in aws-core-server/src/main/java/jetbrains/buildServer/clouds/amazon/connector/keyRotation/impl/OldKeysCleaner.java [40:134]
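/**
 * Creates the cleaner and subscribes it to the {@code DELETE_OLD_AWS_KEY_TASK_TYPE} multi-node task queue.
 * <p>
 * Each task carries a serialized {@link DeleteKeyTaskArg}. Once the task's {@code keyDeletionTime} has
 * passed, the node that can write to the configuration directory resolves the project and connection
 * named in the task, builds an IAM client from the connection's <em>current</em> access key pair and
 * deletes the <em>old</em> access key that the rotation replaced.
 * <p>
 * Only masked access key ids are ever written to the log; the secret access key is read from the
 * connection parameters solely to authenticate the IAM client.
 *
 * @param multiNodeTasks          queue the deletion tasks are consumed from
 * @param serverResponsibility    restricts processing to the node that can write to the config directory
 * @param oAuthConnectionsManager used to resolve the AWS connection named in a task
 * @param projectManager          used to resolve the project named in a task
 * @param iamClientBuilder        factory for the IAM client that performs the deletion
 */
public OldKeysCleaner(@NotNull MultiNodeTasks multiNodeTasks,
                      @NotNull final ServerResponsibility serverResponsibility,
                      @NotNull final OAuthConnectionsManager oAuthConnectionsManager,
                      @NotNull final ProjectManager projectManager,
                      @NotNull final IamClientBuilder iamClientBuilder) {
  myMultiNodeTasks = multiNodeTasks;
  myServerResponsibility = serverResponsibility;
  myOAuthConnectionsManager = oAuthConnectionsManager;
  myProjectManager = projectManager;
  setOldKeyPreserveTime();

  myMultiNodeTasks.subscribe(DELETE_OLD_AWS_KEY_TASK_TYPE, new MultiNodeTasks.TaskConsumer() {

    /**
     * A task is handled here only on the node that may write to the config directory, and only when
     * it has the expected type and a non-null string argument. Both callbacks share this guard so the
     * two cannot drift apart.
     */
    private boolean isApplicable(@NotNull final MultiNodeTasks.PerformingTask task) {
      return myServerResponsibility.canWriteToConfigDirectory()
             && DELETE_OLD_AWS_KEY_TASK_TYPE.equals(task.getType())
             && task.getStringArg() != null;
    }

    /**
     * Resolves the connection a task refers to.
     *
     * @throws KeyRotationException if the project or the connection no longer exists
     */
    @NotNull
    private OAuthConnectionDescriptor findConnection(@NotNull final DeleteKeyTaskArg taskArgObject) throws KeyRotationException {
      SProject curProject = myProjectManager.findProjectByExternalId(taskArgObject.projectId);
      if (curProject == null) {
        throw new KeyRotationException("The project with id " + taskArgObject.projectId + " does not exist");
      }
      OAuthConnectionDescriptor awsConnectionDescriptor = myOAuthConnectionsManager.findConnectionById(curProject, taskArgObject.connectionId);
      if (awsConnectionDescriptor == null) {
        throw new KeyRotationException("The connection with id " + taskArgObject.connectionId + " does not exist");
      }
      return awsConnectionDescriptor;
    }

    @Override
    public boolean beforeAccept(@NotNull final MultiNodeTasks.PerformingTask task) {
      if (!isApplicable(task)) {
        // Not ours (or not this node's job): leave the task alone without finishing it.
        return false;
      }
      try {
        DeleteKeyTaskArg taskArgObject = DeleteKeyTaskArg.fromTask(task);
        // The task is accepted only once its scheduled deletion moment has passed; before that it is
        // rejected (but left unfinished) and presumably re-offered later — confirm against MultiNodeTasks.
        ZonedDateTime keyDeletionTime = ZonedDateTime.parse(taskArgObject.keyDeletionTime);
        return ZonedDateTime.now(ZoneId.systemDefault()).isAfter(keyDeletionTime);
      } catch (KeyRotationException | java.time.format.DateTimeParseException e) {
        // An argument that cannot be decoded will never become valid, so the task is finished here
        // rather than left in the queue. DateTimeParseException is unchecked and used to escape this
        // handler on a malformed keyDeletionTime; it is now handled the same way.
        Loggers.CLOUD.warn("Task to delete the old key is rejected: " + e.getMessage());
        task.finished();
        return false;
      }
    }

    @Override
    public void accept(final MultiNodeTasks.PerformingTask task) {
      if (!isApplicable(task)) {
        // Deliberately not finished: a node that cannot write the config directory leaves the task
        // for the node that can.
        return;
      }
      Loggers.CLOUD.debug("AWS Key Rotation task is accepted, task ID is: " + task.getId());
      DeleteKeyTaskArg taskArgObject = null;
      try {
        taskArgObject = DeleteKeyTaskArg.fromTask(task);
        Loggers.CLOUD.debug("Deleting the AWS key after rotation: " + ParamUtil.maskKey(taskArgObject.oldAccessKeyId));

        OAuthConnectionDescriptor awsConnectionDescriptor = findConnection(taskArgObject);
        String connectionRegion = awsConnectionDescriptor.getParameters().get(AwsCloudConnectorConstants.REGION_NAME_PARAM);
        String currentAccessKeyId = awsConnectionDescriptor.getParameters().get(AwsAccessKeysParams.ACCESS_KEY_ID_PARAM);
        String secretAccessKey = awsConnectionDescriptor.getParameters().get(AwsAccessKeysParams.SECURE_SECRET_ACCESS_KEY_PARAM);
        if (connectionRegion == null) {
          throw new KeyRotationException("The connection region cannot be null");
        }
        if (currentAccessKeyId == null) {
          throw new KeyRotationException("The connection with id " + taskArgObject.connectionId + " does not have access key id");
        }
        if (secretAccessKey == null) {
          // Only the (masked) key id is logged; the secret itself must never reach the log.
          throw new KeyRotationException("The connection with key " + ParamUtil.maskKey(currentAccessKeyId) + " does not have secret access key");
        }

        // The IAM call is authenticated with the connection's current (rotated-in) key pair. The SDK
        // client holds an HTTP connection pool, so it is closed as soon as the old key is deleted.
        try (IamClient iam = iamClientBuilder.createIamClient(
               connectionRegion,
               StaticCredentialsProvider.create(AwsBasicCredentials.create(currentAccessKeyId, secretAccessKey)))) {
          deletePreviousAccessKey(taskArgObject.oldAccessKeyId, iam);
        }
        Loggers.CLOUD.debug("Deleted the old AWS key: " + ParamUtil.maskKey(taskArgObject.oldAccessKeyId));
      } catch (KeyRotationException e) {
        String errMsg;
        if (taskArgObject == null) {
          errMsg = "Task to delete the old key cannot be completed: " + e.getMessage();
        } else {
          // NOTE(review): unlike the branch above this message omits e.getMessage(); presumably
          // warnAndDebugDetails appends the throwable itself — confirm.
          errMsg = "Cannot delete the old AWS key " + ParamUtil.maskKey(taskArgObject.oldAccessKeyId) + ": ";
        }
        Loggers.CLOUD.warnAndDebugDetails(errMsg, e);
      }
      // Reached on success and on KeyRotationException alike; an unexpected unchecked exception
      // (e.g. from the IAM call) skips this and leaves the task unfinished — confirm that is intended.
      task.finished();
    }
  });
}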