use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
the class AwsCredentialVerifierTest method verifyCredentialAndThrowFailExceptionTest.
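/**
 * Simulates a principal policy evaluation in which three actions are denied and one is accepted and
 * expects {@code validateAws} to throw {@link AwsPermissionMissingException} naming every denied
 * action and none of the accepted ones. Afterwards asserts that exactly five simulate requests were
 * sent, all against the ARN returned by the (mocked) caller identity call.
 *
 * @throws IOException if the policy fixture cannot be read from the test resources
 */
@Test
public void verifyCredentialAndThrowFailExceptionTest() throws IOException {
    // The fixture is decoded as UTF-8, so encode it with the same charset before base64-encoding;
    // a bare getBytes() would depend on the JVM's platform default charset.
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, Charsets.UTF_8);
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(Charsets.UTF_8));

    // Dummy key material; the AWS clients are mocked below so nothing is ever sent to AWS.
    Map<String, Object> awsParameters = new HashMap<>();
    awsParameters.put("accessKey", "a");
    awsParameters.put("secretKey", "b");
    CloudCredential cloudCredential = new CloudCredential("id", "name", awsParameters, "acc", false);

    AmazonIdentityManagementClient amazonIdentityManagement = mock(AmazonIdentityManagementClient.class);
    when(awsClient.createAmazonIdentityManagement(any(AwsCredentialView.class))).thenReturn(amazonIdentityManagement);

    // STS answers the caller identity lookup with a fixed ARN that every simulate request must reference.
    AmazonSecurityTokenServiceClient awsSecurityTokenService = mock(AmazonSecurityTokenServiceClient.class);
    GetCallerIdentityResult getCallerIdentityResult = new GetCallerIdentityResult();
    getCallerIdentityResult.setArn("arn");
    when(awsSecurityTokenService.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(getCallerIdentityResult);
    when(awsClient.createSecurityTokenService(any(AwsCredentialView.class))).thenReturn(awsSecurityTokenService);

    ArgumentCaptor<SimulatePrincipalPolicyRequest> requestArgumentCaptor = ArgumentCaptor.forClass(SimulatePrincipalPolicyRequest.class);
    // Counts the simulate calls so each answer carries distinct action names.
    AtomicInteger i = new AtomicInteger();
    when(amazonIdentityManagement.simulatePrincipalPolicy(requestArgumentCaptor.capture())).thenAnswer(invocation -> {
        SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = new SimulatePrincipalPolicyResult();
        ArrayList<EvaluationResult> evaluationResults = new ArrayList<>();
        evaluationResults.add(new EvaluationResult().withEvalDecision("deny")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("denied_action1_" + i).withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult().withEvalDecision("deny")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("denied_action2_" + i).withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult().withEvalDecision("deny")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("denied_action3_" + i).withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult().withEvalDecision("accept")
                .withOrganizationsDecisionDetail(new OrganizationsDecisionDetail().withAllowedByOrganizations(true))
                .withEvalActionName("accepted_action_" + i).withEvalResourceName("*"));
        simulatePrincipalPolicyResult.setEvaluationResults(evaluationResults);
        i.getAndIncrement();
        return simulatePrincipalPolicyResult;
    });

    try {
        awsCredentialVerifier.validateAws(new AwsCredentialView(cloudCredential), encodedAwsEnvPolicy);
        fail("It shoud throw verification exception");
    } catch (AwsPermissionMissingException e) {
        // Every denied action must be reported; the accepted one must not leak into the message.
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action1"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action2"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action3"));
        assertThat(e.getMessage(), not(CoreMatchers.containsString("accepted_action")));
    }

    List<SimulatePrincipalPolicyRequest> allSimulatePrincipalPolicyRequest = requestArgumentCaptor.getAllValues();
    int simulateRequestNumber = 5;
    assertEquals("expect if " + simulateRequestNumber + " simulate request has been sent", simulateRequestNumber, allSimulatePrincipalPolicyRequest.size());
    allSimulatePrincipalPolicyRequest.forEach(simulatePrincipalPolicyRequest -> assertEquals("arn", simulatePrincipalPolicyRequest.getPolicySourceArn()));
}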
use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
the class AwsCredentialVerifierTest method verifyCredentialAndOrganizatioDecisionDetailIsNullTest.
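/**
 * Same scenario as the fail-exception test, but every simulated evaluation result carries a
 * {@code null} organizations decision detail. The verifier must tolerate that and still throw
 * {@link AwsPermissionMissingException} listing each denied action together with its resource
 * ({@code "<action> : aws:ec2,"}), while leaving the accepted action out. Five simulate requests,
 * all against the mocked caller identity ARN, are expected.
 *
 * @throws IOException if the policy fixture cannot be read from the test resources
 */
@Test
public void verifyCredentialAndOrganizatioDecisionDetailIsNullTest() throws IOException {
    // The fixture is decoded as UTF-8, so encode it with the same charset before base64-encoding;
    // a bare getBytes() would depend on the JVM's platform default charset.
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, Charsets.UTF_8);
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(Charsets.UTF_8));

    // Dummy key material; the AWS clients are mocked below so nothing is ever sent to AWS.
    Map<String, Object> awsParameters = new HashMap<>();
    awsParameters.put("accessKey", "a");
    awsParameters.put("secretKey", "b");
    CloudCredential cloudCredential = new CloudCredential("id", "name", awsParameters, "acc", false);

    AmazonIdentityManagementClient amazonIdentityManagement = mock(AmazonIdentityManagementClient.class);
    when(awsClient.createAmazonIdentityManagement(any(AwsCredentialView.class))).thenReturn(amazonIdentityManagement);

    // STS answers the caller identity lookup with a fixed ARN that every simulate request must reference.
    AmazonSecurityTokenServiceClient awsSecurityTokenService = mock(AmazonSecurityTokenServiceClient.class);
    GetCallerIdentityResult getCallerIdentityResult = new GetCallerIdentityResult();
    getCallerIdentityResult.setArn("arn");
    when(awsSecurityTokenService.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(getCallerIdentityResult);
    when(awsClient.createSecurityTokenService(any(AwsCredentialView.class))).thenReturn(awsSecurityTokenService);

    ArgumentCaptor<SimulatePrincipalPolicyRequest> requestArgumentCaptor = ArgumentCaptor.forClass(SimulatePrincipalPolicyRequest.class);
    // Counts the simulate calls so each answer carries distinct action names.
    AtomicInteger i = new AtomicInteger();
    when(amazonIdentityManagement.simulatePrincipalPolicy(requestArgumentCaptor.capture())).thenAnswer(invocation -> {
        SimulatePrincipalPolicyResult simulatePrincipalPolicyResult = new SimulatePrincipalPolicyResult();
        ArrayList<EvaluationResult> evaluationResults = new ArrayList<>();
        // Organizations decision detail deliberately absent: that is the case under test.
        evaluationResults.add(new EvaluationResult().withEvalDecision("deny").withOrganizationsDecisionDetail(null)
                .withEvalActionName("denied_action1_" + i).withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult().withEvalDecision("deny").withOrganizationsDecisionDetail(null)
                .withEvalActionName("denied_action2_" + i).withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult().withEvalDecision("deny").withOrganizationsDecisionDetail(null)
                .withEvalActionName("denied_action3_" + i).withEvalResourceName("aws:ec2"));
        evaluationResults.add(new EvaluationResult().withEvalDecision("accept").withOrganizationsDecisionDetail(null)
                .withEvalActionName("accepted_action_" + i).withEvalResourceName("*"));
        simulatePrincipalPolicyResult.setEvaluationResults(evaluationResults);
        i.getAndIncrement();
        return simulatePrincipalPolicyResult;
    });

    try {
        awsCredentialVerifier.validateAws(new AwsCredentialView(cloudCredential), encodedAwsEnvPolicy);
        fail("It shoud throw verification exception");
    } catch (AwsPermissionMissingException e) {
        // The first simulate answer (counter 0) must be reported with its resource; the accepted action must not.
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action1_0 : aws:ec2,"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action2_0 : aws:ec2,"));
        assertThat(e.getMessage(), CoreMatchers.containsString("denied_action3_0 : aws:ec2,"));
        assertThat(e.getMessage(), not(CoreMatchers.containsString("accepted_action")));
    }

    List<SimulatePrincipalPolicyRequest> allSimulatePrincipalPolicyRequest = requestArgumentCaptor.getAllValues();
    int simulateRequestNumber = 5;
    assertEquals("expect if " + simulateRequestNumber + " simulate request has been sent", simulateRequestNumber, allSimulatePrincipalPolicyRequest.size());
    allSimulatePrincipalPolicyRequest.forEach(simulatePrincipalPolicyRequest -> assertEquals("arn", simulatePrincipalPolicyRequest.getPolicySourceArn()));
}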
use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
the class AwsNativeResourceConnector method launchLoadBalancers.
/**
 * Creates the elastic load balancer resources of the given stack in the region of the
 * authenticated context, using an ELB client built from the context's credential.
 *
 * @param authenticatedContext the context carrying the cloud credential and the target region
 * @param stack the stack whose load balancers are to be launched
 * @param persistenceNotifier notifier handed on to the launch service for persisting created resources
 * @return the statuses of the load balancer resources, as reported by the launch service
 * @throws Exception propagated from the launch service
 */
@Override
public List<CloudResourceStatus> launchLoadBalancers(AuthenticatedContext authenticatedContext, CloudStack stack, PersistenceNotifier persistenceNotifier) throws Exception {
    LOGGER.info("Launching elastic load balancers");
    String regionName = authenticatedContext.getCloudContext().getLocation().getRegion().value();
    AwsCredentialView credentialView = new AwsCredentialView(authenticatedContext.getCloudCredential());
    AmazonElasticLoadBalancingClient elbClient = commonAwsClient.createElasticLoadBalancingClient(credentialView, regionName);
    // The trailing flag is passed as in the original call; its meaning is defined by the launch service.
    return loadBalancerLaunchService.launchLoadBalancerResources(authenticatedContext, stack, persistenceNotifier, elbClient, true);
}
use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
the class AwsCloudFormationSetup method scalingPrerequisites.
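/**
 * Checks, before an upscale, that every group about to grow is consistent between cloudbreak and AWS.
 * For each group with at least one instance in {@code CREATE_REQUESTED} state, the already-created
 * instances are looked up, their status is checked, the instance set is compared with the backing
 * autoscaling group, and the group's desired capacity is compared with cloudbreak's instance count.
 * Any mismatch aborts the upscale with a {@link CloudConnectorException}. Downscale has no prerequisites.
 *
 * @param ac the authenticated context providing credential, region and account id
 * @param stack the stack being scaled
 * @param upscale {@code true} for an upscale; nothing is checked otherwise
 * @throws CloudConnectorException when an existing instance is in a disallowed state, when the
 *         autoscaling group and cloudbreak disagree about the instance set, or when the desired
 *         capacity differs from cloudbreak's instance count
 */
@Override
public void scalingPrerequisites(AuthenticatedContext ac, CloudStack stack, boolean upscale) {
    if (!upscale) {
        return;
    }
    String regionName = ac.getCloudContext().getLocation().getRegion().value();
    AwsCredentialView awsCredential = new AwsCredentialView(ac.getCloudCredential());
    AmazonCloudFormationClient cloudFormationClient = awsClient.createCloudFormationClient(awsCredential, regionName);
    AmazonAutoScalingClient amazonASClient = awsClient.createAutoScalingClient(awsCredential, regionName);
    // Only groups that actually receive new instances in this upscale are checked.
    List<Group> groups = stack.getGroups().stream()
            .filter(g -> g.getInstances().stream().anyMatch(inst -> InstanceStatus.CREATE_REQUESTED == inst.getTemplate().getStatus()))
            .collect(Collectors.toList());
    // Keyed by the autoscaling group name resolved through CloudFormation, so the describe result can be
    // joined back to the cloudbreak group. toMap fails fast if two groups resolve to the same ASG name.
    Map<String, Group> groupMap = groups.stream()
            .collect(Collectors.toMap(g -> cfStackUtil.getAutoscalingGroupName(ac, cloudFormationClient, g.getName()), g -> g));
    DescribeAutoScalingGroupsResult result = amazonASClient.describeAutoScalingGroups(
            new DescribeAutoScalingGroupsRequest().withAutoScalingGroupNames(groupMap.keySet()));
    for (AutoScalingGroup asg : result.getAutoScalingGroups()) {
        // The describe call was made by name, so every returned ASG is expected to have a map entry.
        Group group = groupMap.get(asg.getAutoScalingGroupName());
        List<CloudInstance> groupInstances = group.getInstances().stream()
                .filter(inst -> InstanceStatus.CREATED.equals(inst.getTemplate().getStatus()))
                .collect(Collectors.toList());
        List<CloudVmInstanceStatus> instanceStatuses = instanceConnector.check(ac, groupInstances);
        if (checkInstanceStatuses(instanceStatuses, ac.getCloudCredential().getAccountId())) {
            String errorMessage = "Not all the existing instances are in allowed state, upscale is not possible!";
            LOGGER.info(errorMessage);
            throw new CloudConnectorException(errorMessage);
        }
        verifyInstancesInSync(asg, groupInstances);
        verifyDesiredCapacity(asg, groupInstances);
    }
}

// Fails the upscale when the autoscaling group and cloudbreak do not know exactly the same instance ids.
private void verifyInstancesInSync(AutoScalingGroup asg, List<CloudInstance> groupInstances) {
    List<Instance> asgOnlyInstances = asg.getInstances().stream()
            .filter(inst -> groupInstances.stream().noneMatch(gi -> gi.getInstanceId().equals(inst.getInstanceId())))
            .collect(Collectors.toList());
    List<CloudInstance> cbOnlyInstances = groupInstances.stream()
            .filter(gi -> asg.getInstances().stream().noneMatch(inst -> inst.getInstanceId().equals(gi.getInstanceId())))
            .collect(Collectors.toList());
    if (!asgOnlyInstances.isEmpty() || !cbOnlyInstances.isEmpty()) {
        String errorMessage = "The instances in the autoscaling group are not in sync with the instances in cloudbreak! Cloudbreak only instances: ["
                + cbOnlyInstances.stream().map(CloudInstance::getInstanceId).collect(Collectors.joining(","))
                + "], AWS only instances: ["
                + asgOnlyInstances.stream().map(Instance::getInstanceId).collect(Collectors.joining(","))
                + "]. Upscale is not possible!";
        LOGGER.info(errorMessage);
        throw new CloudConnectorException(errorMessage);
    }
}

// Fails the upscale when the autoscaling group's desired capacity differs from cloudbreak's created-instance count.
private void verifyDesiredCapacity(AutoScalingGroup asg, List<CloudInstance> groupInstances) {
    if (groupInstances.size() != asg.getDesiredCapacity()) {
        String errorMessage = String.format("The autoscale group's desired instance count is not match with the instance count in the cloudbreak."
                + " Desired count: %d <> cb instance count: %d. Upscale is not possible!", asg.getDesiredCapacity(), groupInstances.size());
        LOGGER.info(errorMessage);
        throw new CloudConnectorException(errorMessage);
    }
}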
use of com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView in project cloudbreak by hortonworks.
the class AwsObjectStorageConnector method validateObjectStorage.
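/**
 * Validates the object storage configuration of a request against AWS IAM, unless the account lacks
 * the AWS cloud storage validation entitlement, in which case the request is accepted unchecked.
 * Validation errors yield an {@code ERROR} response carrying the formatted errors; otherwise an
 * {@code OK} response is returned whose error field carries the formatted warnings, if any.
 *
 * @param request the validation request holding the credential, file system and location bases
 * @return the validation response, never {@code null}
 */
@Override
public ObjectStorageValidateResponse validateObjectStorage(ObjectStorageValidateRequest request) {
    String accountId = Crn.safeFromString(request.getCredential().getId()).getAccountId();
    if (!entitlementService.awsCloudStorageValidationEnabled(accountId)) {
        // Log only the identifying parts of the request: serializing the whole request would also
        // serialize the embedded credential, whose parameters can hold AWS key material.
        LOGGER.info("Aws Cloud storage validation entitlement is missing for account {}, not validating cloudStorageRequest"
                + " with logs location base: {} and backup location base: {}",
                accountId, request.getLogsLocationBase(), request.getBackupLocationBase());
        return ObjectStorageValidateResponse.builder().withStatus(ResponseStatus.OK).build();
    }
    AwsCredentialView awsCredentialView = new AwsCredentialView(request.getCredential());
    AmazonIdentityManagementClient iam = awsClient.createAmazonIdentityManagement(awsCredentialView);
    SpiFileSystem spiFileSystem = request.getSpiFileSystem();
    ValidationResultBuilder resultBuilder = new ValidationResultBuilder();
    resultBuilder.prefix("Cloud Storage validation failed");
    ValidationResult validationResult = awsIDBrokerObjectStorageValidator.validateObjectStorage(
            iam, spiFileSystem, request.getLogsLocationBase(), request.getBackupLocationBase(), resultBuilder);
    if (validationResult.hasError()) {
        return ObjectStorageValidateResponse.builder()
                .withStatus(ResponseStatus.ERROR)
                .withError(validationResult.getFormattedErrors())
                .build();
    }
    // Warnings travel in the error field of an OK response, as the callers expect.
    return ObjectStorageValidateResponse.builder()
            .withStatus(ResponseStatus.OK)
            .withError(validationResult.getFormattedWarnings())
            .build();
}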