use of com.sequenceiq.cloudbreak.cloud.model.encryption.CreatedDiskEncryptionSet in project cloudbreak by hortonworks.
the class AzureEncryptionResources method createDiskEncryptionSet.
@Override
public CreatedDiskEncryptionSet createDiskEncryptionSet(DiskEncryptionSetCreationRequest diskEncryptionSetCreationRequest) {
try {
String vaultName;
AuthenticatedContext authenticatedContext = azureClientService.createAuthenticatedContext(diskEncryptionSetCreationRequest.getCloudContext(), diskEncryptionSetCreationRequest.getCloudCredential());
AzureClient azureClient = authenticatedContext.getParameter(AzureClient.class);
Matcher matcher = ENCRYPTION_KEY_URL_VAULT_NAME.matcher(diskEncryptionSetCreationRequest.getEncryptionKeyUrl());
if (matcher.matches()) {
vaultName = matcher.group(1);
} else {
throw new IllegalArgumentException("vaultName cannot be fetched from encryptionKeyUrl. encryptionKeyUrl should be of format - " + "'https://<vaultName>.vault.azure.net/keys/<keyName>/<keyVersion>'");
}
boolean singleResourceGroup = Boolean.TRUE;
String vaultResourceGroupName = diskEncryptionSetCreationRequest.getEncryptionKeyResourceGroupName();
String desResourceGroupName = diskEncryptionSetCreationRequest.getDiskEncryptionSetResourceGroupName();
if (StringUtils.isEmpty(desResourceGroupName)) {
if (StringUtils.isEmpty(vaultResourceGroupName)) {
throw new IllegalArgumentException("Encryption key resource group name should be present if resource group is not provided during " + "environment creation. At least one of --resource-group-name or --encryption-key-resource-group-name should be specified.");
}
singleResourceGroup = Boolean.FALSE;
desResourceGroupName = azureUtils.generateResourceGroupNameByNameAndId(String.format("%s-CDP_DES-", diskEncryptionSetCreationRequest.getCloudContext().getName()), diskEncryptionSetCreationRequest.getId());
}
String sourceVaultId = String.format("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s", azureClient.getCurrentSubscription().subscriptionId(), vaultResourceGroupName, vaultName);
// If keyVault is wrong or user lacks permissions to access it, granting access permissions to this keyVault for DES would fail.
if (!azureClient.keyVaultExists(vaultResourceGroupName, vaultName)) {
throw new IllegalArgumentException(String.format("Vault with name \"%s\" either does not exist or user does not have permissions to " + "access it. Kindly check if the vault & encryption key exists and correct encryption key URL is specified.", vaultName));
}
CreatedDiskEncryptionSet diskEncryptionSet = getOrCreateDiskEncryptionSetOnCloud(authenticatedContext, azureClient, desResourceGroupName, sourceVaultId, diskEncryptionSetCreationRequest, singleResourceGroup);
// The existence of the DES SP cannot be easily checked. That would need powerful special AD API permissions for the credential app itself that
// most customers would never grant. Though there is a system assigned managed identity as well sitting behind the SP, querying the properties of
// this identity (in order to check its existence) would also need an additional powerful Action for the role assigned to the credential app.
grantKeyVaultAccessPolicyToDiskEncryptionSetServicePrincipal(azureClient, vaultResourceGroupName, vaultName, desResourceGroupName, diskEncryptionSet.getDiskEncryptionSetName(), diskEncryptionSet.getDiskEncryptionSetPrincipalObjectId());
return diskEncryptionSet;
} catch (Exception e) {
LOGGER.error("Disk Encryption Set creation failed, request=" + diskEncryptionSetCreationRequest, e);
throw azureUtils.convertToCloudConnectorException(e, "Disk Encryption Set creation");
}
}
use of com.sequenceiq.cloudbreak.cloud.model.encryption.CreatedDiskEncryptionSet in project cloudbreak by hortonworks.
the class EnvironmentModificationServiceTest method testUpdateAzureResourceEncryptionParametersByEnvironmentName.
