diff --git a/src/main/java/com/nike/cerberus/dao/SecureDataDao.java b/src/main/java/com/nike/cerberus/dao/SecureDataDao.java index b00d8b837..e1c149714 100644 --- a/src/main/java/com/nike/cerberus/dao/SecureDataDao.java +++ b/src/main/java/com/nike/cerberus/dao/SecureDataDao.java @@ -84,32 +84,32 @@ public void updateSecureData(String sdbId, ); } - public Optional readSecureDataByPath(String path) { - return Optional.ofNullable(secureDataMapper.readSecureDataByPath(path)); + public Optional readSecureDataByPath(String sdbId, String path) { + return Optional.ofNullable(secureDataMapper.readSecureDataByPath(sdbId, path)); } - public Optional readSecureDataByPathAndType(String path, SecureDataType type) { - return Optional.ofNullable(secureDataMapper.readSecureDataByPathAndType(path, type)); + public Optional readSecureDataByPathAndType(String sdbId, String path, SecureDataType type) { + return Optional.ofNullable(secureDataMapper.readSecureDataByPathAndType(sdbId, path, type)); } - public Optional readMetadataByPathAndType(String path, SecureDataType type) { - return Optional.ofNullable(secureDataMapper.readMetadataByPathAndType(path, type)); + public Optional readMetadataByPathAndType(String sdbId, String path, SecureDataType type) { + return Optional.ofNullable(secureDataMapper.readMetadataByPathAndType(sdbId, path, type)); } - public String[] getPathsByPartialPath(String partialPath) { - return secureDataMapper.getPathsByPartialPath(partialPath); + public String[] getPathsByPartialPath(String sdbId, String partialPath) { + return secureDataMapper.getPathsByPartialPath(sdbId, partialPath); } - public String[] getPathsByPartialPathAndType(String partialPath, SecureDataType type) { - return secureDataMapper.getPathsByPartialPathAndType(partialPath, type); + public String[] getPathsByPartialPathAndType(String sdbId, String partialPath, SecureDataType type) { + return secureDataMapper.getPathsByPartialPathAndType(sdbId, partialPath, type); } public Set getPathsBySdbId(String sdbId) { return secureDataMapper.getPathsBySdbId(sdbId); } - public List listSecureDataByPartialPathAndType(String partialPath, SecureDataType type, int limit, int offset) { - return secureDataMapper.listSecureDataByPartialPathAndType(partialPath, type, limit, offset); + public List listSecureDataByPartialPathAndType(String sdbId, String partialPath, SecureDataType type, int limit, int offset) { + return secureDataMapper.listSecureDataByPartialPathAndType(sdbId, partialPath, type, limit, offset); } public int countByPartialPathAndType(String partialPath, SecureDataType type) { @@ -124,12 +124,12 @@ public int getTotalNumberOfDataNodes() { return secureDataMapper.getTotalNumberOfDataNodes(); } - public void deleteAllSecretsThatStartWithGivenPartialPath(String partialPath) { - secureDataMapper.deleteAllSecretsThatStartWithGivenPartialPath(partialPath); + public void deleteAllSecretsThatStartWithGivenPartialPath(String sdbId, String partialPath) { + secureDataMapper.deleteAllSecretsThatStartWithGivenPartialPath(sdbId, partialPath); } - public void deleteSecret(String path) { - secureDataMapper.deleteSecret(path); + public void deleteSecret(String sdbId, String path) { + secureDataMapper.deleteSecret(sdbId, path); } public int getSumTopLevelKeyValuePairs() { diff --git a/src/main/java/com/nike/cerberus/endpoints/admin/RestoreSafeDepositBox.java b/src/main/java/com/nike/cerberus/endpoints/admin/RestoreSafeDepositBox.java index 8aef00fbd..850d17811 100644 --- a/src/main/java/com/nike/cerberus/endpoints/admin/RestoreSafeDepositBox.java +++ b/src/main/java/com/nike/cerberus/endpoints/admin/RestoreSafeDepositBox.java @@ -77,7 +77,7 @@ private ResponseInfo restoreSdb(RequestInfo request, Security metadataService.restoreMetadata(sdbMetadata, principal); String sdbId = metadataService.getSdbId(sdbMetadata); String sdbPathWithoutCategory = StringUtils.substringAfter(sdbMetadata.getPath(), "/"); - secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(sdbPathWithoutCategory); + secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(sdbId, sdbPathWithoutCategory); secureDataService.restoreSdbSecrets(sdbId, sdbMetadata.getData(), principal); return ResponseInfo.newBuilder() diff --git a/src/main/java/com/nike/cerberus/endpoints/file/DeleteSecureFile.java b/src/main/java/com/nike/cerberus/endpoints/file/DeleteSecureFile.java index c726da6bd..16e034fd0 100644 --- a/src/main/java/com/nike/cerberus/endpoints/file/DeleteSecureFile.java +++ b/src/main/java/com/nike/cerberus/endpoints/file/DeleteSecureFile.java @@ -80,7 +80,8 @@ private ResponseInfo deleteSecureFile(final RequestInfo request) { if (securityContext.isPresent()) { SecureDataRequestInfo requestInfo = secureDataRequestService.parseAndValidateRequest(request); - secureDataService.deleteSecret(requestInfo.getPath(), SecureDataType.FILE, requestInfo.getPrincipal().getName()); + secureDataService.deleteSecret(requestInfo.getSdbId(), + requestInfo.getPath(), SecureDataType.FILE, requestInfo.getPrincipal().getName()); return ResponseInfo.newBuilder(). withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code()). diff --git a/src/main/java/com/nike/cerberus/endpoints/file/GetSecureFiles.java b/src/main/java/com/nike/cerberus/endpoints/file/GetSecureFiles.java index 122472b40..e4f921ec0 100644 --- a/src/main/java/com/nike/cerberus/endpoints/file/GetSecureFiles.java +++ b/src/main/java/com/nike/cerberus/endpoints/file/GetSecureFiles.java @@ -65,9 +65,10 @@ public CompletableFuture> doExecute(Reques SecureDataRequestInfo info = secureDataRequestService.parseAndValidateRequest(request); SecureFileSummaryResult fileSummaryResult = secureDataService.listSecureFilesSummaries( - info.getPath(), - paginationService.getLimit(request), - paginationService.getOffset(request)); + info.getSdbId(), + info.getPath(), + paginationService.getLimit(request), + paginationService.getOffset(request)); final ResponseInfo response = ResponseInfo.newBuilder() .withContentForFullResponse(fileSummaryResult) diff --git a/src/main/java/com/nike/cerberus/endpoints/file/HeadSecureFile.java b/src/main/java/com/nike/cerberus/endpoints/file/HeadSecureFile.java index 2f94b630f..274a215fb 100644 --- a/src/main/java/com/nike/cerberus/endpoints/file/HeadSecureFile.java +++ b/src/main/java/com/nike/cerberus/endpoints/file/HeadSecureFile.java @@ -61,13 +61,13 @@ protected HeadSecureFile(SecureDataService secureDataService, @Override public CompletableFuture> doExecute(RequestInfo request, - Executor longRunningTaskExecutor, - ChannelHandlerContext ctx) { + Executor longRunningTaskExecutor, + ChannelHandlerContext ctx) { SecureDataRequestInfo requestInfo = secureDataRequestService.parseAndValidateRequest(request); ResponseInfo response; - Optional secureFileOpt = secureDataService.readFileMetadataOnly(requestInfo.getPath()); + Optional secureFileOpt = secureDataService.readFileMetadataOnly(requestInfo.getSdbId(), requestInfo.getPath()); if (! secureFileOpt.isPresent()) { throw new ApiException.Builder() diff --git a/src/main/java/com/nike/cerberus/endpoints/file/ReadSecureFile.java b/src/main/java/com/nike/cerberus/endpoints/file/ReadSecureFile.java index f58b215dc..d22794864 100644 --- a/src/main/java/com/nike/cerberus/endpoints/file/ReadSecureFile.java +++ b/src/main/java/com/nike/cerberus/endpoints/file/ReadSecureFile.java @@ -77,7 +77,7 @@ public CompletableFuture> doExecute(RequestInfo reque String versionId = request.getQueryParamSingle("versionId"); response = readSecureDataVersion(requestInfo, versionId); } else { - Optional secureFileOpt = secureDataService.readFile(requestInfo.getPath()); + Optional secureFileOpt = secureDataService.readFile(requestInfo.getSdbId(), requestInfo.getPath()); if (! secureFileOpt.isPresent()) { throw ApiException.newBuilder() @@ -107,6 +107,7 @@ public CompletableFuture> doExecute(RequestInfo reque private ResponseInfo readSecureDataVersion(SecureDataRequestInfo requestInfo, String versionId) { Optional secureFileVersionOpt = secureDataVersionService.getSecureFileVersionById( + requestInfo.getSdbId(), versionId, requestInfo.getCategory(), requestInfo.getPath()); diff --git a/src/main/java/com/nike/cerberus/endpoints/secret/DeleteSecureData.java b/src/main/java/com/nike/cerberus/endpoints/secret/DeleteSecureData.java index a73d08a1a..c0ef044c9 100644 --- a/src/main/java/com/nike/cerberus/endpoints/secret/DeleteSecureData.java +++ b/src/main/java/com/nike/cerberus/endpoints/secret/DeleteSecureData.java @@ -73,7 +73,7 @@ public CompletableFuture> executeSecureDataCall(SecureDataR private ResponseInfo deleteSecureData(SecureDataRequestInfo requestInfo) { CerberusPrincipal principal = requestInfo.getPrincipal(); - secureDataService.deleteSecret(requestInfo.getPath(), SecureDataType.OBJECT, principal.getName()); + secureDataService.deleteSecret(requestInfo.getSdbId(), requestInfo.getPath(), SecureDataType.OBJECT, principal.getName()); return ResponseInfo.newBuilder().withHttpStatusCode(HttpResponseStatus.NO_CONTENT.code()).build(); } diff --git a/src/main/java/com/nike/cerberus/endpoints/secret/ReadSecureData.java b/src/main/java/com/nike/cerberus/endpoints/secret/ReadSecureData.java index e2d16f956..9100499d0 100644 --- a/src/main/java/com/nike/cerberus/endpoints/secret/ReadSecureData.java +++ b/src/main/java/com/nike/cerberus/endpoints/secret/ReadSecureData.java @@ -83,7 +83,7 @@ public CompletableFuture> executeSecureDataCall(SecureDataR String versionId = request.getQueryParamSingle("versionId"); response = readSecureDataVersion(requestInfo, versionId); } else { - Optional secureDataOpt = secureDataService.readSecret(requestInfo.getPath()); + Optional secureDataOpt = secureDataService.readSecret(requestInfo.getSdbId(), requestInfo.getPath()); if (! secureDataOpt.isPresent()) { response = generateVaultStyleResponse( @@ -102,7 +102,7 @@ public CompletableFuture> executeSecureDataCall(SecureDataR } private ResponseInfo listKeys(SecureDataRequestInfo info) { - Set keys = secureDataService.listKeys(info.getPath()); + Set keys = secureDataService.listKeys(info.getSdbId(), info.getPath()); if (keys.isEmpty()) { return generateVaultStyleResponse(VaultStyleErrorResponse.Builder.create().build(), @@ -134,6 +134,7 @@ private ResponseInfo listKeys(SecureDataRequestInfo info) { private ResponseInfo readSecureDataVersion(SecureDataRequestInfo requestInfo, String versionId) { Optional secureDataVersionOpt = secureDataVersionService.getSecureDataVersionById( + requestInfo.getSdbId(), versionId, requestInfo.getCategory(), requestInfo.getPath()); diff --git a/src/main/java/com/nike/cerberus/endpoints/version/GetSecureDataVersions.java b/src/main/java/com/nike/cerberus/endpoints/version/GetSecureDataVersions.java index 53972cab8..ace2373b2 100644 --- a/src/main/java/com/nike/cerberus/endpoints/version/GetSecureDataVersions.java +++ b/src/main/java/com/nike/cerberus/endpoints/version/GetSecureDataVersions.java @@ -78,6 +78,7 @@ public ResponseInfo getVersionPathsForSdb(final Reques String pathToSecret = requestInfo.getPath(); SecureDataVersionsResult result = secureDataVersionService.getSecureDataVersionSummariesByPath( + requestInfo.getSdbId(), pathToSecret, requestInfo.getCategory(), paginationService.getLimit(request), diff --git a/src/main/java/com/nike/cerberus/mapper/SecureDataMapper.java b/src/main/java/com/nike/cerberus/mapper/SecureDataMapper.java index 0e5de1ac3..3de62e0e3 100644 --- a/src/main/java/com/nike/cerberus/mapper/SecureDataMapper.java +++ b/src/main/java/com/nike/cerberus/mapper/SecureDataMapper.java @@ -29,21 +29,22 @@ public interface SecureDataMapper { int updateSecureData(@Param("record") SecureDataRecord record); - SecureDataRecord readSecureDataByPath(@Param("path") String path); + SecureDataRecord readSecureDataByPath(@Param("sdbId") String sdbId, @Param("path") String path); - SecureDataRecord readSecureDataByPathAndType(@Param("path") String path, @Param("type") SecureDataType type); + SecureDataRecord readSecureDataByPathAndType(@Param("sdbId") String sdbId, @Param("path") String path, @Param("type") SecureDataType type); - SecureDataRecord readMetadataByPathAndType(@Param("path") String path, @Param("type") SecureDataType type); + SecureDataRecord readMetadataByPathAndType(@Param("sdbId") String sdbId, @Param("path") String path, @Param("type") SecureDataType type); - String[] getPathsByPartialPath(@Param("partialPath") String partialPath); + String[] getPathsByPartialPath(@Param("sdbId") String sdbId, @Param("partialPath") String partialPath); - String[] getPathsByPartialPathAndType(@Param("partialPath") String partialPath, @Param("type") SecureDataType type); + String[] getPathsByPartialPathAndType(@Param("sdbId") String sdbId, @Param("partialPath") String partialPath, @Param("type") SecureDataType type); List listSecureDataByPartialPathAndType( - @Param("partialPath") String partialPath, - @Param("type") SecureDataType type, - @Param("limit") int limit, - @Param("offset") int offset); + @Param("sdbId") String sdbId, + @Param("partialPath") String partialPath, + @Param("type") SecureDataType type, + @Param("limit") int limit, + @Param("offset") int offset); int countByPartialPathAndType(@Param("partialPath") String partialPath, @Param("type") SecureDataType type); @@ -53,9 +54,10 @@ List listSecureDataByPartialPathAndType( int getTotalNumberOfDataNodes(); - int deleteAllSecretsThatStartWithGivenPartialPath(@Param("partialPath") String partialPath); + int deleteAllSecretsThatStartWithGivenPartialPath(@Param("sdbId") String sdbId, + @Param("partialPath") String partialPath); - int deleteSecret(@Param("path") String path); + int deleteSecret(@Param("sdbId") String sdbId, @Param("path") String path); Integer getSumTopLevelKeyValuePairs(); } diff --git a/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java b/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java index 262850041..50a01b5f4 100644 --- a/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java +++ b/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java @@ -378,7 +378,7 @@ public void deleteSafeDepositBox(CerberusPrincipal authPrincipal, final String i // 2. Delete all secrets and versions from the safe deposit box. String sdbPathWithoutCategory = StringUtils.substringAfter(box.getPath(), "/"); - secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(sdbPathWithoutCategory); + secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(id, sdbPathWithoutCategory); secureDataVersionDao.deleteAllVersionsThatStartWithPartialPath(sdbPathWithoutCategory); // 3. Remove metadata diff --git a/src/main/java/com/nike/cerberus/service/SecureDataService.java b/src/main/java/com/nike/cerberus/service/SecureDataService.java index e595c2102..1889206e9 100644 --- a/src/main/java/com/nike/cerberus/service/SecureDataService.java +++ b/src/main/java/com/nike/cerberus/service/SecureDataService.java @@ -86,7 +86,7 @@ public void writeSecret(String sdbId, String path, String plainTextPayload, Stri OffsetDateTime now = dateTimeSupplier.get(); // Fetch the current version if there is one, so that on update it can be moved to the versions table - Optional secureDataRecordOpt = secureDataDao.readSecureDataByPath(path); + Optional secureDataRecordOpt = secureDataDao.readSecureDataByPath(sdbId, path); if (secureDataRecordOpt.isPresent()) { SecureDataRecord secureData = secureDataRecordOpt.get(); if (secureData.getType() != SecureDataType.OBJECT) { @@ -132,7 +132,7 @@ public void writeSecureFile(String sdbId, String path, byte[] bytes, int sizeInB OffsetDateTime now = dateTimeSupplier.get(); // Fetch the current version if there is one, so that on update it can be moved to the versions table - Optional secureDataRecordOpt = secureDataDao.readSecureDataByPath(path); + Optional secureDataRecordOpt = secureDataDao.readSecureDataByPath(sdbId, path); if (secureDataRecordOpt.isPresent()) { SecureDataRecord secureData = secureDataRecordOpt.get(); if (secureData.getType() != SecureDataType.FILE) { @@ -187,9 +187,9 @@ protected int getTopLevelKVPairCount(String plainTextPayload) { return kvCount; } - public Optional readSecret(String path) { + public Optional readSecret(String sdbId, String path) { log.debug("Reading secure data: Path: {}", path); - Optional secureDataRecordOpt = secureDataDao.readSecureDataByPathAndType(path, SecureDataType.OBJECT); + Optional secureDataRecordOpt = secureDataDao.readSecureDataByPathAndType(sdbId, path, SecureDataType.OBJECT); if (! secureDataRecordOpt.isPresent()) { return Optional.empty(); } @@ -213,9 +213,9 @@ public Optional readSecret(String path) { return Optional.of(secureData); } - public Optional readFile(String path) { + public Optional readFile(String sdbId, String path) { log.debug("Reading secure file: Path: {}", path); - Optional secureDataRecordOpt = secureDataDao.readSecureDataByPathAndType(path, SecureDataType.FILE); + Optional secureDataRecordOpt = secureDataDao.readSecureDataByPathAndType(sdbId, path, SecureDataType.FILE); if (! secureDataRecordOpt.isPresent()) { return Optional.empty(); } @@ -237,9 +237,9 @@ public Optional readFile(String path) { return Optional.of(secureFile); } - public Optional readFileMetadataOnly(String path) { + public Optional readFileMetadataOnly(String sdbId, String path) { log.debug("Reading secure file metadata: Path: {}", path); - Optional secureDataRecordOpt = secureDataDao.readMetadataByPathAndType(path, SecureDataType.FILE); + Optional secureDataRecordOpt = secureDataDao.readMetadataByPathAndType(sdbId, path, SecureDataType.FILE); if (! secureDataRecordOpt.isPresent()) { return Optional.empty(); } @@ -285,13 +285,13 @@ public void restoreSdbSecrets(String sdbId, Map> dat * @param partialPath path to a node in the data structure that potentially has children * @return Array of keys if the key is a data node it will not end with "/" */ - public Set listKeys(String partialPath) { + public Set listKeys(String sdbId, String partialPath) { if (! partialPath.endsWith("/")) { partialPath = partialPath + "/"; } Set keys = new HashSet<>(); - String[] pArray = secureDataDao.getPathsByPartialPathAndType(partialPath, SecureDataType.OBJECT); + String[] pArray = secureDataDao.getPathsByPartialPathAndType(sdbId, partialPath, SecureDataType.OBJECT); if (pArray == null || pArray.length < 1) { return keys; } @@ -321,14 +321,14 @@ public Set listKeys(String partialPath) { * @param partialPath path to a node in the data structure that potentially has children * @return Array of keys if the key is a data node it will not end with "/" */ - public SecureFileSummaryResult listSecureFilesSummaries(String partialPath, int limit, int offset) { + public SecureFileSummaryResult listSecureFilesSummaries(String sdbId, String partialPath, int limit, int offset) { if (!partialPath.endsWith("/")) { partialPath = partialPath + "/"; } int totalNumFiles = secureDataDao.countByPartialPathAndType(partialPath, SecureDataType.FILE); List fileSummaries = Lists.newArrayList(); - List secureDataRecords = secureDataDao.listSecureDataByPartialPathAndType(partialPath, SecureDataType.FILE, limit, offset); + List secureDataRecords = secureDataDao.listSecureDataByPartialPathAndType(sdbId, partialPath, SecureDataType.FILE, limit, offset); secureDataRecords.forEach(secureDataRecord -> { fileSummaries.add(new SecureFileSummary() .setCreatedBy(secureDataRecord.getCreatedBy()) @@ -379,9 +379,9 @@ public int getTotalNumberOfDataNodes() { * @param subPath The sub path to delete all secrets that have paths that start with */ @Transactional - public void deleteAllSecretsThatStartWithGivenPartialPath(String subPath) { - log.warn("Deleting all secrets under path: {}", subPath); - secureDataDao.deleteAllSecretsThatStartWithGivenPartialPath(subPath); + public void deleteAllSecretsThatStartWithGivenPartialPath(String sdbId, String subPath) { + log.warn("Deleting all secrets under path: {} for sdbId: {}", subPath, sdbId); + secureDataDao.deleteAllSecretsThatStartWithGivenPartialPath(sdbId, subPath); } /** @@ -389,9 +389,9 @@ public void deleteAllSecretsThatStartWithGivenPartialPath(String subPath) { * * @param path The sub path to delete all secrets that have paths that start with */ - public void deleteSecret(String path, SecureDataType type, String principal) { + public void deleteSecret(String sdbId, String path, SecureDataType type, String principal) { OffsetDateTime