diff --git a/src/main/java/com/nike/cerberus/error/DefaultApiError.java b/src/main/java/com/nike/cerberus/error/DefaultApiError.java index 272339a6c..bc177b642 100644 --- a/src/main/java/com/nike/cerberus/error/DefaultApiError.java +++ b/src/main/java/com/nike/cerberus/error/DefaultApiError.java @@ -141,11 +141,6 @@ public enum DefaultApiError implements ApiError { */ SDB_OWNER_TOO_LONG(99214, "Owner may not exceed 255 characters.", HttpServletResponse.SC_BAD_REQUEST), - /** - * SDB has too many owners - */ - SDB_TOO_MANY_OWNERS(99221, "The SDB has more than one owners!", HttpServletResponse.SC_INTERNAL_SERVER_ERROR), - /** * The AWS region specified is invalid. */ @@ -176,11 +171,22 @@ public enum DefaultApiError implements ApiError { */ SDB_OWNER_IN_USER_GROUP_PERMS(99220, "The owner can not be included in the user group permissions.", HttpServletResponse.SC_BAD_REQUEST), + /** + * SDB has too many owners + */ + SDB_TOO_MANY_OWNERS(99221, "The SDB has more than one owners!", HttpServletResponse.SC_INTERNAL_SERVER_ERROR), + /** * Authentication error for when a user attempts to login and MFA is required but not setup on their account. */ MFA_SETUP_REQUIRED(99222, "MFA is required but the user has not set up any factors.", HttpServletResponse.SC_BAD_REQUEST), + + /** + * The IAM Role + Region don't have a KMS key provisioned to encrypt the auth response. + */ + AUTH_IAM_ROLE_REJECTED(99223, "KMS rejected the IAM Role ARN with an InvalidArnException.", HttpServletResponse.SC_INTERNAL_SERVER_ERROR), + /** * Generic not found error. */ diff --git a/src/main/java/com/nike/cerberus/service/AuthenticationService.java b/src/main/java/com/nike/cerberus/service/AuthenticationService.java index d192179d3..d671a4afb 100644 --- a/src/main/java/com/nike/cerberus/service/AuthenticationService.java +++ b/src/main/java/com/nike/cerberus/service/AuthenticationService.java @@ -22,6 +22,7 @@ import com.amazonaws.services.kms.AWSKMSClient; import com.amazonaws.services.kms.model.EncryptRequest; import com.amazonaws.services.kms.model.EncryptResult; +import com.amazonaws.services.kms.model.InvalidArnException; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import com.google.common.collect.Maps; @@ -167,7 +168,16 @@ public AuthResponse mfaCheck(final MfaCheckRequest mfaCheckRequest) { * @return Encrypted auth response */ public IamRoleAuthResponse authenticate(IamRoleCredentials credentials) { - final String keyId = getKeyId(credentials); + final String keyId; + try { + keyId = getKeyId(credentials); + } catch (InvalidArnException e) { + throw ApiException.newBuilder() + .withApiErrors(DefaultApiError.AUTH_IAM_ROLE_REJECTED) + .withExceptionCause(e) + .withExceptionMessage("Failed to lazily provision KMS key for arn:aws:iam::%s:role/%s in region: %s") + .build(); + } final Set policies = buildPolicySet(credentials.getAccountId(), credentials.getRoleName());