use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.
the class AuthenticationServiceTest method test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found.
@Test
public void test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found() {
    // Scenario (standard "aws" partition): the caller presents an instance-profile ARN. Neither that
    // ARN nor its base role is registered, but the account root ARN is, so the service is expected to
    // auto-create a record for the base role and hand that back.
    // NOTE: real AWS account IDs are 12 digits; this 10-digit value is only a fixture and is never parsed here.
    final String accountId = "0000000000";
    final String roleName = "role/path";
    final String instanceProfileArn = String.format("arn:aws:iam::%s:instance-profile/%s", accountId, roleName);
    final String baseRoleArn = String.format(AWS_IAM_ROLE_ARN_TEMPLATE, AWS_GLOBAL_PARTITION_NAME, accountId, roleName);
    final String accountRootArn = String.format("arn:aws:iam::%s:root", accountId);

    final AwsIamRoleRecord registeredRootRecord = mock(AwsIamRoleRecord.class);
    final AwsIamRoleRecord createdRoleRecord = mock(AwsIamRoleRecord.class);

    // DAO: only the account root is registered.
    when(awsIamRoleDao.getIamRole(instanceProfileArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(baseRoleArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(accountRootArn)).thenReturn(Optional.of(registeredRootRecord));

    // Parser: an instance-profile ARN is not a role ARN; it normalises to the base role, then to the account root.
    when(awsIamRoleArnParser.isRoleArn(instanceProfileArn)).thenReturn(false);
    when(awsIamRoleArnParser.convertPrincipalArnToRoleArn(instanceProfileArn)).thenReturn(baseRoleArn);
    when(awsIamRoleArnParser.convertPrincipalArnToRootArn(baseRoleArn)).thenReturn(accountRootArn);

    // The auto-created record must be keyed on the base role, never on the raw instance-profile ARN.
    when(awsIamRoleService.createIamRole(baseRoleArn)).thenReturn(createdRoleRecord);

    final Optional<AwsIamRoleRecord> result = authenticationService.findIamRoleAssociatedWithSdb(instanceProfileArn);

    // Comparing the whole Optional asserts presence and identity in one step (no unchecked get()).
    assertEquals(Optional.of(createdRoleRecord), result);
}
use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.
the class AuthenticationServiceTest method test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found_for_aws_china.
@Test
public void test_that_findIamRoleAssociatedWithSdb_returns_generic_role_when_iam_principal_not_found_and_root_found_for_aws_china() {
    // Same scenario as the global-partition test, but every ARN lives in the "aws-cn" partition so the
    // root-trust fallback is proven to work there too (ARN templates are partition-aware).
    // NOTE: real AWS account IDs are 12 digits; this 10-digit value is only a fixture and is never parsed here.
    final String accountId = "0000000000";
    final String roleName = "role/path";
    final String instanceProfileArn = String.format("arn:aws-cn:iam::%s:instance-profile/%s", accountId, roleName);
    final String baseRoleArn = String.format(AWS_IAM_ROLE_ARN_TEMPLATE, AWS_CHINA_PARTITION_NAME, accountId, roleName);
    final String accountRootArn = String.format("arn:aws-cn:iam::%s:root", accountId);

    final AwsIamRoleRecord registeredRootRecord = mock(AwsIamRoleRecord.class);
    final AwsIamRoleRecord createdRoleRecord = mock(AwsIamRoleRecord.class);

    // DAO: only the account root is registered.
    when(awsIamRoleDao.getIamRole(instanceProfileArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(baseRoleArn)).thenReturn(Optional.empty());
    when(awsIamRoleDao.getIamRole(accountRootArn)).thenReturn(Optional.of(registeredRootRecord));

    // Parser: an instance-profile ARN is not a role ARN; it normalises to the base role, then to the account root.
    when(awsIamRoleArnParser.isRoleArn(instanceProfileArn)).thenReturn(false);
    when(awsIamRoleArnParser.convertPrincipalArnToRoleArn(instanceProfileArn)).thenReturn(baseRoleArn);
    when(awsIamRoleArnParser.convertPrincipalArnToRootArn(baseRoleArn)).thenReturn(accountRootArn);

    // The auto-created record must be keyed on the base role, never on the raw instance-profile ARN.
    when(awsIamRoleService.createIamRole(baseRoleArn)).thenReturn(createdRoleRecord);

    final Optional<AwsIamRoleRecord> result = authenticationService.findIamRoleAssociatedWithSdb(instanceProfileArn);

