Example 11 with AwsIamRoleKmsKeyRecord

use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.

the class CleanUpServiceTest method test_that_cleanUpInactiveAndOrphanedKmsKeys_does_not_throw_exception_on_failure.

@Test
public void test_that_cleanUpInactiveAndOrphanedKmsKeys_does_not_throw_exception_on_failure() {
    int inactivePeriod = 30;
    String keyRecordId = "key record id";
    String awsKeyId = "aws key id";
    String keyRegion = "key region";
    // one stale key record is returned by the DAO for the cutoff date
    AwsIamRoleKmsKeyRecord keyRecord = mock(AwsIamRoleKmsKeyRecord.class);
    when(keyRecord.getId()).thenReturn(keyRecordId);
    when(keyRecord.getAwsKmsKeyId()).thenReturn(awsKeyId);
    when(keyRecord.getAwsRegion()).thenReturn(keyRegion);
    when(dateTimeSupplier.get()).thenReturn(now);
    OffsetDateTime inactiveCutoffDate = now.minusDays(inactivePeriod);
    when(awsIamRoleDao.getInactiveOrOrphanedKmsKeys(inactiveCutoffDate)).thenReturn(Lists.newArrayList(keyRecord));
    // the DB delete blows up; the cleanup job must log and continue rather than propagate
    when(awsIamRoleDao.deleteKmsKeyById(keyRecordId)).thenThrow(new NullPointerException());
    // passes if no exception escapes (sleep of 0 seconds keeps the test fast)
    cleanUpService.cleanUpInactiveAndOrphanedKmsKeys(inactivePeriod, 0);
}
Also used : OffsetDateTime(java.time.OffsetDateTime) AwsIamRoleKmsKeyRecord(com.nike.cerberus.record.AwsIamRoleKmsKeyRecord) Test(org.junit.Test)

Example 12 with AwsIamRoleKmsKeyRecord

use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.

the class KmsService method getAuthenticationKmsMetadata.

public List<AuthKmsKeyMetadata> getAuthenticationKmsMetadata() {
    List<AuthKmsKeyMetadata> result = new LinkedList<>();
    Optional<List<AwsIamRoleKmsKeyRecord>> keysOptional = awsIamRoleDao.getAllKmsKeys();
    List<AwsIamRoleKmsKeyRecord> keys = keysOptional.orElse(new LinkedList<>());
    keys.forEach(key -> {
        AuthKmsKeyMetadata metadata = new AuthKmsKeyMetadata()
                .setAwsKmsKeyId(key.getAwsKmsKeyId())
                .setAwsRegion(key.getAwsRegion())
                .setCreatedTs(key.getCreatedTs())
                .setLastUpdatedTs(key.getLastUpdatedTs())
                .setLastValidatedTs(key.getLastValidatedTs());
        // attach the IAM principal the key was provisioned for, if its record still exists
        awsIamRoleDao.getIamRoleById(key.getAwsIamRoleId())
                .ifPresent(awsIamRoleRecord -> metadata.setAwsIamRoleArn(awsIamRoleRecord.getAwsIamRoleArn()));
        result.add(metadata);
    });
    return result;
}
Also used : AuthKmsKeyMetadata(com.nike.cerberus.domain.AuthKmsKeyMetadata) AwsIamRoleKmsKeyRecord(com.nike.cerberus.record.AwsIamRoleKmsKeyRecord)

Example 13 with AwsIamRoleKmsKeyRecord

use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.

the class KmsService method createKmsKeyRecord.

@Transactional
protected AwsIamRoleKmsKeyRecord createKmsKeyRecord(final String iamRoleRecordId,
                                                    final String kmsKeyRecordId,
                                                    final String awsKmsKeyArn,
                                                    final String awsRegion,
                                                    final String user,
                                                    final OffsetDateTime dateTime) {
    final AwsIamRoleKmsKeyRecord awsIamRoleKmsKeyRecord = new AwsIamRoleKmsKeyRecord();
    // the record stores the full KMS key ARN in the "key id" column
    awsIamRoleKmsKeyRecord.setId(kmsKeyRecordId)
            .setAwsIamRoleId(iamRoleRecordId)
            .setAwsKmsKeyId(awsKmsKeyArn)
            .setAwsRegion(awsRegion)
            .setCreatedBy(user)
            .setLastUpdatedBy(user)
            .setCreatedTs(dateTime)
            .setLastUpdatedTs(dateTime)
            .setLastValidatedTs(dateTime);
    awsIamRoleDao.createIamRoleKmsKey(awsIamRoleKmsKeyRecord);
    return awsIamRoleKmsKeyRecord;
}
Also used : AwsIamRoleKmsKeyRecord(com.nike.cerberus.record.AwsIamRoleKmsKeyRecord) Transactional(org.springframework.transaction.annotation.Transactional)

Example 14 with AwsIamRoleKmsKeyRecord

use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.

the class AuthenticationService method getKmsKeyRecordForIamPrincipal.

protected AwsIamRoleKmsKeyRecord getKmsKeyRecordForIamPrincipal(final AwsIamRoleRecord iamRoleRecord, final String awsRegion) {
    final Optional<AwsIamRoleKmsKeyRecord> kmsKey = awsIamRoleDao.getKmsKey(iamRoleRecord.getId(), awsRegion);
    final AwsIamRoleKmsKeyRecord kmsKeyRecord;
    final OffsetDateTime now = dateTimeSupplier.get();
    if (!kmsKey.isPresent()) {
        kmsKeyRecord = kmsService.provisionKmsKey(iamRoleRecord.getId(), iamRoleRecord.getAwsIamRoleArn(), awsRegion, SYSTEM_USER, now);
    } else {
        kmsKeyRecord = kmsKey.get();
        // regenerate the KMS key policy, if it is invalid
        kmsService.validateKeyAndPolicy(kmsKeyRecord, iamRoleRecord.getAwsIamRoleArn());
    }
    return kmsKeyRecord;
}
Also used : OffsetDateTime(java.time.OffsetDateTime) AwsIamRoleKmsKeyRecord(com.nike.cerberus.record.AwsIamRoleKmsKeyRecord)

Example 15 with AwsIamRoleKmsKeyRecord

use of com.nike.cerberus.record.AwsIamRoleKmsKeyRecord in project cerberus by Nike-Inc.

the class CleanUpService method cleanUpInactiveAndOrphanedKmsKeys.

/**
 * Delete all AWS KMS keys and DB records for KMS keys that have not been used recently or are no
 * longer associated with an SDB.
 *
 * @param kmsKeysInactiveAfterNDays Consider KMS keys to be inactive after 'n' number of days
 * @param sleepInSeconds Sleep for 'n' seconds between AWS calls, to keep from exceeding the API
 *     limit
 * @return Number of KMS keys cleaned up
 */
public int cleanUpInactiveAndOrphanedKmsKeys(final int kmsKeysInactiveAfterNDays, final int sleepInSeconds) {
    // get orphaned and inactive kms keys (not used in 'n' days)
    final OffsetDateTime inactiveDateTime = dateTimeSupplier.get().minusDays(kmsKeysInactiveAfterNDays);
    final List<AwsIamRoleKmsKeyRecord> inactiveAndOrphanedKmsKeys = awsIamRoleDao.getInactiveOrOrphanedKmsKeys(inactiveDateTime);
    if (inactiveAndOrphanedKmsKeys.isEmpty()) {
        logger.info("No keys to clean up.");
    } else {
        // delete inactive and orphaned kms key records from DB
        logger.info("Cleaning up orphaned or inactive KMS keys...");
        inactiveAndOrphanedKmsKeys.forEach(kmsKeyRecord -> {
            final String kmsKeyArn = kmsKeyRecord.getAwsKmsKeyId();
            final String kmsKeyRegion = kmsKeyRecord.getAwsRegion();
            try {
                logger.info("Deleting orphaned or inactive KMS key: id={}, region={}, lastValidated={}", kmsKeyArn, kmsKeyRegion, kmsKeyRecord.getLastValidatedTs());
                kmsService.validatePolicyAllowsCMSToDeleteCMK(kmsKeyArn, kmsKeyRegion);
                kmsService.scheduleKmsKeyDeletion(kmsKeyArn, kmsKeyRegion, SOONEST_A_KMS_KEY_CAN_BE_DELETED);
                kmsService.deleteKmsKeyById(kmsKeyRecord.getId());
                TimeUnit.SECONDS.sleep(sleepInSeconds);
            } catch (InterruptedException ie) {
                logger.error("Timeout between KMS key deletion was interrupted", ie);
                Thread.currentThread().interrupt();
            } catch (Exception e) {
                logger.error("There was a problem deleting KMS key with id: {}, region: {}", kmsKeyArn, kmsKeyRegion, e);
            }
        });
    }
    return inactiveAndOrphanedKmsKeys.size();
}
Also used : OffsetDateTime(java.time.OffsetDateTime) AwsIamRoleKmsKeyRecord(com.nike.cerberus.record.AwsIamRoleKmsKeyRecord)
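Examples 14 and 15 both rest on policy checks whose bodies are not shown on this page: `validateKeyAndPolicy` regenerates a key policy that no longer grants what the IAM principal needs, and `validatePolicyAllowsCMSToDeleteCMK` refuses to schedule deletion of a key the service itself could not delete. The following is an added example, not Cerberus code, of the kind of check those names describe: parse a KMS key policy document and confirm that the management service principal is allowed `kms:ScheduleKeyDeletion` and that the authenticating IAM role is granted nothing beyond `kms:Decrypt`. The two role ARNs, the sample policy and the set of allowed client actions are constructed for illustration; Jackson databind (already used by the project) and Java 11 or newer are assumed.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example (not Cerberus project code): minimal KMS key-policy checks. */
public class KmsKeyPolicyCheck {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** Assumption: the IAM principal that authenticates should only ever decrypt with its key. */
    private static final Set<String> ALLOWED_CLIENT_ACTIONS = Set.of("kms:Decrypt");

    /** True if some Allow statement grants {@code action} to {@code principalArn}. */
    static boolean allows(JsonNode policy, String principalArn, String action) {
        for (JsonNode stmt : statements(policy)) {
            if (!"Allow".equals(stmt.path("Effect").asText())) continue;
            if (!principalMatches(stmt.path("Principal"), principalArn)) continue;
            for (String a : values(stmt.path("Action"))) {
                // exact match or a full wildcard; partial wildcards like kms:Schedule* are not expanded here
                if (a.equals(action) || a.equals("kms:*") || a.equals("*")) return true;
            }
        }
        return false;
    }

    /** Allow actions granted to {@code principalArn} that are outside ALLOWED_CLIENT_ACTIONS. */
    static Set<String> excessActions(JsonNode policy, String principalArn) {
        Set<String> excess = new HashSet<>();
        for (JsonNode stmt : statements(policy)) {
            if (!"Allow".equals(stmt.path("Effect").asText())) continue;
            if (!principalMatches(stmt.path("Principal"), principalArn)) continue;
            for (String a : values(stmt.path("Action"))) {
                if (!ALLOWED_CLIENT_ACTIONS.contains(a)) excess.add(a);
            }
        }
        return excess;
    }

    /** "Statement" may be a single object or an array in an IAM policy document. */
    private static Iterable<JsonNode> statements(JsonNode policy) {
        JsonNode s = policy.path("Statement");
        return s.isArray() ? s : List.of(s);
    }

    /** Principal is either the string "*" or an object with an "AWS" member (string or array). */
    private static boolean principalMatches(JsonNode principal, String arn) {
        if (principal.isTextual()) return "*".equals(principal.asText());
        for (String p : values(principal.path("AWS"))) {
            if (p.equals(arn) || p.equals("*")) return true;
        }
        return false;
    }

    /** Normalise a string-or-array JSON field to a set of strings. */
    private static Set<String> values(JsonNode node) {
        Set<String> out = new HashSet<>();
        if (node.isTextual()) out.add(node.asText());
        else if (node.isArray()) node.forEach(n -> out.add(n.asText()));
        return out;
    }

    public static void main(String[] args) throws Exception {
        String cmsArn = "arn:aws:iam::111122223333:role/cms-role";       // placeholder, constructed
        String clientArn = "arn:aws:iam::444455556666:role/app-role";    // placeholder, constructed
        // Constructed sample policy, not taken from Cerberus: the client role has been granted
        // kms:Encrypt in addition to kms:Decrypt, which the check below should flag.
        String policyJson = "{"
            + "\"Version\":\"2012-10-17\","
            + "\"Statement\":["
            + " {\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"" + cmsArn + "\"},"
            + "  \"Action\":[\"kms:ScheduleKeyDeletion\",\"kms:PutKeyPolicy\",\"kms:Encrypt\"],\"Resource\":\"*\"},"
            + " {\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"" + clientArn + "\"},"
            + "  \"Action\":[\"kms:Decrypt\",\"kms:Encrypt\"],\"Resource\":\"*\"}"
            + "]}";
        JsonNode policy = MAPPER.readTree(policyJson);

        boolean cmsCanDelete = allows(policy, cmsArn, "kms:ScheduleKeyDeletion");
        Set<String> clientExcess = excessActions(policy, clientArn);
        System.out.println("management service may schedule deletion: " + cmsCanDelete);
        System.out.println("client role actions beyond the allowed set: " + clientExcess);
        // A validator would treat a non-empty excess set as "policy invalid, regenerate it",
        // and a false cmsCanDelete as "do not attempt cleanup of this key".
    }
}
```

Run with Jackson on the classpath; the first check models the precondition a cleanup job needs before calling ScheduleKeyDeletion (otherwise the AWS call fails and the DB record is deleted out of step with the key), and the second models the least-privilege condition a per-principal key policy should satisfy.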

Aggregations

AwsIamRoleKmsKeyRecord (com.nike.cerberus.record.AwsIamRoleKmsKeyRecord)15 OffsetDateTime (java.time.OffsetDateTime)11 Test (org.junit.Test)9 AuthKmsKeyMetadata (com.nike.cerberus.domain.AuthKmsKeyMetadata)4 AWSKMSClient (com.amazonaws.services.kms.AWSKMSClient)3 AwsIamRoleRecord (com.nike.cerberus.record.AwsIamRoleRecord)3 GetKeyPolicyRequest (com.amazonaws.services.kms.model.GetKeyPolicyRequest)2 GetKeyPolicyResult (com.amazonaws.services.kms.model.GetKeyPolicyResult)2 KeyMetadata (com.amazonaws.services.kms.model.KeyMetadata)2 Transactional (org.springframework.transaction.annotation.Transactional)2 AmazonServiceException (com.amazonaws.AmazonServiceException)1 CreateAliasRequest (com.amazonaws.services.kms.model.CreateAliasRequest)1 CreateKeyRequest (com.amazonaws.services.kms.model.CreateKeyRequest)1 CreateKeyResult (com.amazonaws.services.kms.model.CreateKeyResult)1 DescribeKeyResult (com.amazonaws.services.kms.model.DescribeKeyResult)1 Tag (com.amazonaws.services.kms.model.Tag)1 JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)1 AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse)1 EncryptedAuthDataWrapper (com.nike.cerberus.domain.EncryptedAuthDataWrapper)1 Matchers.anyString (org.mockito.Matchers.anyString)1