1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.cloud.aws;
import com.google.inject.Inject;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.LoggingRequestHandler;
import com.yahoo.io.IOUtils;
import com.yahoo.restapi.ErrorResponse;
import com.yahoo.restapi.SlimeJsonResponse;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.Slime;
import com.yahoo.slime.SlimeUtils;
import com.yahoo.yolean.Exceptions;
import java.io.IOException;
import java.io.InputStream;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
* Attempts to validate the AWS Systems Manager Parameter Store settings to see if we can
* run a working Vespa Cloud Secret Store with them.
*
* @author ogronnesby
*/
public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {
private static final Logger log = Logger.getLogger(AwsParameterStoreValidationHandler.class.getName());
private final VespaAwsCredentialsProvider credentialsProvider;
@Inject
public AwsParameterStoreValidationHandler(Context ctx) {
this(ctx, new VespaAwsCredentialsProvider());
}
public AwsParameterStoreValidationHandler(Context ctx, VespaAwsCredentialsProvider credentialsProvider) {
super(ctx);
this.credentialsProvider = credentialsProvider;
}
@Override
public HttpResponse handle(HttpRequest request) {
try {
if (request.getMethod() == com.yahoo.jdisc.http.HttpRequest.Method.POST) {
return handlePOST(request);
}
return ErrorResponse.methodNotAllowed("Method '" + request.getMethod() + "' is not supported");
} catch (RuntimeException e) {
log.log(Level.WARNING, "Unexpected error handling '" + request.getUri() + "'", e);
return ErrorResponse.internalServerError(Exceptions.toMessageString(e));
}
}
private HttpResponse handlePOST(HttpRequest request) {
var json = toSlime(request.getData());
var settings = AwsSettings.fromSlime(json);
var response = new Slime();
var root = response.setObject();
settings.toSlime(root.setObject("settings"));
try {
var arn = "arn:aws:iam::" + settings.awsId + ":role/" + settings.role;
var store = new AwsParameterStore(this.credentialsProvider, arn, settings.externalId);
store.getSecret("vespa-secret");
root.setString("status", "ok");
} catch (RuntimeException e) {
root.setString("status", "error");
var error = root.setArray("errors").addObject();
error.setString("type", e.getClass().getSimpleName());
error.setString("message", Exceptions.toMessageString(e));
}
return new SlimeJsonResponse(response);
}
private Slime toSlime(InputStream jsonStream) {
try {
byte[] jsonBytes = IOUtils.readBytes(jsonStream, 1000 * 1000);
return SlimeUtils.jsonToSlime(jsonBytes);
} catch (IOException e) {
throw new RuntimeException();
}
}
private static class AwsSettings {
String name;
String role;
String awsId;
String externalId;
AwsSettings(String name, String role, String awsId, String externalId) {
this.name = name;
this.role = role;
this.awsId = awsId;
this.externalId = externalId;
}
static AwsSettings fromSlime(Slime slime) {
var json = slime.get();
return new AwsSettings(
json.field("name").asString(),
json.field("role").asString(),
json.field("awsId").asString(),
json.field("externalId").asString()
);
}
void toSlime(Cursor slime) {
slime.setString("name", name);
slime.setString("role", role);
slime.setString("awsId", awsId);
slime.setString("externalId", "*****");
}
}
}
|