    // Comparing the whole Optional asserts presence and identity in one step (no unchecked get()).
    assertEquals(Optional.of(createdRoleRecord), result);
}
use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.
the class AuthenticationService method stsAuthenticate.
/**
 * Authenticates an IAM principal whose identity has already been established elsewhere and returns
 * the auth token payload in the clear (unlike the KMS flow, nothing here is encrypted for the caller).
 *
 * <p>NOTE(review): this method performs no proof-of-possession of its own; it trusts
 * {@code iamPrincipalArn} exactly as given. Presumably the caller has already validated the ARN
 * against STS (e.g. GetCallerIdentity) — confirm that at the call site before wiring this into any
 * new endpoint. The only gate applied here is the partition check.
 *
 * @param iamPrincipalArn ARN of the authenticating IAM principal (role, instance profile, ...)
 * @return the unencrypted auth token response; the token is issued for the ARN of the resolved role
 *         record, which may be the principal's base role rather than the ARN presented
 */
public AuthTokenResponse stsAuthenticate(final String iamPrincipalArn) {
    // Partition gate first: presumably rejects ARNs from a partition this deployment does not serve.
    awsIamRoleArnParser.iamPrincipalPartitionCheck(iamPrincipalArn);

    final Map<String, String> principalMetadata = generateCommonIamPrincipalAuthMetadata(iamPrincipalArn);
    // The token metadata keeps the ARN the caller presented, even though the token itself is minted
    // for the resolved record's ARN below.
    principalMetadata.put(CerberusPrincipal.METADATA_KEY_AWS_IAM_PRINCIPAL_ARN, iamPrincipalArn);

    // Throws when the principal is not associated with any SDB, so no token is minted for unknown principals.
    final AwsIamRoleRecord resolvedRole = getIamPrincipalRecord(iamPrincipalArn);

    return createToken(resolvedRole.getAwsIamRoleArn(), PrincipalType.IAM, principalMetadata, iamTokenTTL);
}
use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.
the class AuthenticationService method findIamRoleAssociatedWithSdb.
/**
 * Resolves the {@link AwsIamRoleRecord} an authenticating IAM principal maps to, trying
 * progressively broader identities:
 * <ol>
 *   <li>the principal ARN exactly as presented
 *       (e.g. {@code arn:aws:iam::1111111111:instance-profile/example});</li>
 *   <li>if absent and the ARN is not already a role ARN, the base role the principal assumes
 *       (e.g. {@code arn:aws:iam::1111111111:role/example});</li>
 *   <li>if still absent, the account root ({@code arn:aws:iam::1111111111:root}): when the root ARN
 *       is registered, a new record is created for the ARN reached in step 1 or 2 and returned.</li>
 * </ol>
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>Registering an account's root ARN is an account-wide trust: every role in that account
 *       resolves successfully here, with a record auto-inserted into AWS_IAM_ROLE on first use.</li>
 *   <li>That insert happens during lookup, i.e. before the surrounding flow has necessarily proven
 *       the caller controls the principal. Step 2 bounds the churn from assumed-role sessions (one
 *       row per base role rather than one per session), but if the caller of this method does not
 *       authenticate the ARN first, an unauthenticated request can still insert one row per
 *       arbitrary role name in a root-trusted account — confirm, and rate-limit if needed.</li>
 * </ul>
 *
 * @param iamPrincipalArn the ARN of the authenticating IAM principal
 * @return the associated record, or empty when nothing is registered and the account root is not trusted
 */
protected Optional<AwsIamRoleRecord> findIamRoleAssociatedWithSdb(String iamPrincipalArn) {
    // Step 1: exact match on the ARN as presented.
    String lookupArn = iamPrincipalArn;
    Optional<AwsIamRoleRecord> match = awsIamRoleDao.getIamRole(lookupArn);
    if (match.isPresent()) {
        return match;
    }

    // Step 2: for non-role ARNs, retry with the generic "arn:aws:iam::0000000000:role/foo" form.
    if (!awsIamRoleArnParser.isRoleArn(lookupArn)) {
        logger.debug("Detected non-role ARN, attempting to find SDBs associated with the principal's base role...");
        // Normalising to the base role before the root fallback below keeps assumed-role sessions
        // from inserting one AWS_IAM_ROLE row per session.
        lookupArn = awsIamRoleArnParser.convertPrincipalArnToRoleArn(lookupArn);
        match = awsIamRoleDao.getIamRole(lookupArn);
        if (match.isPresent()) {
            return match;
        }
    }

