From 5868cd8d23a30919c20827cc4f5ea90589a3f2ab Mon Sep 17 00:00:00 2001
From: shuqz <95371565+shuqz@users.noreply.github.com>
Date: Wed, 2 Oct 2024 10:42:32 -0700
Subject: [PATCH] add tagging permissions and Account schema file check (#81)
* add tagging permissions and Account schema file check
* correct account schema hexstring
* correct hexstring after style check
---
 .../aws-organizations-account.json | 7 ++-
 .../account/AbstractTestBase.java | 2 +
 .../AccountSchemaFileCheckSumChangesTest.java | 50 +++++++++++++++++++
 .../aws-organizations-organizationalunit.json | 7 ++-
 .../organizationalunit/AbstractTestBase.java | 2 +-
 .../aws-organizations-policy.json | 7 ++-
 .../policy/AbstractTestBase.java | 2 +-
 .../aws-organizations-resourcepolicy.json | 7 ++-
 .../resourcepolicy/AbstractTestBase.java | 2 +-
 9 files changed, 79 insertions(+), 7 deletions(-)
 create mode 100644 aws-organizations-account/src/test/java/software/amazon/organizations/account/AccountSchemaFileCheckSumChangesTest.java
diff --git a/aws-organizations-account/aws-organizations-account.json b/aws-organizations-account/aws-organizations-account.json
index 697a44d..03cabed 100644
--- a/aws-organizations-account/aws-organizations-account.json
+++ b/aws-organizations-account/aws-organizations-account.json
@@ -109,7 +109,12 @@
 "tagOnCreate": true,
 "tagUpdatable": true,
 "cloudFormationSystemTags": false,
- "tagProperty": "/properties/Tags"
+ "tagProperty": "/properties/Tags",
+ "permissions": [
+ "organizations:TagResource",
+ "organizations:UntagResource",
+ "organizations:ListTagsForResource"
+ ]
 },
 "additionalProperties": false,
 "required": [
diff --git a/aws-organizations-account/src/test/java/software/amazon/organizations/account/AbstractTestBase.java b/aws-organizations-account/src/test/java/software/amazon/organizations/account/AbstractTestBase.java
index 0d8b286..17354a3 100644
--- a/aws-organizations-account/src/test/java/software/amazon/organizations/account/AbstractTestBase.java
+++ b/aws-organizations-account/src/test/java/software/amazon/organizations/account/AbstractTestBase.java
@@ -49,6 +49,8 @@ public class AbstractTestBase {
 protected static final String TEST_NEXT_TOKEN = "mockNextTokenItem";
 protected static final String TEST_JOINED_METHOD = "CREATED";
 protected static final Instant TEST_JOINED_TIMESTAMP = Instant.parse("2017-02-03T10:47:30.00Z");
+ protected static final String ACCOUNT_JSON_SCHEMA_FILE_NAME = "aws-organizations-account.json";
+ protected static final String ACCOUNT_SCHEMA_SHA256_HEXSTRING = "F25AC8ED367293E5F6E354BFA4BFB6A45A3E968DD1412CF601990CA2D455FE17";
 protected static final DescribeAccountResponse describeAccountResponse = DescribeAccountResponse.builder().account(Account.builder()
 .arn(TEST_ACCOUNT_ARN)
diff --git a/aws-organizations-account/src/test/java/software/amazon/organizations/account/AccountSchemaFileCheckSumChangesTest.java b/aws-organizations-account/src/test/java/software/amazon/organizations/account/AccountSchemaFileCheckSumChangesTest.java
new file mode 100644
index 0000000..f636d6f
--- /dev/null
+++ b/aws-organizations-account/src/test/java/software/amazon/organizations/account/AccountSchemaFileCheckSumChangesTest.java
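Review bot: The new `ACCOUNT_SCHEMA_SHA256_HEXSTRING` constant carries no note on what it pins or how to regenerate it, so the next person who edits the schema has to hunt for the checksum test to learn why their build broke. I would add above it `// SHA-256 (upper-case hex) of aws-organizations-account.json; pins the resource schema, including the IAM permissions it declares. Regenerate deliberately when the schema changes, e.g. sha256sum aws-organizations-account.json | tr a-f A-F`. `ACCOUNT_JSON_SCHEMA_FILE_NAME` is a bare relative path, so it presumably resolves against whatever working directory the test runner uses (the module root, I assume) — worth stating in the same comment. The class `AbstractTestBase` continues outside the hunk.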
@@ -0,0 +1,50 @@
+package software.amazon.organizations.account;
+
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.commons.codec.binary.Hex;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.NoSuchFileException;
+import java.nio.file.Paths;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class AccountSchemaFileCheckSumChangesTest extends AbstractTestBase {
+ private byte[] hashedAccountSchema;
+ private static byte[] accountSchema;
+ private static Logger logger = LoggerFactory.getLogger(AccountSchemaFileCheckSumChangesTest.class);
+
+ @BeforeAll
+ public static void setup() {
+ // Read the account JSON file in a byte array. Since this file is of fixed size, we can read it without looping.
+ try {
+ accountSchema = Files.readAllBytes(Paths.get(ACCOUNT_JSON_SCHEMA_FILE_NAME));
+ } catch (NoSuchFileException e) {
+ logger.info("Account schema json file not found. {}", e.toString());
+ } catch (IOException e) {
+ logger.info(e.toString());
+ }
+ }
+
+ // This test is to make sure we don't modify the Account resource schema json file. It matches the HEX string of SHA-256
+ // representation of Account schema file. If we ever need to modify the Account schema file, we should calculate the new Hex string.
+ // We can get the string by logging actualHexString variable in test below and update the variable AccountSCHEMA_SHA256_HEXSTRING.
+ @Test
+ public void checkIfAccountSchemaFileCheckSumMatches() {
+ // Get the SHA-256 representation of Account schema file to a byte array.
+ try {
+ hashedAccountSchema = MessageDigest.getInstance("SHA-256").digest(accountSchema);
+ } catch (NoSuchAlgorithmException e) {
+ logger.info("No such algorithm found. {}", e.toString());
+ }
+ // Convert the byte array to a Hex String for matching.
+ String actualHexString = Hex.encodeHexString(hashedAccountSchema, false); // false to return upper case
+ assertThat(actualHexString).isEqualTo(ACCOUNT_SCHEMA_SHA256_HEXSTRING);
+ }
+}
diff --git a/aws-organizations-organizationalunit/aws-organizations-organizationalunit.json b/aws-organizations-organizationalunit/aws-organizations-organizationalunit.json
index 66f262a..fc02dfb 100644
--- a/aws-organizations-organizationalunit/aws-organizations-organizationalunit.json
+++ b/aws-organizations-organizationalunit/aws-organizations-organizationalunit.json
@@ -105,7 +105,12 @@
 "tagOnCreate": true,
 "tagUpdatable": true,
 "cloudFormationSystemTags": false,
- "tagProperty": "/properties/Tags"
+ "tagProperty": "/properties/Tags",
+ "permissions": [
+ "organizations:TagResource",
+ "organizations:UntagResource",
+ "organizations:ListTagsForResource"
+ ]
 },
 "required": [
 "Name",
diff --git a/aws-organizations-organizationalunit/src/test/java/software/amazon/organizations/organizationalunit/AbstractTestBase.java b/aws-organizations-organizationalunit/src/test/java/software/amazon/organizations/organizationalunit/AbstractTestBase.java
index d26501f..36dcdfd 100644
--- a/aws-organizations-organizationalunit/src/test/java/software/amazon/organizations/organizationalunit/AbstractTestBase.java
+++ b/aws-organizations-organizationalunit/src/test/java/software/amazon/organizations/organizationalunit/AbstractTestBase.java
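Review bot: Both catch blocks in `setup()` log at info and move on, so a missing or unreadable `aws-organizations-account.json` leaves `accountSchema` null and the test dies later on `MessageDigest.digest(null)` with a NullPointerException instead of the real cause; the `NoSuchAlgorithmException` catch in the test method has the same shape and would surface as an NPE inside `Hex.encodeHexString`. Let both checked exceptions propagate and drop the try/catch blocks, which also leaves `logger` unused (if it stays, make it `private static final`). The comment above the test names the constant `AccountSCHEMA_SHA256_HEXSTRING`; the field added in this commit is `ACCOUNT_SCHEMA_SHA256_HEXSTRING`. Since this checksum is what stops the schema, and the IAM permissions it declares, from drifting unnoticed, a failure that points at the file rather than at a null is worth the change.
```java
@BeforeAll
public static void setup() throws IOException {
    // A missing or unreadable schema file should fail the run with its own message, not as a later NPE.
    accountSchema = Files.readAllBytes(Paths.get(ACCOUNT_JSON_SCHEMA_FILE_NAME));
}

// … unchanged: explanatory comment on regenerating the hex string …
@Test
public void checkIfAccountSchemaFileCheckSumMatches() throws NoSuchAlgorithmException {
    // SHA-256 is mandatory in every JDK; propagating the checked exception is a clear failure, not a swallowed one.
    hashedAccountSchema = MessageDigest.getInstance("SHA-256").digest(accountSchema);
    String actualHexString = Hex.encodeHexString(hashedAccountSchema, false); // false to return upper case
    assertThat(actualHexString).isEqualTo(ACCOUNT_SCHEMA_SHA256_HEXSTRING);
}
```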
@@ -24,7 +24,7 @@ public class AbstractTestBase {
 protected static final String TEST_OU_ID_CHANGED = "4321dcba";
 protected static final String TEST_PARENT_ID = "r-hhhu";
 protected static final String OU_JSON_SCHEMA_FILE_NAME = "aws-organizations-organizationalunit.json";
- protected static final String OU_SCHEMA_SHA256_HEXSTRING = "BB043EDEAC284DAFD18E89A23A59373C3ECAC4C4CD1B063D525C3028D98EC463";
+ protected static final String OU_SCHEMA_SHA256_HEXSTRING = "F2E41908B0563ED7D624883328DAE2E89D915917ACCA323E6CB34F8602D9C528";
 protected static final Credentials MOCK_CREDENTIALS;
 protected static final LoggerProxy loggerProxy;
diff --git a/aws-organizations-policy/aws-organizations-policy.json b/aws-organizations-policy/aws-organizations-policy.json
index 1920010..a5b93b8 100644
--- a/aws-organizations-policy/aws-organizations-policy.json
+++ b/aws-organizations-policy/aws-organizations-policy.json
@@ -104,7 +104,12 @@
 "tagOnCreate": true,
 "tagUpdatable": true,
 "cloudFormationSystemTags": false,
- "tagProperty": "/properties/Tags"
+ "tagProperty": "/properties/Tags",
+ "permissions": [
+ "organizations:TagResource",
+ "organizations:UntagResource",
+ "organizations:ListTagsForResource"
+ ]
 },
 "required": [
 "Name",
diff --git a/aws-organizations-policy/src/test/java/software/amazon/organizations/policy/AbstractTestBase.java b/aws-organizations-policy/src/test/java/software/amazon/organizations/policy/AbstractTestBase.java
index 9486f38..98e6026 100644
--- a/aws-organizations-policy/src/test/java/software/amazon/organizations/policy/AbstractTestBase.java
+++ b/aws-organizations-policy/src/test/java/software/amazon/organizations/policy/AbstractTestBase.java
@@ -49,7 +49,7 @@ public class AbstractTestBase {
 protected static final Set TEST_TARGET_IDS = ImmutableSet.of(TEST_TARGET_ROOT_ID, TEST_TARGET_OU_ID);
 protected static final Set TEST_UPDATED_TARGET_IDS = ImmutableSet.of(TEST_TARGET_ROOT_ID, TEST_TARGET_ACCOUNT_ID);
 protected static final String TEST_NEXT_TOKEN = "mockNextTokenItem";
- protected static final String POLICY_SCHEMA_SHA256_HEXSTRING = "2D6EC3A321FCB847C3D82D496E0E831B047C74ABE67B4E797CB9C30DD1E149DF";
+ protected static final String POLICY_SCHEMA_SHA256_HEXSTRING = "570EA2A5670352042505D77D1921807BDD013D474A62202278E616BC94423BF0";
 protected static final String POLICY_JSON_SCHEMA_FILE_NAME = "aws-organizations-policy.json";
 protected static final Credentials MOCK_CREDENTIALS;
diff --git a/aws-organizations-resourcepolicy/aws-organizations-resourcepolicy.json b/aws-organizations-resourcepolicy/aws-organizations-resourcepolicy.json
index 98aeb52..7416ec6 100644
--- a/aws-organizations-resourcepolicy/aws-organizations-resourcepolicy.json
+++ b/aws-organizations-resourcepolicy/aws-organizations-resourcepolicy.json
@@ -98,7 +98,12 @@
 "tagOnCreate": true,
 "tagUpdatable": true,
 "cloudFormationSystemTags": false,
- "tagProperty": "/properties/Tags"
+ "tagProperty": "/properties/Tags",
+ "permissions": [
+ "organizations:TagResource",
+ "organizations:UntagResource",
+ "organizations:ListTagsForResource"
+ ]
 },
 "required": [
 "Content"
diff --git a/aws-organizations-resourcepolicy/src/test/java/software/amazon/organizations/resourcepolicy/AbstractTestBase.java b/aws-organizations-resourcepolicy/src/test/java/software/amazon/organizations/resourcepolicy/AbstractTestBase.java
index 4f6544d..113b404 100644
--- a/aws-organizations-resourcepolicy/src/test/java/software/amazon/organizations/resourcepolicy/AbstractTestBase.java
+++ b/aws-organizations-resourcepolicy/src/test/java/software/amazon/organizations/resourcepolicy/AbstractTestBase.java
@@ -49,7 +49,7 @@ public class AbstractTestBase {
 protected static final Map TEST_RESOURCEPOLICY_CONTENT_JSON = convertStringToJsonObject(TEST_RESOURCEPOLICY_CONTENT);
 protected static final Map TEST_RESOURCEPOLICY_UPDATED_CONTENT_JSON = convertStringToJsonObject(TEST_RESOURCEPOLICY_UPDATED_CONTENT);
 protected static final String TEST_NEXT_TOKEN = "mockNextTokenItem";
- protected static final String RESOURCE_POLICY_SCHEMA_SHA256_HEXSTRING = "95A60E71BAFB423D08B4B465782CA3225FB500ED3160ECCEDA0E00FE7628D6C1";
+ protected static final String RESOURCE_POLICY_SCHEMA_SHA256_HEXSTRING = "C48EDAD6CE9CC65CC1E5FC37BBAC107D685574B0DA9CC4C46090D56761E714BF";
 protected static final String RESOURCE_POLICY_JSON_SCHEMA_FILE_NAME = "aws-organizations-resourcepolicy.json";
 protected static final Credentials MOCK_CREDENTIALS;