Merge pull request #1016 from Dohbedoh/JENKINS-74945

[JENKINS-74945] Use Role ARN when defined
jenkinsci · Dec 9, 2024 · 71dbefb · 71dbefb
2 parents 5a174f4 + 6f2fb05
commit 71dbefb
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 3 deletions.
diff --git a/src/main/java/hudson/plugins/ec2/EC2Cloud.java b/src/main/java/hudson/plugins/ec2/EC2Cloud.java
@@ -50,6 +50,7 @@
 import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
 import com.cloudbees.plugins.credentials.domains.Domain;
 import com.cloudbees.plugins.credentials.domains.DomainRequirement;
+import com.google.common.annotations.VisibleForTesting;
 import edu.umd.cs.findbugs.annotations.CheckForNull;
 import edu.umd.cs.findbugs.annotations.NonNull;
 import hudson.Extension;
@@ -92,6 +93,8 @@
 import jenkins.model.Jenkins;
 import jenkins.model.JenkinsLocationConfiguration;
 import org.apache.commons.lang.StringUtils;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
 import org.kohsuke.stapler.AncestorInPath;
 import org.kohsuke.stapler.HttpResponse;
 import org.kohsuke.stapler.QueryParameter;
@@ -1083,8 +1086,9 @@ public static AWSCredentialsProvider createCredentialsProvider(
 
         AWSCredentialsProvider provider = createCredentialsProvider(useInstanceProfileForCredentials, credentialsId);
 
-        if (StringUtils.isNotEmpty(roleArn) && StringUtils.isNotEmpty(roleSessionName)) {
-            return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, roleSessionName)
+        if (StringUtils.isNotEmpty(roleArn)) {
+            return new STSAssumeRoleSessionCredentialsProvider.Builder(
+                            roleArn, StringUtils.defaultIfBlank(roleSessionName, "Jenkins"))
                     .withStsClient(AWSSecurityTokenServiceClientBuilder.standard()
                             .withCredentials(provider)
                             .withRegion(region)
@@ -1272,6 +1276,22 @@ public ListBoxModel doFillSshKeysCredentialsIdItems(
             return result;
         }
 
+        @NonNull
+        @RequirePOST
+        @Restricted(NoExternalUse.class)
+        @VisibleForTesting
+        public FormValidation doCheckRoleSessionName(
+                @QueryParameter String roleArn, @QueryParameter String roleSessionName) {
+            // Don't do anything if the user is only reading the configuration
+            if (Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
+                if (StringUtils.isNotEmpty(roleArn) && StringUtils.isBlank(roleSessionName)) {
+                    return FormValidation.warning(
+                            "Session Name is recommended when specifying an Arn Role. If empty, 'Jenkins' will be used.");
+                }
+            }
+            return FormValidation.ok();
+        }
+
         @RequirePOST
         public FormValidation doCheckSshKeysCredentialsId(
                 @AncestorInPath ItemGroup context, @QueryParameter String value) throws IOException, ServletException {

diff --git a/src/main/resources/hudson/plugins/ec2/AmazonEC2Cloud/config-entries.jelly b/src/main/resources/hudson/plugins/ec2/AmazonEC2Cloud/config-entries.jelly
@@ -50,7 +50,7 @@ THE SOFTWARE.
       <f:textbox />
     </f:entry>
     <f:entry title="${%Session Name}" field="roleSessionName">
-      <f:textbox />
+      <f:textbox checkDependsOn="roleArn"/>
     </f:entry>
   </f:advanced>
   <f:validateButton title="${%Test Connection}" progress="${%Testing...}" method="testConnection" with="region,useInstanceProfileForCredentials,credentialsId,sshKeysCredentialsId,roleArn,roleSessionName" />

diff --git a/src/main/resources/hudson/plugins/ec2/EC2Cloud/help-roleArn.html b/src/main/resources/hudson/plugins/ec2/EC2Cloud/help-roleArn.html
@@ -0,0 +1,3 @@
+<div>
+    The ARN of an IAM Role to be assumed.
+</div>
diff --git a/src/main/resources/hudson/plugins/ec2/EC2Cloud/help-roleSessionName.html b/src/main/resources/hudson/plugins/ec2/EC2Cloud/help-roleSessionName.html
@@ -0,0 +1,3 @@
+<div>
+    A name for the session of the assumed IAM role. If empty, this defaults to 'Jenkins'.
+</div>
diff --git a/src/test/java/hudson/plugins/ec2/AmazonEC2CloudTest.java b/src/test/java/hudson/plugins/ec2/AmazonEC2CloudTest.java
@@ -38,6 +38,7 @@
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
 import com.cloudbees.plugins.credentials.domains.Domain;
 import hudson.plugins.ec2.util.TestSSHUserPrivateKey;
+import hudson.util.FormValidation;
 import hudson.util.ListBoxModel;
 import java.io.IOException;
 import java.util.Collections;
@@ -96,6 +97,24 @@ public void testAmazonEC2FactoryGetInstance() throws Exception {
         Assert.assertTrue(Mockito.mockingDetails(connection).isMock());
     }
 
+    @Test
+    public void testAmazonEC2FactoryWorksIfSessionNameMissing() throws Exception {
+        r.jenkins.clouds.replace(new AmazonEC2Cloud(
+                "us-east-1", true, "abc", "us-east-1", null, "ghi", "3", Collections.emptyList(), "roleArn", null));
+        AmazonEC2Cloud cloud = r.jenkins.clouds.get(AmazonEC2Cloud.class);
+        AmazonEC2 connection = cloud.connect();
+        Assert.assertNotNull(connection);
+        Assert.assertTrue(Mockito.mockingDetails(connection).isMock());
+    }
+
+    @Test
+    public void testSessionNameMissingWarning() {
+        AmazonEC2Cloud actual = r.jenkins.clouds.get(AmazonEC2Cloud.class);
+        AmazonEC2Cloud.DescriptorImpl descriptor = (AmazonEC2Cloud.DescriptorImpl) actual.getDescriptor();
+        assertThat(descriptor.doCheckRoleSessionName("roleArn", "").kind, is(FormValidation.Kind.WARNING));
+        assertThat(descriptor.doCheckRoleSessionName("roleArn", "roleSessionName").kind, is(FormValidation.Kind.OK));
+    }
+
     @Test
     public void testSshKeysCredentialsIdRemainsUnchangedAfterUpdatingOtherFields() throws Exception {
         HtmlForm form = getConfigForm();