Example 1 with CDPServicePolicyVerificationResponses

Use of com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses in project cloudbreak by hortonworks.

From the class AwsCredentialConnectorTest, method testVerifyByServiceIfRoleBasedCredentialVerificationThrowsAmazonClientExceptionThenFailed503StatusShouldReturn. The test checks that when the AWS SDK rejects the role-based credential with an AmazonClientException, the connector does not propagate the exception but reports a failed (503) status for every requested service, carrying the error message derived from the SDK exception.

@Test
public void testVerifyByServiceIfRoleBasedCredentialVerificationThrowsAmazonClientExceptionThenFailed503StatusShouldReturn() throws IOException {
    // Load the minimal IAM policy the "ml" service requires and Base64-encode it, as the API expects
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, UTF_8);
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(UTF_8));
    List<String> services = List.of("ml");
    Map<String, String> experiencePrerequisites = Map.of("ml", encodedAwsEnvPolicy);
    // Role-based credential: only a role ARN is configured, no access/secret key pair
    String roleArn = "someRoleArn";
    when(credentialView.getRoleArn()).thenReturn(roleArn);
    String exceptionMessageComesFromSdk = "Unable to verify AWS credential due to: 'SomethingTerribleHappened'";
    Exception sdkException = new AmazonClientException("SomethingTerribleHappened");
    when(awsPlatformParameters.getEnvironmentMinimalPoliciesJson()).thenReturn(Map.of(PolicyType.PUBLIC, encodedAwsEnvPolicy, PolicyType.GOV, encodedAwsEnvPolicy));
    // Simulate the SDK failing to assume the role (e.g. STS rejects the request)
    when(credentialClient.retrieveSessionCredentials(any())).thenThrow(sdkException);
    CDPServicePolicyVerificationResponses result = underTest.verifyByServices(authenticatedContext, services, experiencePrerequisites);
    // One response per requested service, each marked failed with the SDK-derived message and status 503
    assertNotNull(result);
    assertEquals(1, result.getResults().size());
    assertEquals("ml", result.getResults().stream().findFirst().get().getServiceName());
    assertEquals(exceptionMessageComesFromSdk, result.getResults().stream().findFirst().get().getServiceStatus());
    assertEquals(503, result.getResults().stream().findFirst().get().getStatusCode());
}
Also used : AmazonClientException(com.amazonaws.AmazonClientException) CDPServicePolicyVerificationResponses(com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses) URL(java.net.URL) SdkBaseException(com.amazonaws.SdkBaseException) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) ExpectedException(org.junit.rules.ExpectedException) IOException(java.io.IOException) AwsConfusedDeputyException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsConfusedDeputyException) AmazonClientException(com.amazonaws.AmazonClientException) Test(org.junit.Test)

Example 2 with CDPServicePolicyVerificationResponses

Use of com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses in project cloudbreak by hortonworks.

From the class AwsCredentialConnectorTest, method testVerifyByServiceIfRoleBasedCredentialVerificationThrowsSdkBaseExceptionThenFailed503StatusShouldReturn. Here the SDK throws a generic SdkBaseException (not an AmazonClientException), so the connector falls through to its RuntimeException handler and wraps the cause in a message that points the operator at the role ARN and the external ID.

