
Add V2 Safe Deposit Box API with ARNs (#33)
* Updates v2 auth endpoint to take 'iam_principal_arn' instead of 'role_arn'
* Adds v2 API for SDB
* Returns SDB in v2/safe-deposit-box PUT and POST
* Drops account id and iam role name columns from DB
* Removes AWS account id and role name from IAM role mapper
* Allows any IAM principal ARN for v2 IAM auth and SDB APIs
sdford authored Apr 18, 2017
1 parent 0edeb4a commit def476b
Showing 43 changed files with 1,961 additions and 480 deletions.
231 changes: 224 additions & 7 deletions API.md
Expand Up @@ -152,7 +152,7 @@ This endpoint takes IAM ARN information and generates an base 64 encoded KMS enc
+ Body

{
"role_arn" : "arn:aws:iam::111111111:role/cerberus-api-tester",
"iam_principal_arn" : "arn:aws:iam::111111111:role/cerberus-api-tester",
"region": "us-west-2"
}

Expand All @@ -165,7 +165,8 @@ This endpoint takes IAM ARN information and generates an base 64 encoded KMS enc
"policies" : [ "foo-bar-read", "lookup-self" ],
"metadata" : {
"aws_region" : "us-west-2",
"username" : "arn:aws:iam::933764306573:role/cerberus-api-tester"
"iam_principal_arn" : "arn:aws:iam::111111111:role/fake-role"
"username" : "arn:aws:iam::111111111:role/fake-role"
"is_admin": "false",
"groups": "registered-iam-principals"
},
Expand Down Expand Up @@ -199,7 +200,9 @@ This endpoint takes IAM ARN information and generates an base 64 encoded KMS enc
"policies" : [ "health-check-bucket-read", "lookup-self" ],
"metadata" : {
"aws_region" : "us-west-2",
"username" : "arn:aws:iam::111111111:role/cerberus-api-tester",
"aws_account_id" : "111111111",
"aws_iam_role_name" : "fake-role",
"username" : "arn:aws:iam::111111111:role/fake-role",
"is_admin": "false",
"groups": "registered-iam-principals"
},
Expand All @@ -224,7 +227,7 @@ This endpoint will take the users `X-Vault-Token` header and proxy to Vault to r

# Group Safe Deposit Box

## Get authorized Safe Deposit Box list [/v1/safe-deposit-box]
## Safe Deposit Box V2 [/v2/safe-deposit-box]

### Get details for each authorized Safe Deposit Box [GET]

Expand Down Expand Up @@ -259,6 +262,222 @@ This endpoint will list all the Safe Deposit Box a user is authorized to see.

This endpoint will create a new Safe Deposit Box

+ Request (application/json)

+ Headers

X-Vault-Token: 7f6808f1-ede3-2177-aa9d-45f507391310

+ Body

{
"name": "Stage",
"description": "Sensitive configuration properties for the stage micro-service.",
"category_id": "f7ff85a0-faaa-11e5-a8a9-7fa3b294cd46",
"owner": "Lst-digital.platform-tools.internal",
"user_group_permissions": [
{
"name": "Lst-CDT.CloudPlatformEngine.FTE",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
{
"iam_principal_arn": ""arn:aws:iam::1111111111:role/role-name"
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
]
}

+ Response 201 (application/json)

+ Headers

X-Refresh-Token: true
Location: /v1/safe-deposit-box/a7d703da-faac-11e5-a8a9-7fa3b294cd46

+ Body

{
"id": "a7d703da-faac-11e5-a8a9-7fa3b294cd46",
"name": "Stage",
"description": "Sensitive configuration properties for the stage micro-service.",
"path": "app/stage",
"category_id": "f7ff85a0-faaa-11e5-a8a9-7fa3b294cd46",
"owner": "Lst-digital.platform-tools.internal",
"user_group_permissions": [
{
"id": "3fc6455c-faad-11e5-a8a9-7fa3b294cd46",
"name": "Lst-CDT.CloudPlatformEngine.FTE",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
{
"id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46",
"iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
]
}

### Get details for a specific authorized Safe Deposit Box [GET /v2/safe-deposit-box/{id}]

This endpoint returns details on a specific Safe Deposit Box.

+ Parameters

+ id (required, string, `a7d703da-faac-11e5-a8a9-7fa3b294cd46`) - The id of the Safe Deposit Box

+ Request (application/json)

+ Headers

X-Vault-Token: 7f6808f1-ede3-2177-aa9d-45f507391310

+ Response 200 (application/json)

+ body

{
"id": "a7d703da-faac-11e5-a8a9-7fa3b294cd46",
"name": "Stage",
"description": "Sensitive configuration properties for the stage micro-service.",
"path": "app/stage",
"category_id": "f7ff85a0-faaa-11e5-a8a9-7fa3b294cd46",
"owner": "Lst-digital.platform-tools.internal",
"user_group_permissions": [
{
"id": "3fc6455c-faad-11e5-a8a9-7fa3b294cd46",
"name": "Lst-CDT.CloudPlatformEngine.FTE",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
{
"id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46",
"iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
]
}


### Update a specific authorized Safe Deposit Box [PUT]

This endpoint allows a user to update the description, user group, and iam role mappings

+ Request (application/json)

+ Headers

X-Vault-Token: 7f6808f1-ede3-2177-aa9d-45f507391310

+ Body

{
"description": "All configuration properties for the stage micro-service.",
"owner": "Lst-Squad.Carebears",
"user_group_permissions": [
{
"name": "Lst-CDT.CloudPlatformEngine.FTE",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
{
"iam_principal_arn": ""arn:aws:iam::1111111111:role/role-name2"
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
]
}

+ Response 200

+ Headers

X-Refresh-Token: true

+ body

{
"id": "a7d703da-faac-11e5-a8a9-7fa3b294cd46",
"name": "Stage",
"description": "Sensitive configuration properties for the stage micro-service.",
"path": "app/stage",
"category_id": "f7ff85a0-faaa-11e5-a8a9-7fa3b294cd46",
"owner": "Lst-digital.platform-tools.internal",
"user_group_permissions": [
{
"id": "3fc6455c-faad-11e5-a8a9-7fa3b294cd46",
"name": "Lst-CDT.CloudPlatformEngine.FTE",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
],
"iam_role_permissions": [
{
"id": "d05bf72e-faad-11e5-a8a9-7fa3b294cd46",
"iam_principal_arn": "arn:aws:iam::1111111111:role/role-name",
"role_id": "f800558e-faaa-11e5-a8a9-7fa3b294cd46"
}
]
}

### Delete a specific authorized Safe Deposit Box [DELETE]

This endpoint allows a user to delete a safe deposit box that they own

+ Parameters

+ id (required, string, `a7d703da-faac-11e5-a8a9-7fa3b294cd46`) - The id of the Safe Deposit Box

+ Request (application/json)

+ Headers

X-Vault-Token: 7f6808f1-ede3-2177-aa9d-45f507391310

+ Response 200

+ Headers

X-Refresh-Token: true

## Safe Deposit Box V1 [/v1/safe-deposit-box]

## Get details for each authorized Safe Deposit Box [GET]

This endpoint will list all the Safe Deposit Box a user is authorized to see.

+ Request (application/json)

+ Headers

X-Vault-Token: 7f6808f1-ede3-2177-aa9d-45f507391310

+ Response 200 (application/json)

+ Body

[
{
"id": "fb013540-fb5f-11e5-ba72-e899458df21a",
"name": "Web",
"path": "app/web",
"category_id": "f7ff85a0-faaa-11e5-a8a9-7fa3b294cd46"
},
{
"id": "06f82494-fb60-11e5-ba72-e899458df21a",
"name": "OneLogin",
"path": "shared/onelogin",
"category_id": "f7ffb890-faaa-11e5-a8a9-7fa3b294cd46"
}
]

### Create a Safe Deposit Box [POST]

This endpoint will create a new Safe Deposit Box

+ Request (application/json)

+ Headers
Expand Down Expand Up @@ -301,9 +520,7 @@ This endpoint will create a new Safe Deposit Box
}


## Safe Deposit Box [/v1/safe-deposit-box/{id}]

### Get details for a specific authorized Safe Deposit Box [GET]
### Get details for a specific authorized Safe Deposit Box [GET /v1/safe-deposit-box/{id}]

This endpoint returns details on a specific Safe Deposit Box.

2 changes: 1 addition & 1 deletion gradle.properties
Expand Up @@ -14,6 +14,6 @@
# limitations under the License.
#

version=0.15.0
version=0.16.0
groupId=com.nike.cerberus
artifactId=cms
14 changes: 7 additions & 7 deletions src/main/java/com/nike/cerberus/domain/IamRoleCredentialsV2.java
Expand Up @@ -21,25 +21,25 @@

import javax.validation.constraints.Pattern;

import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_ROLE_ARN_REGEX;
import static com.nike.cerberus.util.AwsIamRoleArnParser.AWS_IAM_PRINCIPAL_ARN_REGEX;

/**
* Represents the IAM role credentials sent during authentication.
*/
public class IamRoleCredentialsV2 {

@Pattern(regexp = AWS_IAM_ROLE_ARN_REGEX, message = "AUTH_IAM_ROLE_NAME_INVALID")
private String roleArn;
@Pattern(regexp = AWS_IAM_PRINCIPAL_ARN_REGEX, message = "AUTH_IAM_PRINCIPAL_INVALID")
private String iamPrincipalArn;

@NotBlank(message = "AUTH_IAM_ROLE_AWS_REGION_BLANK")
private String region;

public String getRoleArn() {
return roleArn;
public String getIamPrincipalArn() {
return iamPrincipalArn;
}

public void setRoleArn(String roleArn) {
this.roleArn = roleArn;
public void setIamPrincipalArn(String iamPrincipalArn) {
this.iamPrincipalArn = iamPrincipalArn;
}

public String getRegion() {
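Review bot: The renamed field `private String iamPrincipalArn;` carries only the `@Pattern` constraint, and Bean Validation treats a null value as valid for `@Pattern`, so a request body that omits `iam_principal_arn` passes validation here while `region` just below it is guarded with `@NotBlank`; unless a later check is relied on, add the same guard next to the pattern, `@NotBlank(message = "AUTH_IAM_PRINCIPAL_INVALID")`, with whichever message key the error-code table defines for a missing principal. The class Javadoc `Represents the IAM role credentials sent during authentication.` is also stale now that the commit accepts any IAM principal ARN; `Represents the IAM principal ARN and AWS region sent during v2 IAM authentication.` describes the new shape. The `getRegion` accessor that closes the hunk continues outside the shown lines.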
Expand Up @@ -29,7 +29,7 @@
/**
* Represents a permission granted to an IAM role with regards to a safe deposit box
*/
public class IamRolePermission {
public class IamRolePermissionV1 {

private String id;

Expand All @@ -44,8 +44,6 @@ public class IamRolePermission {
@NotBlank(message = "IAM_ROLE_ROLE_ID_INVALID", groups = {Default.class, Updatable.class})
private String roleId;

private String iamRoleArn;

private OffsetDateTime createdTs;

private OffsetDateTime lastUpdatedTs;
Expand All @@ -70,7 +68,7 @@ public void setAccountId(String accountId) {
this.accountId = accountId;
}

public IamRolePermission withAccountId(String accountId) {
public IamRolePermissionV1 withAccountId(String accountId) {
this.accountId = accountId;
return this;
}
Expand All @@ -83,7 +81,7 @@ public void setIamRoleName(String iamRoleName) {
this.iamRoleName = iamRoleName;
}

public IamRolePermission withIamRoleName(String iamRoleName) {
public IamRolePermissionV1 withIamRoleName(String iamRoleName) {
this.iamRoleName = iamRoleName;
return this;
}
Expand All @@ -96,24 +94,11 @@ public void setRoleId(String roleId) {
this.roleId = roleId;
}

public IamRolePermission withRoleId(String roleId) {
public IamRolePermissionV1 withRoleId(String roleId) {
this.roleId = roleId;
return this;
}

public String getIamRoleArn() {
return iamRoleArn;
}

public void setIamRoleArn(String iamRoleArn) {
this.iamRoleArn = iamRoleArn;
}

public IamRolePermission withIamRoleArn(String iamRoleArn) {
this.iamRoleArn = iamRoleArn;
return this;
}

public OffsetDateTime getCreatedTs() {
return createdTs;
}
Expand Down Expand Up @@ -151,19 +136,17 @@ public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;

IamRolePermission that = (IamRolePermission) o;
IamRolePermissionV1 that = (IamRolePermissionV1) o;

if (accountId != null ? !accountId.equals(that.accountId) : that.accountId != null) return false;
if (iamRoleName != null ? !iamRoleName.equals(that.iamRoleName) : that.iamRoleName == null) return false;
return iamRoleArn != null ? iamRoleArn.equals(that.iamRoleArn) : that.iamRoleArn == null;
return iamRoleName != null ? iamRoleName.equals(that.iamRoleName) : that.iamRoleName == null;

}

@Override
public int hashCode() {
int result = accountId != null ? accountId.hashCode() : 0;
result = 31 * result + (iamRoleName != null ? iamRoleName.hashCode() : 0);
result = 31 * result + (iamRoleArn != null ? iamRoleArn.hashCode() : 0);
return result;
}
}
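Review bot: The new-side `equals`, from `IamRolePermissionV1 that = (IamRolePermissionV1) o;` through `return iamRoleName != null ? iamRoleName.equals(that.iamRoleName) : that.iamRoleName == null;`, compares only `accountId` and `iamRoleName`, and `hashCode` matches that, so two permissions naming the same role but granting different `roleId` values are equal and collapse to one entry in a `Set` or as a map key; since `roleId` is the privilege being granted, that deserves to be explicit. If identity-by-principal is intended, document it on the method, `/** Equality is by IAM principal identity (account id and role name); id, roleId and timestamps are ignored. */`; if not, `roleId` belongs in both `equals` and `hashCode`. The `equals` signature itself sits in the hunk header, so the method starts just outside the shown lines, and the corrected null branch of the `iamRoleName` comparison is already part of this commit.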
