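@Test
public void testCreate() throws Exception {
    // Mock the AWS responses: the key does not exist yet, is still not visible on the
    // second poll, and then shows up enabled on the third.
    CreateKeyRequest createKeyRequest = new CreateKeyRequest()
            .withDescription("This key is automatically managed by Strongbox");
    CreateKeyResult createKeyResult = new CreateKeyResult()
            .withKeyMetadata(new KeyMetadata().withArn(KMS_ARN));
    CreateAliasRequest createAliasRequest = new CreateAliasRequest()
            .withAliasName(ALIAS_KEY_NAME)
            .withTargetKeyId(KMS_ARN);
    when(mockKMSClient.describeKey(describeKeyRequest))
            .thenThrow(NotFoundException.class)
            .thenThrow(NotFoundException.class) // still waiting for creation
            .thenReturn(enabledKeyResult());
    when(mockKMSClient.createKey(createKeyRequest)).thenReturn(createKeyResult);

    // The manager must hand back the ARN of the key it just created.
    String arn = kmsManager.create();
    // assertEquals takes (expected, actual); keeping that order makes a failure read
    // "expected:<KMS_ARN> but was:<...>" instead of the reverse.
    assertEquals(KMS_ARN, arn);

    // Exactly one key and one alias are created, and describeKey is polled until the
    // key becomes visible (two misses, then a hit).
    verify(mockKMSClient, times(3)).describeKey(describeKeyRequest);
    verify(mockKMSClient, times(1)).createAlias(createAliasRequest);
    verify(mockKMSClient, times(1)).createKey(createKeyRequest);
}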
/**
 * In-memory stand-in for KMS CreateKey: mints a random key id, derives the key ARN from
 * the configured region and account, records the id-to-ARN mapping and marks the key
 * active, then returns metadata describing an enabled ENCRYPT_DECRYPT key.
 *
 * @param req the create request; only its description is carried into the result
 * @return a result whose key metadata mirrors the fabricated key
 */
@Override
public CreateKeyResult createKey(CreateKeyRequest req)
        throws AmazonServiceException, AmazonClientException {
    final String newKeyId = UUID.randomUUID().toString();
    final String newArn = "arn:aws:kms:" + region_.getName() + ":" + ACCOUNT_ID + ":key/" + newKeyId;

    // Register the key so later lookups by id or ARN can find it.
    idToArnMap.put(newKeyId, newArn);
    activeKeys.add(newArn);

    final KeyMetadata metadata = new KeyMetadata()
            .withAWSAccountId(ACCOUNT_ID)
            .withCreationDate(new Date())
            .withDescription(req.getDescription())
            .withEnabled(true)
            .withKeyId(newKeyId)
            .withKeyUsage(KeyUsageType.ENCRYPT_DECRYPT)
            .withArn(newArn);
    return new CreateKeyResult().withKeyMetadata(metadata);
}
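/**
 * Creates a KMS customer master key in the given backup region whose key policy grants
 * every configured backup-admin IAM principal all KMS actions on the key.
 *
 * <p>The request sets {@code BypassPolicyLockoutSafetyCheck}, so KMS will NOT refuse a
 * policy that leaves the calling identity without {@code kms:PutKeyPolicy}. That is
 * intentional (the admin principals, not the provisioning identity, own the key), but it
 * also means an empty principal list would produce a key that nobody can administer or
 * schedule for deletion. The key is therefore not created unless at least one principal
 * statement was built.
 *
 * @param region the AWS region to create the key in
 * @return the KMS key id of the new CMK
 * @throws IllegalStateException if no backup admin IAM principals are configured
 */
private String provisionKmsCmkForBackupRegion(String region) {
    final List<Statement> statements = new LinkedList<>();

    // One Allow statement per configured admin principal, each granting all KMS actions.
    configStore.getBackupAdminIamPrincipals().forEach(principal -> {
        log.debug("Adding principal: {} to the CMK Policy for region {}", principal, region);
        statements.add(new Statement(Statement.Effect.Allow)
                .withId("Principal " + principal + " Has All Actions")
                .withPrincipals(new Principal(AWS_PROVIDER, principal, false))
                .withActions(KMSActions.AllKMSActions)
                .withResources(new Resource("*")));
    });

    // Guard: with the lockout safety check bypassed below, a policy with no statements
    // would yield a key that no principal (not even the creator) can manage.
    if (statements.isEmpty()) {
        throw new IllegalStateException(
                "No backup admin IAM principals configured; refusing to create an unmanageable KMS CMK for region "
                        + region);
    }

    final Policy kmsPolicy = new Policy();
    kmsPolicy.setStatements(statements);
    final String policyString = kmsPolicy.toJson();
    log.debug("Creating key for region {} with policy {}", region, policyString);

    final AWSKMS kms = AWSKMSClient.builder()
            .withCredentials(getAWSCredentialsProviderChain())
            .withRegion(region)
            .build();

    final CreateKeyResult createKeyResult = kms.createKey(new CreateKeyRequest()
            .withPolicy(policyString)
            // Intentional: see class-level note above; the admins in the policy own this key.
            .withBypassPolicyLockoutSafetyCheck(true)
            // Note: %S (upper-case S) upper-cases the environment name in the description.
            .withDescription(String.format("Cerberus Backup Encryption key for env: %S region: %s",
                    environmentMetadata.getName(), region))
            .withTags(
                    new Tag().withTagKey("env").withTagValue(environmentMetadata.getName()),
                    new Tag().withTagKey("region").withTagValue(region),
                    new Tag().withTagKey("cerberus-backup-key").withTagValue("true")));

    final String keyId = createKeyResult.getKeyMetadata().getKeyId();
    log.info("Created new backup KMS CMK with id: {} for region: {}", keyId, region);
    return keyId;
}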
/**
 * Test double for KMS CreateKey: fabricates an enabled ENCRYPT_DECRYPT key under the
 * fixed {@code ACCOUNT_ID} with a synthetic "arn:aws:testing:kms:..." ARN. Nothing is
 * recorded by this method; it only builds and returns the metadata.
 *
 * @param req the create request; only its description is copied into the result
 * @return a result carrying the fabricated key metadata
 */
@Override
public CreateKeyResult createKey(CreateKeyRequest req)
        throws AmazonServiceException, AmazonClientException {
    final String fakeKeyId = UUID.randomUUID().toString();
    final String fakeArn = "arn:aws:testing:kms:" + ACCOUNT_ID + ":key/" + fakeKeyId;

    final KeyMetadata metadata = new KeyMetadata()
            .withAWSAccountId(ACCOUNT_ID)
            .withCreationDate(new Date())
            .withDescription(req.getDescription())
            .withEnabled(true)
            .withKeyId(fakeKeyId)
            .withKeyUsage(KeyUsageType.ENCRYPT_DECRYPT)
            .withArn(fakeArn);
    return new CreateKeyResult().withKeyMetadata(metadata);
}
/**
 * Creates a KMS key via the wrapped client, routed through {@code execute} under the
 * operation name "KmsCreateKey" so whatever that helper does (instrumentation, retries —
 * not visible here) applies to this call.
 *
 * <p>The original note records that the default AWS limit was 5 as of Aug 2017; presumably
 * the CreateKey request-rate quota — confirm against current KMS quotas before relying on it.
 *
 * @param request the create-key request forwarded to the client
 * @return the client's create-key result
 */
public CreateKeyResult createKey(CreateKeyRequest request) {
    final String operationName = "KmsCreateKey";
    return execute(operationName, () -> client.createKey(request));
}
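/**
 * Provisions a new KMS CMK in the specified region to be used by the specified role.
 *
 * <p>Three external writes happen in order: the KMS key is created, an alias pointing at
 * it is created, and a record linking the IAM role to the key is inserted. Only the DB
 * insert is covered by {@code @Transactional}; a failure after the key exists in KMS
 * leaves that key behind, so such failures are logged with the key ARN for clean-up.
 *
 * @param iamRoleId The IAM role that this CMK will be associated with
 * @param iamPrincipalArn The AWS IAM principal ARN the standard key policy is generated for
 * @param awsRegion The region to provision the key in
 * @param user The user requesting it
 * @param dateTime The date of creation
 * @return The AWS Key ID ARN
 */
@Transactional
public String provisionKmsKey(final String iamRoleId,
                              final String iamPrincipalArn,
                              final String awsRegion,
                              final String user,
                              final OffsetDateTime dateTime) {
    final AWSKMSClient kmsClient = kmsClientFactory.getClient(awsRegion);
    final String awsIamPrincipalKmsKeyId = uuidSupplier.get();

    final CreateKeyRequest request = new CreateKeyRequest();
    request.setKeyUsage(KeyUsageType.ENCRYPT_DECRYPT);
    request.setDescription("Key used by Cerberus for IAM role authentication.");
    // The key policy is what authorizes the principal; it is not secret, so logging it on
    // failure is acceptable and helps diagnose malformed-policy rejections.
    final String policy = kmsPolicyService.generateStandardKmsPolicy(iamPrincipalArn);
    request.setPolicy(policy);

    final CreateKeyResult result;
    try {
        result = kmsClient.createKey(request);
    } catch (Throwable t) {
        logger.error("Failed to provision KMS key using policy: {}", policy, t);
        throw t;
    }
    final String arn = result.getKeyMetadata().getArn();

    final CreateAliasRequest aliasRequest = new CreateAliasRequest();
    aliasRequest.setAliasName(getAliasName(awsIamPrincipalKmsKeyId));
    aliasRequest.setTargetKeyId(arn);
    try {
        kmsClient.createAlias(aliasRequest);
    } catch (Throwable t) {
        // The key already exists in KMS but the role record below is never written, so
        // nothing in Cerberus will reference it: surface the ARN so it can be deleted.
        logger.error("Created KMS key {} but failed to create alias {}; the key is orphaned and should be scheduled for deletion",
                arn, aliasRequest.getAliasName(), t);
        throw t;
    }

    final AwsIamRoleKmsKeyRecord awsIamRoleKmsKeyRecord = new AwsIamRoleKmsKeyRecord();
    awsIamRoleKmsKeyRecord.setId(awsIamPrincipalKmsKeyId);
    awsIamRoleKmsKeyRecord.setAwsIamRoleId(iamRoleId);
    awsIamRoleKmsKeyRecord.setAwsKmsKeyId(arn);
    awsIamRoleKmsKeyRecord.setAwsRegion(awsRegion);
    awsIamRoleKmsKeyRecord.setCreatedBy(user);
    awsIamRoleKmsKeyRecord.setLastUpdatedBy(user);
    awsIamRoleKmsKeyRecord.setCreatedTs(dateTime);
    awsIamRoleKmsKeyRecord.setLastUpdatedTs(dateTime);
    awsIamRoleKmsKeyRecord.setLastValidatedTs(dateTime);
    awsIamRoleDao.createIamRoleKmsKey(awsIamRoleKmsKeyRecord);

    return arn;
}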
/**
 * Happy-path check for provisionKmsKey: the generated policy is sent in the create-key
 * request, the returned ARN is handed back, an alias is created for it, and a role/key
 * record carrying the caller-supplied audit fields is persisted.
 */
@Test
public void test_provisionKmsKey() {
    final String roleId = "role-id";
    final String region = "aws-region";
    final String requestingUser = "user";
    final OffsetDateTime now = OffsetDateTime.now();
    final String generatedPolicy = "policy";
    final String keyArn = "arn";
    final String recordId = "awsIamRoleKmsKeyId";

    // Collaborators: deterministic id, canned policy, and a mocked KMS client.
    when(uuidSupplier.get()).thenReturn(recordId);
    when(kmsPolicyService.generateStandardKmsPolicy(keyArn)).thenReturn(generatedPolicy);
    final AWSKMSClient kmsClient = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(region)).thenReturn(kmsClient);

    // The exact request the service is expected to send to KMS.
    final CreateKeyRequest expectedRequest = new CreateKeyRequest();
    expectedRequest.setKeyUsage(KeyUsageType.ENCRYPT_DECRYPT);
    expectedRequest.setDescription("Key used by Cerberus for IAM role authentication.");
    expectedRequest.setPolicy(generatedPolicy);

    final KeyMetadata keyMetadata = mock(KeyMetadata.class);
    when(keyMetadata.getArn()).thenReturn(keyArn);
    final CreateKeyResult createKeyResult = mock(CreateKeyResult.class);
    when(createKeyResult.getKeyMetadata()).thenReturn(keyMetadata);
    when(kmsClient.createKey(expectedRequest)).thenReturn(createKeyResult);

    // Exercise the method under test.
    final String returnedArn = kmsService.provisionKmsKey(roleId, keyArn, region, requestingUser, now);
    assertEquals(keyArn, returnedArn);

    // An alias named from the generated id must point at the new key.
    final CreateAliasRequest expectedAlias = new CreateAliasRequest();
    expectedAlias.setAliasName(kmsService.getAliasName(recordId));
    expectedAlias.setTargetKeyId(keyArn);
    verify(kmsClient).createAlias(expectedAlias);

    // The persisted record links role, key, region and the audit fields passed in.
    final AwsIamRoleKmsKeyRecord expectedRecord = new AwsIamRoleKmsKeyRecord();
    expectedRecord.setId(recordId);
    expectedRecord.setAwsIamRoleId(roleId);
    expectedRecord.setAwsKmsKeyId(keyArn);
    expectedRecord.setAwsRegion(region);
    expectedRecord.setCreatedBy(requestingUser);
    expectedRecord.setLastUpdatedBy(requestingUser);
    expectedRecord.setCreatedTs(now);
    expectedRecord.setLastUpdatedTs(now);
    expectedRecord.setLastValidatedTs(now);
    verify(awsIamRoleDao).createIamRoleKmsKey(expectedRecord);
}
/**
 * Creates a key from an all-default request by delegating to
 * {@link #createKey(CreateKeyRequest)}; no policy, description or usage is set here,
 * so whatever that overload does with an empty request applies.
 *
 * @return the delegate's result
 */
@Override
public CreateKeyResult createKey() throws AmazonServiceException, AmazonClientException {
    final CreateKeyRequest defaultRequest = new CreateKeyRequest();
    return createKey(defaultRequest);
}