Skip to content
This repository has been archived by the owner on Jan 12, 2024. It is now read-only.

* fix issue where removing an assumed-role's SDB permissions will mak… #182

Merged
merged 4 commits into from
Jan 9, 2019
Merged

* fix issue where removing an assumed-role's SDB permissions will mak… #182

merged 4 commits into from
Jan 9, 2019

Conversation

mayitbeegh
Copy link
Contributor

…e the assumed-role lose access to the SDB even if the base IAM role has permissions

  • fix issue where an assumed-role doesn't inherit base IAM role's admin privileges

@mayitbeegh
* fix issue where removing an assumed-role's SDB permissions will mak…
2a08737 
…e the assumed-role lose access to the SDB even if the base IAM role has permissions

* fix issue where an assumed-role doesn't inherit base IAM role's admin privileges
@mayitbeegh
* remove useless parentheses
32e7470
@coveralls
Copy link

coveralls commented Jan 4, 2019
edited
Loading

Coverage Status

Coverage increased (+0.3%) to 55.312% when pulling 0347086 on fix/sts-lost-sdb-access into baccaf3 on master.

fieldju
fieldju reviewed Jan 8, 2019
View reviewed changes
src/main/java/com/nike/cerberus/dao/SafeDepositBoxDao.java
@@ -46,6 +46,12 @@ public SafeDepositBoxDao(final SafeDepositBoxMapper safeDepositBoxMapper) {
return safeDepositBoxMapper.getIamRoleAssociatedSafeDepositBoxRoles(awsIamRoleArn, iamRootArn);
}

public List<SafeDepositBoxRoleRecord> getIamAssumedRoleAssociatedSafeDepositBoxRoles(final String iamAssumedRoleArn,
final String awsIamRoleArn,
final String iamRootArn) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whitespace looks off

fieldju
fieldju reviewed Jan 8, 2019
View reviewed changes
src/main/java/com/nike/cerberus/dao/SafeDepositBoxDao.java Outdated
@@ -59,6 +65,12 @@ public SafeDepositBoxDao(final SafeDepositBoxMapper safeDepositBoxMapper) {
return safeDepositBoxMapper.getIamPrincipalAssociatedSafeDepositBoxes(iamPrincipalArn, iamRootArn);
}

public List<SafeDepositBoxRecord> getAssumedRoleAssociatedSafeDepositBoxes(final String iamAssumedRoleArn,
final String iamRoleArn,
final String iamRootArn) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whitespace looks off

fieldju
fieldju reviewed Jan 8, 2019
View reviewed changes
src/main/java/com/nike/cerberus/mapper/PermissionsMapper.java
@@ -27,6 +27,12 @@ Boolean doesIamPrincipalHaveGivenRoleForSdb(@Param("sdbId") String sdbId,
@Param("iamRootArn") String iamRootArn,
@Param("rolesThatAllowPermission") Set<String> rolesThatAllowPermission);

Boolean doesAssumedRoleHaveGivenRoleForSdb(@Param("sdbId") String sdbId,
@Param("assumedRoleArn") String assumedRoleArn,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whitespace looks off

fieldju
fieldju reviewed Jan 8, 2019
View reviewed changes
src/main/java/com/nike/cerberus/mapper/SafeDepositBoxMapper.java Outdated
List<SafeDepositBoxRecord> getUserAssociatedSafeDepositBoxes(@Param("userGroups") Set<String> userGroups);

List<SafeDepositBoxRecord> getUserAssociatedSafeDepositBoxesIgnoreCase(@Param("userGroups") Set<String> userGroups);

List<SafeDepositBoxRecord> getIamPrincipalAssociatedSafeDepositBoxes(@Param("iamPrincipalArn") final String iamPrincipalArn,
@Param("iamRootArn") final String iamRootArn);

List<SafeDepositBoxRecord> getIamAssumedRoleAssociatedSafeDepositBoxes(@Param("iamAssumedRoleArn") final String iamAssumedRoleArn,
@Param("iamRoleArn") final String iamRoleArn,
@Param("iamRootArn") final String iamRootArn);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whitespace looks off

fieldju
fieldju reviewed Jan 8, 2019
View reviewed changes
src/main/resources/com/nike/cerberus/mapper/PermissionsMapper.xml
@@ -42,6 +42,30 @@
) as HAS_PERM;
</select>

<select id="doesAssumedRoleHaveGivenRoleForSdb" resultType="Boolean">
SELECT NOT 0 >= (
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whitespace looks off

fieldju
fieldju reviewed Jan 8, 2019
View reviewed changes
src/main/java/com/nike/cerberus/util/AwsIamRoleArnParser.java Outdated
@@ -113,6 +113,18 @@ public boolean isRoleArn(final String arn) {
return iamRoleArnMatcher.find();
}

/**
* Returns true if the ARN is in format 'arn:aws:iam::000000000:role/example' and false if not
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this example arn is for a role arn and not an assume role arn

fieldju
fieldju approved these changes Jan 9, 2019
View reviewed changes
Copy link
Contributor

@fieldju fieldju left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mayitbeegh mayitbeegh merged commit f5c1ec9 into master Jan 9, 2019
@fieldju fieldju deleted the fix/sts-lost-sdb-access branch December 13, 2019 16:01
@snyk-bot snyk-bot mentioned this pull request Oct 10, 2021
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@fieldju fieldju fieldju approved these changes

@sdford sdford Awaiting requested review from sdford

@melanahammel melanahammel Awaiting requested review from melanahammel

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mayitbeegh @coveralls @fieldju