diff --git a/API.md b/API.md
index 746c97435..139e907d3 100644
--- a/API.md
+++ b/API.md
@@ -72,9 +72,9 @@ This endpoint will take a Users credentials and proxy the request to Vault to ge
 This endpoint will take a Users credentials and proxy the request to Vault to get a Vault token for the user with some extra metadata. + Request (application/json) - + + Body - + { "state_token": "jskljdklaj", "device_id": "123456",
@@ -141,7 +141,7 @@ This endpoint allows a user to exchange their current token for a new one with u
 }
 }
-## App Login v2 [/v2/auth/iam-role]
+## App Login v2 [/v2/auth/iam-principal]
 ### Authenticate with Cerberus as an App [POST]
@@ -204,7 +204,7 @@ This endpoint takes IAM ARN information and generates an base 64 encoded KMS enc
 "aws_iam_role_name" : "fake-role", "username" : "arn:aws:iam::111111111:role/fake-role", "is_admin": "false",
- "groups": "registered-iam-principals"
+ "groups": "registered-iam-principals"
 }, "lease_duration" : 3600, "renewable" : true
@@ -281,7 +281,7 @@ This endpoint will create a new Safe Deposit Box
 "role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46" } ],
- "iam_role_permissions": [
+ "iam_principal_permissions": [
 { "iam_principal_arn": ""arn:aws:iam::1111111111:role/role-name" "role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
@@ -312,7 +312,7 @@ This endpoint will create a new Safe Deposit Box
 "role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46" } ],
- "iam_role_permissions": [
+ "iam_principal_permissions": [
 { "id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46", "iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
@@ -337,7 +337,7 @@ This endpoint returns details on a specific Safe Deposit Box.
 + Response 200 (application/json)
- + body
+ + Body
 { "id": "a7d703da-faac-11e5-a8a9-7fa3b294cd46",
@@ -353,7 +353,7 @@ This endpoint returns details on a specific Safe Deposit Box.
 "role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46" } ],
- "iam_role_permissions": [
+ "iam_principal_permissions": [
 { "id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46", "iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
@@ -384,7 +384,7 @@ This endpoint allows a user to update the description, user group, and iam role
 "role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46" } ],
- "iam_role_permissions": [
+ "iam_principal_permissions": [
 { "iam_principal_arn": ""arn:aws:iam::1111111111:role/role-name2" "role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
@@ -398,8 +398,8 @@ This endpoint allows a user to update the description, user group, and iam role
 X-Refresh-Token: true - + body - + + Body + { "id": "a7d703da-faac-11e5-a8a9-7fa3b294cd46", "name": "Stage",
@@ -414,7 +414,7 @@ This endpoint allows a user to update the description, user group, and iam role
 "role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46" } ],
- "iam_role_permissions": [
+ "iam_principal_permissions": [
 { "id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46", "iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
diff --git a/gradle.properties b/gradle.properties
index 777cedbf6..48451129d 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -14,6 +14,6 @@
 # limitations under the License.
 #
-version=0.16.0
+version=0.17.0
 groupId=com.nike.cerberus
 artifactId=cms
diff --git a/gradle/develop.gradle b/gradle/develop.gradle
index dd3c31884..c7a6f31bd 100644
--- a/gradle/develop.gradle
+++ b/gradle/develop.gradle
@@ -18,7 +18,7 @@ import org.apache.tools.ant.taskdefs.condition.Os
 import groovyx.net.http.RESTClient
 import static groovyx.net.http.ContentType.*
-def dashboardRelease = 'v0.11.0'
+def dashboardRelease = 'v0.12.0'
 def vaultVersion = "0.6.4"
 buildscript {
@@ -83,7 +83,7 @@ task extractDashboard(type: Copy, dependsOn: downloadDashboard) {
 description 'Extracts the dashboard archive into the build dir for the express server to service when running the dashboard / proxy'
 from tarTree("${project.buildDir.absolutePath}${File.separator}cerberus-dashboard.tar.gz")
- File dashboardDir = new File("${project.buildDir.absolutePath}${File.separator}dashbord")
+ File dashboardDir = new File("${project.buildDir.absolutePath}${File.separator}dashboard")
 dashboardDir.mkdirs()
 into dashboardDir
 }
diff --git a/reverse_proxy/server.js b/reverse_proxy/server.js
index f689c8366..e0ad721c5 100644
--- a/reverse_proxy/server.js
+++ b/reverse_proxy/server.js
@@ -43,7 +43,7 @@ redwire.http('http://127.0.0.1:9000/v2', '127.0.0.1:8080/v2');
 var express = require('express')
 var app = express()
-app.use(express.static(__dirname + '/../build/dashbord'))
+app.use(express.static(__dirname + '/../build/dashboard'))
 app.listen(8000, function () {
 console.log('express server listing on port 8000')
diff --git a/src/main/java/com/nike/cerberus/domain/IamRoleCredentialsV2.java b/src/main/java/com/nike/cerberus/domain/IamPrincipalCredentials.java
similarity index 88%
rename from src/main/java/com/nike/cerberus/domain/IamRoleCredentialsV2.java
rename to src/main/java/com/nike/cerberus/domain/IamPrincipalCredentials.java
index e5d6a9c54..423260a13 100644
--- a/src/main/java/com/nike/cerberus/domain/IamRoleCredentialsV2.java
+++ b/src/main/java/com/nike/cerberus/domain/IamPrincipalCredentials.java
@@ -24,14 +24,14 @@
 import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_PRINCIPAL_ARN_REGEX;
 /**
- * Represents the IAM role credentials sent during authentication.
+ * Represents the IAM principal credentials sent during authentication.
 */
-public class IamRoleCredentialsV2 {
+public class IamPrincipalCredentials {
 @Pattern(regexp = AWS_IAM_PRINCIPAL_ARN_REGEX, message = "AUTH_IAM_PRINCIPAL_INVALID")
 private String iamPrincipalArn;
- @NotBlank(message = "AUTH_IAM_ROLE_AWS_REGION_BLANK")
+ @NotBlank(message = "AUTH_IAM_PRINCIPAL_AWS_REGION_BLANK")
 private String region;
 public String getIamPrincipalArn() {
diff --git a/src/main/java/com/nike/cerberus/domain/IamRolePermissionV2.java b/src/main/java/com/nike/cerberus/domain/IamPrincipalPermission.java
similarity index 91%
rename from src/main/java/com/nike/cerberus/domain/IamRolePermissionV2.java
rename to src/main/java/com/nike/cerberus/domain/IamPrincipalPermission.java
index 7dde8d006..c91ffe306 100644
--- a/src/main/java/com/nike/cerberus/domain/IamRolePermissionV2.java
+++ b/src/main/java/com/nike/cerberus/domain/IamPrincipalPermission.java
@@ -25,12 +25,11 @@
 import java.time.OffsetDateTime;
 import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_PRINCIPAL_ARN_REGEX;
-import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_REGEX;
 /**
 * Represents a permission granted to an IAM role with regards to a safe deposit box
 */
-public class IamRolePermissionV2 {
+public class IamPrincipalPermission {
 private String id;
@@ -64,7 +63,7 @@ public void setRoleId(String roleId) {
 this.roleId = roleId;
 }
- public IamRolePermissionV2 withRoleId(String roleId) {
+ public IamPrincipalPermission withRoleId(String roleId) {
 this.roleId = roleId;
 return this;
 }
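Review bot: The class Javadoc of IamPrincipalPermission still reads `* Represents a permission granted to an IAM role with regards to a safe deposit box` although the class was renamed and the role-ARN regex import was dropped in the same hunk; change it to `* Represents a permission granted to an IAM principal with regards to a safe deposit box`. The same leftover terminology appears in the next hunk, where the renamed builder `withIamPrincipalArn(String iamRoleArn)` keeps the old parameter name; `iamPrincipalArn` would match the field it assigns.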
@@ -77,7 +76,7 @@ public void setIamPrincipalArn(String iamPrincipalArn) {
 this.iamPrincipalArn = iamPrincipalArn;
 }
- public IamRolePermissionV2 withIamPrincipalArn(String iamRoleArn) {
+ public IamPrincipalPermission withIamPrincipalArn(String iamRoleArn) {
 this.iamPrincipalArn = iamRoleArn;
 return this;
 }
@@ -119,7 +118,7 @@ public boolean equals(Object o) {
 if (this == o) return true;
 if (o == null || getClass() != o.getClass()) return false;
- IamRolePermissionV2 that = (IamRolePermissionV2) o;
+ IamPrincipalPermission that = (IamPrincipalPermission) o;
 return iamPrincipalArn != null ? iamPrincipalArn.equals(that.iamPrincipalArn) : that.iamPrincipalArn == null;
diff --git a/src/main/java/com/nike/cerberus/domain/IamRoleCredentialsV1.java b/src/main/java/com/nike/cerberus/domain/IamRoleCredentials.java
similarity index 97%
rename from src/main/java/com/nike/cerberus/domain/IamRoleCredentialsV1.java
rename to src/main/java/com/nike/cerberus/domain/IamRoleCredentials.java
index bda812613..f62d6b26b 100644
--- a/src/main/java/com/nike/cerberus/domain/IamRoleCredentialsV1.java
+++ b/src/main/java/com/nike/cerberus/domain/IamRoleCredentials.java
@@ -27,7 +27,7 @@
 * Represents the IAM role credentials sent during authentication.
 */
 @Deprecated
-public class IamRoleCredentialsV1 {
+public class IamRoleCredentials {
 @Pattern(regexp = IAM_ROLE_ACCT_ID_REGEX, message = "IAM_ROLE_ACCT_ID_INVALID")
 private String accountId;
diff --git a/src/main/java/com/nike/cerberus/domain/IamRolePermissionV1.java b/src/main/java/com/nike/cerberus/domain/IamRolePermission.java
similarity index 93%
rename from src/main/java/com/nike/cerberus/domain/IamRolePermissionV1.java
rename to src/main/java/com/nike/cerberus/domain/IamRolePermission.java
index 7c91005cc..8f053ab55 100644
--- a/src/main/java/com/nike/cerberus/domain/IamRolePermissionV1.java
+++ b/src/main/java/com/nike/cerberus/domain/IamRolePermission.java
@@ -29,7 +29,7 @@
 /**
 * Represents a permission granted to an IAM role with regards to a safe deposit box
 */
-public class IamRolePermissionV1 {
+public class IamRolePermission {
 private String id;
@@ -68,7 +68,7 @@ public void setAccountId(String accountId) {
 this.accountId = accountId;
 }
- public IamRolePermissionV1 withAccountId(String accountId) {
+ public IamRolePermission withAccountId(String accountId) {
 this.accountId = accountId;
 return this;
 }
@@ -81,7 +81,7 @@ public void setIamRoleName(String iamRoleName) {
 this.iamRoleName = iamRoleName;
 }
- public IamRolePermissionV1 withIamRoleName(String iamRoleName) {
+ public IamRolePermission withIamRoleName(String iamRoleName) {
 this.iamRoleName = iamRoleName;
 return this;
 }
@@ -94,7 +94,7 @@ public void setRoleId(String roleId) {
 this.roleId = roleId;
 }
- public IamRolePermissionV1 withRoleId(String roleId) {
+ public IamRolePermission withRoleId(String roleId) {
 this.roleId = roleId;
 return this;
 }
@@ -136,7 +136,7 @@ public boolean equals(Object o) {
 if (this == o) return true;
 if (o == null || getClass() != o.getClass()) return false;
- IamRolePermissionV1 that = (IamRolePermissionV1) o;
+ IamRolePermission that = (IamRolePermission) o;
 if (accountId != null ? !accountId.equals(that.accountId) : that.accountId != null) return false;
 return iamRoleName != null ? iamRoleName.equals(that.iamRoleName) : that.iamRoleName == null;
diff --git a/src/main/java/com/nike/cerberus/domain/SDBMetadata.java b/src/main/java/com/nike/cerberus/domain/SDBMetadata.java
index 79abcdf2b..f91f64930 100644
--- a/src/main/java/com/nike/cerberus/domain/SDBMetadata.java
+++ b/src/main/java/com/nike/cerberus/domain/SDBMetadata.java
@@ -17,7 +17,6 @@
 package com.nike.cerberus.domain;
 import java.time.OffsetDateTime;
-import java.util.Date;
 import java.util.Map;
 public class SDBMetadata {
diff --git a/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV1.java b/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV1.java
index a5d37a7ac..50b9441e5 100644
--- a/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV1.java
+++ b/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV1.java
@@ -16,7 +16,7 @@
 package com.nike.cerberus.domain;
-import com.nike.cerberus.validation.UniqueIamRolePermissionsV1;
+import com.nike.cerberus.validation.UniqueIamRolePermissions;
 import com.nike.cerberus.validation.UniqueOwner;
 import com.nike.cerberus.validation.UniqueUserGroupPermissions;
 import com.nike.cerberus.validation.group.Updatable;
@@ -66,8 +66,8 @@ public class SafeDepositBoxV1 implements SafeDepositBox {
 private Set userGroupPermissions = new HashSet<>();
 @Valid
- @UniqueIamRolePermissionsV1(groups = {Default.class, Updatable.class})
- private Set iamRolePermissions = new HashSet<>();
+ @UniqueIamRolePermissions(groups = {Default.class, Updatable.class})
+ private Set iamRolePermissions = new HashSet<>();
 public String getId() {
 return id;
@@ -157,11 +157,11 @@ public void setUserGroupPermissions(Set userGroupPermission
 this.userGroupPermissions = userGroupPermissions;
 }
- public Set getIamRolePermissions() {
+ public Set getIamRolePermissions() {
 return iamRolePermissions;
 }
- public void setIamRolePermissions(Set iamRolePermissions) {
+ public void setIamRolePermissions(Set iamRolePermissions) {
 this.iamRolePermissions = iamRolePermissions;
 }
diff --git a/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV2.java b/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV2.java
index ff3be66ac..9b8f7c51f 100644
--- a/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV2.java
+++ b/src/main/java/com/nike/cerberus/domain/SafeDepositBoxV2.java
@@ -17,7 +17,7 @@
 package com.nike.cerberus.domain;
-import com.nike.cerberus.validation.UniqueIamRolePermissionsV2;
+import com.nike.cerberus.validation.UniqueIamPrincipalPermissions;
 import com.nike.cerberus.validation.UniqueOwner;
 import com.nike.cerberus.validation.UniqueUserGroupPermissions;
 import com.nike.cerberus.validation.group.Updatable;
@@ -67,8 +67,8 @@ public class SafeDepositBoxV2 implements SafeDepositBox {
 private Set userGroupPermissions = new HashSet<>();
 @Valid
- @UniqueIamRolePermissionsV2(groups = {Default.class, Updatable.class})
- private Set iamRolePermissions = new HashSet<>();
+ @UniqueIamPrincipalPermissions(groups = {Default.class, Updatable.class})
+ private Set iamPrincipalPermissions = new HashSet<>();
 public String getId() {
 return id;
@@ -158,12 +158,12 @@ public void setUserGroupPermissions(Set userGroupPermission
 this.userGroupPermissions = userGroupPermissions;
 }
- public Set getIamRolePermissions() {
- return iamRolePermissions;
+ public Set getIamPrincipalPermissions() {
+ return iamPrincipalPermissions;
 }
- public void setIamRolePermissions(Set iamRolePermissions) {
- this.iamRolePermissions = iamRolePermissions;
+ public void setIamPrincipalPermissions(Set iamPrincipalPermissions) {
+ this.iamPrincipalPermissions = iamPrincipalPermissions;
 }
 @Override
@@ -187,7 +187,7 @@ public boolean equals(Object o) {
 if (owner != null ? !owner.equals(that.owner) : that.owner != null) return false;
 if (userGroupPermissions != null ? !userGroupPermissions.equals(that.userGroupPermissions) : that.userGroupPermissions != null) return false;
- return iamRolePermissions != null ? iamRolePermissions.equals(that.iamRolePermissions) : that.iamRolePermissions == null;
+ return iamPrincipalPermissions != null ? iamPrincipalPermissions.equals(that.iamPrincipalPermissions) : that.iamPrincipalPermissions == null;
 }
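Review bot: Renaming the field and accessors from iamRolePermissions to iamPrincipalPermissions on SafeDepositBoxV2 changes the body of the v2 safe-deposit-box endpoints under an unchanged `/v2` path (API.md in this commit switches `iam_role_permissions` to `iam_principal_permissions`), and nothing here keeps the old property name as an alias. If the JSON mapper ignores unknown properties, which is not visible in this diff, a v2 client that still sends `iam_role_permissions` on an update would have the set read as empty and its IAM grants silently revoked instead of the request being rejected. Either accept the old property name during a deprecation window or call the rename out as a breaking change for v2 clients, and consider a validation error when both names are absent on an update.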
@@ -204,7 +204,7 @@ public int hashCode() {
 result = 31 * result + (lastUpdatedBy != null ? lastUpdatedBy.hashCode() : 0);
 result = 31 * result + (owner != null ? owner.hashCode() : 0);
 result = 31 * result + (userGroupPermissions != null ? userGroupPermissions.hashCode() : 0);
- result = 31 * result + (iamRolePermissions != null ? iamRolePermissions.hashCode() : 0);
+ result = 31 * result + (iamPrincipalPermissions != null ? iamPrincipalPermissions.hashCode() : 0);
 return result;
 }
 }
diff --git a/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV2.java b/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamPrincipal.java
similarity index 83%
rename from src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV2.java
rename to src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamPrincipal.java
index f71a671f7..3f3965848 100644
--- a/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV2.java
+++ b/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamPrincipal.java
@@ -18,7 +18,7 @@
 package com.nike.cerberus.endpoints.authentication;
 import com.nike.cerberus.domain.IamRoleAuthResponse;
-import com.nike.cerberus.domain.IamRoleCredentialsV2;
+import com.nike.cerberus.domain.IamPrincipalCredentials;
 import com.nike.cerberus.service.AuthenticationService;
 import com.nike.riposte.server.http.RequestInfo;
 import com.nike.riposte.server.http.ResponseInfo;
@@ -37,23 +37,23 @@
 * Authentication endpoint for IAM roles. If valid, a client token that is encrypted via KMS is returned. The
 * IAM role will be the only role capable of decrypting the client token via KMS.
 */
-public class AuthenticateIamRoleV2 extends StandardEndpoint {
+public class AuthenticateIamPrincipal extends StandardEndpoint {
 private final Logger log = LoggerFactory.getLogger(getClass());
 private final AuthenticationService authenticationService;
 @Inject
- public AuthenticateIamRoleV2(final AuthenticationService authenticationService) {
+ public AuthenticateIamPrincipal(final AuthenticationService authenticationService) {
 this.authenticationService = authenticationService;
 }
 @Override
- public CompletableFuture> execute(final RequestInfo request,
+ public CompletableFuture> execute(final RequestInfo request, final Executor longRunningTaskExecutor, final ChannelHandlerContext ctx) {
 return CompletableFuture.supplyAsync(() -> {
- IamRoleCredentialsV2 credentials = request.getContent();
+ IamPrincipalCredentials credentials = request.getContent();
 log.info("IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}", credentials.getIamPrincipalArn(), credentials.getRegion());
@@ -63,6 +63,6 @@ public CompletableFuture> execute(final Reques
 @Override
 public Matcher requestMatcher() {
- return Matcher.match("/v2/auth/iam-role", HttpMethod.POST);
+ return Matcher.match("/v2/auth/iam-principal", HttpMethod.POST);
 }
 }
diff --git a/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV1.java b/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRole.java
similarity index 87%
rename from src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV1.java
rename to src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRole.java
index 26c24125c..99aa83b3b 100644
--- a/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV1.java
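Review bot: The second hunk replaces the matcher for `/v2/auth/iam-role` with `/v2/auth/iam-principal` and leaves no matcher for the old path, so v2 clients built against the previous release will get a not-found response rather than a deprecation signal; if that is intended it should be stated in the release notes, otherwise keep a second matcher for the old path for one release. Independently, the class Javadoc at the top of the first hunk still describes an endpoint "for IAM roles" whose token only "the IAM role" can decrypt, while the class now authenticates an IamPrincipalCredentials ARN; suggested wording: `* Authentication endpoint for IAM principals identified by ARN. If valid, a client token encrypted via KMS is returned; only the principal named in the ARN is able to decrypt it.` The execute body continues outside the hunk.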
+++ b/src/main/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRole.java
@@ -17,7 +17,7 @@
 package com.nike.cerberus.endpoints.authentication;
 import com.nike.cerberus.domain.IamRoleAuthResponse;
-import com.nike.cerberus.domain.IamRoleCredentialsV1;
+import com.nike.cerberus.domain.IamRoleCredentials;
 import com.nike.cerberus.service.AuthenticationService;
 import com.nike.cerberus.util.AwsIamRoleArnParser;
 import com.nike.riposte.server.http.RequestInfo;
@@ -38,23 +38,23 @@
 * IAM role will be the only role capable of decrypting the client token via KMS.
 */
 @Deprecated
-public class AuthenticateIamRoleV1 extends StandardEndpoint {
+public class AuthenticateIamRole extends StandardEndpoint {
 private final Logger log = LoggerFactory.getLogger(getClass());
 private final AuthenticationService authenticationService;
 @Inject
- public AuthenticateIamRoleV1(final AuthenticationService authenticationService) {
+ public AuthenticateIamRole(final AuthenticationService authenticationService) {
 this.authenticationService = authenticationService;
 }
 @Override
- public CompletableFuture> execute(final RequestInfo request,
+ public CompletableFuture> execute(final RequestInfo request, final Executor longRunningTaskExecutor, final ChannelHandlerContext ctx) {
 return CompletableFuture.supplyAsync(() -> {
- IamRoleCredentialsV1 credentials = request.getContent();
+ IamRoleCredentials credentials = request.getContent();
 log.info("IAM Auth Event: the IAM principal {} in attempting to authenticate in region {}", String.format(AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_TEMPLATE, credentials.getAccountId(), credentials.getRoleName()), credentials.getRegion());
diff --git a/src/main/java/com/nike/cerberus/error/DefaultApiError.java b/src/main/java/com/nike/cerberus/error/DefaultApiError.java
index 65ebec88d..615a6fa2e 100644
--- a/src/main/java/com/nike/cerberus/error/DefaultApiError.java
+++ b/src/main/java/com/nike/cerberus/error/DefaultApiError.java
@@ -156,6 +156,11 @@ public enum DefaultApiError implements ApiError {
 */
 SDB_IAM_ROLE_PERMISSION_AWS_REGION_INVALID(99217, "Invalid AWS region specified for the IAM role.", HttpServletResponse.SC_BAD_REQUEST),
+ /**
+ * IAM Role permission on SDB specifies in invalid AWS region.
+ */
+ SDB_IAM_ROLE_PERMISSION_IAM_ROLE_INVALID(99226, "Invalid AWS IAM role specified for the SDB.", HttpServletResponse.SC_BAD_REQUEST),
+
 /**
 * User group permissions contain duplicate entries.
 */
@@ -202,6 +207,16 @@ public enum DefaultApiError implements ApiError {
 */
 SDB_IAM_PRINCIPAL_PERMISSION_ARN_INVALID(99226, "Invalid AWS IAM role specified for the SDB.", HttpServletResponse.SC_BAD_REQUEST),
+ /**
+ * IAM role permissions contain duplicate entries.
+ */
+ SDB_IAM_PRINCIPAL_REPEATED(99227, "The IAM principal permissions contains duplicate entries.", HttpServletResponse.SC_BAD_REQUEST),
+
+ /**
+ * IAM Role account id is blank
+ */
+ AUTH_IAM_PRINCIPAL_AWS_REGION_BLANK(99228, "AWS region is malformed.", HttpServletResponse.SC_BAD_REQUEST),
+
 /**
 * Generic not found error.
 */
diff --git a/src/main/java/com/nike/cerberus/mapper/AwsIamRoleMapper.java b/src/main/java/com/nike/cerberus/mapper/AwsIamRoleMapper.java
index fd16ea9e1..d6aedddeb 100644
--- a/src/main/java/com/nike/cerberus/mapper/AwsIamRoleMapper.java
+++ b/src/main/java/com/nike/cerberus/mapper/AwsIamRoleMapper.java
@@ -44,7 +44,7 @@ AwsIamRoleKmsKeyRecord getKmsKey(@Param("awsIamRoleId") String awsIamRoleId,
 int updateIamRolePermission(@Param("record") AwsIamRolePermissionRecord record);
 int deleteIamRolePermission(@Param("safeDepositBoxId") String safeDepositBoxId,
- @Param("awsIamRoleId") String awsIamRoleId);
+ @Param("awsIamRoleId") String awsIamRoleId);
 List getIamRolePermissions(@Param("safeDepositBoxId") String safeDepositBoxId);
diff --git a/src/main/java/com/nike/cerberus/record/AwsIamRoleRecord.java b/src/main/java/com/nike/cerberus/record/AwsIamRoleRecord.java
index 2f7700d1e..c8596fe5b 100644
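Review bot: The new constant `SDB_IAM_ROLE_PERMISSION_IAM_ROLE_INVALID` is added with error code 99226, but the existing `SDB_IAM_PRINCIPAL_PERMISSION_ARN_INVALID` shown as context in the second hunk already uses 99226 with the identical message, so API clients can no longer distinguish the two errors by code; give the new constant a code no other constant uses, or reuse the existing constant instead of adding a duplicate. The Javadoc of the added entries also does not describe what they document: the first says "specifies in invalid AWS region" for an invalid IAM role, `SDB_IAM_PRINCIPAL_REPEATED` says "IAM role permissions", and `AUTH_IAM_PRINCIPAL_AWS_REGION_BLANK` is documented as "IAM Role account id is blank" with the message "AWS region is malformed." even though IamPrincipalCredentials attaches it to a `@NotBlank` constraint. Suggested replacements: `/** IAM principal permission on an SDB specifies an invalid IAM role. */`, `/** IAM principal permissions contain duplicate entries. */`, and `/** AWS region is blank. */` with the message `"AWS region is blank."`.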
--- a/src/main/java/com/nike/cerberus/record/AwsIamRoleRecord.java
+++ b/src/main/java/com/nike/cerberus/record/AwsIamRoleRecord.java
@@ -26,12 +26,6 @@ public class AwsIamRoleRecord {
 private String id;
- // TODO: remove
- private String awsAccountId;
-
- // TODO: remove
- private String awsIamRoleName;
-
 private String createdBy;
 private String lastUpdatedBy;
@@ -51,24 +45,6 @@ public AwsIamRoleRecord setId(String id) {
 return this;
 }
- public String getAwsAccountId() {
- return awsAccountId;
- }
-
- public AwsIamRoleRecord setAwsAccountId(String awsAccountId) {
- this.awsAccountId = awsAccountId;
- return this;
- }
-
- public String getAwsIamRoleName() {
- return awsIamRoleName;
- }
-
- public AwsIamRoleRecord setAwsIamRoleName(String awsIamRoleName) {
- this.awsIamRoleName = awsIamRoleName;
- return this;
- }
-
 public String getCreatedBy() {
 return createdBy;
 }
@@ -120,16 +96,15 @@ public boolean equals(Object o) {
 if (o == null || getClass() != o.getClass()) return false;
 AwsIamRoleRecord that = (AwsIamRoleRecord) o;
 return Objects.equals(id, that.id) &&
- Objects.equals(awsAccountId, that.awsAccountId) &&
- Objects.equals(awsIamRoleName, that.awsIamRoleName) &&
 Objects.equals(createdBy, that.createdBy) &&
 Objects.equals(lastUpdatedBy, that.lastUpdatedBy) &&
 Objects.equals(createdTs, that.createdTs) &&
- Objects.equals(lastUpdatedTs, that.lastUpdatedTs);
+ Objects.equals(lastUpdatedTs, that.lastUpdatedTs) &&
+ Objects.equals(awsIamRoleArn, that.awsIamRoleArn);
 }
 @Override
 public int hashCode() {
- return Objects.hash(id, awsAccountId, awsIamRoleName, createdBy, lastUpdatedBy, createdTs, lastUpdatedTs);
+ return Objects.hash(id, createdBy, lastUpdatedBy, createdTs, lastUpdatedTs);
 }
 }
diff --git a/src/main/java/com/nike/cerberus/server/config/guice/CmsGuiceModule.java b/src/main/java/com/nike/cerberus/server/config/guice/CmsGuiceModule.java
index 88f1f8a71..08ad8a3e3 100644
--- a/src/main/java/com/nike/cerberus/server/config/guice/CmsGuiceModule.java
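Review bot: In the last hunk `hashCode()` drops awsAccountId and awsIamRoleName but does not add awsIamRoleArn, while `equals()` a few lines above now compares awsIamRoleArn; the equals/hashCode contract still holds, but two records that differ only in the ARN, which is now the field that identifies the role, always collide on hash. Keep both methods over the same field set: `return Objects.hash(id, createdBy, lastUpdatedBy, createdTs, lastUpdatedTs, awsIamRoleArn);`.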
+++ b/src/main/java/com/nike/cerberus/server/config/guice/CmsGuiceModule.java
@@ -24,8 +24,8 @@
 import com.nike.cerberus.endpoints.HealthCheckEndpoint;
 import com.nike.cerberus.endpoints.admin.GetSDBMetadata;
 import com.nike.cerberus.endpoints.admin.PutSDBMetadata;
-import com.nike.cerberus.endpoints.authentication.AuthenticateIamRoleV1;
-import com.nike.cerberus.endpoints.authentication.AuthenticateIamRoleV2;
+import com.nike.cerberus.endpoints.authentication.AuthenticateIamRole;
+import com.nike.cerberus.endpoints.authentication.AuthenticateIamPrincipal;
 import com.nike.cerberus.endpoints.authentication.AuthenticateUser;
 import com.nike.cerberus.endpoints.authentication.MfaCheck;
 import com.nike.cerberus.endpoints.authentication.RefreshUserToken;
@@ -169,8 +169,8 @@ public Set> appEndpoints(
 AuthenticateUser authenticateUser, MfaCheck mfaCheck, RefreshUserToken refreshUserToken,
- AuthenticateIamRoleV1 authenticateIamRole,
- AuthenticateIamRoleV2 authenticateIamRoleV2,
+ AuthenticateIamRole authenticateIamRole,
+ AuthenticateIamPrincipal authenticateIamPrincipal,
 RevokeToken revokeToken, GetAllRoles getAllRoles, GetRole getRole,
@@ -189,7 +189,7 @@ public Set> appEndpoints(
 healthCheckEndpoint, // Cerberus endpoints getAllCategories, getCategory, createCategory, deleteCategory,
- authenticateUser, authenticateIamRoleV2, mfaCheck, refreshUserToken, authenticateIamRole, revokeToken,
+ authenticateUser, authenticateIamPrincipal, mfaCheck, refreshUserToken, authenticateIamRole, revokeToken,
 getAllRoles, getRole, getSafeDepositBoxes, getSafeDepositBoxV1, getSafeDepositBoxV2, deleteSafeDepositBox, updateSafeDepositBoxV1, updateSafeDepositBoxV2, createSafeDepositBoxV1, createSafeDepositBoxV2,
@@ -286,8 +286,8 @@ public List> authProtectedEndpoints(@Named("appEndpoints") Set !(i instanceof HealthCheckEndpoint || i instanceof AuthenticateUser || i instanceof MfaCheck
- || i instanceof AuthenticateIamRoleV1
- || i instanceof AuthenticateIamRoleV2)).collect(Collectors.toList());
+ || i instanceof AuthenticateIamRole
+ || i instanceof AuthenticateIamPrincipal)).collect(Collectors.toList());
 }
 @Provides
diff --git a/src/main/java/com/nike/cerberus/service/AuthenticationService.java b/src/main/java/com/nike/cerberus/service/AuthenticationService.java
index 02b099706..59196b17b 100644
--- a/src/main/java/com/nike/cerberus/service/AuthenticationService.java
+++ b/src/main/java/com/nike/cerberus/service/AuthenticationService.java
@@ -39,8 +39,8 @@
 import com.nike.cerberus.dao.AwsIamRoleDao;
 import com.nike.cerberus.dao.SafeDepositBoxDao;
 import com.nike.cerberus.domain.IamRoleAuthResponse;
-import com.nike.cerberus.domain.IamRoleCredentialsV1;
-import com.nike.cerberus.domain.IamRoleCredentialsV2;
+import com.nike.cerberus.domain.IamRoleCredentials;
+import com.nike.cerberus.domain.IamPrincipalCredentials;
 import com.nike.cerberus.domain.MfaCheckRequest;
 import com.nike.cerberus.domain.UserCredentials;
 import com.nike.cerberus.error.DefaultApiError;
@@ -177,24 +177,24 @@ public AuthResponse mfaCheck(final MfaCheckRequest mfaCheckRequest) {
 * @param credentials IAM role credentials
 * @return Encrypted auth response
 */
- public IamRoleAuthResponse authenticate(IamRoleCredentialsV1 credentials) {
+ public IamRoleAuthResponse authenticate(IamRoleCredentials credentials) {
 final String iamPrincipalArn = String.format(AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_TEMPLATE, credentials.getAccountId(), credentials.getRoleName());
 final String region = credentials.getRegion();
- final IamRoleCredentialsV2 iamRoleCredentialsV2 = new IamRoleCredentialsV2();
- iamRoleCredentialsV2.setIamPrincipalArn(iamPrincipalArn);
- iamRoleCredentialsV2.setRegion(region);
+ final IamPrincipalCredentials iamPrincipalCredentials = new IamPrincipalCredentials();
+ iamPrincipalCredentials.setIamPrincipalArn(iamPrincipalArn);
+ iamPrincipalCredentials.setRegion(region);
 final Map vaultAuthPrincipalMetadata = generateCommonVaultPrincipalAuthMetadata(iamPrincipalArn, region);
 vaultAuthPrincipalMetadata.put(VaultAuthPrincipal.METADATA_KEY_AWS_ACCOUNT_ID,awsIamRoleArnParser.getAccountId(iamPrincipalArn));
 vaultAuthPrincipalMetadata.put(VaultAuthPrincipal.METADATA_KEY_AWS_IAM_ROLE_NAME, awsIamRoleArnParser.getRoleName(iamPrincipalArn));
- return authenticate(iamRoleCredentialsV2, vaultAuthPrincipalMetadata);
+ return authenticate(iamPrincipalCredentials, vaultAuthPrincipalMetadata);
 }
- public IamRoleAuthResponse authenticate(IamRoleCredentialsV2 credentials) {
+ public IamRoleAuthResponse authenticate(IamPrincipalCredentials credentials) {
 final String iamPrincipalArn = credentials.getIamPrincipalArn();
 final Map vaultAuthPrincipalMetadata = generateCommonVaultPrincipalAuthMetadata(iamPrincipalArn, credentials.getRegion());
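Review bot: The public `authenticate(IamPrincipalCredentials credentials)` overload at the bottom of the hunk has no Javadoc, while the deprecated `authenticate(IamRoleCredentials)` directly above keeps a full one, so the entry point new callers are expected to use is the undocumented one. Suggested: `/** Authenticates an IAM principal by ARN and returns the KMS-encrypted auth response. @param credentials IAM principal ARN and AWS region @return Encrypted auth response */`. The same applies to the public two-argument overload `authenticate(IamPrincipalCredentials, Map)` in the next hunk, whose Javadoc should say which metadata keys the caller is expected to supply; both method bodies continue outside their hunks.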
@@ -203,7 +203,7 @@ public IamRoleAuthResponse authenticate(IamRoleCredentialsV2 credentials) {
 return authenticate(credentials, vaultAuthPrincipalMetadata);
 }
- public IamRoleAuthResponse authenticate(IamRoleCredentialsV2 credentials, Map vaultAuthPrincipalMetadata) {
+ public IamRoleAuthResponse authenticate(IamPrincipalCredentials credentials, Map vaultAuthPrincipalMetadata) {
 final String keyId;
 try {
 keyId = getKeyId(credentials);
@@ -360,7 +360,7 @@ private Set buildPolicySet(final String iamRoleArn) {
 * @param credentials IAM role credentials
 * @return KMS Key id
 */
- private String getKeyId(IamRoleCredentialsV2 credentials) {
+ private String getKeyId(IamPrincipalCredentials credentials) {
 final Optional iamRole = awsIamRoleDao.getIamRole(credentials.getIamPrincipalArn());
 if (!iamRole.isPresent()) {
diff --git a/src/main/java/com/nike/cerberus/service/IamRolePermissionService.java b/src/main/java/com/nike/cerberus/service/IamPrincipalPermissionService.java
similarity index 60%
rename from src/main/java/com/nike/cerberus/service/IamRolePermissionService.java
rename to src/main/java/com/nike/cerberus/service/IamPrincipalPermissionService.java
index d4a4a7858..d5bb612ec 100644
--- a/src/main/java/com/nike/cerberus/service/IamRolePermissionService.java
+++ b/src/main/java/com/nike/cerberus/service/IamPrincipalPermissionService.java
@@ -19,12 +19,11 @@
 import com.google.common.collect.Sets;
 import com.nike.backstopper.exception.ApiException;
 import com.nike.cerberus.dao.AwsIamRoleDao;
-import com.nike.cerberus.domain.IamRolePermissionV2;
+import com.nike.cerberus.domain.IamPrincipalPermission;
 import com.nike.cerberus.domain.Role;
 import com.nike.cerberus.error.DefaultApiError;
 import com.nike.cerberus.record.AwsIamRolePermissionRecord;
 import com.nike.cerberus.record.AwsIamRoleRecord;
-import com.nike.cerberus.util.AwsIamRoleArnParser;
 import com.nike.cerberus.util.UuidSupplier;
 import org.mybatis.guice.transactional.Transactional;
@@ -39,7 +38,7 @@
 * Provides operations for granting, updating and revoking IAM role permissions.
 */
 @Singleton
-public class IamRolePermissionService {
+public class IamPrincipalPermissionService {
 private final UuidSupplier uuidSupplier;
@@ -47,34 +46,30 @@ public class IamRolePermissionService {
 private final AwsIamRoleDao awsIamRoleDao;
- private final AwsIamRoleArnParser awsIamRoleArnParser;
-
 @Inject
- public IamRolePermissionService(final UuidSupplier uuidSupplier,
- final RoleService roleService,
- final AwsIamRoleDao awsIamRoleDao,
- final AwsIamRoleArnParser awsIamRoleArnParser) {
+ public IamPrincipalPermissionService(final UuidSupplier uuidSupplier,
+ final RoleService roleService,
+ final AwsIamRoleDao awsIamRoleDao) {
 this.uuidSupplier = uuidSupplier;
 this.roleService = roleService;
 this.awsIamRoleDao = awsIamRoleDao;
- this.awsIamRoleArnParser = awsIamRoleArnParser;
 }
 /**
 * Grants a set of IAM role permissions.
 *
 * @param safeDepositBoxId The safe deposit box id
- * @param iamRolePermissionSet The set of IAM role permissions
+ * @param iamPrincipalPermissionSet The set of IAM principal permissions
 * @param user The user making the changes
 * @param dateTime The time of the changes
 */
 @Transactional
- public void grantIamRolePermissions(final String safeDepositBoxId,
- final Set iamRolePermissionSet,
- final String user,
- final OffsetDateTime dateTime) {
- for (IamRolePermissionV2 iamRolePermission : iamRolePermissionSet) {
- grantIamRolePermission(safeDepositBoxId, iamRolePermission, user, dateTime);
+ public void grantIamPrincipalPermissions(final String safeDepositBoxId,
+ final Set iamPrincipalPermissionSet,
+ final String user,
+ final OffsetDateTime dateTime) {
+ for (IamPrincipalPermission iamRolePermission : iamPrincipalPermissionSet) {
+ grantIamPrincipalPermission(safeDepositBoxId, iamRolePermission, user, dateTime);
 }
 }
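Review bot: The renamed `grantIamPrincipalPermissions` still declares its loop variable as `iamRolePermission` (`for (IamPrincipalPermission iamRolePermission : iamPrincipalPermissionSet)`), and `updateIamPrincipalPermissions` in the last hunk of this file does the same; renaming it to `iamPrincipalPermission` in both keeps the class's vocabulary consistent after the rename. The class Javadoc ("granting, updating and revoking IAM role permissions") and the method summaries ("Grants a set of IAM role permissions.", "Updates a set of IAM role permissions.") were likewise left on the old term while only their `@param` lines were updated; "IAM principal permissions" would match the new API. Consider adding a sentence to the class Javadoc noting that grants are keyed by principal ARN rather than by account id and role name, since that is the user-visible change of this rename.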
@@ -82,19 +77,19 @@ public void grantIamRolePermissions(final String safeDepositBoxId, * Grants a IAM role permission. * * @param safeDepositBoxId The safe deposit box id - * @param iamRolePermission The IAM role permission + * @param iamPrincipalPermission The IAM principal permission * @param user The user making the changes * @param dateTime The time of the changes */ @Transactional - public void grantIamRolePermission(final String safeDepositBoxId, - final IamRolePermissionV2 iamRolePermission, - final String user, - final OffsetDateTime dateTime) { + public void grantIamPrincipalPermission(final String safeDepositBoxId, + final IamPrincipalPermission iamPrincipalPermission, + final String user, + final OffsetDateTime dateTime) { final Optional possibleIamRoleRecord = - awsIamRoleDao.getIamRole(iamRolePermission.getIamPrincipalArn()); + awsIamRoleDao.getIamRole(iamPrincipalPermission.getIamPrincipalArn()); - final Optional role = roleService.getRoleById(iamRolePermission.getRoleId()); + final Optional role = roleService.getRoleById(iamPrincipalPermission.getRoleId()); if (!role.isPresent()) { throw ApiException.newBuilder() @@ -109,7 +104,7 @@ public void grantIamRolePermission(final String safeDepositBoxId, iamRoleId = uuidSupplier.get(); AwsIamRoleRecord awsIamRoleRecord = new AwsIamRoleRecord(); awsIamRoleRecord.setId(iamRoleId); - awsIamRoleRecord.setAwsIamRoleArn(iamRolePermission.getIamPrincipalArn()); + awsIamRoleRecord.setAwsIamRoleArn(iamPrincipalPermission.getIamPrincipalArn()); awsIamRoleRecord.setCreatedBy(user); awsIamRoleRecord.setLastUpdatedBy(user); awsIamRoleRecord.setCreatedTs(dateTime); 
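Review bot: The get-then-insert of the `AwsIamRoleRecord` in `grantIamPrincipalPermission` is not atomic, and with the unique index on `AWS_IAM_ROLE_ARN` added by this commit's migration a concurrent grant for the same ARN will now surface as a constraint violation rather than a duplicate row; unless the `@Transactional` isolation level serialises it, the insert path should catch the duplicate-key failure and re-read the record, or the error should be mapped to a client-facing conflict. Separately, the ARN is stored exactly as received here, while `IamPrincipalPermissionsValidator` detects duplicates on the lower-cased ARN, so two grants differing only in case are distinct to this method and duplicates to the validator; canonicalising in one place would keep the two consistent. The body of `grantIamPrincipalPermission` continues past this hunk.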
@@ -120,7 +115,7 @@ public void grantIamRolePermission(final String safeDepositBoxId, AwsIamRolePermissionRecord permissionRecord = new AwsIamRolePermissionRecord(); permissionRecord.setId(uuidSupplier.get()); permissionRecord.setAwsIamRoleId(iamRoleId); - permissionRecord.setRoleId(iamRolePermission.getRoleId()); + permissionRecord.setRoleId(iamPrincipalPermission.getRoleId()); permissionRecord.setSdboxId(safeDepositBoxId); permissionRecord.setCreatedBy(user); permissionRecord.setLastUpdatedBy(user); @@ -133,17 +128,17 @@ public void grantIamRolePermission(final String safeDepositBoxId, * Updates a set of IAM role permissions. * * @param safeDepositBoxId The safe deposit box id - * @param iamRolePermissionSet The set of IAM role permissions + * @param iamPrincipalPermissionSet The set of IAM principal permissions * @param user The user making the changes * @param dateTime The time of the changes */ @Transactional - public void updateIamRolePermissions(final String safeDepositBoxId, - final Set iamRolePermissionSet, - final String user, - final OffsetDateTime dateTime) { - for (IamRolePermissionV2 iamRolePermission : iamRolePermissionSet) { - updateIamRolePermission(safeDepositBoxId, iamRolePermission, user, dateTime); + public void updateIamPrincipalPermissions(final String safeDepositBoxId, + final Set iamPrincipalPermissionSet, + final String user, + final OffsetDateTime dateTime) { + for (IamPrincipalPermission iamRolePermission : iamPrincipalPermissionSet) { + updateIamPrincipalPermission(safeDepositBoxId, iamRolePermission, user, dateTime); } } 
@@ -151,17 +146,17 @@ public void updateIamRolePermissions(final String safeDepositBoxId, * Updates a IAM role permission. * * @param safeDepositBoxId The safe deposit box id - * @param iamRolePermission The IAM role permission + * @param iamPrincipalPermission The IAM principal permission * @param user The user making the changes * @param dateTime The time of the changes */ @Transactional - public void updateIamRolePermission(final String safeDepositBoxId, - final IamRolePermissionV2 iamRolePermission, - final String user, - final OffsetDateTime dateTime) { + public void updateIamPrincipalPermission(final String safeDepositBoxId, + final IamPrincipalPermission iamPrincipalPermission, + final String user, + final OffsetDateTime dateTime) { final Optional iamRole = - awsIamRoleDao.getIamRole(iamRolePermission.getIamPrincipalArn()); + awsIamRoleDao.getIamRole(iamPrincipalPermission.getIamPrincipalArn()); if (!iamRole.isPresent()) { throw ApiException.newBuilder() @@ -173,7 +168,7 @@ public void updateIamRolePermission(final String safeDepositBoxId, AwsIamRolePermissionRecord record = new AwsIamRolePermissionRecord(); record.setSdboxId(safeDepositBoxId); record.setAwsIamRoleId(iamRole.get().getId()); - record.setRoleId(iamRolePermission.getRoleId()); + record.setRoleId(iamPrincipalPermission.getRoleId()); record.setLastUpdatedBy(user); record.setLastUpdatedTs(dateTime); awsIamRoleDao.updateIamRolePermission(record); 
@@ -183,17 +178,17 @@ public void updateIamRolePermission(final String safeDepositBoxId,
 * Revokes a set of IAM role permissions.
 *
 * @param safeDepositBoxId The safe deposit box id
- * @param iamRolePermissionSet The set of IAM role permissions
+ * @param iamPrincipalPermissionSet The set of IAM principal permissions
 * @param user The user making the changes
 * @param dateTime The time of the changes
 */
 @Transactional
- public void revokeIamRolePermissions(final String safeDepositBoxId,
- final Set iamRolePermissionSet,
- final String user,
- final OffsetDateTime dateTime) {
- for (IamRolePermissionV2 iamRolePermission : iamRolePermissionSet) {
- revokeIamRolePermission(safeDepositBoxId, iamRolePermission, user, dateTime);
+ public void revokeIamPrincipalPermissions(final String safeDepositBoxId,
+ final Set iamPrincipalPermissionSet,
+ final String user,
+ final OffsetDateTime dateTime) {
+ for (IamPrincipalPermission iamRolePermission : iamPrincipalPermissionSet) {
+ revokeIamPrincipalPermission(safeDepositBoxId, iamRolePermission, user, dateTime);
 }
 }
@@ -201,17 +196,17 @@ public void revokeIamRolePermissions(final String safeDepositBoxId, * Revokes a IAM role permission. * * @param safeDepositBoxId The safe deposit box id - * @param iamRolePermission The IAM role permission + * @param iamPrincipalPermission The IAM principal permission * @param user The user making the changes * @param dateTime The time of the changes */ @Transactional - public void revokeIamRolePermission(final String safeDepositBoxId, - final IamRolePermissionV2 iamRolePermission, - final String user, - final OffsetDateTime dateTime) { + public void revokeIamPrincipalPermission(final String safeDepositBoxId, + final IamPrincipalPermission iamPrincipalPermission, + final String user, + final OffsetDateTime dateTime) { final Optional iamRole = - awsIamRoleDao.getIamRole(iamRolePermission.getIamPrincipalArn()); + awsIamRoleDao.getIamRole(iamPrincipalPermission.getIamPrincipalArn()); if (!iamRole.isPresent()) { throw ApiException.newBuilder() @@ -223,15 +218,15 @@ public void revokeIamRolePermission(final String safeDepositBoxId, awsIamRoleDao.deleteIamRolePermission(safeDepositBoxId, iamRole.get().getId()); } - public Set getIamRolePermissions(final String safeDepositBoxId) { - final Set iamRolePermissionSet = Sets.newHashSet(); + public Set getIamPrincipalPermissions(final String safeDepositBoxId) { + final Set iamPrincipalPermissionSet = Sets.newHashSet(); final List permissionRecords = awsIamRoleDao.getIamRolePermissions(safeDepositBoxId); permissionRecords.forEach(r -> { final Optional iamRoleRecord = awsIamRoleDao.getIamRoleById(r.getAwsIamRoleId()); if (iamRoleRecord.isPresent()) { - final IamRolePermissionV2 permission = new IamRolePermissionV2(); + final IamPrincipalPermission permission = new IamPrincipalPermission(); permission.setId(r.getId()); permission.setIamPrincipalArn(iamRoleRecord.get().getAwsIamRoleArn()); permission.setRoleId(r.getRoleId()); 
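Review bot: `getIamPrincipalPermissions` silently drops any permission record whose `getIamRoleById` lookup comes back empty (`if (iamRoleRecord.isPresent())`), so a grant with a dangling principal reference disappears from the listing and, because `modifyIamPrincipalPermissions` diffs against this listing, can never be revoked through the API. At minimum log the orphan at warn level, e.g. `logger.warn("Permission {} references missing IAM principal record {}", r.getId(), r.getAwsIamRoleId())` (adding a logger field if the class has none); treating it as data corruption rather than an empty result would be safer still. The per-record `getIamRoleById` call is also an N+1 pattern that a join in the DAO would remove. The method continues into the next hunk.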
@@ -239,15 +234,15 @@ public Set getIamRolePermissions(final String safeDepositBo permission.setLastUpdatedBy(r.getLastUpdatedBy()); permission.setCreatedTs(r.getCreatedTs()); permission.setLastUpdatedTs(r.getLastUpdatedTs()); - iamRolePermissionSet.add(permission); + iamPrincipalPermissionSet.add(permission); } }); - return iamRolePermissionSet; + return iamPrincipalPermissionSet; } @Transactional - public void deleteIamRolePermissions(final String safeDepositBoxId) { + public void deleteIamPrincipalPermissions(final String safeDepositBoxId) { awsIamRoleDao.deleteIamRolePermissions(safeDepositBoxId); } } diff --git a/src/main/java/com/nike/cerberus/service/KmsService.java b/src/main/java/com/nike/cerberus/service/KmsService.java index 175c23b6b..041befe51 100644 --- a/src/main/java/com/nike/cerberus/service/KmsService.java +++ b/src/main/java/com/nike/cerberus/service/KmsService.java @@ -73,7 +73,7 @@ public KmsService(final AwsIamRoleDao awsIamRoleDao, * Provisions a new KMS CMK in the specified region to be used by the specified role. * * @param iamRoleId The IAM role that this CMK will be associated with - * @param iamRoleArn The AWS IAM role ARN + * @param iamPrincipalArn The AWS IAM principal ARN * @param awsRegion The region to provision the key in * @param user The user requesting it * @param dateTime The date of creation 
@@ -81,29 +81,29 @@ public KmsService(final AwsIamRoleDao awsIamRoleDao, */ @Transactional public String provisionKmsKey(final String iamRoleId, - final String iamRoleArn, + final String iamPrincipalArn, final String awsRegion, final String user, final OffsetDateTime dateTime) { final AWSKMSClient kmsClient = kmsClientFactory.getClient(awsRegion); - final String awsIamRoleKmsKeyId = uuidSupplier.get(); + final String awsIamPrincipalKmsKeyId = uuidSupplier.get(); final CreateKeyRequest request = new CreateKeyRequest(); request.setKeyUsage(KeyUsageType.ENCRYPT_DECRYPT); request.setDescription("Key used by Cerberus for IAM role authentication."); - request.setPolicy(kmsPolicyService.generateStandardKmsPolicy(iamRoleArn)); + request.setPolicy(kmsPolicyService.generateStandardKmsPolicy(iamPrincipalArn)); final CreateKeyResult result = kmsClient.createKey(request); final CreateAliasRequest aliasRequest = new CreateAliasRequest(); - aliasRequest.setAliasName(getAliasName(awsIamRoleKmsKeyId)); + aliasRequest.setAliasName(getAliasName(awsIamPrincipalKmsKeyId)); KeyMetadata keyMetadata = result.getKeyMetadata(); String arn = keyMetadata.getArn(); aliasRequest.setTargetKeyId(arn); kmsClient.createAlias(aliasRequest); final AwsIamRoleKmsKeyRecord awsIamRoleKmsKeyRecord = new AwsIamRoleKmsKeyRecord(); - awsIamRoleKmsKeyRecord.setId(awsIamRoleKmsKeyId); + awsIamRoleKmsKeyRecord.setId(awsIamPrincipalKmsKeyId); awsIamRoleKmsKeyRecord.setAwsIamRoleId(iamRoleId); awsIamRoleKmsKeyRecord.setAwsKmsKeyId(result.getKeyMetadata().getArn()); awsIamRoleKmsKeyRecord.setAwsRegion(awsRegion); 
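Review bot: `request.setDescription("Key used by Cerberus for IAM role authentication.")` is the one string in `provisionKmsKey` that did not follow the rename; since the description is what operators see in the KMS console, it should say `IAM principal authentication`. More substantively, the key policy is now generated for whatever `iamPrincipalArn` is passed in, and the test file in this commit shows `IamPrincipalPermission` accepting `sts` federated-user and assumed-role ARNs; if `generateStandardKmsPolicy` was written with `iam` role ARNs in mind, confirm it emits a valid policy principal for those forms and that binding a CMK to a session-scoped principal is intended. The method continues past the hunk.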
@@ -135,10 +135,10 @@ protected String getAliasName(String awsIamRoleKmsKeyId) { * or recreate the policy. * * @param keyId - The CMK Id to validate the policies on. - * @param iamRoleArn - The Role ARN that should have decrypt permission + * @param iamPrincipalArn - The principal ARN that should have decrypt permission * @param kmsCMKRegion - The region that the key was provisioned for */ - public void validatePolicy(String keyId, String iamRoleArn, String kmsCMKRegion) { + public void validatePolicy(String keyId, String iamPrincipalArn, String kmsCMKRegion) { AWSKMSClient kmsClient = kmsClientFactory.getClient(kmsCMKRegion); GetKeyPolicyResult policyResult = null; try { @@ -149,14 +149,14 @@ public void validatePolicy(String keyId, String iamRoleArn, String kmsCMKRegion) .withExceptionCause(e) .withExceptionMessage( String.format("Failed to validate KMS key policy for keyId: " + - "%s for IAM role: %s in region: %s", keyId, iamRoleArn, kmsCMKRegion)) + "%s for IAM principal: %s in region: %s", keyId, iamPrincipalArn, kmsCMKRegion)) .build(); } - if (!kmsPolicyService.isPolicyValid(policyResult.getPolicy(), iamRoleArn)) { - logger.info("The KMS key: {} generated for IAM Role: {} contained an invalid policy, regenerating", - keyId, iamRoleArn); - String updatedPolicy = kmsPolicyService.generateStandardKmsPolicy(iamRoleArn); + if (!kmsPolicyService.isPolicyValid(policyResult.getPolicy(), iamPrincipalArn)) { + logger.info("The KMS key: {} generated for IAM principal: {} contained an invalid policy, regenerating", + keyId, iamPrincipalArn); + String updatedPolicy = kmsPolicyService.generateStandardKmsPolicy(iamPrincipalArn); kmsClient.putKeyPolicy(new PutKeyPolicyRequest() .withKeyId(keyId) .withPolicyName("default") diff --git a/src/main/java/com/nike/cerberus/service/MetadataService.java b/src/main/java/com/nike/cerberus/service/MetadataService.java index 863f1fab3..16bda2e24 100644 --- a/src/main/java/com/nike/cerberus/service/MetadataService.java 
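Review bot: A key whose policy no longer grants the expected principal decrypt is a security-relevant drift event, yet `validatePolicy` records it with `logger.info(...)` before overwriting the policy; `logger.warn` (or a dedicated audit log line) would make it visible to whoever monitors the service. The regeneration also replaces the whole policy with `generateStandardKmsPolicy(iamPrincipalArn)`, so any statement added out of band is discarded without a trace; consider logging the rejected policy document before `putKeyPolicy` so the change can be reviewed afterwards. The method's remaining lines are outside the hunk.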
+++ b/src/main/java/com/nike/cerberus/service/MetadataService.java @@ -17,7 +17,7 @@ package com.nike.cerberus.service; import com.nike.backstopper.exception.ApiException; -import com.nike.cerberus.domain.IamRolePermissionV2; +import com.nike.cerberus.domain.IamPrincipalPermission; import com.nike.cerberus.domain.Role; import com.nike.cerberus.domain.SDBMetadata; import com.nike.cerberus.domain.SDBMetadataResult; @@ -79,7 +79,7 @@ public void restoreMetadata(SDBMetadata sdbMetadata, String adminUser) { String id = getSdbId(sdbMetadata); String categoryId = getCategoryId(sdbMetadata); Set userGroupPermissionSet = getUserGroupPermissionSet(sdbMetadata); - Set iamRolePermissionSet = getIamRolePermissionSet(sdbMetadata); + Set iamPrincipalPermissionSet = getIamPrincipalPermissionSet(sdbMetadata); SafeDepositBoxV2 sdb = new SafeDepositBoxV2(); sdb.setId(id); @@ -93,7 +93,7 @@ public void restoreMetadata(SDBMetadata sdbMetadata, String adminUser) { sdb.setCreatedBy(sdbMetadata.getCreatedBy()); sdb.setLastUpdatedBy(sdbMetadata.getLastUpdatedBy()); sdb.setUserGroupPermissions(userGroupPermissionSet); - sdb.setIamRolePermissions(iamRolePermissionSet); + sdb.setIamPrincipalPermissions(iamPrincipalPermissionSet); safeDepositBoxService.restoreSafeDepositBox(sdb, adminUser); } 
@@ -101,18 +101,18 @@ public void restoreMetadata(SDBMetadata sdbMetadata, String adminUser) { /** * Retrieves the IAM Role Permission Set for SDB Metadata Object. * @param sdbMetadata the sdb metadata - * @return IAM Role Permission Set + * @return IAM Principal Permission Set */ - private Set getIamRolePermissionSet(SDBMetadata sdbMetadata) { - Set iamRolePermissionSet = new HashSet<>(); - sdbMetadata.getIamRolePermissions().forEach((iamRoleArn, roleName) -> { + private Set getIamPrincipalPermissionSet(SDBMetadata sdbMetadata) { + Set iamPrincipalPermissionSet = new HashSet<>(); + sdbMetadata.getIamRolePermissions().forEach((iamPrincipalArn, roleName) -> { - iamRolePermissionSet.add(new IamRolePermissionV2() - .withIamPrincipalArn(iamRoleArn) + iamPrincipalPermissionSet.add(new IamPrincipalPermission() + .withIamPrincipalArn(iamPrincipalArn) .withRoleId(getRoleIdFromName(roleName)) ); }); - return iamRolePermissionSet; + return iamPrincipalPermissionSet; } /** @@ -219,7 +219,7 @@ protected List getSDBMetadataList(int limit, int offset) { data.setLastUpdatedTs(sdb.getLastUpdatedTs()); data.setOwner(sdb.getOwner()); data.setUserGroupPermissions(getUserGroupPermissionsMap(roleIdToStringMap, sdb.getUserGroupPermissions())); - data.setIamRolePermissions(getIamRolePermissionMap(roleIdToStringMap, sdb.getIamRolePermissions())); + data.setIamRolePermissions(getIamPrincipalPermissionMap(roleIdToStringMap, sdb.getIamPrincipalPermissions())); sdbs.add(data); }); 
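Review bot: `SDBMetadata` keeps its `getIamRolePermissions`/`setIamRolePermissions` accessors while everything else in this commit moves to "principal", so the metadata export/import format still carries the old naming; if that is a deliberate wire-compatibility choice for moving metadata between Cerberus environments, say so in the Javadoc of `getIamPrincipalPermissionSet`, e.g. `SDBMetadata intentionally retains the iamRolePermissions name so exports stay readable across environments.` Otherwise it reads as a missed rename. The summary `Retrieves the IAM Role Permission Set for SDB Metadata Object.` was also left behind and should say `IAM principal permission set`.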
@@ -242,16 +242,16 @@ protected Map getUserGroupPermissionsMap(Map rol /** * Retrieves a simplified iam permission map that is only strings so it can be transported across Cerberus environments */ - protected Map getIamRolePermissionMap(Map roleIdToStringMap, - Set iamPerms) { + protected Map getIamPrincipalPermissionMap(Map roleIdToStringMap, + Set iamPerms) { - Map iamRoleMap = new HashMap<>(iamPerms.size()); + Map iamPrincipalMap = new HashMap<>(iamPerms.size()); iamPerms.forEach(perm -> { String role = roleIdToStringMap.get(perm.getRoleId()); - iamRoleMap.put(perm.getIamPrincipalArn(), role); + iamPrincipalMap.put(perm.getIamPrincipalArn(), role); }); - return iamRoleMap; + return iamPrincipalMap; } /** diff --git a/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java b/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java index 484d1e07a..e1e579f38 100644 --- a/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java +++ b/src/main/java/com/nike/cerberus/service/SafeDepositBoxService.java @@ -22,8 +22,8 @@ import com.nike.cerberus.dao.SafeDepositBoxDao; import com.nike.cerberus.dao.UserGroupDao; import com.nike.cerberus.domain.Category; -import com.nike.cerberus.domain.IamRolePermissionV1; -import com.nike.cerberus.domain.IamRolePermissionV2; +import com.nike.cerberus.domain.IamPrincipalPermission; +import com.nike.cerberus.domain.IamRolePermission; import com.nike.cerberus.domain.Role; import com.nike.cerberus.domain.SafeDepositBoxV1; import com.nike.cerberus.domain.SafeDepositBoxSummary; @@ -78,7 +78,7 @@ public class SafeDepositBoxService { private final UserGroupPermissionService userGroupPermissionService; - private final IamRolePermissionService iamRolePermissionService; + private final IamPrincipalPermissionService iamPrincipalPermissionService; private final Slugger slugger; 
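Review bot: `roleIdToStringMap.get(perm.getRoleId())` in `getIamPrincipalPermissionMap` can return null when a permission references a role id absent from the map, and that null is then stored as the value for the ARN, so an exported metadata document silently carries a permission with no role name and a later `restoreMetadata` feeds the null into `getRoleIdFromName`. A guard such as `Objects.requireNonNull(role, () -> "Unknown role id " + perm.getRoleId() + " on principal " + perm.getIamPrincipalArn())` (needs `java.util.Objects`) would fail the export loudly instead. This predates the rename, but the rename is a good moment to close it.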
@@ -95,7 +95,7 @@ public SafeDepositBoxService(final SafeDepositBoxDao safeDepositBoxDao, final VaultAdminClient vaultAdminClient, final VaultPolicyService vaultPolicyService, final UserGroupPermissionService userGroupPermissionService, - final IamRolePermissionService iamRolePermissionService, + final IamPrincipalPermissionService iamPrincipalPermissionService, final Slugger slugger, final DateTimeSupplier dateTimeSupplier, final AwsIamRoleArnParser awsIamRoleArnParser) { @@ -107,7 +107,7 @@ public SafeDepositBoxService(final SafeDepositBoxDao safeDepositBoxDao, this.vaultAdminClient = vaultAdminClient; this.vaultPolicyService = vaultPolicyService; this.userGroupPermissionService = userGroupPermissionService; - this.iamRolePermissionService = iamRolePermissionService; + this.iamPrincipalPermissionService = iamPrincipalPermissionService; this.slugger = slugger; this.dateTimeSupplier = dateTimeSupplier; this.awsIamRoleArnParser = awsIamRoleArnParser; @@ -198,7 +198,7 @@ protected SafeDepositBoxV2 getSDBFromRecordV2(SafeDepositBoxRecord safeDepositBo owner = possibleOwner.get(); } - final Set iamRolePermissions = iamRolePermissionService.getIamRolePermissions(id); + final Set iamRolePermissions = iamPrincipalPermissionService.getIamPrincipalPermissions(id); SafeDepositBoxV2 safeDepositBox = new SafeDepositBoxV2(); @@ -213,7 +213,7 @@ protected SafeDepositBoxV2 getSDBFromRecordV2(SafeDepositBoxRecord safeDepositBo safeDepositBox.setLastUpdatedTs(safeDepositBoxRecord.getLastUpdatedTs()); safeDepositBox.setOwner(owner); safeDepositBox.setUserGroupPermissions(userGroupPermissions); - safeDepositBox.setIamRolePermissions(iamRolePermissions); + safeDepositBox.setIamPrincipalPermissions(iamRolePermissions); return safeDepositBox; } 
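Review bot: The local in `getSDBFromRecordV2` is still called `iamRolePermissions` although it now holds the result of `getIamPrincipalPermissions(id)`; the same leftover naming appears as `iamRolePermissionSet` in the `createSafeDepositBoxV2` and `updateSafeDepositBoxV2` hunks and as the loop and lambda parameters in `modifyIamPrincipalPermissions`. Renaming them to `iamPrincipalPermissions` / `iamPrincipalPermissionSet` keeps a reader from assuming the V1 role-only type is in play. The enclosing methods start and end outside these hunks.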
@@ -249,7 +249,7 @@ public SafeDepositBoxV2 createSafeDepositBoxV2(final SafeDepositBoxV2 safeDeposi final Set userGroupPermissionSet = safeDepositBox.getUserGroupPermissions(); addOwnerPermission(userGroupPermissionSet, safeDepositBox.getOwner()); - final Set iamRolePermissionSet = safeDepositBox.getIamRolePermissions(); + final Set iamRolePermissionSet = safeDepositBox.getIamPrincipalPermissions(); final boolean isPathInUse = safeDepositBoxDao.isPathInUse(boxRecordToStore.getPath()); @@ -267,7 +267,7 @@ public SafeDepositBoxV2 createSafeDepositBoxV2(final SafeDepositBoxV2 safeDeposi user, now); - iamRolePermissionService.grantIamRolePermissions( + iamPrincipalPermissionService.grantIamPrincipalPermissions( boxRecordToStore.getId(), iamRolePermissionSet, user, @@ -320,7 +320,7 @@ public SafeDepositBoxV2 updateSafeDepositBoxV2(final SafeDepositBoxV2 safeDeposi final OffsetDateTime now = dateTimeSupplier.get(); final SafeDepositBoxRecord boxToUpdate = buildBoxToUpdate(id, safeDepositBox, user, now); final Set userGroupPermissionSet = safeDepositBox.getUserGroupPermissions(); - final Set iamRolePermissionSet = safeDepositBox.getIamRolePermissions(); + final Set iamRolePermissionSet = safeDepositBox.getIamPrincipalPermissions(); if (!StringUtils.equals(currentBox.get().getDescription(), boxToUpdate.getDescription())) { safeDepositBoxDao.updateSafeDepositBox(boxToUpdate); @@ -328,7 +328,7 @@ public SafeDepositBoxV2 updateSafeDepositBoxV2(final SafeDepositBoxV2 safeDeposi updateOwner(currentBox.get().getId(), safeDepositBox.getOwner(), user, now); modifyUserGroupPermissions(currentBox.get(), userGroupPermissionSet, user, now); - modifyIamRolePermissions(currentBox.get(), iamRolePermissionSet, user, now); + modifyIamPrincipalPermissions(currentBox.get(), iamRolePermissionSet, user, now); Optional updatedSafeDepositBox = getAssociatedSafeDepositBoxV2(groups, id); if (updatedSafeDepositBox.isPresent()) { 
@@ -359,7 +359,7 @@ public void deleteSafeDepositBox(final Set groups, final String id) {
 assertIsOwner(groups, box.get());
 // 1. Remove permissions and metadata from database.
- iamRolePermissionService.deleteIamRolePermissions(id);
+ iamPrincipalPermissionService.deleteIamPrincipalPermissions(id);
 userGroupPermissionService.deleteUserGroupPermissions(id);
 safeDepositBoxDao.deleteSafeDepositBox(id);
@@ -560,31 +560,31 @@ protected void modifyUserGroupPermissions(final SafeDepositBoxV2 currentBox, /** * Sorts out the set of permissions into, grant, update and revoke sets. After that it applies those changes. */ - protected void modifyIamRolePermissions(final SafeDepositBoxV2 currentBox, - final Set iamRolePermissionSet, - final String user, - final OffsetDateTime dateTime) { - Set toAddSet = Sets.newHashSet(); - Set toUpdateSet = Sets.newHashSet(); - Set toDeleteSet = Sets.newHashSet(); - - for (IamRolePermissionV2 iamRolePermission : iamRolePermissionSet) { - if (currentBox.getIamRolePermissions().contains(iamRolePermission)) { + protected void modifyIamPrincipalPermissions(final SafeDepositBoxV2 currentBox, + final Set iamPrincipalPermissionSet, + final String user, + final OffsetDateTime dateTime) { + Set toAddSet = Sets.newHashSet(); + Set toUpdateSet = Sets.newHashSet(); + Set toDeleteSet = Sets.newHashSet(); + + for (IamPrincipalPermission iamRolePermission : iamPrincipalPermissionSet) { + if (currentBox.getIamPrincipalPermissions().contains(iamRolePermission)) { toUpdateSet.add(iamRolePermission); } else { toAddSet.add(iamRolePermission); } } - toDeleteSet.addAll(currentBox.getIamRolePermissions().stream() - .filter(iamRolePermission -> !iamRolePermissionSet.contains(iamRolePermission)) + toDeleteSet.addAll(currentBox.getIamPrincipalPermissions().stream() + .filter(iamRolePermission -> !iamPrincipalPermissionSet.contains(iamRolePermission)) .collect(Collectors.toList())); final String safeDepositBoxId = currentBox.getId(); - iamRolePermissionService.grantIamRolePermissions(safeDepositBoxId, toAddSet, user, dateTime); - iamRolePermissionService.updateIamRolePermissions(safeDepositBoxId, toUpdateSet, user, dateTime); - iamRolePermissionService.revokeIamRolePermissions(safeDepositBoxId, toDeleteSet, user, dateTime); + iamPrincipalPermissionService.grantIamPrincipalPermissions(safeDepositBoxId, toAddSet, user, dateTime); + 
iamPrincipalPermissionService.updateIamPrincipalPermissions(safeDepositBoxId, toUpdateSet, user, dateTime); + iamPrincipalPermissionService.revokeIamPrincipalPermissions(safeDepositBoxId, toDeleteSet, user, dateTime); } /** @@ -643,8 +643,8 @@ protected SafeDepositBoxV1 convertSafeDepositBoxV2ToV1(SafeDepositBoxV2 safeDepo safeDepositBoxV1.setLastUpdatedTs(safeDepositBoxV2.getLastUpdatedTs()); safeDepositBoxV1.setOwner(safeDepositBoxV2.getOwner()); safeDepositBoxV1.setUserGroupPermissions(safeDepositBoxV2.getUserGroupPermissions()); - safeDepositBoxV1.setIamRolePermissions(safeDepositBoxV2.getIamRolePermissions().stream() - .map(iamRolePermission -> new IamRolePermissionV1() + safeDepositBoxV1.setIamRolePermissions(safeDepositBoxV2.getIamPrincipalPermissions().stream() + .map(iamRolePermission -> new IamRolePermission() .withAccountId(awsIamRoleArnParser.getAccountId(iamRolePermission.getIamPrincipalArn())) .withIamRoleName(awsIamRoleArnParser.getRoleName(iamRolePermission.getIamPrincipalArn())) .withRoleId(iamRolePermission.getRoleId())) @@ -672,8 +672,8 @@ protected SafeDepositBoxV2 convertSafeDepositBoxV1ToV2(SafeDepositBoxV1 safeDepo safeDepositBoxV2.setLastUpdatedTs(safeDepositBoxV1.getLastUpdatedTs()); safeDepositBoxV2.setOwner(safeDepositBoxV1.getOwner()); safeDepositBoxV2.setUserGroupPermissions(safeDepositBoxV1.getUserGroupPermissions()); - safeDepositBoxV2.setIamRolePermissions(safeDepositBoxV1.getIamRolePermissions().stream() - .map(iamRolePermission -> new IamRolePermissionV2() + safeDepositBoxV2.setIamPrincipalPermissions(safeDepositBoxV1.getIamRolePermissions().stream() + .map(iamRolePermission -> new IamPrincipalPermission() .withIamPrincipalArn(String.format(AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_TEMPLATE, iamRolePermission.getAccountId(), iamRolePermission.getIamRoleName())) .withRoleId(iamRolePermission.getRoleId())) 
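Review bot: The add/update/revoke split in `modifyIamPrincipalPermissions` rests on `Set.contains`, i.e. on `IamPrincipalPermission.equals`/`hashCode`, which this chunk does not show. The split is only correct if equality is keyed on the principal ARN alone: if `roleId` (or `id`) participates, changing a principal's role puts the new value in `toAddSet` and the old one in `toDeleteSet`, grant inserts a second permission row for the same `awsIamRoleId`, and the revoke that runs last calls `deleteIamRolePermission(safeDepositBoxId, iamRoleId)` and removes both rows, leaving the principal with no access at all. A comment stating the contract this method depends on, e.g. `// relies on IamPrincipalPermission equality being keyed on the principal ARN only`, plus a unit test for the role-change case, would pin that down.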
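Review bot: `convertSafeDepositBoxV2ToV1` now passes every stored principal ARN through `awsIamRoleArnParser.getAccountId(...)` and `getRoleName(...)`, but the test file in this commit shows `IamPrincipalPermission` accepting `user/`, `federated-user/` and `assumed-role/` ARNs that carry no IAM role name. Unless the parser tolerates those forms, a single non-role principal on a box will make every V1 read of that box fail; either filter such permissions out of the V1 view with a comment explaining the omission, or document that the V1 endpoints are role-only. The stream chain continues outside the hunk.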
@@ -748,7 +748,7 @@ public void restoreSafeDepositBox(SafeDepositBoxV2 safeDepositBox, SafeDepositBoxV2 existingBox = getSDBFromRecordV2(existingBoxRecord.get()); updateOwner(safeDepositBox.getId(), safeDepositBox.getOwner(), adminUser, now); modifyUserGroupPermissions(existingBox, safeDepositBox.getUserGroupPermissions(), adminUser, now); - modifyIamRolePermissions(existingBox, safeDepositBox.getIamRolePermissions(), adminUser, now); + modifyIamPrincipalPermissions(existingBox, safeDepositBox.getIamPrincipalPermissions(), adminUser, now); } else { safeDepositBoxDao.createSafeDepositBox(boxToStore); addOwnerPermission(safeDepositBox.getUserGroupPermissions(), safeDepositBox.getOwner()); @@ -758,9 +758,9 @@ public void restoreSafeDepositBox(SafeDepositBoxV2 safeDepositBox, adminUser, now); - iamRolePermissionService.grantIamRolePermissions( + iamPrincipalPermissionService.grantIamPrincipalPermissions( safeDepositBox.getId(), - safeDepositBox.getIamRolePermissions(), + safeDepositBox.getIamPrincipalPermissions(), adminUser, now); diff --git a/src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV2.java b/src/main/java/com/nike/cerberus/validation/IamPrincipalPermissionsValidator.java similarity index 75% rename from src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV2.java rename to src/main/java/com/nike/cerberus/validation/IamPrincipalPermissionsValidator.java index 6730e00ff..971c927af 100644 --- a/src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV2.java +++ b/src/main/java/com/nike/cerberus/validation/IamPrincipalPermissionsValidator.java @@ -17,7 +17,7 @@ package com.nike.cerberus.validation; -import com.nike.cerberus.domain.IamRolePermissionV2; +import com.nike.cerberus.domain.IamPrincipalPermission; import org.apache.commons.lang3.StringUtils; import javax.validation.ConstraintValidator; 
@@ -29,14 +29,14 @@ /** * Validator class for validating that a set of IAM role permissions contain no duplicate user group names. */ -public class IamRolePermissionsValidatorV2 - implements ConstraintValidator> { +public class IamPrincipalPermissionsValidator + implements ConstraintValidator> { - public void initialize(UniqueIamRolePermissionsV2 constraint) { + public void initialize(UniqueIamPrincipalPermissions constraint) { // no-op } - public boolean isValid(Set iamRolePermissionSet, ConstraintValidatorContext context) { + public boolean isValid(Set iamRolePermissionSet, ConstraintValidatorContext context) { if (iamRolePermissionSet == null || iamRolePermissionSet.isEmpty()) { return true; } @@ -44,7 +44,7 @@ public boolean isValid(Set iamRolePermissionSet, Constraint boolean isValid = true; Set iamRoles = new HashSet<>(); - for (IamRolePermissionV2 iamRolePermission : iamRolePermissionSet) { + for (IamPrincipalPermission iamRolePermission : iamRolePermissionSet) { final String key = buildKey(iamRolePermission); if (iamRoles.contains(key)) { isValid = false; @@ -57,7 +57,7 @@ public boolean isValid(Set iamRolePermissionSet, Constraint return isValid; } - private String buildKey(IamRolePermissionV2 iamRolePermission) { + private String buildKey(IamPrincipalPermission iamRolePermission) { StringBuilder stringBuilder = new StringBuilder(); stringBuilder.append(StringUtils.lowerCase(iamRolePermission.getIamPrincipalArn(), Locale.ENGLISH)); diff --git a/src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV1.java b/src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidator.java similarity index 77% rename from src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV1.java rename to src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidator.java index 94c7a01fc..b9c8aa94d 100644 --- a/src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV1.java 
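Review bot: The class Javadoc still says this validator checks that permissions `contain no duplicate user group names`, which is wrong for `IamPrincipalPermissionsValidator` — it de-duplicates on the key built from the principal ARN in `buildKey`; suggest `Validator class for validating that a set of IAM principal permissions contains no duplicate principal ARNs.` `initialize` and `isValid` implement `ConstraintValidator` and should carry `@Override`, and the contains-then-add sequence in `isValid` collapses to `if (!iamRoles.add(key)) { isValid = false; ... }`. The tail of `buildKey` is outside the hunk, so whether the key also folds in the role id (which would let the same ARN appear twice with different roles and reach `grantIamPrincipalPermission` twice) cannot be confirmed here.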
+++ b/src/main/java/com/nike/cerberus/validation/IamRolePermissionsValidator.java @@ -16,7 +16,7 @@ package com.nike.cerberus.validation; -import com.nike.cerberus.domain.IamRolePermissionV1; +import com.nike.cerberus.domain.IamRolePermission; import org.apache.commons.lang3.StringUtils; import javax.validation.ConstraintValidator; @@ -28,14 +28,15 @@ /** * Validator class for validating that a set of IAM role permissions contain no duplicate user group names. */ -public class IamRolePermissionsValidatorV1 - implements ConstraintValidator> { +@Deprecated +public class IamRolePermissionsValidator + implements ConstraintValidator> { - public void initialize(UniqueIamRolePermissionsV1 constraint) { + public void initialize(UniqueIamRolePermissions constraint) { // no-op } - public boolean isValid(Set iamRolePermissionSet, ConstraintValidatorContext context) { + public boolean isValid(Set iamRolePermissionSet, ConstraintValidatorContext context) { if (iamRolePermissionSet == null || iamRolePermissionSet.isEmpty()) { return true; } @@ -43,7 +44,7 @@ public boolean isValid(Set iamRolePermissionSet, Constraint boolean isValid = true; Set iamRoles = new HashSet<>(); - for (IamRolePermissionV1 iamRolePermission : iamRolePermissionSet) { + for (IamRolePermission iamRolePermission : iamRolePermissionSet) { final String key = buildKey(iamRolePermission); if (iamRoles.contains(key)) { isValid = false; @@ -56,7 +57,7 @@ public boolean isValid(Set iamRolePermissionSet, Constraint return isValid; } - private String buildKey(IamRolePermissionV1 iamRolePermission) { + private String buildKey(IamRolePermission iamRolePermission) { StringBuilder stringBuilder = new StringBuilder(); stringBuilder.append(StringUtils.lowerCase(iamRolePermission.getAccountId(), Locale.ENGLISH)); 
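Review bot: `@Deprecated` on `IamRolePermissionsValidator` comes without a Javadoc `@deprecated` tag naming the replacement, so readers and IDEs get the warning but not the migration path; add `@deprecated Use {@link IamPrincipalPermissionsValidator}; the role-only permission model is kept for the legacy V1 endpoints only.` to the class Javadoc, and the same for `UniqueIamRolePermissions` in its later hunk. If the project targets Java 9 or newer, `@Deprecated(since = "<release>")` would also record when the deprecation happened.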
diff --git a/src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissionsV2.java b/src/main/java/com/nike/cerberus/validation/UniqueIamPrincipalPermissions.java similarity index 88% rename from src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissionsV2.java rename to src/main/java/com/nike/cerberus/validation/UniqueIamPrincipalPermissions.java index da0d997bc..7e93da40b 100644 --- a/src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissionsV2.java +++ b/src/main/java/com/nike/cerberus/validation/UniqueIamPrincipalPermissions.java @@ -34,10 +34,10 @@ */ @Target({ FIELD, METHOD, PARAMETER, ANNOTATION_TYPE }) @Retention(RUNTIME) -@Constraint(validatedBy = IamRolePermissionsValidatorV2.class) +@Constraint(validatedBy = IamPrincipalPermissionsValidator.class) @Documented -public @interface UniqueIamRolePermissionsV2 { - String message() default "SDB_IAM_ROLE_REPEATED"; +public @interface UniqueIamPrincipalPermissions { + String message() default "SDB_IAM_PRINCIPAL_REPEATED"; Class[] groups() default { }; diff --git a/src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissionsV1.java b/src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissions.java similarity index 92% rename from src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissionsV1.java rename to src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissions.java index 20f02c44a..1fce1f769 100644 --- a/src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissionsV1.java +++ b/src/main/java/com/nike/cerberus/validation/UniqueIamRolePermissions.java 
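Review bot: `message()` now defaults to `SDB_IAM_PRINCIPAL_REPEATED`, a key that did not exist before this commit; if constraint messages are resolved against `DefaultApiError` entries or a message bundle, the new key needs a matching entry or clients will see the raw token instead of a description. The annotation's own Javadoc sits above the hunk and should be checked for the same "IAM role" wording.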
@@ -33,9 +33,10 @@ */ @Target({ FIELD, METHOD, PARAMETER, ANNOTATION_TYPE }) @Retention(RUNTIME) -@Constraint(validatedBy = IamRolePermissionsValidatorV1.class) +@Constraint(validatedBy = IamRolePermissionsValidator.class) @Documented -public @interface UniqueIamRolePermissionsV1 { +@Deprecated +public @interface UniqueIamRolePermissions { String message() default "SDB_IAM_ROLE_REPEATED"; Class[] groups() default { }; diff --git a/src/main/resources/com/nike/cerberus/migration/V1.3.0.0__add_arn_index_and_do_not_allow_null_arn.sql b/src/main/resources/com/nike/cerberus/migration/V1.3.0.0__add_arn_index_and_do_not_allow_null_arn.sql new file mode 100644 index 000000000..2fc25cb70 --- /dev/null +++ b/src/main/resources/com/nike/cerberus/migration/V1.3.0.0__add_arn_index_and_do_not_allow_null_arn.sql @@ -0,0 +1,3 @@ +ALTER TABLE AWS_IAM_ROLE + MODIFY AWS_IAM_ROLE_ARN VARCHAR(255) NOT NULL, + ADD UNIQUE INDEX `IX_AWS_IAM_ROLE_ARN` (AWS_IAM_ROLE_ARN); \ No newline at end of file diff --git a/src/test/java/com/nike/cerberus/IamRolePermissionV2Test.java b/src/test/java/com/nike/cerberus/IamPrincipalPermissionTest.java similarity index 50% rename from src/test/java/com/nike/cerberus/IamRolePermissionV2Test.java rename to src/test/java/com/nike/cerberus/IamPrincipalPermissionTest.java index 0a0635179..df0b7ad5b 100644 --- a/src/test/java/com/nike/cerberus/IamRolePermissionV2Test.java +++ b/src/test/java/com/nike/cerberus/IamPrincipalPermissionTest.java @@ -17,7 +17,7 @@ package com.nike.cerberus; -import com.nike.cerberus.domain.IamRolePermissionV2; +import com.nike.cerberus.domain.IamPrincipalPermission; import org.junit.Test; import javax.validation.Validation; 
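Review bot: The new migration assumes every existing `AWS_IAM_ROLE` row already has a non-null, unique `AWS_IAM_ROLE_ARN`, and nothing on this page backfills or de-duplicates first. This looks like MySQL syntax: under strict mode `MODIFY ... NOT NULL` fails on an existing NULL and the unique index fails on duplicates, aborting the deploy, while in non-strict mode the NULLs are coerced to `''` with a warning and then collide on the unique index. Run a pre-check such as `SELECT COUNT(*) FROM AWS_IAM_ROLE WHERE AWS_IAM_ROLE_ARN IS NULL OR AWS_IAM_ROLE_ARN = '';` against each environment before applying, or add a preceding migration that repairs those rows. Note also that the default MySQL VARCHAR collation is case-insensitive, so the index treats ARNs differing only in case as the same principal — consistent with the case-folded duplicate check the validators perform, but worth a one-line comment in the migration so the two are kept in step.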
@@ -27,41 +27,41 @@ import static org.junit.Assert.assertTrue; /** - * Tests the IamRolePermissionV2 class + * Tests the IamPrincipalPermission class */ -public class IamRolePermissionV2Test { +public class IamPrincipalPermissionTest { private Validator validator = Validation.buildDefaultValidatorFactory().getValidator(); @Test - public void test_that_IamRolePermissionV2_can_be_constructed_with_a_user_iam_principal_arn() { + public void test_that_IamPrincipalPermission_can_be_constructed_with_a_user_iam_principal_arn() { assertTrue(validator.validate( - new IamRolePermissionV2().withIamPrincipalArn("arn:aws:iam::123456789012:user/Bob").withRoleId("role id")).isEmpty()); + new IamPrincipalPermission().withIamPrincipalArn("arn:aws:iam::123456789012:user/Bob").withRoleId("role id")).isEmpty()); } @Test - public void test_that_IamRolePermissionV2_fails_with_invalid_iam_principal_arn() { + public void test_that_IamPrincipalPermission_fails_with_invalid_iam_principal_arn() { assertFalse(validator.validate( - new IamRolePermissionV2().withIamPrincipalArn("arn:aws:foo::123456789012:user/Bob").withRoleId("role id")).isEmpty()); + new IamPrincipalPermission().withIamPrincipalArn("arn:aws:foo::123456789012:user/Bob").withRoleId("role id")).isEmpty()); } @Test - public void test_that_IamRolePermissionV2_can_be_constructed_with_a_federated_user_iam_principal_arn() { + public void test_that_IamPrincipalPermission_can_be_constructed_with_a_federated_user_iam_principal_arn() { assertTrue(validator.validate( - new IamRolePermissionV2().withIamPrincipalArn("arn:aws:sts::123456789012:federated-user/Bob").withRoleId("role id")).isEmpty()); + new IamPrincipalPermission().withIamPrincipalArn("arn:aws:sts::123456789012:federated-user/Bob").withRoleId("role id")).isEmpty()); } @Test - public void test_that_IamRolePermissionV2_can_be_constructed_with_a_assumed_role_iam_principal_arn() { + public void 
test_that_IamPrincipalPermission_can_be_constructed_with_a_assumed_role_iam_principal_arn() { assertTrue(validator.validate( - new IamRolePermissionV2().withIamPrincipalArn("arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary").withRoleId("role id")).isEmpty()); + new IamPrincipalPermission().withIamPrincipalArn("arn:aws:sts::123456789012:assumed-role/Accounting-Role/Mary").withRoleId("role id")).isEmpty()); } diff --git a/src/test/java/com/nike/cerberus/dao/AwsIamRoleDaoTest.java b/src/test/java/com/nike/cerberus/dao/AwsIamRoleDaoTest.java index 50d5052af..dc2cdfa9a 100644 --- a/src/test/java/com/nike/cerberus/dao/AwsIamRoleDaoTest.java +++ b/src/test/java/com/nike/cerberus/dao/AwsIamRoleDaoTest.java @@ -35,10 +35,6 @@ public class AwsIamRoleDaoTest { - private final String awsAccountId = "ACCOUNT_ID"; - - private final String awsIamRoleName = "IAM_ROLE"; - private final String awsIamRoleArn = "IAM_ROLE_ARN"; private final String awsRegion = "us-west-2"; @@ -65,8 +61,6 @@ public class AwsIamRoleDaoTest { private final AwsIamRoleRecord awsIamRoleRecord = new AwsIamRoleRecord() .setId(iamRoleId) - .setAwsAccountId(awsAccountId) - .setAwsIamRoleName(awsIamRoleName) .setAwsIamRoleArn(awsIamRoleArn) .setCreatedBy(createdBy) .setLastUpdatedBy(lastUpdatedBy) diff --git a/src/test/java/com/nike/cerberus/dao/SafeDepositBoxV1DaoTest.java b/src/test/java/com/nike/cerberus/dao/SafeDepositBoxDaoTest.java similarity index 97% rename from src/test/java/com/nike/cerberus/dao/SafeDepositBoxV1DaoTest.java rename to src/test/java/com/nike/cerberus/dao/SafeDepositBoxDaoTest.java index 7ec71705b..a13141c8e 100644 --- a/src/test/java/com/nike/cerberus/dao/SafeDepositBoxV1DaoTest.java +++ b/src/test/java/com/nike/cerberus/dao/SafeDepositBoxDaoTest.java @@ -34,7 +34,7 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; -public class SafeDepositBoxV1DaoTest { +public class SafeDepositBoxDaoTest { private final String safeDepositBoxId = "SDB_ID"; 
@@ -60,7 +60,7 @@ public class SafeDepositBoxV1DaoTest { private final Set userGroupSet = Sets.newHashSet(userGroup); - private final String awsIamPrincipalArn = "AWS_IAM_PRINCIPAL_ARN"; + private final String awsIamRoleArn = "AWS_IAM_ROLE_ARN"; private final SafeDepositBoxRecord safeDepositBoxRecord = new SafeDepositBoxRecord() .setId(safeDepositBoxId) @@ -105,11 +105,11 @@ public void getUserAssociatedSafeDepositBoxRoles_returns_list_of_role_records() @Test public void getIamRoleAssociatedSafeDepositBoxRoles_returns_list_of_role_records() { - when(safeDepositBoxMapper.getIamRoleAssociatedSafeDepositBoxRoles(awsIamPrincipalArn)) + when(safeDepositBoxMapper.getIamRoleAssociatedSafeDepositBoxRoles(awsIamRoleArn)) .thenReturn(safeDepositBoxRoleRecordList); List actual = - subject.getIamRoleAssociatedSafeDepositBoxRoles(awsIamPrincipalArn); + subject.getIamRoleAssociatedSafeDepositBoxRoles(awsIamRoleArn); assertThat(actual).isNotEmpty(); assertThat(actual).hasSameElementsAs(safeDepositBoxRoleRecordList); diff --git a/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV2Test.java b/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamPrincipalTest.java similarity index 86% rename from src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV2Test.java rename to src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamPrincipalTest.java index 3dccbf17a..850fb8bee 100644 --- a/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV2Test.java +++ b/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamPrincipalTest.java 
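Review bot: The fixture in the `@@ -60,7 +60,7 @@` hunk is renamed from `awsIamPrincipalArn` to `awsIamRoleArn`, against the direction of every other rename in this commit, while the mapper call it feeds in the `@@ -105,11 +105,11 @@` hunk keeps the name `getIamRoleAssociatedSafeDepositBoxRoles`. If that DAO method now accepts any IAM principal ARN (the production side is not on this page), the old fixture name was the accurate one and renaming it back misleads the next reader; if it genuinely handles only role ARNs, a one-line comment on the field, `// role ARNs only; principal-ARN lookups go through the principal service`, would settle it.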
@@ -18,7 +18,7 @@ package com.nike.cerberus.endpoints.authentication; import com.nike.cerberus.domain.IamRoleAuthResponse; -import com.nike.cerberus.domain.IamRoleCredentialsV2; +import com.nike.cerberus.domain.IamPrincipalCredentials; import com.nike.cerberus.service.AuthenticationService; import com.nike.riposte.server.http.RequestInfo; import com.nike.riposte.server.http.ResponseInfo; @@ -35,18 +35,18 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; -public class AuthenticateIamRoleV2Test { +public class AuthenticateIamPrincipalTest { private final Executor executor = Executors.newSingleThreadExecutor(); private AuthenticationService authenticationService; - private AuthenticateIamRoleV2 subject; + private AuthenticateIamPrincipal subject; @Before public void setUp() throws Exception { authenticationService = mock(AuthenticationService.class); - subject = new AuthenticateIamRoleV2(authenticationService); + subject = new AuthenticateIamPrincipal(authenticationService); } @Test @@ -61,8 +61,8 @@ public void requestMatcher_is_http_post() { public void execute_returns_iam_role_auth_response() { final IamRoleAuthResponse iamRoleAuthResponse = new IamRoleAuthResponse(); iamRoleAuthResponse.setAuthData("AUTH_DATA"); - final IamRoleCredentialsV2 credentials = new IamRoleCredentialsV2(); - final RequestInfo requestInfo = mock(RequestInfo.class); + final IamPrincipalCredentials credentials = new IamPrincipalCredentials(); + final RequestInfo requestInfo = mock(RequestInfo.class); when(requestInfo.getContent()).thenReturn(credentials); when(authenticationService.authenticate(credentials)).thenReturn(iamRoleAuthResponse); 
diff --git a/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV1Test.java b/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleTest.java similarity index 87% rename from src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV1Test.java rename to src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleTest.java index fc482effa..793d114ee 100644 --- a/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleV1Test.java +++ b/src/test/java/com/nike/cerberus/endpoints/authentication/AuthenticateIamRoleTest.java @@ -17,7 +17,7 @@ package com.nike.cerberus.endpoints.authentication; import com.nike.cerberus.domain.IamRoleAuthResponse; -import com.nike.cerberus.domain.IamRoleCredentialsV1; +import com.nike.cerberus.domain.IamRoleCredentials; import com.nike.cerberus.service.AuthenticationService; import com.nike.riposte.server.http.RequestInfo; import com.nike.riposte.server.http.ResponseInfo; @@ -34,18 +34,18 @@ import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; -public class AuthenticateIamRoleV1Test { +public class AuthenticateIamRoleTest { private final Executor executor = Executors.newSingleThreadExecutor(); private AuthenticationService authenticationService; - private AuthenticateIamRoleV1 subject; + private AuthenticateIamRole subject; @Before public void setUp() throws Exception { authenticationService = mock(AuthenticationService.class); - subject = new AuthenticateIamRoleV1(authenticationService); + subject = new AuthenticateIamRole(authenticationService); } @Test 
@@ -60,8 +60,8 @@ public void requestMatcher_is_http_post() { public void execute_returns_iam_role_auth_response() { final IamRoleAuthResponse iamRoleAuthResponse = new IamRoleAuthResponse(); iamRoleAuthResponse.setAuthData("AUTH_DATA"); - final IamRoleCredentialsV1 credentials = new IamRoleCredentialsV1(); - final RequestInfo requestInfo = mock(RequestInfo.class); + final IamRoleCredentials credentials = new IamRoleCredentials(); + final RequestInfo requestInfo = mock(RequestInfo.class); when(requestInfo.getContent()).thenReturn(credentials); when(authenticationService.authenticate(credentials)).thenReturn(iamRoleAuthResponse); diff --git a/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java b/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java index bc2fb6d31..279f14921 100644 --- a/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java +++ b/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java @@ -37,7 +37,6 @@ import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.mock; -import static org.mockito.Mockito.when; import static org.mockito.MockitoAnnotations.initMocks; /** diff --git a/src/test/java/com/nike/cerberus/service/MetadataServiceTest.java b/src/test/java/com/nike/cerberus/service/MetadataServiceTest.java index 60a239bd0..cfcb5b4d4 100644 --- a/src/test/java/com/nike/cerberus/service/MetadataServiceTest.java +++ b/src/test/java/com/nike/cerberus/service/MetadataServiceTest.java @@ -17,7 +17,7 @@ package com.nike.cerberus.service; import com.fasterxml.jackson.databind.ObjectMapper; -import com.nike.cerberus.domain.IamRolePermissionV2; +import com.nike.cerberus.domain.IamPrincipalPermission; import com.nike.cerberus.domain.Role; import com.nike.cerberus.domain.SDBMetadata; import com.nike.cerberus.domain.SDBMetadataResult; 
@@ -161,9 +161,9 @@ public void test_that_get_sdb_metadata_list_returns_valid_list() { userPerms.add(new UserGroupPermission().withName(grumpyBearsGroup).withRoleId(readId)); box.setUserGroupPermissions(userPerms); - Set iamPerms = new HashSet<>(); - iamPerms.add(new IamRolePermissionV2().withIamPrincipalArn(arn).withRoleId(readId)); - box.setIamRolePermissions(iamPerms); + Set iamPerms = new HashSet<>(); + iamPerms.add(new IamPrincipalPermission().withIamPrincipalArn(arn).withRoleId(readId)); + box.setIamPrincipalPermissions(iamPerms); when(safeDepositBoxService.getSafeDepositBoxes(1,0)).thenReturn(Arrays.asList(box)); @@ -181,7 +181,7 @@ public void test_that_get_sdb_metadata_list_returns_valid_list() { Map expectedIamPermMap = new HashMap<>(); expectedIamPermMap.put(arn, RoleRecord.ROLE_READ); - assertEquals("iam role perm map should match what is returned by getIamRolePermissionMap", + assertEquals("iam role perm map should match what is returned by getIamPrincipalPermissionMap", expectedIamPermMap, data.getIamRolePermissions()); Map expectedGroupPermMap = new HashMap<>(); @@ -231,13 +231,13 @@ public void test_that_restore_metadata_calls_the_sdb_service_with_expected_sdb_b userPerms.add(new UserGroupPermission().withName("Lst-NIKE.FOO.ISL").withRoleId(readId)); expectedSdb.setUserGroupPermissions(userPerms); - Set iamPerms = new HashSet<>(); + Set iamPerms = new HashSet<>(); String arn = "arn:aws:iam::1111111111:role/lambda_prod_healthcheck"; - iamPerms.add(new IamRolePermissionV2().withIamPrincipalArn(arn).withRoleId(readId)); - expectedSdb.setIamRolePermissions(iamPerms); + iamPerms.add(new IamPrincipalPermission().withIamPrincipalArn(arn).withRoleId(readId)); + expectedSdb.setIamPrincipalPermissions(iamPerms); expectedSdb.setUserGroupPermissions(userPerms); - expectedSdb.setIamRolePermissions(iamPerms); + expectedSdb.setIamPrincipalPermissions(iamPerms); verify(safeDepositBoxService, times(1)).restoreSafeDepositBox(expectedSdb, user); } 
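Review bot: The assertion message in the `@@ -181,7 +181,7 @@` hunk now says the map is "returned by getIamPrincipalPermissionMap", but the value actually compared comes from `data.getIamRolePermissions()` on the line below, which the commit leaves unchanged. Either the message should name the accessor that is called, e.g. `assertEquals("iam principal perm map should match what is returned by getIamRolePermissions", expectedIamPermMap, data.getIamRolePermissions());`, or `SDBMetadata` should be renamed in step with the rest of the change; as written, a failure points the reader at a method that may not exist.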
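Review bot: `expectedSdb.setUserGroupPermissions(userPerms)` and `expectedSdb.setIamPrincipalPermissions(iamPerms)` are each called twice in the `@@ -231,13 +231,13 @@` hunk; the commit rewrites both copies of the second call instead of dropping the redundant pair. The same duplicated pair appears in both hunks of `SafeDepositBoxServiceTest` (`@@ -124,12 +124,12 @@` and `@@ -175,12 +175,12 @@`) on a later line. Deleting the trailing `setUserGroupPermissions`/`setIamPrincipalPermissions` pair in each place leaves the tests behaviourally identical and easier to read.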
diff --git a/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java b/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java index 402dc4dd9..92697bf9b 100644 --- a/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java +++ b/src/test/java/com/nike/cerberus/service/SafeDepositBoxServiceTest.java @@ -18,8 +18,8 @@ import com.nike.cerberus.dao.SafeDepositBoxDao; import com.nike.cerberus.dao.UserGroupDao; -import com.nike.cerberus.domain.IamRolePermissionV1; -import com.nike.cerberus.domain.IamRolePermissionV2; +import com.nike.cerberus.domain.IamPrincipalPermission; +import com.nike.cerberus.domain.IamRolePermission; import com.nike.cerberus.domain.SafeDepositBoxV1; import com.nike.cerberus.domain.SafeDepositBoxV2; import com.nike.cerberus.domain.UserGroupPermission; @@ -77,7 +77,7 @@ public class SafeDepositBoxServiceTest { private UserGroupPermissionService userGroupPermissionService; @Mock - private IamRolePermissionService iamRolePermissionService; + private IamPrincipalPermissionService iamPrincipalPermissionService; @Mock private Slugger slugger; 
@@ -124,12 +124,12 @@ public void test_that_restore_safe_deposit_box_creates_with_expected_sdb_record_ userPerms.add(new UserGroupPermission().withName("Lst-NIKE.FOO.ISL").withRoleId(readId)); sdbObject.setUserGroupPermissions(userPerms); - Set iamPerms = new HashSet<>(); - iamPerms.add(new IamRolePermissionV2().withIamPrincipalArn("arn:aws:iam::1111111111:role/lambda_prod_healthcheck").withRoleId(readId)); - sdbObject.setIamRolePermissions(iamPerms); + Set iamPerms = new HashSet<>(); + iamPerms.add(new IamPrincipalPermission().withIamPrincipalArn("arn:aws:iam::1111111111:role/lambda_prod_healthcheck").withRoleId(readId)); + sdbObject.setIamPrincipalPermissions(iamPerms); sdbObject.setUserGroupPermissions(userPerms); - sdbObject.setIamRolePermissions(iamPerms); + sdbObject.setIamPrincipalPermissions(iamPerms); SafeDepositBoxRecord boxToStore = new SafeDepositBoxRecord(); boxToStore.setId(sdbObject.getId()); @@ -175,12 +175,12 @@ public void test_that_restore_safe_deposit_box_updates_with_expected_sdb_record_ userPerms.add(new UserGroupPermission().withName("Lst-NIKE.FOO.ISL").withRoleId(readId)); sdbObject.setUserGroupPermissions(userPerms); - Set iamPerms = new HashSet<>(); - iamPerms.add(new IamRolePermissionV2().withIamPrincipalArn("arn:aws:iam::1111111111:role/lambda_prod_healthcheck").withRoleId(readId)); - sdbObject.setIamRolePermissions(iamPerms); + Set iamPerms = new HashSet<>(); + iamPerms.add(new IamPrincipalPermission().withIamPrincipalArn("arn:aws:iam::1111111111:role/lambda_prod_healthcheck").withRoleId(readId)); + sdbObject.setIamPrincipalPermissions(iamPerms); sdbObject.setUserGroupPermissions(userPerms); - sdbObject.setIamRolePermissions(iamPerms); + sdbObject.setIamPrincipalPermissions(iamPerms); SafeDepositBoxRecord boxToStore = new SafeDepositBoxRecord(); boxToStore.setId(sdbObject.getId()); 
@@ -198,7 +198,7 @@ public void test_that_restore_safe_deposit_box_updates_with_expected_sdb_record_ when(safeDepositBoxDao.getSafeDepositBox(sdbObject.getId())).thenReturn(Optional.of(existingRecord)); doNothing().when(safeDepositBoxServiceSpy).updateOwner(any(), any(), any(), any()); doNothing().when(safeDepositBoxServiceSpy).modifyUserGroupPermissions(any(), any(), any(), any()); - doNothing().when(safeDepositBoxServiceSpy).modifyIamRolePermissions(any(), any(), any(), any()); + doNothing().when(safeDepositBoxServiceSpy).modifyIamPrincipalPermissions(any(), any(), any(), any()); doReturn(sdbObject).when(safeDepositBoxServiceSpy).getSDBFromRecordV2(any()); safeDepositBoxServiceSpy.restoreSafeDepositBox(sdbObject, "admin-user"); @@ -228,8 +228,8 @@ public void test_that_convertSafeDepositBoxV1ToV2_creates_expected_safe_deposit_ UserGroupPermission userGroupPermission = new UserGroupPermission(); userGroupPermissions.add(userGroupPermission); - Set iamRolePermissions = Sets.newHashSet(); - IamRolePermissionV2 iamRolePermission = new IamRolePermissionV2().withIamPrincipalArn(arn).withRoleId(roleId); + Set iamRolePermissions = Sets.newHashSet(); + IamPrincipalPermission iamRolePermission = new IamPrincipalPermission().withIamPrincipalArn(arn).withRoleId(roleId); iamRolePermissions.add(iamRolePermission); SafeDepositBoxV2 safeDepositBoxV2 = new SafeDepositBoxV2(); @@ -244,7 +244,7 @@ public void test_that_convertSafeDepositBoxV1ToV2_creates_expected_safe_deposit_ safeDepositBoxV2.setLastUpdatedTs(lastUpdatedTs); safeDepositBoxV2.setOwner(owner); safeDepositBoxV2.setUserGroupPermissions(userGroupPermissions); - safeDepositBoxV2.setIamRolePermissions(iamRolePermissions); + safeDepositBoxV2.setIamPrincipalPermissions(iamRolePermissions); when(awsIamRoleArnParser.getAccountId(arn)).thenReturn(accountId); when(awsIamRoleArnParser.getRoleName(arn)).thenReturn(roleName); 
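Review bot: In the `@@ -228,8 +228,8 @@` hunk the set and element are now `IamPrincipalPermission` and are passed to `setIamPrincipalPermissions`, yet the locals keep the names `iamRolePermissions` / `iamRolePermission`, so the names contradict the type; `Set<IamPrincipalPermission> iamPrincipalPermissions` and `IamPrincipalPermission iamPrincipalPermission` would match the rest of the rename. The `@@ -325,10 +325,10 @@` hunk on a later line does the same only halfway, renaming the element to `expectedIamPrincipalPermission` while the set stays `expectedIamRolePermissionsV2`. These are test-only and change no behaviour, but a half-done rename is exactly what makes the next grep for `IamRolePermission` misleading.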
@@ -263,9 +263,9 @@ public void test_that_convertSafeDepositBoxV1ToV2_creates_expected_safe_deposit_ expectedSdbV1.setLastUpdatedTs(lastUpdatedTs); expectedSdbV1.setOwner(owner); expectedSdbV1.setUserGroupPermissions(userGroupPermissions); - Set expectedIamRolePermissionsV1 = Sets.newHashSet(); - IamRolePermissionV1 expectedIamRolePermissionV1 = new IamRolePermissionV1().withAccountId(accountId).withIamRoleName(roleName).withRoleId(roleId); - expectedIamRolePermissionsV1.add(expectedIamRolePermissionV1); + Set expectedIamRolePermissionsV1 = Sets.newHashSet(); + IamRolePermission expectedIamRolePermission = new IamRolePermission().withAccountId(accountId).withIamRoleName(roleName).withRoleId(roleId); + expectedIamRolePermissionsV1.add(expectedIamRolePermission); expectedSdbV1.setIamRolePermissions(expectedIamRolePermissionsV1); assertEquals(expectedSdbV1, resultantSDBV1); @@ -293,8 +293,8 @@ public void test_that_convertSafeDepositBoxV2ToV1_creates_expected_safe_deposit_ UserGroupPermission userGroupPermission = new UserGroupPermission(); userGroupPermissions.add(userGroupPermission); - Set iamRolePermissions = Sets.newHashSet(); - IamRolePermissionV1 iamRolePermission = new IamRolePermissionV1().withAccountId(accountId).withIamRoleName(roleName).withRoleId(roleId); + Set iamRolePermissions = Sets.newHashSet(); + IamRolePermission iamRolePermission = new IamRolePermission().withAccountId(accountId).withIamRoleName(roleName).withRoleId(roleId); iamRolePermissions.add(iamRolePermission); SafeDepositBoxV1 safeDepositBoxV1 = new SafeDepositBoxV1(); 
@@ -325,10 +325,10 @@ public void test_that_convertSafeDepositBoxV2ToV1_creates_expected_safe_deposit_ expectedSdbV2.setLastUpdatedTs(lastUpdatedTs); expectedSdbV2.setOwner(owner); expectedSdbV2.setUserGroupPermissions(userGroupPermissions); - Set expectedIamRolePermissionsV2 = Sets.newHashSet(); - IamRolePermissionV2 expectedIamRolePermissionV2 = new IamRolePermissionV2().withIamPrincipalArn(arn).withRoleId(roleId); - expectedIamRolePermissionsV2.add(expectedIamRolePermissionV2); - expectedSdbV2.setIamRolePermissions(expectedIamRolePermissionsV2); + Set expectedIamRolePermissionsV2 = Sets.newHashSet(); + IamPrincipalPermission expectedIamPrincipalPermission = new IamPrincipalPermission().withIamPrincipalArn(arn).withRoleId(roleId); + expectedIamRolePermissionsV2.add(expectedIamPrincipalPermission); + expectedSdbV2.setIamPrincipalPermissions(expectedIamRolePermissionsV2); assertEquals(expectedSdbV2, resultantSDBV1); } diff --git a/src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV2Test.java b/src/test/java/com/nike/cerberus/validation/IamPrincipalPermissionsValidatorTest.java similarity index 78% rename from src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV2Test.java rename to src/test/java/com/nike/cerberus/validation/IamPrincipalPermissionsValidatorTest.java index d498f879c..65abe52d9 100644 --- a/src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV2Test.java +++ b/src/test/java/com/nike/cerberus/validation/IamPrincipalPermissionsValidatorTest.java @@ -17,7 +17,7 @@ package com.nike.cerberus.validation; -import com.nike.cerberus.domain.IamRolePermissionV2; +import com.nike.cerberus.domain.IamPrincipalPermission; import org.junit.Before; import org.junit.Test; import org.mockito.internal.util.collections.Sets; 
@@ -29,18 +29,18 @@ import static org.mockito.Mockito.mock; /** - * Tests the IamRolePermissionsValidatorV1 class + * Tests the IamRolePermissionsValidator class */ -public class IamRolePermissionsValidatorV2Test { +public class IamPrincipalPermissionsValidatorTest { private ConstraintValidatorContext mockConstraintValidatorContext; - private IamRolePermissionsValidatorV2 subject; + private IamPrincipalPermissionsValidator subject; @Before public void setup() { mockConstraintValidatorContext = mock(ConstraintValidatorContext.class); - subject = new IamRolePermissionsValidatorV2(); + subject = new IamPrincipalPermissionsValidator(); } @Test @@ -56,9 +56,9 @@ public void empty_set_is_valid() { @Test public void unique_set_is_valid() { - IamRolePermissionV2 a = new IamRolePermissionV2(); + IamPrincipalPermission a = new IamPrincipalPermission(); a.withIamPrincipalArn("arn:aws:iam::123:role/abc"); - IamRolePermissionV2 b = new IamRolePermissionV2(); + IamPrincipalPermission b = new IamPrincipalPermission(); b.withIamPrincipalArn("arn:aws:iam::123:role/def"); assertThat(subject.isValid(Sets.newSet(a, b), mockConstraintValidatorContext)).isTrue(); @@ -67,9 +67,9 @@ public void unique_set_is_valid() { @Test public void duplicate_set_is_invalid() { - IamRolePermissionV2 a = new IamRolePermissionV2(); + IamPrincipalPermission a = new IamPrincipalPermission(); a.withIamPrincipalArn("arn:aws:iam::123:role/abc"); - IamRolePermissionV2 b = new IamRolePermissionV2(); + IamPrincipalPermission b = new IamPrincipalPermission(); b.withIamPrincipalArn("arn:aws:iam::123:role/ABC"); assertThat(subject.isValid(Sets.newSet(a, b), mockConstraintValidatorContext)).isFalse(); 
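Review bot: The class Javadoc in the `@@ -29,18 +29,18 @@` hunk is updated to "Tests the IamRolePermissionsValidator class", but this file is `IamPrincipalPermissionsValidatorTest` and its subject is `new IamPrincipalPermissionsValidator()`; the line should read ` * Tests the IamPrincipalPermissionsValidator class`. The old text already pointed at the wrong validator (the V1 one), so this is a carried-over copy-paste rather than a new regression, but it is the line the commit chose to edit.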
diff --git a/src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV1Test.java b/src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorTest.java similarity index 80% rename from src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV1Test.java rename to src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorTest.java index fe4b854bd..259798db3 100644 --- a/src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorV1Test.java +++ b/src/test/java/com/nike/cerberus/validation/IamRolePermissionsValidatorTest.java @@ -16,7 +16,7 @@ package com.nike.cerberus.validation; -import com.nike.cerberus.domain.IamRolePermissionV1; +import com.nike.cerberus.domain.IamRolePermission; import org.junit.Before; import org.junit.Test; import org.mockito.internal.util.collections.Sets; @@ -28,18 +28,18 @@ import static org.mockito.Mockito.mock; /** - * Tests the IamRolePermissionsValidatorV1 class + * Tests the IamRolePermissionsValidator class */ -public class IamRolePermissionsValidatorV1Test { +public class IamRolePermissionsValidatorTest { private ConstraintValidatorContext mockConstraintValidatorContext; - private IamRolePermissionsValidatorV1 subject; + private IamRolePermissionsValidator subject; @Before public void setup() { mockConstraintValidatorContext = mock(ConstraintValidatorContext.class); - subject = new IamRolePermissionsValidatorV1(); + subject = new IamRolePermissionsValidator(); } @Test @@ -54,10 +54,10 @@ public void empty_set_is_valid() { @Test public void unique_set_is_valid() { - IamRolePermissionV1 a = new IamRolePermissionV1(); + IamRolePermission a = new IamRolePermission(); a.setAccountId("123"); a.setIamRoleName("abc"); - IamRolePermissionV1 b = new IamRolePermissionV1(); + IamRolePermission b = new IamRolePermission(); b.setAccountId("123"); b.setIamRoleName("def"); 
@@ -66,10 +66,10 @@ public void unique_set_is_valid() { @Test public void duplicate_set_is_invalid() { - IamRolePermissionV1 a = new IamRolePermissionV1(); + IamRolePermission a = new IamRolePermission(); a.setAccountId("123"); a.setIamRoleName("abc"); - IamRolePermissionV1 b = new IamRolePermissionV1(); + IamRolePermission b = new IamRolePermission(); b.setAccountId("123"); b.setIamRoleName("ABC");