
Add new admin endpoint for getting kms key metadata (#166)
fieldju authored Jun 21, 2018
1 parent fb7646d commit cb05a24
Showing 11 changed files with 219 additions and 10 deletions.
28 changes: 28 additions & 0 deletions API.md
Expand Up @@ -1549,6 +1549,34 @@ A 400 response code is given if the job wasn't found.

+ Response 204 No Content

## Get all the kms key metadata for all the kms keys creating for IAM auth [/v1/admin/authentication-kms-metadata]

### [PUT]

+ Request

+ Headers

X-Cerberus-Token: AaAAAaaaAAAabCdEF0JkLMNZ01iGabcdefGHIJKLtClQabcCVabEYab1aDaZZz12a
X-Cerberus-Client: MyClientName/1.0.0

+ Response 200 (application/json)

+ Body

{
"authentication_kms_key_metadata": [
{
"aws_iam_role_arn": "arn:aws:iam::222222222222:role/foo-role",
"aws_kms_key_id": "arn:aws:kms:us-west-2:222222222222:key/b74225a6-2222-4444-baf0-abc123456",
"aws_region": "us-west-2",
"created_ts": "2018-06-20T14:39:56-07:00",
"last_updated_ts": "2018-06-20T14:39:56-07:00",
"last_validated_ts": null
}
]
}

## Healthcheck [/healthcheck]

### Healthcheck [GET]
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -152,4 +152,4 @@ task copyDashboardResources(type: Copy, dependsOn: buildDashboard) {
into dashboardResourceFolder
}

apply from: file('gradle/develop.gradle')
apply from: file('gradle/develop.gradle')
2 changes: 1 addition & 1 deletion gradle.properties
Expand Up @@ -14,6 +14,6 @@
# limitations under the License.
#

version=3.16.2
version=3.17.0
groupId=com.nike.cerberus
artifactId=cms
4 changes: 4 additions & 0 deletions src/main/java/com/nike/cerberus/dao/AwsIamRoleDao.java
Expand Up @@ -101,4 +101,8 @@ public int deleteIamRoleById(final String id) {
public int deleteKmsKeyById(final String id) {
return awsIamRoleMapper.deleteKmsKeyById(id);
}

public Optional<List<AwsIamRoleKmsKeyRecord>> getAllKmsKeys() {
return Optional.ofNullable(awsIamRoleMapper.getAllKmsKeys());
}
}
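Review bot: `getAllKmsKeys()` on the new lines wraps a `List` in an `Optional`, and the only consumer added in this commit (`KmsService.getAuthenticationKmsMetadata()`) immediately unwraps it with `orElse(new LinkedList<>())`; an absent collection is better expressed as an empty list than as an empty `Optional`. If the mapper can really return null here (most MyBatis list-returning mappers return an empty list instead — worth confirming), `public List<AwsIamRoleKmsKeyRecord> getAllKmsKeys()` returning `Optional.ofNullable(awsIamRoleMapper.getAllKmsKeys()).orElse(Collections.emptyList())` keeps the call site simple. That also matches the sibling `deleteKmsKeyById` style of handing the mapper result straight back. The enclosing `AwsIamRoleDao` class starts outside the hunk.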
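--- a/src/main/java/com/nike/cerberus/domain/AuthKmsKeyMetadata.java
+++ b/src/main/java/com/nike/cerberus/domain/AuthKmsKeyMetadata.java
@@ -0,0 +1,67 @@
+package com.nike.cerberus.domain;
+
+import java.time.OffsetDateTime;
+
+public class AuthKmsKeyMetadata {
+
+private String awsIamRoleArn;
+private String awsKmsKeyId;
+private String awsRegion;
+private OffsetDateTime createdTs;
+private OffsetDateTime lastUpdatedTs;
+private OffsetDateTime lastValidatedTs;
+
+public String getAwsIamRoleArn() {
+return awsIamRoleArn;
+}
+
+public AuthKmsKeyMetadata setAwsIamRoleArn(String awsIamRoleArn) {
+this.awsIamRoleArn = awsIamRoleArn;
+return this;
+}
+
+public String getAwsKmsKeyId() {
+return awsKmsKeyId;
+}
+
+public AuthKmsKeyMetadata setAwsKmsKeyId(String awsKmsKeyId) {
+this.awsKmsKeyId = awsKmsKeyId;
+return this;
+}
+
+public String getAwsRegion() {
+return awsRegion;
+}
+
+public AuthKmsKeyMetadata setAwsRegion(String awsRegion) {
+this.awsRegion = awsRegion;
+return this;
+}
+
+public OffsetDateTime getCreatedTs() {
+return createdTs;
+}
+
+public AuthKmsKeyMetadata setCreatedTs(OffsetDateTime createdTs) {
+this.createdTs = createdTs;
+return this;
+}
+
+public OffsetDateTime getLastUpdatedTs() {
+return lastUpdatedTs;
+}
+
+public AuthKmsKeyMetadata setLastUpdatedTs(OffsetDateTime lastUpdatedTs) {
+this.lastUpdatedTs = lastUpdatedTs;
+return this;
+}
+
+public OffsetDateTime getLastValidatedTs() {
+return lastValidatedTs;
+}
+
+public AuthKmsKeyMetadata setLastValidatedTs(OffsetDateTime lastValidatedTs) {
+this.lastValidatedTs = lastValidatedTs;
+return this;
+}
+}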
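Review bot: The new `AuthKmsKeyMetadata` class carries no Javadoc even though it is the shape serialized into the `authentication_kms_key_metadata` response documented in API.md in this same commit, so its getters are effectively a public API contract and a renamed field presumably renames a JSON key. A class comment such as `/** One IAM-auth KMS key as returned by GET /v1/admin/authentication-kms-metadata; every field may be null. */` would make that explicit, and `lastValidatedTs` deserves a one-line comment saying when it is populated, since the API.md example shows it as null. The same applies to the new `AuthKmsKeyMetadataResult` wrapper in the following file section, whose constructor also stores the caller's list without copying it.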
@@ -0,0 +1,22 @@
package com.nike.cerberus.domain;

import java.util.List;

public class AuthKmsKeyMetadataResult {
private List<AuthKmsKeyMetadata> authenticationKmsKeyMetadata;

public AuthKmsKeyMetadataResult() {
}

public AuthKmsKeyMetadataResult(List<AuthKmsKeyMetadata> authenticationKmsKeyMetadata) {
this.authenticationKmsKeyMetadata = authenticationKmsKeyMetadata;
}

public List<AuthKmsKeyMetadata> getAuthenticationKmsKeyMetadata() {
return authenticationKmsKeyMetadata;
}

public void setAuthenticationKmsKeyMetadata(List<AuthKmsKeyMetadata> authenticationKmsKeyMetadata) {
this.authenticationKmsKeyMetadata = authenticationKmsKeyMetadata;
}
}
@@ -0,0 +1,53 @@
package com.nike.cerberus.endpoints.admin;

import com.nike.cerberus.domain.AuthKmsKeyMetadataResult;
import com.nike.cerberus.endpoints.AdminStandardEndpoint;
import com.nike.cerberus.service.KmsService;
import com.nike.riposte.server.http.RequestInfo;
import com.nike.riposte.server.http.ResponseInfo;
import com.nike.riposte.server.http.impl.FullResponseInfo;
import com.nike.riposte.util.AsyncNettyHelper;
import com.nike.riposte.util.Matcher;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.HttpMethod;

import javax.inject.Inject;
import javax.ws.rs.core.SecurityContext;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;

/**
* Endpoint for retrieving kms key metadata for all created keys in the db
*/
public class GetAuthKmsKeyMetadata extends AdminStandardEndpoint<Void, AuthKmsKeyMetadataResult> {

private final KmsService kmsService;

@Inject
public GetAuthKmsKeyMetadata(KmsService kmsService) {
this.kmsService = kmsService;
}

@Override
public CompletableFuture<ResponseInfo<AuthKmsKeyMetadataResult>> doExecute(RequestInfo<Void> request,
Executor longRunningTaskExecutor,
ChannelHandlerContext ctx,
SecurityContext securityContext) {

return CompletableFuture.supplyAsync(
AsyncNettyHelper.supplierWithTracingAndMdc(() -> getAuthKmsKeyMetadata(request), ctx),
longRunningTaskExecutor
);
}

private FullResponseInfo<AuthKmsKeyMetadataResult> getAuthKmsKeyMetadata(RequestInfo<Void> request) {
return ResponseInfo.newBuilder(new AuthKmsKeyMetadataResult(
kmsService.getAuthenticationKmsMetadata()
)).build();
}

@Override
public Matcher requestMatcher() {
return Matcher.match("/v1/admin/authentication-kms-metadata", HttpMethod.GET);
}
}
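Review bot: `requestMatcher()` registers the route with `HttpMethod.GET`, but the API.md section added in this commit documents `/v1/admin/authentication-kms-metadata` under `### [PUT]`; for a read-only endpoint the doc heading should become `### [GET]`. The `request` parameter of the private helper is never read and can be dropped, `private FullResponseInfo<AuthKmsKeyMetadataResult> getAuthKmsKeyMetadata()`. The response enumerates every IAM role ARN and KMS key ARN registered for authentication, so the only thing gating it is whatever `AdminStandardEndpoint` enforces — presumably an admin check on the caller's token, which is worth stating in the class Javadoc, e.g. `Admin-only: lists every IAM role ARN / KMS key ARN pair used for IAM auth.` The file path for this section is not shown on the page.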
2 changes: 2 additions & 0 deletions src/main/java/com/nike/cerberus/mapper/AwsIamRoleMapper.java
Expand Up @@ -62,4 +62,6 @@ int deleteIamRolePermission(@Param("safeDepositBoxId") String safeDepositBoxId,
int deleteIamRoleById(@Param("id") final String id);

int deleteKmsKeyById(@Param("id") final String id);

List<AwsIamRoleKmsKeyRecord> getAllKmsKeys();
}
Expand Up @@ -30,11 +30,7 @@
import com.nike.cerberus.endpoints.GetDashboardRedirect;
import com.nike.cerberus.endpoints.HealthCheckEndpoint;
import com.nike.cerberus.endpoints.RobotsEndpoint;
import com.nike.cerberus.endpoints.admin.GetSDBMetadata;
import com.nike.cerberus.endpoints.admin.OverrideSdbOwner;
import com.nike.cerberus.endpoints.admin.PutSDBMetadata;
import com.nike.cerberus.endpoints.admin.RestoreSafeDepositBox;
import com.nike.cerberus.endpoints.admin.TriggerScheduledJob;
import com.nike.cerberus.endpoints.admin.*;
import com.nike.cerberus.endpoints.authentication.AuthenticateIamPrincipal;
import com.nike.cerberus.endpoints.authentication.AuthenticateIamRole;
import com.nike.cerberus.endpoints.authentication.AuthenticateUser;
Expand Down Expand Up @@ -212,7 +208,8 @@ public Set<Endpoint<?>> appEndpoints(
ReadSecureFile readSecureFile,
HeadSecureFile headSecureFile,
GetSecureFiles getSecureFiles,
DeleteSecureFile deleteSecureFile
DeleteSecureFile deleteSecureFile,
GetAuthKmsKeyMetadata getAuthKmsKeyMetadata
) {
return new LinkedHashSet<>(Arrays.<Endpoint<?>>asList(
healthCheckEndpoint,
Expand All @@ -229,7 +226,7 @@ public Set<Endpoint<?>> appEndpoints(
getDashboard, getDashboardRedirect,
writeSecureFile, readSecureFile, deleteSecureFile, headSecureFile, getSecureFiles,
restoreSafeDepositBox,
getSecretVersionPathsForSdb, getSecureDataVersions
getSecretVersionPathsForSdb, getSecureDataVersions, getAuthKmsKeyMetadata
));
}
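Review bot: The first hunk of this section replaces five explicit `com.nike.cerberus.endpoints.admin.*` imports with a wildcard, while every other import visible in the block (`endpoints.authentication.AuthenticateIamPrincipal` and siblings) stays explicit; a wildcard hides which admin endpoints this module wires and can pick up name clashes as the package grows. Keep the five removed lines and add `import com.nike.cerberus.endpoints.admin.GetAuthKmsKeyMetadata;` in sorted position. The `appEndpoints` method modified by the other two hunks starts before its hunk, and the file header for this section is not shown on the page.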

29 changes: 29 additions & 0 deletions src/main/java/com/nike/cerberus/service/KmsService.java
Expand Up @@ -33,6 +33,7 @@
import com.nike.backstopper.exception.ApiException;
import com.nike.cerberus.aws.KmsClientFactory;
import com.nike.cerberus.dao.AwsIamRoleDao;
import com.nike.cerberus.domain.AuthKmsKeyMetadata;
import com.nike.cerberus.error.DefaultApiError;
import com.nike.cerberus.record.AwsIamRoleKmsKeyRecord;
import com.nike.cerberus.util.AwsIamRoleArnParser;
Expand All @@ -48,6 +49,8 @@
import javax.inject.Singleton;
import java.time.OffsetDateTime;
import java.time.temporal.ChronoUnit;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.TimeUnit;
Expand Down Expand Up @@ -125,6 +128,9 @@ public AwsIamRoleKmsKeyRecord provisionKmsKey(final String iamRoleRecordId,
final String kmsKeyRecordId = uuidSupplier.get();

final String awsKmsKeyArn = createKmsKeyInAws(iamPrincipalArn, kmsKeyRecordId, awsRegion);

logger.info("Created KMS Key with id: {} for ARN: {}, REGION: {}", awsKmsKeyArn, iamPrincipalArn, awsRegion);

return createKmsKeyRecord(iamRoleRecordId, kmsKeyRecordId, awsKmsKeyArn,
awsRegion,
user,
Expand Down Expand Up @@ -243,6 +249,29 @@ public void deleteKmsKeyById(final String kmsKeyId) {
awsIamRoleDao.deleteKmsKeyById(kmsKeyId);
}

public List<AuthKmsKeyMetadata> getAuthenticationKmsMetadata() {
List<AuthKmsKeyMetadata> result = new LinkedList<>();

Optional<List<AwsIamRoleKmsKeyRecord>> keysOptional = awsIamRoleDao.getAllKmsKeys();
List<AwsIamRoleKmsKeyRecord> keys = keysOptional.orElse(new LinkedList<>());

keys.forEach(key -> {
AuthKmsKeyMetadata metadata = new AuthKmsKeyMetadata()
.setAwsKmsKeyId(key.getAwsKmsKeyId())
.setAwsRegion(key.getAwsRegion())
.setCreatedTs(key.getCreatedTs())
.setLastUpdatedTs(key.getLastUpdatedTs())
.setLastUpdatedTs(key.getLastUpdatedTs());

awsIamRoleDao.getIamRoleById(key.getAwsIamRoleId())
.ifPresent(awsIamRoleRecord -> metadata.setAwsIamRoleArn(awsIamRoleRecord.getAwsIamRoleArn()));

result.add(metadata);
});

return result;
}

/**
* Generate a unique and descriptive alias name for a KMS key
* @param awsIamRoleKmsKeyId UUID
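Review bot: In `getAuthenticationKmsMetadata()` the builder chain calls `setLastUpdatedTs(key.getLastUpdatedTs())` twice and never sets `lastValidatedTs`, so every entry in the new admin response reports `last_validated_ts` as null — which is exactly what the API.md example in this commit shows, suggesting the slip went unnoticed. The second call should become `.setLastValidatedTs(key.getLastValidatedTs())`, assuming `AwsIamRoleKmsKeyRecord` exposes that accessor (the record class is not in this diff — confirm). The loop also issues one `awsIamRoleDao.getIamRoleById` query per key, an N+1 pattern that is tolerable for an admin endpoint over a small key table but deserves a comment or a join in the mapper if the table grows. Minor: the two `new LinkedList<>()` uses read better as `new ArrayList<>()` and `Collections.emptyList()`.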
Expand Up @@ -62,6 +62,13 @@
AWS_IAM_ROLE.ID = AWS_IAM_ROLE_PERMISSIONS.AWS_IAM_ROLE_ID)
</select>

<select id="getAllKmsKeys" resultType="AwsIamRoleKmsKeyRecord">
SELECT
*
FROM
AWS_IAM_ROLE_KMS_KEY
</select>

<select id="getKmsKey" resultType="AwsIamRoleKmsKeyRecord">
SELECT
ID,
Expand Down Expand Up @@ -242,4 +249,4 @@
ID = #{id}
</delete>

</mapper>
</mapper>
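Review bot: The new `getAllKmsKeys` select uses `SELECT *`, whereas the neighbouring `getKmsKey` select in the same file lists its columns explicitly; naming the columns here too ties the result shape to `AwsIamRoleKmsKeyRecord` rather than to whatever `AWS_IAM_ROLE_KMS_KEY` happens to contain, so a future column is not silently pulled into an admin API response. It is also an unbounded, unordered full-table read, which is fine for an admin diagnostic but worth a comment, e.g. `<!-- admin-only: returns every row, unordered; add paging if the key table grows large -->`.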
