Search in sources :

Example 1 with AwsPolicyBuilder

use of org.finra.herd.service.helper.AwsPolicyBuilder in project herd by FINRAOS.

the class StorageUnitServiceImpl method getBusinessObjectDataS3Credential.

/**
 * Creates and returns a set of AWS credentials which can be used to access the S3 object indicated by the given business object data and storage.
 *
 * @param businessObjectDataKey Business object data key
 * @param createNewVersion true to create credentials for the next version up from the latest business object data, otherwise, uses specified data version
 * in data key.
 * @param storageName Name of storage to access
 * @param isUpload true if this credential is to upload, false to download
 *
 * @return Credentials which has the permissions to perform the specified actions at the specified storage.
 */
private AwsCredential getBusinessObjectDataS3Credential(BusinessObjectDataKey businessObjectDataKey, Boolean createNewVersion, String storageName, boolean isUpload) {
    Assert.isTrue(StringUtils.isNotBlank(storageName), "storageName must be specified");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() != null || createNewVersion != null, "One of businessObjectDataVersion or createNewVersion must be specified.");
    Assert.isTrue(businessObjectDataKey.getBusinessObjectDataVersion() == null || !Boolean.TRUE.equals(createNewVersion), "createNewVersion must be false or unspecified when businessObjectDataVersion is specified.");
    /*
         * Choose configurations based on whether this is an upload or download operation.
         */
    ConfigurationValue roleArnConfigurationValue;
    ConfigurationValue defaultSessionDurationConfigurationValue;
    ConfigurationValue sessionDurationConfigurationValue;
    S3Actions[] s3Actions;
    KmsActions[] kmsActions;
    if (isUpload) {
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_UPLOAD_SESSION_DURATION_SECS;
        sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_UPLOAD_SESSION_DURATION_SECS;
        s3Actions = new S3Actions[] { S3Actions.PutObject, S3Actions.DeleteObject };
        kmsActions = new KmsActions[] { KmsActions.GENERATE_DATA_KEY, KmsActions.DECRYPT };
    } else {
        roleArnConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_ROLE_ARN;
        defaultSessionDurationConfigurationValue = ConfigurationValue.AWS_S3_DEFAULT_DOWNLOAD_SESSION_DURATION_SECS;
        sessionDurationConfigurationValue = ConfigurationValue.S3_ATTRIBUTE_NAME_DOWNLOAD_SESSION_DURATION_SECS;
        s3Actions = new S3Actions[] { S3Actions.GetObject };
        kmsActions = new KmsActions[] { KmsActions.DECRYPT };
    }
    StorageEntity storageEntity = storageDaoHelper.getStorageEntity(storageName.trim());
    String roleArn = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(roleArnConfigurationValue), storageEntity, true);
    Integer durationSeconds = storageHelper.getStorageAttributeIntegerValueByName(configurationHelper.getProperty(sessionDurationConfigurationValue), storageEntity, configurationHelper.getProperty(defaultSessionDurationConfigurationValue, Integer.class));
    String bucketName = storageHelper.getStorageAttributeValueByName(configurationHelper.getProperty(ConfigurationValue.S3_ATTRIBUTE_NAME_BUCKET_NAME), storageEntity, true);
    S3KeyPrefixInformation s3KeyPrefixInformation = getS3KeyPrefixImpl(businessObjectDataKey, null, storageName, createNewVersion);
    /*
         * Policy is different based on whether this is meant for downloading or uploading.
         * However, both uploader and downloader requires a ListBucket at the bucket level.
         */
    AwsPolicyBuilder awsPolicyBuilder = new AwsPolicyBuilder().withS3Prefix(bucketName, s3KeyPrefixInformation.getS3KeyPrefix(), s3Actions).withS3(bucketName, null, S3Actions.ListObjects);
    /*
         * Only add KMS policies if the storage specifies a KMS ID
         */
    String kmsKeyId = getStorageKmsKeyId(storageEntity);
    if (kmsKeyId != null) {
        awsPolicyBuilder.withKms(kmsKeyId.trim(), kmsActions);
    }
    Credentials credentials = stsDao.getTemporarySecurityCredentials(awsHelper.getAwsParamsDto(), UUID.randomUUID().toString(), roleArn, durationSeconds, awsPolicyBuilder.build());
    AwsCredential awsCredential = new AwsCredential();
    awsCredential.setAwsAccessKey(credentials.getAccessKeyId());
    awsCredential.setAwsSecretKey(credentials.getSecretAccessKey());
    awsCredential.setAwsSessionToken(credentials.getSessionToken());
    awsCredential.setAwsSessionExpirationTime(HerdDateUtils.getXMLGregorianCalendarValue(credentials.getExpiration()));
    return awsCredential;
}
Also used : ConfigurationValue(org.finra.herd.model.dto.ConfigurationValue) AwsPolicyBuilder(org.finra.herd.service.helper.AwsPolicyBuilder) S3Actions(com.amazonaws.auth.policy.actions.S3Actions) StorageEntity(org.finra.herd.model.jpa.StorageEntity) KmsActions(org.finra.herd.service.helper.KmsActions) S3KeyPrefixInformation(org.finra.herd.model.api.xml.S3KeyPrefixInformation) Credentials(com.amazonaws.services.securitytoken.model.Credentials) AwsCredential(org.finra.herd.model.api.xml.AwsCredential)

Aggregations

S3Actions (com.amazonaws.auth.policy.actions.S3Actions)1 Credentials (com.amazonaws.services.securitytoken.model.Credentials)1 AwsCredential (org.finra.herd.model.api.xml.AwsCredential)1 S3KeyPrefixInformation (org.finra.herd.model.api.xml.S3KeyPrefixInformation)1 ConfigurationValue (org.finra.herd.model.dto.ConfigurationValue)1 StorageEntity (org.finra.herd.model.jpa.StorageEntity)1 AwsPolicyBuilder (org.finra.herd.service.helper.AwsPolicyBuilder)1 KmsActions (org.finra.herd.service.helper.KmsActions)1