should succeed
subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);
}
}
Also used :
CompletableFuture(java.util.concurrent.CompletableFuture)
Topics(com.aws.greengrass.config.Topics)
TestUtils.asyncAssertOnConsumer(com.aws.greengrass.testcommons.testutilities.TestUtils.asyncAssertOnConsumer)
Consumer(java.util.function.Consumer)
GreengrassCoreIPCClient(software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCClient)
EventStreamRPCConnection(software.amazon.awssdk.eventstreamrpc.EventStreamRPCConnection)
Permission(com.aws.greengrass.authorization.Permission)
ExecutionException(java.util.concurrent.ExecutionException)
UnauthorizedError(software.amazon.awssdk.aws.greengrass.model.UnauthorizedError)
URL(java.net.URL)
Test(org.junit.jupiter.api.Test)
Example 3 with Permission
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
the class PubSubIPCEventStreamAgentTest method GIVEN_subscribed_to_topic_from_all_sources_WHEN_publish_many_binary_message_THEN_publishes_message_inorder.
@Test
void GIVEN_subscribed_to_topic_from_all_sources_WHEN_publish_many_binary_message_THEN_publishes_message_inorder() throws InterruptedException, AuthorizationException {
StreamEventPublisher publisher = mock(StreamEventPublisher.class);
Set<Object> set = new HashSet<>();
set.add(publisher);
pubSubIPCEventStreamAgent.getListeners().add(TEST_TOPIC, set);
when(publisher.sendStreamEvent(subscriptionResponseMessageCaptor.capture())).thenReturn(new CompletableFuture());
List<PublishToTopicRequest> publishToTopicRequests = new ArrayList<>();
for (int i = 0; i < 10; i++) {
PublishToTopicRequest publishToTopicRequest = new PublishToTopicRequest();
publishToTopicRequest.setTopic(TEST_TOPIC);
PublishMessage publishMessage = new PublishMessage();
BinaryMessage binaryMessage = new BinaryMessage();
binaryMessage.setMessage(String.valueOf(i).getBytes());
publishMessage.setBinaryMessage(binaryMessage);
publishToTopicRequest.setPublishMessage(publishMessage);
publishToTopicRequests.add(publishToTopicRequest);
}
try (PubSubIPCEventStreamAgent.PublishToTopicOperationHandler publishToTopicHandler = pubSubIPCEventStreamAgent.getPublishToTopicHandler(mockContext)) {
for (PublishToTopicRequest publishToTopicRequest : publishToTopicRequests) {
PublishToTopicResponse publishToTopicResponse = publishToTopicHandler.handleRequest(publishToTopicRequest);
assertNotNull(publishToTopicResponse);
}
verify(authorizationHandler, times(10)).isAuthorized(eq(PUB_SUB_SERVICE_NAME), permissionArgumentCaptor.capture(), eq(ResourceLookupPolicy.MQTT_STYLE));
Permission capturedPermission = permissionArgumentCaptor.getValue();
assertThat(capturedPermission.getOperation(), is(GreengrassCoreIPCService.PUBLISH_TO_TOPIC));
assertThat(capturedPermission.getPrincipal(), is(TEST_SERVICE));
assertThat(capturedPermission.getResource(), is(TEST_TOPIC));
TimeUnit.SECONDS.sleep(2);
assertNotNull(subscriptionResponseMessageCaptor.getAllValues());
assertEquals(10, subscriptionResponseMessageCaptor.getAllValues().size());
int i = 0;
for (SubscriptionResponseMessage responseMessage : subscriptionResponseMessageCaptor.getAllValues()) {
assertNull(responseMessage.getJsonMessage());
assertNotNull(responseMessage.getBinaryMessage());
assertEquals(String.valueOf(i), new String(responseMessage.getBinaryMessage().getMessage()));
assertEquals(TEST_TOPIC, responseMessage.getBinaryMessage().getEventTopic());
i++;
}
}
}
Also used :
ArrayList(java.util.ArrayList)
Matchers.containsString(org.hamcrest.Matchers.containsString)
BinaryMessage(software.amazon.awssdk.aws.greengrass.model.BinaryMessage)
PublishMessage(software.amazon.awssdk.aws.greengrass.model.PublishMessage)
CompletableFuture(java.util.concurrent.CompletableFuture)
PublishToTopicResponse(software.amazon.awssdk.aws.greengrass.model.PublishToTopicResponse)
SubscriptionResponseMessage(software.amazon.awssdk.aws.greengrass.model.SubscriptionResponseMessage)
Permission(com.aws.greengrass.authorization.Permission)
StreamEventPublisher(software.amazon.awssdk.eventstreamrpc.StreamEventPublisher)
PublishToTopicRequest(software.amazon.awssdk.aws.greengrass.model.PublishToTopicRequest)
HashSet(java.util.HashSet)
Test(org.junit.jupiter.api.Test)
Example 4 with Permission
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
the class PubSubIPCEventStreamAgentTest method GIVEN_subscribe_topic_to_all_sources_WHEN_subscribe_THEN_added_all_services_listeners.
