Use a secondary role to test cross-account functionality (#39)

This supports a less permissive policy on the test queue, and is better than requiring long-lived credentials.
awslabs · May 1, 2020 · 8042357 · 8042357
1 parent 335d929
commit 8042357
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 14 deletions.
diff --git a/pom.xml b/pom.xml
@@ -67,6 +67,11 @@
  <version>4.0.2</version>
  <scope>test</scope>
  </dependency>
+ <dependency>
+ <groupId>com.amazonaws</groupId>
+ <artifactId>aws-java-sdk-sts</artifactId>
+ <scope>test</scope>
+ </dependency>
  </dependencies>
 
  <build>

diff --git a/src/test/java/com/amazonaws/services/sqs/AmazonSQSResponsesClientCrossAccountIT.java b/src/test/java/com/amazonaws/services/sqs/AmazonSQSResponsesClientCrossAccountIT.java
@@ -28,12 +28,14 @@ protected String testSuiteName() {
 
  @Before
  public void setup() {
- String policyString = allowSendMessagePolicy().toJson();
+ // Use the secondary role for the responder
+ sqsResponder = new AmazonSQSResponderClient(getBuddyPrincipalClient());
+
+ String policyString = allowSendMessagePolicy(getBuddyRoleARN()).toJson();
  sqsRequester = new AmazonSQSRequesterClient(sqs, queueNamePrefix,
  Collections.singletonMap(QueueAttributeName.Policy.toString(), policyString),
  exceptionHandler);
- // Use the second account for the responder
- sqsResponder = new AmazonSQSResponderClient(getBuddyPrincipalClient());
+
  requestQueueUrl = sqs.createQueue("RequestQueue-" + UUID.randomUUID().toString()).getQueueUrl();
  }
 

diff --git a/src/test/java/com/amazonaws/services/sqs/AmazonSQSTemporaryQueuesClientCrossAccountIT.java b/src/test/java/com/amazonaws/services/sqs/AmazonSQSTemporaryQueuesClientCrossAccountIT.java
@@ -86,7 +86,7 @@ public void accessDenied() {
 
  @Test
  public void withAccess() {
- String policyString = allowSendMessagePolicy().toJson();
+ String policyString = allowSendMessagePolicy(getBuddyRoleARN()).toJson();
  CreateQueueRequest createQueueRequest = new CreateQueueRequest()
  .withQueueName(queueNamePrefix + "TestQueueWithAccess")
  .withAttributes(Collections.singletonMap(QueueAttributeName.Policy.toString(), policyString));

diff --git a/src/test/java/com/amazonaws/services/sqs/util/IntegrationTest.java b/src/test/java/com/amazonaws/services/sqs/util/IntegrationTest.java
@@ -3,13 +3,21 @@
 import java.util.Collections;
 import java.util.concurrent.ThreadLocalRandom;
 
+import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
+import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
 import com.amazonaws.auth.policy.Policy;
 import com.amazonaws.auth.policy.Principal;
 import com.amazonaws.auth.policy.Resource;
 import com.amazonaws.auth.policy.Statement;
 import com.amazonaws.auth.policy.actions.SQSActions;
 import com.amazonaws.auth.profile.ProfileCredentialsProvider;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
+import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
+import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
+import com.amazonaws.services.securitytoken.model.Credentials;
+import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
 import com.amazonaws.services.sqs.model.AmazonSQSException;
 import org.junit.After;
 import org.junit.Before;
@@ -62,14 +70,20 @@ public void teardownSQSClient() {
  exceptionHandler.assertNothingThrown();
  }
 
- protected AmazonSQS getBuddyPrincipalClient() {
- AWSCredentialsProvider credentialsProvider = new ProfileCredentialsProvider("buddy");
- try {
- credentialsProvider.getCredentials();
- } catch (Exception e) {
- assumeNoException("This test requires a second 'buddy' credential profile.", e);
+ protected String getBuddyRoleARN() {
+ String roleARN = System.getenv("BUDDY_ROLE_ARN");
+ if (roleARN == null) {
+ assumeTrue("This test requires a second 'buddy' AWS role, provided with the BUDDY_ROLE_ARN environment variable.", false);
  }
+ return roleARN;
+ }
 
+ protected AWSCredentialsProvider getBuddyCredentials() {
+ return new STSAssumeRoleSessionCredentialsProvider.Builder(getBuddyRoleARN(), testSuiteName()).build();
+ }
+
+ protected AmazonSQS getBuddyPrincipalClient() {
+ AWSCredentialsProvider credentialsProvider = getBuddyCredentials();
  AmazonSQS client = AmazonSQSClientBuilder.standard()
  .withRegion("us-west-2")
  .withCredentials(credentialsProvider)
@@ -90,13 +104,11 @@ protected AmazonSQS getBuddyPrincipalClient() {
  return client;
  }
 
- protected Policy allowSendMessagePolicy() {
+ protected Policy allowSendMessagePolicy(String roleARN) {
  Policy policy = new Policy();
  Statement statement = new Statement(Statement.Effect.Allow);
  statement.setActions(Collections.singletonList(SQSActions.SendMessage));
- // Ideally we would only allow the principal we're testing with, but we
- // only have access to the credentials and not necessarily the account number.
- statement.setPrincipals(Principal.All);
+ statement.setPrincipals(new Principal(roleARN));
  statement.setResources(Collections.singletonList(new Resource("arn:aws:sqs:*:*:*")));
  policy.setStatements(Collections.singletonList(statement));
  return policy;