use of org.finra.herd.service.helper.AwsPolicyBuilder in project herd by FINRAOS.
the class StorageUnitServiceImpl method getBusinessObjectDataS3Credential.
/**
* Creates and returns a set of AWS credentials which can be used to access the S3 object indicated by the given business object data and storage.
*
* @param businessObjectDataKey Business object data key
* @param createNewVersion true to create credentials for the next version up from the latest business object data, otherwise, uses specified data version
* in data key.
* @param storageName Name of storage to access
* @param isUpload true if this credential is to upload, false to download
*
* @return Credentials which has the permissions to perform the specified actions at the specified storage.
*/
private AwsCredential getBusinessObjectDataS3Credential(BusinessObjectDataKey businessObjectDataKey, Boolean createNewVersion, String storageName, boolean isUpload) {
Assert.isTrue(StringUtils.isNotBlank(storageName), "storageName must be specified");
Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() != null || createNewVersion != null, "One of businessObjectDataVersion or createNewVersion must be specified.");
Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() == null || !Boolean.TRUE.equals(createNewVersion), "createNewVersion must be false or unspecified when businessObjectDataVersion is specified.");
/*
* Choose configurations based on whether this is an upload or download operation.
*/
ConfigurationValue roleArnConfigurationValue;
ConfigurationValue defaultSessionDurationConfigurationValue;
ConfigurationValue sessionDurationConfigurationValue;
S3Actions[] s3Actions;
KmsActions[] kmsActions;
if (isUpload) {
roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_ROLE_ARN;
defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_UPLOAD_SESSION_DURATION_SECS;
sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_SESSION_DURATION_SECS;
s3Actions = new S3Actions[] { S3Actions.PutObject, S3Actions.DeleteObject };
kmsActions = new KmsActions[] { KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT };
} else {
roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_ROLE_ARN;
defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_DOWNLOAD_SESSION_DURATION_SECS;
sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_SESSION_DURATION_SECS;
s3Actions = new S3Actions[] { S3Actions.GetObject };
kmsActions = new KmsActions[] { KmsActions.DECRYPT };
}
StorageEntity storageEntity = storageDaoHelper.getStorageEntity(storageName.trim());
String roleArn = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(roleArnConfigurationValue), storageEntity, true);
Integer durationSeconds = storageHelper.getStorageAttributeIntegerValueByName(configurationHelper.getProperty(sessionDurationConfigurationValue), storageEntity, configurationHelper.getProperty(defaultSessionDurationConfigurationValue, Integer.class));
String bucketName = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_BUCKET_NAME), storageEntity, true);
S3KeyPrefixInformation s3KeyPrefixInformation = getS3KeyPrefixImpl(businessObjectDataKey, null, storageName, createNewVersion);
/*
* Policy is different based on whether this is meant for downloading or uploading.
* However, both uploader and downloader requires a ListBucket at the bucket level.
*/
AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3Prefix(bucketName, s3KeyPrefixInformation.getS3KeyPrefix(), s3Actions).withS3(bucketName, null, S3Actions.ListObjects);
/*
* Only add KMS policies if the storage specifies a KMS ID
*/
String kmsKeyId = getStorageKmsKeyId(storageEntity);
if (kmsKeyId != null) {
awsPolicyBuilder.withKms(kmsKeyId.trim(), kmsActions);
}
Credentials credentials = stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), UUID.randomUUID().toString(), roleArn, durationSeconds, awsPolicyBuilder.build());
AwsCredential awsCredential = new AwsCredential();
awsCredential.setAwsAccessKey(credentials.getAccessKeyId());
awsCredential.setAwsSecretKey(credentials.getSecretAccessKey());
awsCredential.setAwsSessionToken(credentials.getSessionToken());
awsCredential.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(credentials.getExpiration()));
return awsCredential;
}
Aggregations