com.amazonaws.services.secretsmanager.model.GetSecretValueResult Java Examples

The following examples show how to use com.amazonaws.services.secretsmanager.model.GetSecretValueResult.
Example #1
Source File: SecretCacheObject.java    From aws-secretsmanager-caching-java with Apache License 2.0 6 votes vote down vote up
/**
 * Return a defensive copy of the cached GetSecretValue result.
 *
 * The cache is refreshed first, and the whole operation runs while holding
 * {@code lock}. If no data is cached and an exception has been recorded,
 * that exception is rethrown.
 *
 * @return A copy of the cached GetSecretValue result, or null when there is
 *         no cached result.
 */
public GetSecretValueResult getSecretValue() {
    synchronized (lock) {
        refresh();
        if (null == this.data && null != this.exception) {
            throw this.exception;
        }

        final GetSecretValueResult cached = this.getSecretValue(this.getResult());
        if (null == cached) {
            // Nothing is cached for this secret.
            return null;
        }

        // Callers get a copy so they cannot modify the cached secret.
        // clone() does not deep-copy every member, so the binary payload
        // (if one exists) and the version stages are copied separately.
        final GetSecretValueResult copy = cached.clone();
        copy.setSecretBinary(clone(copy.getSecretBinary()));
        copy.setVersionStages(clone(copy.getVersionStages()));
        return copy;
    }
}
 
Example #2
Source File: AwsSecretsManagerPropertySourceLocatorTest.java    From spring-cloud-aws with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies the order of the contexts built for application name "messaging-service",
 * default context "application" and active profile "test".
 */
@Test
public void contextSpecificOrderExpected() {
	AwsSecretsManagerProperties config = new AwsSecretsManagerPropertiesBuilder()
			.withDefaultContext("application")
			.withName("messaging-service")
			.build();

	// Stubbed Secrets Manager answer: placeholder key/value JSON, not a real credential.
	GetSecretValueResult stubbedSecret = new GetSecretValueResult();
	stubbedSecret.setSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
	when(smClient.getSecretValue(any(GetSecretValueRequest.class)))
			.thenReturn(stubbedSecret);

	AwsSecretsManagerPropertySourceLocator locator =
			new AwsSecretsManagerPropertySourceLocator(smClient, config);
	env.setActiveProfiles("test");
	locator.locate(env);

	// Expected order: name+profile, name, default context+profile, default context.
	List<String> orderedContexts = new ArrayList<>(locator.getContexts());
	assertThat(orderedContexts.get(0)).isEqualTo("/secret/messaging-service_test");
	assertThat(orderedContexts.get(1)).isEqualTo("/secret/messaging-service");
	assertThat(orderedContexts.get(2)).isEqualTo("/secret/application_test");
	assertThat(orderedContexts.get(3)).isEqualTo("/secret/application");
}
 
Example #3
Source File: AwsSecretsManagerPropertySourceLocatorTest.java    From spring-cloud-aws with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that four contexts are built when the application name ("messaging-service")
 * differs from the default context ("application") and one profile is active.
 */
@Test
public void contextExpectedToHave4Elements() {
	AwsSecretsManagerProperties config = new AwsSecretsManagerPropertiesBuilder()
			.withDefaultContext("application")
			.withName("messaging-service")
			.build();

	// Stubbed Secrets Manager answer: placeholder key/value JSON, not a real credential.
	GetSecretValueResult stubbedSecret = new GetSecretValueResult();
	stubbedSecret.setSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
	when(smClient.getSecretValue(any(GetSecretValueRequest.class)))
			.thenReturn(stubbedSecret);

	AwsSecretsManagerPropertySourceLocator locator =
			new AwsSecretsManagerPropertySourceLocator(smClient, config);
	env.setActiveProfiles("test");
	locator.locate(env);

	assertThat(locator.getContexts()).hasSize(4);
}
 
Example #4
Source File: AwsSecretsManagerPropertySourceLocatorTest.java    From spring-cloud-aws with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that only two contexts are built when the application name equals the
 * default context (both "application") and one profile is active.
 */
@Test
public void contextExpectedToHave2Elements() {
	AwsSecretsManagerProperties config = new AwsSecretsManagerPropertiesBuilder()
			.withDefaultContext("application")
			.withName("application")
			.build();

	// Stubbed Secrets Manager answer: placeholder key/value JSON, not a real credential.
	GetSecretValueResult stubbedSecret = new GetSecretValueResult();
	stubbedSecret.setSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
	when(smClient.getSecretValue(any(GetSecretValueRequest.class)))
			.thenReturn(stubbedSecret);

	AwsSecretsManagerPropertySourceLocator locator =
			new AwsSecretsManagerPropertySourceLocator(smClient, config);
	env.setActiveProfiles("test");
	locator.locate(env);

	assertThat(locator.getContexts()).hasSize(2);
}
 
Example #5
Source File: SecretsManagerSecretEngine.java    From kork with Apache License 2.0 6 votes vote down vote up
/**
 * Fetches a secret from AWS Secrets Manager.
 *
 * <p>A new client for {@code secretRegion} is built on every call.
 *
 * @param secretRegion region the Secrets Manager client is built for
 * @param secretName identifier passed as the request's secret id
 * @return the GetSecretValue result returned by the service
 * @throws SecretException wrapping any {@code AWSSecretsManagerException}; the message names
 *     the secret and the region only, never the secret value
 */
protected GetSecretValueResult getSecretValue(String secretRegion, String secretName) {
  final AWSSecretsManager secretsManager =
      AWSSecretsManagerClientBuilder.standard().withRegion(secretRegion).build();
  final GetSecretValueRequest request = new GetSecretValueRequest().withSecretId(secretName);

  try {
    return secretsManager.getSecretValue(request);
  } catch (AWSSecretsManagerException e) {
    final String message =
        String.format(
            "An error occurred when using AWS Secrets Manager to fetch: [secretName: %s, secretRegion: %s]",
            secretName, secretRegion);
    throw new SecretException(message, e);
  }
}
 
Example #6
Source File: SecretsManagerSecretEngine.java    From kork with Apache License 2.0 6 votes vote down vote up
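/**
 * Resolves an encrypted-secret reference against AWS Secrets Manager and returns the secret
 * as bytes.
 *
 * <p>For an encrypted-file reference the whole secret is returned: the binary payload when the
 * result has one, otherwise the secret string encoded as UTF-8. For any other reference the
 * lookup is delegated to {@code getSecretString}, with the key when one is given.
 *
 * @param encryptedSecret reference carrying the region, name and optional key parameters
 * @return the secret bytes; for the encrypted-file case a freshly allocated array
 */
@Override
public byte[] decrypt(EncryptedSecret encryptedSecret) {
  String secretRegion = encryptedSecret.getParams().get(SECRET_REGION);
  String secretName = encryptedSecret.getParams().get(SECRET_NAME);
  String secretKey = encryptedSecret.getParams().get(SECRET_KEY);

  if (encryptedSecret.isEncryptedFile()) {
    GetSecretValueResult secretFileValue = getSecretValue(secretRegion, secretName);
    java.nio.ByteBuffer secretBinary = secretFileValue.getSecretBinary();
    if (secretBinary != null) {
      // ByteBuffer.array() returns the whole backing array regardless of position, limit and
      // array offset, and throws for read-only or direct buffers. Copy exactly the readable
      // bytes through a separate view so the buffer's own position is not disturbed.
      java.nio.ByteBuffer view = secretBinary.asReadOnlyBuffer();
      byte[] secretBytes = new byte[view.remaining()];
      view.get(secretBytes);
      return secretBytes;
    }
    // Encode with an explicit charset: getBytes() without one uses the platform default, so
    // the returned key material could differ between hosts.
    // NOTE(review): a result with neither a binary nor a string payload still fails here
    // with a NullPointerException, as before.
    return secretFileValue.getSecretString().getBytes(java.nio.charset.StandardCharsets.UTF_8);
  } else if (secretKey != null) {
    return getSecretString(secretRegion, secretName, secretKey);
  } else {
    return getSecretString(secretRegion, secretName);
  }
}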
 
Example #7
Source File: SecretsManagerTest.java    From fernet-java8 with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that getSecretStage requests the AWSPENDING stage of the secret and returns the
 * binary payload of the response.
 */
@Test
public final void verifyGetSecretStageRetrievesBinary() throws UnsupportedEncodingException {
    // given: the delegate answers the AWSPENDING lookup for "secret" with a binary payload
    final GetSecretValueRequest expectedRequest = new GetSecretValueRequest();
    expectedRequest.setSecretId("secret");
    expectedRequest.setVersionStage("AWSPENDING");
    final GetSecretValueResult stubbedResponse = new GetSecretValueResult();
    stubbedResponse.setSecretBinary(ByteBuffer.wrap("expected".getBytes("UTF-8")));
    given(delegate.getSecretValue(eq(expectedRequest))).willReturn(stubbedResponse);

    // when
    final ByteBuffer actual = manager.getSecretStage("secret", PENDING);

    // then: the readable bytes of the returned buffer are the stubbed payload
    final byte[] payload = new byte[actual.remaining()];
    actual.get(payload);
    assertEquals("expected", new String(payload, "UTF-8"));
}
 
Example #8
Source File: SecretsManagerTest.java    From fernet-java8 with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that getSecretVersion requests the given version id of the secret and returns the
 * binary payload of the response.
 */
@Test
public final void verifyGetSecretVersionRetrievesBinary() throws UnsupportedEncodingException {
    // given: the delegate answers the lookup for version "version" with a binary payload
    final GetSecretValueRequest expectedRequest = new GetSecretValueRequest();
    expectedRequest.setSecretId("secret");
    expectedRequest.setVersionId("version");
    final GetSecretValueResult stubbedResponse = new GetSecretValueResult();
    stubbedResponse.setSecretBinary(ByteBuffer.wrap("expected".getBytes("UTF-8")));
    given(delegate.getSecretValue(eq(expectedRequest))).willReturn(stubbedResponse);

    // when
    final ByteBuffer actual = manager.getSecretVersion("secret", "version");

    // then: the readable bytes of the returned buffer are the stubbed payload
    final byte[] payload = new byte[actual.remaining()];
    actual.get(payload);
    assertEquals("expected", new String(payload, "UTF-8"));
}
 
Example #9
Source File: CachableSecretsManager.java    From aws-athena-query-federation with Apache License 2.0 6 votes vote down vote up
/**
 * Retrieves a secret from SecretsManager, first checking the cache. A missing entry, or one
 * older than MAX_CACHE_AGE_MS, is fetched again and the new value is added to the cache.
 *
 * @param secretName The name of the secret to retrieve.
 * @return The value of the secret, throws if no such secret is found.
 */
public String getSecret(String secretName)
{
    final CacheEntry cached = cache.get(secretName);
    final boolean needsFetch = cached == null || cached.getAge() > MAX_CACHE_AGE_MS;
    if (!needsFetch) {
        return cached.getValue();
    }

    // Only the secret's name is logged, never its value.
    logger.info("getSecret: Resolving secret[{}].", secretName);
    final GetSecretValueRequest request = new GetSecretValueRequest().withSecretId(secretName);
    final GetSecretValueResult fetched = secretsManager.getSecretValue(request);
    // NOTE(review): only the string form is cached; for a secret stored as binary
    // getSecretString() is presumably null and that null would be cached - confirm.
    final CacheEntry fresh = new CacheEntry(secretName, fetched.getSecretString());
    // Make room before inserting when the cache has reached MAX_CACHE_SIZE.
    evictCache(cache.size() >= MAX_CACHE_SIZE);
    cache.put(secretName, fresh);
    return fresh.getValue();
}
 
Example #10
Source File: CacheableSecretsManagerTest.java    From aws-athena-query-federation with Apache License 2.0 6 votes vote down vote up
/**
 * Checks that an entry added with the current time is served without calling Secrets Manager,
 * and that an entry added with timestamp 0 is fetched again from the stub.
 */
@Test
public void expirationTest()
{
    // Entry stamped "now": the mock must not be touched.
    cachableSecretsManager.addCacheEntry("test", "value", System.currentTimeMillis());
    assertEquals("value", cachableSecretsManager.getSecret("test"));
    verifyNoMoreInteractions(mockSecretsManager);
    reset(mockSecretsManager);

    // The stub knows only the secret id "test" (case-insensitive); anything else throws.
    when(mockSecretsManager.getSecretValue(any(GetSecretValueRequest.class)))
            .thenAnswer((InvocationOnMock call) -> {
                GetSecretValueRequest lookup = call.getArgumentAt(0, GetSecretValueRequest.class);
                if (!lookup.getSecretId().equalsIgnoreCase("test")) {
                    throw new RuntimeException();
                }
                return new GetSecretValueResult().withSecretString("value2");
            });

    // Entry stamped 0: the stubbed "value2" must replace the stale "value".
    cachableSecretsManager.addCacheEntry("test", "value", 0);
    assertEquals("value2", cachableSecretsManager.getSecret("test"));
}
 
Example #11
Source File: CacheableSecretsManagerTest.java    From aws-athena-query-federation with Apache License 2.0 6 votes vote down vote up
/**
 * Fills the cache with MAX_CACHE_SIZE entries, then checks that looking up a new secret and
 * the entry "test0" both go to Secrets Manager (two calls in total).
 */
@Test
public void evictionTest()
{
    int filled = 0;
    while (filled < CachableSecretsManager.MAX_CACHE_SIZE) {
        cachableSecretsManager.addCacheEntry("test" + filled, "value" + filled, System.currentTimeMillis());
        filled++;
    }

    // The stub echoes the requested id with a "_value" suffix, which distinguishes a fetched
    // value from the pre-loaded "value<i>" entries.
    when(mockSecretsManager.getSecretValue(any(GetSecretValueRequest.class)))
            .thenAnswer((InvocationOnMock call) -> {
                GetSecretValueRequest lookup = call.getArgumentAt(0, GetSecretValueRequest.class);
                String echoed = lookup.getSecretId() + "_value";
                return new GetSecretValueResult().withSecretString(echoed);
            });

    assertEquals("test_value", cachableSecretsManager.getSecret("test"));
    // "test0" was pre-loaded as "value0"; getting "test0_value" shows it was fetched again.
    assertEquals("test0_value", cachableSecretsManager.getSecret("test0"));

    verify(mockSecretsManager, times(2)).getSecretValue(any(GetSecretValueRequest.class));
}
 
Example #12
Source File: RedisMetadataHandlerTest.java    From aws-athena-query-federation with Apache License 2.0 6 votes vote down vote up
/**
 * Builds the handler under test with mocked collaborators and stubs Secrets Manager so that
 * only the secret id "endpoint" resolves.
 */
@Before
public void setUp()
        throws Exception
{
    logger.info("{}: enter", testName.getMethodName());

    // The connection factory hands out the mock client for the decoded endpoint only.
    when(mockFactory.getOrCreateConn(eq(decodedEndpoint))).thenReturn(mockClient);

    handler = new RedisMetadataHandler(mockGlue, new LocalKeyFactory(), mockSecretsManager, mockAthena, mockFactory, "bucket", "prefix");
    allocator = new BlockAllocatorImpl();

    // Secret id "endpoint" (case-insensitive) resolves to decodedEndpoint; any other id
    // fails, so an unexpected secret lookup surfaces as an exception in the test.
    when(mockSecretsManager.getSecretValue(any(GetSecretValueRequest.class)))
            .thenAnswer((InvocationOnMock invocation) -> {
                GetSecretValueRequest request = invocation.getArgumentAt(0, GetSecretValueRequest.class);
                if ("endpoint".equalsIgnoreCase(request.getSecretId())) {
                    return new GetSecretValueResult().withSecretString(decodedEndpoint);
                }
                throw new RuntimeException("Unknown secret " + request.getSecretId());
            });
}
 
Example #13
Source File: MySqlMetadataHandlerTest.java    From aws-athena-query-federation with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the mocked collaborators and the MySqlMetadataHandler under test.
 */
@Before
public void setup()
{
    this.jdbcConnectionFactory = Mockito.mock(JdbcConnectionFactory.class);
    // Deep stubs let chained calls on the connection return mocks without explicit stubbing.
    this.connection = Mockito.mock(Connection.class, Mockito.RETURNS_DEEP_STUBS);
    Mockito.when(this.jdbcConnectionFactory.getConnection(Mockito.any(JdbcCredentialProvider.class))).thenReturn(this.connection);
    this.secretsManager = Mockito.mock(AWSSecretsManager.class);
    this.athena = Mockito.mock(AmazonAthena.class);
    // Only the exact request for secret id "testSecret" is stubbed; the JSON holds fixture
    // credentials (testUser/testPassword), not real ones.
    Mockito.when(this.secretsManager.getSecretValue(Mockito.eq(new GetSecretValueRequest().withSecretId("testSecret")))).thenReturn(new GetSecretValueResult().withSecretString("{\"username\": \"testUser\", \"password\": \"testPassword\"}"));
    this.mySqlMetadataHandler = new MySqlMetadataHandler(databaseConnectionConfig, this.secretsManager, this.athena, this.jdbcConnectionFactory);
    this.federatedIdentity = Mockito.mock(FederatedIdentity.class);
}
 
Example #14
Source File: CacheableSecretsManagerTest.java    From aws-athena-query-federation with Apache License 2.0 5 votes vote down vote up
/**
 * Exercises resolveSecrets against a stub that returns each secret's id as its value and
 * fails for the id "unknown" (case-insensitive).
 */
@Test
public void resolveSecrets()
{
    when(mockSecretsManager.getSecretValue(any(GetSecretValueRequest.class)))
            .thenAnswer((InvocationOnMock call) -> {
                GetSecretValueRequest lookup = call.getArgumentAt(0, GetSecretValueRequest.class);
                String secretId = lookup.getSecretId();
                if (secretId.equalsIgnoreCase("unknown")) {
                    throw new RuntimeException("Unknown secret!");
                }
                return new GetSecretValueResult().withSecretString(secretId);
            });

    // A single ${...} placeholder is replaced by the secret's value.
    String singlePlaceholder = "${OneSecret}";
    String singleResolved = "OneSecret";
    assertEquals(singleResolved, cachableSecretsManager.resolveSecrets(singlePlaceholder));

    // Several placeholders embedded in other text are each replaced.
    String twoPlaceholders = "ThisIsMyStringWith${TwoSecret}SuperSecret${Secrets}";
    String twoResolved = "ThisIsMyStringWithTwoSecretSuperSecretSecrets";
    assertEquals(twoResolved, cachableSecretsManager.resolveSecrets(twoPlaceholders));

    // Text without placeholders comes back unchanged.
    String plainText = "ThisIsMyStringWithTwoSecretSuperSecretSecrets";
    String plainTextExpected = "ThisIsMyStringWithTwoSecretSuperSecretSecrets";
    assertEquals(plainTextExpected, cachableSecretsManager.resolveSecrets(plainText));

    // Malformed or unterminated placeholders are left as they are.
    String malformed = "ThisIsM}yStringWi${thTwoSecretS{uperSecretSecrets";
    String malformedExpected = "ThisIsM}yStringWi${thTwoSecretS{uperSecretSecrets";
    assertEquals(malformedExpected, cachableSecretsManager.resolveSecrets(malformed));

    // A placeholder naming a secret the stub rejects must make resolveSecrets throw.
    String unresolvable = "This${Unknown}";
    try {
        cachableSecretsManager.resolveSecrets(unresolvable);
        fail("Should not see this!");
    }
    catch (RuntimeException expected) {
        // Expected: the lookup failure propagates out of resolveSecrets.
    }
}
 
Example #15
Source File: AwsSecretsManagerPropertySourceLocatorTest.java    From spring-cloud-aws with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that a locator built without an explicit name yields a property source named
 * "aws-secrets-manager".
 */
@Test
void locate_nameNotSpecifiedInConstructor_returnsPropertySourceWithDefaultName() {
	// Stubbed Secrets Manager answer: placeholder key/value JSON, not a real credential.
	GetSecretValueResult stubbedSecret = new GetSecretValueResult();
	stubbedSecret.setSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
	when(smClient.getSecretValue(any(GetSecretValueRequest.class)))
			.thenReturn(stubbedSecret);

	AwsSecretsManagerProperties defaults = new AwsSecretsManagerProperties();
	AwsSecretsManagerPropertySourceLocator locator =
			new AwsSecretsManagerPropertySourceLocator(smClient, defaults);

	PropertySource located = locator.locate(env);

	assertThat(located.getName()).isEqualTo("aws-secrets-manager");
}
 
Example #16
Source File: AwsSecretsManagerPropertySourceLocatorTest.java    From spring-cloud-aws with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that a locator built with the name "my-name" yields a property source carrying
 * that name.
 */
@Test
void locate_nameSpecifiedInConstructor_returnsPropertySourceWithSpecifiedName() {
	// Stubbed Secrets Manager answer: placeholder key/value JSON, not a real credential.
	GetSecretValueResult stubbedSecret = new GetSecretValueResult();
	stubbedSecret.setSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
	when(smClient.getSecretValue(any(GetSecretValueRequest.class)))
			.thenReturn(stubbedSecret);

	AwsSecretsManagerProperties defaults = new AwsSecretsManagerProperties();
	AwsSecretsManagerPropertySourceLocator locator =
			new AwsSecretsManagerPropertySourceLocator("my-name", smClient, defaults);

	PropertySource located = locator.locate(env);

	assertThat(located.getName()).isEqualTo("my-name");
}
 
Example #17
Source File: AwsSecretsManagerPropertySourceTest.java    From spring-cloud-aws with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that init() turns the JSON secret string into one property per key.
 */
@Test
void shouldParseSecretValue() {
	// Stubbed Secrets Manager answer: a flat JSON object with two placeholder entries.
	GetSecretValueResult stubbedSecret = new GetSecretValueResult();
	stubbedSecret.setSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
	when(smClient.getSecretValue(any(GetSecretValueRequest.class)))
			.thenReturn(stubbedSecret);

	propertySource.init();

	// Both keys are exposed, in order, with their JSON values.
	assertThat(propertySource.getPropertyNames()).containsExactly("key1", "key2");
	assertThat(propertySource.getProperty("key1")).isEqualTo("value1");
	assertThat(propertySource.getProperty("key2")).isEqualTo("value2");
}
 
Example #18
Source File: JdbcMetadataHandlerTest.java    From aws-athena-query-federation with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the mocked collaborators and an anonymous JdbcMetadataHandler subclass with stubbed
 * partition and split methods.
 */
@Before
public void setup()
{
    this.jdbcConnectionFactory = Mockito.mock(JdbcConnectionFactory.class);
    // Deep stubs let chained calls on the connection return mocks without explicit stubbing.
    this.connection = Mockito.mock(Connection.class, Mockito.RETURNS_DEEP_STUBS);
    Mockito.when(this.jdbcConnectionFactory.getConnection(Mockito.any(JdbcCredentialProvider.class))).thenReturn(this.connection);
    this.secretsManager = Mockito.mock(AWSSecretsManager.class);
    this.athena = Mockito.mock(AmazonAthena.class);
    // Only the exact request for secret id "testSecret" is stubbed; the JSON holds fixture
    // credentials (testUser/testPassword), not real ones.
    Mockito.when(this.secretsManager.getSecretValue(Mockito.eq(new GetSecretValueRequest().withSecretId("testSecret")))).thenReturn(new GetSecretValueResult().withSecretString("{\"username\": \"testUser\", \"password\": \"testPassword\"}"));
    // The connection string carries a ${testSecret} placeholder and the config names the same
    // secret; presumably the handler resolves it through the mocked Secrets Manager - confirm.
    DatabaseConnectionConfig databaseConnectionConfig = new DatabaseConnectionConfig("testCatalog", JdbcConnectionFactory.DatabaseEngine.MYSQL,
            "mysql://jdbc:mysql://hostname/${testSecret}", "testSecret");
    this.jdbcMetadataHandler = new JdbcMetadataHandler(databaseConnectionConfig, this.secretsManager, this.athena, jdbcConnectionFactory)
    {
        // Minimal overrides so the handler can be instantiated for the tests.
        @Override
        public Schema getPartitionSchema(final String catalogName)
        {
            return PARTITION_SCHEMA;
        }

        @Override
        public void getPartitions(final BlockWriter blockWriter, final GetTableLayoutRequest getTableLayoutRequest, QueryStatusChecker queryStatusChecker)
        {
        }

        @Override
        public GetSplitsResponse doGetSplits(BlockAllocator blockAllocator, GetSplitsRequest getSplitsRequest)
        {
            return null;
        }
    };
    this.federatedIdentity = Mockito.mock(FederatedIdentity.class);
    this.blockAllocator = Mockito.mock(BlockAllocator.class);
}
 
Example #19
Source File: JdbcRecordHandlerTest.java    From aws-athena-query-federation with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the mocked collaborators and an anonymous JdbcRecordHandler subclass whose split
 * query is always the prepared statement for "someSql".
 */
@Before
public void setup()
        throws SQLException
{
    // Deep stubs let chained calls on the connection return mocks without explicit stubbing.
    this.connection = Mockito.mock(Connection.class, Mockito.RETURNS_DEEP_STUBS);
    this.jdbcConnectionFactory = Mockito.mock(JdbcConnectionFactory.class);
    Mockito.when(this.jdbcConnectionFactory.getConnection(Mockito.any(JdbcCredentialProvider.class))).thenReturn(this.connection);
    this.amazonS3 = Mockito.mock(AmazonS3.class);
    this.secretsManager = Mockito.mock(AWSSecretsManager.class);
    this.athena = Mockito.mock(AmazonAthena.class);
    this.queryStatusChecker = Mockito.mock(QueryStatusChecker.class);
    // Only the exact request for secret id "testSecret" is stubbed; the JSON holds fixture
    // credentials (testUser/testPassword), not real ones.
    Mockito.when(this.secretsManager.getSecretValue(Mockito.eq(new GetSecretValueRequest().withSecretId("testSecret")))).thenReturn(new GetSecretValueResult().withSecretString("{\"username\": \"testUser\", \"password\": \"testPassword\"}"));
    this.preparedStatement = Mockito.mock(PreparedStatement.class);
    Mockito.when(this.connection.prepareStatement("someSql")).thenReturn(this.preparedStatement);
    // The connection string carries a ${testSecret} placeholder and the config names the same
    // secret; presumably the handler resolves it through the mocked Secrets Manager - confirm.
    DatabaseConnectionConfig databaseConnectionConfig = new DatabaseConnectionConfig("testCatalog", JdbcConnectionFactory.DatabaseEngine.MYSQL,
            "mysql://jdbc:mysql://hostname/${testSecret}", "testSecret");
    this.jdbcRecordHandler = new JdbcRecordHandler(this.amazonS3, this.secretsManager, this.athena, databaseConnectionConfig, this.jdbcConnectionFactory)
    {
        // Fixed SQL text, so the statement returned is the mocked preparedStatement above.
        @Override
        public PreparedStatement buildSplitSql(Connection jdbcConnection, String catalogName, TableName tableName, Schema schema, Constraints constraints, Split split)
                throws SQLException
        {
            return jdbcConnection.prepareStatement("someSql");
        }
    };
    this.federatedIdentity = Mockito.mock(FederatedIdentity.class);
}
 
Example #20
Source File: SecretsManagerSecretEngine.java    From cerberus with Apache License 2.0 5 votes vote down vote up
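/**
 * Fetches the referenced secret from AWS Secrets Manager and returns it as bytes.
 *
 * <p>When the result carries a secret string, the string is parsed as a flat JSON object and
 * the entry named by the secret-key parameter is returned, encoded as UTF-8. Otherwise the
 * binary payload is returned.
 *
 * @param encryptedSecret reference carrying the secret name, region and key parameters
 * @return a freshly allocated array holding the secret bytes
 * @throws RuntimeException if the fetch fails, if the JSON has no entry for the requested key,
 *     or if the result has neither a string nor a binary payload
 */
@Override
public byte[] decrypt(EncryptedSecret encryptedSecret) {
  String secretName = encryptedSecret.getParams().get(SECRET_NAME);
  String secretRegion = encryptedSecret.getParams().get(SECRET_REGION);
  String secretKey = encryptedSecret.getParams().get(SECRET_KEY);

  AWSSecretsManager client =
      AWSSecretsManagerClientBuilder.standard().withRegion(secretRegion).build();

  GetSecretValueRequest getSecretValueRequest =
      new GetSecretValueRequest().withSecretId(secretName);
  GetSecretValueResult getSecretValueResult;

  try {
    getSecretValueResult = client.getSecretValue(getSecretValueRequest);
  } catch (Exception e) {
    // Identifiers only (name, region, key name); the secret value is never logged.
    log.error(
        "An error occurred when trying to use AWS Secrets Manager to fetch: [secretName: {}, secretRegion: {}, secretKey: {}]",
        secretName,
        secretRegion,
        secretKey,
        e);
    throw new RuntimeException("Failed to fetch secret from AWS Secrets Manager", e);
  }

  String secretString = getSecretValueResult.getSecretString();
  if (secretString != null) {
    Type type = new TypeToken<Map<String, String>>() {}.getType();
    Map<String, String> entries = new Gson().fromJson(secretString, type);
    // A missing key parameter or a key absent from the JSON used to end in a bare
    // NullPointerException; report it with the identifiers instead (never the value).
    String value = (entries == null || secretKey == null) ? null : entries.get(secretKey);
    if (value == null) {
      throw new RuntimeException(
          String.format(
              "AWS Secrets Manager secret has no value for the requested key: [secretName: %s, secretRegion: %s, secretKey: %s]",
              secretName, secretRegion, secretKey));
    }
    return value.getBytes(StandardCharsets.UTF_8);
  }

  java.nio.ByteBuffer secretBinary = getSecretValueResult.getSecretBinary();
  if (secretBinary == null) {
    throw new RuntimeException(
        String.format(
            "AWS Secrets Manager returned neither a string nor a binary secret: [secretName: %s, secretRegion: %s]",
            secretName, secretRegion));
  }
  // ByteBuffer.array() returns the whole backing array regardless of position, limit and array
  // offset, and throws for read-only or direct buffers. Copy exactly the readable bytes
  // through a separate view so the buffer's own position is not disturbed.
  java.nio.ByteBuffer view = secretBinary.asReadOnlyBuffer();
  byte[] binarySecret = new byte[view.remaining()];
  view.get(binarySecret);
  return binarySecret;
}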
 
Example #21
Source File: PostGreSqlMetadataHandlerTest.java    From aws-athena-query-federation with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the mocked collaborators and the PostGreSqlMetadataHandler under test.
 */
@Before
public void setup()
{
    this.jdbcConnectionFactory = Mockito.mock(JdbcConnectionFactory.class);
    // Deep stubs let chained calls on the connection return mocks without explicit stubbing.
    this.connection = Mockito.mock(Connection.class, Mockito.RETURNS_DEEP_STUBS);
    Mockito.when(this.jdbcConnectionFactory.getConnection(Mockito.any(JdbcCredentialProvider.class))).thenReturn(this.connection);
    this.secretsManager = Mockito.mock(AWSSecretsManager.class);
    // Only the exact request for secret id "testSecret" is stubbed; the JSON holds fixture
    // credentials (testUser/testPassword), not real ones.
    Mockito.when(this.secretsManager.getSecretValue(Mockito.eq(new GetSecretValueRequest().withSecretId("testSecret")))).thenReturn(new GetSecretValueResult().withSecretString("{\"username\": \"testUser\", \"password\": \"testPassword\"}"));
    // NOTE(review): this.athena is not assigned in this method; unless it is initialised
    // elsewhere in the class, null is passed to the handler here - confirm.
    this.postGreSqlMetadataHandler = new PostGreSqlMetadataHandler(databaseConnectionConfig, this.secretsManager, this.athena, this.jdbcConnectionFactory);
    this.federatedIdentity = Mockito.mock(FederatedIdentity.class);
}
 
Example #22
Source File: SecretsManagerTest.java    From fernet-java8 with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that assertCurrentStageExists completes without throwing when the AWSCURRENT
 * lookup for the secret succeeds.
 */
@Test
public final void verifyAssertDoesNothing() {
    // given: the AWSCURRENT lookup for "secret" returns an (empty) result
    final GetSecretValueRequest currentStageRequest = new GetSecretValueRequest();
    currentStageRequest.setSecretId("secret");
    currentStageRequest.setVersionStage("AWSCURRENT");
    final GetSecretValueResult emptyResult = new GetSecretValueResult();
    given(delegate.getSecretValue(eq(currentStageRequest))).willReturn(emptyResult);

    // when
    manager.assertCurrentStageExists("secret");

    // then: nothing to assert, the call simply must not throw
}
 
Example #23
Source File: SecretsManager.java    From fernet-java8 with Apache License 2.0 5 votes vote down vote up
/**
 * Retrieve a specific stage of the secret.
 *
 * @param secretId the ARN of the secret
 * @param stage the stage of the secret to retrieve
 * @return the Fernet key or keys in binary form, exactly as returned by
 *         {@code getSecretBinary()} on the service result
 */
public ByteBuffer getSecretStage(final String secretId, final Stage stage) {
    // The stage is sent under its AWS name (stage.getAwsName()).
    final GetSecretValueRequest stageRequest = new GetSecretValueRequest()
            .withSecretId(secretId)
            .withVersionStage(stage.getAwsName());
    return getDelegate().getSecretValue(stageRequest).getSecretBinary();
}
 
Example #24
Source File: SecretsManager.java    From fernet-java8 with Apache License 2.0 5 votes vote down vote up
/**
 * Retrieve a specific version of the secret. This requires the permission <code>secretsmanager:GetSecretValue</code>
 *
 * @param secretId the ARN of the secret
 * @param clientRequestToken the version identifier of the secret
 * @return the Fernet key or keys in binary form, exactly as returned by
 *         {@code getSecretBinary()} on the service result
 */
public ByteBuffer getSecretVersion(final String secretId, final String clientRequestToken) {
    // The client request token is sent as the version id of the request.
    final GetSecretValueRequest versionRequest = new GetSecretValueRequest()
            .withSecretId(secretId)
            .withVersionId(clientRequestToken);
    return getDelegate().getSecretValue(versionRequest).getSecretBinary();
}
 
Example #25
Source File: SecretCacheTest.java    From aws-secretsmanager-caching-java with Apache License 2.0 5 votes vote down vote up
/**
 * Prepares the canned GetSecretValue result and stubs the Secrets Manager client before each
 * test method.
 */
@BeforeMethod
public void setUp() {
    // Canned result with a single version stage "v1" and no secret payload.
    getSecretValueResult = new GetSecretValueResult().withVersionStages(Arrays.asList("v1"));
    // Presumably creates the annotated mocks (including asm), so it has to run before the
    // stubbing below - confirm against the field declarations.
    MockitoAnnotations.initMocks(this);
    Mockito.when(asm.describeSecret(Mockito.any())).thenReturn(describeSecretResult);
    Mockito.when(asm.getSecretValue(Mockito.any())).thenReturn(getSecretValueResult);
}
 
Example #26
Source File: SecretCacheVersion.java    From aws-secretsmanager-caching-java with Apache License 2.0 5 votes vote down vote up
/**
 * Execute the logic to perform the actual refresh of the item: request this
 * object's secret id at this object's version id from AWS Secrets Manager.
 *
 * @return The result from AWS Secrets Manager for the refresh.
 */
@Override
protected GetSecretValueResult executeRefresh() {
    final GetSecretValueRequest versionRequest = new GetSecretValueRequest()
            .withSecretId(this.secretId)
            .withVersionId(this.versionId);
    // The request goes through updateUserAgent(...) before it is sent.
    return client.getSecretValue(updateUserAgent(versionRequest));
}
 
Example #27
Source File: SecretCache.java    From aws-secretsmanager-caching-java with Apache License 2.0 3 votes vote down vote up
/**
 * Method to retrieve a string secret from AWS Secrets Manager.
 *
 * @param secretId
 *        The identifier for the secret being requested.
 * @return The string secret, or null when the cache item has no
 *         GetSecretValue result.
 */
public String getSecretString(final String secretId) {
    final SecretCacheItem cacheItem = this.getCachedSecret(secretId);
    final GetSecretValueResult cachedValue = cacheItem.getSecretValue();
    return (null == cachedValue) ? null : cachedValue.getSecretString();
}
 
Example #28
Source File: SecretCacheItem.java    From aws-secretsmanager-caching-java with Apache License 2.0 3 votes vote down vote up
/**
 * Return the cached result from AWS Secrets Manager for GetSecretValue.
 *
 * @param describeResult
 *            The result of the Describe Secret request to AWS Secrets Manager.
 * @return The cached GetSecretValue result, or null when no version is
 *         found for the describe result.
 */
@Override
protected GetSecretValueResult getSecretValue(DescribeSecretResult describeResult) {
    final SecretCacheVersion current = getVersion(describeResult);
    return (null != current) ? current.getSecretValue() : null;
}
 
Example #29
Source File: SecretCache.java    From aws-secretsmanager-caching-java with Apache License 2.0 3 votes vote down vote up
/**
 * Method to retrieve a binary secret from AWS Secrets Manager.
 *
 * @param secretId
 *        The identifier for the secret being requested.
 * @return The binary secret, or null when the cache item has no
 *         GetSecretValue result.
 */
public ByteBuffer getSecretBinary(final String secretId) {
    final SecretCacheItem cacheItem = this.getCachedSecret(secretId);
    final GetSecretValueResult cachedValue = cacheItem.getSecretValue();
    return (null == cachedValue) ? null : cachedValue.getSecretBinary();
}
 
Example #30
Source File: SecretCacheObject.java    From aws-secretsmanager-caching-java with Apache License 2.0 2 votes vote down vote up
/**
 * Execute the actual refresh of the cached secret state.
 *
 * NOTE(review): only the declaration is visible here. Implementations may
 * return null when nothing is cached for the given state, so call sites
 * should null-check the result - confirm against the subclasses.
 *
 * @param result
 *            The AWS Secrets Manager result for the secret state.
 * @return The cached GetSecretValue result based on the current
 *         cached state.
 */
protected abstract GetSecretValueResult getSecretValue(T result);