@Test
void testUpdateAzureResourceEncryptionParametersByEnvironmentName() {
UpdateAzureResourceEncryptionDto updateAzureResourceEncryptionDto = UpdateAzureResourceEncryptionDto.builder().withAzureResourceEncryptionParametersDto(AzureResourceEncryptionParametersDto.builder().withEncryptionKeyUrl("dummyKeyUrl").withEncryptionKeyResourceGroupName("dummyResourceGroupName").build()).build();
CreatedDiskEncryptionSet createdDiskEncryptionSet = new CreatedDiskEncryptionSet.Builder().withDiskEncryptionSetId("dummyId").build();
Environment env = new Environment();
env.setParameters(new AzureParameters());
when(environmentService.getValidatorService()).thenReturn(validatorService);
when(environmentService.findByNameAndAccountIdAndArchivedIsFalse(eq(ENVIRONMENT_NAME), eq(ACCOUNT_ID))).thenReturn(Optional.of(env));
when(validatorService.validateEncryptionKeyUrl(any(String.class), any(String.class))).thenReturn(ValidationResult.builder().build());
when(environmentDtoConverter.environmentToDto(env)).thenReturn(new EnvironmentDto());
when(environmentEncryptionService.createEncryptionResources(any(EnvironmentDto.class))).thenReturn(createdDiskEncryptionSet);
environmentModificationServiceUnderTest.updateAzureResourceEncryptionParametersByEnvironmentName(ACCOUNT_ID, ENVIRONMENT_NAME, updateAzureResourceEncryptionDto);
ArgumentCaptor<AzureParameters> azureParametersArgumentCaptor = ArgumentCaptor.forClass(AzureParameters.class);
verify(azureParametersRepository).save(azureParametersArgumentCaptor.capture());
assertEquals("dummyKeyUrl", azureParametersArgumentCaptor.getValue().getEncryptionKeyUrl());
assertEquals("dummyResourceGroupName", azureParametersArgumentCaptor.getValue().getEncryptionKeyResourceGroupName());
}
use of com.sequenceiq.cloudbreak.cloud.model.encryption.CreatedDiskEncryptionSet in project cloudbreak by hortonworks.
the class AzureEncryptionResourcesTest method testCreateDiskEncryptionSetShouldReturnNewlyCreatedDiskEncryptionSetIfNotAlreadyExistsAndCreateNewResourceGroupWhenIsNotSingleResourceGroup.
@Test
public void testCreateDiskEncryptionSetShouldReturnNewlyCreatedDiskEncryptionSetIfNotAlreadyExistsAndCreateNewResourceGroupWhenIsNotSingleResourceGroup() {
DiskEncryptionSetCreationRequest requestedSet = new DiskEncryptionSetCreationRequest.Builder().withId("uniqueId").withCloudContext(cloudContext).withCloudCredential(cloudCredential).withEncryptionKeyResourceGroupName("dummyResourceGroup").withDiskEncryptionSetResourceGroupName(null).withTags(new HashMap<>()).withEncryptionKeyUrl("https://dummyVaultName.vault.azure.net/keys/dummyKeyName/dummyKeyVersion").build();
EncryptionSetIdentity identity = new EncryptionSetIdentity().withType(DiskEncryptionSetIdentityType.SYSTEM_ASSIGNED);
ReflectionTestUtils.setField(identity, "principalId", DES_PRINCIPAL_ID);
DiskEncryptionSetInner des = (DiskEncryptionSetInner) new DiskEncryptionSetInner().withEncryptionType(DiskEncryptionSetType.ENCRYPTION_AT_REST_WITH_CUSTOMER_KEY).withActiveKey(new KeyForDiskEncryptionSet().withKeyUrl("https://dummyVaultName.vault.azure.net/keys/dummyKeyName/dummyKeyVersion").withSourceVault(new SourceVault().withId("/subscriptions/dummySubs/resourceGroups/dummyResourceGroup/providers/Microsoft.KeyVault/vaults/dummyVaultName"))).withIdentity(identity).withLocation("dummyRegion").withTags(new HashMap<>());
