com.amazonaws.services.kms.model.GetKeyPolicyRequest Java Examples

public static void main(String[] args) {
    final String USAGE =
        "To run this example, supply a key id or ARN\n" +
        "Usage: GetKeyPolicy <key-id>\n" +
        "Example: GetKeyPolicy 1234abcd-12ab-34cd-56ef-1234567890ab\n";

    if (args.length != 1) {
        System.out.println(USAGE);
        System.exit(1);
    }

    String keyId = args[0];

    AWSKMS kmsClient = AWSKMSClientBuilder.standard().build();

    // Get the policy for a CMK
    String policyName = "default";

    GetKeyPolicyRequest req = new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName(policyName);
    GetKeyPolicyResult result = kmsClient.getKeyPolicy(req);

    System.out.printf("Found key policy for %s:%n%s%n", keyId, result.getPolicy());

}
 

@Test
public void test_validatePolicy_validates_policy_when_validate_interval_has_passed() {
  String kmsKeyArn = "kms key arn";
  String awsIamRoleRecordId = "aws iam role record id";
  String kmsCMKRegion = "kmsCMKRegion";
  String policy = "policy";
  OffsetDateTime lastValidated = OffsetDateTime.of(2016, 1, 1, 1, 1, 1, 1, ZoneOffset.UTC);
  OffsetDateTime now = OffsetDateTime.now();

  AWSKMSClient client = mock(AWSKMSClient.class);
  when(client.describeKey(anyObject()))
      .thenReturn(
          new DescribeKeyResult()
              .withKeyMetadata(new KeyMetadata().withKeyState(KeyState.Enabled)));

  when(kmsClientFactory.getClient(kmsCMKRegion)).thenReturn(client);

  GetKeyPolicyResult result = mock(GetKeyPolicyResult.class);
  when(result.getPolicy()).thenReturn(policy);
  when(client.getKeyPolicy(
          new GetKeyPolicyRequest().withKeyId(kmsKeyArn).withPolicyName("default")))
      .thenReturn(result);
  when(kmsPolicyService.isPolicyValid(policy)).thenReturn(true);

  AwsIamRoleKmsKeyRecord kmsKey = mock(AwsIamRoleKmsKeyRecord.class);
  when(kmsKey.getAwsIamRoleId()).thenReturn(awsIamRoleRecordId);
  when(kmsKey.getAwsKmsKeyId()).thenReturn(kmsKeyArn);
  when(kmsKey.getAwsRegion()).thenReturn(kmsCMKRegion);
  when(kmsKey.getLastValidatedTs()).thenReturn(lastValidated);
  when(awsIamRoleDao.getKmsKey(awsIamRoleRecordId, kmsCMKRegion)).thenReturn(Optional.of(kmsKey));

  when(dateTimeSupplier.get()).thenReturn(now);
  kmsService.validateKeyAndPolicy(kmsKey, kmsKeyArn);

  verify(client, times(1))
      .getKeyPolicy(new GetKeyPolicyRequest().withKeyId(kmsKeyArn).withPolicyName("default"));
  verify(kmsPolicyService, times(1)).isPolicyValid(policy);
}
 

@Test
public void test_validateKeyAndPolicy_does_not_throw_error_when_cannot_validate() {
  String keyId = "key-id";
  String iamPrincipalArn = "arn";
  String kmsCMKRegion = "kmsCMKRegion";
  String policy = "policy";
  OffsetDateTime lastValidated = OffsetDateTime.of(2016, 1, 1, 1, 1, 1, 1, ZoneOffset.UTC);
  OffsetDateTime now = OffsetDateTime.now();
  when(dateTimeSupplier.get()).thenReturn(now);

  AwsIamRoleKmsKeyRecord kmsKey = mock(AwsIamRoleKmsKeyRecord.class);
  when(kmsKey.getAwsKmsKeyId()).thenReturn(keyId);
  when(kmsKey.getAwsIamRoleId()).thenReturn(iamPrincipalArn);
  when(kmsKey.getAwsRegion()).thenReturn(kmsCMKRegion);
  when(kmsKey.getLastValidatedTs()).thenReturn(lastValidated);

  AWSKMSClient client = mock(AWSKMSClient.class);
  when(kmsClientFactory.getClient(kmsCMKRegion)).thenReturn(client);

  GetKeyPolicyResult result = mock(GetKeyPolicyResult.class);
  when(result.getPolicy()).thenReturn(policy);
  when(client.getKeyPolicy(new GetKeyPolicyRequest().withKeyId(keyId).withPolicyName("default")))
      .thenThrow(AmazonServiceException.class);

  kmsService.validateKeyAndPolicy(kmsKey, iamPrincipalArn);

  verify(kmsPolicyService, never()).isPolicyValid(policy);
  verify(client, never()).putKeyPolicy(anyObject());
}
 

@Override
public GetKeyPolicyResult getKeyPolicy(GetKeyPolicyRequest arg0) throws AmazonServiceException,
        AmazonClientException {
    throw new java.lang.UnsupportedOperationException();
}