Skip to content

Fix RemoteS3Connection for rewritten bucket and key #198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -112,28 +112,44 @@ public void shutDown()
}
}

public void proxyRequest(Optional<Identity> identity, SigningMetadata signingMetadata, ParsedS3Request request, AsyncResponse asyncResponse,
public void proxyRequest(Optional<Identity> identity, SigningMetadata signingMetadata, ParsedS3Request originalRequest, AsyncResponse asyncResponse,
RequestLoggingSession requestLoggingSession)
{
SecurityResponse securityResponse = s3SecurityController.apply(request, identity);
SecurityResponse securityResponse = s3SecurityController.apply(originalRequest, identity);
if (securityResponse instanceof Failure(var error)) {
log.debug("SecurityController check failed. AccessKey: %s, Request: %s, SecurityResponse: %s", signingMetadata.credential().accessKey(), request, securityResponse);
log.debug("SecurityController check failed. AccessKey: %s, Request: %s, SecurityResponse: %s", signingMetadata.credential().accessKey(), originalRequest, securityResponse);
requestLoggingSession.logError("request.security.fail.credentials", signingMetadata.credential());
requestLoggingSession.logError("request.security.fail.request", request);
requestLoggingSession.logError("request.security.fail.request", originalRequest);
requestLoggingSession.logError("request.security.fail.error", error);

throw new WebApplicationException(Response.Status.UNAUTHORIZED);
}

Optional<S3RewriteResult> rewriteResult = s3RequestRewriter.rewrite(identity, signingMetadata, request);
String targetBucket = rewriteResult.map(S3RewriteResult::finalRequestBucket).orElse(request.bucketName());
String targetKey = rewriteResult
Optional<S3RewriteResult> rewriteResult = s3RequestRewriter.rewrite(identity, signingMetadata, originalRequest);
String bucket = rewriteResult.map(S3RewriteResult::finalRequestBucket).orElse(originalRequest.bucketName());
String key = rewriteResult
.map(S3RewriteResult::finalRequestKey)
.orElse(originalRequest.keyInBucket());
String path = rewriteResult
.map(S3RewriteResult::finalRequestKey)
.map(SdkHttpUtils::urlEncodeIgnoreSlashes)
.orElse(request.rawPath());
.orElse(originalRequest.rawPath());

ParsedS3Request request = new ParsedS3Request(
originalRequest.requestId(),
originalRequest.requestAuthorization(),
originalRequest.requestDate(),
bucket,
key,
originalRequest.requestHeaders(),
originalRequest.queryParameters(),
originalRequest.httpVerb(),
path,
originalRequest.rawQuery(),
originalRequest.requestContent());

RemoteRequestWithPresignedURIs remoteRequest = remoteS3ConnectionController.withRemoteConnection(signingMetadata, identity, request, (remoteCredential, remoteS3Facade) -> {
URI remoteUri = remoteS3Facade.buildEndpoint(uriBuilder(request.queryParameters()), targetKey, targetBucket, request.requestAuthorization().region());
URI remoteUri = remoteS3Facade.buildEndpoint(uriBuilder(request.queryParameters()), request.rawPath(), request.bucketName(), request.requestAuthorization().region());

Request.Builder remoteRequestBuilder = new Request.Builder()
.setMethod(request.httpVerb())
Expand Down Expand Up @@ -161,7 +177,8 @@ public void proxyRequest(Optional<Identity> identity, SigningMetadata signingMet

Map<String, URI> presignedUrls;
if (generatePresignedUrlsOnHead && request.httpVerb().equalsIgnoreCase("HEAD")) {
presignedUrls = s3PresignController.buildPresignedRemoteUrls(identity, remoteSigningMetadata, request, targetRequestTimestamp, remoteUri);
// Presigned URLs are generated for the ORIGINAL key and bucket, not the rewritten ones
presignedUrls = s3PresignController.buildPresignedRemoteUrls(identity, remoteSigningMetadata, originalRequest, targetRequestTimestamp, remoteUri);
}
else {
presignedUrls = ImmutableMap.of();
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
/*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.trino.aws.proxy.server.remote.provider;

import com.google.common.collect.ImmutableList;
import com.google.inject.Inject;
import io.trino.aws.proxy.server.testing.RequestRewriteUtil;
import io.trino.aws.proxy.server.testing.TestingTrinoAwsProxyServer;
import io.trino.aws.proxy.server.testing.containers.S3Container.ForS3Container;
import io.trino.aws.proxy.server.testing.harness.BuilderFilter;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTestCommonModules.WithConfiguredBuckets;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.remote.RemoteS3Connection;
import io.trino.aws.proxy.spi.remote.RemoteS3Connection.StaticRemoteS3Connection;
import io.trino.aws.proxy.spi.remote.RemoteS3ConnectionProvider;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.signing.SigningMetadata;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import software.amazon.awssdk.core.ResponseInputStream;
import software.amazon.awssdk.core.sync.RequestBody;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.model.GetObjectResponse;
import software.amazon.awssdk.services.s3.model.PutObjectRequest;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

import static com.google.inject.Scopes.SINGLETON;
import static io.trino.aws.proxy.server.testing.TestingUtil.LOREM_IPSUM;
import static io.trino.aws.proxy.server.testing.TestingUtil.TESTING_REMOTE_CREDENTIAL;
import static io.trino.aws.proxy.spi.plugin.TrinoAwsProxyServerBinding.remoteS3ConnectionProviderModule;
import static java.util.Objects.requireNonNull;
import static org.assertj.core.api.Assertions.assertThat;