now = dateTimeSupplier.get(); - SecureDataRecord secureDataRecord = secureDataDao.readSecureDataByPathAndType(path, type) + SecureDataRecord secureDataRecord = secureDataDao.readSecureDataByPathAndType(sdbId, path, type) .orElseThrow(() -> new ApiException(DefaultApiError.ENTITY_NOT_FOUND) ); @@ -409,7 +409,7 @@ public void deleteSecret(String path, SecureDataType type, String principal) { now ); - secureDataDao.deleteSecret(path); + secureDataDao.deleteSecret(sdbId, path); } public int getTotalNumberOfKeyValuePairs() { @@ -426,8 +426,8 @@ boolean secureDataHasBeenUpdated(SecureDataRecord secureDataRecord) { return ! (createdBySameAsUpdatedBy && createdTsSameAsUpdatedTs); } - public Optional getSecureDataRecordForPath(String path) { - return secureDataDao.readSecureDataByPath(path); + public Optional getSecureDataRecordForPath(String sdbId, String path) { + return secureDataDao.readSecureDataByPath(sdbId, path); } public Map parseSecretMetadata(SecureData secureData) { diff --git a/src/main/java/com/nike/cerberus/service/SecureDataVersionService.java b/src/main/java/com/nike/cerberus/service/SecureDataVersionService.java index d722ab7a4..71add146b 100644 --- a/src/main/java/com/nike/cerberus/service/SecureDataVersionService.java +++ b/src/main/java/com/nike/cerberus/service/SecureDataVersionService.java @@ -58,10 +58,10 @@ public SecureDataVersionService(SecureDataVersionDao secureDataVersionDao, this.encryptionService = encryptionService; } - public Optional getSecureDataVersionById(String versionId, String sdbCategory, String pathToSecureData) { + public Optional getSecureDataVersionById(String sdbId, String versionId, String sdbCategory, String pathToSecureData) { log.debug("Reading secure data version: ID: {}", versionId); Optional secureDataVersionRecord = StringUtils.equals(versionId, DEFAULT_ID_FOR_CURRENT_VERSIONS) ? - getCurrentSecureDataVersion(pathToSecureData) : + getCurrentSecureDataVersion(sdbId, pathToSecureData) : secureDataVersionDao.readSecureDataVersionById(versionId); if (! secureDataVersionRecord.isPresent() || @@ -90,10 +90,10 @@ public Optional getSecureDataVersionById(String versionId, St .setVersionCreatedTs(secureDataVersion.getVersionCreatedTs())); } - public Optional getSecureFileVersionById(String versionId, String sdbCategory, String pathToSecureData) { + public Optional getSecureFileVersionById(String sdbId, String versionId, String sdbCategory, String pathToSecureData) { log.debug("Reading secure data version: ID: {}", versionId); Optional secureDataVersionRecord = StringUtils.equals(versionId, DEFAULT_ID_FOR_CURRENT_VERSIONS) ? - getCurrentSecureDataVersion(pathToSecureData) : + getCurrentSecureDataVersion(sdbId, pathToSecureData) : secureDataVersionDao.readSecureDataVersionById(versionId); if (! secureDataVersionRecord.isPresent() || @@ -121,7 +121,8 @@ public Optional getSecureFileVersionById(String versionId, St } - public SecureDataVersionsResult getSecureDataVersionSummariesByPath(String pathToSecureData, + public SecureDataVersionsResult getSecureDataVersionSummariesByPath(String sdbId, + String pathToSecureData, String sdbCategory, int limit, int offset) { @@ -133,7 +134,7 @@ public SecureDataVersionsResult getSecureDataVersionSummariesByPath(String pathT int totalNumVersionsForPath = secureDataVersionDao.getTotalNumVersionsForPath(pathToSecureData); // retrieve current secrets versions from secure data table - Optional currentSecureDataVersionOpt = getCurrentSecureDataVersion(pathToSecureData); + Optional currentSecureDataVersionOpt = getCurrentSecureDataVersion(sdbId, pathToSecureData); if (currentSecureDataVersionOpt.isPresent()) { if (offset == 0) { SecureDataVersionRecord currentSecureDataVersion = currentSecureDataVersionOpt.get(); @@ -189,8 +190,8 @@ public SecureDataVersionsResult generateSecureDataVersionsResult(List getCurrentSecureDataVersion(String pathToSecureData) { - Optional currentSecureDataRecordOpt = secureDataService.getSecureDataRecordForPath(pathToSecureData); + private Optional getCurrentSecureDataVersion(String sdbId, String pathToSecureData) { + Optional currentSecureDataRecordOpt = secureDataService.getSecureDataRecordForPath(sdbId, pathToSecureData); SecureDataVersionRecord newSecureDataVersionRecord = null; if (currentSecureDataRecordOpt.isPresent()) { diff --git a/src/main/resources/com/nike/cerberus/mapper/SecureDataMapper.xml b/src/main/resources/com/nike/cerberus/mapper/SecureDataMapper.xml index 2ad26c15b..31a386460 100644 --- a/src/main/resources/com/nike/cerberus/mapper/SecureDataMapper.xml +++ b/src/main/resources/com/nike/cerberus/mapper/SecureDataMapper.xml @@ -78,6 +78,8 @@ SECURE_DATA WHERE PATH = #{path} + AND + SDBOX_ID = #{sdbId} - DELETE FROM SECURE_DATA WHERE PATH LIKE '${partialPath}%'; + DELETE FROM SECURE_DATA WHERE PATH LIKE '${partialPath}%' AND SDBOX_ID = #{sdbId}; - DELETE FROM SECURE_DATA WHERE PATH = #{path} + DELETE FROM SECURE_DATA WHERE PATH = #{path} AND SDBOX_ID = #{sdbId} \ No newline at end of file diff --git a/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java