@Test
public void testVerifyByServiceIfRoleBasedCredentialVerificationThrowsSdkBaseExceptionThenFailed503StatusShouldReturn() throws IOException {
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, UTF_8);
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(UTF_8));
    List<String> services = List.of("ml");
    Map<String, String> experiencePrerequisites = Map.of("ml", encodedAwsEnvPolicy);
    String roleArn = "someRoleArn";
    when(credentialView.getRoleArn()).thenReturn(roleArn);
    String exceptionMessageComesFromSdk = "SomethingTerribleHappened!";
    // The generic handler wraps the SDK message and names the role ARN and external ID as the things to check
    String expectedExceptionMessage = String.format("Unable to verify credential: check if the role '%s' exists and it's created with the correct "
            + "external ID. Cause: '%s'", roleArn, exceptionMessageComesFromSdk);
    Exception sdkException = new SdkBaseException(exceptionMessageComesFromSdk);
    when(awsPlatformParameters.getEnvironmentMinimalPoliciesJson()).thenReturn(Map.of(PolicyType.PUBLIC, encodedAwsEnvPolicy, PolicyType.GOV, encodedAwsEnvPolicy));
    when(credentialClient.retrieveSessionCredentials(any())).thenThrow(sdkException);
    CDPServicePolicyVerificationResponses result = underTest.verifyByServices(authenticatedContext, services, experiencePrerequisites);
    assertNotNull(result);
    assertEquals(1, result.getResults().size());
    assertEquals("ml", result.getResults().stream().findFirst().get().getServiceName());
    assertEquals(expectedExceptionMessage, result.getResults().stream().findFirst().get().getServiceStatus());
    assertEquals(503, result.getResults().stream().findFirst().get().getStatusCode());
}
Also used : SdkBaseException(com.amazonaws.SdkBaseException) CDPServicePolicyVerificationResponses(com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses) URL(java.net.URL) SdkBaseException(com.amazonaws.SdkBaseException) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) ExpectedException(org.junit.rules.ExpectedException) IOException(java.io.IOException) AwsConfusedDeputyException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsConfusedDeputyException) AmazonClientException(com.amazonaws.AmazonClientException) Test(org.junit.Test)

Example 3 with CDPServicePolicyVerificationResponses

Use of com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses in project cloudbreak by hortonworks.

From the class AwsCredentialConnectorTest, method testVerifyByServiceIfOnlyKeyBasedCredentialWithAccessKeyAndRoleBasedNOTDefinedShouldThrowException. This covers a key-based credential that is only half configured: an access key is present but neither a secret key nor a role ARN, so verification must fail before any AWS call is made.

@Test
public void testVerifyByServiceIfOnlyKeyBasedCredentialWithAccessKeyAndRoleBasedNOTDefinedShouldThrowException() throws IOException {
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, UTF_8);
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(UTF_8));
    List<String> services = List.of("ml");
    Map<String, String> experiencePrerequisites = Map.of("ml", encodedAwsEnvPolicy);
    // Incomplete key-based credential: access key set, secret key and role ARN both absent
    String roleArn = "someRoleArn";
    when(credentialView.getAccessKey()).thenReturn(roleArn);
    when(credentialView.getRoleArn()).thenReturn(null);
    when(credentialView.getSecretKey()).thenReturn(null);
    String exceptionMessageComesFromSdk = "Please provide both the 'access' and 'secret key'";
    when(awsPlatformParameters.getEnvironmentMinimalPoliciesJson()).thenReturn(Map.of(PolicyType.PUBLIC, encodedAwsEnvPolicy, PolicyType.GOV, encodedAwsEnvPolicy));
    // No credentialClient stubbing: the connector must reject the credential without contacting AWS
    CDPServicePolicyVerificationResponses result = underTest.verifyByServices(authenticatedContext, services, experiencePrerequisites);
    assertNotNull(result);
    assertEquals(1, result.getResults().size());
    assertEquals("ml", result.getResults().stream().findFirst().get().getServiceName());
    assertEquals(exceptionMessageComesFromSdk, result.getResults().stream().findFirst().get().getServiceStatus());
    assertEquals(503, result.getResults().stream().findFirst().get().getStatusCode());
}
Also used : CDPServicePolicyVerificationResponses(com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses) URL(java.net.URL) Test(org.junit.Test)

Example 4 with CDPServicePolicyVerificationResponses

Use of com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses in project cloudbreak by hortonworks.

From the class AwsCredentialConnectorTest, method testVerifyByServiceIfRoleBasedCredentialVerificationThrowsAwsConfusedDeputyExceptionThenFailed503StatusShouldReturn. AwsConfusedDeputyException is the connector's own signal that the role could not be assumed safely (the external-ID check, which is what protects against the confused-deputy problem, did not pass); the test verifies that its message is surfaced unchanged with a 503 status rather than being wrapped by the generic handler.