@TrinoAwsProxyTest(filters = {WithConfiguredBuckets.class, RequestRewriteUtil.Filter.class, TestRemoteS3ConnectionProviderWithRewriter.Filter.class})
public class TestRemoteS3ConnectionProviderWithRewriter
{
public static class Filter
implements BuilderFilter
{
@Override
public TestingTrinoAwsProxyServer.Builder filter(TestingTrinoAwsProxyServer.Builder builder)
{
return builder
.withoutTestingRemoteS3ConnectionProvider()
.addModule(remoteS3ConnectionProviderModule("rewrite-test", DelegateRemoteS3ConnectionProvider.class,
binder -> binder.bind(DelegateRemoteS3ConnectionProvider.class).in(SINGLETON)))
.withProperty("remote-s3-connection-provider.type", "rewrite-test");
}
}

public static class DelegateRemoteS3ConnectionProvider
implements RemoteS3ConnectionProvider
{
private RemoteS3ConnectionProvider delegate;

private final List<RemoteS3ConnectionProviderArgs> callArgs = new ArrayList<>();

@Override
public Optional<RemoteS3Connection> remoteConnection(SigningMetadata signingMetadata, Optional<Identity> identity, ParsedS3Request request)
{
callArgs.add(new RemoteS3ConnectionProviderArgs(signingMetadata, identity, request));
return delegate.remoteConnection(signingMetadata, identity, request);
}

public void setDelegate(RemoteS3ConnectionProvider delegate)
{
this.delegate = requireNonNull(delegate, "delegate is null");
}

public List<RemoteS3ConnectionProviderArgs> getCallArgs()
{
return callArgs;
}

public void reset()
{
callArgs.clear();
delegate = null;
}
}

public record RemoteS3ConnectionProviderArgs(SigningMetadata signingMetadata, Optional<Identity> identity, ParsedS3Request request) {}

private final S3Client s3Client;
private final S3Client storageClient;
private final DelegateRemoteS3ConnectionProvider delegateRemoteS3ConnectionProvider;
private final List<String> buckets;

@Inject
public TestRemoteS3ConnectionProviderWithRewriter(
S3Client s3Client,
@ForS3Container S3Client storageClient,
DelegateRemoteS3ConnectionProvider delegateRemoteS3ConnectionProvider,
@ForS3Container List<String> buckets)
{
this.s3Client = requireNonNull(s3Client, "s3Client is null");
this.storageClient = requireNonNull(storageClient, "storageClient is null");
this.delegateRemoteS3ConnectionProvider = requireNonNull(delegateRemoteS3ConnectionProvider, "delegateRemoteS3ConnectionProvider is null");
this.buckets = ImmutableList.copyOf(buckets);
}

@AfterEach
public void cleanup()
{
delegateRemoteS3ConnectionProvider.reset();
}

@Test
public void testRemoteS3ConnectionRetrievedWithRewrittenRequest()
throws IOException
{
String bucket = buckets.getFirst();

storageClient.putObject(PutObjectRequest.builder().bucket("redirected-" + bucket).key("redirected-test_key_1337").build(), RequestBody.fromString(LOREM_IPSUM));

delegateRemoteS3ConnectionProvider.setDelegate((_, _, _) -> Optional.of(new StaticRemoteS3Connection(TESTING_REMOTE_CREDENTIAL)));

ResponseInputStream<GetObjectResponse> resp = s3Client.getObject(GetObjectRequest.builder().bucket(bucket).key("test_key_1337").build());
assertThat(resp.readAllBytes()).asString().isEqualTo(LOREM_IPSUM);

assertThat(delegateRemoteS3ConnectionProvider.getCallArgs()).hasSize(1).first().satisfies(args -> {
assertThat(args.request().bucketName()).isEqualTo("redirected-" + bucket);
assertThat(args.request().keyInBucket()).isEqualTo("redirected-test_key_1337");
});
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,15 @@
*/
package io.trino.aws.proxy.server.testing;

