Merge branch 'main' into list-dep

Author: MikeDombo

.github/workflows/ci.yml

@@ -29,6 +29,12 @@ jobs:
       - name: Build with Maven (not Windows)
         run: mvn -U -ntp clean verify
         if: matrix.os != 'windows-latest'
+      - name: Upload Failed Test Report
+        uses: actions/[email protected]
+        if: failure()
+        with:
+          name: Failed Test Report ${{ matrix.os }}
+          path: server/target/surefire-reports
       - name: Convert Jacoco to Cobertura
         run: |
           python3 ./.github/scripts/cover2cover.py client/target/jacoco-report/jacoco.xml src/main/java > client/target/jacoco-report/cobertura.xml

client/pom.xml

@@ -86,7 +86,7 @@
         <dependency>
             <groupId>software.amazon.awssdk.iotdevicesdk</groupId>
             <artifactId>aws-iot-device-sdk</artifactId>
-            <version>1.5.1-WINDOWS-SNAPSHOT</version>
+            <version>1.9.2</version>
         </dependency>
     </dependencies>
     <build>

server/pom.xml

@@ -211,7 +211,7 @@
         <dependency>
             <groupId>com.aws.greengrass</groupId>
             <artifactId>nucleus</artifactId>
-            <version>2.5.0-SNAPSHOT</version>
+            <version>2.6.0-SNAPSHOT</version>
             <scope>provided</scope>
         </dependency>
         <dependency>

server/src/main/java/com/aws/greengrass/cli/CLIEventStreamAgent.java

@@ -5,6 +5,9 @@
 
 package com.aws.greengrass.cli;
 
+import com.aws.greengrass.authorization.AuthorizationHandler;
+import com.aws.greengrass.authorization.Permission;
+import com.aws.greengrass.authorization.exceptions.AuthorizationException;
 import com.aws.greengrass.componentmanager.ComponentStore;
 import com.aws.greengrass.config.Node;
 import com.aws.greengrass.config.Topics;
@@ -96,6 +99,14 @@
 import static com.aws.greengrass.ipc.common.ExceptionUtil.translateExceptions;
 import static com.aws.greengrass.ipc.common.IPCErrorStrings.DEPLOYMENTS_QUEUE_FULL;
 import static com.aws.greengrass.ipc.common.IPCErrorStrings.DEPLOYMENTS_QUEUE_NOT_INITIALIZED;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.CREATE_DEBUG_PASSWORD;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.CREATE_LOCAL_DEPLOYMENT;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.GET_COMPONENT_DETAILS;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.GET_LOCAL_DEPLOYMENT_STATUS;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.LIST_COMPONENTS;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.LIST_LOCAL_DEPLOYMENTS;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.RESTART_COMPONENT;
+import static software.amazon.awssdk.aws.greengrass.GreengrassCoreIPCServiceModel.STOP_COMPONENT;
 
 @SuppressWarnings("PMD.CouplingBetweenObjects")
 public class CLIEventStreamAgent {
@@ -119,6 +130,9 @@ public class CLIEventStreamAgent {
     @Setter(AccessLevel.PACKAGE)
     private DeploymentQueue deploymentQueue;
 
+    @Inject
+    private AuthorizationHandler authHandler;
+
     private final SecureRandom random = new SecureRandom();
 
     public GetComponentDetailsHandler getGetComponentDetailsHandler(OperationContinuationHandlerContext context) {
@@ -190,8 +204,12 @@ protected void onStreamClosed() {
         @SuppressWarnings("PMD.PreserveStackTrace")
         public GetComponentDetailsResponse handleRequest(GetComponentDetailsRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
                 validateGetComponentDetailsRequest(request);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(request.getComponentName())
+                        .operation(GET_COMPONENT_DETAILS)
+                        .build());
                 String componentName = request.getComponentName();
                 GreengrassService service;
                 try {
@@ -219,11 +237,23 @@ private void validateGetComponentDetailsRequest(GetComponentDetailsRequest reque
         }
     }
 