b/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java index 8263e8429..40573ac47 100644 --- a/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java +++ b/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java @@ -367,7 +367,7 @@ public void test_that_deleteSafeDepositBox_deletes_permissions_secrets_and_versi verify(iamPrincipalPermissionService).deleteIamPrincipalPermissions(sdbId); verify(userGroupPermissionService).deleteUserGroupPermissions(sdbId); verify(secureDataVersionDao).deleteAllVersionsThatStartWithPartialPath(sdbPathNoCategory); - verify(secureDataService).deleteAllSecretsThatStartWithGivenPartialPath(sdbPathNoCategory); + verify(secureDataService).deleteAllSecretsThatStartWithGivenPartialPath(sdbId, sdbPathNoCategory); } @Test diff --git a/src/test/java/com/nike/cerberus/service/SecureDataServiceTest.java b/src/test/java/com/nike/cerberus/service/SecureDataServiceTest.java index 29158b549..121de81da 100644 --- a/src/test/java/com/nike/cerberus/service/SecureDataServiceTest.java +++ b/src/test/java/com/nike/cerberus/service/SecureDataServiceTest.java @@ -97,7 +97,7 @@ public void test_that_writeSecret_encrypts_the_payload_and_calls_update() { when(secureDataRecord.getType()).thenReturn(SecureDataType.OBJECT); when(secureDataRecord.getCreatedBy()).thenReturn(SYSTEM_USER); when(secureDataRecord.getCreatedTs()).thenReturn(now); - when(secureDataDao.readSecureDataByPath(path)).thenReturn(Optional.of(secureDataRecord)); + when(secureDataDao.readSecureDataByPath(sdbId, path)).thenReturn(Optional.of(secureDataRecord)); secureDataService.writeSecret(sdbId, path, secret, principal); verify(secureDataDao).updateSecureData( @@ -115,21 +115,21 @@ public void test_that_writeSecret_encrypts_the_payload_and_calls_update() { @Test public void test_that_readSecret_returns_empty_optional_if_dao_returns_nothing() { - when(secureDataDao.readSecureDataByPathAndType(path, SecureDataType.OBJECT)).thenReturn(Optional.empty()); + when(secureDataDao.readSecureDataByPathAndType(sdbId, path, SecureDataType.OBJECT)).thenReturn(Optional.empty()); - Optional result = secureDataService.readSecret(path); + Optional result = secureDataService.readSecret(sdbId, path); assertFalse(result.isPresent()); } @Test public void test_that_readSecret_decrypts_the_payload_when_present() { - when(secureDataDao.readSecureDataByPathAndType(path, SecureDataType.OBJECT)) + when(secureDataDao.readSecureDataByPathAndType(sdbId, path, SecureDataType.OBJECT)) .thenReturn(Optional.of(new SecureDataRecord().setEncryptedBlob(ciphertext.getBytes()))); when(encryptionService.decrypt(ciphertext, path)).thenReturn(secret); - Optional result = secureDataService.readSecret(path); + Optional result = secureDataService.readSecret(sdbId, path); assertTrue(result.isPresent()); assertTrue(result.get().getData().equals(secret)); @@ -138,28 +138,31 @@ public void test_that_readSecret_decrypts_the_payload_when_present() { @Test public void test_that_listKeys_appends_a_slash_to_the_partial_path_if_not_present() { when(secureDataDao.getPathsByPartialPathAndType( - partialPathWithoutTrailingSlash + "/", + sdbId, + partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT)).thenReturn(keysRes); - secureDataService.listKeys(partialPathWithoutTrailingSlash); - verify(secureDataDao).getPathsByPartialPathAndType(partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); + secureDataService.listKeys(sdbId, partialPathWithoutTrailingSlash); + verify(secureDataDao).getPathsByPartialPathAndType(sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); } @Test public void test_that_listKeys_does_not_append_a_slash_to_the_partial_path_if_already_present() { when(secureDataDao.getPathsByPartialPathAndType( + sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT)).thenReturn(keysRes); - secureDataService.listKeys(partialPathWithoutTrailingSlash + "/"); - verify(secureDataDao).getPathsByPartialPathAndType(partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); + secureDataService.listKeys(sdbId, partialPathWithoutTrailingSlash + "/"); + verify(secureDataDao).getPathsByPartialPathAndType(sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); } @Test public void test_that_listKeys_returns_empty_set_if_dao_returns_null() { when(secureDataDao.getPathsByPartialPathAndType( - partialPathWithoutTrailingSlash + "/", + sdbId, + partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT)).thenReturn(null); - Set res = secureDataService.listKeys(partialPathWithoutTrailingSlash ); - verify(secureDataDao).getPathsByPartialPathAndType(partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); + Set res = secureDataService.listKeys(sdbId, partialPathWithoutTrailingSlash ); + verify(secureDataDao).getPathsByPartialPathAndType(sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); assertTrue(res != null && res.isEmpty()); } @@ -167,10 +170,11 @@ public void test_that_listKeys_returns_empty_set_if_dao_returns_null() { @Test public void test_that_listKeys_returns_empty_set_if_dao_returns_empty() { when(secureDataDao.getPathsByPartialPathAndType( + sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT)).thenReturn(new