@Test
public void testVerifyByServiceIfRoleBasedCredentialVerificationThrowsAwsConfusedDeputyExceptionThenFailed503StatusShouldReturn() throws IOException {
    URL url = Resources.getResource("definitions/aws-environment-minimal-policy.json");
    String awsEnvPolicy = Resources.toString(url, UTF_8);
    String encodedAwsEnvPolicy = Base64.getEncoder().encodeToString(awsEnvPolicy.getBytes(UTF_8));
    List<String> services = List.of("ml");
    Map<String, String> experiencePrerequisites = Map.of("ml", encodedAwsEnvPolicy);
    String roleArn = "someRoleArn";
    when(credentialView.getRoleArn()).thenReturn(roleArn);
    // Not asserted below: the confused-deputy branch returns the exception message as-is, without this wrapping
    String exceptionMessageComesFromSdk = "Unable to verify credential: check if the role 'someRoleArn' exists "
            + "and it's created with the correct external ID. Cause: 'SomethingTerribleHappened!'";
    Exception sdkException = new AwsConfusedDeputyException("SomethingTerribleHappened");
    when(awsPlatformParameters.getEnvironmentMinimalPoliciesJson()).thenReturn(Map.of(PolicyType.PUBLIC, encodedAwsEnvPolicy, PolicyType.GOV, encodedAwsEnvPolicy));
    when(credentialClient.retrieveSessionCredentials(any())).thenThrow(sdkException);
    CDPServicePolicyVerificationResponses result = underTest.verifyByServices(authenticatedContext, services, experiencePrerequisites);
    assertNotNull(result);
    assertEquals(1, result.getResults().size());
    assertEquals("ml", result.getResults().stream().findFirst().get().getServiceName());
    // The AwsConfusedDeputyException message is passed through unchanged
    assertEquals("SomethingTerribleHappened", result.getResults().stream().findFirst().get().getServiceStatus());
    assertEquals(503, result.getResults().stream().findFirst().get().getStatusCode());
}
Also used : CDPServicePolicyVerificationResponses(com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses) AwsConfusedDeputyException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsConfusedDeputyException) URL(java.net.URL) SdkBaseException(com.amazonaws.SdkBaseException) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) ExpectedException(org.junit.rules.ExpectedException) IOException(java.io.IOException) AwsConfusedDeputyException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsConfusedDeputyException) AmazonClientException(com.amazonaws.AmazonClientException) Test(org.junit.Test)

Example 5 with CDPServicePolicyVerificationResponses

Use of com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses in project cloudbreak by hortonworks.

From the class AwsCredentialConnector, method verifyIamRoleIsAssumable. This is the production method exercised by the tests above: it tries to assume the configured IAM role, verifies the resulting credentials against each requested service's minimal policy, and converts every failure mode into a per-service status response instead of letting the exception escape.

