

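@Test
public void test_provisionKmsKey() {
    // Fixed inputs for the provisioning call. The IAM role ARN doubles as the key id
    // returned by the mocked CreateKey response (see the KeyMetadata stub below).
    String iamRoleId = "role-id";
    String awsRegion = "aws-region";
    String user = "user";
    OffsetDateTime dateTime = OffsetDateTime.now();
    String policy = "policy";
    String arn = "arn:aws:iam::12345678901234:role/some-role";
    String awsIamRoleKmsKeyId = "awsIamRoleKmsKeyId";

    when(uuidSupplier.get()).thenReturn(awsIamRoleKmsKeyId);
    when(kmsPolicyService.generateStandardKmsPolicy(arn)).thenReturn(policy);

    AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(awsRegion)).thenReturn(client);

    // The CreateKey request the service is expected to send. The key policy is what
    // scopes who may use the CMK, and the tags record which principal it was created for,
    // so both are part of the expectation rather than incidental detail.
    CreateKeyRequest request = new CreateKeyRequest();
    request.setKeyUsage(KeyUsageType.ENCRYPT_DECRYPT);
    request.setDescription("Key used by Cerberus fakeEnv for IAM role authentication. " + arn);
    request.setPolicy(policy);
    request.setTags(Lists.newArrayList(new Tag().withTagKey("created_by").withTagValue(ARTIFACT + VERSION), new Tag().withTagKey("created_for").withTagValue("cerberus_auth"), new Tag().withTagKey("auth_principal").withTagValue(arn), new Tag().withTagKey("cerberus_env").withTagValue(ENV)));

    // Stub the KMS response; any() keeps the stub permissive so that a mismatch surfaces
    // as a readable verify() failure below instead of a null result.
    CreateKeyResult createKeyResult = mock(CreateKeyResult.class);
    KeyMetadata metadata = mock(KeyMetadata.class);
    when(metadata.getArn()).thenReturn(arn);
    when(createKeyResult.getKeyMetadata()).thenReturn(metadata);
    when(client.createKey(any())).thenReturn(createKeyResult);

    // invoke method under test
    String actualResult = kmsService.provisionKmsKey(iamRoleId, arn, awsRegion, user, dateTime).getAwsKmsKeyId();

    assertEquals(arn, actualResult);

    // Assert the exact request so the key policy and tags sent to KMS are covered,
    // not merely that some key was created.
    verify(client).createKey(request);

    CreateAliasRequest aliasRequest = new CreateAliasRequest();
    aliasRequest.setAliasName(kmsService.getAliasName(awsIamRoleKmsKeyId, arn));
    aliasRequest.setTargetKeyId(arn);
    verify(client).createAlias(aliasRequest);

    // The persisted record must carry the generated id, the key/region pair and the
    // audit fields, all stamped with the supplied user and timestamp.
    AwsIamRoleKmsKeyRecord awsIamRoleKmsKeyRecord = new AwsIamRoleKmsKeyRecord();
    awsIamRoleKmsKeyRecord.setId(awsIamRoleKmsKeyId);
    awsIamRoleKmsKeyRecord.setAwsIamRoleId(iamRoleId);
    awsIamRoleKmsKeyRecord.setAwsKmsKeyId(arn);
    awsIamRoleKmsKeyRecord.setAwsRegion(awsRegion);
    awsIamRoleKmsKeyRecord.setCreatedBy(user);
    awsIamRoleKmsKeyRecord.setLastUpdatedBy(user);
    awsIamRoleKmsKeyRecord.setCreatedTs(dateTime);
    awsIamRoleKmsKeyRecord.setLastUpdatedTs(dateTime);
    awsIamRoleKmsKeyRecord.setLastValidatedTs(dateTime);
    verify(awsIamRoleDao).createIamRoleKmsKey(awsIamRoleKmsKeyRecord);
}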


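@Test
public void test_validateKeyAndPolicy_does_not_throw_error_when_cannot_validate() {
    String keyId = "key-id";
    String iamPrincipalArn = "arn";
    String kmsCMKRegion = "kmsCMKRegion";
    String policy = "policy";
    // Last validation is far in the past so the service must actually attempt the
    // policy lookup instead of short-circuiting on the validate interval.
    OffsetDateTime lastValidated = OffsetDateTime.of(2016, 1, 1, 1, 1, 1, 1, ZoneOffset.UTC);
    OffsetDateTime now = OffsetDateTime.now();
    when(dateTimeSupplier.get()).thenReturn(now);

    AwsIamRoleKmsKeyRecord kmsKey = mock(AwsIamRoleKmsKeyRecord.class);
    when(kmsKey.getAwsKmsKeyId()).thenReturn(keyId);
    when(kmsKey.getAwsIamRoleId()).thenReturn(iamPrincipalArn);
    when(kmsKey.getAwsRegion()).thenReturn(kmsCMKRegion);
    when(kmsKey.getLastValidatedTs()).thenReturn(lastValidated);

    AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(kmsCMKRegion)).thenReturn(client);

    // KMS rejects the policy lookup. The service is expected to treat this as
    // "cannot validate right now" and return normally rather than propagate the error.
    // (A GetKeyPolicyResult stub is deliberately absent: the call never succeeds here.)
    when(client.getKeyPolicy(new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName("default"))).thenThrow(AmazonServiceException.class);

    kmsService.validateKeyAndPolicy(kmsKey, iamPrincipalArn);

    // Nothing downstream of the failed lookup may run: no policy check and, in
    // particular, no policy rewrite against KMS.
    verify(kmsPolicyService, never()).isPolicyValid(policy);
    verify(client, never()).putKeyPolicy(any());
}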


@Test
public void test_validateKeyAndPolicy_validates_policy_when_validate_interval_has_not_passed() {
    String keyArn = "aws kms key arn";
    String principalArn = "arn";
    String roleRecordId = "aws iam role record id";
    String region = "kmsCMKRegion";

    // The record was validated "now", so the validate interval cannot have elapsed.
    OffsetDateTime clock = OffsetDateTime.now();
    when(dateTimeSupplier.get()).thenReturn(clock);

    AwsIamRoleKmsKeyRecord record = mock(AwsIamRoleKmsKeyRecord.class);
    when(record.getAwsKmsKeyId()).thenReturn(keyArn);
    when(record.getAwsIamRoleId()).thenReturn(roleRecordId);
    when(record.getAwsRegion()).thenReturn(region);
    when(record.getLastValidatedTs()).thenReturn(clock);

    kmsService.validateKeyAndPolicy(record, principalArn);

    // Within the interval the service must not touch KMS or the policy checker at all.
    verify(kmsClientFactory, never()).getClient(anyString());
    verify(kmsPolicyService, never()).isPolicyValid(anyString());
}


@Test
public void test_that_getAuthenticationKmsMetadata_returns_AuthKmsKeyMetadata_from_dao_data() {
    // Three distinct timestamps so that a field mix-up in the mapping would be visible.
    OffsetDateTime createdTs = OffsetDateTime.now().plus(5, ChronoUnit.MINUTES);
    OffsetDateTime updatedTs = OffsetDateTime.now().plus(3, ChronoUnit.MINUTES);
    OffsetDateTime validatedTs = OffsetDateTime.now().plus(7, ChronoUnit.MINUTES);

    // DAO side: one key record referencing a role by id.
    AwsIamRoleKmsKeyRecord keyRecord = new AwsIamRoleKmsKeyRecord()
            .setAwsIamRoleId("iam-role-id")
            .setAwsKmsKeyId("key-id")
            .setAwsRegion("us-west-2")
            .setCreatedTs(createdTs)
            .setLastUpdatedTs(updatedTs)
            .setLastValidatedTs(validatedTs);
    List<AwsIamRoleKmsKeyRecord> keyRecords = ImmutableList.of(keyRecord);

    // Expected domain view: the role id is resolved to the role ARN, everything else is copied.
    AuthKmsKeyMetadata expectedMetadata = new AuthKmsKeyMetadata()
            .setAwsIamRoleArn("iam-role-arn")
            .setAwsKmsKeyId("key-id")
            .setAwsRegion("us-west-2")
            .setCreatedTs(createdTs)
            .setLastUpdatedTs(updatedTs)
            .setLastValidatedTs(validatedTs);
    List<AuthKmsKeyMetadata> expected = ImmutableList.of(expectedMetadata);

    AwsIamRoleRecord roleRecord = new AwsIamRoleRecord().setAwsIamRoleArn("iam-role-arn");
    when(awsIamRoleDao.getAllKmsKeys()).thenReturn(Optional.ofNullable(keyRecords));
    when(awsIamRoleDao.getIamRoleById("iam-role-id")).thenReturn(Optional.of(roleRecord));

    assertArrayEquals(expected.toArray(), kmsService.getAuthenticationKmsMetadata().toArray());
}


@Test
public void test_updateKmsKey() {
    String roleId = "role-id";
    String region = "aws-region";
    String updatedBy = "user";
    OffsetDateTime updateTs = OffsetDateTime.now();

    // Existing row the service will look up before applying the update.
    AwsIamRoleKmsKeyRecord stored = new AwsIamRoleKmsKeyRecord()
            .setAwsRegion(region)
            .setAwsIamRoleId(roleId)
            .setLastValidatedTs(OffsetDateTime.now());
    when(awsIamRoleDao.getKmsKey(roleId, region)).thenReturn(Optional.of(stored));

    kmsService.updateKmsKey(roleId, region, updatedBy, updateTs, updateTs);

    // The DAO must receive the row keyed by role/region with both timestamps and
    // the updating user stamped from the call arguments.
    AwsIamRoleKmsKeyRecord expectedUpdate = new AwsIamRoleKmsKeyRecord()
            .setAwsIamRoleId(roleId)
            .setAwsRegion(region)
            .setLastUpdatedTs(updateTs)
            .setLastValidatedTs(updateTs);
    expectedUpdate.setLastUpdatedBy(updatedBy);
    verify(awsIamRoleDao).updateIamRoleKmsKey(expectedUpdate);
}