-    private void authorizeRequest(String componentName) {
-        if (Utils.isEmpty(componentName) || !componentName.startsWith(GREENGRASS_CLI_CLIENT_ID_PREFIX) && !CLI_SERVICE
-                .equals(componentName)) {
+    private void authorizeRequest(Permission permission) {
+        if (Utils.isEmpty(permission.getPrincipal())) {
             throw new UnauthorizedError("Component is not authorized to call CLI APIs");
         }
+        // Allow CLI and CLI clients to call anything
+        if (permission.getPrincipal().startsWith(GREENGRASS_CLI_CLIENT_ID_PREFIX)
+                || CLI_SERVICE.equals(permission.getPrincipal())) {
+            return;
+        }
+        // Check for authorization for all other components
+        try {
+            authHandler.isAuthorized(CLI_SERVICE, permission);
+        } catch (AuthorizationException e) {
+            logger.atWarn().kv("error", e.getMessage()).kv("componentName", permission.getPrincipal())
+                    .log("Not Authorized");
+            throw new UnauthorizedError(e.getMessage());
+        }
     }
 
     private ComponentDetails getComponentDetails(GreengrassService service) {
@@ -259,7 +289,11 @@ protected void onStreamClosed() {
         @Override
         public ListComponentsResponse handleRequest(ListComponentsRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(AuthorizationHandler.ANY_REGEX)
+                        .operation(LIST_COMPONENTS)
+                        .build());
                 Collection<GreengrassService> services = kernel.orderedDependencies();
                 List<ComponentDetails> listOfComponents =
                         services.stream().filter(service -> service != kernel.getMain())
@@ -295,8 +329,12 @@ protected void onStreamClosed() {
         @SuppressWarnings("PMD.PreserveStackTrace")
         public RestartComponentResponse handleRequest(RestartComponentRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
                 validateRestartComponentRequest(request);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(request.getComponentName())
+                        .operation(RESTART_COMPONENT)
+                        .build());
                 String componentName = request.getComponentName();
                 RestartComponentResponse response = new RestartComponentResponse();
                 response.setRestartStatus(RequestStatus.SUCCEEDED);
@@ -346,8 +384,12 @@ protected void onStreamClosed() {
         @SuppressWarnings("PMD.PreserveStackTrace")
         public StopComponentResponse handleRequest(StopComponentRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
                 validateStopComponentRequest(request);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(request.getComponentName())
+                        .operation(STOP_COMPONENT)
+                        .build());
                 String componentName = request.getComponentName();
                 try {
                     GreengrassService service = kernel.locate(componentName);
@@ -396,7 +438,11 @@ protected void onStreamClosed() {
         @SuppressWarnings({"PMD.PreserveStackTrace", "PMD.AvoidCatchingGenericException"})
         public CreateLocalDeploymentResponse handleRequest(CreateLocalDeploymentRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(AuthorizationHandler.ANY_REGEX)
+                        .operation(CREATE_LOCAL_DEPLOYMENT)
+                        .build());
                 String deploymentId = UUID.randomUUID().toString();
                 //All inputs are valid. If all inputs are empty, then user might just want to retrigger the deployment
                 // with new recipes set using the updateRecipesAndArtifacts API.
@@ -492,8 +538,12 @@ protected void onStreamClosed() {
         @Override
         public GetLocalDeploymentStatusResponse handleRequest(GetLocalDeploymentStatusRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
                 validateGetLocalDeploymentStatusRequest(request);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(request.getDeploymentId())
+                        .operation(GET_LOCAL_DEPLOYMENT_STATUS)
+                        .build());
                 Topics localDeployments = cliServiceConfig.findTopics(PERSISTENT_LOCAL_DEPLOYMENTS);
                 if (localDeployments == null || localDeployments.findTopics(request.getDeploymentId()) == null) {
                     ResourceNotFoundError rnf = new ResourceNotFoundError();
@@ -558,7 +608,11 @@ public List<Node> sortDeploymentsByTime(Iterator<Node> deploymentsIterator, Comp
         @Override
         public ListLocalDeploymentsResponse handleRequest(ListLocalDeploymentsRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(AuthorizationHandler.ANY_REGEX)
+                        .operation(LIST_LOCAL_DEPLOYMENTS)
+                        .build());
                 List<LocalDeployment> persistedDeployments = new ArrayList<>();
                 Topics localDeployments = cliServiceConfig.findTopics(PERSISTENT_LOCAL_DEPLOYMENTS);
                 List<Topics> deploymentsByTime = sortDeploymentsByTime(localDeployments.iterator(),
@@ -616,7 +670,11 @@ protected void onStreamClosed() {
         @Override
         public CreateDebugPasswordResponse handleRequest(CreateDebugPasswordRequest request) {
             return translateExceptions(() -> {
-                authorizeRequest(componentName);
+                authorizeRequest(Permission.builder()
+                        .principal(componentName)
+                        .resource(AuthorizationHandler.ANY_REGEX)
+                        .operation(CREATE_DEBUG_PASSWORD)
+                        .build());
                 CreateDebugPasswordResponse response = new CreateDebugPasswordResponse();
 
