add tagging permissions and Account schema file check (#81)

* add tagging permissions and Account schema file check

* correct account schema hexstring

* correct hexstring after style check

aws-organizations-account/aws-organizations-account.json

@@ -109,7 +109,12 @@
     "tagOnCreate": true,
     "tagUpdatable": true,
     "cloudFormationSystemTags": false,
-    "tagProperty": "/properties/Tags"
+    "tagProperty": "/properties/Tags",
+    "permissions": [
+      "organizations:TagResource",
+      "organizations:UntagResource",
+      "organizations:ListTagsForResource"
+    ]
   },
   "additionalProperties": false,
   "required": [

aws-organizations-account/src/test/java/software/amazon/organizations/account/AbstractTestBase.java

@@ -49,6 +49,8 @@ public class AbstractTestBase {
     protected static final String TEST_NEXT_TOKEN = "mockNextTokenItem";
     protected static final String TEST_JOINED_METHOD = "CREATED";
     protected static final Instant TEST_JOINED_TIMESTAMP = Instant.parse("2017-02-03T10:47:30.00Z");
+    protected static final String ACCOUNT_JSON_SCHEMA_FILE_NAME = "aws-organizations-account.json";
+    protected static final String ACCOUNT_SCHEMA_SHA256_HEXSTRING = "F25AC8ED367293E5F6E354BFA4BFB6A45A3E968DD1412CF601990CA2D455FE17";
 
     protected static final DescribeAccountResponse describeAccountResponse = DescribeAccountResponse.builder().account(Account.builder()
                                                                                                           .arn(TEST_ACCOUNT_ARN)

aws-organizations-account/src/test/java/software/amazon/organizations/account/AccountSchemaFileCheckSumChangesTest.java

@@ -0,0 +1,50 @@
+package software.amazon.organizations.account;
+
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.commons.codec.binary.Hex;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.NoSuchFileException;
+import java.nio.file.Paths;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class AccountSchemaFileCheckSumChangesTest extends AbstractTestBase {
+    private byte[] hashedAccountSchema;
+    private static byte[] accountSchema;
+    private static Logger logger = LoggerFactory.getLogger(AccountSchemaFileCheckSumChangesTest.class);
+
+    @BeforeAll
+    public static void setup() {
+        // Read the account JSON file in a byte array. Since this file is of fixed size, we can read it without looping.
+        try {
+            accountSchema = Files.readAllBytes(Paths.get(ACCOUNT_JSON_SCHEMA_FILE_NAME));
+        } catch (NoSuchFileException e) {
+            logger.info("Account schema json file not found. {}", e.toString());
+        } catch (IOException e) {
+            logger.info(e.toString());
+        }
+    }
+
+    // This test is to make sure we don't modify the Account resource schema json file. It matches the HEX string of SHA-256
+    // representation of Account schema file. If we ever need to modify the Account schema file, we should calculate the new Hex string.
+    // We can get the string by logging actualHexString variable in test below and update the variable AccountSCHEMA_SHA256_HEXSTRING.
+    @Test
+    public void checkIfAccountSchemaFileCheckSumMatches() {
+        // Get the SHA-256 representation of Account schema file to a byte array.
+        try {
+            hashedAccountSchema = MessageDigest.getInstance("SHA-256").digest(accountSchema);
+        } catch (NoSuchAlgorithmException e) {
+            logger.info("No such algorithm found. {}", e.toString());
+        }
+        // Convert the byte array to a Hex String for matching.
+        String actualHexString = Hex.encodeHexString(hashedAccountSchema, false); // false to return upper case
+        assertThat(actualHexString).isEqualTo(ACCOUNT_SCHEMA_SHA256_HEXSTRING);
+    }
+}

aws-organizations-organizationalunit/aws-organizations-organizationalunit.json

@@ -105,7 +105,12 @@
     "tagOnCreate": true,
     "tagUpdatable": true,
     "cloudFormationSystemTags": false,
-    "tagProperty": "/properties/Tags"
+    "tagProperty": "/properties/Tags",
+    "permissions": [
+      "organizations:TagResource",
+      "organizations:UntagResource",
+      "organizations:ListTagsForResource"
+    ]
   },
   "required": [
     "Name",

aws-organizations-organizationalunit/src/test/java/software/amazon/organizations/organizationalunit/AbstractTestBase.java

