Add support for AWS session tokens

docs/plugins/discovery-ec2.asciidoc

@@ -40,11 +40,16 @@ Those that must be stored in the keystore are marked as `Secure`.
 
 `access_key`::
 
-    An s3 access key. The `secret_key` setting must also be specified. (Secure)
+    An ec2 access key. The `secret_key` setting must also be specified. (Secure)
 
 `secret_key`::
 
-    An s3 secret key. The `access_key` setting must also be specified. (Secure)
+    An ec2 secret key. The `access_key` setting must also be specified. (Secure)
+
+`session_token`::
+
+    An ec2 session token. The `access_key` and `secret_key` settings must also
+    be specified. (Secure)
 
 `endpoint`::
 

docs/plugins/repository-s3.asciidoc

@@ -73,6 +73,11 @@ are marked as `Secure`.
 
     An s3 secret key. The `access_key` setting must also be specified. (Secure)
 
+`session_token`::
+
+    An s3 session token. The `access_key` and `secret_key` settings must also
+    be specified. (Secure)
+
 `endpoint`::
 
     The s3 service endpoint to connect to. This will be automatically

plugins/discovery-ec2/src/main/java/org/elasticsearch/discovery/ec2/AwsEc2Service.java

@@ -52,6 +52,9 @@ class HostType {
     /** The secret key (ie password) for connecting to ec2. */
     Setting<SecureString> SECRET_KEY_SETTING = SecureSetting.secureString("discovery.ec2.secret_key", null);
 
+    /** The (optional) session token for connecting to ec2. */
+    Setting<SecureString> SESSION_TOKEN_SETTING = SecureSetting.secureString("discovery.ec2.session_token", null);
+
     /** An override for the ec2 endpoint to connect to. */
     Setting<String> ENDPOINT_SETTING = new Setting<>("discovery.ec2.endpoint", "",
         s -> s.toLowerCase(Locale.ROOT), Property.NodeScope);

plugins/discovery-ec2/src/main/java/org/elasticsearch/discovery/ec2/AwsEc2ServiceImpl.java

@@ -26,22 +26,30 @@
 import com.amazonaws.AmazonClientException;
 import com.amazonaws.AmazonWebServiceRequest;
 import com.amazonaws.ClientConfiguration;
+import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
+import com.amazonaws.auth.AWSStaticCredentialsProvider;
 import com.amazonaws.auth.BasicAWSCredentials;
+import com.amazonaws.auth.BasicSessionCredentials;
 import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
 import com.amazonaws.http.IdleConnectionReaper;
 import com.amazonaws.internal.StaticCredentialsProvider;
 import com.amazonaws.retry.RetryPolicy;
 import com.amazonaws.services.ec2.AmazonEC2;
 import com.amazonaws.services.ec2.AmazonEC2Client;
 import org.apache.logging.log4j.Logger;
+import org.elasticsearch.ElasticsearchException;
 import org.elasticsearch.common.Randomness;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.component.AbstractComponent;
+import org.elasticsearch.common.logging.DeprecationLogger;
+import org.elasticsearch.common.logging.Loggers;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsException;
 
 class AwsEc2ServiceImpl extends AbstractComponent implements AwsEc2Service, Closeable {
+    private static final DeprecationLogger DEPRECATION_LOGGER = new DeprecationLogger(Loggers.getLogger(AwsEc2ServiceImpl.class));
 
     public static final String EC2_METADATA_URL = "http://169.254.169.254/latest/meta-data/";
 