                 String password = generatePassword(DEBUG_PASSWORD_LENGTH_REQUIREMENT);

server/src/main/java/com/aws/greengrass/cli/CLIService.java

@@ -48,7 +48,7 @@
 
 @ImplementsService(name = CLIService.CLI_SERVICE, autostart = true)
 public class CLIService extends PluginService {
-    public static final String GREENGRASS_CLI_CLIENT_ID_PREFIX = "greengrass-cli-";
+    public static final String GREENGRASS_CLI_CLIENT_ID_PREFIX = "greengrass-cli#";
     public static final String GREENGRASS_CLI_CLIENT_ID_FMT = GREENGRASS_CLI_CLIENT_ID_PREFIX + "%s";
     public static final String CLI_SERVICE = "aws.greengrass.Cli";
     public static final String CLI_CLIENT_ARTIFACT = "aws.greengrass.cli.client";

server/src/test/java/com/aws/greengrass/cli/CLIEventStreamAgentTest.java

@@ -5,6 +5,8 @@
 
 package com.aws.greengrass.cli;
 
+import com.aws.greengrass.authorization.AuthorizationHandler;
+import com.aws.greengrass.authorization.exceptions.AuthorizationException;
 import com.aws.greengrass.componentmanager.ComponentStore;
 import com.aws.greengrass.config.Topics;
 import com.aws.greengrass.dependency.Context;
@@ -61,6 +63,7 @@
 import java.util.UUID;
 
 import static com.aws.greengrass.cli.CLIEventStreamAgent.PERSISTENT_LOCAL_DEPLOYMENTS;
+import static com.aws.greengrass.cli.CLIService.CLI_SERVICE;
 import static com.aws.greengrass.cli.CLIService.GREENGRASS_CLI_CLIENT_ID_FMT;
 import static com.aws.greengrass.componentmanager.KernelConfigResolver.CONFIGURATION_CONFIG_KEY;
 import static com.aws.greengrass.componentmanager.KernelConfigResolver.VERSION_CONFIG_KEY;
@@ -76,6 +79,8 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.lenient;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -101,27 +106,46 @@ class CLIEventStreamAgentTest {
     @Mock
     DeploymentQueue deploymentQueue;
 
+    @Mock
+    AuthorizationHandler authorizationHandler;
+
     @Mock
     private ComponentStore componentStore;
 
     @InjectMocks
     private CLIEventStreamAgent cliEventStreamAgent;
 
