/**
 * {@code getKmsKeyState} should hand back the key state string that KMS reports for the
 * requested key, going through the client obtained for the supplied region.
 */
@Test
public void test_getKmsKeyState_happy() {
    final String region = "aws region";
    final String keyId = "kms key id";
    final String expectedState = "state";

    final AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(region)).thenReturn(client);
    final KeyMetadata metadata = new KeyMetadata().withKeyState(expectedState);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(metadata));

    final String actualState = kmsService.getKmsKeyState(keyId, region);

    assertEquals(expectedState, actualState);
}
/**
 * A key whose KMS state is {@code PendingDeletion} must be reported as disabled-or-scheduled
 * by {@code kmsKeyIsDisabledOrScheduledForDeletion}.
 */
@Test
public void test_validateKmsKeyIsUsable_returns_true_when_state_is_pending_deletion() {
    final String keyId = "key id";
    final String region = "aws region";

    final AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(region)).thenReturn(client);
    final KeyMetadata metadata = new KeyMetadata().withKeyState(KeyState.PendingDeletion);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(metadata));

    final boolean flagged = kmsService.kmsKeyIsDisabledOrScheduledForDeletion(keyId, region);

    assertTrue(flagged);
}
/**
 * A key whose KMS state is {@code Disabled} must be reported as disabled-or-scheduled by
 * {@code kmsKeyIsDisabledOrScheduledForDeletion}.
 */
@Test
public void test_validateKmsKeyIsUsable_return_true_when_state_is_disabled() {
    final String keyId = "key id";
    final String region = "aws region";

    final AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(region)).thenReturn(client);
    final KeyMetadata metadata = new KeyMetadata().withKeyState(KeyState.Disabled);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(metadata));

    final boolean flagged = kmsService.kmsKeyIsDisabledOrScheduledForDeletion(keyId, region);

    assertTrue(flagged);
}
/**
 * A key whose KMS state is {@code Enabled} must not be reported as disabled-or-scheduled.
 *
 * NOTE(review): only {@code Enabled} is exercised here; the other non-disabled states that
 * {@code KeyState} defines are not covered by this test.
 */
@Test
public void test_validateKmsKeyIsUsable_returns_false_when_state_is_not_deletion_or_disabled() {
    final String keyId = "key id";
    final String region = "aws region";

    final AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(region)).thenReturn(client);
    final KeyMetadata metadata = new KeyMetadata().withKeyState(KeyState.Enabled);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(metadata));

    final boolean flagged = kmsService.kmsKeyIsDisabledOrScheduledForDeletion(keyId, region);

    assertFalse(flagged);
}
/**
 * When KMS reports the record's key as {@code PendingDeletion}, {@code validateKmsKeyIsUsable}
 * must reject it with an {@link ApiException}.
 *
 * NOTE(review): the method name promises a deletion, but only the exception is asserted;
 * a {@code deleteKmsKeyById} verification cannot follow the call because
 * {@code @Test(expected)} ends the method at the throw.
 */
@Test(expected = ApiException.class)
public void test_validateKmsKeyIsUsable_deletes_kms_key_when_not_usable() {
    final String recordId = "id";
    final String keyArn = "aws kms key arn";
    final String principalArn = "arn";
    final String region = "aws region";

    final AwsIamRoleKmsKeyRecord record = mock(AwsIamRoleKmsKeyRecord.class);
    when(record.getId()).thenReturn(recordId);
    when(record.getAwsKmsKeyId()).thenReturn(keyArn);
    when(record.getAwsRegion()).thenReturn(region);

    final AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(region)).thenReturn(client);
    final KeyMetadata metadata = new KeyMetadata().withKeyState(KeyState.PendingDeletion);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(metadata));

    kmsService.validateKmsKeyIsUsable(record, principalArn);
}
/**
 * When KMS reports the record's key as {@code Enabled}, {@code validateKmsKeyIsUsable} must
 * complete normally and must not remove the key record through the DAO.
 */
@Test
public void test_validateKmsKeyIsUsable_does_not_delete_kms_key_when_usable() {
    final String recordId = "id";
    final String keyArn = "aws kms key arn";
    final String principalArn = "arn";
    final String region = "aws region";

    final AwsIamRoleKmsKeyRecord record = mock(AwsIamRoleKmsKeyRecord.class);
    when(record.getId()).thenReturn(recordId);
    when(record.getAwsKmsKeyId()).thenReturn(keyArn);
    when(record.getAwsRegion()).thenReturn(region);

    final AWSKMSClient client = mock(AWSKMSClient.class);
    when(kmsClientFactory.getClient(region)).thenReturn(client);
    final KeyMetadata metadata = new KeyMetadata().withKeyState(KeyState.Enabled);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(metadata));

    kmsService.validateKmsKeyIsUsable(record, principalArn);