ResourceGroup resourceGroup = mock(ResourceGroup.class);
ReflectionTestUtils.setField(des, "id", DES_RESOURCE_ID);
Subscription subscription = mock(Subscription.class);
when(persistenceNotifier.notifyAllocation(any(CloudResource.class), eq(cloudContext))).thenReturn(new ResourcePersisted());
when(subscription.subscriptionId()).thenReturn("dummySubscriptionId");
when(azureUtils.generateDesNameByNameAndId(any(String.class), any(String.class))).thenReturn("dummyEnvName-DES-uniqueId");
when(azureClientService.createAuthenticatedContext(cloudContext, cloudCredential)).thenReturn(authenticatedContext);
when(authenticatedContext.getParameter(AzureClient.class)).thenReturn(azureClient);
when(azureClient.getCurrentSubscription()).thenReturn(subscription);
when(azureClient.getDiskEncryptionSetByName(any(String.class), any(String.class))).thenReturn(null);
when(azureUtils.generateResourceGroupNameByNameAndId(any(String.class), any(String.class))).thenReturn("envName-CDP_DES-uniqueId");
when(azureClient.resourceGroupExists(eq("envName-CDP_DES-uniqueId"))).thenReturn(Boolean.FALSE);
when(azureClient.createResourceGroup(eq("envName-CDP_DES-uniqueId"), eq("dummyRegion"), any(HashMap.class))).thenReturn(resourceGroup);
when(azureClient.createDiskEncryptionSet(any(String.class), any(String.class), any(String.class), any(String.class), any(String.class), any(Map.class))).thenReturn(des);
when(azureClient.keyVaultExists("dummyResourceGroup", "dummyVaultName")).thenReturn(Boolean.TRUE);
when(azureClient.checkKeyVaultAccessPolicyForServicePrincipal("dummyResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID)).thenReturn(true);
initRetry();
// Return the same DES instance to simulate that the poller checker task instantly completed
when(diskEncryptionSetCreationPoller.startPolling(eq(authenticatedContext), any(DiskEncryptionSetCreationCheckerContext.class), eq(des))).thenReturn(des);
CreatedDiskEncryptionSet createdDes = underTest.createDiskEncryptionSet(requestedSet);
assertEquals(createdDes.getDiskEncryptionSetLocation(), "dummyRegion");
assertEquals(createdDes.getDiskEncryptionSetResourceGroupName(), "envName-CDP_DES-uniqueId");
verify(azureClient).grantKeyVaultAccessPolicyToServicePrincipal("dummyResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID);
verify(azureClient).checkKeyVaultAccessPolicyForServicePrincipal("dummyResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID);
verify(azureClient).createResourceGroup(eq("envName-CDP_DES-uniqueId"), eq("dummyRegion"), any(HashMap.class));
verifyPersistedResourceGroupAndDiskEncryptionSetCloudResource(resourceGroup.id());
}
use of com.sequenceiq.cloudbreak.cloud.model.encryption.CreatedDiskEncryptionSet in project cloudbreak by hortonworks.
the class AzureEncryptionResourcesTest method testCreateDiskEncryptionSetShouldReturnNewlyCreatedDiskEncryptionSetWhenDesAndVaultResourceGroupAreDifferentAndDesNotAlreadyExists.