@@ -67,20 +75,38 @@ public synchronized AmazonEC2 client() {
     }
 
     protected static AWSCredentialsProvider buildCredentials(Logger logger, Settings settings) {
-        AWSCredentialsProvider credentials;
-
         try (SecureString key = ACCESS_KEY_SETTING.get(settings);
-             SecureString secret = SECRET_KEY_SETTING.get(settings)) {
+             SecureString secret = SECRET_KEY_SETTING.get(settings);
+             SecureString sessionToken = SESSION_TOKEN_SETTING.get(settings)) {
             if (key.length() == 0 && secret.length() == 0) {
+                if (sessionToken.length() > 0) {
+                    throw new SettingsException("Setting [{}] is set but [{}] and [{}] are not",
+                        SESSION_TOKEN_SETTING.getKey(), ACCESS_KEY_SETTING.getKey(), SECRET_KEY_SETTING.getKey());
+                }
+
                 logger.debug("Using either environment variables, system properties or instance profile credentials");
-                credentials = new DefaultAWSCredentialsProviderChain();
+                return new DefaultAWSCredentialsProviderChain();
             } else {
-                logger.debug("Using basic key/secret credentials");
-                credentials = new StaticCredentialsProvider(new BasicAWSCredentials(key.toString(), secret.toString()));
+                if (key.length() == 0) {
+                    DEPRECATION_LOGGER.deprecated("Setting [{}] is set but [{}] is not, which will be unsupported in future",
+                        SECRET_KEY_SETTING.getKey(), ACCESS_KEY_SETTING.getKey());
+                }
+                if (secret.length() == 0) {
+                    DEPRECATION_LOGGER.deprecated("Setting [{}] is set but [{}] is not, which will be unsupported in future",
+                        ACCESS_KEY_SETTING.getKey(), SECRET_KEY_SETTING.getKey());
+                }
+
+                final AWSCredentials credentials;
+                if (sessionToken.length() == 0) {
+                    logger.debug("Using basic key/secret credentials");
+                    credentials = new BasicAWSCredentials(key.toString(), secret.toString());
+                } else {
+                    logger.debug("Using basic session credentials");
+                    credentials = new BasicSessionCredentials(key.toString(), secret.toString(), sessionToken.toString());
+                }
+                return new AWSStaticCredentialsProvider(credentials);
             }
         }
-
-        return credentials;
     }
 
     protected static ClientConfiguration buildConfiguration(Logger logger, Settings settings) {

plugins/discovery-ec2/src/main/java/org/elasticsearch/discovery/ec2/Ec2DiscoveryPlugin.java

@@ -106,6 +106,7 @@ public List<Setting<?>> getSettings() {
         // Register EC2 discovery settings: discovery.ec2
         AwsEc2Service.ACCESS_KEY_SETTING,
         AwsEc2Service.SECRET_KEY_SETTING,
+        AwsEc2Service.SESSION_TOKEN_SETTING,
         AwsEc2Service.ENDPOINT_SETTING,
         AwsEc2Service.PROTOCOL_SETTING,
         AwsEc2Service.PROXY_HOST_SETTING,

plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/AwsEc2ServiceImplTests.java

@@ -23,15 +23,13 @@
 import com.amazonaws.Protocol;
 import com.amazonaws.auth.AWSCredentials;
 import com.amazonaws.auth.AWSCredentialsProvider;
+import com.amazonaws.auth.BasicSessionCredentials;
 import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
 import org.elasticsearch.common.settings.MockSecureSettings;
-import org.elasticsearch.common.settings.Setting;
 import org.elasticsearch.common.settings.Settings;
-import org.elasticsearch.discovery.ec2.AwsEc2Service;
-import org.elasticsearch.discovery.ec2.AwsEc2ServiceImpl;
+import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.test.ESTestCase;
 
-import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.nullValue;
@@ -44,17 +42,56 @@ public void testAWSCredentialsWithSystemProviders() {
     }
 