String[] {}); - Set res = secureDataService.listKeys(partialPathWithoutTrailingSlash ); - verify(secureDataDao).getPathsByPartialPathAndType(partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); + Set res = secureDataService.listKeys(sdbId, partialPathWithoutTrailingSlash ); + verify(secureDataDao).getPathsByPartialPathAndType(sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); assertTrue(res != null && res.isEmpty()); } @@ -178,10 +182,11 @@ public void test_that_listKeys_returns_empty_set_if_dao_returns_empty() { @Test public void test_that_listKeys_returns_expected_set_of_keys() { when(secureDataDao.getPathsByPartialPathAndType( - partialPathWithoutTrailingSlash + "/", + sdbId, + partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT)).thenReturn(keysRes); - Set res = secureDataService.listKeys(partialPathWithoutTrailingSlash); - verify(secureDataDao).getPathsByPartialPathAndType(partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); + Set res = secureDataService.listKeys(sdbId, partialPathWithoutTrailingSlash); + verify(secureDataDao).getPathsByPartialPathAndType(sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); assertEquals("There should be 2 keys", 2, res.size()); assertTrue("the list of keys should contain the 2 api keys", res.containsAll(ImmutableSet.of("signal-fx-api-key", "splunk-api-key"))); @@ -190,12 +195,13 @@ public void test_that_listKeys_returns_expected_set_of_keys() { @Test public void test_that_listKeys_returns_expected_set_of_keys_with_sub_folder_paths_stripped_to_nearest_folder() { when(secureDataDao.getPathsByPartialPathAndType( + sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT)).thenReturn(new String[]{ "apps/checkout-service/api-keys/sub-folder/some-different-key" }); - Set res = secureDataService.listKeys(partialPathWithoutTrailingSlash); - verify(secureDataDao).getPathsByPartialPathAndType(partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); + Set res = secureDataService.listKeys(sdbId, partialPathWithoutTrailingSlash); + verify(secureDataDao).getPathsByPartialPathAndType(sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); assertEquals("There should be 1 key", 1, res.size()); assertTrue(res.contains("sub-folder/")); @@ -204,13 +210,14 @@ public void test_that_listKeys_returns_expected_set_of_keys_with_sub_folder_path @Test public void test_that_listKeys_returns_expected_set_of_keys_with_sub_folder_paths_stripped_to_nearest_folder_and_contains_key_without_slash_if_present() { when(secureDataDao.getPathsByPartialPathAndType( - partialPathWithoutTrailingSlash + "/", + sdbId, + partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT)).thenReturn(new String[]{ "apps/checkout-service/api-keys/sub-folder/some-different-key", "apps/checkout-service/api-keys/sub-folder" }); - Set res = secureDataService.listKeys(partialPathWithoutTrailingSlash); - verify(secureDataDao).getPathsByPartialPathAndType(partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); + Set res = secureDataService.listKeys(sdbId, partialPathWithoutTrailingSlash); + verify(secureDataDao).getPathsByPartialPathAndType(sdbId, partialPathWithoutTrailingSlash + "/", SecureDataType.OBJECT); assertEquals("There should be 2 key", 2, res.size()); assertTrue(res.contains("sub-folder/")); @@ -219,19 +226,19 @@ public void test_that_listKeys_returns_expected_set_of_keys_with_sub_folder_path @Test public void test_that_deleteAllSecretsThatStartWithGivenPartialPath_proxies_to_dao() { - secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(partialPathWithoutTrailingSlash); - verify(secureDataDao).deleteAllSecretsThatStartWithGivenPartialPath(partialPathWithoutTrailingSlash); + secureDataService.deleteAllSecretsThatStartWithGivenPartialPath(sdbId, partialPathWithoutTrailingSlash); + verify(secureDataDao).deleteAllSecretsThatStartWithGivenPartialPath(sdbId, partialPathWithoutTrailingSlash); } @Test public void test_that_deleteSecret_proxies_to_dao() { OffsetDateTime now = OffsetDateTime.now(ZoneId.of("UTC")); when(dateTimeSupplier.get()).thenReturn(now); - when(secureDataDao.readSecureDataByPathAndType(partialPathWithoutTrailingSlash, SecureDataType.OBJECT)) + when(secureDataDao.readSecureDataByPathAndType(sdbId, partialPathWithoutTrailingSlash, SecureDataType.OBJECT)) .thenReturn(Optional.of(secureDataRecord)); - secureDataService.deleteSecret(partialPathWithoutTrailingSlash, SecureDataType.OBJECT, principal); - verify(secureDataDao).deleteSecret(partialPathWithoutTrailingSlash); + secureDataService.deleteSecret(sdbId, partialPathWithoutTrailingSlash, SecureDataType.OBJECT, principal); + verify(secureDataDao).deleteSecret(sdbId, partialPathWithoutTrailingSlash); } @Test @@ -255,7 +262,7 @@ public void test_that_restoreSdbSecrets_proxies_to_dao() throws JsonProcessingEx OffsetDateTime now = OffsetDateTime.now(ZoneId.of("UTC")); when(dateTimeSupplier.get()).thenReturn(now); - when(secureDataDao.readSecureDataByPath(path)).thenReturn(Optional.empty()); + when(secureDataDao.readSecureDataByPath(sdbId, path)).thenReturn(Optional.empty()); secureDataService.restoreSdbSecrets(sdbId, data, principal); verify(secureDataDao).writeSecureData( @@ -327,18 +334,18 @@ public void test_that_writeSecret_does_now_allow_other_types_to_be_overwritten() String pathToFile = "app/sdb/file.pem"; SecureDataRecord fileRecord = new SecureDataRecord().setType(SecureDataType.FILE); when(encryptionService.encrypt(secret, pathToFile)).thenReturn(ciphertext); - when(secureDataDao.readSecureDataByPath(pathToFile)).thenReturn(Optional.of(fileRecord)); + when(secureDataDao.readSecureDataByPath(sdbId, pathToFile)).thenReturn(Optional.of(fileRecord)); - secureDataService.writeSecret("sdb id", pathToFile, secret, "principal"); + secureDataService.writeSecret(sdbId, pathToFile, secret, "principal"); } @Test(expected = ApiException.class) public void test_that_writeFile_does_now_allow_other_types_to_be_overwritten() { String pathToObject = "app/sdb/object"; SecureDataRecord objectRecord = new SecureDataRecord().setType(SecureDataType.OBJECT); - when(secureDataDao.readSecureDataByPath(pathToObject)).thenReturn(Optional.of(objectRecord)); + when(secureDataDao.readSecureDataByPath(sdbId, pathToObject)).thenReturn(Optional.of(objectRecord)); - secureDataService.writeSecureFile("sdbId", pathToObject, new byte[] {}, 0, pathToObject); + secureDataService.writeSecureFile(sdbId, pathToObject, new byte[] {}, 0, pathToObject); } @Test @@ -348,11 +355,11 @@ public void test_that_readSecret_reads_secrets_by_the_correct_type() { .setEncryptedBlob(ciphertextBytes) .setSizeInBytes(ciphertextBytes.length); when(encryptionService.decrypt(ciphertextBytes, pathToObject)).thenReturn(plaintextBytes); - when(secureDataDao.readSecureDataByPathAndType(pathToObject, SecureDataType.OBJECT)).thenReturn(Optional.of(record)); + when(secureDataDao.readSecureDataByPathAndType(sdbId, pathToObject, SecureDataType.OBJECT)).thenReturn(Optional.of(record)); - secureDataService.readSecret(pathToObject); + secureDataService.readSecret(sdbId, pathToObject); - verify(secureDataDao).readSecureDataByPathAndType(pathToObject, SecureDataType.OBJECT); + verify(secureDataDao).readSecureDataByPathAndType(sdbId, pathToObject, SecureDataType.OBJECT); } @Test @@ -364,11 +371,11 @@ public void test_that_readFile_reads_secrets_by_the_correct_type() { .setEncryptedBlob(ciphertextBytes) .setSizeInBytes(ciphertextBytes.length); when(encryptionService.decrypt(ciphertextBytes, pathToFile)).thenReturn(plaintextBytes); - when(secureDataDao.readSecureDataByPathAndType(pathToFile, SecureDataType.FILE)).thenReturn(Optional.of(record)); + when(secureDataDao.readSecureDataByPathAndType(sdbId, pathToFile, SecureDataType.FILE)).thenReturn(Optional.of(record)); - secureDataService.readFile(pathToFile); + secureDataService.readFile(sdbId, pathToFile); - verify(secureDataDao).readSecureDataByPathAndType(pathToFile, SecureDataType.FILE); + verify(secureDataDao).readSecureDataByPathAndType(sdbId, pathToFile, SecureDataType.FILE); } @Test @@ -381,11 +388,11 @@ public void test_that_deleteSecret_checks_type_before_deleting() { .setPath(pathToFile) .setEncryptedBlob(ciphertextBytes) .setSizeInBytes(ciphertextBytes.length); - when(secureDataDao.readSecureDataByPathAndType(pathToFile, type)).thenReturn(Optional.of(record)); + when(secureDataDao.readSecureDataByPathAndType(sdbId, pathToFile, type)).thenReturn(Optional.of(record)); - secureDataService.deleteSecret(pathToFile, SecureDataType.FILE, principal); + secureDataService.deleteSecret(sdbId, pathToFile, SecureDataType.FILE, principal); - verify(secureDataDao).readSecureDataByPathAndType(pathToFile, SecureDataType.FILE); + verify(secureDataDao).readSecureDataByPathAndType(sdbId, pathToFile, SecureDataType.FILE); verify(secureDataVersionDao).writeSecureDataVersion(null, pathToFile, ciphertextBytes, SecureDataVersionRecord.SecretsAction.DELETE, type, diff --git a/src/test/java/com/nike/cerberus/service/SecureDataVersionServiceTest.java b/src/test/java/com/nike/cerberus/service/SecureDataVersionServiceTest.java index bae83719d..0c96d6ec9 100644 --- a/src/test/java/com/nike/cerberus/service/SecureDataVersionServiceTest.java +++ b/src/test/java/com/nike/cerberus/service/SecureDataVersionServiceTest.java @@ -75,9 +75,9 @@ public void test_that_getSecureDataVersionsByPath_returns_versions() { List versions = Lists.newArrayList(record); - when(secureDataService.getSecureDataRecordForPath(pathToSecureData)).thenReturn(Optional.empty()); + when(secureDataService.getSecureDataRecordForPath(sdbId, pathToSecureData)).thenReturn(Optional.empty()); when(secureDataVersionDao.listSecureDataVersionByPath(pathToSecureData, 1, 0)).thenReturn(versions); - SecureDataVersionsResult summaries = secureDataVersionService.getSecureDataVersionSummariesByPath(pathToSecureData, sdbCategory, 1, 0); + SecureDataVersionsResult summaries = secureDataVersionService.getSecureDataVersionSummariesByPath(sdbId, pathToSecureData, sdbCategory, 1, 0); SecureDataVersionSummary result = summaries.getSecureDataVersionSummaries().get(0); assertEquals(record.getAction(), result.getAction());