@Test
public void testCreateDiskEncryptionSetShouldReturnNewlyCreatedDiskEncryptionSetWhenDesAndVaultResourceGroupAreDifferentAndDesNotAlreadyExists() {
DiskEncryptionSetCreationRequest requestedSet = new DiskEncryptionSetCreationRequest.Builder().withId("uniqueId").withCloudContext(cloudContext).withCloudCredential(cloudCredential).withDiskEncryptionSetResourceGroupName("dummyResourceGroup").withEncryptionKeyResourceGroupName("dummyVaultResourceGroup").withTags(new HashMap<>()).withEncryptionKeyUrl("https://dummyVaultName.vault.azure.net/keys/dummyKeyName/dummyKeyVersion").build();
EncryptionSetIdentity identity = new EncryptionSetIdentity().withType(DiskEncryptionSetIdentityType.SYSTEM_ASSIGNED);
ReflectionTestUtils.setField(identity, "principalId", DES_PRINCIPAL_ID);
DiskEncryptionSetInner des = (DiskEncryptionSetInner) new DiskEncryptionSetInner().withEncryptionType(DiskEncryptionSetType.ENCRYPTION_AT_REST_WITH_CUSTOMER_KEY).withActiveKey(new KeyForDiskEncryptionSet().withKeyUrl("https://dummyVaultName.vault.azure.net/keys/dummyKeyName/dummyKeyVersion").withSourceVault(new SourceVault().withId("/subscriptions/dummySubs/resourceGroups/dummyVaultResourceGroup/providers/Microsoft.KeyVault/vaults/dummyVaultName"))).withIdentity(identity).withLocation("dummyRegion").withTags(new HashMap<>());
ReflectionTestUtils.setField(des, "id", DES_RESOURCE_ID);
Subscription subscription = mock(Subscription.class);
when(persistenceNotifier.notifyAllocation(any(CloudResource.class), eq(cloudContext))).thenReturn(new ResourcePersisted());
when(subscription.subscriptionId()).thenReturn("dummySubscriptionId");
when(azureUtils.generateDesNameByNameAndId(any(String.class), any(String.class))).thenReturn("dummyEnvName-DES-uniqueId");
when(azureClientService.createAuthenticatedContext(cloudContext, cloudCredential)).thenReturn(authenticatedContext);
when(authenticatedContext.getParameter(AzureClient.class)).thenReturn(azureClient);
when(azureClient.getCurrentSubscription()).thenReturn(subscription);
when(azureClient.getDiskEncryptionSetByName(any(String.class), any(String.class))).thenReturn(null);
when(azureClient.createDiskEncryptionSet(any(String.class), any(String.class), any(String.class), any(String.class), any(String.class), any(Map.class))).thenReturn(des);
when(azureClient.checkKeyVaultAccessPolicyForServicePrincipal("dummyVaultResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID)).thenReturn(true);
initRetry();
// Return the same DES instance to simulate that the poller checker task instantly completed
when(diskEncryptionSetCreationPoller.startPolling(eq(authenticatedContext), any(DiskEncryptionSetCreationCheckerContext.class), eq(des))).thenReturn(des);
when(azureClient.keyVaultExists("dummyVaultResourceGroup", "dummyVaultName")).thenReturn(Boolean.TRUE);
CreatedDiskEncryptionSet createdDes = underTest.createDiskEncryptionSet(requestedSet);
assertEquals(createdDes.getDiskEncryptionSetLocation(), "dummyRegion");
assertEquals(createdDes.getDiskEncryptionSetResourceGroupName(), "dummyResourceGroup");
verify(azureClient).grantKeyVaultAccessPolicyToServicePrincipal("dummyVaultResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID);
verify(azureClient).checkKeyVaultAccessPolicyForServicePrincipal("dummyVaultResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID);
verifyPersistedCloudResource();
}
use of com.sequenceiq.cloudbreak.cloud.model.encryption.CreatedDiskEncryptionSet in project cloudbreak by hortonworks.
the class AzureEncryptionResourcesTest method testCreateDiskEncryptionSetShouldReturnExistingDiskEncryptionSetWithPolling.
