use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
Class IPCPubSubRemovalTest, method GIVEN_pubsubclient_WHEN_authorized_THEN_component_removed_via_deployment_THEN_updates.
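/**
 * Verifies that removing the {@code SubscribeAndPublish} component also removes its pub/sub
 * authorization policy, so that subsequent subscribe and publish calls over IPC are rejected
 * with {@link UnauthorizedError}, while the TES default policy stays in place.
 *
 * @param context JUnit extension context (unused, kept for the test signature)
 * @throws Exception on any IPC, timeout or assertion failure
 */
@Test
void GIVEN_pubsubclient_WHEN_authorized_THEN_component_removed_via_deployment_THEN_updates(ExtensionContext context) throws Exception {
    try (EventStreamRPCConnection connection = IPCTestUtils.getEventStreamRpcConnection(kernel, "SubscribeAndPublish")) {
        GreengrassCoreIPCClient ipcClient = new GreengrassCoreIPCClient(connection);
        // Consumer that asserts on every delivered payload; -1 means no fixed expected count.
        Pair<CompletableFuture<Void>, Consumer<byte[]>> cb = asyncAssertOnConsumer((m) -> {
            assertEquals("some message", new String(m, StandardCharsets.UTF_8));
        }, -1);

        // Policies that the loaded config is expected to have registered before the removal.
        Permission policyId1 = Permission.builder().principal("SubscribeAndPublish").operation("*").resource("*").build();
        Permission policyId2 = Permission.builder().principal("PublishNotSubscribe").operation("aws.greengrass#PublishToTopic").resource("*").build();
        AuthorizationModule authorizationModule = kernel.getContext().get(AuthorizationModule.class);
        assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId2));
        assertTrue(authorizationModule.isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));

        // While authorized, a subscribe followed by a publish must deliver the message.
        subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
        publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
        cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);

        // Remove component SubscribeAndPublish
        GreengrassService subscribeAndPublish = kernel.locate("SubscribeAndPublish");
        subscribeAndPublish.close().get(1, TimeUnit.MINUTES);
        subscribeAndPublish.getConfig().remove();
        kernel.getContext().waitForPublishQueueToClear();
        assertFalse(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        // GG_NEEDS_REVIEW: TODO: convert all these integ tests to use only recipe merging instead of loading a kernel config file
        // Otherwise the removal of "SubscribeAndPublish" also inadvertently results in the "PublishNotSubscribe"
        // component (and all other components) and its policies being removed, since it is not part of the deployment.
        // Hence the next line is commented out
        // assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME,policyId2));
        assertTrue(authorizationModule.isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));

        // Now the authorization policies should have been removed and these should fail.
        // Both paths must fail specifically with UnauthorizedError; a timeout or transport error
        // would also be an ExecutionException, so the cause is checked on each.
        ExecutionException e = assertThrows(ExecutionException.class, () -> subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight()));
        assertTrue(e.getCause() instanceof UnauthorizedError);
        e = assertThrows(ExecutionException.class, () -> publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message"));
        assertTrue(e.getCause() instanceof UnauthorizedError);
    }
}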
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
Class IPCPubSubRemovalTest, method GIVEN_pubsubclient_WHEN_service_removed_and_added_THEN_fail_and_succeed.
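/**
 * Verifies the full authorization lifecycle for a pub/sub client: calls succeed while the
 * {@code SubscribeAndPublish} service topic is present, are rejected with
 * {@link UnauthorizedError} once the topic is removed, and succeed again after the service
 * config is re-read from {@code pubsub.yaml}.
 *
 * @throws Exception on any IPC, timeout or assertion failure
 */
@Test
void GIVEN_pubsubclient_WHEN_service_removed_and_added_THEN_fail_and_succeed() throws Exception {
    try (EventStreamRPCConnection connection = IPCTestUtils.getEventStreamRpcConnection(kernel, "SubscribeAndPublish")) {
        GreengrassCoreIPCClient ipcClient = new GreengrassCoreIPCClient(connection);
        AuthorizationModule authorizationModule = kernel.getContext().get(AuthorizationModule.class);
        assertTrue(authorizationModule.isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));

        // Consumer that asserts on every delivered payload; -1 means no fixed expected count.
        Pair<CompletableFuture<Void>, Consumer<byte[]>> cb = asyncAssertOnConsumer((m) -> {
            assertEquals("some message", new String(m, StandardCharsets.UTF_8));
        }, -1);

        Permission policyId1 = Permission.builder().principal("SubscribeAndPublish").operation("*").resource("*").build();
        Permission policyId2 = Permission.builder().principal("PublishNotSubscribe").operation("aws.greengrass#PublishToTopic").resource("*").build();
        assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId2));

        // Authorized: subscribe, publish, and wait for delivery.
        subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
        publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
        cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);

        // Remove the service topic
        Topics serviceTopic = kernel.findServiceTopic("SubscribeAndPublish");
        if (serviceTopic != null) {
            serviceTopic.remove();
        }
        kernel.getContext().waitForPublishQueueToClear();
        // Only the removed service's policy goes away; the other principal's policy is untouched.
        assertFalse(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId2));

        // Both operations must now be rejected specifically for authorization reasons.
        ExecutionException e = assertThrows(ExecutionException.class, () -> subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight()));
        assertTrue(e.getCause() instanceof UnauthorizedError);
        e = assertThrows(ExecutionException.class, () -> publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message"));
        assertTrue(e.getCause() instanceof UnauthorizedError);

        // Reload the kernel with the service and correct authorization policy.
        // getResource already returns a URL; the former String round-trip through new URL(...) was redundant.
        kernel.getConfig().read(IPCPubSubTest.class.getResource("pubsub.yaml"), false);
        kernel.getContext().waitForPublishQueueToClear();
        assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId1));
        assertTrue(authorizationModule.isPresent(PUB_SUB_SERVICE_NAME, policyId2));
        assertTrue(authorizationModule.isPresent(TOKEN_EXCHANGE_SERVICE_TOPICS, TES_DEFAULT_POLICY));

        // now this should succeed
        subscribeToTopicOveripcForBinaryMessages(ipcClient, "a", cb.getRight());
        publishToTopicOverIpcAsBinaryMessage(ipcClient, "a", "some message");
        cb.getLeft().get(TIMEOUT_FOR_PUBSUB_SECONDS, TimeUnit.SECONDS);
    }
}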
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
Class PubSubIPCEventStreamAgentTest, method GIVEN_subscribed_to_topic_from_all_sources_WHEN_publish_many_binary_message_THEN_publishes_message_inorder.
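/**
 * Verifies that ten binary publishes to a topic with one registered listener are each
 * authorization-checked with a {@link Permission} for the publishing service and topic, and are
 * delivered to the listener as binary messages in publish order.
 *
 * @throws InterruptedException if the wait for asynchronous delivery is interrupted
 * @throws AuthorizationException from the mocked authorization handler signature
 */
@Test
void GIVEN_subscribed_to_topic_from_all_sources_WHEN_publish_many_binary_message_THEN_publishes_message_inorder() throws InterruptedException, AuthorizationException {
    StreamEventPublisher publisher = mock(StreamEventPublisher.class);
    Set<Object> listeners = new HashSet<>();
    listeners.add(publisher);
    pubSubIPCEventStreamAgent.getListeners().add(TEST_TOPIC, listeners);
    // Diamond instead of the raw CompletableFuture the original used; the future is never completed.
    when(publisher.sendStreamEvent(subscriptionResponseMessageCaptor.capture())).thenReturn(new CompletableFuture<>());

    final int messageCount = 10;
    List<PublishToTopicRequest> publishToTopicRequests = new ArrayList<>(messageCount);
    for (int i = 0; i < messageCount; i++) {
        PublishToTopicRequest publishToTopicRequest = new PublishToTopicRequest();
        publishToTopicRequest.setTopic(TEST_TOPIC);
        PublishMessage publishMessage = new PublishMessage();
        BinaryMessage binaryMessage = new BinaryMessage();
        // Explicit charset so the payload does not depend on the platform default encoding.
        binaryMessage.setMessage(String.valueOf(i).getBytes(java.nio.charset.StandardCharsets.UTF_8));
        publishMessage.setBinaryMessage(binaryMessage);
        publishToTopicRequest.setPublishMessage(publishMessage);
        publishToTopicRequests.add(publishToTopicRequest);
    }

    try (PubSubIPCEventStreamAgent.PublishToTopicOperationHandler publishToTopicHandler = pubSubIPCEventStreamAgent.getPublishToTopicHandler(mockContext)) {
        for (PublishToTopicRequest publishToTopicRequest : publishToTopicRequests) {
            PublishToTopicResponse publishToTopicResponse = publishToTopicHandler.handleRequest(publishToTopicRequest);
            assertNotNull(publishToTopicResponse);
        }

        // One authorization check per publish, each against the publishing service's topic.
        verify(authorizationHandler, times(messageCount)).isAuthorized(eq(PUB_SUB_SERVICE_NAME), permissionArgumentCaptor.capture(), eq(ResourceLookupPolicy.MQTT_STYLE));
        Permission capturedPermission = permissionArgumentCaptor.getValue();
        assertThat(capturedPermission.getOperation(), is(GreengrassCoreIPCService.PUBLISH_TO_TOPIC));
        assertThat(capturedPermission.getPrincipal(), is(TEST_SERVICE));
        assertThat(capturedPermission.getResource(), is(TEST_TOPIC));

        // Delivery to the listener happens off the request thread; the fixed sleep gives it time.
        // NOTE(review): a fixed sleep is a flakiness risk — awaiting the captured sends would be stronger.
        TimeUnit.SECONDS.sleep(2);
        List<SubscriptionResponseMessage> responses = subscriptionResponseMessageCaptor.getAllValues();
        assertNotNull(responses);
        assertEquals(messageCount, responses.size());
        // Messages must arrive as binary (no JSON), on the same topic, and in publish order.
        for (int i = 0; i < responses.size(); i++) {
            SubscriptionResponseMessage responseMessage = responses.get(i);
            assertNull(responseMessage.getJsonMessage());
            assertNotNull(responseMessage.getBinaryMessage());
            assertEquals(String.valueOf(i), new String(responseMessage.getBinaryMessage().getMessage(), java.nio.charset.StandardCharsets.UTF_8));
            assertEquals(TEST_TOPIC, responseMessage.getBinaryMessage().getEventTopic());
        }
    }
}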
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
Class PubSubIPCEventStreamAgentTest, method GIVEN_subscribe_topic_to_all_sources_WHEN_subscribe_THEN_added_all_services_listeners.
/**
 * Verifies that a subscribe request is authorization-checked with a {@link Permission} naming
 * the subscribing service and the topic, and that exactly one listener is then registered
 * for that topic.
 *
 * @throws AuthorizationException from the mocked authorization handler signature
 */
@Test
void GIVEN_subscribe_topic_to_all_sources_WHEN_subscribe_THEN_added_all_services_listeners() throws AuthorizationException {
    SubscribeToTopicRequest request = new SubscribeToTopicRequest();
    request.setTopic(TEST_TOPIC);
    try (PubSubIPCEventStreamAgent.SubscribeToTopicOperationHandler handler = pubSubIPCEventStreamAgent.getSubscribeToTopicHandler(mockContext)) {
        SubscribeToTopicResponse response = handler.handleRequest(request);
        assertNotNull(response);

        // The subscribe must be authorized against the subscribing service and the requested topic.
        verify(authorizationHandler).isAuthorized(eq(PUB_SUB_SERVICE_NAME), permissionArgumentCaptor.capture(), eq(ResourceLookupPolicy.MQTT_STYLE));
        Permission permission = permissionArgumentCaptor.getValue();
        assertThat(permission.getPrincipal(), is(TEST_SERVICE));
        assertThat(permission.getOperation(), is(GreengrassCoreIPCService.SUBSCRIBE_TO_TOPIC));
        assertThat(permission.getResource(), is(TEST_TOPIC));

        // Exactly one listener registered for the topic after the subscribe.
        assertTrue(pubSubIPCEventStreamAgent.getListeners().containsKey(TEST_TOPIC));
        int listenerCount = pubSubIPCEventStreamAgent.getListeners().get(TEST_TOPIC).size();
        assertEquals(1, listenerCount);
    }
}
use of com.aws.greengrass.authorization.Permission in project aws-greengrass-nucleus by aws-greengrass.
Class LifecycleIPCEventStreamAgentTest, method GIVEN_pause_component_request_WHEN_component_not_external_THEN_return_invalid_error.
/**
 * Verifies that pausing a component which is not an external (generic) component is rejected
 * with {@link InvalidArgumentsError}, and that the authorization check still runs against the
 * requesting service and target component before the rejection, with the target never
 * inspected or paused.
 *
 * @throws ServiceException from the mocked kernel lookup signature
 * @throws AuthorizationException from the mocked authorization handler signature
 */
@Test
@EnabledOnOs(OS.LINUX)
void GIVEN_pause_component_request_WHEN_component_not_external_THEN_return_invalid_error() throws ServiceException, AuthorizationException {
    // A plain GreengrassService mock stands in for a component that is not externally pausable.
    GreengrassService internalComponent = mock(GreengrassService.class);
    when(kernel.locate(TEST_TARGET_COMPONENT)).thenReturn(internalComponent);
    when(authorizationHandler.isAuthorized(any(), any())).thenReturn(true);

    PauseComponentRequest pauseRequest = new PauseComponentRequest();
    pauseRequest.setComponentName(TEST_TARGET_COMPONENT);
    assertThrows(InvalidArgumentsError.class, () -> lifecycleIPCEventStreamAgent.getPauseComponentHandler(mockContext).handleRequest(pauseRequest));

    // The component is looked up but never touched.
    verify(kernel).locate(TEST_TARGET_COMPONENT);
    verify(targetComponent, never()).getState();
    verify(targetComponent, never()).pause();

    // Authorization was checked for the requesting service against the target component.
    ArgumentCaptor<Permission> captor = ArgumentCaptor.forClass(Permission.class);
    verify(authorizationHandler).isAuthorized(eq(LIFECYCLE_SERVICE_NAME), captor.capture());
    Permission checked = captor.getValue();
    assertThat(checked.getPrincipal(), is(TEST_SERVICE));
    assertThat(checked.getOperation(), is(GreengrassCoreIPCService.PAUSE_COMPONENT));
    assertThat(checked.getResource(), is(TEST_TARGET_COMPONENT));
}