Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use AWS SDK to fetch AWS credentials #1311

Merged
merged 19 commits into from
Jan 21, 2020
Merged
Show file tree
Hide file tree
Changes from 9 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,25 @@
<version>1.24</version>
</dependency>

<!-- _______________________________________________________________________________ -->

<dependency>
<groupId>com.amazonaws</groupId>
<artifactId>aws-java-sdk-core</artifactId>
<version>1.11.696</version>
<optional>true</optional>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-cbor</artifactId>
</exclusion>
<exclusion>
<groupId>software.amazon.ion</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
</dependency>


<!-- =============================================================================== -->

Expand Down
19 changes: 19 additions & 0 deletions src/main/java/io/fabric8/maven/docker/util/AuthConfigFactory.java
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@

import io.fabric8.maven.docker.access.AuthConfig;
import io.fabric8.maven.docker.access.ecr.EcrExtendedAuth;
import io.fabric8.maven.docker.util.aws.AwsSdkAuthConfigFactory;

/**
* Factory for creating docker specific authentication configuration
Expand Down Expand Up @@ -227,6 +228,12 @@ private AuthConfig createStandardAuthConfig(boolean isPush, Map authConfigMap, S

// check EC2 instance role if registry is ECR
if (EcrExtendedAuth.isAwsRegistry(registry)) {
ret = getAuthConfigViaAwsSdk();
if (ret != null) {
log.debug("AuthConfig: AWS credentials from AWS SDK");
return ret;
}

ret = getAuthConfigFromAwsEnvironmentVariables();
if (ret != null) {
log.debug("AuthConfig: AWS credentials from ENV variables");
Expand Down Expand Up @@ -265,6 +272,18 @@ private AuthConfig createStandardAuthConfig(boolean isPush, Map authConfigMap, S
return null;
}

private AuthConfig getAuthConfigViaAwsSdk() {
try {
Class.forName("com.amazonaws.auth.DefaultAWSCredentialsProviderChain");
} catch (ClassNotFoundException e) {
log.info("It appears that you're using AWS ECR." +
" Consider integrating the AWS SDK in order to make use of common AWS authentication mechanisms," +
" see TODO");
return null;
}
return new AwsSdkAuthConfigFactory(log).createAuthConfig();
}

/**
* Try using the AWS credentials provided via ENV variables.
* See https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
package io.fabric8.maven.docker.util.aws;

import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
sebastiankirsch marked this conversation as resolved.
Show resolved Hide resolved
import io.fabric8.maven.docker.access.AuthConfig;
import io.fabric8.maven.docker.util.Logger;

public class AwsSdkAuthConfigFactory {

private final AWSCredentialsProvider credentialsProvider;
private final Logger log;

public AwsSdkAuthConfigFactory(Logger log) {
this(new DefaultAWSCredentialsProviderChain(), log);
}

AwsSdkAuthConfigFactory(AWSCredentialsProvider credentialsProvider, Logger log) {
this.credentialsProvider = credentialsProvider;
this.log = log;
}

public AuthConfig createAuthConfig() {
AWSCredentials credentials;
try {
credentials = credentialsProvider.getCredentials();
} catch (SdkClientException e) {
log.debug("Failed to fetch AWS credentials: %s", e);
return null;
}
if (credentials == null) {
return null;
}
String sessionToken = (credentials instanceof AWSSessionCredentials)
? ((AWSSessionCredentials) credentials).getSessionToken() : null;
return new AuthConfig(credentials.getAWSAccessKeyId(), credentials.getAWSSecretKey(), "none", sessionToken);
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,10 @@
import com.google.gson.JsonNull;
import com.google.gson.JsonObject;
import io.fabric8.maven.docker.access.AuthConfig;
import io.fabric8.maven.docker.util.aws.AwsSdkAuthConfigFactory;
import mockit.Expectations;
import mockit.Mock;
import mockit.MockUp;
import mockit.Mocked;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.bootstrap.HttpServer;
Expand Down Expand Up @@ -522,8 +524,20 @@ public void exec(File homeDir) throws IOException, MojoExecutionException {
});
}

@Test
public void getAuthConfigViaAwsSdk() throws MojoExecutionException {
String accessKeyId = randomUUID().toString();
String secretAccessKey = randomUUID().toString();
new MockedAwsSdkAuthConfigFactory(accessKeyId, secretAccessKey);

AuthConfig authConfig = factory.createAuthConfig(false, true, null, settings, "user", ECR_NAME);

verifyAuthConfig(authConfig, accessKeyId, secretAccessKey, null, null);
}

@Test
public void ecsTaskRole() throws IOException, MojoExecutionException {
givenAwsSdkIsDisabled();
String containerCredentialsUri = "/v2/credentials/" + randomUUID().toString();
String accessKeyId = randomUUID().toString();
String secretAccessKey = randomUUID().toString();
Expand All @@ -538,6 +552,7 @@ public void ecsTaskRole() throws IOException, MojoExecutionException {