@Test
public void testCreateDiskEncryptionSetShouldReturnExistingDiskEncryptionSetWithPolling() {
DiskEncryptionSetCreationRequest requestedSet = new DiskEncryptionSetCreationRequest.Builder().withId("uniqueId").withCloudContext(cloudContext).withCloudCredential(cloudCredential).withDiskEncryptionSetResourceGroupName("dummyResourceGroup").withEncryptionKeyResourceGroupName("dummyResourceGroup").withTags(new HashMap<>()).withEncryptionKeyUrl("https://dummyVaultName.vault.azure.net/keys/dummyKeyName/dummyKeyVersion").build();
DiskEncryptionSetInner desInitial = (DiskEncryptionSetInner) new DiskEncryptionSetInner().withEncryptionType(DiskEncryptionSetType.ENCRYPTION_AT_REST_WITH_CUSTOMER_KEY).withActiveKey(new KeyForDiskEncryptionSet().withKeyUrl("https://dummyVaultName.vault.azure.net/keys/dummyKeyName/dummyKeyVersion").withSourceVault(new SourceVault().withId("/subscriptions/dummySubs/resourceGroups/dummyResourceGroup/providers/Microsoft.KeyVault/vaults/dummyVaultName"))).withIdentity(new EncryptionSetIdentity().withType(DiskEncryptionSetIdentityType.SYSTEM_ASSIGNED)).withLocation("dummyRegion").withTags(new HashMap<>());
ReflectionTestUtils.setField(desInitial, "id", DES_RESOURCE_ID);
EncryptionSetIdentity identity = new EncryptionSetIdentity().withType(DiskEncryptionSetIdentityType.SYSTEM_ASSIGNED);
ReflectionTestUtils.setField(identity, "principalId", DES_PRINCIPAL_ID);
DiskEncryptionSetInner desAfterPolling = (DiskEncryptionSetInner) new DiskEncryptionSetInner().withEncryptionType(DiskEncryptionSetType.ENCRYPTION_AT_REST_WITH_CUSTOMER_KEY).withActiveKey(new KeyForDiskEncryptionSet().withKeyUrl("https://dummyVaultName.vault.azure.net/keys/dummyKeyName/dummyKeyVersion").withSourceVault(new SourceVault().withId("/subscriptions/dummySubs/resourceGroups/dummyResourceGroup/providers/Microsoft.KeyVault/vaults/dummyVaultName"))).withIdentity(identity).withLocation("dummyRegion").withTags(new HashMap<>());
ReflectionTestUtils.setField(desAfterPolling, "id", DES_RESOURCE_ID);
Subscription subscription = mock(Subscription.class);
when(persistenceNotifier.notifyAllocation(any(CloudResource.class), eq(cloudContext))).thenReturn(new ResourcePersisted());
when(subscription.subscriptionId()).thenReturn("dummySubscriptionId");
when(azureUtils.generateDesNameByNameAndId(any(String.class), any(String.class))).thenReturn("dummyEnvName-DES-uniqueId");
when(azureClientService.createAuthenticatedContext(cloudContext, cloudCredential)).thenReturn(authenticatedContext);
when(authenticatedContext.getParameter(AzureClient.class)).thenReturn(azureClient);
when(azureClient.getCurrentSubscription()).thenReturn(subscription);
when(azureClient.getDiskEncryptionSetByName(any(String.class), any(String.class))).thenReturn(desInitial);
when(azureClient.checkKeyVaultAccessPolicyForServicePrincipal(any(String.class), any(String.class), any(String.class))).thenReturn(true);
initRetry();
// Return a different DES instance to simulate that the poller checker task initially indicated incomplete, hence the final DES was obtained by the
// scheduled execution of the poller
when(diskEncryptionSetCreationPoller.startPolling(eq(authenticatedContext), any(DiskEncryptionSetCreationCheckerContext.class), eq(desInitial))).thenReturn(desAfterPolling);
when(azureClient.keyVaultExists("dummyResourceGroup", "dummyVaultName")).thenReturn(Boolean.TRUE);
CreatedDiskEncryptionSet createdDes = underTest.createDiskEncryptionSet(requestedSet);
assertEquals(createdDes.getDiskEncryptionSetLocation(), "dummyRegion");
assertEquals(createdDes.getDiskEncryptionSetResourceGroupName(), "dummyResourceGroup");
assertThat(createdDes.getDiskEncryptionSetId()).isEqualTo(DES_RESOURCE_ID);
verify(azureClient, never()).createDiskEncryptionSet(any(String.class), any(String.class), any(String.class), any(String.class), any(String.class), any(Map.class));
verify(azureClient).grantKeyVaultAccessPolicyToServicePrincipal("dummyResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID);
verify(azureClient).checkKeyVaultAccessPolicyForServicePrincipal("dummyResourceGroup", "dummyVaultName", DES_PRINCIPAL_ID);
verifyPersistedCloudResource();
}
Aggregations