    // A usable key must leave the stored record untouched.
    verify(awsIamRoleDao, never()).deleteKmsKeyById(recordId);
}
/**
 * With a last-validated timestamp far in the past (2016) and "now" supplied by the injected
 * clock, {@code validateKeyAndPolicy} must fetch the key's {@code default} policy from KMS
 * exactly once and run it through {@code kmsPolicyService.isPolicyValid} exactly once.
 */
@Test
public void test_validatePolicy_validates_policy_when_validate_interval_has_passed() {
    final String keyArn = "kms key arn";
    final String roleRecordId = "aws iam role record id";
    final String region = "kmsCMKRegion";
    final String policyDocument = "policy";
    final OffsetDateTime lastValidated = OffsetDateTime.of(2016, 1, 1, 1, 1, 1, 1, ZoneOffset.UTC);
    final OffsetDateTime now = OffsetDateTime.now();

    // KMS client: key is enabled and its default policy is the stubbed document.
    final AWSKMSClient client = mock(AWSKMSClient.class);
    final KeyMetadata metadata = new KeyMetadata().withKeyState(KeyState.Enabled);
    when(client.describeKey(anyObject())).thenReturn(new DescribeKeyResult().withKeyMetadata(metadata));
    when(kmsClientFactory.getClient(region)).thenReturn(client);

    // Mockito matches the request by equals(), so one shared instance is equivalent to
    // building a fresh, equal request for the stub and for the verification.
    final GetKeyPolicyRequest policyRequest = new GetKeyPolicyRequest()
            .withKeyId(keyArn)
            .withPolicyName("default");
    final GetKeyPolicyResult policyResult = mock(GetKeyPolicyResult.class);
    when(policyResult.getPolicy()).thenReturn(policyDocument);
    when(client.getKeyPolicy(policyRequest)).thenReturn(policyResult);
    when(kmsPolicyService.isPolicyValid(policyDocument)).thenReturn(true);

    // Stored key record: last validated in 2016.
    final AwsIamRoleKmsKeyRecord record = mock(AwsIamRoleKmsKeyRecord.class);
    when(record.getAwsIamRoleId()).thenReturn(roleRecordId);
    when(record.getAwsKmsKeyId()).thenReturn(keyArn);
    when(record.getAwsRegion()).thenReturn(region);
    when(record.getLastValidatedTs()).thenReturn(lastValidated);
    when(awsIamRoleDao.getKmsKey(roleRecordId, region)).thenReturn(Optional.of(record));
    when(dateTimeSupplier.get()).thenReturn(now);

    kmsService.validateKeyAndPolicy(record, keyArn);

    verify(client, times(1)).getKeyPolicy(policyRequest);
    verify(kmsPolicyService, times(1)).isPolicyValid(policyDocument);
}
/**
 * Fake {@code describeKey}: answers with metadata whose ARN and key id are both set to the
 * ARN resolved for the requested key id. No other metadata fields (including key state) are
 * populated.
 *
 * @param arg0 the describe request; only its key id is consulted
 * @return a result carrying the resolved ARN as both {@code arn} and {@code keyId}
 */
@Override
public DescribeKeyResult describeKey(DescribeKeyRequest arg0)
        throws AmazonServiceException, AmazonClientException {
    final String resolvedArn = retrieveArn(arg0.getKeyId());
    return new DescribeKeyResult()
            .withKeyMetadata(new KeyMetadata().withArn(resolvedArn).withKeyId(resolvedArn));
}
/**
 * Builds a describe-key result whose metadata carries only the {@code KMS_ARN} fixture ARN;
 * key state is deliberately left unset.
 */
private DescribeKeyResult constructDescribeKeyResult() {
    return new DescribeKeyResult()
            .withKeyMetadata(new KeyMetadata().withArn(KMS_ARN));
}
/**
 * Builds a describe-key result for the {@code KMS_ARN} fixture ARN in the given key state.
 *
 * @param state the key state to report
 * @return a result whose metadata has both the state and the fixture ARN set
 */
private static DescribeKeyResult constructDescribeKeyResult(KeyState state) {
    final KeyMetadata metadata = new KeyMetadata()
            .withKeyState(state)
            .withArn(KMS_ARN);
    return new DescribeKeyResult().withKeyMetadata(metadata);
}
/** Describe-key fixture for a key in the {@code Enabled} state. */
private static DescribeKeyResult enabledKeyResult() {
    final KeyState state = KeyState.Enabled;
    return constructDescribeKeyResult(state);
}
/** Describe-key fixture for a key in the {@code Disabled} state. */
private static DescribeKeyResult disabledKeyResult() {
    final KeyState state = KeyState.Disabled;
    return constructDescribeKeyResult(state);
}
/** Describe-key fixture for a key in the {@code PendingDeletion} state. */
private static DescribeKeyResult pendingDeletionKeyResult() {
    final KeyState state = KeyState.PendingDeletion;
    return constructDescribeKeyResult(state);
}
/**
 * Describes a KMS key by delegating to the wrapped client through {@code execute}, which
 * tags the call with the operation name {@code "KmsDescribeKey"}.
 *
 * @param request the describe-key request forwarded unchanged to the client
 * @return whatever the wrapped client returns for the request
 */
public DescribeKeyResult describeKey(DescribeKeyRequest request) {
    // Original note: "Default AWS limit was 30 as of Aug 2017" — presumably the per-account
    // request rate for this operation; verify against current AWS quotas before relying on it.
    final String operationName = "KmsDescribeKey";
    return execute(operationName, () -> client.describeKey(request));
}