     public void testAWSCredentialsWithElasticsearchAwsSettings() {
-        MockSecureSettings secureSettings = new MockSecureSettings();
+        final MockSecureSettings secureSettings = new MockSecureSettings();
+        secureSettings.setString("discovery.ec2.access_key", "aws_key");
+        secureSettings.setString("discovery.ec2.secret_key", "aws_secret");
+        final AWSCredentials credentials = AwsEc2ServiceImpl.buildCredentials(logger,
+            Settings.builder().setSecureSettings(secureSettings).build()).getCredentials();
+        assertThat(credentials.getAWSAccessKeyId(), is("aws_key"));
+        assertThat(credentials.getAWSSecretKey(), is("aws_secret"));
+    }
+
+    public void testAWSSessionCredentialsWithElasticsearchAwsSettings() {
+        final MockSecureSettings secureSettings = new MockSecureSettings();
         secureSettings.setString("discovery.ec2.access_key", "aws_key");
         secureSettings.setString("discovery.ec2.secret_key", "aws_secret");
-        Settings settings = Settings.builder().setSecureSettings(secureSettings).build();
-        launchAWSCredentialsWithElasticsearchSettingsTest(settings, "aws_key", "aws_secret");
+        secureSettings.setString("discovery.ec2.session_token", "aws_session_token");
+        final BasicSessionCredentials credentials = (BasicSessionCredentials) AwsEc2ServiceImpl.buildCredentials(logger,
+            Settings.builder().setSecureSettings(secureSettings).build()).getCredentials();
+        assertThat(credentials.getAWSAccessKeyId(), is("aws_key"));
+        assertThat(credentials.getAWSSecretKey(), is("aws_secret"));
+        assertThat(credentials.getSessionToken(), is("aws_session_token"));
+    }
+
+    public void testDeprecationOfLoneAccessKey() {
+        final MockSecureSettings secureSettings = new MockSecureSettings();
+        secureSettings.setString("discovery.ec2.access_key", "aws_key");
+        final AWSCredentials credentials = AwsEc2ServiceImpl.buildCredentials(logger,
+            Settings.builder().setSecureSettings(secureSettings).build()).getCredentials();
+        assertThat(credentials.getAWSAccessKeyId(), is("aws_key"));
+        assertThat(credentials.getAWSSecretKey(), is(""));
+        assertSettingDeprecationsAndWarnings(new String[]{},
+            "Setting [discovery.ec2.access_key] is set but [discovery.ec2.secret_key] is not, which will be unsupported in future");
+    }
+
+    public void testDeprecationOfLoneSecretKey() {
+        final MockSecureSettings secureSettings = new MockSecureSettings();
+        secureSettings.setString("discovery.ec2.secret_key", "aws_secret");
+        final AWSCredentials credentials = AwsEc2ServiceImpl.buildCredentials(logger,
+            Settings.builder().setSecureSettings(secureSettings).build()).getCredentials();
+        assertThat(credentials.getAWSAccessKeyId(), is(""));
+        assertThat(credentials.getAWSSecretKey(), is("aws_secret"));
+        assertSettingDeprecationsAndWarnings(new String[]{},
+            "Setting [discovery.ec2.secret_key] is set but [discovery.ec2.access_key] is not, which will be unsupported in future");
     }
 
-    protected void launchAWSCredentialsWithElasticsearchSettingsTest(Settings settings, String expectedKey, String expectedSecret) {
-        AWSCredentials credentials = AwsEc2ServiceImpl.buildCredentials(logger, settings).getCredentials();
-        assertThat(credentials.getAWSAccessKeyId(), is(expectedKey));
-        assertThat(credentials.getAWSSecretKey(), is(expectedSecret));
+    public void testRejectionOfLoneSessionToken() {
+        final MockSecureSettings secureSettings = new MockSecureSettings();
+        secureSettings.setString("discovery.ec2.session_token", "aws_session_token");
+        SettingsException e = expectThrows(SettingsException.class, () -> AwsEc2ServiceImpl.buildCredentials(logger,
+            Settings.builder().setSecureSettings(secureSettings).build()));
+        assertThat(e.getMessage(), is(
+            "Setting [discovery.ec2.session_token] is set but [discovery.ec2.access_key] and [discovery.ec2.secret_key] are not"));
     }
 
     public void testAWSDefaultConfiguration() {

plugins/discovery-ec2/src/test/java/org/elasticsearch/discovery/ec2/Ec2DiscoveryClusterFormationTests.java

@@ -82,6 +82,9 @@ protected Settings nodeSettings(int nodeOrdinal) {
         MockSecureSettings secureSettings = new MockSecureSettings();
         secureSettings.setString(AwsEc2Service.ACCESS_KEY_SETTING.getKey(), "some_access");
         secureSettings.setString(AwsEc2Service.SECRET_KEY_SETTING.getKey(), "some_secret");
+        if (randomBoolean()) {
+            secureSettings.setString(AwsEc2Service.SESSION_TOKEN_SETTING.getKey(), "some_token");
+        }
         return Settings.builder().put(super.nodeSettings(nodeOrdinal))
             .put(DiscoveryModule.DISCOVERY_HOSTS_PROVIDER_SETTING.getKey(), "ec2")
             .put("path.logs", resolve)

