Add static cred provider for manually setting auth data for Cerberus … (

#5) Add static credential provider for manually setting auth data for Cerberus iam auth
Nike-Inc · Jan 19, 2017 · 044c6ec · 044c6ec
1 parent 8bf8011
commit 044c6ec
Show file tree

Hide file tree

Showing 3 changed files with 251 additions and 1 deletion.
diff --git a/gradle.properties b/gradle.properties
@@ -14,6 +14,6 @@
 # limitations under the License.
 #
 
-version=1.2.0
+version=1.3.0
 groupId=com.nike
 artifactId=cerberus-client
diff --git a/src/main/java/com/nike/cerberus/client/auth/aws/StaticIamRoleVaultCredentialsProvider.java b/src/main/java/com/nike/cerberus/client/auth/aws/StaticIamRoleVaultCredentialsProvider.java
@@ -0,0 +1,106 @@
+package com.nike.cerberus.client.auth.aws;
+
+import com.amazonaws.regions.Region;
+import com.amazonaws.regions.Regions;
+import com.nike.vault.client.StaticVaultUrlResolver;
+import com.nike.vault.client.UrlResolver;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Provider for allowing users to explicitly set the account id, rolename and region that they want to authenticate as.
+ */
+public class StaticIamRoleVaultCredentialsProvider extends BaseAwsCredentialsProvider {
+
+    protected String accountId;
+    protected String roleName;
+    protected Region region;
+
+    public StaticIamRoleVaultCredentialsProvider(UrlResolver urlResolver, String accountId, String roleName, String region) {
+        this(urlResolver);
+        this.accountId = accountId;
+        this.roleName = roleName;
+        this.region = Region.getRegion(Regions.fromName(region));
+    }
+
+    public StaticIamRoleVaultCredentialsProvider(String vaultUrl, String accountId, String roleName, String region) {
+        this(new StaticVaultUrlResolver(vaultUrl));
+        this.accountId = accountId;
+        this.roleName = roleName;
+        this.region = Region.getRegion(Regions.fromName(region));
+    }
+
+    public StaticIamRoleVaultCredentialsProvider(UrlResolver urlResolver, String accountId, String roleName, Region region) {
+        this(urlResolver);
+        this.accountId = accountId;
+        this.roleName = roleName;
+        this.region = region;
+    }
+
+    public StaticIamRoleVaultCredentialsProvider(String vaultUrl, String accountId, String roleName, Region region) {
+        this(new StaticVaultUrlResolver(vaultUrl));
+        this.accountId = accountId;
+        this.roleName = roleName;
+        this.region = region;
+    }
+
+    public StaticIamRoleVaultCredentialsProvider(UrlResolver urlResolver, String iamRoleArn, String region) {
+        this(urlResolver);
+        this.accountId = getAccountIdFromArn(iamRoleArn);
+        this.roleName = getRoleNameFromArn(iamRoleArn);
+        this.region = Region.getRegion(Regions.fromName(region));
+    }
+
+
+    public StaticIamRoleVaultCredentialsProvider(String vaultUrl, String iamRoleArn, String region) {
+        this(new StaticVaultUrlResolver(vaultUrl));
+        this.accountId = getAccountIdFromArn(iamRoleArn);
+        this.roleName = getRoleNameFromArn(iamRoleArn);
+        this.region = Region.getRegion(Regions.fromName(region));
+    }
+
+
+    public StaticIamRoleVaultCredentialsProvider(UrlResolver urlResolver, String iamRoleArn, Region region) {
+        this(urlResolver);
+        this.accountId = getAccountIdFromArn(iamRoleArn);
+        this.roleName = getRoleNameFromArn(iamRoleArn);
+        this.region = region;
+    }
+
+    public StaticIamRoleVaultCredentialsProvider(String vaultUrl, String iamRoleArn, Region region) {
+        this(new StaticVaultUrlResolver(vaultUrl));
+        this.accountId = getAccountIdFromArn(iamRoleArn);
+        this.roleName = getRoleNameFromArn(iamRoleArn);
+        this.region = region;
+    }
+
+    private StaticIamRoleVaultCredentialsProvider(UrlResolver urlResolver) {
+        super(urlResolver);
+    }
+
+    private String getAccountIdFromArn(String arn) {
+        Matcher m = Pattern.compile("arn:aws:iam::(.*?):role.*").matcher(arn);
+        boolean found = m.find();
+        if (found) {
+            return m.group(1);
+        }
+
