use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.
the class AuthenticationService method authenticate.
/**
 * Authenticates an IAM principal that proves its identity via KMS.
 *
 * The principal's role and the KMS key record for the requested region are
 * resolved first; an auth token is then minted, serialized to JSON, size-checked
 * against the KMS payload limit and encrypted with that key. Only the
 * Base64-encoded ciphertext leaves this method; the plaintext token bytes are
 * never returned to the caller.
 *
 * @param credentials           the IAM principal ARN and region presented by the caller
 * @param authPrincipalMetadata metadata attached to the minted token
 * @return a wrapper holding the Base64-encoded, KMS-encrypted token response
 * @throws ApiException AUTH_IAM_ROLE_REJECTED when KMS reports the ARN as invalid
 *                      while lazily provisioning the key, INTERNAL_SERVER_ERROR when
 *                      the token cannot be serialized; other AmazonServiceExceptions
 *                      propagate unchanged
 */
private EncryptedAuthDataWrapper authenticate(AwsIamKmsAuthRequest credentials, Map<String, String> authPrincipalMetadata) {
    final String principalArn = credentials.getIamPrincipalArn();
    final String region = credentials.getRegion();

    // Resolve the principal's role record and the CMK that will encrypt the response.
    final AwsIamRoleRecord iamRoleRecord;
    final AwsIamRoleKmsKeyRecord kmsKeyRecord;
    try {
        iamRoleRecord = getIamPrincipalRecord(principalArn);
        kmsKeyRecord = getKmsKeyRecordForIamPrincipal(iamRoleRecord, region);
    } catch (AmazonServiceException e) {
        // Only an invalid-ARN rejection is translated into an API error; anything
        // else from AWS is left for the caller to handle.
        if (!"InvalidArnException".equals(e.getErrorCode())) {
            throw e;
        }
        final String msg = String.format("Failed to lazily provision KMS key for %s in region: %s", principalArn, region);
        throw ApiException.newBuilder()
                .withApiErrors(CustomApiError.createCustomApiError(DefaultApiError.AUTH_IAM_ROLE_REJECTED, msg))
                .withExceptionCause(e)
                .withExceptionMessage(msg)
                .build();
    }

    final AuthTokenResponse tokenResponse = createToken(iamRoleRecord.getAwsIamRoleArn(), PrincipalType.IAM, authPrincipalMetadata, iamTokenTTL);

    // Plaintext token bytes; they exist only until safeEncryptWithRetry below.
    byte[] payload;
    try {
        payload = objectMapper.writeValueAsBytes(tokenResponse);
    } catch (JsonProcessingException e) {
        final String msg = "Failed to write IAM role authentication response as JSON for encrypting.";
        throw ApiException.newBuilder()
                .withApiErrors(DefaultApiError.INTERNAL_SERVER_ERROR)
                .withExceptionCause(e)
                .withExceptionMessage(msg)
                .build();
    }
    // KMS limits the size of an Encrypt payload; the helper enforces that limit
    // (and may shorten the payload) before encryption.
    payload = validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize(payload, tokenResponse, principalArn);

    final byte[] ciphertext = safeEncryptWithRetry(
            kmsKeyRecord.getAwsIamRoleId(),
            principalArn,
            kmsKeyRecord.getId(),
            kmsKeyRecord.getAwsKmsKeyId(),
            region,
            payload);

    final EncryptedAuthDataWrapper wrapper = new EncryptedAuthDataWrapper();
    wrapper.setAuthData(Base64.encodeBase64String(ciphertext));
    return wrapper;
}
use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.
the class KmsService method updateKmsKey.
/**
 * Updates the KMS CMK record for the specified IAM role and region.
 *
 * The role id and region are copied from the stored record; only the
 * last-updated-by, last-updated and last-validated fields take new values.
 *
 * @param awsIamRoleId    The IAM role that this CMK will be associated with
 * @param awsRegion       The region to provision the key in
 * @param user            The user requesting it
 * @param lastedUpdatedTs The date when the record was last updated
 * @param lastValidatedTs The date when the record was last validated
 * @throws ApiException ENTITY_NOT_FOUND when no KMS key record exists for the role/region pair
 */
@Transactional
public void updateKmsKey(final String awsIamRoleId, final String awsRegion, final String user, final OffsetDateTime lastedUpdatedTs, final OffsetDateTime lastValidatedTs) {
    final AwsIamRoleKmsKeyRecord existing = awsIamRoleDao.getKmsKey(awsIamRoleId, awsRegion)
            .orElseThrow(() -> {
                final String msg = "Unable to update a KMS key that does not exist.";
                return ApiException.newBuilder()
                        .withApiErrors(CustomApiError.createCustomApiError(DefaultApiError.ENTITY_NOT_FOUND, msg))
                        .withExceptionMessage(msg)
                        .build();
            });

    // Build a fresh record rather than mutating the one returned by the DAO.
    final AwsIamRoleKmsKeyRecord update = new AwsIamRoleKmsKeyRecord();
    update.setAwsIamRoleId(existing.getAwsIamRoleId());
    update.setAwsRegion(existing.getAwsRegion());
    update.setLastUpdatedBy(user);
    update.setLastUpdatedTs(lastedUpdatedTs);
    update.setLastValidatedTs(lastValidatedTs);
    awsIamRoleDao.updateIamRoleKmsKey(update);
}
use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.
the class KmsServiceTest method test_validatePolicy_validates_policy_when_validate_interval_has_passed.
/**
 * validateKeyAndPolicy must fetch the key policy from KMS and run it through the
 * policy validator when the record's lastValidatedTs is older than the validation
 * interval. The clock is stubbed to the current time while the record was last
 * validated in 2016, so the interval has certainly elapsed.
 */
@Test
public void test_validatePolicy_validates_policy_when_validate_interval_has_passed() {
    final String keyArn = "kms key arn";
    final String roleRecordId = "aws iam role record id";
    final String region = "kmsCMKRegion";
    final String keyPolicy = "policy";
    final OffsetDateTime staleValidation = OffsetDateTime.of(2016, 1, 1, 1, 1, 1, 1, ZoneOffset.UTC);
    final OffsetDateTime currentTime = OffsetDateTime.now();

    // KMS reports the key as enabled and hands back the stubbed policy document.
    // anyObject() is the deprecated Mockito spelling of any(); kept as the fixture uses it.
    AWSKMSClient kms = mock(AWSKMSClient.class);
    KeyMetadata enabledKey = new KeyMetadata().withKeyState(KeyState.Enabled);
    when(kms.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(enabledKey));
    GetKeyPolicyResult policyResult = mock(GetKeyPolicyResult.class);
    when(policyResult.getPolicy()).thenReturn(keyPolicy);
    GetKeyPolicyRequest policyRequest = new GetKeyPolicyRequest().withKeyId(keyArn).withPolicyName("default");
    when(kms.getKeyPolicy(policyRequest)).thenReturn(policyResult);
    when(kmsClientFactory.getClient(region)).thenReturn(kms);
    when(kmsPolicyService.isPolicyValid(keyPolicy)).thenReturn(true);

    // Key record whose last validation predates the interval.
    AwsIamRoleKmsKeyRecord record = mock(AwsIamRoleKmsKeyRecord.class);
    when(record.getAwsIamRoleId()).thenReturn(roleRecordId);
    when(record.getAwsKmsKeyId()).thenReturn(keyArn);
    when(record.getAwsRegion()).thenReturn(region);
    when(record.getLastValidatedTs()).thenReturn(staleValidation);
    when(awsIamRoleDao.getKmsKey(roleRecordId, region)).thenReturn(Optional.of(record));
    when(dateTimeSupplier.get()).thenReturn(currentTime);

    kmsService.validateKeyAndPolicy(record, keyArn);

    // Request equality is value-based, so the same request instance matches the call made by the service.
    verify(kms, times(1)).getKeyPolicy(policyRequest);
    verify(kmsPolicyService, times(1)).isPolicyValid(keyPolicy);
}
use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.
the class CleanUpServiceTest method test_that_cleanUpInactiveAndOrphanedKmsKeys_succeeds.
/**
 * Cleanup of inactive or orphaned KMS keys: every record the DAO reports for the
 * cutoff (now minus the inactive period in days) must have its database record
 * deleted and its CMK scheduled for deletion in KMS with the shortest allowed
 * pending window.
 */
@Test
public void test_that_cleanUpInactiveAndOrphanedKmsKeys_succeeds() {
    final int inactiveDays = 30;
    final String recordId = "key record id";
    final String cmkId = "aws key id";
    final String cmkRegion = "key region";

    AwsIamRoleKmsKeyRecord staleKey = mock(AwsIamRoleKmsKeyRecord.class);
    when(staleKey.getId()).thenReturn(recordId);
    when(staleKey.getAwsKmsKeyId()).thenReturn(cmkId);
    when(staleKey.getAwsRegion()).thenReturn(cmkRegion);

    // `now` comes from the test fixture; the cutoff the DAO is queried with derives from it.
    when(dateTimeSupplier.get()).thenReturn(now);
    final OffsetDateTime cutoff = now.minusDays(inactiveDays);
    when(awsIamRoleDao.getInactiveOrOrphanedKmsKeys(cutoff)).thenReturn(Lists.newArrayList(staleKey));

    // NOTE(review): the meaning of the second argument (0) is not visible here — confirm against CleanUpService.
    cleanUpService.cleanUpInactiveAndOrphanedKmsKeys(inactiveDays, 0);

    verify(awsIamRoleDao).getInactiveOrOrphanedKmsKeys(cutoff);
    verify(kmsService).deleteKmsKeyById(recordId);
    verify(kmsService).scheduleKmsKeyDeletion(cmkId, cmkRegion, SOONEST_A_KMS_KEY_CAN_BE_DELETED);
}
use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.
the class AuthenticationServiceTest method test_that_getKeyId_only_validates_kms_policy_one_time_within_interval.
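/**
 * getKmsKeyRecordForIamPrincipal must resolve the KMS key record for the
 * principal's role and region, hand it to kmsService.validateKeyAndPolicy
 * exactly once, and surface that record's CMK id.
 */
@Test
public void test_that_getKeyId_only_validates_kms_policy_one_time_within_interval() {
    String principalArn = "principal arn";
    String region = "region";
    String iamRoleId = "iam role id";
    String kmsKeyId = "kms id";
    String cmkId = "key id";

    // The record's last validation is far in the past relative to the stubbed clock.
    // NOTE(review): kmsService is verified as a mock below, so the interval logic inside
    // validateKeyAndPolicy is not exercised here; these values only shape the inputs.
    // Confirm whether the test name still reflects the intent.
    OffsetDateTime dateTime = OffsetDateTime.of(2016, 1, 1, 1, 1, 1, 1, ZoneOffset.UTC);
    OffsetDateTime now = OffsetDateTime.now();

    // The ARN was previously assigned twice (fluent call plus setter); once is enough.
    AwsIamRoleRecord awsIamRoleRecord = new AwsIamRoleRecord();
    awsIamRoleRecord.setAwsIamRoleArn(principalArn);
    awsIamRoleRecord.setId(iamRoleId);
    when(awsIamRoleDao.getIamRole(principalArn)).thenReturn(Optional.of(awsIamRoleRecord));

    AwsIamRoleKmsKeyRecord awsIamRoleKmsKeyRecord = new AwsIamRoleKmsKeyRecord();
    awsIamRoleKmsKeyRecord.setId(kmsKeyId);
    awsIamRoleKmsKeyRecord.setAwsKmsKeyId(cmkId);
    awsIamRoleKmsKeyRecord.setLastValidatedTs(dateTime);
    when(awsIamRoleDao.getKmsKey(iamRoleId, region)).thenReturn(Optional.of(awsIamRoleKmsKeyRecord));
    when(dateTimeSupplier.get()).thenReturn(now);

    String result = authenticationService.getKmsKeyRecordForIamPrincipal(awsIamRoleRecord, region).getAwsKmsKeyId();

    // The returned record carries the stored CMK id and was validated exactly once.
    assertEquals(cmkId, result);
    verify(kmsService, times(1)).validateKeyAndPolicy(awsIamRoleKmsKeyRecord, principalArn);
}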