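/**
 * Schedules for deletion every KMS key in {@code testRegion} whose alias starts with
 * {@code "alias/" + testResourcePrefix} and whose creation date is before
 * {@code createdBeforeThreshold}. Keys that are already in the PENDING_DELETION state are skipped.
 *
 * <p>Matching is a plain prefix match, so the prefix must be specific to test resources: a prefix
 * such as {@code "test"} also selects an alias named {@code "alias/testing-..."}. Deletion is
 * delegated to {@link #scheduleKeyDeletion}; nothing is deleted immediately here.
 *
 * <p>NOTE(review): {@code listAliases()} is called without a marker, so only the first page of
 * aliases is visited; confirm whether pagination is needed for accounts with many aliases.
 *
 * @param testRegion region whose KMS aliases are inspected
 * @param testResourcePrefix alias prefix (without the {@code alias/} namespace) that marks test keys
 * @param createdBeforeThreshold keys created at or after this instant are left untouched
 * @param awsCredentials credentials used to build the KMS client
 */
private static void cleanUpKMSKeys(
    Regions testRegion,
    String testResourcePrefix,
    Date createdBeforeThreshold,
    AWSCredentialsProvider awsCredentials) {
  LOG.info("Cleaning KMS...");
  AWSKMS kmsClient = AWSKMSClientBuilder.standard()
      .withCredentials(awsCredentials)
      .withRegion(testRegion)
      .build();
  try {
    String aliasPrefix = "alias/" + testResourcePrefix;
    List<AliasListEntry> aliases = kmsClient.listAliases().getAliases();
    for (AliasListEntry entry : aliases) {
      if (!entry.getAliasName().startsWith(aliasPrefix)) {
        continue;
      }
      DescribeKeyRequest request = new DescribeKeyRequest().withKeyId(entry.getTargetKeyId());
      KeyMetadata metadata = kmsClient.describeKey(request).getKeyMetadata();
      // Skip keys that are already pending deletion.
      if (KMSKeyState.fromString(metadata.getKeyState()) == KMSKeyState.PENDING_DELETION) {
        continue;
      }
      if (metadata.getCreationDate().before(createdBeforeThreshold)) {
        LOG.info("Scheduling KMS key for deletion:" + entry.getAliasName());
        scheduleKeyDeletion(kmsClient, entry);
      }
    }
  } finally {
    // A fresh client is built on every call; release its underlying resources when done.
    kmsClient.shutdown();
  }
}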
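/**
 * Verifies that {@code createAdminPolicy} creates the admin IAM policy from the
 * {@code test_admin_policy} test-data document and returns the ARN of the created policy.
 *
 * <p>The KMS client is stubbed as well, because the KMS policy statement is only built after the
 * key's existence is confirmed with a {@code DescribeKeyRequest}.
 *
 * @throws Exception if the test-data file cannot be read
 */
@Test
public void testCreateAdminPolicy() throws Exception {
  // NOTE(review): new String(byte[]) decodes with the platform default charset (UTF-8 only from
  // JDK 18 on); pass an explicit charset if the policy document may contain non-ASCII text.
  String policyDocument =
      new String(Files.readAllBytes(Paths.get(TEST_DATA_DIR, "test_admin_policy")));
  CreatePolicyRequest request = constructCreatePolicyRequest("admin", policyDocument);
  CreatePolicyResult result =
      new CreatePolicyResult().withPolicy(new Policy().withArn(ADMIN_POLICY_ARN));
  when(mockClient.createPolicy(request)).thenReturn(result);

  // The KMSManager checks that the key exists with a DescribeKeyRequest before it builds the KMS
  // policy statement, so that call has to be stubbed too.
  DescribeKeyRequest keyRequest = new DescribeKeyRequest().withKeyId(KMS_ALIAS_ARN);
  when(mockKMSClient.describeKey(keyRequest)).thenReturn(constructDescribeKeyResult());

  // Create the policy, then check the returned ARN and the calls made to AWS.
  String policyArn =
      partiallyMockedPolicyManager.createAdminPolicy(group, kmsEncryptor, partiallyMockedStore);

  verify(mockClient, times(1)).createPolicy(request);
  verify(mockKMSClient, times(1)).describeKey(keyRequest);
  // assertEquals takes (expected, actual); the arguments were swapped, which only garbles the
  // failure message but makes a red test harder to read.
  assertEquals(ADMIN_POLICY_ARN, policyArn);
}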
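/**
 * Verifies that {@code createReadOnlyPolicy} creates the read-only IAM policy from the
 * {@code test_readonly_policy} test-data document and returns the ARN of the created policy.
 *
 * <p>The KMS client is stubbed as well, because the KMS policy statement is only built after the
 * key's existence is confirmed with a {@code DescribeKeyRequest}.
 *
 * @throws Exception if the test-data file cannot be read
 */
@Test
public void testCreateReadOnlyPolicy() throws Exception {
  // NOTE(review): new String(byte[]) decodes with the platform default charset (UTF-8 only from
  // JDK 18 on); pass an explicit charset if the policy document may contain non-ASCII text.
  String policyDocument =
      new String(Files.readAllBytes(Paths.get(TEST_DATA_DIR, "test_readonly_policy")));
  CreatePolicyRequest request = constructCreatePolicyRequest("readonly", policyDocument);
  CreatePolicyResult result =
      new CreatePolicyResult().withPolicy(new Policy().withArn(READONLY_POLICY_ARN));
  when(mockClient.createPolicy(request)).thenReturn(result);

  // The KMSManager checks that the key exists with a DescribeKeyRequest before it builds the KMS
  // policy statement, so that call has to be stubbed too.
  DescribeKeyRequest keyRequest = new DescribeKeyRequest().withKeyId(KMS_ALIAS_ARN);
  when(mockKMSClient.describeKey(keyRequest)).thenReturn(constructDescribeKeyResult());

  // Create the policy, then check the returned ARN and the calls made to AWS.
  String policyArn =
      partiallyMockedPolicyManager.createReadOnlyPolicy(group, kmsEncryptor, partiallyMockedStore);

  verify(mockClient, times(1)).createPolicy(request);
  verify(mockKMSClient, times(1)).describeKey(keyRequest);
  // assertEquals takes (expected, actual); the arguments were swapped, which only garbles the
  // failure message but makes a red test harder to read.
  assertEquals(READONLY_POLICY_ARN, policyArn);
}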
/**
 * Looks up the current state of a KMS key by issuing a DescribeKey call in the given region.
 *
 * @param kmsKeyId the AWS KMS key id
 * @param region the region the key lives in; a client for that region is obtained from
 *     {@code kmsClientFactory}
 * @return the key state string reported in the key's metadata
 */
protected String getKmsKeyState(String kmsKeyId, String region) {
  final DescribeKeyRequest describeRequest = new DescribeKeyRequest().withKeyId(kmsKeyId);
  final AWSKMSClient regionalClient = kmsClientFactory.getClient(region);
  return regionalClient
      .describeKey(describeRequest)
      .getKeyMetadata()
      .getKeyState();
}
/**
 * Fake DescribeKey: resolves the request's key id to an ARN via {@link #retrieveArn} and returns
 * metadata whose {@code KeyId} and {@code Arn} are both that ARN. No other metadata fields (for
 * example key state or creation date) are populated, so callers that read them get {@code null}.
 *
 * @param arg0 the request whose key id is resolved
 * @return a result carrying the minimal metadata described above
 */
@Override
public DescribeKeyResult describeKey(DescribeKeyRequest arg0)
    throws AmazonServiceException, AmazonClientException {
  final String resolvedArn = retrieveArn(arg0.getKeyId());
  final KeyMetadata metadata = new KeyMetadata()
      .withKeyId(resolvedArn)
      .withArn(resolvedArn);
  return new DescribeKeyResult().withKeyMetadata(metadata);
}
/**
 * Describes a KMS key, routing the call through {@link #execute} under the operation name
 * {@code "KmsDescribeKey"}.
 *
 * @param request the DescribeKey request forwarded to the underlying client
 * @return whatever the underlying KMS client returns for the request
 */
public DescribeKeyResult describeKey(DescribeKeyRequest request) {
  // Default AWS limit was 30 as of Aug 2017 (original note; presumably the per-second request
  // quota for this operation — confirm against the current KMS quotas).
  final String operationName = "KmsDescribeKey";
  return execute(operationName, () -> client.describeKey(request));
}