plugins/repository-s3/qa/amazon-s3/build.gradle

@@ -39,16 +39,37 @@ forbiddenApisTest {
 
 boolean useFixture = false
 
-String s3AccessKey = System.getenv("amazon_s3_access_key")
-String s3SecretKey = System.getenv("amazon_s3_secret_key")
-String s3Bucket = System.getenv("amazon_s3_bucket")
-String s3BasePath = System.getenv("amazon_s3_base_path")
-
-if (!s3AccessKey && !s3SecretKey && !s3Bucket && !s3BasePath) {
-    s3AccessKey = 's3_integration_test_access_key'
-    s3SecretKey = 's3_integration_test_secret_key'
-    s3Bucket = 'bucket_test'
-    s3BasePath = 'integration_test'
+// We test against two repositories, one which uses the usual two-part "permanent" credentials and
+// the other which uses three-part "temporary" or "session" credentials.
+
+String s3PermanentAccessKey = System.getenv("amazon_s3_access_key_permanent")
+String s3PermanentSecretKey = System.getenv("amazon_s3_secret_key_permanent")
+String s3PermanentBucket = System.getenv("amazon_s3_bucket_permanent")
+String s3PermanentBasePath = System.getenv("amazon_s3_base_path_permanent")
+
+String s3TemporaryAccessKey = System.getenv("amazon_s3_access_key_temporary")
+String s3TemporarySecretKey = System.getenv("amazon_s3_secret_key_temporary")
+String s3TemporarySessionToken = System.getenv("amazon_s3_session_token_temporary")
+String s3TemporaryBucket = System.getenv("amazon_s3_bucket_temporary")
+String s3TemporaryBasePath = System.getenv("amazon_s3_base_path_temporary")
+
+// If all these variables are missing then we are testing against the internal fixture instead, which has the following
+// credentials hard-coded in.
+
+if (!s3PermanentAccessKey && !s3PermanentSecretKey && !s3PermanentBucket && !s3PermanentBasePath
+ && !s3TemporaryAccessKey && !s3TemporarySecretKey && !s3TemporaryBucket && !s3TemporaryBasePath && !s3TemporarySessionToken) {
+
+    s3PermanentAccessKey = 's3_integration_test_permanent_access_key'
+    s3PermanentSecretKey = 's3_integration_test_permanent_secret_key'
+    s3PermanentBucket = 'permanent_bucket_test'
+    s3PermanentBasePath = 'integration_test'
+
+    s3TemporaryAccessKey = 's3_integration_test_temporary_access_key'
+    s3TemporarySecretKey = 's3_integration_test_temporary_secret_key'
+    s3TemporaryBucket = 'temporary_bucket_test'
+    s3TemporaryBasePath = 'integration_test'
+    s3TemporarySessionToken = 's3_integration_test_temporary_session_token'
+
     useFixture = true
 }
 
@@ -57,26 +78,34 @@ task s3Fixture(type: AntFixture) {
     dependsOn compileTestJava
     env 'CLASSPATH', "${ -> project.sourceSets.test.runtimeClasspath.asPath }"
     executable = new File(project.runtimeJavaHome, 'bin/java')
-    args 'org.elasticsearch.repositories.s3.AmazonS3Fixture', baseDir, s3Bucket
+    args 'org.elasticsearch.repositories.s3.AmazonS3Fixture', baseDir
 }
 
 Map<String, Object> expansions = [
-        'bucket': s3Bucket,
-        'base_path': s3BasePath
+    'permanent_bucket': s3PermanentBucket,
+    'permanent_base_path': s3PermanentBasePath,
+    'temporary_bucket': s3TemporaryBucket,
+    'temporary_base_path': s3TemporaryBasePath
 ]
 processTestResources {
     inputs.properties(expansions)
     MavenFilteringHack.filter(it, expansions)
 }
 
 integTestCluster {
-    keystoreSetting 's3.client.integration_test.access_key', s3AccessKey
-    keystoreSetting 's3.client.integration_test.secret_key', s3SecretKey
+    keystoreSetting 's3.client.integration_test_permanent.access_key', s3PermanentAccessKey
+    keystoreSetting 's3.client.integration_test_permanent.secret_key', s3PermanentSecretKey
+
+    keystoreSetting 's3.client.integration_test_temporary.access_key', s3TemporaryAccessKey
+    keystoreSetting 's3.client.integration_test_temporary.secret_key', s3TemporarySecretKey
+    keystoreSetting 's3.client.integration_test_temporary.session_token', s3TemporarySessionToken
 
