path: root/jdisc-cloud-aws/src/main/java/com/yahoo/jdisc/cloud/aws/AwsParameterStoreValidationHandler.java
// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.jdisc.cloud.aws;

import com.google.inject.Inject;
import com.yahoo.cloud.config.SecretStoreConfig;
import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.LoggingRequestHandler;
import com.yahoo.io.IOUtils;
import com.yahoo.restapi.ErrorResponse;
import com.yahoo.restapi.SlimeJsonResponse;
import com.yahoo.slime.Cursor;
import com.yahoo.slime.Slime;
import com.yahoo.slime.SlimeUtils;
import com.yahoo.yolean.Exceptions;

import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Attempts to validate the AWS Systems Manager Parameter Store settings to see if we can
 * run a working Vespa Cloud Secret Store with them.
 *
 * @author ogronnesby
 */
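public class AwsParameterStoreValidationHandler extends LoggingRequestHandler {

    private static final Logger log = Logger.getLogger(AwsParameterStoreValidationHandler.class.getName());

    /** Upper bound on the request body we read; the settings document is a handful of short strings. */
    private static final int MAX_REQUEST_BODY_BYTES = 1000 * 1000;

    /** Parameter name fetched as an end-to-end probe of the assume-role + parameter-store path. */
    private static final String PROBE_SECRET_NAME = "vespa-secret";

    private final VespaAwsCredentialsProvider credentialsProvider;
    private final SecretStoreConfig secretStoreConfig;

    @Inject
    public AwsParameterStoreValidationHandler(Context ctx, SecretStoreConfig secretStoreConfig) {
        this(ctx, secretStoreConfig, new VespaAwsCredentialsProvider());
    }

    /**
     * @param ctx                 handler context passed to {@link LoggingRequestHandler}
     * @param secretStoreConfig   the secret store groups declared in services.xml; supplies the region per store name
     * @param credentialsProvider base credentials used when assuming the role given in the request
     */
    public AwsParameterStoreValidationHandler(Context ctx, SecretStoreConfig secretStoreConfig, VespaAwsCredentialsProvider credentialsProvider) {
        super(ctx);
        this.credentialsProvider = credentialsProvider;
        this.secretStoreConfig = secretStoreConfig;
    }

    /**
     * Accepts POST only; any other method yields 405.
     * Unexpected runtime failures are logged with the request URI and mapped to a 500 whose body
     * carries the exception message.
     *
     * @param request the incoming request
     * @return the validation result, a 405, or a 500
     */
    @Override
    public HttpResponse handle(HttpRequest request) {
        try {
            if (request.getMethod() == com.yahoo.jdisc.http.HttpRequest.Method.POST) {
                return handlePOST(request);
            }
            return ErrorResponse.methodNotAllowed("Method '" + request.getMethod() + "' is not supported");
        } catch (RuntimeException e) {
            log.log(Level.WARNING, "Unexpected error handling '" + request.getUri() + "'", e);
            return ErrorResponse.internalServerError(Exceptions.toMessageString(e));
        }
    }

    /**
     * Parses the posted settings, echoes them back (external id masked), then tries to read one
     * parameter through the described role. Failures of that probe are reported in the response
     * body as {@code status: "error"} plus an {@code errors} array, not as an HTTP error, so the
     * caller can show the AWS-side reason.
     *
     * @param request POST whose body is a JSON object with name, role, awsId and externalId
     * @return 200 with the validation outcome
     */
    private HttpResponse handlePOST(HttpRequest request) {
        var json = toSlime(request.getData());
        var settings = AwsSettings.fromSlime(json);

        var response = new Slime();
        var root = response.setObject();
        settings.toSlime(root.setObject("settings"));

        try {
            // awsId and role come straight from the request body; the ARN is only handed to the
            // AWS client, which rejects malformed values and reports that through the errors array.
            var arn = "arn:aws:iam::" + settings.awsId + ":role/" + settings.role;
            var region = getRegion(settings);
            var store = new AwsParameterStore(this.credentialsProvider, arn, settings.externalId, region);
            store.getSecret(PROBE_SECRET_NAME);
            root.setString("status", "ok");
        } catch (RuntimeException e) {
            root.setString("status", "error");
            var error = root.setArray("errors").addObject();
            error.setString("type", e.getClass().getSimpleName());
            error.setString("message", Exceptions.toMessageString(e));
        }

        return new SlimeJsonResponse(response);
    }

    /**
     * Reads at most {@link #MAX_REQUEST_BODY_BYTES} from the stream and parses it as JSON.
     * The stream is closed once read.
     *
     * @throws UncheckedIOException if reading fails; the cause is kept so the WARNING logged by
     *                              {@link #handle} shows what actually went wrong
     */
    private static Slime toSlime(InputStream jsonStream) {
        try (InputStream in = jsonStream) {
            byte[] jsonBytes = IOUtils.readBytes(in, MAX_REQUEST_BODY_BYTES);
            return SlimeUtils.jsonToSlime(jsonBytes);
        } catch (IOException e) {
            // UncheckedIOException is a RuntimeException, so handle() still maps this to a 500,
            // but the original cause is no longer dropped on the floor.
            throw new UncheckedIOException("Failed to read request body", e);
        }
    }

    /**
     * Looks up the region of the configured secret store group whose name matches the request.
     *
     * @throws RuntimeException if no group in services.xml has that name
     */
    private String getRegion(AwsSettings settings) {
        return secretStoreConfig.groups()
                .stream()
                .filter(group -> group.name().equals(settings.name))
                .map(SecretStoreConfig.Groups::region)
                .findFirst()
                .orElseThrow(() -> new RuntimeException("No secret store named '" + settings.name + "' configured in services.xml"));
    }

    /** The settings posted by the caller. Immutable once parsed. */
    private static class AwsSettings {
        final String name;        // secret store group name, matched against services.xml
        final String role;        // IAM role name to assume
        final String awsId;       // AWS account id owning the role
        final String externalId;  // external id presented when assuming the role; never echoed back

        AwsSettings(String name, String role, String awsId, String externalId) {
            this.name = name;
            this.role = role;
            this.awsId = awsId;
            this.externalId = externalId;
        }

        /** Reads the four string fields from the root object of {@code slime}. */
        static AwsSettings fromSlime(Slime slime) {
            var json = slime.get();
            return new AwsSettings(
                    json.field("name").asString(),
                    json.field("role").asString(),
                    json.field("awsId").asString(),
                    json.field("externalId").asString()
            );
        }

        /** Writes the settings into {@code slime}; externalId is a shared secret and is masked. */
        void toSlime(Cursor slime) {
            slime.setString("name", name);
            slime.setString("role", role);
            slime.setString("awsId", awsId);
            slime.setString("externalId", "*****");
        }
    }
}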