     @BeforeEach
-    void setup() {
+    void setup() throws AuthorizationException {
         when(mockContext.getContinuation()).thenReturn(mock(ServerConnectionContinuation.class));
         when(mockContext.getAuthenticationData()).thenReturn(() -> String.format(GREENGRASS_CLI_CLIENT_ID_FMT, "abc"));
+        lenient().when(authorizationHandler.isAuthorized(eq(CLI_SERVICE), any()))
+                .thenThrow(new AuthorizationException("bad"));
     }
 
     @Test
     void test_GetComponentDetails_with_bad_auth_token_rejects() {
         // Pretend that TEST_SERVICE has connected and wants to call the CLI APIs
         when(mockContext.getAuthenticationData()).thenReturn(() -> TEST_SERVICE);
         GetComponentDetailsRequest request = new GetComponentDetailsRequest();
+        request.setComponentName("any");
         assertThrows(UnauthorizedError.class,
                 () -> cliEventStreamAgent.getGetComponentDetailsHandler(mockContext).handleRequest(request));
     }
 
+    @Test
+    void test_GetComponentDetails_with_non_cli_auth_token_calls_authZ()
+            throws AuthorizationException, ServiceLoadException {
+        // Pretend that TEST_SERVICE has connected and wants to call the CLI APIs
+        when(mockContext.getAuthenticationData()).thenReturn(() -> TEST_SERVICE);
+        GetComponentDetailsRequest request = new GetComponentDetailsRequest();
+        request.setComponentName("any");
+        when(authorizationHandler.isAuthorized(eq(CLI_SERVICE), any())).thenReturn(true);
+        when(kernel.locate("any")).thenThrow(ServiceLoadException.class);
+        assertThrows(ResourceNotFoundError.class,
+                () -> cliEventStreamAgent.getGetComponentDetailsHandler(mockContext).handleRequest(request));
+    }
+
     @Test
     void test_GetComponentDetails_empty_component_name() {
         GetComponentDetailsRequest request = new GetComponentDetailsRequest();

server/src/test/java/com/aws/greengrass/cli/CLIServiceTest.java

@@ -130,7 +130,7 @@ void testStartup_default_auth() throws Exception {
         cliService.startup();
         verifyHandlersRegisteredForAllOperations();
         verify(authenticationHandler).registerAuthenticationTokenForExternalClient
-                (anyString(), startsWith("greengrass-cli-user"));
+                (anyString(), startsWith("greengrass-cli#user"));
 
         Path authDir = nucleusPaths.cliIpcInfoPath();
         assertTrue(Files.exists(authDir));
@@ -154,9 +154,9 @@ void testStartup_group_auth(ExtensionContext context) throws Exception {
         when(authenticationHandler.registerAuthenticationTokenForExternalClient(anyString(), anyString()))
                 .thenAnswer(i -> {
                     Object clientId = i.getArgument(1);
-                    if ("greengrass-cli-group-123".equals(clientId)) {
+                    if ("greengrass-cli#group-123".equals(clientId)) {
                         return MOCK_AUTH_TOKEN;
-                    } else if ("greengrass-cli-group-456".equals(clientId)) {
+                    } else if ("greengrass-cli#group-456".equals(clientId)) {
                         return MOCK_AUTH_TOKEN_2;
                     }
                     throw new InvalidUseOfMatchersException(
@@ -197,8 +197,8 @@ void testStartup_group_auth(ExtensionContext context) throws Exception {
         ArgumentCaptor<String> argument = ArgumentCaptor.forClass(String.class);
         verify(authenticationHandler, times(2)).registerAuthenticationTokenForExternalClient
                 (anyString(), argument.capture());
-        assertThat(argument.getAllValues(), containsInRelativeOrder("greengrass-cli-group-123",
-                "greengrass-cli-group-456"));
+        assertThat(argument.getAllValues(), containsInRelativeOrder("greengrass-cli#group-123",
+                "greengrass-cli#group-456"));
 
         Path authDir = nucleusPaths.cliIpcInfoPath();
         assertTrue(Files.exists(authDir.resolve("group-123")));