IAMSecretKeyValidator.java example

Explorer

aws-iam-ldap-bridge-master
- src
  - com
    - denismo
      - apacheds
        ApacheDSUtils.java
        Runner.java
        auth
        AWSIAMAuthenticator.java
      - aws
        iam
        IAMAccountPasswordValidator.java
        IAMDualValidator.java
        IAMSecretKeyValidator.java
        LDAPIAMPoller.java
        _IAMPasswordValidator.java

/*
 * Copyright (c) 2013 Denis Mikhalkin.
 *
 * This software is provided to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except
 * in compliance with the License.  You may obtain a copy of the
 * License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package com.denismo.aws.iam;

import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * User: Denis Mikhalkin
 * Date: 30/03/13
 * Time: 10:40 PM
 */
public class IAMSecretKeyValidator implements _IAMPasswordValidator {
    private static final Logger LOG = LoggerFactory.getLogger(IAMSecretKeyValidator.class);
    @Override
    public boolean verifyIAMPassword(Entry user, String pw) throws LdapInvalidAttributeValueException, LdapAuthenticationException {
        boolean role = false;
        AWSCredentials creds;
        if (isRole(user)) {
            role = true;
            String[] parts = pw.split("\\|");
            if (parts == null || parts.length < 3) throw new LdapAuthenticationException();
            creds = new BasicSessionCredentials(parts[0], parts[1], parts[2]);
        } else {
            creds = new BasicAWSCredentials(user.get("accessKey").getString(), pw);
        }
        LOG.debug("Verifying {} {} with accessKey <hidden> and secretKey <hidden>",
                role ? "role":"user", user.get("uid").getString());
        AmazonIdentityManagementClient client = new AmazonIdentityManagementClient(creds);
        try {
            client.getAccountSummary();
        } catch (AmazonClientException e) {
            System.err.println(e.getMessage());
            return false;
        } finally {
            client.shutdown();
        }
        return true;
    }

    private boolean isRole(Entry user) {
        return user.hasObjectClass("iamrole");
    }
}