
Example 1 with AuthTokenResponse

use of com.nike.cerberus.domain.AuthTokenResponse in project cerberus by Nike-Inc.

From the class AuthenticationService, method authenticate:

private EncryptedAuthDataWrapper authenticate(AwsIamKmsAuthRequest credentials, Map<String, String> authPrincipalMetadata) {
    final AwsIamRoleKmsKeyRecord kmsKeyRecord;
    final AwsIamRoleRecord iamRoleRecord;
    try {
        iamRoleRecord = getIamPrincipalRecord(credentials.getIamPrincipalArn());
        kmsKeyRecord = getKmsKeyRecordForIamPrincipal(iamRoleRecord, credentials.getRegion());
    } catch (AmazonServiceException e) {
        if ("InvalidArnException".equals(e.getErrorCode())) {
            String msg = String.format("Failed to lazily provision KMS key for %s in region: %s", credentials.getIamPrincipalArn(), credentials.getRegion());
            throw ApiException.newBuilder().withApiErrors(CustomApiError.createCustomApiError(DefaultApiError.AUTH_IAM_ROLE_REJECTED, msg)).withExceptionCause(e).withExceptionMessage(msg).build();
        }
        throw e;
    }
    AuthTokenResponse authResponse = createToken(iamRoleRecord.getAwsIamRoleArn(), PrincipalType.IAM, authPrincipalMetadata, iamTokenTTL);
    byte[] authResponseJson;
    try {
        authResponseJson = objectMapper.writeValueAsBytes(authResponse);
    } catch (JsonProcessingException e) {
        String msg = "Failed to write IAM role authentication response as JSON for encrypting.";
        throw ApiException.newBuilder().withApiErrors(DefaultApiError.INTERNAL_SERVER_ERROR).withExceptionCause(e).withExceptionMessage(msg).build();
    }
    authResponseJson = validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize(authResponseJson, authResponse, credentials.getIamPrincipalArn());
    final byte[] encryptedAuthResponse = safeEncryptWithRetry(kmsKeyRecord.getAwsIamRoleId(), credentials.getIamPrincipalArn(), kmsKeyRecord.getId(), kmsKeyRecord.getAwsKmsKeyId(), credentials.getRegion(), authResponseJson);
    EncryptedAuthDataWrapper encryptedAuthDataWrapper = new EncryptedAuthDataWrapper();
    encryptedAuthDataWrapper.setAuthData(Base64.encodeBase64String(encryptedAuthResponse));
    return encryptedAuthDataWrapper;
}
Also used: AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse), EncryptedAuthDataWrapper (com.nike.cerberus.domain.EncryptedAuthDataWrapper), AwsIamRoleKmsKeyRecord (com.nike.cerberus.record.AwsIamRoleKmsKeyRecord), AwsIamRoleRecord (com.nike.cerberus.record.AwsIamRoleRecord), AmazonServiceException (com.amazonaws.AmazonServiceException), JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)

Example 2 with AuthTokenResponse

use of com.nike.cerberus.domain.AuthTokenResponse in project cerberus by Nike-Inc.

From the class AwsIamStsAuthController, method authenticate:

@RequestMapping(method = POST)
public AuthTokenResponse authenticate(@RequestHeader(value = HEADER_X_AMZ_DATE, required = false) String headerXAmzDate, @RequestHeader(value = HEADER_X_AMZ_SECURITY_TOKEN, required = false) String headerXAmzSecurityToken, @RequestHeader(value = HEADER_AUTHORIZATION, required = false) String headerAuthorization) {
    String iamPrincipalArn;
    AuthTokenResponse authResponse;
    try {
        if (headerAuthorization == null || headerXAmzDate == null) {
            throw new ApiException(DefaultApiError.MISSING_AWS_SIGNATURE_HEADERS);
        }
        AwsStsHttpHeader header = new AwsStsHttpHeader(headerXAmzDate, headerXAmzSecurityToken, headerAuthorization);
        GetCallerIdentityResponse getCallerIdentityResponse = awsStsClient.getCallerIdentity(header);
        iamPrincipalArn = getCallerIdentityResponse.getGetCallerIdentityResult().getArn();
        authResponse = authenticationService.stsAuthenticate(iamPrincipalArn);
        auditLoggingFilterDetails.setAction("Successfully authenticated with AWS IAM STS Auth");
    } catch (Exception e) {
        String auditMessage = String.format("Failed to authenticate with AWS IAM STS Auth: %s", e.getMessage());
        auditLoggingFilterDetails.setAction(auditMessage);
        throw e;
    }
    return authResponse;
}
Also used: AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse), GetCallerIdentityResponse (com.nike.cerberus.aws.sts.GetCallerIdentityResponse), ApiException (com.nike.backstopper.exception.ApiException), AwsStsHttpHeader (com.nike.cerberus.aws.sts.AwsStsHttpHeader), RequestMapping (org.springframework.web.bind.annotation.RequestMapping)

Example 3 with AuthTokenResponse

use of com.nike.cerberus.domain.AuthTokenResponse in project cerberus by Nike-Inc.