@@ -24,7 +24,7 @@ public class AbstractTestBase {
     protected static final String TEST_OU_ID_CHANGED = "4321dcba";
     protected static final String TEST_PARENT_ID = "r-hhhu";
     protected static final String OU_JSON_SCHEMA_FILE_NAME = "aws-organizations-organizationalunit.json";
-    protected static final String OU_SCHEMA_SHA256_HEXSTRING = "BB043EDEAC284DAFD18E89A23A59373C3ECAC4C4CD1B063D525C3028D98EC463";
+    protected static final String OU_SCHEMA_SHA256_HEXSTRING = "F2E41908B0563ED7D624883328DAE2E89D915917ACCA323E6CB34F8602D9C528";
 
     protected static final Credentials MOCK_CREDENTIALS;
     protected static final LoggerProxy loggerProxy;

aws-organizations-policy/aws-organizations-policy.json

@@ -104,7 +104,12 @@
     "tagOnCreate": true,
     "tagUpdatable": true,
     "cloudFormationSystemTags": false,
-    "tagProperty": "/properties/Tags"
+    "tagProperty": "/properties/Tags",
+    "permissions": [
+      "organizations:TagResource",
+      "organizations:UntagResource",
+      "organizations:ListTagsForResource"
+    ]
   },
   "required": [
     "Name",

aws-organizations-policy/src/test/java/software/amazon/organizations/policy/AbstractTestBase.java

@@ -49,7 +49,7 @@ public class AbstractTestBase {
     protected static final Set<String> TEST_TARGET_IDS = ImmutableSet.of(TEST_TARGET_ROOT_ID, TEST_TARGET_OU_ID);
     protected static final Set<String> TEST_UPDATED_TARGET_IDS = ImmutableSet.of(TEST_TARGET_ROOT_ID, TEST_TARGET_ACCOUNT_ID);
     protected static final String TEST_NEXT_TOKEN = "mockNextTokenItem";
-    protected static final String POLICY_SCHEMA_SHA256_HEXSTRING = "2D6EC3A321FCB847C3D82D496E0E831B047C74ABE67B4E797CB9C30DD1E149DF";
+    protected static final String POLICY_SCHEMA_SHA256_HEXSTRING = "570EA2A5670352042505D77D1921807BDD013D474A62202278E616BC94423BF0";
     protected static final String POLICY_JSON_SCHEMA_FILE_NAME = "aws-organizations-policy.json";
 
     protected static final Credentials MOCK_CREDENTIALS;

aws-organizations-resourcepolicy/aws-organizations-resourcepolicy.json

@@ -98,7 +98,12 @@
     "tagOnCreate": true,
     "tagUpdatable": true,
     "cloudFormationSystemTags": false,
-    "tagProperty": "/properties/Tags"
+    "tagProperty": "/properties/Tags",
+    "permissions": [
+      "organizations:TagResource",
+      "organizations:UntagResource",
+      "organizations:ListTagsForResource"
+    ]
   },
   "required": [
     "Content"

aws-organizations-resourcepolicy/src/test/java/software/amazon/organizations/resourcepolicy/AbstractTestBase.java

@@ -49,7 +49,7 @@ public class AbstractTestBase {
   protected static final Map<String, Object> TEST_RESOURCEPOLICY_CONTENT_JSON = convertStringToJsonObject(TEST_RESOURCEPOLICY_CONTENT);
   protected static final Map<String, Object> TEST_RESOURCEPOLICY_UPDATED_CONTENT_JSON = convertStringToJsonObject(TEST_RESOURCEPOLICY_UPDATED_CONTENT);
   protected static final String TEST_NEXT_TOKEN = "mockNextTokenItem";
-  protected static final String RESOURCE_POLICY_SCHEMA_SHA256_HEXSTRING = "95A60E71BAFB423D08B4B465782CA3225FB500ED3160ECCEDA0E00FE7628D6C1";
+  protected static final String RESOURCE_POLICY_SCHEMA_SHA256_HEXSTRING = "C48EDAD6CE9CC65CC1E5FC37BBAC107D685574B0DA9CC4C46090D56761E714BF";
   protected static final String RESOURCE_POLICY_JSON_SCHEMA_FILE_NAME = "aws-organizations-resourcepolicy.json";
 
   protected static final Credentials MOCK_CREDENTIALS;