NIFI-11260 Added STS SSL Context Service for AWS Credentials Provider

This closes #7021

Signed-off-by: David Handermann <exceptionfactory@apache.org>
Peter Turcsanyi 2023-03-08 12:30:05 +01:00 committed by exceptionfactory
parent b23b2621ac
commit d2f80b1645
14 changed files with 156 additions and 167 deletions


@ -23,6 +23,7 @@ import org.apache.nifi.components.resource.ResourceType;
import org.apache.nifi.expression.ExpressionLanguageScope; import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.processor.util.StandardValidators; import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.processors.aws.AwsPropertyDescriptors; import org.apache.nifi.processors.aws.AwsPropertyDescriptors;
import org.apache.nifi.ssl.SSLContextService;
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.regions.Region;
import java.util.ArrayList; import java.util.ArrayList;
@ -173,6 +174,15 @@ public class CredentialPropertyDescriptors {
.dependsOn(ASSUME_ROLE_ARN) .dependsOn(ASSUME_ROLE_ARN)
.build(); .build();
public static final PropertyDescriptor ASSUME_ROLE_SSL_CONTEXT_SERVICE = new PropertyDescriptor.Builder()
.name("assume-role-ssl-context-service")
.displayName("Assume Role SSL Context Service")
.description("SSL Context Service used when connecting to the STS Endpoint.")
.identifiesControllerService(SSLContextService.class)
.required(false)
.dependsOn(ASSUME_ROLE_ARN)
.build();
/** /**
* Assume Role Proxy variables for configuring proxy to retrieve keys * Assume Role Proxy variables for configuring proxy to retrieve keys
*/ */


@ -19,11 +19,10 @@ package org.apache.nifi.processors.aws.credentials.provider.factory;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.List; import java.util.List;
import java.util.Map;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult; import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.ExplicitDefaultCredentialsStrategy; import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.ExplicitDefaultCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.AccessKeyPairCredentialsStrategy; import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.AccessKeyPairCredentialsStrategy;
import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.FileCredentialsStrategy; import org.apache.nifi.processors.aws.credentials.provider.factory.strategies.FileCredentialsStrategy;
@ -66,20 +65,15 @@ public class CredentialsProviderFactory {
strategies.add(new AssumeRoleCredentialsStrategy()); strategies.add(new AssumeRoleCredentialsStrategy());
} }
public CredentialsStrategy selectPrimaryStrategy(final Map<PropertyDescriptor, String> properties) { public CredentialsStrategy selectPrimaryStrategy(final PropertyContext propertyContext) {
for (CredentialsStrategy strategy : strategies) { for (CredentialsStrategy strategy : strategies) {
if (strategy.canCreatePrimaryCredential(properties)) { if (strategy.canCreatePrimaryCredential(propertyContext)) {
return strategy; return strategy;
} }
} }
return null; return null;
} }
public CredentialsStrategy selectPrimaryStrategy(final ValidationContext validationContext) {
final Map<PropertyDescriptor, String> properties = validationContext.getProperties();
return selectPrimaryStrategy(properties);
}
/** /**
* Validates AWS credential properties against the configured strategies to report any validation errors. * Validates AWS credential properties against the configured strategies to report any validation errors.
* @return Validation errors * @return Validation errors
@ -104,15 +98,14 @@ public class CredentialsProviderFactory {
* the factory. * the factory.
* @return AWSCredentialsProvider implementation * @return AWSCredentialsProvider implementation
*/ */
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
final CredentialsStrategy primaryStrategy = selectPrimaryStrategy(properties); final CredentialsStrategy primaryStrategy = selectPrimaryStrategy(propertyContext);
AWSCredentialsProvider primaryCredentialsProvider = primaryStrategy.getCredentialsProvider(properties); AWSCredentialsProvider primaryCredentialsProvider = primaryStrategy.getCredentialsProvider(propertyContext);
AWSCredentialsProvider derivedCredentialsProvider = null; AWSCredentialsProvider derivedCredentialsProvider = null;
for (CredentialsStrategy strategy : strategies) { for (CredentialsStrategy strategy : strategies) {
if (strategy.canCreateDerivedCredential(properties)) { if (strategy.canCreateDerivedCredential(propertyContext)) {
derivedCredentialsProvider = strategy.getDerivedCredentialsProvider(properties, derivedCredentialsProvider = strategy.getDerivedCredentialsProvider(propertyContext, primaryCredentialsProvider);
primaryCredentialsProvider);
break; break;
} }
} }
@ -129,14 +122,14 @@ public class CredentialsProviderFactory {
* the factory. * the factory.
* @return AwsCredentialsProvider implementation * @return AwsCredentialsProvider implementation
*/ */
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
final CredentialsStrategy primaryStrategy = selectPrimaryStrategy(properties); final CredentialsStrategy primaryStrategy = selectPrimaryStrategy(propertyContext);
final AwsCredentialsProvider primaryCredentialsProvider = primaryStrategy.getAwsCredentialsProvider(properties); final AwsCredentialsProvider primaryCredentialsProvider = primaryStrategy.getAwsCredentialsProvider(propertyContext);
AwsCredentialsProvider derivedCredentialsProvider = null; AwsCredentialsProvider derivedCredentialsProvider = null;
for (final CredentialsStrategy strategy : strategies) { for (final CredentialsStrategy strategy : strategies) {
if (strategy.canCreateDerivedCredential(properties)) { if (strategy.canCreateDerivedCredential(propertyContext)) {
derivedCredentialsProvider = strategy.getDerivedAwsCredentialsProvider(properties, primaryCredentialsProvider); derivedCredentialsProvider = strategy.getDerivedAwsCredentialsProvider(propertyContext, primaryCredentialsProvider);
break; break;
} }
} }
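Review bot: `getCredentialsProvider` in the second hunk dereferences `primaryStrategy` immediately after `selectPrimaryStrategy(propertyContext)`, which returns `null` when no strategy matches (first hunk, `return null;`), so an unmatched configuration surfaces as a NullPointerException instead of a descriptive error; `getAwsCredentialsProvider` in the third hunk has the same shape. Whether a strategy always matches presumably depends on a default strategy registered in the constructor, which is outside the hunk, so this may be unreachable in practice. A guard such as `if (primaryStrategy == null) { throw new IllegalStateException("No primary credentials strategy matches the configured properties"); }` after the selection would make the failure explicit. Both methods continue past the end of their hunks.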


@ -17,13 +17,12 @@
package org.apache.nifi.processors.aws.credentials.provider.factory; package org.apache.nifi.processors.aws.credentials.provider.factory;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult; import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import java.util.Collection; import java.util.Collection;
import java.util.Map;
/** /**
@ -43,13 +42,13 @@ public interface CredentialsStrategy {
* Determines if this strategy can create primary credentials using the given properties. * Determines if this strategy can create primary credentials using the given properties.
* @return true if primary credentials can be created * @return true if primary credentials can be created
*/ */
boolean canCreatePrimaryCredential(Map<PropertyDescriptor, String> properties); boolean canCreatePrimaryCredential(PropertyContext propertyContext);
/** /**
* Determines if this strategy can create derived credentials using the given properties. * Determines if this strategy can create derived credentials using the given properties.
* @return true if derived credentials can be created * @return true if derived credentials can be created
*/ */
boolean canCreateDerivedCredential(Map<PropertyDescriptor, String> properties); boolean canCreateDerivedCredential(PropertyContext propertyContext);
/** /**
* Validates the properties belonging to this strategy, given the selected primary strategy. Errors may result * Validates the properties belonging to this strategy, given the selected primary strategy. Errors may result
@ -63,25 +62,25 @@ public interface CredentialsStrategy {
/** /**
* Creates an AWSCredentialsProvider instance for this strategy, given the properties defined by the user. * Creates an AWSCredentialsProvider instance for this strategy, given the properties defined by the user.
*/ */
AWSCredentialsProvider getCredentialsProvider(Map<PropertyDescriptor, String> properties); AWSCredentialsProvider getCredentialsProvider(PropertyContext propertyContext);
/** /**
* Creates an AWSCredentialsProvider instance for this strategy, given the properties defined by the user and * Creates an AWSCredentialsProvider instance for this strategy, given the properties defined by the user and
* the AWSCredentialsProvider from the winning primary strategy. * the AWSCredentialsProvider from the winning primary strategy.
*/ */
AWSCredentialsProvider getDerivedCredentialsProvider(Map<PropertyDescriptor, String> properties, AWSCredentialsProvider getDerivedCredentialsProvider(PropertyContext propertyContext,
AWSCredentialsProvider primaryCredentialsProvider); AWSCredentialsProvider primaryCredentialsProvider);
/** /**
* Creates an AwsCredentialsProvider instance for this strategy, given the properties defined by the user. * Creates an AwsCredentialsProvider instance for this strategy, given the properties defined by the user.
*/ */
AwsCredentialsProvider getAwsCredentialsProvider(Map<PropertyDescriptor, String> properties); AwsCredentialsProvider getAwsCredentialsProvider(PropertyContext propertyContext);
/** /**
* Creates an AwsCredentialsProvider instance for this strategy, given the properties defined by the user and * Creates an AwsCredentialsProvider instance for this strategy, given the properties defined by the user and
* the AwsCredentialsProvider from the winning primary strategy. * the AwsCredentialsProvider from the winning primary strategy.
*/ */
AwsCredentialsProvider getDerivedAwsCredentialsProvider(Map<PropertyDescriptor, String> properties, AwsCredentialsProvider getDerivedAwsCredentialsProvider(PropertyContext propertyContext,
AwsCredentialsProvider primaryCredentialsProvider); AwsCredentialsProvider primaryCredentialsProvider);
} }
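Review bot: The new `PropertyContext` parameter is undocumented on every method of the interface; the Javadoc still speaks of "the given properties" and does not say whether implementations evaluate Expression Language themselves. The strategies in this commit differ on that point (the access-key strategy calls `evaluateAttributeExpressions()`, the assume-role strategy reads `getValue()` directly), so a `@param propertyContext` line stating the contract would help, e.g. `@param propertyContext context holding the configured properties; implementations evaluate Expression Language where the descriptor supports it`. Since `validate` keeps a `ValidationContext` parameter, the Javadoc could also state that the same `PropertyContext` entry points are expected to work when called during validation, if that is the intent.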


@ -18,11 +18,12 @@ package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Map;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult; import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy;
@ -42,8 +43,15 @@ public abstract class AbstractBooleanCredentialsStrategy extends AbstractCredent
} }
@Override @Override
public boolean canCreatePrimaryCredential(final Map<PropertyDescriptor, String> properties) { public boolean canCreatePrimaryCredential(final PropertyContext propertyContext) {
final String useStrategyString = properties.get(strategyProperty); PropertyValue strategyPropertyValue = propertyContext.getProperty(strategyProperty);
if (strategyPropertyValue == null) {
return false;
}
if (strategyProperty.isExpressionLanguageSupported()) {
strategyPropertyValue = strategyPropertyValue.evaluateAttributeExpressions();
}
final String useStrategyString = strategyPropertyValue.getValue();
final Boolean useStrategy = Boolean.parseBoolean(useStrategyString); final Boolean useStrategy = Boolean.parseBoolean(useStrategyString);
return useStrategy; return useStrategy;
} }
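Review bot: `canCreatePrimaryCredential` still declares `useStrategy` as a boxed `Boolean` and returns it, which boxes and immediately unboxes the `parseBoolean` result; the last two statements can be `return Boolean.parseBoolean(strategyPropertyValue.getValue());`. The `isExpressionLanguageSupported()` branch evaluates with the no-argument `evaluateAttributeExpressions()`, so no FlowFile attributes are involved; a one-line comment saying so would save the next reader from wondering which scope applies.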


@ -18,11 +18,12 @@ package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Map;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult; import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
@ -42,12 +43,10 @@ public abstract class AbstractCredentialsStrategy implements CredentialsStrategy
} }
@Override @Override
public boolean canCreatePrimaryCredential(final Map<PropertyDescriptor, String> properties) { public boolean canCreatePrimaryCredential(final PropertyContext propertyContext) {
for (final PropertyDescriptor requiredProperty : requiredProperties) { for (final PropertyDescriptor requiredProperty : requiredProperties) {
final boolean containsRequiredProperty = properties.containsKey(requiredProperty); final PropertyValue propertyValue = propertyContext.getProperty(requiredProperty);
final String propertyValue = properties.get(requiredProperty); if (!propertyValue.isSet()) {
final boolean containsValue = propertyValue != null;
if (!containsRequiredProperty || !containsValue) {
return false; return false;
} }
} }
@ -81,7 +80,7 @@ public abstract class AbstractCredentialsStrategy implements CredentialsStrategy
return validationFailureResults; return validationFailureResults;
} }
public abstract AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties); public abstract AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext);
public String getName() { public String getName() {
return name; return name;
@ -89,18 +88,18 @@ public abstract class AbstractCredentialsStrategy implements CredentialsStrategy
@Override @Override
public boolean canCreateDerivedCredential(final Map<PropertyDescriptor, String> properties) { public boolean canCreateDerivedCredential(final PropertyContext propertyContext) {
return false; return false;
} }
@Override @Override
public AWSCredentialsProvider getDerivedCredentialsProvider(final Map<PropertyDescriptor, String> properties, public AWSCredentialsProvider getDerivedCredentialsProvider(final PropertyContext propertyContext,
final AWSCredentialsProvider primaryCredentialsProvider) { final AWSCredentialsProvider primaryCredentialsProvider) {
return null; return null;
} }
@Override @Override
public AwsCredentialsProvider getDerivedAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties, public AwsCredentialsProvider getDerivedAwsCredentialsProvider(final PropertyContext propertyContext,
final AwsCredentialsProvider primaryCredentialsProvider) { final AwsCredentialsProvider primaryCredentialsProvider) {
return null; return null;
} }
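Review bot: `canCreatePrimaryCredential` calls `isSet()` on the result of `propertyContext.getProperty(requiredProperty)` without a null check, whereas `AbstractBooleanCredentialsStrategy.canCreatePrimaryCredential` in this same commit returns false when `getProperty` yields null. Whether `getProperty` can return null presumably depends on the `PropertyContext` implementation, so the two classes should share one assumption rather than diverge. If the null case is real, `if (propertyValue == null || !propertyValue.isSet()) { return false; }` preserves the previous `containsKey`/non-null semantics of the removed code.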


@ -20,12 +20,11 @@ import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials; import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.internal.StaticCredentialsProvider; import com.amazonaws.internal.StaticCredentialsProvider;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials; import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import java.util.Map;
/** /**
* Supports AWS credentials defined by an Access Key and Secret Key pair. * Supports AWS credentials defined by an Access Key and Secret Key pair.
@ -43,17 +42,17 @@ public class AccessKeyPairCredentialsStrategy extends AbstractCredentialsStrateg
} }
@Override @Override
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
final String accessKey = properties.get(CredentialPropertyDescriptors.ACCESS_KEY); final String accessKey = propertyContext.getProperty(CredentialPropertyDescriptors.ACCESS_KEY).evaluateAttributeExpressions().getValue();
final String secretKey = properties.get(CredentialPropertyDescriptors.SECRET_KEY); final String secretKey = propertyContext.getProperty(CredentialPropertyDescriptors.SECRET_KEY).evaluateAttributeExpressions().getValue();
final BasicAWSCredentials credentials = new BasicAWSCredentials(accessKey, secretKey); final BasicAWSCredentials credentials = new BasicAWSCredentials(accessKey, secretKey);
return new StaticCredentialsProvider(credentials); return new StaticCredentialsProvider(credentials);
} }
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
final String accessKey = properties.get(CredentialPropertyDescriptors.ACCESS_KEY); final String accessKey = propertyContext.getProperty(CredentialPropertyDescriptors.ACCESS_KEY).evaluateAttributeExpressions().getValue();
final String secretKey = properties.get(CredentialPropertyDescriptors.SECRET_KEY); final String secretKey = propertyContext.getProperty(CredentialPropertyDescriptors.SECRET_KEY).evaluateAttributeExpressions().getValue();
return software.amazon.awssdk.auth.credentials.StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey)); return software.amazon.awssdk.auth.credentials.StaticCredentialsProvider.create(AwsBasicCredentials.create(accessKey, secretKey));
} }
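Review bot: `getCredentialsProvider` and `getAwsCredentialsProvider` now repeat the same two `getProperty(...).evaluateAttributeExpressions().getValue()` reads for ACCESS_KEY and SECRET_KEY; a private helper such as `private static String evaluated(final PropertyContext ctx, final PropertyDescriptor descriptor) { return ctx.getProperty(descriptor).evaluateAttributeExpressions().getValue(); }` would keep the two SDK paths from drifting. Because the secret key is the value being evaluated, a short comment noting that the no-argument `evaluateAttributeExpressions()` is intentional (no FlowFile attributes are consulted) would document why the simpler `getValue()` was not used.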


@ -19,13 +19,11 @@ package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials; import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.internal.StaticCredentialsProvider; import com.amazonaws.internal.StaticCredentialsProvider;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors;
import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider; import software.amazon.awssdk.auth.credentials.AnonymousCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import java.util.Map;
/** /**
* Supports Anonymous AWS credentials. * Supports Anonymous AWS credentials.
@ -40,13 +38,13 @@ public class AnonymousCredentialsStrategy extends AbstractBooleanCredentialsStra
} }
@Override @Override
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
AnonymousAWSCredentials credentials = new AnonymousAWSCredentials(); AnonymousAWSCredentials credentials = new AnonymousAWSCredentials();
return new StaticCredentialsProvider(credentials); return new StaticCredentialsProvider(credentials);
} }
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
return AnonymousCredentialsProvider.create(); return AnonymousCredentialsProvider.create();
} }


@ -20,12 +20,15 @@ import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider; import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient; import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext; import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult; import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialsStrategy;
import org.apache.nifi.processors.aws.signer.AwsCustomSignerUtil; import org.apache.nifi.processors.aws.signer.AwsCustomSignerUtil;
import org.apache.nifi.processors.aws.signer.AwsSignerType; import org.apache.nifi.processors.aws.signer.AwsSignerType;
import org.apache.nifi.ssl.SSLContextService;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient; import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.regions.Region;
@ -34,17 +37,18 @@ import software.amazon.awssdk.services.sts.StsClientBuilder;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider; import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest; import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import javax.net.ssl.SSLContext;
import java.net.URI; import java.net.URI;
import java.time.Duration; import java.time.Duration;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Map;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_ARN; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_ARN;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_NAME; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_NAME;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_SSL_CONTEXT_SERVICE;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_REGION; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_REGION;
@ -72,14 +76,14 @@ public class AssumeRoleCredentialsStrategy extends AbstractCredentialsStrategy {
} }
@Override @Override
public boolean canCreatePrimaryCredential(final Map<PropertyDescriptor, String> properties) { public boolean canCreatePrimaryCredential(final PropertyContext propertyContext) {
return false; return false;
} }
@Override @Override
public boolean canCreateDerivedCredential(final Map<PropertyDescriptor, String> properties) { public boolean canCreateDerivedCredential(final PropertyContext propertyContext) {
final String assumeRoleArn = properties.get(ASSUME_ROLE_ARN); final String assumeRoleArn = propertyContext.getProperty(ASSUME_ROLE_ARN).getValue();
final String assumeRoleName = properties.get(ASSUME_ROLE_NAME); final String assumeRoleName = propertyContext.getProperty(ASSUME_ROLE_NAME).getValue();
if (assumeRoleArn != null && !assumeRoleArn.isEmpty() if (assumeRoleArn != null && !assumeRoleArn.isEmpty()
&& assumeRoleName != null && !assumeRoleName.isEmpty()) { && assumeRoleName != null && !assumeRoleName.isEmpty()) {
return true; return true;
@ -87,9 +91,9 @@ public class AssumeRoleCredentialsStrategy extends AbstractCredentialsStrategy {
return false; return false;
} }
public boolean proxyVariablesValidForAssumeRole(final Map<PropertyDescriptor, String> properties){ protected boolean proxyVariablesValidForAssumeRole(final PropertyContext propertyContext) {
final String assumeRoleProxyHost = properties.get(ASSUME_ROLE_PROXY_HOST); final String assumeRoleProxyHost = propertyContext.getProperty(ASSUME_ROLE_PROXY_HOST).getValue();
final String assumeRoleProxyPort = properties.get(ASSUME_ROLE_PROXY_PORT); final String assumeRoleProxyPort = propertyContext.getProperty(ASSUME_ROLE_PROXY_PORT).getValue();
if (assumeRoleProxyHost != null && !assumeRoleProxyHost.isEmpty() if (assumeRoleProxyHost != null && !assumeRoleProxyHost.isEmpty()
&& assumeRoleProxyPort != null && !assumeRoleProxyPort.isEmpty()) { && assumeRoleProxyPort != null && !assumeRoleProxyPort.isEmpty()) {
return true; return true;
@ -130,36 +134,41 @@ public class AssumeRoleCredentialsStrategy extends AbstractCredentialsStrategy {
} }
@Override @Override
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@Override @Override
public AWSCredentialsProvider getDerivedCredentialsProvider(final Map<PropertyDescriptor, String> properties, public AWSCredentialsProvider getDerivedCredentialsProvider(final PropertyContext propertyContext,
final AWSCredentialsProvider primaryCredentialsProvider) { final AWSCredentialsProvider primaryCredentialsProvider) {
final String assumeRoleArn = properties.get(ASSUME_ROLE_ARN); final String assumeRoleArn = propertyContext.getProperty(ASSUME_ROLE_ARN).getValue();
final String assumeRoleName = properties.get(ASSUME_ROLE_NAME); final String assumeRoleName = propertyContext.getProperty(ASSUME_ROLE_NAME).getValue();
String rawMaxSessionTime = properties.get(MAX_SESSION_TIME); final int maxSessionTime = propertyContext.getProperty(MAX_SESSION_TIME).asInteger();
rawMaxSessionTime = rawMaxSessionTime == null ? MAX_SESSION_TIME.getDefaultValue() : rawMaxSessionTime; final String assumeRoleExternalId = propertyContext.getProperty(ASSUME_ROLE_EXTERNAL_ID).getValue();
final Integer maxSessionTime = Integer.parseInt(rawMaxSessionTime.trim()); final String assumeRoleSTSRegion = propertyContext.getProperty(ASSUME_ROLE_STS_REGION).getValue();
final String assumeRoleExternalId = properties.get(ASSUME_ROLE_EXTERNAL_ID); final String assumeRoleSTSEndpoint = propertyContext.getProperty(ASSUME_ROLE_STS_ENDPOINT).getValue();
final String assumeRoleSTSRegion = properties.get(ASSUME_ROLE_STS_REGION); final String assumeRoleSTSSigner = propertyContext.getProperty(ASSUME_ROLE_STS_SIGNER_OVERRIDE).getValue();
final String assumeRoleSTSEndpoint = properties.get(ASSUME_ROLE_STS_ENDPOINT); final SSLContextService sslContextService = propertyContext.getProperty(ASSUME_ROLE_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
final String assumeRoleSTSSigner = properties.get(ASSUME_ROLE_STS_SIGNER_OVERRIDE);
STSAssumeRoleSessionCredentialsProvider.Builder builder; STSAssumeRoleSessionCredentialsProvider.Builder builder;
ClientConfiguration config = new ClientConfiguration(); final ClientConfiguration config = new ClientConfiguration();
if (sslContextService != null) {
final SSLContext sslContext = sslContextService.createContext();
config.getApacheHttpClientConfig().setSslSocketFactory(new SSLConnectionSocketFactory(sslContext));
}
// If proxy variables are set, then create Client Configuration with those values // If proxy variables are set, then create Client Configuration with those values
if (proxyVariablesValidForAssumeRole(properties)) { if (proxyVariablesValidForAssumeRole(propertyContext)) {
final String assumeRoleProxyHost = properties.get(ASSUME_ROLE_PROXY_HOST); final String assumeRoleProxyHost = propertyContext.getProperty(ASSUME_ROLE_PROXY_HOST).getValue();
final Integer assumeRoleProxyPort = Integer.parseInt(properties.get(ASSUME_ROLE_PROXY_PORT)); final int assumeRoleProxyPort = propertyContext.getProperty(ASSUME_ROLE_PROXY_PORT).asInteger();
config.withProxyHost(assumeRoleProxyHost); config.withProxyHost(assumeRoleProxyHost);
config.withProxyPort(assumeRoleProxyPort); config.withProxyPort(assumeRoleProxyPort);
} }
final AwsSignerType assumeRoleSTSSignerType = AwsSignerType.forValue(assumeRoleSTSSigner); final AwsSignerType assumeRoleSTSSignerType = AwsSignerType.forValue(assumeRoleSTSSigner);
if (assumeRoleSTSSignerType == CUSTOM_SIGNER) { if (assumeRoleSTSSignerType == CUSTOM_SIGNER) {
final String signerClassName = properties.get(ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME); final String signerClassName = propertyContext.getProperty(ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME).evaluateAttributeExpressions().getValue();
config.withSignerOverride(AwsCustomSignerUtil.registerCustomSigner(signerClassName)); config.withSignerOverride(AwsCustomSignerUtil.registerCustomSigner(signerClassName));
} else if (assumeRoleSTSSignerType != DEFAULT_SIGNER) { } else if (assumeRoleSTSSignerType != DEFAULT_SIGNER) {
@ -190,29 +199,33 @@ public class AssumeRoleCredentialsStrategy extends AbstractCredentialsStrategy {
} }
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
throw new UnsupportedOperationException(); throw new UnsupportedOperationException();
} }
@Override @Override
public AwsCredentialsProvider getDerivedAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties, public AwsCredentialsProvider getDerivedAwsCredentialsProvider(final PropertyContext propertyContext,
AwsCredentialsProvider primaryCredentialsProvider) { final AwsCredentialsProvider primaryCredentialsProvider) {
final String assumeRoleArn = properties.get(ASSUME_ROLE_ARN); final String assumeRoleArn = propertyContext.getProperty(ASSUME_ROLE_ARN).getValue();
final String assumeRoleName = properties.get(ASSUME_ROLE_NAME); final String assumeRoleName = propertyContext.getProperty(ASSUME_ROLE_NAME).getValue();
String rawMaxSessionTime = properties.get(MAX_SESSION_TIME); final int maxSessionTime = propertyContext.getProperty(MAX_SESSION_TIME).asInteger();
rawMaxSessionTime = rawMaxSessionTime == null ? MAX_SESSION_TIME.getDefaultValue() : rawMaxSessionTime; final String assumeRoleExternalId = propertyContext.getProperty(ASSUME_ROLE_EXTERNAL_ID).getValue();
final Integer maxSessionTime = Integer.parseInt(rawMaxSessionTime.trim()); final String assumeRoleSTSEndpoint = propertyContext.getProperty(ASSUME_ROLE_STS_ENDPOINT).getValue();
final String assumeRoleExternalId = properties.get(ASSUME_ROLE_EXTERNAL_ID); final String stsRegion = propertyContext.getProperty(ASSUME_ROLE_STS_REGION).getValue();
final String assumeRoleSTSEndpoint = properties.get(ASSUME_ROLE_STS_ENDPOINT); final SSLContextService sslContextService = propertyContext.getProperty(ASSUME_ROLE_SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
final String stsRegion = properties.get(ASSUME_ROLE_STS_REGION);
final StsAssumeRoleCredentialsProvider.Builder builder = StsAssumeRoleCredentialsProvider.builder(); final StsAssumeRoleCredentialsProvider.Builder builder = StsAssumeRoleCredentialsProvider.builder();
// If proxy variables are set, then create Client Configuration with those values
final ApacheHttpClient.Builder httpClientBuilder = ApacheHttpClient.builder(); final ApacheHttpClient.Builder httpClientBuilder = ApacheHttpClient.builder();
if (proxyVariablesValidForAssumeRole(properties)) {
final String assumeRoleProxyHost = properties.get(ASSUME_ROLE_PROXY_HOST); if (sslContextService != null) {
final Integer assumeRoleProxyPort = Integer.parseInt(properties.get(ASSUME_ROLE_PROXY_PORT)); final SSLContext sslContext = sslContextService.createContext();
httpClientBuilder.socketFactory(new SSLConnectionSocketFactory(sslContext));
}
if (proxyVariablesValidForAssumeRole(propertyContext)) {
final String assumeRoleProxyHost = propertyContext.getProperty(ASSUME_ROLE_PROXY_HOST).getValue();
final int assumeRoleProxyPort = propertyContext.getProperty(ASSUME_ROLE_PROXY_PORT).asInteger();
final software.amazon.awssdk.http.apache.ProxyConfiguration proxyConfig = software.amazon.awssdk.http.apache.ProxyConfiguration.builder() final software.amazon.awssdk.http.apache.ProxyConfiguration proxyConfig = software.amazon.awssdk.http.apache.ProxyConfiguration.builder()
.endpoint(URI.create(String.format("%s:%s", assumeRoleProxyHost, assumeRoleProxyPort))) .endpoint(URI.create(String.format("%s:%s", assumeRoleProxyHost, assumeRoleProxyPort)))
.build(); .build();


@ -16,9 +16,7 @@
*/ */
package org.apache.nifi.processors.aws.credentials.provider.factory.strategies; package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;
import java.util.Map; import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
@ -41,12 +39,12 @@ public class ExplicitDefaultCredentialsStrategy extends AbstractBooleanCredentia
} }
@Override @Override
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
return new DefaultAWSCredentialsProviderChain(); return new DefaultAWSCredentialsProviderChain();
} }
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
return DefaultCredentialsProvider.create(); return DefaultCredentialsProvider.create();
} }


@ -19,12 +19,12 @@ package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.PropertiesFileCredentialsProvider; import com.amazonaws.auth.PropertiesFileCredentialsProvider;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.PropertiesCredentialsProvider; import org.apache.nifi.processors.aws.credentials.provider.PropertiesCredentialsProvider;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import java.io.File; import java.io.File;
import java.util.Map;
/** /**
@ -47,14 +47,14 @@ public class FileCredentialsStrategy extends AbstractCredentialsStrategy {
} }
@Override @Override
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
final String credentialsFile = properties.get(CredentialPropertyDescriptors.CREDENTIALS_FILE); final String credentialsFile = propertyContext.getProperty(CredentialPropertyDescriptors.CREDENTIALS_FILE).getValue();
return new PropertiesFileCredentialsProvider(credentialsFile); return new PropertiesFileCredentialsProvider(credentialsFile);
} }
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
final String credentialsFile = properties.get(CredentialPropertyDescriptors.CREDENTIALS_FILE); final String credentialsFile = propertyContext.getProperty(CredentialPropertyDescriptors.CREDENTIALS_FILE).getValue();
return new PropertiesCredentialsProvider(new File(credentialsFile)); return new PropertiesCredentialsProvider(new File(credentialsFile));
} }
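Review bot: Both new methods read `CredentialPropertyDescriptors.CREDENTIALS_FILE` with `.getValue()` only, but the central pre-evaluation of Expression Language that the controller service used to do for every EL-enabled descriptor is removed in this commit (the `evaluatedProperties` loop in the AWSCredentialsProviderControllerService section), so each strategy now has to evaluate for itself, as NamedProfileCredentialsStrategy does with `.evaluateAttributeExpressions().getValue()`. If CREDENTIALS_FILE is declared with an Expression Language scope, a path written as an expression would now reach `PropertiesFileCredentialsProvider` and `new File(credentialsFile)` unevaluated and fail to open; I cannot see the descriptor definition here, so please confirm. Suggested change in both methods: `final String credentialsFile = propertyContext.getProperty(CredentialPropertyDescriptors.CREDENTIALS_FILE).evaluateAttributeExpressions().getValue();`. The other strategies converted in this commit deserve the same check against their descriptors' EL scope.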


@ -19,11 +19,10 @@ package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain; import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.context.PropertyContext;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import java.util.Map;
/** /**
* Supports AWS Default Credentials. Compared to ExplicitDefaultCredentialsStrategy, this strategy is always * Supports AWS Default Credentials. Compared to ExplicitDefaultCredentialsStrategy, this strategy is always
@ -37,12 +36,12 @@ public class ImplicitDefaultCredentialsStrategy extends AbstractCredentialsStrat
} }
@Override @Override
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
return new DefaultAWSCredentialsProviderChain(); return new DefaultAWSCredentialsProviderChain();
} }
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
return DefaultCredentialsProvider.create(); return DefaultCredentialsProvider.create();
} }
} }


@ -16,9 +16,8 @@
*/ */
package org.apache.nifi.processors.aws.credentials.provider.factory.strategies; package org.apache.nifi.processors.aws.credentials.provider.factory.strategies;
import java.util.Map;
import org.apache.nifi.components.PropertyDescriptor; import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors; import org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors;
import com.amazonaws.auth.AWSCredentialsProvider; import com.amazonaws.auth.AWSCredentialsProvider;
@ -41,14 +40,14 @@ public class NamedProfileCredentialsStrategy extends AbstractCredentialsStrategy
} }
@Override @Override
public AWSCredentialsProvider getCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AWSCredentialsProvider getCredentialsProvider(final PropertyContext propertyContext) {
final String profileName = properties.get(CredentialPropertyDescriptors.PROFILE_NAME); final String profileName = propertyContext.getProperty(CredentialPropertyDescriptors.PROFILE_NAME).evaluateAttributeExpressions().getValue();
return new ProfileCredentialsProvider(profileName); return new ProfileCredentialsProvider(profileName);
} }
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider(final Map<PropertyDescriptor, String> properties) { public AwsCredentialsProvider getAwsCredentialsProvider(final PropertyContext propertyContext) {
final String profileName = properties.get(CredentialPropertyDescriptors.PROFILE_NAME); final String profileName = propertyContext.getProperty(CredentialPropertyDescriptors.PROFILE_NAME).evaluateAttributeExpressions().getValue();
return software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.create(profileName); return software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.create(profileName);
} }
} }


@ -36,14 +36,13 @@ import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ACCESS_KEY; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ACCESS_KEY;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_EXTERNAL_ID;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_HOST;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_SSL_CONTEXT_SERVICE;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_ENDPOINT;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_SIGNER_OVERRIDE; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.ASSUME_ROLE_STS_SIGNER_OVERRIDE;
import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.CREDENTIALS_FILE; import static org.apache.nifi.processors.aws.credentials.provider.factory.CredentialPropertyDescriptors.CREDENTIALS_FILE;
@ -79,7 +78,7 @@ public class AWSCredentialsProviderControllerService extends AbstractControllerS
public static final PropertyDescriptor MAX_SESSION_TIME = CredentialPropertyDescriptors.MAX_SESSION_TIME; public static final PropertyDescriptor MAX_SESSION_TIME = CredentialPropertyDescriptors.MAX_SESSION_TIME;
public static final PropertyDescriptor ASSUME_ROLE_STS_REGION = CredentialPropertyDescriptors.ASSUME_ROLE_STS_REGION; public static final PropertyDescriptor ASSUME_ROLE_STS_REGION = CredentialPropertyDescriptors.ASSUME_ROLE_STS_REGION;
private static final List<PropertyDescriptor> properties; private static final List<PropertyDescriptor> PROPERTIES;
static { static {
final List<PropertyDescriptor> props = new ArrayList<>(); final List<PropertyDescriptor> props = new ArrayList<>();
@ -93,6 +92,7 @@ public class AWSCredentialsProviderControllerService extends AbstractControllerS
props.add(ASSUME_ROLE_NAME); props.add(ASSUME_ROLE_NAME);
props.add(MAX_SESSION_TIME); props.add(MAX_SESSION_TIME);
props.add(ASSUME_ROLE_EXTERNAL_ID); props.add(ASSUME_ROLE_EXTERNAL_ID);
props.add(ASSUME_ROLE_SSL_CONTEXT_SERVICE);
props.add(ASSUME_ROLE_PROXY_HOST); props.add(ASSUME_ROLE_PROXY_HOST);
props.add(ASSUME_ROLE_PROXY_PORT); props.add(ASSUME_ROLE_PROXY_PORT);
props.add(ASSUME_ROLE_STS_REGION); props.add(ASSUME_ROLE_STS_REGION);
@ -100,16 +100,16 @@ public class AWSCredentialsProviderControllerService extends AbstractControllerS
props.add(ASSUME_ROLE_STS_SIGNER_OVERRIDE); props.add(ASSUME_ROLE_STS_SIGNER_OVERRIDE);
props.add(ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME); props.add(ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME);
props.add(ASSUME_ROLE_STS_CUSTOM_SIGNER_MODULE_LOCATION); props.add(ASSUME_ROLE_STS_CUSTOM_SIGNER_MODULE_LOCATION);
properties = Collections.unmodifiableList(props); PROPERTIES = Collections.unmodifiableList(props);
} }
private volatile ConfigurationContext context;
private volatile AWSCredentialsProvider credentialsProvider; private volatile AWSCredentialsProvider credentialsProvider;
private volatile Map<PropertyDescriptor, String> evaluatedProperties;
protected final CredentialsProviderFactory credentialsProviderFactory = new CredentialsProviderFactory(); protected final CredentialsProviderFactory credentialsProviderFactory = new CredentialsProviderFactory();
@Override @Override
protected List<PropertyDescriptor> getSupportedPropertyDescriptors() { protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
return properties; return PROPERTIES;
} }
@Override @Override
@ -120,7 +120,7 @@ public class AWSCredentialsProviderControllerService extends AbstractControllerS
@Override @Override
public AwsCredentialsProvider getAwsCredentialsProvider() { public AwsCredentialsProvider getAwsCredentialsProvider() {
// Avoiding instantiation until actually used, in case v1-related configuration is not compatible with v2 clients // Avoiding instantiation until actually used, in case v1-related configuration is not compatible with v2 clients
return credentialsProviderFactory.getAwsCredentialsProvider(evaluatedProperties); return credentialsProviderFactory.getAwsCredentialsProvider(context);
} }
@Override @Override
@ -130,14 +130,9 @@ public class AWSCredentialsProviderControllerService extends AbstractControllerS
@OnEnabled @OnEnabled
public void onConfigured(final ConfigurationContext context) { public void onConfigured(final ConfigurationContext context) {
evaluatedProperties = new HashMap<>(context.getProperties()); this.context = context;
evaluatedProperties.keySet().forEach(propertyDescriptor -> {
if (propertyDescriptor.isExpressionLanguageSupported()) { credentialsProvider = credentialsProviderFactory.getCredentialsProvider(context);
evaluatedProperties.put(propertyDescriptor,
context.getProperty(propertyDescriptor).evaluateAttributeExpressions().getValue());
}
});
credentialsProvider = credentialsProviderFactory.getCredentialsProvider(evaluatedProperties);
getLogger().debug("Using credentials provider: " + credentialsProvider.getClass()); getLogger().debug("Using credentials provider: " + credentialsProvider.getClass());
} }
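Review bot: The new `private volatile ConfigurationContext context;` field is undocumented, and its role is not obvious: `onConfigured` stores the whole context while `getAwsCredentialsProvider()` rebuilds the v2 provider from it on every call, so property lookups (including the new Assume Role SSL Context Service reference) are resolved lazily at use time rather than once at enable time, and a call before the service is enabled dereferences a null field exactly as the old `evaluatedProperties` did. A field comment would make that contract explicit for the next maintainer, e.g. `// Configuration retained after enablement so the v2 provider can be built lazily from the same properties; null until onConfigured runs`. The surrounding class and the `getAwsCredentialsProvider` method start outside this section.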


@ -27,7 +27,6 @@ import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.Signer; import com.amazonaws.auth.Signer;
import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.internal.StaticCredentialsProvider; import com.amazonaws.internal.StaticCredentialsProvider;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.processors.aws.credentials.provider.PropertiesCredentialsProvider; import org.apache.nifi.processors.aws.credentials.provider.PropertiesCredentialsProvider;
import org.apache.nifi.processors.aws.s3.FetchS3Object; import org.apache.nifi.processors.aws.s3.FetchS3Object;
import org.apache.nifi.processors.aws.signer.AwsSignerType; import org.apache.nifi.processors.aws.signer.AwsSignerType;
@ -40,11 +39,8 @@ import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider; import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import java.util.Map;
import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
@ -59,14 +55,13 @@ public class TestCredentialsProviderFactory {
final TestRunner runner = TestRunners.newTestRunner(MockAWSProcessor.class); final TestRunner runner = TestRunners.newTestRunner(MockAWSProcessor.class);
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
assertEquals(DefaultAWSCredentialsProviderChain.class, assertEquals(DefaultAWSCredentialsProviderChain.class,
credentialsProvider.getClass(), "credentials provider should be equal"); credentialsProvider.getClass(), "credentials provider should be equal");
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties); final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProviderV2); assertNotNull(credentialsProviderV2);
assertEquals(DefaultCredentialsProvider.class, assertEquals(DefaultCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal"); credentialsProviderV2.getClass(), "credentials provider should be equal");
@ -78,14 +73,13 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.USE_DEFAULT_CREDENTIALS, "true"); runner.setProperty(CredentialPropertyDescriptors.USE_DEFAULT_CREDENTIALS, "true");
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
assertEquals(DefaultAWSCredentialsProviderChain.class, assertEquals(DefaultAWSCredentialsProviderChain.class,
credentialsProvider.getClass(), "credentials provider should be equal"); credentialsProvider.getClass(), "credentials provider should be equal");
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties); final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProviderV2); assertNotNull(credentialsProviderV2);
assertEquals(DefaultCredentialsProvider.class, assertEquals(DefaultCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal"); credentialsProviderV2.getClass(), "credentials provider should be equal");
@ -107,14 +101,14 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.SECRET_KEY, "BogusSecretKey"); runner.setProperty(CredentialPropertyDescriptors.SECRET_KEY, "BogusSecretKey");
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
assertEquals(StaticCredentialsProvider.class, assertEquals(StaticCredentialsProvider.class,
credentialsProvider.getClass(), "credentials provider should be equal"); credentialsProvider.getClass(), "credentials provider should be equal");
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties); final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProviderV2); assertNotNull(credentialsProviderV2);
assertEquals(software.amazon.awssdk.auth.credentials.StaticCredentialsProvider.class, assertEquals(software.amazon.awssdk.auth.credentials.StaticCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal"); credentialsProviderV2.getClass(), "credentials provider should be equal");
@ -140,14 +134,13 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.CREDENTIALS_FILE, "src/test/resources/mock-aws-credentials.properties"); runner.setProperty(CredentialPropertyDescriptors.CREDENTIALS_FILE, "src/test/resources/mock-aws-credentials.properties");
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
assertEquals(PropertiesFileCredentialsProvider.class, assertEquals(PropertiesFileCredentialsProvider.class,
credentialsProvider.getClass(), "credentials provider should be equal"); credentialsProvider.getClass(), "credentials provider should be equal");
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties); final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProviderV2); assertNotNull(credentialsProviderV2);
assertEquals(PropertiesCredentialsProvider.class, assertEquals(PropertiesCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal"); credentialsProviderV2.getClass(), "credentials provider should be equal");
@ -161,21 +154,11 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_NAME, "BogusSession"); runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_NAME, "BogusSession");
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
assertEquals(STSAssumeRoleSessionCredentialsProvider.class, assertEquals(STSAssumeRoleSessionCredentialsProvider.class,
credentialsProvider.getClass(), "credentials provider should be equal"); credentialsProvider.getClass(), "credentials provider should be equal");
assertThrows(IllegalStateException.class, () -> factory.getAwsCredentialsProvider(properties));
runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_REGION, Region.US_WEST_1.id());
final Map<PropertyDescriptor, String> properties2 = runner.getProcessContext().getProperties();
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties2);
assertNotNull(credentialsProviderV2);
assertEquals(StsAssumeRoleCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal");
} }
@Test @Test
@ -194,14 +177,13 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.USE_ANONYMOUS_CREDENTIALS, "true"); runner.setProperty(CredentialPropertyDescriptors.USE_ANONYMOUS_CREDENTIALS, "true");
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
final AWSCredentials creds = credentialsProvider.getCredentials(); final AWSCredentials creds = credentialsProvider.getCredentials();
assertEquals(AnonymousAWSCredentials.class, creds.getClass(), "credentials should be equal"); assertEquals(AnonymousAWSCredentials.class, creds.getClass(), "credentials should be equal");
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties); final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProviderV2); assertNotNull(credentialsProviderV2);
assertEquals(AnonymousCredentialsProvider.class, assertEquals(AnonymousCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal"); credentialsProviderV2.getClass(), "credentials provider should be equal");
@ -222,14 +204,13 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.PROFILE_NAME, "BogusProfile"); runner.setProperty(CredentialPropertyDescriptors.PROFILE_NAME, "BogusProfile");
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
assertEquals(ProfileCredentialsProvider.class, assertEquals(ProfileCredentialsProvider.class,
credentialsProvider.getClass(), "credentials provider should be equal"); credentialsProvider.getClass(), "credentials provider should be equal");
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties); final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProviderV2); assertNotNull(credentialsProviderV2);
assertEquals(software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.class, assertEquals(software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal"); credentialsProviderV2.getClass(), "credentials provider should be equal");
@ -246,14 +227,13 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT, "8080"); runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_PROXY_PORT, "8080");
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProvider); assertNotNull(credentialsProvider);
assertEquals(STSAssumeRoleSessionCredentialsProvider.class, assertEquals(STSAssumeRoleSessionCredentialsProvider.class,
credentialsProvider.getClass(), "credentials provider should be equal"); credentialsProvider.getClass(), "credentials provider should be equal");
final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(properties); final AwsCredentialsProvider credentialsProviderV2 = factory.getAwsCredentialsProvider(runner.getProcessContext());
assertNotNull(credentialsProviderV2); assertNotNull(credentialsProviderV2);
assertEquals(StsAssumeRoleCredentialsProvider.class, assertEquals(StsAssumeRoleCredentialsProvider.class,
credentialsProviderV2.getClass(), "credentials provider should be equal"); credentialsProviderV2.getClass(), "credentials provider should be equal");
@ -300,13 +280,12 @@ public class TestCredentialsProviderFactory {
runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME, CustomSTSSigner.class.getName()); runner.setProperty(CredentialPropertyDescriptors.ASSUME_ROLE_STS_CUSTOM_SIGNER_CLASS_NAME, CustomSTSSigner.class.getName());
runner.assertValid(); runner.assertValid();
final Map<PropertyDescriptor, String> properties = runner.getProcessContext().getProperties();
final CredentialsProviderFactory factory = new CredentialsProviderFactory(); final CredentialsProviderFactory factory = new CredentialsProviderFactory();
final Signer signerChecker = mock(Signer.class); final Signer signerChecker = mock(Signer.class);
CustomSTSSigner.setSignerChecker(signerChecker); CustomSTSSigner.setSignerChecker(signerChecker);
final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(properties); final AWSCredentialsProvider credentialsProvider = factory.getCredentialsProvider(runner.getProcessContext());
try { try {
credentialsProvider.getCredentials(); credentialsProvider.getCredentials();