@Test
void GIVEN_subscribe_topic_to_all_sources_WHEN_subscribe_THEN_added_all_services_listeners() throws AuthorizationException {
SubscribeToTopicRequest subscribeToTopicRequest = new SubscribeToTopicRequest();
subscribeToTopicRequest.setTopic(TEST_TOPIC);
try (PubSubIPCEventStreamAgent.SubscribeToTopicOperationHandler subscribeToTopicHandler = pubSubIPCEventStreamAgent.getSubscribeToTopicHandler(mockContext)) {
SubscribeToTopicResponse subscribeToTopicResponse = subscribeToTopicHandler.handleRequest(subscribeToTopicRequest);
assertNotNull(subscribeToTopicResponse);
verify(authorizationHandler).isAuthorized(eq(PUB_SUB_SERVICE_NAME), permissionArgumentCaptor.capture(), eq(ResourceLookupPolicy.MQTT_STYLE));
Permission capturedPermission = permissionArgumentCaptor.getValue();
assertThat(capturedPermission.getOperation(), is(GreengrassCoreIPCService.SUBSCRIBE_TO_TOPIC));
assertThat(capturedPermission.getPrincipal(), is(TEST_SERVICE));
assertThat(capturedPermission.getResource(), is(TEST_TOPIC));
assertTrue(pubSubIPCEventStreamAgent.getListeners().containsKey(TEST_TOPIC));
assertEquals(1, pubSubIPCEventStreamAgent.getListeners().get(TEST_TOPIC).size());
}
}
Also used :
Permission(com.aws.greengrass.authorization.Permission)
SubscribeToTopicResponse(software.amazon.awssdk.aws.greengrass.model.SubscribeToTopicResponse)
SubscribeToTopicRequest(software.amazon.awssdk.aws.greengrass.model.SubscribeToTopicRequest)
Test(org.junit.jupiter.api.Test)
Example 5 with Permission
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
the class LifecycleIPCEventStreamAgentTest method GIVEN_pause_component_request_WHEN_component_not_external_THEN_return_invalid_error.
@Test
@EnabledOnOs(OS.LINUX)
void GIVEN_pause_component_request_WHEN_component_not_external_THEN_return_invalid_error() throws ServiceException, AuthorizationException {
GreengrassService mockInternalComponent = mock(GreengrassService.class);
when(kernel.locate(TEST_TARGET_COMPONENT)).thenReturn(mockInternalComponent);
when(authorizationHandler.isAuthorized(any(), any())).thenReturn(true);
PauseComponentRequest request = new PauseComponentRequest();
request.setComponentName(TEST_TARGET_COMPONENT);
assertThrows(InvalidArgumentsError.class, () -> lifecycleIPCEventStreamAgent.getPauseComponentHandler(mockContext).handleRequest(request));
ArgumentCaptor<Permission> permissionArg = ArgumentCaptor.forClass(Permission.class);
verify(authorizationHandler).isAuthorized(eq(LIFECYCLE_SERVICE_NAME), permissionArg.capture());
Permission permission = permissionArg.getValue();
assertThat(permission.getOperation(), is(GreengrassCoreIPCService.PAUSE_COMPONENT));
assertThat(permission.getPrincipal(), is(TEST_SERVICE));
assertThat(permission.getResource(), is(TEST_TARGET_COMPONENT));
verify(kernel).locate(TEST_TARGET_COMPONENT);
verify(targetComponent, never()).getState();
verify(targetComponent, never()).pause();
}
Also used :
PauseComponentRequest(software.amazon.awssdk.aws.greengrass.model.PauseComponentRequest)
GreengrassService(com.aws.greengrass.lifecyclemanager.GreengrassService)
Permission(com.aws.greengrass.authorization.Permission)
EnabledOnOs(org.junit.jupiter.api.condition.EnabledOnOs)
Test(org.junit.jupiter.api.Test)
Aggregations
Permission (com.aws.greengrass.authorization.Permission)22
Test (org.junit.jupiter.api.Test)22
EnabledOnOs (org.junit.jupiter.api.condition.EnabledOnOs)12
CompletableFuture (java.util.concurrent.CompletableFuture)9
HashSet (java.util.HashSet)6
Matchers.containsString (org.hamcrest.Matchers.containsString)6
PauseComponentRequest (software.amazon.awssdk.aws.greengrass.model.PauseComponentRequest)6
PublishMessage (software.amazon.awssdk.aws.greengrass.model.PublishMessage)6
PublishToTopicRequest (software.amazon.awssdk.aws.greengrass.model.PublishToTopicRequest)6
PublishToTopicResponse (software.amazon.awssdk.aws.greengrass.model.PublishToTopicResponse)6
ResumeComponentRequest (software.amazon.awssdk.aws.greengrass.model.ResumeComponentRequest)6
SubscriptionResponseMessage (software.amazon.awssdk.aws.greengrass.model.SubscriptionResponseMessage)6
StreamEventPublisher (software.amazon.awssdk.eventstreamrpc.StreamEventPublisher)6
BinaryMessage (software.amazon.awssdk.aws.greengrass.model.BinaryMessage)4
GreengrassService (com.aws.greengrass.lifecyclemanager.GreengrassService)3
TestUtils.asyncAssertOnConsumer (com.aws.greengrass.testcommons.testutilities.TestUtils.asyncAssertOnConsumer)3
ArrayList (java.util.ArrayList)3
ExecutionException (java.util.concurrent.ExecutionException)3
Consumer (java.util.function.Consumer)3
GreengrassCoreIPCClient (software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCClient)3
