Example 1 with AwsIamRoleRecord

use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.

the class AuthenticationServiceTest method test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found.

@Test
public void test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found() {
    String accountId = "0000000000";
    String roleName = "role/path";
    String principalArn = String.format("arn:aws:iam::%s:instance-profile/%s", accountId, roleName);
    String roleArn = String.format(AWS_IAM_ROLE_ARN_TEMPLATE, AWS_GLOBAL_PARTITION_NAME, accountId, roleName);
    String rootArn = String.format("arn:aws:iam::%s:root", accountId);
    AwsIamRoleRecord rootRecord = mock(AwsIamRoleRecord.class);
    AwsIamRoleRecord roleRecord = mock(AwsIamRoleRecord.class);
    when(awsIamRoleDao.getIamRole(principalArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(roleArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(rootArn)).thenReturn(Optional.of(rootRecord));
    when(awsIamRoleArnParser.isRoleArn(principalArn)).thenReturn(false);
    when(awsIamRoleArnParser.convertPrincipalArnToRoleArn(principalArn)).thenReturn(roleArn);
    when(awsIamRoleArnParser.convertPrincipalArnToRootArn(roleArn)).thenReturn(rootArn);
    when(awsIamRoleService.createIamRole(roleArn)).thenReturn(roleRecord);
    Optional<AwsIamRoleRecord> result = authenticationService.findIamRoleAssociatedWithSdb(principalArn);
    assertEquals(roleRecord, result.get());
}
Also used : AwsIamRoleRecord(com.nike.cerberus.record.AwsIamRoleRecord) Matchers.anyString(org.mockito.Matchers.anyString) Test(org.junit.Test)

Example 2 with AwsIamRoleRecord

use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.

the class AuthenticationServiceTest method test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found_for_aws_china.

@Test
public void test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found_for_aws_china() {
    String accountId = "0000000000";
    String roleName = "role/path";
    String principalArn = String.format("arn:aws-cn:iam::%s:instance-profile/%s", accountId, roleName);
    String roleArn = String.format(AWS_IAM_ROLE_ARN_TEMPLATE, AWS_CHINA_PARTITION_NAME, accountId, roleName);
    String rootArn = String.format("arn:aws-cn:iam::%s:root", accountId);
    AwsIamRoleRecord rootRecord = mock(AwsIamRoleRecord.class);
    AwsIamRoleRecord roleRecord = mock(AwsIamRoleRecord.class);
    when(awsIamRoleDao.getIamRole(principalArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(roleArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(rootArn)).thenReturn(Optional.of(rootRecord));
    when(awsIamRoleArnParser.isRoleArn(principalArn)).thenReturn(false);
    when(awsIamRoleArnParser.convertPrincipalArnToRoleArn(principalArn)).thenReturn(roleArn);
    when(awsIamRoleArnParser.convertPrincipalArnToRootArn(roleArn)).thenReturn(rootArn);
    when(awsIamRoleService.createIamRole(roleArn)).thenReturn(roleRecord);
    Optional<AwsIamRoleRecord> result = authenticationService.findIamRoleAssociatedWithSdb(principalArn);
    assertEquals(roleRecord, result.get());
}
Also used : AwsIamRoleRecord(com.nike.cerberus.record.AwsIamRoleRecord) Matchers.anyString(org.mockito.Matchers.anyString) Test(org.junit.Test)

Example 3 with AwsIamRoleRecord

use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.

the class AuthenticationService method stsAuthenticate.

/**
 * Enables an IAM role to authenticate and get back an UNENCRYPTED payload
 *
 * @param iamPrincipalArn IAM role ARN
 * @return Unencrypted auth response
 */
public AuthTokenResponse stsAuthenticate(final String iamPrincipalArn) {
    awsIamRoleArnParser.iamPrincipalPartitionCheck(iamPrincipalArn);
    final Map<String, String> authPrincipalMetadata = generateCommonIamPrincipalAuthMetadata(iamPrincipalArn);
    authPrincipalMetadata.put(CerberusPrincipal.METADATA_KEY_AWS_IAM_PRINCIPAL_ARN, iamPrincipalArn);
    // throws error if iam principal not associated with SDB
    final AwsIamRoleRecord iamRoleRecord = getIamPrincipalRecord(iamPrincipalArn);
    return createToken(iamRoleRecord.getAwsIamRoleArn(), PrincipalType.IAM, authPrincipalMetadata, iamTokenTTL);
}
Also used : AwsIamRoleRecord(com.nike.cerberus.record.AwsIamRoleRecord)

Example 4 with AwsIamRoleRecord

use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.

the class AuthenticationService method findIamRoleAssociatedWithSdb.

/**
 * Search for the given IAM principal (e.g. arn:aws:iam::1111111111:instance-profile/example), if
 * not found, then also search for the base role that the principal assumes (i.e.
 * arn:aws:iam::1111111111:role/example)
 *
 * @param iamPrincipalArn - The authenticating IAM principal ARN
 * @return - The associated IAM role record
 */
protected Optional<AwsIamRoleRecord> findIamRoleAssociatedWithSdb(String iamPrincipalArn) {
    Optional<AwsIamRoleRecord> iamRole = awsIamRoleDao.getIamRole(iamPrincipalArn);
    // then try checking for the generic "arn:aws:iam::0000000000:role/foo" format
    if (iamRole.isEmpty() && !awsIamRoleArnParser.isRoleArn(iamPrincipalArn)) {
        logger.debug("Detected non-role ARN, attempting to find SDBs associated with the principal's base role...");
        // Minimal code change to stop authentication with assumed-role ARN from inserting too many
        // rows into AWS_IAM_ROLE table
        iamPrincipalArn = awsIamRoleArnParser.convertPrincipalArnToRoleArn(iamPrincipalArn);
        iamRole = awsIamRoleDao.getIamRole(iamPrincipalArn);
    }
    if (iamRole.isEmpty()) {
        String accountRootArn = awsIamRoleArnParser.convertPrincipalArnToRootArn(iamPrincipalArn);
        boolean rootArnExists = awsIamRoleDao.getIamRole(accountRootArn).isPresent();
        if (rootArnExists) {
            AwsIamRoleRecord newAwsIamRoleRecord = awsIamRoleService.createIamRole(iamPrincipalArn);
            iamRole = Optional.of(newAwsIamRoleRecord);
        }
    }
    return iamRole;
}
Also used : AwsIamRoleRecord(com.nike.cerberus.record.AwsIamRoleRecord)
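The two tests in Examples 1 and 2 and the method in Example 4 describe a three-step lookup: exact principal ARN, then the base role ARN, then a lazy create if the account root ARN is registered. The following is an added, self-contained re-implementation of that chain (not Cerberus's own code) with an in-memory stand-in for the AWS_IAM_ROLE table, so the fallback order and the partition check can be run offline. Only the method names quoted on the page (isRoleArn, convertPrincipalArnToRoleArn, convertPrincipalArnToRootArn, iamPrincipalPartitionCheck, findIamRoleAssociatedWithSdb) come from the project; the class name, the RoleRecord type, the regex, and the instance-profile/assumed-role to role conversion rules are assumptions about how such a parser behaves. Requires Java 17 or later.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not project code: models the principal ARN normalisation and
 * the SDB lookup fallback used by findIamRoleAssociatedWithSdb. Names not quoted
 * from the page are hypothetical.
 */
public class IamPrincipalResolutionDemo {

    // arn:<partition>:(iam|sts)::<account>:<type>[/<rest>]  (assumed ARN shapes)
    private static final Pattern PRINCIPAL = Pattern.compile(
        "^arn:(aws|aws-cn|aws-us-gov):(iam|sts)::(\\d+):(role|instance-profile|assumed-role|user|root)(?:/(.+))?$");
    // Only these principal types can be mapped onto an IAM role (assumption).
    private static final Set<String> ROLE_LIKE = Set.of("role", "instance-profile", "assumed-role");

    /** Stand-in for AwsIamRoleRecord; only the ARN matters here. */
    public record RoleRecord(String awsIamRoleArn) {}

    private final Set<String> allowedPartitions;          // hypothetical deployment setting
    private final Map<String, RoleRecord> table = new HashMap<>(); // stand-in for AWS_IAM_ROLE

    public IamPrincipalResolutionDemo(Set<String> allowedPartitions) {
        this.allowedPartitions = allowedPartitions;
    }

    public void register(String arn) { table.put(arn, new RoleRecord(arn)); }

    private static Matcher match(String arn) {
        Matcher m = PRINCIPAL.matcher(arn);
        if (!m.matches()) throw new IllegalArgumentException("not an IAM/STS principal ARN: " + arn);
        return m;
    }

    /** Reject principals from partitions this deployment does not serve. */
    public void iamPrincipalPartitionCheck(String arn) {
        String partition = match(arn).group(1);
        if (!allowedPartitions.contains(partition))
            throw new IllegalArgumentException("partition not allowed: " + partition);
    }

    public boolean isRoleArn(String arn) {
        Matcher m = match(arn);
        return "iam".equals(m.group(2)) && "role".equals(m.group(4));
    }

    /** instance-profile/<name> and sts assumed-role/<name>/<session> both map to iam role/<name>. */
    public String convertPrincipalArnToRoleArn(String arn) {
        Matcher m = match(arn);
        String type = m.group(4), rest = m.group(5);
        if (!ROLE_LIKE.contains(type) || rest == null)
            throw new IllegalArgumentException("not convertible to a role ARN: " + arn);
        String name = rest;
        if ("assumed-role".equals(type)) {               // strip the session name
            int slash = rest.indexOf('/');
            if (slash > 0) name = rest.substring(0, slash);
        }
        return String.format("arn:%s:iam::%s:role/%s", m.group(1), m.group(3), name);
    }

    public String convertPrincipalArnToRootArn(String arn) {
        Matcher m = match(arn);
        return String.format("arn:%s:iam::%s:root", m.group(1), m.group(3));
    }

    /** Same fallback order as the page's findIamRoleAssociatedWithSdb. */
    public Optional<RoleRecord> findIamRoleAssociatedWithSdb(String principalArn) {
        if (!ROLE_LIKE.contains(match(principalArn).group(4))) return Optional.empty();
        Optional<RoleRecord> found = Optional.ofNullable(table.get(principalArn));
        if (found.isEmpty() && !isRoleArn(principalArn)) {
            principalArn = convertPrincipalArnToRoleArn(principalArn); // try the base role
            found = Optional.ofNullable(table.get(principalArn));
        }
        if (found.isEmpty() && table.containsKey(convertPrincipalArnToRootArn(principalArn))) {
            // Account root is registered: lazily create a row for this role, as the service does.
            RoleRecord created = new RoleRecord(principalArn);
            table.put(principalArn, created);
            found = Optional.of(created);
        }
        return found;
    }

    public static void main(String[] args) {
        IamPrincipalResolutionDemo demo = new IamPrincipalResolutionDemo(Set.of("aws"));
        demo.register("arn:aws:iam::0000000000:root");            // only the account root is registered
        String principal = "arn:aws:iam::0000000000:instance-profile/role/path";
        demo.iamPrincipalPartitionCheck(principal);
        System.out.println(demo.findIamRoleAssociatedWithSdb(principal));   // created role record
        System.out.println(demo.findIamRoleAssociatedWithSdb(
            "arn:aws:sts::0000000000:assumed-role/role/path/session-1"));   // same record, now found
        System.out.println(demo.findIamRoleAssociatedWithSdb(
            "arn:aws:iam::9999999999:role/other"));                         // empty: no root for 9999999999
        try {
            demo.iamPrincipalPartitionCheck("arn:aws-cn:iam::0000000000:instance-profile/role/path");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point to notice is the third step: once an account's root ARN is registered, any role-like principal from that account resolves to a freshly created record, which is exactly what the two tests on the page assert (the result is the value returned by createIamRole, not something previously associated with an SDB). Registering a root ARN therefore grants account-wide scope, so treat it as a privileged configuration change, and keep the partition check in front of the lookup so an aws-cn principal cannot be normalised into an aws-partition role ARN.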

Example 5 with AwsIamRoleRecord

use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.

the class AuthenticationService method authenticate.

private EncryptedAuthDataWrapper authenticate(AwsIamKmsAuthRequest credentials, Map<String, String> authPrincipalMetadata) {
    final AwsIamRoleKmsKeyRecord kmsKeyRecord;
    final AwsIamRoleRecord iamRoleRecord;
    try {
        iamRoleRecord = getIamPrincipalRecord(credentials.getIamPrincipalArn());
        kmsKeyRecord = getKmsKeyRecordForIamPrincipal(iamRoleRecord, credentials.getRegion());
    } catch (AmazonServiceException e) {
        if ("InvalidArnException".equals(e.getErrorCode())) {
            String msg = String.format("Failed to lazily provision KMS key for %s in region: %s", credentials.getIamPrincipalArn(), credentials.getRegion());
            throw ApiException.newBuilder().withApiErrors(CustomApiError.createCustomApiError(DefaultApiError.AUTH_IAM_ROLE_REJECTED, msg)).withExceptionCause(e).withExceptionMessage(msg).build();
        }
        throw e;
    }
    AuthTokenResponse authResponse = createToken(iamRoleRecord.getAwsIamRoleArn(), PrincipalType.IAM, authPrincipalMetadata, iamTokenTTL);
    byte[] authResponseJson;
    try {
        authResponseJson = objectMapper.writeValueAsBytes(authResponse);
    } catch (JsonProcessingException e) {
        String msg = "Failed to write IAM role authentication response as JSON for encrypting.";
        throw ApiException.newBuilder().withApiErrors(DefaultApiError.INTERNAL_SERVER_ERROR).withExceptionCause(e).withExceptionMessage(msg).build();
    }
    authResponseJson = validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize(authResponseJson, authResponse, credentials.getIamPrincipalArn());
    final byte[] encryptedAuthResponse = safeEncryptWithRetry(kmsKeyRecord.getAwsIamRoleId(), credentials.getIamPrincipalArn(), kmsKeyRecord.getId(), kmsKeyRecord.getAwsKmsKeyId(), credentials.getRegion(), authResponseJson);
    EncryptedAuthDataWrapper encryptedAuthDataWrapper = new EncryptedAuthDataWrapper();
    encryptedAuthDataWrapper.setAuthData(Base64.encodeBase64String(encryptedAuthResponse));
    return encryptedAuthDataWrapper;
}
Also used : AuthTokenResponse(com.nike.cerberus.domain.AuthTokenResponse) EncryptedAuthDataWrapper(com.nike.cerberus.domain.EncryptedAuthDataWrapper) AwsIamRoleKmsKeyRecord(com.nike.cerberus.record.AwsIamRoleKmsKeyRecord) AwsIamRoleRecord(com.nike.cerberus.record.AwsIamRoleRecord) AmazonServiceException(com.amazonaws.AmazonServiceException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException)

Aggregations

AwsIamRoleRecord (com.nike.cerberus.record.AwsIamRoleRecord)24 Test (org.junit.Test)17 IamPrincipalPermission (com.nike.cerberus.domain.IamPrincipalPermission)8 AwsIamRolePermissionRecord (com.nike.cerberus.record.AwsIamRolePermissionRecord)8 Matchers.anyString (org.mockito.Matchers.anyString)6 Role (com.nike.cerberus.domain.Role)3 AwsIamRoleKmsKeyRecord (com.nike.cerberus.record.AwsIamRoleKmsKeyRecord)3 OffsetDateTime (java.time.OffsetDateTime)3 HashSet (java.util.HashSet)3 Transactional (org.springframework.transaction.annotation.Transactional)3 AmazonServiceException (com.amazonaws.AmazonServiceException)1 JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)1 AuthKmsKeyMetadata (com.nike.cerberus.domain.AuthKmsKeyMetadata)1 AuthTokenResponse (com.nike.cerberus.domain.AuthTokenResponse)1 EncryptedAuthDataWrapper (com.nike.cerberus.domain.EncryptedAuthDataWrapper)1 ArrayList (java.util.ArrayList)1