From the class AuthenticationServiceTest, method tests_that_validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize_returns_a_truncated_payload_if_the_size_cannot_be_encrypted_by_kms:

@Test
public void tests_that_validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize_returns_a_truncated_payload_if_the_size_cannot_be_encrypted_by_kms() throws JsonProcessingException {
    Map<String, String> meta = new HashMap<>();
    Set<String> policies = new HashSet<>();
    for (int i = 0; i < 100; i++) {
        policies.add(RandomStringUtils.random(25));
    }
    AuthTokenResponse response = new AuthTokenResponse().setClientToken(UUID.randomUUID().toString()).setLeaseDuration(3600).setMetadata(meta).setPolicies(policies).setRenewable(false);
    byte[] serializedAuth = new ObjectMapper().writeValueAsBytes(response);
    assertTrue(serializedAuth.length > AuthenticationService.KMS_SIZE_LIMIT);
    byte[] actual = authenticationService.validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize(serializedAuth, response, "foo");
    assertNotEquals(serializedAuth, actual);
    assertTrue(actual.length < AuthenticationService.KMS_SIZE_LIMIT);
}
Also used: AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse), Matchers.anyString (org.mockito.Matchers.anyString), ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper), Test (org.junit.Test)

Example 4 with AuthTokenResponse

use of com.nike.cerberus.domain.AuthTokenResponse in project cerberus by Nike-Inc.

From the class AuthenticationServiceTest, method tests_that_validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize_returns_the_original_payload_if_the_size_can_be_encrypted_by_kms:

@Test
public void tests_that_validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize_returns_the_original_payload_if_the_size_can_be_encrypted_by_kms() throws JsonProcessingException {
    AuthTokenResponse response = new AuthTokenResponse().setClientToken(UUID.randomUUID().toString()).setLeaseDuration(3600).setMetadata(new HashMap<>()).setPolicies(new HashSet<>()).setRenewable(false);
    byte[] serializedAuth = new ObjectMapper().writeValueAsBytes(response);
    byte[] actual = authenticationService.validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize(serializedAuth, response, "foo");
    assertTrue(Arrays.equals(serializedAuth, actual));
}
Also used: AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse), ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper), Test (org.junit.Test)

Example 5 with AuthTokenResponse

use of com.nike.cerberus.domain.AuthTokenResponse in project cerberus by Nike-Inc.

From the class AwsIamStsAuthControllerTest, method testAuthenticate:

@Test
public void testAuthenticate() {
    GetCallerIdentityResponse getCallerIdentityResponse = Mockito.mock(GetCallerIdentityResponse.class);
    GetCallerIdentityResult getCallerIdentityResult = Mockito.mock(GetCallerIdentityResult.class);
    Mockito.when(getCallerIdentityResponse.getGetCallerIdentityResult()).thenReturn(getCallerIdentityResult);
    Mockito.when(getCallerIdentityResult.getArn()).thenReturn("arn");
    Mockito.when(awsStsClient.getCallerIdentity(Mockito.any(AwsStsHttpHeader.class))).thenReturn(getCallerIdentityResponse);
    AuthTokenResponse authTokenResponse = Mockito.mock(AuthTokenResponse.class);
    Mockito.when(authenticationService.stsAuthenticate("arn")).thenReturn(authTokenResponse);
    AuthTokenResponse actualAuthTokenResponse = awsIamStsAuthController.authenticate("date", "token", "authorization");
    Assert.assertSame(authTokenResponse, actualAuthTokenResponse);
    Mockito.verify(auditLoggingFilterDetails).setAction("Successfully authenticated with AWS IAM STS Auth");
}
Also used: AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse), GetCallerIdentityResponse (com.nike.cerberus.aws.sts.GetCallerIdentityResponse), GetCallerIdentityResult (com.amazonaws.services.securitytoken.model.GetCallerIdentityResult), AwsStsHttpHeader (com.nike.cerberus.aws.sts.AwsStsHttpHeader), Test (org.junit.Test)

Aggregations (type, fully qualified name, number of examples using it)

AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse): 6
Test (org.junit.Test): 3
ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper): 2
AwsStsHttpHeader (com.nike.cerberus.aws.sts.AwsStsHttpHeader): 2
GetCallerIdentityResponse (com.nike.cerberus.aws.sts.GetCallerIdentityResponse): 2
AmazonServiceException (com.amazonaws.AmazonServiceException): 1
GetCallerIdentityResult (com.amazonaws.services.securitytoken.model.GetCallerIdentityResult): 1
JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException): 1
ApiException (com.nike.backstopper.exception.ApiException): 1
CerberusAuthToken (com.nike.cerberus.domain.CerberusAuthToken): 1
EncryptedAuthDataWrapper (com.nike.cerberus.domain.EncryptedAuthDataWrapper): 1
AwsIamRoleKmsKeyRecord (com.nike.cerberus.record.AwsIamRoleKmsKeyRecord): 1
AwsIamRoleRecord (com.nike.cerberus.record.AwsIamRoleRecord): 1
Period (org.joda.time.Period): 1
PeriodFormatter (org.joda.time.format.PeriodFormatter): 1
PeriodFormatterBuilder (org.joda.time.format.PeriodFormatterBuilder): 1
Matchers.anyString (org.mockito.Matchers.anyString): 1
RequestMapping (org.springframework.web.bind.annotation.RequestMapping): 1