@Test
public void fargateTaskRole() throws IOException, MojoExecutionException {
givenAwsSdkIsDisabled();
String containerCredentialsUri = "v2/credentials/" + randomUUID().toString();
String accessKeyId = randomUUID().toString();
String secretAccessKey = randomUUID().toString();
Expand All @@ -552,6 +567,7 @@ public void fargateTaskRole() throws IOException, MojoExecutionException {

@Test
public void awsTemporaryCredentialsArePickedUpFromEnvironment() throws MojoExecutionException {
givenAwsSdkIsDisabled();
String accessKeyId = randomUUID().toString();
String secretAccessKey = randomUUID().toString();
String sessionToken = randomUUID().toString();
Expand All @@ -566,6 +582,7 @@ public void awsTemporaryCredentialsArePickedUpFromEnvironment() throws MojoExecu

@Test
public void awsStaticCredentialsArePickedUpFromEnvironment() throws MojoExecutionException {
givenAwsSdkIsDisabled();
String accessKeyId = randomUUID().toString();
String secretAccessKey = randomUUID().toString();
environmentVariables.set("AWS_ACCESS_KEY_ID", accessKeyId);
Expand All @@ -578,6 +595,7 @@ public void awsStaticCredentialsArePickedUpFromEnvironment() throws MojoExecutio

@Test
public void incompleteAwsCredentialsAreIgnored() throws MojoExecutionException {
givenAwsSdkIsDisabled();
environmentVariables.set("AWS_ACCESS_KEY_ID", randomUUID().toString());

AuthConfig authConfig = factory.createAuthConfig(false, true, null, settings, "user", ECR_NAME);
Expand Down Expand Up @@ -654,4 +672,41 @@ private void verifyAuthConfig(AuthConfig config, String username, String passwor
verifyAuthConfig(config, username, password, email, null);
}

private static void givenAwsSdkIsDisabled() {
new DisableAwsSdkAuthConfigFactory();
}

private static class MockedAwsSdkAuthConfigFactory extends MockUp<AwsSdkAuthConfigFactory> {
private final String accessKeyId;
private final String secretAccessKey;

public MockedAwsSdkAuthConfigFactory(String accessKeyId, String secretAccessKey) {
this.accessKeyId = accessKeyId;
this.secretAccessKey = secretAccessKey;
}

@Mock
public void $init(Logger log) {
}

@Mock
public AuthConfig createAuthConfig() {
return new AuthConfig(accessKeyId, secretAccessKey, null,null);
}

}

private static class DisableAwsSdkAuthConfigFactory extends MockUp<AwsSdkAuthConfigFactory> {

@Mock
public void $init(Logger log) {
}

@Mock
public AuthConfig createAuthConfig() {
return null;
}

}

}
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
package io.fabric8.maven.docker.util.aws;

import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import io.fabric8.maven.docker.access.AuthConfig;
import io.fabric8.maven.docker.util.Logger;
import mockit.Expectations;
import mockit.Mocked;
import org.junit.Before;
import org.junit.Test;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;

public class AwsSdkAuthConfigFactoryTest {

@Mocked
private AWSCredentialsProvider credentialsProvider;

@Mocked
private Logger log;

private AwsSdkAuthConfigFactory objectUnderTest;


@Before
public void setup() {
objectUnderTest = new AwsSdkAuthConfigFactory(credentialsProvider, log);
}

@Test
public void exceptionsAreHandledGracefully() {
new Expectations() {{
credentialsProvider.getCredentials();
minTimes = 1;
result = new SdkClientException("Unauthorized");
}};

AuthConfig authConfig = objectUnderTest.createAuthConfig();

assertNull(authConfig);
}

@Test
public void nullValueIsPassedOn() {
new Expectations() {{
credentialsProvider.getCredentials();
minTimes = 1;
result = null;
}};

AuthConfig authConfig = objectUnderTest.createAuthConfig();

assertNull(authConfig);
}

@Test
public void basicCredentialsAreTransformedIntoAuthConfig() {
String accessKey = "accessKey";
String secretKey = "secretKey";
new Expectations() {{
credentialsProvider.getCredentials();
minTimes = 1;
this.result = new BasicAWSCredentials(accessKey, secretKey);
}};

AuthConfig authConfig = objectUnderTest.createAuthConfig();

assertNotNull(authConfig);
assertEquals(accessKey, authConfig.getUsername());
assertEquals(secretKey, authConfig.getPassword());
assertNull(authConfig.getAuth());
assertNull(authConfig.getIdentityToken());
}

@Test
public void sessionCredentialsAreTransformedIntoAuthConfig() {
String accessKey = "accessKey";
String secretKey = "secretKey";
String sessionToken = "sessionToken";
new Expectations() {{
credentialsProvider.getCredentials();
minTimes = 1;
this.result = new BasicSessionCredentials(accessKey, secretKey, sessionToken);
}};

AuthConfig authConfig = objectUnderTest.createAuthConfig();

assertNotNull(authConfig);
assertEquals(accessKey, authConfig.getUsername());
assertEquals(secretKey, authConfig.getPassword());
assertEquals(sessionToken, authConfig.getAuth());
assertNull(authConfig.getIdentityToken());
}

}