
Using JMeter for Web Service Security (WSS) Testing (jmeter webdriver)


This article covers using JMeter for Web Service Security (WSS) testing (jmeter webdriver). It also collects practical material on calling a WebService from a .NET client (including WS-Security), and example source code for com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder, com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient and com.amazonaws.services.securitytoken.AWSSecurityTokenService.


Using JMeter for Web Service Security (WSS) Testing (jmeter webdriver)

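    For load testing, JMeter is without doubt a good choice: it is open source, easy to use, free, and supports a fairly wide range of protocols. We recently had to load-test a web service and chose JMeter as well. We ran into one problem, though: we needed to do WSS testing, and JMeter does not officially support WSS testing, so you have to write your own plugin. That has a couple of drawbacks: first, it is laborious, because you have to learn JMeter's plugin conventions; second, UI work is not my strong point. I then thought of two workarounds:

    1. Have JMeter call a Java test, and implement the WSS call logic yourself in Java. This is fairly simple: the Java class only needs to extend AbstractJavaSamplerClient and implement the runTest method. Inside that method we build the WSS header, then send the request with HttpClient and read the result.

    Note: for generating the WSS header, see my article: http://www.voidcn.com/article/p-gbhbdyph-bha.html

    Export the Java test project as a jar and put it under ${JMETER_HOME}\lib\ext\, put the jars the project depends on under ${JMETER_HOME}\lib, and restart JMeter. After creating a Sampler/Java Request you will see it.

    2. Modify the JMeter source code

    The only difference between a WSS request and an ordinary WS request is that the ordinary one lacks the security header. If we can add the security header before the ordinary WS request is sent, we are done.

    I used JMeter 2.6. As preparation, download both the JMeter binary and the source; they are available here: http://mirror.bjtu.edu.cn/apache/jmeter/.

     Unpack both the source and the binary, import the source into an Eclipse project, and copy the jars from the binary's lib directory into the project's lib directory. Once that is in place, we modify the source: on top of the existing WS request we add a file chooser for a WSS config file, and we change the send path to check whether a WSS config file is set. If it is, the security header is added according to the config file; otherwise an ordinary WS request is sent, without the security header. The code to change and the steps are as follows.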

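    1) In the core project, find the resource package org.apache.jmeter.resources, which holds the internationalization property files. Add one line to every file in it:

        get_wss_config_file=Webservice Security Config Properties File

    This is the label text for the WSS file field.

    2) Open the Java file org.apache.jmeter.protocol.http.sampler.WebServiceSampler and add the following code:

        A: Add a property that stores the selected WSS config file:

        private static final String wssConfigFile = "WebserviceSampler.wssConfigFile";
        public String getWssConfigFile() {
            return getPropertyAsString(wssConfigFile);
        }
        public void setWssConfigFile(String wssConfigFileValue) {
            setProperty(wssConfigFile,wssConfigFileValue);
        }

        B: Check whether a WSS file is set and decide whether to add the security header. Do this in the method openDocument(String file) just before it returns, that is, before return doc, for example by adding a call like this:

        addWSSecurity(doc);

        You have to implement this method yourself; for how to generate the header, see my article: http://www.voidcn.com/article/p-gbhbdyph-bha.html

        The implementation will certainly depend on other jars; all of them must be placed under ${JMETER_HOME}\lib.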

    3) Open the Java file org.apache.jmeter.protocol.http.control.gui.WebServiceSamplerGui; four lines of code need to be added:

        A. Add a class field: private final FilePanel wssConfigFile = new FilePanel(JMeterUtils.getResString("get_wss_config_file"),".properties");

        B. In the method modifyTestElement(TestElement s), add the line: sampler.setWssConfigFile(wssConfigFile.getFilename());

        C. In the method clearGui(), add the line: wssConfigFile.setFilename("");

        D. In the method createMessagePanel(), below the line southPane.add(ranDomXMLPane); add the line: southPane.add(wssConfigFile);

    4) Re-export the jars

        A. Export the src/protocol/http project, overwriting ${JMETER_HOME}\lib\ext\ApacheJMeter_http.jar

        B. Export the src/core project, overwriting ${JMETER_HOME}\lib\ext\ApacheJMeter_core.jar

    JMeter can now be restarted.
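One possible shape for the addWSSecurity(doc) step that both approaches depend on, as an added example that is not the author's code and not part of JMeter: it inserts a WS-Security UsernameToken (PasswordDigest) header into a parsed SOAP envelope using only the JDK. The Properties argument, the keys wss.username and wss.password, the class name and the sample envelope are assumptions (the post does not describe its config file format), and the code assumes Java 8 or later.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;
import java.util.Properties;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

public class WssHeaderExample {
    static final String WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
    static final String WSSE_NS = WSS + "wssecurity-secext-1.0.xsd";
    static final String WSU_NS = WSS + "wssecurity-utility-1.0.xsd";
    static final String DIGEST_TYPE = WSS + "username-token-profile-1.0#PasswordDigest";
    static final String BASE64_TYPE = WSS + "soap-message-security-1.0#Base64Binary";
    static final String XMLNS = "http://www.w3.org/2000/xmlns/";

    /** Adds a wsse:Security header; cfg == null means "no WSS file chosen", so the request stays plain. */
    static void addWSSecurity(Document doc, Properties cfg) throws Exception {
        if (cfg == null) {
            return;
        }
        String user = cfg.getProperty("wss.username");     // hypothetical key
        String password = cfg.getProperty("wss.password"); // hypothetical key
        if (user == null || password == null) {
            throw new IllegalStateException("wss.username and wss.password are required");
        }
        Element envelope = doc.getDocumentElement();
        String soapNs = envelope.getNamespaceURI();
        if (soapNs == null || !"Envelope".equals(envelope.getLocalName())) {
            throw new IllegalArgumentException("document is not a SOAP envelope");
        }
        // soap:Header must be the first child of the envelope; create it if the template has none.
        Element header = firstChild(envelope, soapNs, "Header");
        if (header == null) {
            String prefix = envelope.getPrefix();
            header = doc.createElementNS(soapNs, (prefix == null ? "" : prefix + ":") + "Header");
            envelope.insertBefore(header, envelope.getFirstChild());
        }
        if (firstChild(header, WSSE_NS, "Security") != null) {
            return; // template already carries a security header
        }
        // Fresh nonce and timestamp on every call: a load test that replays one
        // header is rejected by servers that enforce nonce and Created checks.
        byte[] nonce = new byte[16];
        new SecureRandom().nextBytes(nonce);
        String created = Instant.now().truncatedTo(ChronoUnit.SECONDS).toString();
        // The UsernameToken profile fixes the digest as Base64(SHA-1(nonce + created + password)).
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        String digest = Base64.getEncoder().encodeToString(sha1.digest());

        Element security = append(header, WSSE_NS, "wsse:Security", null);
        security.setAttributeNS(XMLNS, "xmlns:wsse", WSSE_NS);
        security.setAttributeNS(XMLNS, "xmlns:wsu", WSU_NS);
        Element token = append(security, WSSE_NS, "wsse:UsernameToken", null);
        append(token, WSSE_NS, "wsse:Username", user);
        append(token, WSSE_NS, "wsse:Password", digest).setAttributeNS(null, "Type", DIGEST_TYPE);
        append(token, WSSE_NS, "wsse:Nonce", Base64.getEncoder().encodeToString(nonce))
                .setAttributeNS(null, "EncodingType", BASE64_TYPE);
        append(token, WSU_NS, "wsu:Created", created);
    }

    static Element firstChild(Element parent, String ns, String local) {
        for (Node c = parent.getFirstChild(); c != null; c = c.getNextSibling()) {
            if (c instanceof Element && ns.equals(c.getNamespaceURI()) && local.equals(c.getLocalName())) {
                return (Element) c;
            }
        }
        return null;
    }

    static Element append(Element parent, String ns, String qname, String text) {
        Element e = parent.getOwnerDocument().createElementNS(ns, qname);
        if (text != null) {
            e.setTextContent(text);
        }
        parent.appendChild(e);
        return e;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request and credentials, for illustration only.
        String soap = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body><checkBalance/></soapenv:Body></soapenv:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in test templates
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(soap)));
        Properties cfg = new Properties();
        cfg.setProperty("wss.username", "loadtest-user");
        cfg.setProperty("wss.password", "constructed-password");
        addWSSecurity(doc, cfg);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        System.out.println(out);
    }
}
```

In approach 2 the call would sit in openDocument just before return doc, with the Properties loaded from the file returned by getWssConfigFile(); in approach 1 it would run inside runTest before the request is handed to HttpClient.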

   

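    Comparing the two approaches: the first is somewhat simpler and does not require changing the JMeter source, but you have to implement sending the WSS request yourself. The second requires changing the JMeter source, but you do not have to implement the sending logic; you only decide, before the request is sent, whether to add the security header. Each approach has its own strengths and weaknesses, and the choice is up to you.

Source: 冯立彬's blog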

Calling a WebService from a .NET Client (Including WS-Security)

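(This article is excerpted from 互联网单元测试及实践.)

The previous section introduced how to call the service from a test client. This section covers client calls in the .NET environment, focusing on how to generate the client proxy and how to configure the WSS client.

8.6.1  Generating the interface proxy class

When calling a WebService interface under .NET, an important point is that the SOAP messages must be encoded so that the service becomes a client callable from .NET. The client proxy class must derive from the SoapHttpClientProtocol class. This text gives two ways to write the proxy class quickly, for the reader's reference.

This section first describes how to generate the proxy class with the Web Reference feature built into VS2005.

The following uses the service provided at http://10.0.4.138:1688/webservice/AppConsumeService?wsdl as an example to explain how to generate the proxy class in VS2005 and call the WebService interface as if it were a local method.

Step 1: Create a new project TestHello in VS2005; the details are not covered here.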

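Step 2: Right-click References in the project and click Add Web Reference, as shown in Figure 8.5.

Figure 8.5

Step 3: In the URL box of the Add Web Reference dialog, enter the WSDL address and click Go; the editor automatically retrieves the SOAP protocol content from the WSDL. The reference name can be edited in the Web reference name box (Figure 8.6). In this example, enter APPTEST.

Figure 8.6

Step 4: After you click Add Reference, the proxy class file is generated automatically. In the VS2005 menu choose Project -> Show All Files; an APPTEST package appears in the project directory, and opening it shows Reference.map -> Reference.cs. The key points of that code are explained below.

Code 8.14

public partial class AppConsumeService : System.Web.Services.Protocols.SoapHttpClientProtocol {
       // implementation code
}

Code 8.14 shows that the proxy class derives from SoapHttpClientProtocol. If you want to add more information to the message header, such as signature information, Microsoft provides the class Microsoft.Web.Services2.WebServicesClientProtocol; see section 8.6.2 for details.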

Code 8.15

01    [System.Web.Services.Protocols.SoapDocumentMethodAttribute("urn:checkBalance",
02    RequestNamespace="http://account.api.core.aep.alisoft.com",
03    ResponseNamespace="http://account.api.core.aep.alisoft.com",
04    Use=System.Web.Services.Description.SoapBindingUse.Literal,
05    ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
06            [return: System.Xml.Serialization.XmlElementAttribute("return",IsNullable=true)]
07            public string checkBalance([System.Xml.Serialization.XmlElementAttribute(IsNullable=true)] string param0,
08            [System.Xml.Serialization.XmlElementAttribute(IsNullable=true)] string param1,
09             double param2,
10            [System.Xml.Serialization.XmlIgnoreAttribute()] bool param2Specified) {
11                object[] results = this.Invoke("checkBalance",new object[] {
12                            param0,
13                            param1,
14                            param2,
15                            param2Specified});
16                return ((string)(results[0]));
17            }

   

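Code 8.15 shows that the proxy class generated automatically by VS2005 has mapped the methods according to the WSDL file published by the web service, such as the checkBalance method in the example. Lines 1-6 of the code state explicitly how this code maps to the WSDL, including the namespace it belongs to.

Generating the client automatically with VS2005 is a convenient way to write client test code. However, if you want to edit the SOAP request message the client sends and inspect the response message it receives, that is awkward to do in VS.NET. Microsoft released .NET WebService Studio (WSS), a general-purpose tool for interactive testing of web services. This text mainly covers using WSS to generate the proxy class and to run some simple tests.

➢  Testing methods directly with WSS

Open WSS (Figure 8.7) and enter the WSDL address in the WSDL EndPoint box, again using http://10.0.4.138:1688/webservice/AppConsumeService?wsdl as the example, then click Get. The tree on the Invoke tab lists the methods the service contains. Click one of the methods, such as checkBalance, set the parameter values, and click Invoke; the result of the call appears in Output (Figure 8.7).

Figure 8.7

➢  Editing the SOAP message directly for simple tests

After the previous steps, click the Request/Response tab to see the SOAP message content actually exchanged at the message level. As shown in Figure 8.8, the content in the red box can be edited; click Send to test directly at the message level.

Figure 8.8

➢  Generating the proxy class directly with the tool

The WSS tool can also generate the .NET proxy class code. Click the WSDLs & Proxy tab, then click Proxy in the tree on the left to see the C# code of the proxy class; copy it into your own project to use it.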

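8.6.2  Calling a WS-Security service from the client

This section describes how to use .NET as the client to call server-side methods that verify a digital signature. To test a method for which the server requires signature verification, the signature information (produced with the signing private key) must be loaded into the message header before the server-side method is called. To that end, this section covers how to create a certificate usable under .NET, how to sign with the certificate under .NET, and how to write the test case.

■  How to create the certificate

There are many ways to create a certificate. The method described here imports the information in a jks file into the Windows certificate manager so that .NET can use it.

Step 1: Generate 0001.jks with keygen.bat from Code 8.13 in section 8.5.2.

Step 2: Use the tool JKS2PFX.bat to convert 0001.jks into a pfx file that can be imported into the Windows certificate manager. Running the command in Code 8.16 produces 0001.pfx.

Code 8.16

jks2pfx 0001.jks 123456 123456 0001

Step 3: Import the certificate into the Windows certificate manager. In cmd, type mmc to open the Windows console, then click Add/Remove Snap-in - Certificates. On the screen shown in Figure 8.9, click Certificates (Current User) -> Personal -> Certificates. Right-click and choose to import a certificate, and import the certificate into the Personal certificate store.

Figure 8.9

Step 4: Cut the certificate with the alias mike from Personal (the certificate imported in Step 3) and paste it into the Trusted Root Certification Authorities folder so that the certificate is trusted.

Step 5: Copy the now-trusted certificate back into the Personal -> Certificates folder.

Step 6: Repeat Steps 1 through 5 to bring the server's public key into the certificate manager.

■  How to use the certificate under .NET

This text describes how to use Microsoft WSE2.0 to load the WS-Security signature. Before using this method, install the Microsoft WSE2.0 tool; the tool is located at CD:kkkkk. In this example we create a new project TestWSE and, step by step, complete the WSE configuration and the configuration-related code on top of it.

Step 1: Add the Web reference to the project, as described in 8.6.1. After the Web reference is added, an app.config file is added to the project.

Step 2: From the program list open WSE2.0 -> Configuration Editor (Figure 8.10), and click File -> Open to open the app.config file added in Step 1. Check Enable this project for Web Services Enhancements. Click Policy and check Enable Policy; click Add, click OK in the dialog that appears to enter the Security settings wizard, and click Next; select Secure a client application and click Next; in the message settings box choose to sign the Request and Response messages and click Next; click Select Certificate and choose the certificate Mike; in the Trusted Server Certificates window click Add and select the certificate that contains the server's public key. Click Save; the WSE proxy file configuration is complete.

Step 3: Refresh the project and click Show All Files; a new file PolicyCache.config appears. Add that file to the project. Under References add a reference to Microsoft.Web.Services2, then edit the code in Reference.cs to change the proxy class's base class from System.Web.Services.Protocols.SoapHttpClientProtocol to Microsoft.Web.Services2.WebServicesClientProtocol.

Step 4: Edit PolicyCache.config to suit your situation. If you only need to sign the messages you send, only the request policy is needed, for example <request policy="#Sign-X.509-5" />, and you can delete the information related to the response policy. You can also change wssp:MessageParts to decide which parts of the message are signed; this must match the server's configuration. This text is only concerned with signing the messages the client sends, so the response policy content is deleted.

With these four steps done, the .NET WS-Security configuration is complete. The following describes how to write test code for it.

■  How to write the test code

This subsection describes how to use the NUnit framework to write a test case that calls a service protected by WS-Security. The code is written on top of the TestWSE project.

First, add the NUnit Framework component to the project: right-click, choose Add Reference, select nunit.framework, and click OK.

At the top of the file add using NUnit.Framework, add [TestFixture] before the class declaration, and add [Test] before the method of each test case, as in Code 8.17.

Code 8.17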

01   using System;
02   using System.Collections.Generic;
03   using System.Text;
04   using NUnit.Framework;
05   namespace TestWSE
06   {
07     [TestFixture]
08       class TestHello
09       {
10       [Test]
11       public void TestCheckBalance()
12       {
13           Test.APPTEST.AppConsumeService ws = new Test.APPTEST.AppConsumeService();
14           String result = ws.checkBalance("2","2",10.2,true);
15           Assert.AreEqual("-3",result);
16       }
17       }
18   }

 

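Line 04: adds the NUnit.Framework reference

Line 13: creates an instance of the proxy class

Line 14: calls the server-side code under test

Line 15: asserts on the result of the call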

Example source code for com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder

Project: alexa-meets-polly    File: ConvertService.java
public static AmazonS3 getS3Client(final String region,final String roleArn) {
    final Regions awsRegion = StringUtils.isNullOrEmpty(region) ? Regions.US_EAST_1 : Regions.fromName(region);

    if (StringUtils.isNullOrEmpty(roleArn)) {
        return AmazonS3ClientBuilder.standard().withRegion(awsRegion).build();
    } else {
        final AssumeRoleRequest assumeRole = new AssumeRoleRequest().withRoleArn(roleArn).withRoleSessionName("io-klerch-mp3-converter");

        final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withRegion(awsRegion).build();
        final Credentials credentials = sts.assumeRole(assumeRole).getCredentials();

        final BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                credentials.getAccessKeyId(),credentials.getSecretAccessKey(),credentials.getSessionToken());

        return AmazonS3ClientBuilder.standard().withRegion(awsRegion).withCredentials(new AWSStaticCredentialsProvider(sessionCredentials)).build();
    }
}
Project: nexus-public    File: AmazonS3Factory.java
private AWSCredentialsProvider buildCredentialsProvider(final AWSCredentials credentials,final String region,final String assumeRole) {
  AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials);
  if (isNullOrEmpty(assumeRole)) {
    return credentialsProvider;
  }
  else {
    // STS requires a region; fall back on the SDK default if not set
    String stsRegion;
    if (isNullOrEmpty(region)) {
      stsRegion = defaultRegion();
    }
    else {
      stsRegion = region;
    }
    AWSSecurityTokenService securityTokenService = AWSSecurityTokenServiceClientBuilder.standard()
        .withRegion(stsRegion)
        .withCredentials(credentialsProvider).build();

    return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRole,"nexus-s3-session")
        .withStsClient(securityTokenService)
        .build();
  }
}
Project: strongBox    File: IAMPolicyManager.java
public static String getAccount(AWSCredentialsProvider awsCredentialsProvider,ClientConfiguration clientConfiguration) {
    AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(awsCredentialsProvider)
        .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
        .withRegion(RegionResolver.getRegion())
        .build();
    GetCallerIdentityRequest request = new GetCallerIdentityRequest();
    GetCallerIdentityResult result = client.getCallerIdentity(request);

    return result.getAccount();
}
Project: strongBox    File: GroupModel.java
private AWSCredentialsProvider assumeRole(AWSCredentialsProvider longLivedAWSCredentials,ClientConfiguration clientConfiguration,String assumeRoleArn) {
    AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
            .withCredentials(longLivedAWSCredentials)
            .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
            .withRegion(RegionResolver.getRegion())
            .build();

    STSAssumeRoleSessionCredentialsProvider.Builder builder =
            new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn,"strongBox-cli");
    builder.withStsClient(client);

    return builder.build();
}
Project: tdl-auth    File: FederatedUserCredentialsProvider.java
public FederatedUserCredentialsProvider(String region,String bucket) {
    tokenService = AWSSecurityTokenServiceClientBuilder
            .standard()
            .withRegion(region)
            .build();
    this.bucket = bucket;
    this.region = region;
}
Project: tdl-auth    File: FederatedUserCredentialsProvider.java
public FederatedUserCredentialsProvider(String region,String bucket,AWSCredentialsProvider credentialsProvider) {
    tokenService = AWSSecurityTokenServiceClientBuilder
            .standard()
            .withCredentials(credentialsProvider)
            .withRegion(region)
            .build();
    this.bucket = bucket;
    this.region = region;
}
Project: zipkin-aws    File: ZipkinSQSCredentialsAutoConfiguration.java
/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */
@Bean
@ConditionalOnMissingBean
@Conditional(STSSetCondition.class)
AWSSecurityTokenService securityTokenService(ZipkinSQSCollectorProperties properties) {
  return AWSSecurityTokenServiceClientBuilder.standard()
      .withCredentials(getDefaultCredentialsProvider(properties))
      .withRegion(properties.awsStsRegion)
      .build();
}
Project: zipkin-aws    File: ZipkinKinesisCredentialsAutoConfiguration.java
/** Setup {@link AWSSecurityTokenService} client an IAM role to assume is given. */
@Bean
@ConditionalOnMissingBean
@Conditional(STSSetCondition.class)
AWSSecurityTokenService securityTokenService(ZipkinKinesisCollectorProperties properties) {
  return AWSSecurityTokenServiceClientBuilder.standard()
      .withCredentials(getDefaultCredentialsProvider(properties))
      .withRegion(properties.awsStsRegion)
      .build();
}
Project: ratpack-sqs    File: DefaultAWSCredentialsProvider.java
private AWSSecurityTokenService securityTokenService(AWSCredentialsProvider credentialsProvider) {
    AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(credentialsProvider);

    if (config.stsEndpoint().isPresent()) {
        builder.withEndpointConfiguration(
            new AwsClientBuilder.EndpointConfiguration(config.getStsEndpoint(),config.getStsRegionName())
        );
    } else {
        builder.withRegion(config.getStsRegionName());
    }

    return builder.build();
}
Project: aws-ec2-ssh    File: AAWSTest.java
public AAWSTest() {
    super();
    if (Config.has(Config.Key.IAM_ROLE_ARN)) {
        final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build();
        this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN),IAM_SESSION_NAME).withStsClient(sts).build();
    } else {
        this.credentialsProvider = new DefaultAWSCredentialsProviderChain();
    }
    this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.iam = AmazonIdentityManagementClientBuilder.standard().withCredentials(this.credentialsProvider).build();
}
Project: aws-cf-templates    File: AAWSTest.java
public AAWSTest() {
    super();
    if (Config.has(Config.Key.IAM_ROLE_ARN)) {
        final AWSSecurityTokenService local = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build();
        this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN),IAM_SESSION_NAME).withStsClient(local).build();
    } else {
        this.credentialsProvider = new DefaultAWSCredentialsProviderChain();
    }
    this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.route53 = AmazonRoute53ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.s3 = AmazonS3ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(this.credentialsProvider).build();
}
Project: strongBox    File: ProfileCredentialProvider.java
/**
 * Resolve AWS credentials based on MFA/Assume role
 *
 * We will assume that if mfa_serial is defined,then role_arn and source_profile also has to be specified.
 *
 * Please note that StrongBox differ from the AWS CLI in the following:
 * AWS CLI: 'Note that configuration variables for using IAM roles can only be in the AWS CLI config file.'
 * StrongBox: '--assume-role' can be specified explicitly
 *
 * https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
 */
private AWSCredentials assumeRole(ClientConfiguration clientConfiguration,ConfigProviderChain configProvider,ProfileIdentifier profile,RoleARN roletoAssume) {

    Optional<ProfileIdentifier> sourceProfile = configProvider.getSourceProfile(profile);
    if (!sourceProfile.isPresent()) {
        throw new IllegalStateException(String.format("'%s' must be specified when using '%s' for profile '%s'",AWSConfigPropertyKey.SOURCE_PROFILE,AWSConfigPropertyKey.ROLE_ARN,profile.name));
    }

    SessionCache sessionCache = new SessionCache(profile,roletoAssume);
    Optional<BasicSessionCredentials> cachedCredentials = sessionCache.load();

    if (cachedCredentials.isPresent()) {
        return cachedCredentials.get();
    } else {
        AWSCredentialsProvider staticCredentialsProvider = new AWSStaticCredentialsProvider(getStaticCredentials(configProvider,sourceProfile.get()));

        AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(staticCredentialsProvider)
                .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
                .withRegion(RegionResolver.getRegion())
                .build();

        String sessionId = String.format("strongBox-cli-session-%s",ZonedDateTime.now().toEpochSecond());

        AssumeRoleRequest request = new AssumeRoleRequest();
        request.withRoleArn(roletoAssume.toArn())
                .withRoleSessionName(sessionId);

        Optional<String> mfaSerial = configProvider.getMFASerial(profile);
        if (mfaSerial.isPresent()) {
            MFAToken mfaToken = mfaTokenSupplier.get();

            request.withSerialNumber(mfaSerial.get())
                    .withTokenCode(mfaToken.value);
        }

        AssumeRoleResult result = client.assumeRole(request);
        Credentials credentials = result.getCredentials();

        // BasicSessionCredentials takes access key id, secret access key and session token
        BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(),credentials.getSecretAccessKey(),credentials.getSessionToken());

        sessionCache.save(result.getAssumedRoleUser(),basicSessionCredentials,ZonedDateTime.ofInstant(credentials.getExpiration().toInstant(),ZoneId.of("UTC")));

        return basicSessionCredentials;
    }
}

Example source code for com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient

Project: herd    File: MockStsOperationsImpl.java
@Override
public AssumeRoleResult assumeRole(AWSSecurityTokenServiceClient awsSecurityTokenServiceClient,AssumeRoleRequest assumeRoleRequest)
{
    assertNotNull(assumeRoleRequest);

    if (assumeRoleRequest.getPolicy() != null && assumeRoleRequest.getPolicy().equals(MockAwsOperationsHelper.AMAZON_THROTTLING_EXCEPTION))
    {
        AmazonServiceException throttlingException = new AmazonServiceException("test throttling exception");
        throttlingException.setErrorCode("ThrottlingException");

        throw throttlingException;
    }

    AssumeRoleResult assumeRoleResult = new AssumeRoleResult();

    assumeRoleResult.setCredentials(new Credentials(MOCK_AWS_ASSUMED_ROLE_ACCESS_KEY,MOCK_AWS_ASSUMED_ROLE_SECRET_KEY,MOCK_AWS_ASSUMED_ROLE_SESSION_TOKEN,new Date(System.currentTimeMillis() + 1000 * assumeRoleRequest.getDurationSeconds())));

    return assumeRoleResult;
}
Project: service-block-samples    File: LambdaCredentialsProvider.java
/**
 * Creates a new session credential that is valid for 12 hours
 *
 * @return an authenticated {@link Credentials} for the new session token
 */
private Credentials getSessionCredentials() {
    // Create a new session with the user credentials for the service instance
    AWSSecurityTokenServiceClient stsClient =
            new AWSSecurityTokenServiceClient(new BasicAWSCredentials(
                    amazonProperties.getAws().getAccessKeyId(),amazonProperties.getAws().getAccessKeySecret()));

    // Start a new session for managing a service instance's bucket
    GetSessionTokenRequest getSessionTokenRequest =
            new GetSessionTokenRequest().withDurationSeconds(43200);

    // Get the session token for the service instance's bucket
    sessionCredentials = stsClient.getSessionToken(getSessionTokenRequest).getCredentials();

    return sessionCredentials;
}
Project: aws-codebuild-jenkins-plugin    File: CodeBuildCredentials.java
@Override
public AWSCredentials getCredentials() {
    AWSCredentialsProvider credentialsProvider = AWSClientFactory.getBasicCredentialsOrDefaultChain(accessKey,secretKey);
    AWSCredentials initialCredentials = credentialsProvider.getCredentials();

    if (iamRoleArn.isEmpty()) {
        return initialCredentials;
    } else {
        AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
                .withRoleArn(iamRoleArn)
                .withExternalId(externalId)
                .withDurationSeconds(3600)
                .withRoleSessionName("CodeBuild-Jenkins-Plugin");

        AssumeRoleResult assumeResult = new AWSSecurityTokenServiceClient(initialCredentials).assumeRole(assumeRequest);

        return new BasicSessionCredentials(
                assumeResult.getCredentials().getAccessKeyId(),assumeResult.getCredentials().getSecretAccessKey(),assumeResult.getCredentials().getSessionToken());
    }
}
Project: athenz    File: InstanceAWSProvider.java
AWSSecurityTokenServiceClient getInstanceClient(AWSAttestationData info) {

    String access = info.getAccess();
    if (access == null || access.isEmpty()) {
        LOGGER.error("getInstanceClient: No access key id available in instance document");
        return null;
    }

    String secret = info.getSecret();
    if (secret == null || secret.isEmpty()) {
        LOGGER.error("getInstanceClient: No secret access key available in instance document");
        return null;
    }

    String token = info.getToken();
    if (token == null || token.isEmpty()) {
        LOGGER.error("getInstanceClient: No token available in instance document");
        return null;
    }

    BasicSessionCredentials creds = new BasicSessionCredentials(access,secret,token);
    return new AWSSecurityTokenServiceClient(creds);
}
Project: fullstop    File: ExamplePlugin.java
private AmazonEC2Client getClientForAccount(final String accountId,final Region region) {
    final AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(new ProfileCredentialsProvider());

    final AssumeRoleRequest assumeRequest = new AssumeRoleRequest().withRoleArn(
            "arn:aws:iam::ACCOUNT_ID:role/fullstop-role")
                                                             .withDurationSeconds(3600).withRoleSessionName(
                    "fullstop-role");

    final AssumeRoleResult assumeResult = stsClient.assumeRole(assumeRequest);

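    // BasicSessionCredentials takes access key id, secret access key and session token
    final BasicSessionCredentials temporaryCredentials = new BasicSessionCredentials(
            assumeResult.getCredentials()
                        .getAccessKeyId(),assumeResult.getCredentials().getSecretAccessKey(),assumeResult.getCredentials().getSessionToken());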

    final AmazonEC2Client amazonEC2Client = new AmazonEC2Client(temporaryCredentials);
    amazonEC2Client.setRegion(region);

    return amazonEC2Client;
}
Project: aws-credentials-plugin    File: AWSCredentialsImpl.java
public AWSCredentials getCredentials() {
    AWSCredentials initialCredentials = new BasicAWSCredentials(accessKey,secretKey.getPlainText());

    if (StringUtils.isBlank(iamRoleArn)) {
        return initialCredentials;
    } else {
        // Handle the case of delegation to instance profile
        if (StringUtils.isBlank(accessKey) && StringUtils.isBlank(secretKey.getPlainText()) ) {
            initialCredentials = (new InstanceProfileCredentialsProvider()).getCredentials();
        }

        AssumeRoleRequest assumeRequest = createAssumeRoleRequest(iamRoleArn);

        AssumeRoleResult assumeResult = new AWSSecurityTokenServiceClient(initialCredentials).assumeRole(assumeRequest);

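        // BasicSessionCredentials takes access key id, secret access key and session token
        return new BasicSessionCredentials(
                assumeResult.getCredentials().getAccessKeyId(),assumeResult.getCredentials().getSecretAccessKey(),assumeResult.getCredentials().getSessionToken());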
    }
}
Project: jets3t-aws-roles    File: AWSRoleSessionCredentials.java
private void assumeRoleAndGetCredentials() {
  int defaultRequestedExpiryTimeInMinutes = jets3tProperties.getIntProperty("aws.session-credentials.expiry-time.to-be-requested",60);
  com.amazonaws.auth.AWSCredentials awsCredentials = new BasicAWSCredentials(iamAccessKey,iamSecretKey);
  AWSSecurityTokenServiceClient stsClient =
          new AWSSecurityTokenServiceClient(awsCredentials);
  AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
          .withRoleArn(roletoBeAssumed)
          .withDurationSeconds(defaultRequestedExpiryTimeInMinutes * 60)
          .withRoleSessionName(DEFAULT_SESSION_NAME);
  if(externalId != null) {
    assumeRequest = assumeRequest.withExternalId(externalId);
  }
  AssumeRoleResult assumeResult =
          stsClient.assumeRole(assumeRequest);
  this.accessKey = assumeResult.getCredentials().getAccessKeyId();
  this.secretKey = assumeResult.getCredentials().getSecretAccessKey();
  this.sessionToken = assumeResult.getCredentials().getSessionToken();
  this.expirationDate = assumeResult.getCredentials().getExpiration();
}
Project: spring-boot-starter-amazon-s3    File: AmazonS3Template.java
/**
 * Creates a new session credential that is valid for 12 hours
 *
 * @return an authenticated {@link Credentials} for the new session token
 */
private Credentials getSessionCredentials() {
    // Create a new session with the user credentials for the service instance
    AWSSecurityTokenServiceClient stsClient =
            new AWSSecurityTokenServiceClient(new BasicAWSCredentials(accessKeyId,accessKeySecret));

    // Start a new session for managing a service instance's bucket
    GetSessionTokenRequest getSessionTokenRequest =
            new GetSessionTokenRequest().withDurationSeconds(43200);

    // Get the session token for the service instance's bucket
    sessionCredentials = stsClient.getSessionToken(getSessionTokenRequest).getCredentials();

    return sessionCredentials;
}
Project: aws-codebuild-jenkins-plugin    File: CodeBuildCredentials.java
public FormValidation doCheckIamRoleArn(@QueryParameter("proxyHost") final String proxyHost,@QueryParameter("proxyPort") final String proxyPort,@QueryParameter("accessKey") final String accessKey,@QueryParameter("secretKey") final String secretKey,@QueryParameter("iamRoleArn") final String iamRoleArn,@QueryParameter("externalId") final String externalId) {

    if (accessKey.isEmpty() || secretKey.isEmpty()) {
        return FormValidation.error("AWS access and secret keys are required to use an IAM role for authorization");
    }

    if(iamRoleArn.isEmpty()) {
        return FormValidation.ok();
    }

    try {

        AWSCredentials initialCredentials = new BasicAWSCredentials(accessKey,secretKey);

        AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
                .withRoleArn(iamRoleArn)
                .withExternalId(externalId)
                .withDurationSeconds(3600)
                .withRoleSessionName("jenkins-codebuild-plugin");

        new AWSSecurityTokenServiceClient(initialCredentials,getClientConfiguration(proxyHost,proxyPort)).assumeRole(assumeRequest);

    } catch (Exception e) {
        String errorMessage = e.getMessage();
        if(errorMessage.length() >= ERROR_MESSAGE_MAX_LENGTH) {
            // keep the first ERROR_MESSAGE_MAX_LENGTH characters of the message
            errorMessage = errorMessage.substring(0,ERROR_MESSAGE_MAX_LENGTH);
        }
        return FormValidation.error("Authorization Failed: " + errorMessage);
    }
    return FormValidation.ok("IAM role authorization successful.");
}
Project: cerberus-lifecycle-cli    File: CerberusModule.java
/**
 * Binds all the Amazon services used.
 */
@Override
protected void configure() {
    final Region region = Region.getRegion(Regions.fromName(regionName));
    bind(AmazonEC2.class).toInstance(createAmazonClientInstance(AmazonEC2Client.class,region));
    bind(AmazonCloudFormation.class).toInstance(createAmazonClientInstance(AmazonCloudFormationClient.class,region));
    bind(AmazonIdentityManagement.class).toInstance(createAmazonClientInstance(AmazonIdentityManagementClient.class,region));
    bind(AWSKMS.class).toInstance(createAmazonClientInstance(AWSKMSClient.class,region));
    bind(AmazonS3.class).toInstance(createAmazonClientInstance(AmazonS3Client.class,region));
    bind(AmazonAutoScaling.class).toInstance(createAmazonClientInstance(AmazonAutoScalingClient.class,region));
    bind(AWSSecurityTokenService.class).toInstance(createAmazonClientInstance(AWSSecurityTokenServiceClient.class,region));
    bind(AWSLambda.class).toInstance(createAmazonClientInstance(AWSLambdaClient.class,region));
    bind(AmazonSNS.class).toInstance(createAmazonClientInstance(AmazonSNSClient.class,region));
}
Project: athenz    File: InstanceAWSProvider.java
public boolean verifyInstanceIdentity(AWSAttestationData info,final String awsAccount) {

    GetCallerIdentityRequest req = new GetCallerIdentityRequest();

    try {
        AWSSecurityTokenServiceClient client = getInstanceClient(info);
        if (client == null) {
            LOGGER.error("verifyInstanceIdentity - unable to get AWS STS client object");
            return false;
        }

        GetCallerIdentityResult res = client.getCallerIdentity(req);
        if (res == null) {
            LOGGER.error("verifyInstanceIdentity - unable to get caller identity");
            return false;
        }

        String arn = "arn:aws:sts::" + awsAccount + ":assumed-role/" + info.getRole() + "/";
        if (!res.getArn().startsWith(arn)) {
            LOGGER.error("verifyInstanceIdentity - ARN mismatch - request: {} caller-idenity: {}",arn,res.getArn());
            return false;
        }

        return true;

    } catch (Exception ex) {
        LOGGER.error("CloudStore: verifyInstanceIdentity - unable get caller identity: {}",ex.getMessage());
        return false;
    }
}
Project: athenz    File: InstanceAWSProviderTest.java
@Test
public void testVerifyInstanceIdentityNullIdentity() {
    MockInstanceAWSProvider provider = new MockInstanceAWSProvider();
    provider.setIdentitySuper(true);
    AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class);
    Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(null);
    provider.setStsClient(mockClient);

    AWSAttestationData info = new AWSAttestationData();
    assertFalse(provider.verifyInstanceIdentity(info,"1234"));
}
Project: athenz    File: InstanceAWSProviderTest.java
@Test
public void testVerifyInstanceIdentityException() {
    MockInstanceAWSProvider provider = new MockInstanceAWSProvider();
    provider.setIdentitySuper(true);
    AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class);
    Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenThrow(new ResourceException(101));
    provider.setStsClient(mockClient);

    AWSAttestationData info = new AWSAttestationData();
    assertFalse(provider.verifyInstanceIdentity(info,"1234"));
}
Project: athenz    File: InstanceAWSProviderTest.java
@Test
public void testVerifyInstanceIdentityARNMismatch() {
    MockInstanceAWSProvider provider = new MockInstanceAWSProvider();
    provider.setIdentitySuper(true);
    AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class);
    GetCallerIdentityResult result = Mockito.mock(GetCallerIdentityResult.class);
    Mockito.when(result.getArn()).thenReturn("arn:aws:sts::1235:assumed-role/athenz.service/athenz.service");
    Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(result);
    provider.setStsClient(mockClient);

    AWSAttestationData info = new AWSAttestationData();
    info.setRole("athenz.service");
    assertFalse(provider.verifyInstanceIdentity(info,"1234"));
}
Project: athenz    File: InstanceAWSProviderTest.java
@Test
public void testVerifyInstanceIdentity() {
    MockInstanceAWSProvider provider = new MockInstanceAWSProvider();
    provider.setIdentitySuper(true);
    AWSSecurityTokenServiceClient mockClient = Mockito.mock(AWSSecurityTokenServiceClient.class);
    GetCallerIdentityResult result = Mockito.mock(GetCallerIdentityResult.class);
    Mockito.when(result.getArn()).thenReturn("arn:aws:sts::1234:assumed-role/athenz.service/athenz.service");
    Mockito.when(mockClient.getCallerIdentity(ArgumentMatchers.any())).thenReturn(result);
    provider.setStsClient(mockClient);

    AWSAttestationData info = new AWSAttestationData();
    info.setRole("athenz.service");
    assertTrue(provider.verifyInstanceIdentity(info,"1234"));
}
Project: athenz    File: CloudStore.java
public AWSTemporaryCredentials assumeAWSRole(String account,String roleName,String principal) {

    if (!awsEnabled) {
        throw new ResourceException(ResourceException.INTERNAL_SERVER_ERROR,"AWS Support not enabled");
    }

    AssumeRoleRequest req = getAssumeRoleRequest(account,roleName,principal);

    AWSTemporaryCredentials tempCreds = null;
    try {
        AWSSecurityTokenServiceClient client = getTokenServiceClient();
        AssumeRoleResult res = client.assumeRole(req);

        Credentials awsCreds = res.getCredentials();
        tempCreds = new AWSTemporaryCredentials()
            .setAccessKeyId(awsCreds.getAccessKeyId())
            .setSecretAccessKey(awsCreds.getSecretAccessKey())
            .setSessionToken(awsCreds.getSessionToken())
            .setExpiration(Timestamp.fromMillis(awsCreds.getExpiration().getTime()));

    } catch (Exception ex) {
        LOGGER.error("CloudStore: assumeAWSRole - unable to assume role: " + ex.getMessage());
        return null;
    }

    return tempCreds;
}
Project: athenz    File: MockCloudStore.java
@Override
AWSSecurityTokenServiceClient getTokenServiceClient() {
    AWSSecurityTokenServiceClient client = Mockito.mock(AWSSecurityTokenServiceClient.class);
    Mockito.when(client.assumeRole(Mockito.any(AssumeRoleRequest.class))).thenReturn(assumeRoleResult);
    Mockito.when(client.getCallerIdentity(Mockito.any(GetCallerIdentityRequest.class))).thenReturn(callerIdentityResult);
    return client;
}
Project: herd    File: StsDaoImpl.java
/**
 * Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that can be used to access
 * the specified AWS resource.
 *
 * @param sessionName the session name that will be associated with the temporary credentials. The session name must be the same for an initial set of
 * credentials and an extended set of credentials if credentials are to be refreshed. The session name also is used to identify the user in AWS logs so it
 * should be something unique and useful to identify the caller/use.
 * @param awsRoleArn the AWS ARN for the role required to provide access to the specified AWS resource
 * @param awsRoleDurationSeconds the duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour).
 * @param policy the temporary policy to apply to this request
 *
 * @return the assumed session credentials
 */
@Override
public Credentials getTemporarySecurityCredentials(AwsParamsDto awsParamsDto,String sessionName,String awsRoleArn,int awsRoleDurationSeconds,Policy policy)
{
    // Construct a new AWS security token service client using the specified client configuration to access Amazon S3.
    // A credentials provider chain will be used that searches for credentials in this order:
    // - Environment Variables - AWS_ACCESS_KEY_ID and AWS_SECRET_KEY
    // - Java System Properties - aws.accessKeyId and aws.secretKey
    // - Instance Profile Credentials - delivered through the Amazon EC2 Metadata service

    ClientConfiguration clientConfiguration = new ClientConfiguration().withRetryPolicy(retryPolicyFactory.getRetryPolicy());

    // Only set the proxy hostname and/or port if they're configured.
    if (StringUtils.isNotBlank(awsParamsDto.getHttpProxyHost()))
    {
        clientConfiguration.setProxyHost(awsParamsDto.getHttpProxyHost());
    }
    if (awsParamsDto.getHttpProxyPort() != null)
    {
        clientConfiguration.setProxyPort(awsParamsDto.getHttpProxyPort());
    }

    AWSSecurityTokenServiceClient awsSecurityTokenServiceClient = new AWSSecurityTokenServiceClient(clientConfiguration);

    // Create the request.
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
    assumeRoleRequest.setRoleSessionName(sessionName);
    assumeRoleRequest.setRoleArn(awsRoleArn);
    assumeRoleRequest.setDurationSeconds(awsRoleDurationSeconds);
    if (policy != null)
    {
        assumeRoleRequest.setPolicy(policy.toJson());
    }

    // Get the temporary security credentials.
    AssumeRoleResult assumeRoleResult = stsOperations.assumeRole(awsSecurityTokenServiceClient,assumeRoleRequest);
    return assumeRoleResult.getCredentials();
}
Project: aws-credentials-plugin    File: AWSCredentialsImpl.java
public AWSCredentials getCredentials(String mfaToken) {
    AWSCredentials initialCredentials = new BasicAWSCredentials(accessKey,secretKey.getPlainText());

    AssumeRoleRequest assumeRequest = createAssumeRoleRequest(iamRoleArn)
            .withSerialNumber(iamMfaSerialNumber)
            .withTokenCode(mfaToken);

    AssumeRoleResult assumeResult = new AWSSecurityTokenServiceClient(initialCredentials).assumeRole(assumeRequest);

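    // BasicSessionCredentials takes the access key ID, the secret access key and the session token.
    return new BasicSessionCredentials(
            assumeResult.getCredentials().getAccessKeyId(),
            assumeResult.getCredentials().getSecretAccessKey(),
            assumeResult.getCredentials().getSessionToken());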
}
Project: aws-codedeploy-plugin    File: AWSClients.java
private static AWSCredentials getCredentials(String iamRole,String externalId) {
    if (isEmpty(iamRole)) return null;

    AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient();

    int credsDuration = (int) (AWSCodeDeployPublisher.DEFAULT_TIMEOUT_SECONDS
                    * AWSCodeDeployPublisher.DEFAULT_POLLING_FREQUENCY_SECONDS);

    if (credsDuration > 3600) {
        credsDuration = 3600;
    }

    AssumeRoleResult assumeRoleResult = sts.assumeRole(new AssumeRoleRequest()
                    .withRoleArn(iamRole)
                    .withExternalId(externalId)
                    .withDurationSeconds(credsDuration)
                    .withRoleSessionName(AWSCodeDeployPublisher.ROLE_SESSION_NAME)
    );

    Credentials stsCredentials = assumeRoleResult.getCredentials();
    BasicSessionCredentials credentials = new BasicSessionCredentials(
            stsCredentials.getAccessKeyId(),stsCredentials.getSecretAccessKey(),stsCredentials.getSessionToken()
    );

    return credentials;
}
Project: cloudbreak    File: AwsSessionCredentialClient.java
public BasicSessionCredentials retrieveSessionCredentials(AwsCredentialView awsCredential) {
    LOGGER.debug("retrieving session credential");
    AWSSecurityTokenServiceClient client = awsSecurityTokenServiceClient();
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
            .withDurationSeconds(DEFAULT_SESSION_CREDENTIALS_DURATION)
            .withExternalId(externalId)
            .withRoleArn(awsCredential.getRoleArn())
            .withRoleSessionName("hadoop-provisioning");
    AssumeRoleResult result = client.assumeRole(assumeRoleRequest);
    return new BasicSessionCredentials(
            result.getCredentials().getAccessKeyId(),result.getCredentials().getSecretAccessKey(),result.getCredentials().getSessionToken());
}
Project: cloudbreak    File: AwsSessionCredentialClient.java
private AWSSecurityTokenServiceClient awsSecurityTokenServiceClient() {
    if (!awsEnvironmentVariableChecker.isAwsAccessKeyAvailable() || !awsEnvironmentVariableChecker.isAwsSecretAccessKeyAvailable()) {
        InstanceProfileCredentialsProvider instanceProfileCredentialsProvider = new InstanceProfileCredentialsProvider();
        LOGGER.info("AWSSecurityTokenServiceClient will use aws Metadata because environment variables are undefined");
        return new AWSSecurityTokenServiceClient(instanceProfileCredentialsProvider);
    } else {
        LOGGER.info("AWSSecurityTokenServiceClient will use environment variables");
        return new AWSSecurityTokenServiceClient();
    }
}
Project: athenz    File: MockInstanceAWSProvider.java
void setStsClient(AWSSecurityTokenServiceClient client) {
    stsClient = client;
}
Project: athenz    File: MockInstanceAWSProvider.java
@Override
public AWSSecurityTokenServiceClient getInstanceClient(AWSAttestationData info) {
    return stsClient != null ? stsClient : super.getInstanceClient(info);
}
Project: athenz    File: MockInstanceAWSECSProvider.java
void setStsClient(AWSSecurityTokenServiceClient client) {
    stsClient = client;
}
Project: athenz    File: MockInstanceAWSECSProvider.java
@Override
public AWSSecurityTokenServiceClient getInstanceClient(AWSAttestationData info) {
    return stsClient != null ? stsClient : super.getInstanceClient(info);
}
Project: athenz    File: CloudStore.java
AWSSecurityTokenServiceClient getTokenServiceClient() {
    return new AWSSecurityTokenServiceClient(credentials);
}
Project: herd    File: StsOperationsImpl.java
@Override
public AssumeRoleResult assumeRole(AWSSecurityTokenServiceClient awsSecurityTokenServiceClient,AssumeRoleRequest assumeRoleRequest)
{
    return awsSecurityTokenServiceClient.assumeRole(assumeRoleRequest);
}
Project: herd    File: StsDaoTest.java
@Test
public void testGetTemporarySecurityCredentials()
{
    // Create an AWS parameters DTO with proxy settings.
    AwsParamsDto awsParamsDto = new AwsParamsDto();
    awsParamsDto.setHttpProxyHost(HTTP_PROXY_HOST);
    awsParamsDto.setHttpProxyPort(HTTP_PROXY_PORT);

    // Specify the duration, in seconds, of the role session.
    int awsRoleDurationSeconds = INTEGER_VALUE;

    // Create an IAM policy.
    Policy policy = new Policy(STRING_VALUE);

    // Create a retry policy.
    RetryPolicy retryPolicy =
        new RetryPolicy(PredefinedRetryPolicies.DEFAULT_RETRY_CONDITION,PredefinedRetryPolicies.DEFAULT_BACKOFF_STRATEGY,INTEGER_VALUE,true);

    // Create the expected assume role request.
    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withRoleArn(AWS_ROLE_ARN).withRoleSessionName(SESSION_NAME).withPolicy(policy.toJson())
        .withDurationSeconds(awsRoleDurationSeconds);

    // Create AWS credentials for API authentication.
    Credentials credentials = new Credentials();
    credentials.setAccessKeyId(AWS_ASSUMED_ROLE_ACCESS_KEY);
    credentials.setSecretAccessKey(AWS_ASSUMED_ROLE_SECRET_KEY);
    credentials.setSessionToken(AWS_ASSUMED_ROLE_SESSION_TOKEN);

    // Create an assume role result.
    AssumeRoleResult assumeRoleResult = new AssumeRoleResult();
    assumeRoleResult.setCredentials(credentials);

    // Mock the external calls.
    when(retryPolicyFactory.getRetryPolicy()).thenReturn(retryPolicy);
    when(stsOperations.assumeRole(any(AWSSecurityTokenServiceClient.class),eq(assumeRoleRequest))).thenReturn(assumeRoleResult);

    // Call the method under test.
    Credentials result = stsDaoImpl.getTemporarySecurityCredentials(awsParamsDto,SESSION_NAME,AWS_ROLE_ARN,awsRoleDurationSeconds,policy);

    // Verify the external calls.
    verify(retryPolicyFactory).getRetryPolicy();
    verify(stsOperations).assumeRole(any(AWSSecurityTokenServiceClient.class),eq(assumeRoleRequest));
    verifyNoMoreInteractionsHelper();

    // Validate the returned object.
    assertEquals(credentials,result);
}
Project: herd    File: StsDaoTest.java
@Test
public void testGetTemporarySecurityCredentialsMissingOptionalParameters()
{
    // Create an AWS parameters DTO without proxy settings.
    AwsParamsDto awsParamsDto = new AwsParamsDto();

    // Specify the duration, in seconds, of the role session.
    int awsRoleDurationSeconds = INTEGER_VALUE;

    // Create a retry policy.
    RetryPolicy retryPolicy =
        new RetryPolicy(PredefinedRetryPolicies.DEFAULT_RETRY_CONDITION,PredefinedRetryPolicies.DEFAULT_BACKOFF_STRATEGY,INTEGER_VALUE,true);

    // Create the expected assume role request.
    AssumeRoleRequest assumeRoleRequest =
        new AssumeRoleRequest().withRoleArn(AWS_ROLE_ARN).withRoleSessionName(SESSION_NAME).withDurationSeconds(awsRoleDurationSeconds);

    // Create AWS credentials for API authentication.
    Credentials credentials = new Credentials();
    credentials.setAccessKeyId(AWS_ASSUMED_ROLE_ACCESS_KEY);
    credentials.setSecretAccessKey(AWS_ASSUMED_ROLE_SECRET_KEY);
    credentials.setSessionToken(AWS_ASSUMED_ROLE_SESSION_TOKEN);

    // Create an assume role result.
    AssumeRoleResult assumeRoleResult = new AssumeRoleResult();
    assumeRoleResult.setCredentials(credentials);

    // Mock the external calls.
    when(retryPolicyFactory.getRetryPolicy()).thenReturn(retryPolicy);
    when(stsOperations.assumeRole(any(AWSSecurityTokenServiceClient.class),eq(assumeRoleRequest))).thenReturn(assumeRoleResult);

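    // Call the method under test. Please note that we do not specify an IAM policy.
    Credentials result = stsDaoImpl.getTemporarySecurityCredentials(awsParamsDto,SESSION_NAME,AWS_ROLE_ARN,awsRoleDurationSeconds,null);

    // Verify the external calls.
    verify(retryPolicyFactory).getRetryPolicy();
    verify(stsOperations).assumeRole(any(AWSSecurityTokenServiceClient.class),eq(assumeRoleRequest));
    verifyNoMoreInteractionsHelper();

    // Validate the returned object.
    assertEquals(credentials,result);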
}
Project: reinvent2013-mobile-photo-share    File: TemporaryCredentialManagement.java
public TemporaryCredentialManagement() {
    BasicAWSCredentials creds = new BasicAWSCredentials(Configuration.AWS_ACCESS_KEY_ID,Configuration.AWS_SECRET_KEY);
    sts = new AWSSecurityTokenServiceClient(creds);
}
Project: herd    File: StsOperations.java
/**
 * Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that can be used to access
 * the specified AWS resource.
 *
 * @param awsSecurityTokenServiceClient the client for accessing the AWS Security Token Service
 * @param assumeRoleRequest the assume role request
 *
 * @return the response from the AssumeRole service method, as returned by AWS Security Token Service
 */
public AssumeRoleResult assumeRole(AWSSecurityTokenServiceClient awsSecurityTokenServiceClient,AssumeRoleRequest assumeRoleRequest);

Example source code for com.amazonaws.services.securitytoken.AWSSecurityTokenService


Project: alexa-meets-polly    File: ConvertService.java
public static AmazonS3 getS3Client(final String region,final String roleArn) {
    final Regions awsRegion = StringUtils.isNullOrEmpty(region) ? Regions.US_EAST_1 : Regions.fromName(region);

    if (StringUtils.isNullOrEmpty(roleArn)) {
        return AmazonS3ClientBuilder.standard().withRegion(awsRegion).build();
    } else {
        final AssumeRoleRequest assumeRole = new AssumeRoleRequest().withRoleArn(roleArn).withRoleSessionName("io-klerch-mp3-converter");

        final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withRegion(awsRegion).build();
        final Credentials credentials = sts.assumeRole(assumeRole).getCredentials();

        final BasicSessionCredentials sessionCredentials = new BasicSessionCredentials(
                credentials.getAccessKeyId(),credentials.getSecretAccessKey(),credentials.getSessionToken());

        return AmazonS3ClientBuilder.standard().withRegion(awsRegion).withCredentials(new AWSStaticCredentialsProvider(sessionCredentials)).build();
    }
}
Project: zipkin-aws    File: ZipkinSQSCollectorAutoConfigurationTest.java
@Test
public void provideSecurityTokenService_whenAwsStsRoleArnIsSet() {
  context = new AnnotationConfigApplicationContext();
  addEnvironment(context,"zipkin.collector.sqs.queue-url:" + sqsRule.queueUrl());
  addEnvironment(context,"zipkin.collector.sqs.wait-time-seconds:1");
  addEnvironment(context,"zipkin.collector.sqs.aws-access-key-id: x");
  addEnvironment(context,"zipkin.collector.sqs.aws-secret-access-key: x");
  addEnvironment(context,"zipkin.collector.sqs.aws-sts-role-arn: test");
  context.register(PropertyPlaceholderAutoConfiguration.class,Region.class,ZipkinSQSCollectorAutoConfiguration.class,ZipkinSQSCredentialsAutoConfiguration.class,InMemoryConfiguration.class);
  context.refresh();

  assertThat(context.getBean(SQSCollector.class)).isNotNull();
  assertThat(context.getBean(AWSSecurityTokenService.class)).isNotNull();
  assertThat(context.getBean(AWSCredentialsProvider.class)).isInstanceOf(STSAssumeRoleSessionCredentialsProvider.class);
}
Project: zipkin-aws    File: ZipkinKinesisCollectorAutoConfigurationTest.java
@Test
public void kinesisCollectorConfiguredForAWSWithGivenCredentials() {
  addEnvironment(context,"zipkin.collector.kinesis.stream-name: zipkin-test");
  addEnvironment(context,"zipkin.collector.kinesis.app-name: zipkin");
  addEnvironment(context,"zipkin.collector.kinesis.aws-access-key-id: x");
  addEnvironment(context,"zipkin.collector.kinesis.aws-secret-access-key: x");
  addEnvironment(context,"zipkin.collector.kinesis.aws-sts-role-arn: test");
  context.register(PropertyPlaceholderAutoConfiguration.class,ZipkinKinesisCollectorAutoConfiguration.class,ZipkinKinesisCredentialsAutoConfiguration.class,InMemoryConfiguration.class);
  context.refresh();

  assertThat(context.getBean(KinesisCollector.class)).isNotNull();
  assertThat(context.getBean(AWSSecurityTokenService.class)).isNotNull();
  assertThat(context.getBean(AWSCredentialsProvider.class)).isInstanceOf(STSAssumeRoleSessionCredentialsProvider.class);
}
Project: ratpack-sqs    File: DefaultAWSCredentialsProvider.java
@Override
public AWSCredentialsProvider get() {

    List<AWSCredentialsProvider> providers = new ArrayList<>();
    if (!isNullOrEmpty(config.getAwsAccessKey()) && !isNullOrEmpty(config.getAwsSecretKey())) {
        providers.add(new BasicAWSCredentialsProvider(config.getAwsAccessKey(),config.getAwsSecretKey()));
    }
    providers.add(new DefaultAWSCredentialsProviderChain());

    if (!isNullOrEmpty(config.getStsRoleArn())) {
        final AWSSecurityTokenService sts = securityTokenService(new AWSCredentialsProviderChain(providers));

        return new STSAssumeRoleSessionCredentialsProvider.Builder(config.getStsRoleArn(),"ratpack-sqs")
            .withStsClient(sts)
            .build();
    }

    return new AWSCredentialsProviderChain(
        providers.toArray(new AWSCredentialsProvider[providers.size()])
    );
}
Project: cerberus-lifecycle-cli    File: ConfigStore.java
@Inject
public ConfigStore(final AmazonS3 s3Client,final CloudFormationService cloudFormationService,final IdentityManagementService iamService,final AWSSecurityTokenService securityTokenService,final EnvironmentMetadata environmentMetadata,@Named(CONFIG_OBJECT_MAPPER) final ObjectMapper configObjectMapper,@Named(CF_OBJECT_MAPPER) final ObjectMapper cloudFormationObjectMapper) {

    this.cloudFormationService = cloudFormationService;
    this.iamService = iamService;
    this.configObjectMapper = configObjectMapper;
    this.cloudFormationObjectMapper = cloudFormationObjectMapper;
    this.s3Client = s3Client;
    this.environmentMetadata = environmentMetadata;
    this.securityTokenService = securityTokenService;
}
Project: nexus-public    File: AmazonS3Factory.java
private AWSCredentialsProvider buildCredentialsProvider(final AWSCredentials credentials,final String region,final String assumeRole) {
  AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials);
  if (isNullOrEmpty(assumeRole)) {
    return credentialsProvider;
  }
  else {
    // STS requires a region; fall back on the SDK default if not set
    String stsRegion;
    if (isNullOrEmpty(region)) {
      stsRegion = defaultRegion();
    }
    else {
      stsRegion = region;
    }
    AWSSecurityTokenService securityTokenService = AWSSecurityTokenServiceClientBuilder.standard()
        .withRegion(stsRegion)
        .withCredentials(credentialsProvider).build();

    return new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRole,"nexus-s3-session")
        .withStsClient(securityTokenService)
        .build();
  }
}
Project: strongBox    File: IAMPolicyManager.java
public static String getAccount(AWSCredentialsProvider awsCredentialsProvider,ClientConfiguration clientConfiguration) {
    AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(awsCredentialsProvider)
        .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
        .withRegion(RegionResolver.getRegion())
        .build();
    GetCallerIdentityRequest request = new GetCallerIdentityRequest();
    GetCallerIdentityResult result = client.getCallerIdentity(request);

    return result.getAccount();
}
Project: strongBox    File: GroupModel.java
private AWSCredentialsProvider assumeRole(AWSCredentialsProvider longLivedAWSCredentials,ClientConfiguration clientConfiguration,String assumeRoleArn) {
    AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
            .withCredentials(longLivedAWSCredentials)
            .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
            .withRegion(RegionResolver.getRegion())
            .build();

    STSAssumeRoleSessionCredentialsProvider.Builder builder =
            new STSAssumeRoleSessionCredentialsProvider.Builder(assumeRoleArn,"strongBox-cli");
    builder.withStsClient(client);

    return builder.build();
}
Project: zipkin-aws    File: ZipkinSQSCredentialsAutoConfiguration.java
/** Set up the {@link AWSSecurityTokenService} client when an IAM role to assume is given. */
@Bean
@ConditionalOnMissingBean
@Conditional(STSSetCondition.class)
AWSSecurityTokenService securityTokenService(ZipkinSQSCollectorProperties properties) {
  return AWSSecurityTokenServiceClientBuilder.standard()
      .withCredentials(getDefaultCredentialsProvider(properties))
      .withRegion(properties.awsStsRegion)
      .build();
}
Project: zipkin-aws    File: ZipkinSQSCollectorAutoConfigurationTest.java
@Test
public void provideCollectorComponent_whenSqsQueueUrlIsSet() {
  context = new AnnotationConfigApplicationContext();
  addEnvironment(context,"zipkin.collector.sqs.aws-secret-access-key: x");
  context.register(PropertyPlaceholderAutoConfiguration.class,InMemoryConfiguration.class);
  context.refresh();

  assertThat(context.getBean(SQSCollector.class)).isNotNull();
  assertThat(context.getBean(AWSCredentialsProvider.class)).isNotNull();
  assertThatExceptionOfType(NoSuchBeanDefinitionException.class).isThrownBy(() -> context.getBean(AWSSecurityTokenService.class));
}
Project: zipkin-aws    File: ZipkinKinesisCredentialsAutoConfiguration.java
/** Set up the {@link AWSSecurityTokenService} client when an IAM role to assume is given. */
@Bean
@ConditionalOnMissingBean
@Conditional(STSSetCondition.class)
AWSSecurityTokenService securityTokenService(ZipkinKinesisCollectorProperties properties) {
  return AWSSecurityTokenServiceClientBuilder.standard()
      .withCredentials(getDefaultCredentialsProvider(properties))
      .withRegion(properties.awsStsRegion)
      .build();
}
Project: ratpack-sqs    File: DefaultAWSCredentialsProvider.java
private AWSSecurityTokenService securityTokenService(AWSCredentialsProvider credentialsProvider) {
    AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(credentialsProvider);

    if (config.stsEndpoint().isPresent()) {
        builder.withEndpointConfiguration(
            new AwsClientBuilder.EndpointConfiguration(config.getStsEndpoint(),config.getStsRegionName())
        );
    } else {
        builder.withRegion(config.getStsRegionName());
    }

    return builder.build();
}
Project: aws-ec2-ssh    File: AAWSTest.java
public AAWSTest() {
    super();
    if (Config.has(Config.Key.IAM_ROLE_ARN)) {
        final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build();
        this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN),IAM_SESSION_NAME).withStsClient(sts).build();
    } else {
        this.credentialsProvider = new DefaultAWSCredentialsProviderChain();
    }
    this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.iam = AmazonIdentityManagementClientBuilder.standard().withCredentials(this.credentialsProvider).build();
}
Project: cerberus-lifecycle-cli    File: SetBackupAdminPrincipalsOperation.java
@Inject
public SetBackupAdminPrincipalsOperation(ConfigStore configStore,AWSSecurityTokenService sts) {

    this.configStore = configStore;
    this.sts = sts;
}
Project: cerberus-lifecycle-cli    File: CerberusModule.java
/**
 * Binds all the Amazon services used.
 */
@Override
protected void configure() {
    final Region region = Region.getRegion(Regions.fromName(regionName));
    bind(AmazonEC2.class).toInstance(createAmazonClientInstance(AmazonEC2Client.class,region));
    bind(AmazonCloudFormation.class).toInstance(createAmazonClientInstance(AmazonCloudFormationClient.class,region));
    bind(AmazonIdentityManagement.class).toInstance(createAmazonClientInstance(AmazonIdentityManagementClient.class,region));
    bind(AWSKMS.class).toInstance(createAmazonClientInstance(AWSKMSClient.class,region));
    bind(AmazonS3.class).toInstance(createAmazonClientInstance(AmazonS3Client.class,region));
    bind(AmazonAutoScaling.class).toInstance(createAmazonClientInstance(AmazonAutoScalingClient.class,region));
    bind(AWSSecurityTokenService.class).toInstance(createAmazonClientInstance(AWSSecurityTokenServiceClient.class,region));
    bind(AWSLambda.class).toInstance(createAmazonClientInstance(AWSLambdaClient.class,region));
    bind(AmazonSNS.class).toInstance(createAmazonClientInstance(AmazonSNSClient.class,region));
}
Project: aws-cf-templates    File: AAWSTest.java
public AAWSTest() {
    super();
    if (Config.has(Config.Key.IAM_ROLE_ARN)) {
        final AWSSecurityTokenService local = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new DefaultAWSCredentialsProviderChain()).build();
        this.credentialsProvider = new STSAssumeRoleSessionCredentialsProvider.Builder(Config.get(Config.Key.IAM_ROLE_ARN),IAM_SESSION_NAME).withStsClient(local).build();
    } else {
        this.credentialsProvider = new DefaultAWSCredentialsProviderChain();
    }
    this.ec2 = AmazonEC2ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.route53 = AmazonRoute53ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.s3 = AmazonS3ClientBuilder.standard().withCredentials(this.credentialsProvider).build();
    this.sts = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(this.credentialsProvider).build();
}
Project: strongBox    File: ProfileCredentialProvider.java
/**
 * Resolve AWS credentials based on MFA/Assume role
 *
 * We will assume that if mfa_serial is defined, then role_arn and source_profile also have to be specified.
 *
 * Please note that StrongBox differs from the AWS CLI in the following:
 * AWS CLI: 'Note that configuration variables for using IAM roles can only be in the AWS CLI config file.'
 * StrongBox: '--assume-role' can be specified explicitly
 *
 * https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#using-aws-iam-roles
 */
private AWSCredentials assumeRole(ClientConfiguration clientConfiguration,ConfigProviderChain configProvider,ProfileIdentifier profile,RoleARN roleToAssume) {

    Optional<ProfileIdentifier> sourceProfile = configProvider.getSourceProfile(profile);
    if (!sourceProfile.isPresent()) {
        throw new IllegalStateException(String.format("'%s' must be specified when using '%s' for profile '%s'",AWSConfigPropertyKey.SOURCE_PROFILE,AWSConfigPropertyKey.ROLE_ARN,profile.name));
    }

    SessionCache sessionCache = new SessionCache(profile,roleToAssume);
    Optional<BasicSessionCredentials> cachedCredentials = sessionCache.load();

    if (cachedCredentials.isPresent()) {
        return cachedCredentials.get();
    } else {
        AWSCredentialsProvider staticCredentialsProvider = new AWSStaticCredentialsProvider(getStaticCredentials(configProvider,sourceProfile.get()));

        AWSSecurityTokenService client = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(staticCredentialsProvider)
                .withClientConfiguration(transformAndVerifyOrThrow(clientConfiguration))
                .withRegion(RegionResolver.getRegion())
                .build();

        String sessionId = String.format("strongBox-cli-session-%s",ZonedDateTime.now().toEpochSecond());

        AssumeRoleRequest request = new AssumeRoleRequest();
        request.withRoleArn(roleToAssume.toArn())
                .withRoleSessionName(sessionId);

        Optional<String> mfaSerial = configProvider.getMFASerial(profile);
        if (mfaSerial.isPresent()) {
            MFAToken mfaToken = mfaTokenSupplier.get();

            request.withSerialNumber(mfaSerial.get())
                    .withTokenCode(mfaToken.value);
        }

        AssumeRoleResult result = client.assumeRole(request);
        Credentials credentials = result.getCredentials();

        // BasicSessionCredentials takes the access key ID, the secret access key and the session token.
        BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(),credentials.getSecretAccessKey(),credentials.getSessionToken());

        sessionCache.save(result.getAssumedRoleUser(),basicSessionCredentials,ZonedDateTime.ofInstant(credentials.getExpiration().toInstant(),ZoneId.of("UTC")));

        return basicSessionCredentials;
    }
}
Project: aws-sam-gradle    File: AwsMetadataService.java
public AwsMetadataService(AWSSecurityTokenService tokenService) {
    this.tokenService = tokenService;
}
Project: datamung    File: AssumedSessionCredentialsFactoryBean.java
public AssumedSessionCredentialsFactoryBean( AWSSecurityTokenService sts,AgentConfig config )
{
    this.sts = sts;
    this.assumedRoleArn = config.getControllerRoleArn();
}