+        throw new IllegalArgumentException("Invalid IAM role ARN supplied, expected arn:aws:iam::%s:role/%s");
+    }
+
+    private String getRoleNameFromArn(String arn) {
+        Matcher m = Pattern.compile("arn:aws:iam::.*?:role/(.*)").matcher(arn);
+        boolean found = m.find();
+        if (found) {
+            return m.group(1);
+        }
+
+        throw new IllegalArgumentException("Invalid IAM role ARN supplied, expected arn:aws:iam::%s:role/%s");
+    }
+
+    @Override
+    protected void authenticate() {
+        getAndSetToken(accountId, roleName, region);
+    }
+}
diff --git a/...est/java/com/nike/cerberus/client/auth/aws/StaticIamRoleVaultCredentialsProviderTest.java b/...est/java/com/nike/cerberus/client/auth/aws/StaticIamRoleVaultCredentialsProviderTest.java
@@ -0,0 +1,144 @@
+package com.nike.cerberus.client.auth.aws;
+
+import com.amazonaws.regions.Region;
+import com.amazonaws.regions.Regions;
+import com.nike.vault.client.StaticVaultUrlResolver;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+public class StaticIamRoleVaultCredentialsProviderTest {
+
+    private static final String ACCOUNT_ID = "1234";
+    private static final String ROLE_NAME = "foo/base/bar";
+    private static final String ROLE_ARN = String.format("arn:aws:iam::%s:role/%s", ACCOUNT_ID, ROLE_NAME);
+    private static final String REGION_STRING = "us-west-2";
+    private static final Region REGION = Region.getRegion(Regions.US_WEST_2);
+
+    @Test
+    public void test_constructor_1() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+              new StaticVaultUrlResolver("foo"),
+              ACCOUNT_ID,
+              ROLE_NAME,
+              REGION_STRING
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test
+    public void test_constructor_2() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                "foo",
+                ACCOUNT_ID,
+                ROLE_NAME,
+                REGION_STRING
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test
+    public void test_constructor_3() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                new StaticVaultUrlResolver("foo"),
+                ACCOUNT_ID,
+                ROLE_NAME,
+                REGION
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test
+    public void test_constructor_4() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                "foo",
+                ACCOUNT_ID,
+                ROLE_NAME,
+                REGION
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test
+    public void test_constructor_5() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                new StaticVaultUrlResolver("foo"),
+                ROLE_ARN,
+                REGION_STRING
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test
+    public void test_constructor_6() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                "foo",
+                ROLE_ARN,
+                REGION_STRING
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test
+    public void test_constructor_7() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                new StaticVaultUrlResolver("foo"),
+                ROLE_ARN,
+                REGION
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test
+    public void test_constructor_8() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                "foo",
+                ROLE_ARN,
+                REGION
+        );
+
+        assertEquals(ACCOUNT_ID, provider.accountId);
+        assertEquals(ROLE_NAME, provider.roleName);
+        assertEquals(REGION, provider.region);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void test_constructor_bad_arn1() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                "foo",
+                "foo",
+                REGION
+        );
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void test_constructor_bad_arn2() {
+        StaticIamRoleVaultCredentialsProvider provider = new StaticIamRoleVaultCredentialsProvider(
+                "foo",
+                "arn:aws:iam::123:rolefoo",
+                REGION
+        );
+    }
+
+}