     if (useFixture) {
+        println "Using internal test service to test the repository-s3 plugin"
         dependsOn s3Fixture
         /* Use a closure on the string to delay evaluation until tests are executed */
-        setting 's3.client.integration_test.endpoint', "http://${-> s3Fixture.addressAndPort}"
+        setting 's3.client.integration_test_permanent.endpoint', "http://${-> s3Fixture.addressAndPort}"
+        setting 's3.client.integration_test_temporary.endpoint', "http://${-> s3Fixture.addressAndPort}"
     } else {
         println "Using an external service to test the repository-s3 plugin"
     }

plugins/repository-s3/qa/amazon-s3/src/test/java/org/elasticsearch/repositories/s3/AmazonS3Fixture.java

@@ -53,8 +53,8 @@
 public class AmazonS3Fixture {
 
     public static void main(String[] args) throws Exception {
-        if (args == null || args.length != 2) {
-            throw new IllegalArgumentException("AmazonS3Fixture <working directory> <bucket>");
+        if (args == null || args.length != 1) {
+            throw new IllegalArgumentException("AmazonS3Fixture <working directory>");
         }
 
         final InetSocketAddress socketAddress = new InetSocketAddress(InetAddress.getLoopbackAddress(), 0);
@@ -72,7 +72,8 @@ public static void main(String[] args) throws Exception {
             // Emulates S3
             final String storageUrl = "http://" + addressAndPort;
             final AmazonS3TestServer storageTestServer = new AmazonS3TestServer(storageUrl);
-            storageTestServer.createBucket(args[1]);
+            storageTestServer.createBucket("permanent_bucket_test");
+            storageTestServer.createBucket("temporary_bucket_test");
 
             httpServer.createContext("/", new ResponseHandler(storageTestServer));
             httpServer.start();

plugins/repository-s3/qa/amazon-s3/src/test/java/org/elasticsearch/repositories/s3/AmazonS3TestServer.java

@@ -106,13 +106,38 @@ public Response handle(final String method,
         }
 
         final List<String> authorizations = headers.get("Authorization");
-        if (authorizations == null
-            || (authorizations.isEmpty() == false & authorizations.get(0).contains("s3_integration_test_access_key") == false)) {
-            return newError(requestId, RestStatus.FORBIDDEN, "AccessDenied", "Access Denied", "");
+        if (authorizations == null || authorizations.size() != 1) {
+            return newError(requestId, RestStatus.FORBIDDEN, "AccessDenied", "No authorization", "");
+        }
+        final String authorization = authorizations.get(0);
+        final String permittedBucket;
+        if (authorization.contains("s3_integration_test_permanent_access_key")) {
+            final List<String> sessionTokens = headers.get("x-amz-security-token");
+            if (sessionTokens != null) {
+                return newError(requestId, RestStatus.FORBIDDEN, "AccessDenied", "Unexpected session token", "");
+            }
+            permittedBucket = "permanent_bucket_test";
+        } else if (authorization.contains("s3_integration_test_temporary_access_key")) {
+            final List<String> sessionTokens = headers.get("x-amz-security-token");
+            if (sessionTokens == null || sessionTokens.size() != 1) {
+                return newError(requestId, RestStatus.FORBIDDEN, "AccessDenied", "No session token", "");
+            }
+            final String sessionToken = sessionTokens.get(0);
+            if (sessionToken.equals("s3_integration_test_temporary_session_token") == false) {
+                return newError(requestId, RestStatus.FORBIDDEN, "AccessDenied", "Bad session token", "");
+            }
+            permittedBucket = "temporary_bucket_test";
+        } else {
+            return newError(requestId, RestStatus.FORBIDDEN, "AccessDenied", "Bad access key", "");
         }
 
         final RequestHandler handler = handlers.retrieve(method + " " + path, params);
         if (handler != null) {
+            final String bucket = params.get("bucket");
+            if (bucket != null && permittedBucket.equals(bucket) == false) {
+                // allow a null bucket to support bucket-free APIs like ListBuckets?
+                return newError(requestId, RestStatus.FORBIDDEN, "AccessDenied", "Bad bucket", "");
+            }
             return handler.execute(params, headers, body, requestId);
         } else {
             return newInternalError(requestId, "No handler defined for request [method: " + method + ", path: " + path + "]");