    // Step 3: account-root trust — auto-register the (possibly normalised) ARN when the root is known.
    final String accountRootArn = awsIamRoleArnParser.convertPrincipalArnToRootArn(lookupArn);
    if (awsIamRoleDao.getIamRole(accountRootArn).isPresent()) {
        return Optional.of(awsIamRoleService.createIamRole(lookupArn));
    }

    // Nothing matched and the account is not root-trusted: 'match' is empty here.
    return match;
}
use of com.nike.cerberus.record.AwsIamRoleRecord in project cerberus by Nike-Inc.
the class AuthenticationService method authenticate.
/**
 * KMS-based IAM authentication: resolves the principal's role record and per-region KMS key, mints a
 * token, serialises it, and returns it encrypted under that KMS key (base64 in the wrapper).
 *
 * <p>NOTE(review): nothing in this method verifies that the caller controls
 * {@code credentials.getIamPrincipalArn()}; the design appears to rely on the response being
 * decryptable only by the genuine principal. Two consequences worth confirming at the call site:
 * the role lookup (including any auto-registration it performs) and the lazy KMS key provisioning
 * for the caller-supplied {@code credentials.getRegion()} both run before any such proof, so an
 * unauthenticated caller can trigger them.
 *
 * @param credentials           the IAM principal ARN and region presented by the caller
 * @param authPrincipalMetadata metadata to embed in the issued token
 * @return the encrypted, base64-encoded auth response
 * @throws ApiException with AUTH_IAM_ROLE_REJECTED when KMS reports an InvalidArnException while
 *                      provisioning the key, or INTERNAL_SERVER_ERROR when the response cannot be
 *                      serialised; any other AmazonServiceException propagates unchanged
 */
private EncryptedAuthDataWrapper authenticate(AwsIamKmsAuthRequest credentials, Map<String, String> authPrincipalMetadata) {
    final String principalArn = credentials.getIamPrincipalArn();
    final String region = credentials.getRegion();

    final AwsIamRoleRecord roleRecord;
    final AwsIamRoleKmsKeyRecord kmsKey;
    try {
        roleRecord = getIamPrincipalRecord(principalArn);
        kmsKey = getKmsKeyRecordForIamPrincipal(roleRecord, region);
    } catch (AmazonServiceException e) {
        // Only the "bad ARN" case becomes a client-facing rejection; everything else propagates as-is.
        if (!"InvalidArnException".equals(e.getErrorCode())) {
            throw e;
        }
        final String msg = String.format("Failed to lazily provision KMS key for %s in region: %s", principalArn, region);
        throw ApiException.newBuilder()
                .withApiErrors(CustomApiError.createCustomApiError(DefaultApiError.AUTH_IAM_ROLE_REJECTED, msg))
                .withExceptionCause(e)
                .withExceptionMessage(msg)
                .build();
    }

    // The token is issued for the resolved record's ARN, which may be the base role rather than the presented ARN.
    final AuthTokenResponse tokenResponse = createToken(roleRecord.getAwsIamRoleArn(), PrincipalType.IAM, authPrincipalMetadata, iamTokenTTL);

    final byte[] plaintext;
    try {
        plaintext = objectMapper.writeValueAsBytes(tokenResponse);
    } catch (JsonProcessingException e) {
        final String msg = "Failed to write IAM role authentication response as JSON for encrypting.";
        throw ApiException.newBuilder()
                .withApiErrors(DefaultApiError.INTERNAL_SERVER_ERROR)
                .withExceptionCause(e)
                .withExceptionMessage(msg)
                .build();
    }

    // KMS Encrypt caps the plaintext size; per its name this helper validates and truncates
    // oversized payloads rather than rejecting them — see it for exactly what gets cut.
    final byte[] boundedPlaintext = validateAuthPayloadSizeAndTruncateIfLargerThanMaxKmsSupportedSize(plaintext, tokenResponse, principalArn);
    final byte[] ciphertext = safeEncryptWithRetry(kmsKey.getAwsIamRoleId(), principalArn, kmsKey.getId(), kmsKey.getAwsKmsKeyId(), region, boundedPlaintext);

    final EncryptedAuthDataWrapper wrapper = new EncryptedAuthDataWrapper();
    wrapper.setAuthData(Base64.encodeBase64String(ciphertext));
    return wrapper;
}