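/**
 * overwriteCMSPolicy must return a document that differs from the (intentionally incomplete)
 * fixture and that names both key-deletion actions the fixture leaves out, and the rewritten
 * document must pass cmsHasKeyDeletePermissions.
 *
 * <p>The fixture stream is held in try-with-resources so it is closed even when an assertion
 * fails; the original closed it only on the success path.
 */
@Test
public void test_that_overwriteCMSPolicy_returns_policy_that_includes_missing_actions() throws IOException {
    Action actionNotIncludedInInvalidJson1 = KMSActions.ScheduleKeyDeletion;
    Action actionNotIncludedInInvalidJson2 = KMSActions.CancelKeyDeletion;

    String policyJsonAsString;
    try (InputStream policy = getClass().getClassLoader()
            .getResourceAsStream("com/nike/cerberus/service/invalid-cerberus-kms-key-policy-cms-cannot-delete.json")) {
        policyJsonAsString = IOUtils.toString(policy, "UTF-8");
    }

    String result = kmsPolicyService.overwriteCMSPolicy(policyJsonAsString);

    // The service must actually rewrite the policy, not echo the input back.
    assertFalse(StringUtils.equals(policyJsonAsString, result));
    assertTrue(StringUtils.contains(result, actionNotIncludedInInvalidJson1.getActionName()));
    assertTrue(StringUtils.contains(result, actionNotIncludedInInvalidJson2.getActionName()));
    assertTrue(kmsPolicyService.cmsHasKeyDeletePermissions(result));
}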
/**
 * Builds the list of {@code Action}s described by an action JSON node.
 *
 * @param actionNodes
 *            the action node to parse; either a single text node or an array of text nodes.
 * @return one {@link NamedAction} per text value, in document order.
 */
private List<Action> actionsOf(JsonNode actionNodes) {
    List<Action> parsed = new LinkedList<>();
    if (!actionNodes.isArray()) {
        // Single-valued "Action" entry.
        parsed.add(new NamedAction(actionNodes.asText()));
        return parsed;
    }
    for (JsonNode element : actionNodes) {
        parsed.add(new NamedAction(element.asText()));
    }
    return parsed;
}
/**
 * Writes the given <code>Action</code>s as the JSON "Action" array.
 *
 * @param actions
 *            the actions to write; only their names are emitted.
 * @throws JsonGenerationException
 *             if the generator rejects the output.
 * @throws IOException
 *             if writing fails.
 */
private void writeActions(List<Action> actions) throws JsonGenerationException, IOException {
    List<String> names = new ArrayList<>(actions.size());
    for (Action current : actions) {
        names.add(current.getActionName());
    }
    writeJsonArray(JsonDocumentFields.ACTION, names);
}
/**
 * Builds the queue access policy JSON: a single Allow statement granting
 * {@code sqs:SendMessage} on this queue's ARN to each of the given account ids.
 *
 * @param accountIds the AWS account ids to list as principals of the statement.
 * @return the policy document as JSON.
 */
private String getPolicy(List<String> accountIds) {
    Statement allowSend = new Statement(Effect.Allow);
    allowSend.getActions().add(SQSActions.SendMessage);
    allowSend.setResources(new LinkedList<>());

    for (String id : accountIds) {
        allowSend.getPrincipals().add(new Principal(id));
    }
    allowSend.getResources().add(new Resource(getQueueARN()));

    Policy queuePolicy = new Policy("AuthorizedWorkerAccessPolicy");
    queuePolicy.getStatements().add(allowSend);
    return queuePolicy.toJson();
}
/**
 * Validates that the given KMS key policy statement includes the given action.
 * Actions are matched by name only (null-safe via {@code StringUtils.equals}).
 *
 * @param statement the statement whose actions are inspected.
 * @param action the action to look for.
 * @return {@code true} if any action of the statement has the same name.
 */
protected boolean statementIncludesAction(Statement statement, Action action) {
    for (Action candidate : statement.getActions()) {
        if (StringUtils.equals(candidate.getActionName(), action.getActionName())) {
            return true;
        }
    }
    return false;
}
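/**
 * Compares two policy statements for logical equality: same effect, and the same
 * actions, resources, conditions and principals irrespective of order.
 *
 * <p>Each list is compared as a set: equal size, and every element of either list has a
 * match in the other. The original check ran in one direction only, so a statement with
 * actions {@code [A, A]} compared equal to one with {@code [A, B]} — an extra grant that
 * went unnoticed when this comparison decides whether a KMS key policy still matches the
 * expected one. Checking both directions makes the result symmetric.
 *
 * <p>Statement ids are deliberately ignored.
 *
 * @param statement1 the first statement.
 * @param statement2 the second statement.
 * @return {@code true} when the statements are logically equal.
 */
private Boolean statementEquals(Statement statement1, Statement statement2) {
    if (!statement1.getEffect().equals(statement2.getEffect())) {
        return false;
    }
    if (!sameElements(statement1.getActions(), statement2.getActions(),
            (a1, a2) -> a1.getActionName().equals(a2.getActionName()))) {
        return false;
    }
    if (!sameElements(statement1.getResources(), statement2.getResources(),
            (r1, r2) -> r1.getId().equals(r2.getId()))) {
        return false;
    }
    if (!sameElements(statement1.getConditions(), statement2.getConditions(), this::conditionEquals)) {
        return false;
    }
    return sameElements(statement1.getPrincipals(), statement2.getPrincipals(), this::principleEquals);
}

/**
 * Order-insensitive, symmetric comparison of two lists under a custom equivalence.
 *
 * @param first the first list.
 * @param second the second list.
 * @param same the equivalence; always invoked as {@code same.test(fromFirst, fromSecond)}.
 * @param <T> element type.
 * @return {@code true} when both lists have the same size and every element of each list
 *         has an equivalent element in the other.
 */
private static <T> boolean sameElements(List<T> first, List<T> second,
        java.util.function.BiPredicate<T, T> same) {
    if (first.size() != second.size()) {
        return false;
    }
    boolean forward = first.stream().allMatch(x -> second.stream().anyMatch(y -> same.test(x, y)));
    boolean backward = second.stream().allMatch(y -> first.stream().anyMatch(x -> same.test(x, y)));
    return forward && backward;
}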
/**
 * Converts the given <code>Policy</code> into a JSON String.
 *
 * @param policy
 *            the policy to be converted.
 * @return a JSON String of the specified policy object.
 * @throws JsonGenerationException
 *             if the generator rejects the output.
 * @throws IOException
 *             if writing fails.
 */
private String jsonStringOf(Policy policy) throws JsonGenerationException, IOException {
    generator.writeStartObject();

    writeJsonKeyValue(JsonDocumentFields.VERSION, policy.getVersion());
    if (isNotNull(policy.getId())) {
        writeJsonKeyValue(JsonDocumentFields.POLICY_ID, policy.getId());
    }

    writeJsonArrayStart(JsonDocumentFields.STATEMENT);
    for (Statement statement : policy.getStatements()) {
        writeStatementObject(statement);
    }
    writeJsonArrayEnd();

    generator.writeEndObject();
    generator.flush();
    return writer.toString();
}

/**
 * Writes a single statement object: its id (when set), its effect, then the
 * principal, action, resource and condition sections, each only when non-empty.
 *
 * @param statement
 *            the statement to write.
 * @throws JsonGenerationException
 *             if the generator rejects the output.
 * @throws IOException
 *             if writing fails.
 */
private void writeStatementObject(Statement statement) throws JsonGenerationException, IOException {
    generator.writeStartObject();

    if (isNotNull(statement.getId())) {
        writeJsonKeyValue(JsonDocumentFields.STATEMENT_ID, statement.getId());
    }
    writeJsonKeyValue(JsonDocumentFields.STATEMENT_EFFECT, statement.getEffect().toString());

    List<Principal> principals = statement.getPrincipals();
    if (isNotNull(principals) && !principals.isEmpty()) {
        writePrincipals(principals);
    }
    List<Action> actions = statement.getActions();
    if (isNotNull(actions) && !actions.isEmpty()) {
        writeActions(actions);
    }
    List<Resource> resources = statement.getResources();
    if (isNotNull(resources) && !resources.isEmpty()) {
        writeResources(resources);
    }
    List<Condition> conditions = statement.getConditions();
    if (isNotNull(conditions) && !conditions.isEmpty()) {
        writeConditions(conditions);
    }

    generator.writeEndObject();
}
/**
 * A statement that was built with a given action must report that action as included.
 */
@Test
public void test_that_statementAllowsAction_returns_true_when_action_in_statement() {
    Action cancelDeletion = KMSActions.CancelKeyDeletion;
    Statement allowCancel = new Statement(Statement.Effect.Allow).withActions(cancelDeletion);

    assertTrue(kmsPolicyService.statementIncludesAction(allowCancel, cancelDeletion));
}