/*
* Copyright 2015 herd contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.finra.herd.dao.impl;
import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.policy.Policy;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Repository;
import org.finra.herd.dao.RetryPolicyFactory;
import org.finra.herd.dao.StsDao;
import org.finra.herd.dao.StsOperations;
import org.finra.herd.model.dto.AwsParamsDto;
/**
* The STS DAO implementation.
*/
@Repository
public class StsDaoImpl implements StsDao
{
@Autowired
private StsOperations stsOperations;
@Autowired
private RetryPolicyFactory retryPolicyFactory;
/**
* Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that can be used to access
* the specified AWS resource.
*
* @param sessionName the session name that will be associated with the temporary credentials. The session name must be the same for an initial set of
* credentials and an extended set of credentials if credentials are to be refreshed. The session name also is used to identify the user in AWS logs so it
* should be something unique and useful to identify the caller/use.
* @param awsRoleArn the AWS ARN for the role required to provide access to the specified AWS resource
* @param awsRoleDurationSeconds the duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour).
* @param policy the temporary policy to apply to this request
*
* @return the assumed session credentials
*/
@Override
public Credentials getTemporarySecurityCredentials(AwsParamsDto awsParamsDto, String sessionName, String awsRoleArn, int awsRoleDurationSeconds,
Policy policy)
{
// Construct a new AWS security token service client using the specified client configuration to access Amazon S3.
// A credentials provider chain will be used that searches for credentials in this order:
// - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
// - Java System Properties - aws.accessKeyId and aws.secretKey
// - Instance Profile Credentials - delivered through the Amazon EC2 metadata service
ClientConfiguration clientConfiguration = new ClientConfiguration().withRetryPolicy(retryPolicyFactory.getRetryPolicy());
// Only set the proxy hostname and/or port if they're configured.
if (StringUtils.isNotBlank(awsParamsDto.getHttpProxyHost()))
{
clientConfiguration.setProxyHost(awsParamsDto.getHttpProxyHost());
}
if (awsParamsDto.getHttpProxyPort() != null)
{
clientConfiguration.setProxyPort(awsParamsDto.getHttpProxyPort());
}
AWSSecurityTokenServiceClient awsSecurityTokenServiceClient = new AWSSecurityTokenServiceClient(clientConfiguration);
// Create the request.
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
assumeRoleRequest.setRoleSessionName(sessionName);
assumeRoleRequest.setRoleArn(awsRoleArn);
assumeRoleRequest.setDurationSeconds(awsRoleDurationSeconds);
if (policy != null)
{
assumeRoleRequest.setPolicy(policy.toJson());
}
// Get the temporary security credentials.
AssumeRoleResult assumeRoleResult = stsOperations.assumeRole(awsSecurityTokenServiceClient, assumeRoleRequest);
return assumeRoleResult.getCredentials();
}
}