import com.google.inject.Inject;
import io.trino.aws.proxy.spi.credentials.AssumedRoleProvider;
import io.trino.aws.proxy.spi.credentials.Credential;
import io.trino.aws.proxy.spi.credentials.CredentialsProvider;
import io.trino.aws.proxy.spi.credentials.EmulatedAssumedRole;
import io.trino.aws.proxy.spi.credentials.Identity;
import io.trino.aws.proxy.spi.credentials.IdentityCredential;
import io.trino.aws.proxy.spi.remote.RemoteS3Connection;
import io.trino.aws.proxy.spi.remote.RemoteS3Connection.StaticRemoteS3Connection;
import io.trino.aws.proxy.spi.remote.RemoteS3ConnectionProvider;
import io.trino.aws.proxy.spi.rest.ParsedS3Request;
import io.trino.aws.proxy.spi.signing.SigningMetadata;
Expand All @@ -33,6 +35,8 @@
import java.util.concurrent.atomic.AtomicInteger;

import static com.google.common.base.Preconditions.checkState;
import static io.trino.aws.proxy.server.testing.TestingUtil.TESTING_IDENTITY_CREDENTIAL;
import static io.trino.aws.proxy.server.testing.TestingUtil.TESTING_REMOTE_CREDENTIAL;
import static java.util.Objects.requireNonNull;

/**
Expand Down Expand Up @@ -60,6 +64,13 @@ private record Session(Credential sessionCredential, String originalEmulatedAcce
}
}

@Inject
public TestingCredentialsRolesProvider()
{
addCredentials(TESTING_IDENTITY_CREDENTIAL);
setDefaultRemoteConnection(new StaticRemoteS3Connection(TESTING_REMOTE_CREDENTIAL));
}

@Override
public Optional<RemoteS3Connection> remoteConnection(SigningMetadata signingMetadata, Optional<Identity> identity, ParsedS3Request request)
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Inject;
import com.google.inject.Injector;
import com.google.inject.Key;
import com.google.inject.Module;
Expand All @@ -41,7 +40,6 @@
import io.trino.aws.proxy.server.testing.containers.S3Container.ForS3Container;
import io.trino.aws.proxy.spi.credentials.Credential;
import io.trino.aws.proxy.spi.credentials.IdentityCredential;
import io.trino.aws.proxy.spi.remote.RemoteS3Connection.StaticRemoteS3Connection;

import java.io.Closeable;
import java.util.Collection;
Expand Down Expand Up @@ -98,6 +96,7 @@ public static class Builder
private boolean v4PySparkContainerAdded;
private boolean opaContainerAdded;
private boolean addTestingCredentialsRoleProviders = true;
private boolean addTestingRemoteS3CredentialsProvider = true;

public Builder addModule(Module module)
{
Expand Down Expand Up @@ -200,6 +199,12 @@ public Builder withoutTestingCredentialsRoleProviders()
return this;
}

public Builder withoutTestingRemoteS3ConnectionProvider()
{
addTestingRemoteS3CredentialsProvider = false;
return this;
}

public Builder withOpaContainer()
{
if (opaContainerAdded) {
Expand All @@ -214,33 +219,22 @@ public Builder withOpaContainer()
public TestingTrinoAwsProxyServer buildAndStart()
{
if (addTestingCredentialsRoleProviders) {
if (mockS3ContainerAdded) {
modules.add(binder -> binder.bind(TestingCredentialsInitializer.class).asEagerSingleton());
}

addModule(credentialsProviderModule("testing", TestingCredentialsRolesProvider.class, (binder) -> binder.bind(TestingCredentialsRolesProvider.class).in(Scopes.SINGLETON)));
withProperty("credentials-provider.type", "testing");
addModule(assumedRoleProviderModule("testing", TestingCredentialsRolesProvider.class, (binder) -> binder.bind(TestingCredentialsRolesProvider.class).in(Scopes.SINGLETON)));
withProperty("assumed-role-provider.type", "testing");
}

if (addTestingRemoteS3CredentialsProvider) {
addModule(remoteS3ConnectionProviderModule("testing", TestingCredentialsRolesProvider.class,
binder -> binder.bind(TestingCredentialsInitializer.class).in(Scopes.SINGLETON)));
binder -> binder.bind(TestingCredentialsRolesProvider.class).in(Scopes.SINGLETON)));
withProperty("remote-s3-connection-provider.type", "testing");
}

return start(modules.build(), properties.buildKeepingLast());
}
}

static class TestingCredentialsInitializer
{
@Inject
TestingCredentialsInitializer(TestingCredentialsRolesProvider credentialsController)
{
credentialsController.addCredentials(TESTING_IDENTITY_CREDENTIAL);
credentialsController.setDefaultRemoteConnection(new StaticRemoteS3Connection(TESTING_REMOTE_CREDENTIAL));
}
}

private static TestingTrinoAwsProxyServer start(Collection<Module> extraModules, Map<String, String> properties)
{
ImmutableList.Builder<Module> modules = ImmutableList.<Module>builder()
Expand Down