private CDPServicePolicyVerificationResponses verifyIamRoleIsAssumable(CloudCredential cloudCredential, List<String> services, Map<String, String> experiencePrerequisites) {
    AwsCredentialView awsCredential = credentialViewProvider.createAwsCredentialView(cloudCredential);
    CDPServicePolicyVerificationResponses credentialStatus;
    // Pair each requested service with the (Base64-encoded) minimal policy it needs
    Map<String, String> servicesWithPolicies = new HashMap<>();
    services.forEach(service -> experiencePrerequisites.keySet().stream()
            .filter(AwsCredentialConnector::isPolicyServiceMatchesForName)
            .findFirst()
            .ifPresent(policyKey -> servicesWithPolicies.put(service, experiencePrerequisites.get(policyKey))));
    try {
        // Assume the role first; only then simulate the policies with the session credentials
        credentialClient.retrieveSessionCredentials(awsCredential);
        credentialStatus = verifyCredentialsPermission(awsCredential, servicesWithPolicies);
    } catch (AmazonClientException ae) {
        // SDK-level failure (STS rejected the AssumeRole call, network error, etc.)
        String errorMessage = getErrorMessageForAwsClientException(awsCredential, ae);
        LOGGER.warn(errorMessage, ae);
        credentialStatus = new CDPServicePolicyVerificationResponses(getServiceStatus(services, errorMessage));
    } catch (AwsConfusedDeputyException confusedDeputyEx) {
        // External-ID check failed: report the connector's own message verbatim
        credentialStatus = new CDPServicePolicyVerificationResponses(getServiceStatus(services, confusedDeputyEx.getMessage()));
    } catch (RuntimeException e) {
        // Anything else: point the operator at the role ARN and the external ID configuration
        String errorMessage = String.format("Unable to verify credential: check if the role '%s' exists and it's created with the correct external ID. "
                + "Cause: '%s'", awsCredential.getRoleArn(), e.getMessage());
        LOGGER.warn(errorMessage, e);
        credentialStatus = new CDPServicePolicyVerificationResponses(getServiceStatus(services, errorMessage));
    }
    return credentialStatus;
}
Also used : AwsCredentialView(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView) CDPServicePolicyVerificationResponse(com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponse) CloudContext(com.sequenceiq.cloudbreak.cloud.context.CloudContext) LoggerFactory(org.slf4j.LoggerFactory) HashMap(java.util.HashMap) StringUtils(org.apache.commons.lang3.StringUtils) StringUtils.isNotEmpty(org.apache.commons.lang3.StringUtils.isNotEmpty) AwsPermissionMissingException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException) HashSet(java.util.HashSet) Inject(javax.inject.Inject) Value(org.springframework.beans.factory.annotation.Value) Strings(com.google.common.base.Strings) AwsCredentialViewProvider(com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialViewProvider) StringUtils.isNoneEmpty(org.apache.commons.lang3.StringUtils.isNoneEmpty) AuthenticatedContext(com.sequenceiq.cloudbreak.cloud.context.AuthenticatedContext) Service(org.springframework.stereotype.Service) Map(java.util.Map) CredentialPrerequisitesResponse(com.sequenceiq.cloudbreak.cloud.response.CredentialPrerequisitesResponse) CredentialType(com.sequenceiq.common.model.CredentialType) StringUtils.isEmpty(org.apache.commons.lang3.StringUtils.isEmpty) CDPServicePolicyVerificationResponses(com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses) Logger(org.slf4j.Logger) CredentialVerificationContext(com.sequenceiq.cloudbreak.cloud.model.credential.CredentialVerificationContext) Set(java.util.Set) AwsCredentialPrerequisites(com.sequenceiq.cloudbreak.cloud.response.AwsCredentialPrerequisites) CloudCredential(com.sequenceiq.cloudbreak.cloud.model.CloudCredential) CredentialStatus(com.sequenceiq.cloudbreak.cloud.model.CredentialStatus) CredentialConnector(com.sequenceiq.cloudbreak.cloud.CredentialConnector) AwsConfusedDeputyException(com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsConfusedDeputyException) PERMISSIONS_MISSING(com.sequenceiq.cloudbreak.cloud.model.CredentialStatus.PERMISSIONS_MISSING) List(java.util.List) CloudCredentialStatus(com.sequenceiq.cloudbreak.cloud.model.CloudCredentialStatus) PolicyServiceName(com.sequenceiq.cloudbreak.experience.PolicyServiceName) AmazonClientException(com.amazonaws.AmazonClientException)

Aggregations

CDPServicePolicyVerificationResponses (com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponses)12 AwsPermissionMissingException (com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsPermissionMissingException)7 Test (org.junit.Test)7 AmazonClientException (com.amazonaws.AmazonClientException)6 AwsConfusedDeputyException (com.sequenceiq.cloudbreak.cloud.aws.common.exception.AwsConfusedDeputyException)6 URL (java.net.URL)6 SdkBaseException (com.amazonaws.SdkBaseException)5 IOException (java.io.IOException)5 ExpectedException (org.junit.rules.ExpectedException)5 CloudCredential (com.sequenceiq.cloudbreak.cloud.model.CloudCredential)3 AwsCredentialView (com.sequenceiq.cloudbreak.cloud.aws.common.view.AwsCredentialView)2 AuthenticatedContext (com.sequenceiq.cloudbreak.cloud.context.AuthenticatedContext)2 CloudContext (com.sequenceiq.cloudbreak.cloud.context.CloudContext)2 CDPServicePolicyVerificationException (com.sequenceiq.cloudbreak.cloud.event.credential.CDPServicePolicyVerificationException)2 CDPServicePolicyVerificationRequest (com.sequenceiq.cloudbreak.cloud.event.credential.CDPServicePolicyVerificationRequest)2 CDPServicePolicyVerificationResult (com.sequenceiq.cloudbreak.cloud.event.credential.CDPServicePolicyVerificationResult)2 CDPServicePolicyVerificationResponse (com.sequenceiq.cloudbreak.cloud.model.CDPServicePolicyVerificationResponse)2 HashMap (java.util.HashMap)2 HashSet (java.util.HashSet)2 Map (java.util.Map)2