From 8a74b87c1b4f0702bd2142d482d43277618bc149 Mon Sep 17 00:00:00 2001 From: Henry Avetisyan Date: Wed, 7 Aug 2024 14:22:08 -0700 Subject: [PATCH] migrate instnace provider library to use aws sdk v2 Signed-off-by: Henry Avetisyan --- libs/java/instance_provider/pom.xml | 14 +- ...tAWSElasticKubernetesServiceValidator.java | 89 ++++---- .../provider/impl/InstanceAWSProvider.java | 54 ++--- ...ElasticKubernetesServiceValidatorTest.java | 203 ++++++++++-------- .../impl/InstanceAWSProviderTest.java | 31 +-- .../impl/InstanceK8SProviderTest.java | 54 ++--- .../impl/MockInstanceAWSECSProvider.java | 8 +- .../impl/MockInstanceAWSLambdaProvider.java | 8 +- .../impl/MockInstanceAWSProvider.java | 8 +- 9 files changed, 259 insertions(+), 210 deletions(-) diff --git a/libs/java/instance_provider/pom.xml b/libs/java/instance_provider/pom.xml index 8f956ffe5dc..e49afbaa3a1 100644 --- a/libs/java/instance_provider/pom.xml +++ b/libs/java/instance_provider/pom.xml @@ -36,9 +36,9 @@ - com.amazonaws - aws-java-sdk-bom - ${aws.version} + software.amazon.awssdk + bom + ${aws2.version} pom import @@ -137,8 +137,8 @@ runtime - com.amazonaws - aws-java-sdk-sts + software.amazon.awssdk + sts com.yahoo.athenz @@ -156,8 +156,8 @@ ${gcp.api-client.version} - com.amazonaws - aws-java-sdk-iam + software.amazon.awssdk + iam diff --git a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java index 91f24fcad7b..a1947aadd29 100644 --- a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java +++ b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidator.java 
@@ -15,18 +15,6 @@ */ package com.yahoo.athenz.instance.provider.impl; -import com.amazonaws.auth.AWSStaticCredentialsProvider; -import com.amazonaws.auth.BasicSessionCredentials; -import com.amazonaws.auth.DefaultAWSCredentialsProviderChain; -import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; -import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; -import com.amazonaws.services.identitymanagement.model.ListOpenIDConnectProvidersRequest; -import com.amazonaws.services.identitymanagement.model.ListOpenIDConnectProvidersResult; -import com.amazonaws.services.identitymanagement.model.OpenIDConnectProviderListEntry; -import com.amazonaws.services.securitytoken.AWSSecurityTokenService; -import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder; -import com.amazonaws.services.securitytoken.model.AssumeRoleRequest; -import com.amazonaws.services.securitytoken.model.AssumeRoleResult; import com.yahoo.athenz.auth.Authorizer; import com.yahoo.athenz.auth.Principal; import com.yahoo.athenz.auth.impl.SimplePrincipal; 
@@ -45,6 +33,18 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; +import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; +import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider; +import software.amazon.awssdk.regions.Region; +import software.amazon.awssdk.services.sts.StsClient; +import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersRequest; +import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersResponse; +import software.amazon.awssdk.services.iam.model.OpenIDConnectProviderListEntry; +import software.amazon.awssdk.auth.credentials.AwsBasicCredentials; +import software.amazon.awssdk.services.iam.IamClient; +import software.amazon.awssdk.services.sts.model.AssumeRoleRequest; +import software.amazon.awssdk.services.sts.model.AssumeRoleResponse; + import static com.yahoo.athenz.common.server.util.config.ConfigManagerSingleton.CONFIG_MANAGER; import static com.yahoo.athenz.instance.provider.InstanceProvider.ZTS_INSTANCE_AWS_ACCOUNT; import static com.yahoo.athenz.instance.provider.impl.InstanceAWSProvider.*; @@ -61,7 +61,7 @@ public class DefaultAWSElasticKubernetesServiceValidator extends CommonKubernete private static final String ASSUME_ROLE_NAME = System.getProperty(ZTS_PROP_K8S_PROVIDER_ATTESTATION_AWS_ASSUME_ROLE_NAME, "oidc-issuers-reader"); static final String ZTS_PROP_K8S_PROVIDER_AWS_ATTR_VALIDATOR_FACTORY_CLASS = "athenz.zts.k8s_provider_aws_attr_validator_factory_class"; - AWSSecurityTokenService stsClient; + StsClient stsClient; String serverRegion; Set awsDNSSuffixes = new HashSet<>(); @@ -75,6 +75,7 @@ public class DefaultAWSElasticKubernetesServiceValidator extends CommonKubernete public static DefaultAWSElasticKubernetesServiceValidator getInstance() { return INSTANCE; } + private DefaultAWSElasticKubernetesServiceValidator() { } 
@@ -105,10 +106,8 @@ public void initialize(final SSLContext sslContext, Authorizer authorizer) { if (useIamRoleForIssuerValidation()) { // Create an STS client using default credentials - stsClient = AWSSecurityTokenServiceClientBuilder.standard() - .withRegion(serverRegion) - .withCredentials(DefaultAWSCredentialsProviderChain.getInstance()) - .build(); + stsClient = StsClient.builder().credentialsProvider(DefaultCredentialsProvider.builder().build()) + .region(Region.of(serverRegion)).build(); } final String dnsSuffix = System.getProperty(AWS_PROP_DNS_SUFFIX); if (!StringUtil.isEmpty(dnsSuffix)) { @@ -121,6 +120,7 @@ public void initialize(final SSLContext sslContext, Authorizer authorizer) { this.attrValidator = newAttrValidator(sslContext); } + @Override public String validateIssuer(InstanceConfirmation confirmation, IdTokenAttestationData attestationData, StringBuilder errMsg) { 
@@ -173,37 +173,48 @@ public String validateIssuer(InstanceConfirmation confirmation, IdTokenAttestati return issuer; } - boolean verifyIssuerPresenceInDomainAWSAccount(final String issuer, - final String awsAccount) { - boolean result = false; + IamClient getIamClient(final String awsAccount) { - String roleArn = String.format("arn:aws:iam::%s:role/%s", awsAccount, ASSUME_ROLE_NAME); - String roleSessionName = ASSUME_ROLE_NAME + "-Session"; + final String roleArn = String.format("arn:aws:iam::%s:role/%s", awsAccount, ASSUME_ROLE_NAME); + final String roleSessionName = ASSUME_ROLE_NAME + "-Session"; // Assume the role in the target AWS account - AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest() - .withRoleArn(roleArn) - .withRoleSessionName(roleSessionName); - AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest); - BasicSessionCredentials sessionCredentials = new BasicSessionCredentials( - assumeRoleResult.getCredentials().getAccessKeyId(), - assumeRoleResult.getCredentials().getSecretAccessKey(), - assumeRoleResult.getCredentials().getSessionToken() - ); - - AmazonIdentityManagement iamClient = AmazonIdentityManagementClientBuilder.standard() - .withRegion(serverRegion) - .withCredentials(new AWSStaticCredentialsProvider(sessionCredentials)) + + AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder() + .roleArn(roleArn).roleSessionName(roleSessionName).build(); + AssumeRoleResponse assumeRoleResponse = stsClient.assumeRole(assumeRoleRequest); + + AwsBasicCredentials credentials = AwsBasicCredentials.builder() + .accessKeyId(assumeRoleResponse.credentials().accessKeyId()) + .secretAccessKey(assumeRoleResponse.credentials().secretAccessKey()) .build(); + // Create Static Credentials Provider + + StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(credentials); + + // Create IAM Client + + return 
IamClient.builder().credentialsProvider(credentialsProvider).region(Region.of(serverRegion)).build(); + } + + boolean verifyIssuerPresenceInDomainAWSAccount(final String issuer, final String awsAccount) { + + boolean result = false; + + // get our IAM Client + + IamClient iamClient = getIamClient(awsAccount); + // Call the IAM API to get the list of OIDC issuers - ListOpenIDConnectProvidersRequest listRequest = new ListOpenIDConnectProvidersRequest(); - ListOpenIDConnectProvidersResult listResult = iamClient.listOpenIDConnectProviders(listRequest); - List oidcIssuers = listResult.getOpenIDConnectProviderList(); + + ListOpenIdConnectProvidersRequest request = ListOpenIdConnectProvidersRequest.builder().build(); + ListOpenIdConnectProvidersResponse response = iamClient.listOpenIDConnectProviders(request); + List oidcIssuers = response.openIDConnectProviderList(); if (oidcIssuers != null) { String issuerWithoutProtocol = issuer.replaceFirst("^https://", ""); for (OpenIDConnectProviderListEntry oidcIssuer : oidcIssuers) { - if (oidcIssuer != null && oidcIssuer.getArn() != null && oidcIssuer.getArn().endsWith(issuerWithoutProtocol)) { + if (oidcIssuer != null && oidcIssuer.arn() != null && oidcIssuer.arn().endsWith(issuerWithoutProtocol)) { result = true; break; } diff --git a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java index 95ed71ca8a3..f46dfccea90 100644 --- a/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java +++ b/libs/java/instance_provider/src/main/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProvider.java 
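Review bot: `getIamClient` drops the STS session token: the `AwsBasicCredentials` built from `assumeRoleResponse.credentials()` carries only the access key id and secret, while the credentials AssumeRole returns are temporary and only valid together with `sessionToken()`, so the IAM call that follows will be rejected for an invalid security token (the removed v1 code passed all three through `BasicSessionCredentials`). Build session credentials instead: `AwsSessionCredentials credentials = AwsSessionCredentials.create(assumeRoleResponse.credentials().accessKeyId(), assumeRoleResponse.credentials().secretAccessKey(), assumeRoleResponse.credentials().sessionToken());` and hand that to `StaticCredentialsProvider.create`. The same omission is in `InstanceAWSProvider.getInstanceClient` in the next file, where the validated `token` local is no longer used at all. Since v2 clients implement `AutoCloseable`, `verifyIssuerPresenceInDomainAWSAccount` should also open the per-call client as `try (IamClient iamClient = getIamClient(awsAccount)) { … }` rather than leaving its HTTP connection pool to the GC; that method continues past the end of the hunk. While in the loop, the changed `endsWith(issuerWithoutProtocol)` line also matches a registered provider whose URL merely ends with the issuer, whereas comparing against `":oidc-provider/" + issuerWithoutProtocol` pins the match to the whole registered URL.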
@@ -24,13 +24,12 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.amazonaws.regions.Regions; -import com.amazonaws.auth.BasicSessionCredentials; -import com.amazonaws.auth.AWSStaticCredentialsProvider; -import com.amazonaws.services.securitytoken.AWSSecurityTokenService; -import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder; -import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest; -import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult; +import software.amazon.awssdk.auth.credentials.AwsBasicCredentials; +import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider; +import software.amazon.awssdk.regions.Region; +import software.amazon.awssdk.services.sts.StsClient; +import software.amazon.awssdk.services.sts.model.GetCallerIdentityRequest; +import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse; import com.yahoo.athenz.auth.KeyStore; import com.yahoo.athenz.instance.provider.InstanceConfirmation; import com.yahoo.athenz.instance.provider.InstanceProvider; @@ -412,8 +411,8 @@ protected void setConfirmationAttributes(InstanceConfirmation confirmation, bool } confirmation.setAttributes(attributes); } - - AWSSecurityTokenService getInstanceClient(AWSAttestationData info) { + + StsClient getInstanceClient(AWSAttestationData info) { String access = info.getAccess(); if (access == null || access.isEmpty()) { 
@@ -432,36 +431,41 @@ AWSSecurityTokenService getInstanceClient(AWSAttestationData info) { LOGGER.error("getInstanceClient: No token available in instance document"); return null; } - - BasicSessionCredentials creds = new BasicSessionCredentials(access, secret, token); - return AWSSecurityTokenServiceClientBuilder.standard() - .withCredentials(new AWSStaticCredentialsProvider(creds)) - .withRegion(Regions.fromName(awsRegion)) + AwsBasicCredentials credentials = AwsBasicCredentials.builder() + .accessKeyId(access) + .secretAccessKey(secret) .build(); + + // Create Static Credentials Provider + + StaticCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(credentials); + + // Create STS Client + + return StsClient.builder().credentialsProvider(credentialsProvider).region(Region.of(awsRegion)).build(); } boolean verifyInstanceIdentity(AWSAttestationData info, final String awsAccount) { - - GetCallerIdentityRequest req = new GetCallerIdentityRequest(); - + try { - AWSSecurityTokenService client = getInstanceClient(info); - if (client == null) { + StsClient stsClient = getInstanceClient(info); + if (stsClient == null) { LOGGER.error("verifyInstanceIdentity - unable to get AWS STS client object"); return false; } - - GetCallerIdentityResult res = client.getCallerIdentity(req); - if (res == null) { + + GetCallerIdentityRequest request = GetCallerIdentityRequest.builder().build(); + GetCallerIdentityResponse response = stsClient.getCallerIdentity(request); + if (response == null) { LOGGER.error("verifyInstanceIdentity - unable to get caller identity"); return false; } String arn = "arn:aws:sts::" + awsAccount + ":assumed-role/" + info.getRole() + "/"; - if (!res.getArn().startsWith(arn)) { - LOGGER.error("verifyInstanceIdentity - ARN mismatch - request: {} caller-idenity: {}", - arn, res.getArn()); + if (!response.arn().startsWith(arn)) { + LOGGER.error("verifyInstanceIdentity - ARN mismatch - request: {} caller-identity: {}", + arn, response.arn()); 
return false; } diff --git a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidatorTest.java b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidatorTest.java index f30b21aa777..814db4c45ad 100644 --- a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidatorTest.java +++ b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/DefaultAWSElasticKubernetesServiceValidatorTest.java 
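Review bot: The `StsClient` built per call in `getInstanceClient` is never closed; `verifyInstanceIdentity` obtains it inside the `try` and lets it go out of scope, so each instance registration leaves a client with its own HTTP connection pool to the GC (the v1 client had the same pattern, but v2 clients implement `AutoCloseable` and are documented to be closed). A null resource is permitted in try-with-resources, so the existing null check keeps working: `try (StsClient stsClient = getInstanceClient(info)) {`. The start of `getInstanceClient` and the remainder of `verifyInstanceIdentity`, including whatever the `try` catches, lie outside the hunk.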
@@ -15,24 +15,26 @@ */ package com.yahoo.athenz.instance.provider.impl; -import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; -import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; -import com.amazonaws.services.identitymanagement.model.ListOpenIDConnectProvidersRequest; -import com.amazonaws.services.identitymanagement.model.ListOpenIDConnectProvidersResult; -import com.amazonaws.services.identitymanagement.model.OpenIDConnectProviderListEntry; -import com.amazonaws.services.securitytoken.AWSSecurityTokenService; -import com.amazonaws.services.securitytoken.model.AssumeRoleRequest; -import com.amazonaws.services.securitytoken.model.AssumeRoleResult; -import com.amazonaws.services.securitytoken.model.Credentials; +import com.yahoo.athenz.auth.impl.aws.AwsPrivateKeyStore; +import org.mockito.MockedStatic; +import software.amazon.awssdk.services.iam.IamClientBuilder; +import software.amazon.awssdk.services.sts.StsClient; +import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersRequest; +import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersResponse; +import software.amazon.awssdk.services.iam.model.OpenIDConnectProviderListEntry; +import software.amazon.awssdk.services.iam.IamClient; +import software.amazon.awssdk.services.sts.model.AssumeRoleRequest; +import software.amazon.awssdk.services.sts.model.AssumeRoleResponse; + import com.yahoo.athenz.auth.Authorizer; import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigBoolean; import com.yahoo.athenz.instance.provider.AttrValidator; import com.yahoo.athenz.instance.provider.InstanceConfirmation; -import org.mockito.MockedStatic; import org.mockito.Mockito; import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeMethod; import org.testng.annotations.Test; +import software.amazon.awssdk.services.sts.model.Credentials; import javax.net.ssl.SSLContext; import java.util.Collection; 
@@ -43,6 +45,8 @@ import static com.yahoo.athenz.instance.provider.InstanceProvider.ZTS_INSTANCE_SAN_DNS; import static com.yahoo.athenz.instance.provider.impl.IdTokenTestsHelper.createToken; import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.doReturn; import static org.mockito.Mockito.when; import static org.testng.Assert.*; import static org.testng.Assert.assertFalse; 
@@ -61,53 +65,61 @@ public void shutdown() { @Test public void testVerifyIssuerPresenceInDomainAWSAccount() { DefaultAWSElasticKubernetesServiceValidator validator = DefaultAWSElasticKubernetesServiceValidator.getInstance(); - AWSSecurityTokenService sts = Mockito.mock(AWSSecurityTokenService.class); + StsClient sts = Mockito.mock(StsClient.class); validator.stsClient = sts; - AssumeRoleResult assumeRoleResult = Mockito.mock(AssumeRoleResult.class); + AssumeRoleResponse assumeRoleResult = Mockito.mock(AssumeRoleResponse.class); Credentials creds = Mockito.mock(Credentials.class); - when(creds.getAccessKeyId()).thenReturn("abc"); - when(creds.getSecretAccessKey()).thenReturn("def"); - when(creds.getSessionToken()).thenReturn("ghi"); - when(assumeRoleResult.getCredentials()).thenReturn(creds); + when(creds.accessKeyId()).thenReturn("abc"); + when(creds.secretAccessKey()).thenReturn("def"); + when(creds.sessionToken()).thenReturn("ghi"); + when(assumeRoleResult.credentials()).thenReturn(creds); when(sts.assumeRole(any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult); - try (MockedStatic iamClientBuilderStatic = Mockito.mockStatic(AmazonIdentityManagementClientBuilder.class)) { - AmazonIdentityManagementClientBuilder iamClientBuilder = Mockito.mock(AmazonIdentityManagementClientBuilder.class); - AmazonIdentityManagement iamClient = Mockito.mock(AmazonIdentityManagement.class); + try (MockedStatic iamClientStatic = Mockito.mockStatic(IamClient.class)) { + IamClientBuilder iamClientBuilder = Mockito.mock(IamClientBuilder.class); - iamClientBuilderStatic.when(AmazonIdentityManagementClientBuilder::standard).thenReturn(iamClientBuilder); - when(iamClientBuilder.withCredentials(any())).thenReturn(iamClientBuilder); - when(iamClientBuilder.withRegion(Mockito.anyString())).thenReturn(iamClientBuilder); + IamClient iamClient = Mockito.mock(IamClient.class); + + iamClientStatic.when(IamClient::builder).thenReturn(iamClientBuilder); + 
when(iamClientBuilder.credentialsProvider(any())).thenReturn(iamClientBuilder); + when(iamClientBuilder.region(any())).thenReturn(iamClientBuilder); when(iamClientBuilder.build()).thenReturn(iamClient); - List providers = List.of(new OpenIDConnectProviderListEntry().withArn("arn:aws:iam::123456789012:oidc-provider/athenz.provider")); - when(iamClient.listOpenIDConnectProviders(any(ListOpenIDConnectProvidersRequest.class))).thenReturn(new ListOpenIDConnectProvidersResult().withOpenIDConnectProviderList(providers)); - assertTrue(validator.verifyIssuerPresenceInDomainAWSAccount( "athenz.provider", "123456789012")); + + List providers = List.of( + OpenIDConnectProviderListEntry.builder().arn("arn:aws:iam::123456789012:oidc-provider/athenz.provider").build()); + when(iamClient.listOpenIDConnectProviders(any(ListOpenIdConnectProvidersRequest.class))) + .thenReturn(ListOpenIdConnectProvidersResponse.builder().openIDConnectProviderList(providers).build()); + assertTrue(validator.verifyIssuerPresenceInDomainAWSAccount("athenz.provider", "123456789012")); } } @Test public void testVerifyIssuerPresenceInDomainAWSAccountInvalid() { DefaultAWSElasticKubernetesServiceValidator validator = DefaultAWSElasticKubernetesServiceValidator.getInstance(); - AWSSecurityTokenService sts = Mockito.mock(AWSSecurityTokenService.class); + StsClient sts = Mockito.mock(StsClient.class); validator.stsClient = sts; - AssumeRoleResult assumeRoleResult = Mockito.mock(AssumeRoleResult.class); + AssumeRoleResponse assumeRoleResult = Mockito.mock(AssumeRoleResponse.class); Credentials creds = Mockito.mock(Credentials.class); - when(creds.getAccessKeyId()).thenReturn("abc"); - when(creds.getSecretAccessKey()).thenReturn("def"); - when(creds.getSessionToken()).thenReturn("ghi"); - when(assumeRoleResult.getCredentials()).thenReturn(creds); + when(creds.accessKeyId()).thenReturn("abc"); + when(creds.secretAccessKey()).thenReturn("def"); + when(creds.sessionToken()).thenReturn("ghi"); + 
when(assumeRoleResult.credentials()).thenReturn(creds); when(sts.assumeRole(any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult); - try (MockedStatic iamClientBuilderStatic = Mockito.mockStatic(AmazonIdentityManagementClientBuilder.class)) { - AmazonIdentityManagementClientBuilder iamClientBuilder = Mockito.mock(AmazonIdentityManagementClientBuilder.class); - AmazonIdentityManagement iamClient = Mockito.mock(AmazonIdentityManagement.class); + try (MockedStatic iamClientStatic = Mockito.mockStatic(IamClient.class)) { + IamClientBuilder iamClientBuilder = Mockito.mock(IamClientBuilder.class); - iamClientBuilderStatic.when(AmazonIdentityManagementClientBuilder::standard).thenReturn(iamClientBuilder); - when(iamClientBuilder.withCredentials(any())).thenReturn(iamClientBuilder); - when(iamClientBuilder.withRegion(Mockito.anyString())).thenReturn(iamClientBuilder); + IamClient iamClient = Mockito.mock(IamClient.class); + + iamClientStatic.when(IamClient::builder).thenReturn(iamClientBuilder); + when(iamClientBuilder.credentialsProvider(any())).thenReturn(iamClientBuilder); + when(iamClientBuilder.region(any())).thenReturn(iamClientBuilder); when(iamClientBuilder.build()).thenReturn(iamClient); - List providers = List.of(new OpenIDConnectProviderListEntry().withArn("arn:aws:iam::123456789012:oidc-provider/xxx.zzzz")); - when(iamClient.listOpenIDConnectProviders(any(ListOpenIDConnectProvidersRequest.class))).thenReturn(new ListOpenIDConnectProvidersResult().withOpenIDConnectProviderList(providers)); + + List providers = List.of( + OpenIDConnectProviderListEntry.builder().arn("arn:aws:iam::123456789012:oidc-provider/xxx.zzzz").build()); + when(iamClient.listOpenIDConnectProviders(any(ListOpenIdConnectProvidersRequest.class))) + .thenReturn(ListOpenIdConnectProvidersResponse.builder().openIDConnectProviderList(providers).build()); assertFalse(validator.verifyIssuerPresenceInDomainAWSAccount("athenz.provider", "123456789012")); } } 
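Review bot: `testVerifyIssuerPresenceInDomainAWSAccount` stubs `creds.sessionToken()` to `"ghi"` but never checks what reaches `iamClientBuilder.credentialsProvider(any())`, so a validator that discards the token (as the production `getIamClient` in this commit does by building `AwsBasicCredentials`) still passes. Capturing the provider and resolving it pins the contract; the same applies to `testVerifyIssuerPresenceInDomainAWSAccountInvalid` in this hunk and to the later IAM-mocking tests (`…NullIssuer`, `testValidateIssuer`, `testValidateIssuerNoIssuerMatch`). The captor needs `org.mockito.ArgumentCaptor` plus `AwsCredentials`, `AwsCredentialsProvider` and `AwsSessionCredentials` from `software.amazon.awssdk.auth.credentials`, and the assertion fails until the provider code carries the token.
```java
            ArgumentCaptor<AwsCredentialsProvider> providerCaptor = ArgumentCaptor.forClass(AwsCredentialsProvider.class);
            when(iamClientBuilder.credentialsProvider(providerCaptor.capture())).thenReturn(iamClientBuilder);
            // … unchanged: region/build stubs and the listOpenIDConnectProviders stub …
            assertTrue(validator.verifyIssuerPresenceInDomainAWSAccount("athenz.provider", "123456789012"));
            AwsCredentials resolved = providerCaptor.getValue().resolveCredentials();
            assertTrue(resolved instanceof AwsSessionCredentials);
            assertEquals(((AwsSessionCredentials) resolved).sessionToken(), "ghi");
```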
@@ -115,28 +127,33 @@ public void testVerifyIssuerPresenceInDomainAWSAccountInvalid() { @Test public void testVerifyIssuerPresenceInDomainAWSAccountNullIssuer() { DefaultAWSElasticKubernetesServiceValidator validator = DefaultAWSElasticKubernetesServiceValidator.getInstance(); - AWSSecurityTokenService sts = Mockito.mock(AWSSecurityTokenService.class); + StsClient sts = Mockito.mock(StsClient.class); validator.stsClient = sts; - AssumeRoleResult assumeRoleResult = Mockito.mock(AssumeRoleResult.class); + AssumeRoleResponse assumeRoleResult = Mockito.mock(AssumeRoleResponse.class); Credentials creds = Mockito.mock(Credentials.class); - when(creds.getAccessKeyId()).thenReturn("abc"); - when(creds.getSecretAccessKey()).thenReturn("def"); - when(creds.getSessionToken()).thenReturn("ghi"); - when(assumeRoleResult.getCredentials()).thenReturn(creds); + when(creds.accessKeyId()).thenReturn("abc"); + when(creds.secretAccessKey()).thenReturn("def"); + when(creds.sessionToken()).thenReturn("ghi"); + when(assumeRoleResult.credentials()).thenReturn(creds); when(sts.assumeRole(any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult); - try (MockedStatic iamClientBuilderStatic = Mockito.mockStatic(AmazonIdentityManagementClientBuilder.class)) { - AmazonIdentityManagementClientBuilder iamClientBuilder = Mockito.mock(AmazonIdentityManagementClientBuilder.class); - AmazonIdentityManagement iamClient = Mockito.mock(AmazonIdentityManagement.class); + try (MockedStatic iamClientStatic = Mockito.mockStatic(IamClient.class)) { + IamClientBuilder iamClientBuilder = Mockito.mock(IamClientBuilder.class); + + IamClient iamClient = Mockito.mock(IamClient.class); - iamClientBuilderStatic.when(AmazonIdentityManagementClientBuilder::standard).thenReturn(iamClientBuilder); - when(iamClientBuilder.withCredentials(any())).thenReturn(iamClientBuilder); - when(iamClientBuilder.withRegion(Mockito.anyString())).thenReturn(iamClientBuilder); + 
iamClientStatic.when(IamClient::builder).thenReturn(iamClientBuilder); + when(iamClientBuilder.credentialsProvider(any())).thenReturn(iamClientBuilder); + when(iamClientBuilder.region(any())).thenReturn(iamClientBuilder); when(iamClientBuilder.build()).thenReturn(iamClient); - when(iamClient.listOpenIDConnectProviders(any(ListOpenIDConnectProvidersRequest.class))).thenReturn(new ListOpenIDConnectProvidersResult().withOpenIDConnectProviderList((Collection) null)); - assertFalse(validator.verifyIssuerPresenceInDomainAWSAccount( "athenz.provider", "123456789012")); + + when(iamClient.listOpenIDConnectProviders(any(ListOpenIdConnectProvidersRequest.class))) + .thenReturn(ListOpenIdConnectProvidersResponse.builder() + .openIDConnectProviderList((Collection) null).build()); + assertFalse(validator.verifyIssuerPresenceInDomainAWSAccount("athenz.provider", "123456789012")); } } + @Test public void testInit() { DefaultAWSElasticKubernetesServiceValidator validator = DefaultAWSElasticKubernetesServiceValidator.getInstance(); @@ -148,7 +165,9 @@ public void testInit() { @Test public void testValidateIssuer() { + DefaultAWSElasticKubernetesServiceValidator validator = DefaultAWSElasticKubernetesServiceValidator.getInstance(); + SSLContext sslContext = Mockito.mock(SSLContext.class); Authorizer authorizer = Mockito.mock(Authorizer.class); when(authorizer.access(any(), any(), any(), any())).thenReturn(true); 
@@ -156,28 +175,35 @@ public void testValidateIssuer() { InstanceConfirmation instanceConfirmation = new InstanceConfirmation(); instanceConfirmation.setAttributes(new HashMap<>()); IdTokenAttestationData attestationData = new IdTokenAttestationData(); - attestationData.setIdentityToken(createToken("athenz.api", "https://zts.athenz.io/zts/v1", "https://oidc.eks.us-east-1.amazonaws.com/id/123456789012")); - AWSSecurityTokenService sts = Mockito.mock(AWSSecurityTokenService.class); + attestationData.setIdentityToken(createToken("athenz.api", "https://zts.athenz.io/zts/v1", + "https://oidc.eks.us-east-1.amazonaws.com/id/123456789012")); + + StsClient sts = Mockito.mock(StsClient.class); validator.stsClient = sts; - AssumeRoleResult assumeRoleResult = Mockito.mock(AssumeRoleResult.class); + AssumeRoleResponse assumeRoleResult = Mockito.mock(AssumeRoleResponse.class); Credentials creds = Mockito.mock(Credentials.class); - when(creds.getAccessKeyId()).thenReturn("abc"); - when(creds.getSecretAccessKey()).thenReturn("def"); - when(creds.getSessionToken()).thenReturn("ghi"); - when(assumeRoleResult.getCredentials()).thenReturn(creds); + when(creds.accessKeyId()).thenReturn("abc"); + when(creds.secretAccessKey()).thenReturn("def"); + when(creds.sessionToken()).thenReturn("ghi"); + when(assumeRoleResult.credentials()).thenReturn(creds); when(sts.assumeRole(any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult); - try (MockedStatic iamClientBuilderStatic = Mockito.mockStatic(AmazonIdentityManagementClientBuilder.class)) { - AmazonIdentityManagementClientBuilder iamClientBuilder = Mockito.mock(AmazonIdentityManagementClientBuilder.class); - AmazonIdentityManagement iamClient = Mockito.mock(AmazonIdentityManagement.class); + try (MockedStatic iamClientStatic = Mockito.mockStatic(IamClient.class)) { + IamClientBuilder iamClientBuilder = Mockito.mock(IamClientBuilder.class); - 
iamClientBuilderStatic.when(AmazonIdentityManagementClientBuilder::standard).thenReturn(iamClientBuilder); - when(iamClientBuilder.withCredentials(any())).thenReturn(iamClientBuilder); - when(iamClientBuilder.withRegion(Mockito.anyString())).thenReturn(iamClientBuilder); + IamClient iamClient = Mockito.mock(IamClient.class); + + iamClientStatic.when(IamClient::builder).thenReturn(iamClientBuilder); + when(iamClientBuilder.credentialsProvider(any())).thenReturn(iamClientBuilder); + when(iamClientBuilder.region(any())).thenReturn(iamClientBuilder); when(iamClientBuilder.build()).thenReturn(iamClient); - List providers = List.of(new OpenIDConnectProviderListEntry().withArn("arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/123456789012")); - when(iamClient.listOpenIDConnectProviders(any(ListOpenIDConnectProvidersRequest.class))).thenReturn(new ListOpenIDConnectProvidersResult().withOpenIDConnectProviderList(providers)); - assertEquals(validator.validateIssuer(instanceConfirmation, attestationData, new StringBuilder()), "https://oidc.eks.us-east-1.amazonaws.com/id/123456789012"); + + List providers = List.of( + OpenIDConnectProviderListEntry.builder().arn("arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/123456789012").build()); + when(iamClient.listOpenIDConnectProviders(any(ListOpenIdConnectProvidersRequest.class))) + .thenReturn(ListOpenIdConnectProvidersResponse.builder().openIDConnectProviderList(providers).build()); + assertEquals(validator.validateIssuer(instanceConfirmation, attestationData, + new StringBuilder()), "https://oidc.eks.us-east-1.amazonaws.com/id/123456789012"); } } 
@@ -189,7 +215,7 @@ public void testValidateIssuerWithoutIAM() { Authorizer authorizer = Mockito.mock(Authorizer.class); when(authorizer.access(any(), any(), any(), any())).thenReturn(true); validator.initialize(sslContext, authorizer); - validator.useIamRoleForIssuerAttestation = new DynamicConfigBoolean(Boolean.valueOf(false)); + validator.useIamRoleForIssuerAttestation = new DynamicConfigBoolean(Boolean.FALSE); InstanceConfirmation instanceConfirmation = new InstanceConfirmation(); instanceConfirmation.setAttributes(new HashMap<>()); IdTokenAttestationData attestationData = new IdTokenAttestationData(); @@ -205,7 +231,7 @@ public void testValidateIssuerWithoutIAMFail() { System.setProperty(DefaultAWSElasticKubernetesServiceValidator.ZTS_PROP_K8S_PROVIDER_AWS_ATTR_VALIDATOR_FACTORY_CLASS, "com.yahoo.athenz.instance.provider.impl.MockFailingAttrValidatorFactory"); Authorizer authorizer = Mockito.mock(Authorizer.class); validator.initialize(sslContext, authorizer); - validator.useIamRoleForIssuerAttestation = new DynamicConfigBoolean(Boolean.valueOf(false)); + validator.useIamRoleForIssuerAttestation = new DynamicConfigBoolean(Boolean.FALSE); InstanceConfirmation instanceConfirmation = new InstanceConfirmation(); instanceConfirmation.setAttributes(new HashMap<>()); IdTokenAttestationData attestationData = new IdTokenAttestationData(); @@ -222,7 +248,7 @@ public void testValidateIssuerNoLaunchAuthorization() { Authorizer authorizer = Mockito.mock(Authorizer.class); when(authorizer.access(any(), any(), any(), any())).thenReturn(false); validator.initialize(sslContext, authorizer); - validator.useIamRoleForIssuerAttestation = new DynamicConfigBoolean(Boolean.valueOf(false)); + validator.useIamRoleForIssuerAttestation = new DynamicConfigBoolean(Boolean.FALSE); InstanceConfirmation instanceConfirmation = new InstanceConfirmation(); instanceConfirmation.setAttributes(new HashMap<>()); IdTokenAttestationData attestationData = new IdTokenAttestationData(); 
@@ -244,6 +270,7 @@ public void testValidateIssuerNoIssuerInToken() { assertNull(validator.validateIssuer(instanceConfirmation, attestationData, new StringBuilder())); } + @Test public void testValidateIssuerNullIssuerDomain() { DefaultAWSElasticKubernetesServiceValidator validator = DefaultAWSElasticKubernetesServiceValidator.getInstance(); 
@@ -282,26 +309,30 @@ public void testValidateIssuerNoIssuerMatch() { IdTokenAttestationData attestationData = new IdTokenAttestationData(); attestationData.setIdentityToken(createToken("athenz.api", "https://zts.athenz.io/zts/v1", "https://oidc.eks.us-east-1.amazonaws.com/id/123456789012")); - AWSSecurityTokenService sts = Mockito.mock(AWSSecurityTokenService.class); + StsClient sts = Mockito.mock(StsClient.class); validator.stsClient = sts; - AssumeRoleResult assumeRoleResult = Mockito.mock(AssumeRoleResult.class); + AssumeRoleResponse assumeRoleResult = Mockito.mock(AssumeRoleResponse.class); Credentials creds = Mockito.mock(Credentials.class); - when(creds.getAccessKeyId()).thenReturn("abc"); - when(creds.getSecretAccessKey()).thenReturn("def"); - when(creds.getSessionToken()).thenReturn("ghi"); - when(assumeRoleResult.getCredentials()).thenReturn(creds); + when(creds.accessKeyId()).thenReturn("abc"); + when(creds.secretAccessKey()).thenReturn("def"); + when(creds.sessionToken()).thenReturn("ghi"); + when(assumeRoleResult.credentials()).thenReturn(creds); when(sts.assumeRole(any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult); - try (MockedStatic iamClientBuilderStatic = Mockito.mockStatic(AmazonIdentityManagementClientBuilder.class)) { - AmazonIdentityManagementClientBuilder iamClientBuilder = Mockito.mock(AmazonIdentityManagementClientBuilder.class); - AmazonIdentityManagement iamClient = Mockito.mock(AmazonIdentityManagement.class); + try (MockedStatic iamClientStatic = Mockito.mockStatic(IamClient.class)) { + IamClientBuilder iamClientBuilder = Mockito.mock(IamClientBuilder.class); - iamClientBuilderStatic.when(AmazonIdentityManagementClientBuilder::standard).thenReturn(iamClientBuilder); - when(iamClientBuilder.withCredentials(any())).thenReturn(iamClientBuilder); - when(iamClientBuilder.withRegion(Mockito.anyString())).thenReturn(iamClientBuilder); + IamClient iamClient = Mockito.mock(IamClient.class); + + 
iamClientStatic.when(IamClient::builder).thenReturn(iamClientBuilder); + when(iamClientBuilder.credentialsProvider(any())).thenReturn(iamClientBuilder); + when(iamClientBuilder.region(any())).thenReturn(iamClientBuilder); when(iamClientBuilder.build()).thenReturn(iamClient); - List providers = List.of(new OpenIDConnectProviderListEntry().withArn("arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/999999999999")); - when(iamClient.listOpenIDConnectProviders(any(ListOpenIDConnectProvidersRequest.class))).thenReturn(new ListOpenIDConnectProvidersResult().withOpenIDConnectProviderList(providers)); + + List providers = List.of( + OpenIDConnectProviderListEntry.builder().arn("arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/999999999999").build()); + when(iamClient.listOpenIDConnectProviders(any(ListOpenIdConnectProvidersRequest.class))) + .thenReturn(ListOpenIdConnectProvidersResponse.builder().openIDConnectProviderList(providers).build()); assertNull(validator.validateIssuer(instanceConfirmation, attestationData, new StringBuilder())); } } diff --git a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProviderTest.java b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProviderTest.java index 34be50073ce..9aaef5a5f06 100644 --- a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProviderTest.java +++ b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceAWSProviderTest.java @@ -15,6 +15,7 @@ */ package com.yahoo.athenz.instance.provider.impl; +import static org.mockito.ArgumentMatchers.any; import static org.testng.Assert.assertNull; import static org.testng.Assert.assertNotNull; import static org.testng.Assert.assertEquals; 
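Review bot: `when(iamClientBuilder.credentialsProvider(any())).thenReturn(iamClientBuilder)` accepts any provider, so this test cannot tell whether the IAM client is built from the assumed-role session credentials (`abc`/`def`/`ghi`) returned by the stubbed `sts.assumeRole` or from the process's default credential chain; a regression that skipped AssumeRole and listed the OIDC providers with ZTS's own identity would still pass. Capture the argument with an `ArgumentCaptor<AwsCredentialsProvider>` and assert that `captor.getValue().resolveCredentials()` is an `AwsSessionCredentials` whose access key is `abc` and session token `ghi`, and pin `region(...)` to the region expected from the token issuer rather than `any()`. As a point of style, `AssumeRoleResponse` and `Credentials` are Mockito mocks of final SDK v2 model classes (which only works under the inline mock maker) while the IAM response is constructed with `ListOpenIdConnectProvidersResponse.builder()`; `AssumeRoleResponse.builder().credentials(Credentials.builder().accessKeyId("abc").secretAccessKey("def").sessionToken("ghi").build()).build()` would be consistent with the rest of the hunk. The test method begins before this hunk.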
@@ -26,18 +27,18 @@ import java.util.Map; import com.yahoo.athenz.instance.provider.InstanceProvider; -import org.mockito.ArgumentMatchers; import org.mockito.Mockito; import org.testng.annotations.AfterMethod; import org.testng.annotations.BeforeMethod; import org.testng.annotations.Test; -import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient; -import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult; import com.yahoo.athenz.instance.provider.InstanceConfirmation; import com.yahoo.athenz.instance.provider.ResourceException; import com.yahoo.rdl.Timestamp; +import software.amazon.awssdk.services.sts.StsClient; +import software.amazon.awssdk.services.sts.model.GetCallerIdentityRequest; +import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse; public class InstanceAWSProviderTest { @@ -566,8 +567,8 @@ public void testVerifyInstanceIdentityNullClient() { public void testVerifyInstanceIdentityNullIdentity() { MockInstanceAWSProvider provider = new MockInstanceAWSProvider(); provider.setIdentitySuper(true); - AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class); - Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(null); + StsClient mockClient = Mockito.mock(StsClient.class); + Mockito.when(mockClient.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(null); provider.setStsClient(mockClient); AWSAttestationData info = new AWSAttestationData(); 
@@ -578,8 +579,8 @@ public void testVerifyInstanceIdentityNullIdentity() { public void testVerifyInstanceIdentityException() { MockInstanceAWSProvider provider = new MockInstanceAWSProvider(); provider.setIdentitySuper(true); - AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class); - Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())) + StsClient mockClient = Mockito.mock(StsClient.class); + Mockito.when(mockClient.getCallerIdentity(any(GetCallerIdentityRequest.class))) .thenThrow(new ResourceException(101, "invaliderror")); provider.setStsClient(mockClient); @@ -591,10 +592,10 @@ public void testVerifyInstanceIdentityException() { public void testVerifyInstanceIdentityARNMismatch() { MockInstanceAWSProvider provider = new MockInstanceAWSProvider(); provider.setIdentitySuper(true); - AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class); - GetCallerIdentityResult result = Mockito.mock(GetCallerIdentityResult.class); - Mockito.when(result.getArn()).thenReturn("arn:aws:sts::1235:assumed-role/athenz.service/athenz.service"); - Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(result); + StsClient mockClient = Mockito.mock(StsClient.class); + GetCallerIdentityResponse result = Mockito.mock(GetCallerIdentityResponse.class); + Mockito.when(result.arn()).thenReturn("arn:aws:sts::1235:assumed-role/athenz.service/athenz.service"); + Mockito.when(mockClient.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(result); provider.setStsClient(mockClient); AWSAttestationData info = new AWSAttestationData(); 
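Review bot: In testVerifyInstanceIdentityException the stub throws Athenz's `ResourceException`, which is not an exception the SDK v2 `StsClient` raises, so the migrated failure path is exercised with the wrong type. The v2 client surfaces failures as `software.amazon.awssdk.core.exception.SdkException` subclasses (`StsException` for service errors, `SdkClientException` for transport/credential errors), and if the production `verifyInstanceIdentity` catches anything narrower than `Exception` this test would pass while a real STS failure propagated; I cannot see the catch clause from here. Consider `.thenThrow(StsException.builder().message("invaliderror").build())` and a second case for `SdkClientException`, with the import added to the file's SDK import group.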
@@ -606,10 +607,10 @@ public void testVerifyInstanceIdentityARNMismatch() { public void testVerifyInstanceIdentity() { MockInstanceAWSProvider provider = new MockInstanceAWSProvider(); provider.setIdentitySuper(true); - AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class); - GetCallerIdentityResult result = Mockito.mock(GetCallerIdentityResult.class); - Mockito.when(result.getArn()).thenReturn("arn:aws:sts::1234:assumed-role/athenz.service/athenz.service"); - Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(result); + StsClient mockClient = Mockito.mock(StsClient.class); + GetCallerIdentityResponse result = Mockito.mock(GetCallerIdentityResponse.class); + Mockito.when(result.arn()).thenReturn("arn:aws:sts::1234:assumed-role/athenz.service/athenz.service"); + Mockito.when(mockClient.getCallerIdentity(any(GetCallerIdentityRequest.class))).thenReturn(result); provider.setStsClient(mockClient); AWSAttestationData info = new AWSAttestationData(); diff --git a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceK8SProviderTest.java b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceK8SProviderTest.java index ed49455d4c4..0978b9c24bf 100644 --- a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceK8SProviderTest.java +++ b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/InstanceK8SProviderTest.java 
@@ -15,15 +15,6 @@ */ package com.yahoo.athenz.instance.provider.impl; -import com.amazonaws.services.identitymanagement.AmazonIdentityManagement; -import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder; -import com.amazonaws.services.identitymanagement.model.ListOpenIDConnectProvidersRequest; -import com.amazonaws.services.identitymanagement.model.ListOpenIDConnectProvidersResult; -import com.amazonaws.services.identitymanagement.model.OpenIDConnectProviderListEntry; -import com.amazonaws.services.securitytoken.AWSSecurityTokenService; -import com.amazonaws.services.securitytoken.model.AssumeRoleRequest; -import com.amazonaws.services.securitytoken.model.AssumeRoleResult; -import com.amazonaws.services.securitytoken.model.Credentials; import com.yahoo.athenz.auth.Authorizer; import com.yahoo.athenz.auth.token.jwts.JwtsHelper; import com.yahoo.athenz.auth.util.Crypto; @@ -33,6 +24,15 @@ import org.mockito.MockedStatic; import org.mockito.Mockito; import org.testng.annotations.Test; +import software.amazon.awssdk.services.iam.IamClient; +import software.amazon.awssdk.services.iam.IamClientBuilder; +import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersRequest; +import software.amazon.awssdk.services.iam.model.ListOpenIdConnectProvidersResponse; +import software.amazon.awssdk.services.iam.model.OpenIDConnectProviderListEntry; +import software.amazon.awssdk.services.sts.StsClient; +import software.amazon.awssdk.services.sts.model.AssumeRoleRequest; +import software.amazon.awssdk.services.sts.model.AssumeRoleResponse; +import software.amazon.awssdk.services.sts.model.Credentials; import java.io.File; import java.io.IOException; 
@@ -180,34 +180,36 @@ public void testConfirmInstanceHappyPathAWS() throws IOException { confirmation.setAttestationData("{\"identityToken\": \"" + createToken("system:serviceaccount:default:my-domain.my-service", "https://zts.athenz.io/zts/v1", "https://oidc.eks.us-east-1.amazonaws.com/id/123456789012") + "\"}"); - AWSSecurityTokenService sts = Mockito.mock(AWSSecurityTokenService.class); - AWSSecurityTokenService stsOrig = DefaultAWSElasticKubernetesServiceValidator.getInstance().stsClient; + StsClient sts = Mockito.mock(StsClient.class); + StsClient stsOrig = DefaultAWSElasticKubernetesServiceValidator.getInstance().stsClient; DefaultAWSElasticKubernetesServiceValidator.getInstance().stsClient = sts; - AssumeRoleResult assumeRoleResult = Mockito.mock(AssumeRoleResult.class); + AssumeRoleResponse assumeRoleResult = Mockito.mock(AssumeRoleResponse.class); Credentials creds = Mockito.mock(Credentials.class); - when(creds.getAccessKeyId()).thenReturn("abc"); - when(creds.getSecretAccessKey()).thenReturn("def"); - when(creds.getSessionToken()).thenReturn("ghi"); - when(assumeRoleResult.getCredentials()).thenReturn(creds); + when(creds.accessKeyId()).thenReturn("abc"); + when(creds.secretAccessKey()).thenReturn("def"); + when(creds.sessionToken()).thenReturn("ghi"); + when(assumeRoleResult.credentials()).thenReturn(creds); when(sts.assumeRole(any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult); - try (MockedStatic iamClientBuilderStatic = Mockito.mockStatic(AmazonIdentityManagementClientBuilder.class)) { - AmazonIdentityManagementClientBuilder iamClientBuilder = Mockito.mock(AmazonIdentityManagementClientBuilder.class); - AmazonIdentityManagement iamClient = Mockito.mock(AmazonIdentityManagement.class); + try (MockedStatic iamClientStatic = Mockito.mockStatic(IamClient.class)) { + IamClientBuilder iamClientBuilder = Mockito.mock(IamClientBuilder.class); - iamClientBuilderStatic.when(AmazonIdentityManagementClientBuilder::standard).thenReturn(iamClientBuilder); 
- when(iamClientBuilder.withCredentials(any())).thenReturn(iamClientBuilder); - when(iamClientBuilder.withRegion(Mockito.anyString())).thenReturn(iamClientBuilder); + IamClient iamClient = Mockito.mock(IamClient.class); + + iamClientStatic.when(IamClient::builder).thenReturn(iamClientBuilder); + when(iamClientBuilder.credentialsProvider(any())).thenReturn(iamClientBuilder); + when(iamClientBuilder.region(any())).thenReturn(iamClientBuilder); when(iamClientBuilder.build()).thenReturn(iamClient); - List providers = List.of(new OpenIDConnectProviderListEntry().withArn("arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/123456789012")); - when(iamClient.listOpenIDConnectProviders(any(ListOpenIDConnectProvidersRequest.class))).thenReturn(new ListOpenIDConnectProvidersResult().withOpenIDConnectProviderList(providers)); + + List providers = List.of( + OpenIDConnectProviderListEntry.builder().arn("arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/123456789012").build()); + when(iamClient.listOpenIDConnectProviders(any(ListOpenIdConnectProvidersRequest.class))) + .thenReturn(ListOpenIdConnectProvidersResponse.builder().openIDConnectProviderList(providers).build()); provider.confirmInstance(confirmation); assertEquals(confirmation.getAttributes().size(), 2); assertEquals(confirmation.getAttributes().get(InstanceProvider.ZTS_CERT_REFRESH), "false"); assertEquals(confirmation.getAttributes().get(InstanceProvider.ZTS_CERT_EXPIRY_TIME), "10080"); - - } catch (ResourceException re) { fail(); } diff --git a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSECSProvider.java b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSECSProvider.java index 32e5b79cb14..c24fa537c69 100644 --- a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSECSProvider.java 
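Review bot: The test swaps the process-wide singleton's client with `DefaultAWSElasticKubernetesServiceValidator.getInstance().stsClient = sts` after saving `stsOrig`, but no restore is visible in the hunk, and if the restore sits after the assertions rather than in a `finally`, a failing `assertEquals` leaves the mock STS client on the shared validator for every later test in the JVM (including the other test class in this patch that also assigns `validator.stsClient`). Wrap the body so that `finally { DefaultAWSElasticKubernetesServiceValidator.getInstance().stsClient = stsOrig; }` always runs; the `catch (ResourceException re) { fail(); }` can be dropped, since an unexpected exception already fails the test with a more useful trace. The stubs `credentialsProvider(any())` and `region(any())` also do not verify that the IAM client is built from the assumed-role credentials returned by `sts.assumeRole`, so the happy path would still pass if the OIDC provider list were fetched with the default credential chain. The test method begins before this hunk.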
+++ b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSECSProvider.java @@ -15,8 +15,8 @@ */ package com.yahoo.athenz.instance.provider.impl; -import com.amazonaws.services.securitytoken.AWSSecurityTokenService; import com.yahoo.athenz.auth.KeyStore; +import software.amazon.awssdk.services.sts.StsClient; import javax.net.ssl.SSLContext; @@ -24,7 +24,7 @@ public class MockInstanceAWSECSProvider extends InstanceAWSECSProvider { boolean identityResult = true; boolean identitySuper = false; - AWSSecurityTokenService stsClient; + StsClient stsClient; @Override public void initialize(String provider, String providerEndpoint, SSLContext sslContext, KeyStore keyStore) { @@ -44,7 +44,7 @@ void setIdentitySuper(boolean value) { identitySuper = value; } - void setStsClient(AWSSecurityTokenService client) { + void setStsClient(StsClient client) { stsClient = client; } @@ -54,7 +54,7 @@ public boolean verifyInstanceIdentity(AWSAttestationData info, final String awsA } @Override - public AWSSecurityTokenService getInstanceClient(AWSAttestationData info) { + public StsClient getInstanceClient(AWSAttestationData info) { return stsClient != null ? stsClient : super.getInstanceClient(info); } } diff --git a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSLambdaProvider.java b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSLambdaProvider.java index b85594c37a7..849a470ce6d 100644 --- a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSLambdaProvider.java +++ b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSLambdaProvider.java 
@@ -15,14 +15,14 @@ */ package com.yahoo.athenz.instance.provider.impl; -import com.amazonaws.services.securitytoken.AWSSecurityTokenService; +import software.amazon.awssdk.services.sts.StsClient; @SuppressWarnings("unused") public class MockInstanceAWSLambdaProvider extends InstanceAWSLambdaProvider { boolean identityResult = true; boolean identitySuper = false; - AWSSecurityTokenService stsClient; + StsClient stsClient; void setIdentityResult(boolean value) { identityResult = value; @@ -32,7 +32,7 @@ void setIdentitySuper(boolean value) { identitySuper = value; } - void setStsClient(AWSSecurityTokenService client) { + void setStsClient(StsClient client) { stsClient = client; } @@ -42,7 +42,7 @@ public boolean verifyInstanceIdentity(AWSAttestationData info, final String awsA } @Override - public AWSSecurityTokenService getInstanceClient(AWSAttestationData info) { + public StsClient getInstanceClient(AWSAttestationData info) { return stsClient != null ? stsClient : super.getInstanceClient(info); } } diff --git a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSProvider.java b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSProvider.java index dfbdc559227..de8e3ef9a87 100644 --- a/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSProvider.java +++ b/libs/java/instance_provider/src/test/java/com/yahoo/athenz/instance/provider/impl/MockInstanceAWSProvider.java @@ -15,8 +15,8 @@ */ package com.yahoo.athenz.instance.provider.impl; -import com.amazonaws.services.securitytoken.AWSSecurityTokenService; import com.yahoo.athenz.auth.KeyStore; +import software.amazon.awssdk.services.sts.StsClient; import javax.net.ssl.SSLContext; 
@@ -26,7 +26,7 @@ public class MockInstanceAWSProvider extends InstanceAWSProvider { boolean signatureResult = true; boolean identityResult = true; boolean identitySuper = false; - AWSSecurityTokenService stsClient; + StsClient stsClient; @Override public void initialize(String provider, String providerEndpoint, SSLContext sslContext, KeyStore keyStore) { @@ -46,7 +46,7 @@ void setIdentitySuper(boolean value) { identitySuper = value; } - void setStsClient(AWSSecurityTokenService client) { + void setStsClient(StsClient client) { stsClient = client; } @@ -56,7 +56,7 @@ public boolean verifyInstanceIdentity(AWSAttestationData info, final String awsA } @Override - public AWSSecurityTokenService getInstanceClient(AWSAttestationData info) { + public StsClient getInstanceClient(AWSAttestationData info) { return stsClient != null ? stsClient : super.getInstanceClient(info); } }