Added obtaining of IAM roles. #24

Closed
wants to merge 1 commit into from
Expand Up @@ -5,6 +5,7 @@
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.List;

import javax.inject.Inject;
import javax.inject.Named;
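Review bot: the `import java.util.List;` added in this hunk is not used by anything visible in the change; both `obtainRoles` and `getRoles` are declared to return `Collection<String>` and build an `ArrayList`, so the import is dead and will be flagged by most linters. Either drop it or, if the intent was to expose a `List<String>` return type, change the signatures to match. It is also worth confirming that `java.io.BufferedReader` and `java.io.InputStreamReader`, which the new method depends on, are imported above this hunk, since they do not appear in the visible import block.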
Expand Down Expand Up @@ -79,14 +80,64 @@ protected Set<GrantedAuthority> getAuthorities(String username) throws Authentic
return authorities;
}

private Collection<String> getRoles(String username) {
/**
* Lists roles of AWS from IAM profile of pointed user.
*
* @param userName given userName in AWS
* @param showErrorOutput flag marking outputing errors to console
* @return collection with user's roles
*/
public static Collection<String> obtainRoles(String userName, boolean showErrorOutput) {
Collection<String> roles = new ArrayList<String>();

final String baseCommand = "aws iam list-groups-for-user --user-name";
String command = String.format("%s %s", baseCommand, userName);

BufferedReader reader = null;
Process process;
try {
process = Runtime.getRuntime().exec(command);
process.waitFor();
So you have changed the app to connect to AWS. Nice feature.
But should we have that by default? What if the project does not want to use AWS? What if the "aws" command is not available?
Do not get me wrong: I love the idea, but this could be an option, or maybe we need more like documentation having that as a code snippet, or we could add some minimum module code for this that can be opted in.
See also:
oasp/oasp4j#633

reader = new BufferedReader(new InputStreamReader(process.getInputStream()));

String line;
while ((line = reader.readLine()) != null) {
String theLine = line.trim();
if (theLine.startsWith("\"GroupName\": ")) {
String roleName = theLine.substring(14, theLine.length() - 1);
roles.add(roleName);
}
}
} catch (Exception exc_1) {
if (showErrorOutput) {
exc_1.printStackTrace();
}
} finally {
if (reader != null) {
try {
reader.close();
} catch (Exception exc_2) {
You could use try-with-resources syntax to reduce your code and make it simpler and more compact.
https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html

if (showErrorOutput) {
System.err.println("Couldn't even close the BufferedReader.");
}
}
}
}

Collection<String> roles = new ArrayList<>();
// TODO for a reasonable application you need to retrieve the roles of the user from a central IAM system
roles.add(username);
return roles;
}

/**
* Return list of IAM roles.
*
* @param username pointed user's name
* @return obtained roles
*/
private Collection<String> getRoles(String username) {

return this.obtainRoles(username);
}

/**
* @return amBuilder
*/
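Review bot: `getRoles` at the end of this hunk calls `this.obtainRoles(username)` with a single argument, but `obtainRoles` is declared as `public static Collection<String> obtainRoles(String userName, boolean showErrorOutput)`, so the change does not compile as written; pass the flag explicitly (for example `obtainRoles(username, false)`) and call it as the static method it is rather than through `this`. Second, the command is assembled with `String.format("%s %s", baseCommand, userName)` and handed to `Runtime.getRuntime().exec(command)`, and the `String` overload of `exec` splits on whitespace, so a user name containing spaces reaches the aws CLI as several tokens instead of one argument; since `username` arrives from the authentication request (`getAuthorities(String username)`), build the invocation with a `ProcessBuilder` or the `exec(String[])` overload with the user name as its own array element, and reject values outside the IAM user-name character set before spawning anything. Third, `process.waitFor()` is called before stdout is read, which can hang if the CLI's JSON output fills the pipe buffer, and the exit code is never checked, so a missing `aws` binary or a failed API call silently produces an empty collection (and logs nothing when `showErrorOutput` is false); read and drain the streams first, then wait and test the exit status. The fixed-offset parse `theLine.substring(14, theLine.length() - 1)` also depends on the exact formatting and key order of the CLI output; a JSON parser, or `--query 'Groups[].GroupName' --output text`, would be more robust. Finally, the Javadoc and method names speak of IAM roles, but `aws iam list-groups-for-user` returns IAM groups, so either the naming or the documentation should say which one is meant.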