Feature/restore complete (#21)

Add restore complete command.
Nike-Inc · Mar 16, 2017 · 2bb36c6 · 2bb36c6
1 parent 844cf85
commit 2bb36c6
Show file tree

Hide file tree

Showing 11 changed files with 622 additions and 24 deletions.
diff --git a/gradle.properties b/gradle.properties
@@ -16,4 +16,4 @@
 
 group=com.nike
 artifactId=cerberus-lifecycle-cli
-version=0.14.2
+version=0.15.0
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
@@ -34,7 +34,7 @@ allprojects {
         compile group: 'com.amazonaws', name: 'aws-java-sdk-sns', version: awsSDKVersion
         compile group: 'com.amazonaws', name: 'aws-java-sdk-lambda', version: awsSDKVersion
 
-        compile 'com.nike:vault-client:1.0.0'
+        compile 'com.nike:vault-client:1.2.1'
         compile 'com.squareup.okhttp3:okhttp:3.3.1'
         compile 'com.beust:jcommander:1.55'
         compile 'com.fasterxml.jackson.core:jackson-core:2.7.+'

diff --git a/src/main/java/com/nike/cerberus/cli/CerberusRunner.java b/src/main/java/com/nike/cerberus/cli/CerberusRunner.java
@@ -37,6 +37,7 @@
 import com.nike.cerberus.command.consul.CreateVaultAclCommand;
 import com.nike.cerberus.command.core.CreateBaseCommand;
 import com.nike.cerberus.command.core.PrintStackInfoCommand;
+import com.nike.cerberus.command.core.RestoreCompleteCerberusDataFromS3BackupCommand;
 import com.nike.cerberus.command.core.UpdateStackCommand;
 import com.nike.cerberus.command.core.UploadCertFilesCommand;
 import com.nike.cerberus.command.core.WhitelistCidrForVpcAccessCommand;
@@ -138,7 +139,11 @@ public void run(String[] args) {
             if (StringUtils.isNotBlank(commandName)) {
                 commander.usage(commandName);
             } else {
-                printCustomUsage();
+                if (StringUtils.isNotBlank(commandName)) {
+                    commander.usage(commandName);
+                } else {
+                    printCustomUsage();
+                }
             }
         }
     }
@@ -285,6 +290,7 @@ private void registerAllCommands() {
         registerCommand(new CreateCloudFrontLogProcessingLambdaConfigCommand());
         registerCommand(new CreateCloudFrontSecurityGroupUpdaterLambdaCommand());
         registerCommand(new WhitelistCidrForVpcAccessCommand());
+        registerCommand(new RestoreCompleteCerberusDataFromS3BackupCommand());
     }
 
