
Update v2 IAM auth API to use 'principal' language (#34)
* Rename IAM 'role' to 'principal'
sdford authored Apr 21, 2017
1 parent def476b commit 6aa07ab
Showing 37 changed files with 309 additions and 328 deletions.
24 changes: 12 additions & 12 deletions API.md
Expand Up @@ -72,9 +72,9 @@ This endpoint will take a Users credentials and proxy the request to Vault to ge
This endpoint will take a Users credentials and proxy the request to Vault to get a Vault token for the user with some extra metadata.

+ Request (application/json)

+ Body

{
"state_token": "jskljdklaj",
"device_id": "123456",
Expand Down Expand Up @@ -141,7 +141,7 @@ This endpoint allows a user to exchange their current token for a new one with u
}
}

## App Login v2 [/v2/auth/iam-role]
## App Login v2 [/v2/auth/iam-principal]

### Authenticate with Cerberus as an App [POST]

Expand Down Expand Up @@ -204,7 +204,7 @@ This endpoint takes IAM ARN information and generates an base 64 encoded KMS enc
"aws_iam_role_name" : "fake-role",
"username" : "arn:aws:iam::111111111:role/fake-role",
"is_admin": "false",
"groups": "registered-iam-principals"
"groups": "registered-iam-principals"
},
"lease_duration" : 3600,
"renewable" : true
Expand Down Expand Up @@ -281,7 +281,7 @@ This endpoint will create a new Safe Deposit Box
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
"iam_principal_permissions": [
{
"iam_principal_arn": ""arn:aws:iam::1111111111:role/role-name"
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
Expand Down Expand Up @@ -312,7 +312,7 @@ This endpoint will create a new Safe Deposit Box
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
"iam_principal_permissions": [
{
"id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46",
"iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
Expand All @@ -337,7 +337,7 @@ This endpoint returns details on a specific Safe Deposit Box.

+ Response 200 (application/json)

+ body
+ Body

{
"id": "a7d703da-faac-11e5-a8a9-7fa3b294cd46",
Expand All @@ -353,7 +353,7 @@ This endpoint returns details on a specific Safe Deposit Box.
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
"iam_principal_permissions": [
{
"id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46",
"iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
Expand Down Expand Up @@ -384,7 +384,7 @@ This endpoint allows a user to update the description, user group, and iam role
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
"iam_principal_permissions": [
{
"iam_principal_arn": ""arn:aws:iam::1111111111:role/role-name2"
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
Expand All @@ -398,8 +398,8 @@ This endpoint allows a user to update the description, user group, and iam role

X-Refresh-Token: true

+ body
+ Body

{
"id": "a7d703da-faac-11e5-a8a9-7fa3b294cd46",
"name": "Stage",
Expand All @@ -414,7 +414,7 @@ This endpoint allows a user to update the description, user group, and iam role
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
"iam_principal_permissions": [
{
"id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46",
"iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
Expand Down
2 changes: 1 addition & 1 deletion gradle.properties
Expand Up @@ -14,6 +14,6 @@
# limitations under the License.
#

version=0.16.0
version=0.17.0
groupId=com.nike.cerberus
artifactId=cms
4 changes: 2 additions & 2 deletions gradle/develop.gradle
Expand Up @@ -18,7 +18,7 @@ import org.apache.tools.ant.taskdefs.condition.Os
import groovyx.net.http.RESTClient
import static groovyx.net.http.ContentType.*

def dashboardRelease = 'v0.11.0'
def dashboardRelease = 'v0.12.0'
def vaultVersion = "0.6.4"

buildscript {
Expand Down Expand Up @@ -83,7 +83,7 @@ task extractDashboard(type: Copy, dependsOn: downloadDashboard) {
description 'Extracts the dashboard archive into the build dir for the express server to service when running the dashboard / proxy'

from tarTree("${project.buildDir.absolutePath}${File.separator}cerberus-dashboard.tar.gz")
File dashboardDir = new File("${project.buildDir.absolutePath}${File.separator}dashbord")
File dashboardDir = new File("${project.buildDir.absolutePath}${File.separator}dashboard")
dashboardDir.mkdirs()
into dashboardDir
}
Expand Down
2 changes: 1 addition & 1 deletion reverse_proxy/server.js
Expand Up @@ -43,7 +43,7 @@ redwire.http('http://127.0.0.1:9000/v2', '127.0.0.1:8080/v2');
var express = require('express')
var app = express()

app.use(express.static(__dirname + '/../build/dashbord'))
app.use(express.static(__dirname + '/../build/dashboard'))

app.listen(8000, function () {
console.log('express server listing on port 8000')
Expand Down
Expand Up @@ -24,14 +24,14 @@
import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_PRINCIPAL_ARN_REGEX;

/**
* Represents the IAM role credentials sent during authentication.
* Represents the IAM principal credentials sent during authentication.
*/
public class IamRoleCredentialsV2 {
public class IamPrincipalCredentials {

@Pattern(regexp = AWS_IAM_PRINCIPAL_ARN_REGEX, message = "AUTH_IAM_PRINCIPAL_INVALID")
private String iamPrincipalArn;

@NotBlank(message = "AUTH_IAM_ROLE_AWS_REGION_BLANK")
@NotBlank(message = "AUTH_IAM_PRINCIPAL_AWS_REGION_BLANK")
private String region;

public String getIamPrincipalArn() {
Expand Down
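Review bot: `region` is accepted with only `@NotBlank` (L168–170) while `iamPrincipalArn` gets a full regex, so any non-empty string, including one carrying CR/LF, passes validation and is then written to the info log in AuthenticateIamPrincipal (L415–416), which allows forged log lines from an unauthenticated caller; whether the service layer validates the region later is outside this view. Tighten it to the AWS region shape next to the existing annotation, e.g. `@Pattern(regexp = "^[a-z]{2}(-gov)?-[a-z]+-\\d$", message = "AUTH_IAM_PRINCIPAL_AWS_REGION_INVALID")`, with the new message code added to the error enum that is not in this hunk. The class body continues past the hunk, so the `region` accessors are not visible here.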
Expand Up @@ -25,12 +25,11 @@
import java.time.OffsetDateTime;

import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_PRINCIPAL_ARN_REGEX;
import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_REGEX;

/**
* Represents a permission granted to an IAM role with regards to a safe deposit box
*/
public class IamRolePermissionV2 {
public class IamPrincipalPermission {

private String id;

Expand Down Expand Up @@ -64,7 +63,7 @@ public void setRoleId(String roleId) {
this.roleId = roleId;
}

public IamRolePermissionV2 withRoleId(String roleId) {
public IamPrincipalPermission withRoleId(String roleId) {
this.roleId = roleId;
return this;
}
Expand All @@ -77,7 +76,7 @@ public void setIamPrincipalArn(String iamPrincipalArn) {
this.iamPrincipalArn = iamPrincipalArn;
}

public IamRolePermissionV2 withIamPrincipalArn(String iamRoleArn) {
public IamPrincipalPermission withIamPrincipalArn(String iamRoleArn) {
this.iamPrincipalArn = iamRoleArn;
return this;
}
Expand Down Expand Up @@ -119,7 +118,7 @@ public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;

IamRolePermissionV2 that = (IamRolePermissionV2) o;
IamPrincipalPermission that = (IamPrincipalPermission) o;

return iamPrincipalArn != null ? iamPrincipalArn.equals(that.iamPrincipalArn) : that.iamPrincipalArn == null;

Expand Down
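Review bot: The class Javadoc (L182) still reads "granted to an IAM role" after the class became `IamPrincipalPermission`, and `withIamPrincipalArn` (L203) keeps the stale parameter name `iamRoleArn`; both should follow the rename, to `* Represents a permission granted to an IAM principal with regards to a safe deposit box` and `public IamPrincipalPermission withIamPrincipalArn(String iamPrincipalArn)`. `equals` (L214) compares only `iamPrincipalArn`, so two entries with the same ARN but different `roleId` are equal — presumably intended so the unique-permissions validator sees one entry per principal, but that deserves a one-line comment such as `// identity is the principal ARN only: at most one permission per principal per SDB`; `hashCode` is outside the hunk and should agree.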
Expand Up @@ -27,7 +27,7 @@
* Represents the IAM role credentials sent during authentication.
*/
@Deprecated
public class IamRoleCredentialsV1 {
public class IamRoleCredentials {

@Pattern(regexp = IAM_ROLE_ACCT_ID_REGEX, message = "IAM_ROLE_ACCT_ID_INVALID")
private String accountId;
Expand Down
Expand Up @@ -29,7 +29,7 @@
/**
* Represents a permission granted to an IAM role with regards to a safe deposit box
*/
public class IamRolePermissionV1 {
public class IamRolePermission {

private String id;

Expand Down Expand Up @@ -68,7 +68,7 @@ public void setAccountId(String accountId) {
this.accountId = accountId;
}

public IamRolePermissionV1 withAccountId(String accountId) {
public IamRolePermission withAccountId(String accountId) {
this.accountId = accountId;
return this;
}
Expand All @@ -81,7 +81,7 @@ public void setIamRoleName(String iamRoleName) {
this.iamRoleName = iamRoleName;
}

public IamRolePermissionV1 withIamRoleName(String iamRoleName) {
public IamRolePermission withIamRoleName(String iamRoleName) {
this.iamRoleName = iamRoleName;
return this;
}
Expand All @@ -94,7 +94,7 @@ public void setRoleId(String roleId) {
this.roleId = roleId;
}

public IamRolePermissionV1 withRoleId(String roleId) {
public IamRolePermission withRoleId(String roleId) {
this.roleId = roleId;
return this;
}
Expand Down Expand Up @@ -136,7 +136,7 @@ public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;

IamRolePermissionV1 that = (IamRolePermissionV1) o;
IamRolePermission that = (IamRolePermission) o;

if (accountId != null ? !accountId.equals(that.accountId) : that.accountId != null) return false;
return iamRoleName != null ? iamRoleName.equals(that.iamRoleName) : that.iamRoleName == null;
Expand Down
1 change: 0 additions & 1 deletion src/main/java/com/nike/cerberus/domain/SDBMetadata.java
Expand Up @@ -17,7 +17,6 @@
package com.nike.cerberus.domain;

import java.time.OffsetDateTime;
import java.util.Date;
import java.util.Map;

public class SDBMetadata {
Expand Down
10 changes: 5 additions & 5 deletions src/main/java/com/nike/cerberus/domain/SafeDepositBoxV1.java
Expand Up @@ -16,7 +16,7 @@

package com.nike.cerberus.domain;

import com.nike.cerberus.validation.UniqueIamRolePermissionsV1;
import com.nike.cerberus.validation.UniqueIamRolePermissions;
import com.nike.cerberus.validation.UniqueOwner;
import com.nike.cerberus.validation.UniqueUserGroupPermissions;
import com.nike.cerberus.validation.group.Updatable;
Expand Down Expand Up @@ -66,8 +66,8 @@ public class SafeDepositBoxV1 implements SafeDepositBox {
private Set<UserGroupPermission> userGroupPermissions = new HashSet<>();

@Valid
@UniqueIamRolePermissionsV1(groups = {Default.class, Updatable.class})
private Set<IamRolePermissionV1> iamRolePermissions = new HashSet<>();
@UniqueIamRolePermissions(groups = {Default.class, Updatable.class})
private Set<IamRolePermission> iamRolePermissions = new HashSet<>();

public String getId() {
return id;
Expand Down Expand Up @@ -157,11 +157,11 @@ public void setUserGroupPermissions(Set<UserGroupPermission> userGroupPermission
this.userGroupPermissions = userGroupPermissions;
}

public Set<IamRolePermissionV1> getIamRolePermissions() {
public Set<IamRolePermission> getIamRolePermissions() {
return iamRolePermissions;
}

public void setIamRolePermissions(Set<IamRolePermissionV1> iamRolePermissions) {
public void setIamRolePermissions(Set<IamRolePermission> iamRolePermissions) {
this.iamRolePermissions = iamRolePermissions;
}

Expand Down
18 changes: 9 additions & 9 deletions src/main/java/com/nike/cerberus/domain/SafeDepositBoxV2.java
Expand Up @@ -17,7 +17,7 @@

package com.nike.cerberus.domain;

import com.nike.cerberus.validation.UniqueIamRolePermissionsV2;
import com.nike.cerberus.validation.UniqueIamPrincipalPermissions;
import com.nike.cerberus.validation.UniqueOwner;
import com.nike.cerberus.validation.UniqueUserGroupPermissions;
import com.nike.cerberus.validation.group.Updatable;
Expand Down Expand Up @@ -67,8 +67,8 @@ public class SafeDepositBoxV2 implements SafeDepositBox {
private Set<UserGroupPermission> userGroupPermissions = new HashSet<>();

@Valid
@UniqueIamRolePermissionsV2(groups = {Default.class, Updatable.class})
private Set<IamRolePermissionV2> iamRolePermissions = new HashSet<>();
@UniqueIamPrincipalPermissions(groups = {Default.class, Updatable.class})
private Set<IamPrincipalPermission> iamPrincipalPermissions = new HashSet<>();

public String getId() {
return id;
Expand Down Expand Up @@ -158,12 +158,12 @@ public void setUserGroupPermissions(Set<UserGroupPermission> userGroupPermission
this.userGroupPermissions = userGroupPermissions;
}

public Set<IamRolePermissionV2> getIamRolePermissions() {
return iamRolePermissions;
public Set<IamPrincipalPermission> getIamPrincipalPermissions() {
return iamPrincipalPermissions;
}

public void setIamRolePermissions(Set<IamRolePermissionV2> iamRolePermissions) {
this.iamRolePermissions = iamRolePermissions;
public void setIamPrincipalPermissions(Set<IamPrincipalPermission> iamPrincipalPermissions) {
this.iamPrincipalPermissions = iamPrincipalPermissions;
}

@Override
Expand All @@ -187,7 +187,7 @@ public boolean equals(Object o) {
if (owner != null ? !owner.equals(that.owner) : that.owner != null) return false;
if (userGroupPermissions != null ? !userGroupPermissions.equals(that.userGroupPermissions) : that.userGroupPermissions != null)
return false;
return iamRolePermissions != null ? iamRolePermissions.equals(that.iamRolePermissions) : that.iamRolePermissions == null;
return iamPrincipalPermissions != null ? iamPrincipalPermissions.equals(that.iamPrincipalPermissions) : that.iamPrincipalPermissions == null;

}

Expand All @@ -204,7 +204,7 @@ public int hashCode() {
result = 31 * result + (lastUpdatedBy != null ? lastUpdatedBy.hashCode() : 0);
result = 31 * result + (owner != null ? owner.hashCode() : 0);
result = 31 * result + (userGroupPermissions != null ? userGroupPermissions.hashCode() : 0);
result = 31 * result + (iamRolePermissions != null ? iamRolePermissions.hashCode() : 0);
result = 31 * result + (iamPrincipalPermissions != null ? iamPrincipalPermissions.hashCode() : 0);
return result;
}
}
Expand Up @@ -18,7 +18,7 @@
package com.nike.cerberus.endpoints.authentication;

import com.nike.cerberus.domain.IamRoleAuthResponse;
import com.nike.cerberus.domain.IamRoleCredentialsV2;
import com.nike.cerberus.domain.IamPrincipalCredentials;
import com.nike.cerberus.service.AuthenticationService;
import com.nike.riposte.server.http.RequestInfo;
import com.nike.riposte.server.http.ResponseInfo;
Expand All @@ -37,23 +37,23 @@
* Authentication endpoint for IAM roles. If valid, a client token that is encrypted via KMS is returned. The
* IAM role will be the only role capable of decrypting the client token via KMS.
*/
public class AuthenticateIamRoleV2 extends StandardEndpoint<IamRoleCredentialsV2, IamRoleAuthResponse> {
public class AuthenticateIamPrincipal extends StandardEndpoint<IamPrincipalCredentials, IamRoleAuthResponse> {

private final Logger log = LoggerFactory.getLogger(getClass());

private final AuthenticationService authenticationService;

@Inject
public AuthenticateIamRoleV2(final AuthenticationService authenticationService) {
public AuthenticateIamPrincipal(final AuthenticationService authenticationService) {
this.authenticationService = authenticationService;
}

@Override
public CompletableFuture<ResponseInfo<IamRoleAuthResponse>> execute(final RequestInfo<IamRoleCredentialsV2> request,
public CompletableFuture<ResponseInfo<IamRoleAuthResponse>> execute(final RequestInfo<IamPrincipalCredentials> request,
final Executor longRunningTaskExecutor,
final ChannelHandlerContext ctx) {
return CompletableFuture.supplyAsync(() -> {
IamRoleCredentialsV2 credentials = request.getContent();
IamPrincipalCredentials credentials = request.getContent();
log.info("IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}",
credentials.getIamPrincipalArn(), credentials.getRegion());

Expand All @@ -63,6 +63,6 @@ public CompletableFuture<ResponseInfo<IamRoleAuthResponse>> execute(final Reques

@Override
public Matcher requestMatcher() {
return Matcher.match("/v2/auth/iam-role", HttpMethod.POST);
return Matcher.match("/v2/auth/iam-principal", HttpMethod.POST);
}
}
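Review bot: The class Javadoc (L391–392) still describes an endpoint for "IAM roles" where "the IAM role will be the only role capable of decrypting the client token", which no longer matches the `IamPrincipalCredentials` / `/v2/auth/iam-principal` contract; reword it to `Authentication endpoint for IAM principals. If valid, a client token encrypted via KMS is returned; only the authenticating principal can decrypt it.` The info log at L415 has a typo, `in attempting` → `is attempting`, and it records the caller-supplied `region`, which the request class constrains only with `@NotBlank`, so the log line is writable by an unauthenticated caller until that field is pattern-validated. Replacing the v2 matcher `/v2/auth/iam-role` with `/v2/auth/iam-principal` (L422–423) without keeping the old path will 404 existing v2 clients; if that is intended, it should be called out as a breaking change rather than shipped under a minor version bump.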