     /**

diff --git a/src/main/java/com/nike/cerberus/client/CerberusAdminClient.java b/src/main/java/com/nike/cerberus/client/CerberusAdminClient.java
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2017 Nike, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.nike.cerberus.client;
+
+import com.nike.vault.client.UrlResolver;
+import com.nike.vault.client.VaultAdminClient;
+import com.nike.vault.client.VaultClientException;
+import com.nike.vault.client.auth.VaultCredentialsProvider;
+import com.nike.vault.client.http.HttpHeader;
+import com.nike.vault.client.http.HttpMethod;
+import okhttp3.HttpUrl;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.RequestBody;
+import okhttp3.Response;
+
+import javax.net.ssl.SSLException;
+import java.io.IOException;
+
+/**
+ * A Cerberus admin client with the ability to restore metadata
+ */
+public class CerberusAdminClient extends VaultAdminClient {
+
+    protected OkHttpClient httpClient;
+    protected VaultCredentialsProvider credentialsProvider;
+
+    /**
+     * Explicit constructor that allows for full control over construction of the Vault client.
+     *
+     * @param vaultUrlResolver    URL resolver for Vault
+     * @param credentialsProvider Credential provider for acquiring a token for interacting with Vault
+     * @param httpClient          HTTP client for calling Vault
+     */
+    public CerberusAdminClient(UrlResolver vaultUrlResolver,
+                               VaultCredentialsProvider credentialsProvider,
+                               OkHttpClient httpClient) {
+
+        super(vaultUrlResolver, credentialsProvider, httpClient);
+        this.httpClient = httpClient;
+        this.credentialsProvider = credentialsProvider;
+    }
+
+    public void restoreMetadata(String jsonPayload) {
+        HttpUrl url = buildUrl("v1/", "metadata");
+        Response response = execute(url, HttpMethod.PUT, jsonPayload);
+        if (! response.isSuccessful()) {
+            throw new RuntimeException("Failed to restore metadata with cms body: " + response.message());
+        }
+    }
+
+    protected Response execute(final HttpUrl url, final String method, final String json) {
+        try {
+            Request.Builder requestBuilder = new Request.Builder()
+                    .url(url)
+                    .addHeader(HttpHeader.VAULT_TOKEN, credentialsProvider.getCredentials().getToken())
+                    .addHeader(HttpHeader.ACCEPT, DEFAULT_MEDIA_TYPE.toString());
+
+            requestBuilder.addHeader(HttpHeader.CONTENT_TYPE, DEFAULT_MEDIA_TYPE.toString())
+                    .method(method, RequestBody.create(DEFAULT_MEDIA_TYPE, json));
+
+            return httpClient.newCall(requestBuilder.build()).execute();
+        } catch (IOException e) {
+            if (e instanceof SSLException
+                    && e.getMessage() != null
+                    && e.getMessage().contains("Unrecognized SSL message, plaintext connection?")) {
+                // AnyConnect web security proxy can be disabled with:
+                //  `sudo /opt/cisco/anyconnect/bin/acwebsecagent -disablesvc -websecurity`
+                throw new VaultClientException("I/O error while communicating with vault. Unrecognized SSL message may be due to a web proxy e.g. AnyConnect", e);
+            } else {
+                throw new VaultClientException("I/O error while communicating with vault.", e);
+            }
+        }
+    }
+}
diff --git a/...n/java/com/nike/cerberus/command/core/RestoreCompleteCerberusDataFromS3BackupCommand.java b/...n/java/com/nike/cerberus/command/core/RestoreCompleteCerberusDataFromS3BackupCommand.java
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 2017 Nike, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.nike.cerberus.command.core;
+
+import com.beust.jcommander.Parameter;
+import com.beust.jcommander.Parameters;
+import com.nike.cerberus.command.Command;
+import com.nike.cerberus.operation.Operation;
+import com.nike.cerberus.operation.core.RestoreCompleteCerberusDataFromS3BackupOperation;
+
+import static com.nike.cerberus.command.core.WhitelistCidrForVpcAccessCommand.COMMAND_NAME;
+
+/**
+ * Command for restoring Safe Deposit Box Metadata and Vault secret data for SDBs from backups that are in S3 from
+ * the cross region backup lambda.
+ */
+@Parameters(
+        commandNames = COMMAND_NAME,
+        commandDescription = "Allows Cerberus operators to restore a complete backup from S3 that was created using the cross region backup lambda."
+)
+public class RestoreCompleteCerberusDataFromS3BackupCommand implements Command {
+
+    public static final String COMMAND_NAME = "restore-complete";
+
+    @Parameter(names = "-s3-region",
+            description = "The region for the bucket that contains the backups",
+            required = true
+    )
+    private String s3Region;
+
+    @Parameter(names = "-s3-bucket",
+            description = "The bucket that contains the backups",
+            required = true
+    )
+    private String s3Bucket;
+
+    @Parameter(names = "-s3-prefix",
+            description = "the folder that contains the json backup files",
+            required = true
+    )
+    private String s3Prefix;
+
+    @Parameter(names = "-url",
+            description = "The cerberus api, to restore to",
+            required = true
+    )
+    private String cerberusUrl;
+
+    public String getS3Region() {
+        return s3Region;
+    }
+
+    public String getS3Bucket() {
+        return s3Bucket;
+    }
+
+    public String getS3Prefix() {
+        return s3Prefix;
+    }
+
+    public String getCerberusUrl() {
+        return cerberusUrl;
+    }
+
+    @Override
+    public String getCommandName() {
+        return COMMAND_NAME;
+    }
+
+    @Override
+    public Class<? extends Operation<?>> getOperationClass() {
+        return RestoreCompleteCerberusDataFromS3BackupOperation.class;
+    }
+}