From 0ec1e97a11328cc19e487dedb4cd2d7ee2e2727e Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 16 May 2018 16:12:24 +0300 Subject: [PATCH] S3 repo plugin populate SettingsFilter (#30652) The accessKey and secretKey repo settings (in the cluster state) of the s3 client are registered and will populate the SettingsFilter. --- .../repositories/s3/S3RepositoryPlugin.java | 4 +- .../s3/S3BlobStoreRepositoryTests.java | 46 ++++++++++++++++++- 2 files changed, 48 insertions(+), 2 deletions(-) diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3RepositoryPlugin.java b/plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3RepositoryPlugin.java index 010c4b92c21a0..e31495efc0eef 100644 --- a/plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3RepositoryPlugin.java +++ b/plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3RepositoryPlugin.java @@ -90,6 +90,8 @@ public List> getSettings() { S3ClientSettings.PROXY_PASSWORD_SETTING, S3ClientSettings.READ_TIMEOUT_SETTING, S3ClientSettings.MAX_RETRIES_SETTING, - S3ClientSettings.USE_THROTTLE_RETRIES_SETTING); + S3ClientSettings.USE_THROTTLE_RETRIES_SETTING, + S3Repository.ACCESS_KEY_SETTING, + S3Repository.SECRET_KEY_SETTING); } } diff --git a/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java b/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java index e3e89c41514de..e599f84b411e4 100644 --- a/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java +++ b/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java @@ -21,7 +21,10 @@ import com.amazonaws.services.s3.AmazonS3; import com.amazonaws.services.s3.model.CannedAccessControlList; import com.amazonaws.services.s3.model.StorageClass; + +import org.elasticsearch.client.node.NodeClient; import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.common.settings.SettingsFilter; import org.elasticsearch.common.unit.ByteSizeUnit; import org.elasticsearch.common.unit.ByteSizeValue; import org.elasticsearch.common.xcontent.NamedXContentRegistry; @@ -29,6 +32,12 @@ import org.elasticsearch.plugins.Plugin; import org.elasticsearch.repositories.Repository; import org.elasticsearch.repositories.blobstore.ESBlobStoreRepositoryIntegTestCase; +import org.elasticsearch.rest.AbstractRestChannel; +import org.elasticsearch.rest.RestController; +import org.elasticsearch.rest.RestRequest; +import org.elasticsearch.rest.RestResponse; +import org.elasticsearch.rest.action.admin.cluster.RestGetRepositoriesAction; +import org.elasticsearch.test.rest.FakeRestRequest; import org.junit.AfterClass; import org.junit.BeforeClass; @@ -38,9 +47,14 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ConcurrentMap; +import java.util.concurrent.CountDownLatch; +import java.util.concurrent.atomic.AtomicReference; import static java.util.Collections.emptyMap; import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked; +import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.not; +import static org.mockito.Mockito.mock; public class S3BlobStoreRepositoryTests extends ESBlobStoreRepositoryIntegTestCase { @@ -81,7 +95,9 @@ protected void createTestRepository(final String name) { .put(S3Repository.BUFFER_SIZE_SETTING.getKey(), bufferSize) .put(S3Repository.SERVER_SIDE_ENCRYPTION_SETTING.getKey(), serverSideEncryption) .put(S3Repository.CANNED_ACL_SETTING.getKey(), cannedACL) - .put(S3Repository.STORAGE_CLASS_SETTING.getKey(), storageClass))); + .put(S3Repository.STORAGE_CLASS_SETTING.getKey(), storageClass) + .put(S3Repository.ACCESS_KEY_SETTING.getKey(), "not_used_but_this_is_a_secret") + .put(S3Repository.SECRET_KEY_SETTING.getKey(), "not_used_but_this_is_a_secret"))); } @Override @@ -106,4 +122,32 @@ public synchronized AmazonS3 client(final Settings repositorySettings) { })); } } + + public void testInsecureRepositoryCredentials() throws Exception { + final String repositoryName = "testInsecureRepositoryCredentials"; + createTestRepository(repositoryName); + final NodeClient nodeClient = internalCluster().getInstance(NodeClient.class); + final RestGetRepositoriesAction getRepoAction = new RestGetRepositoriesAction(Settings.EMPTY, mock(RestController.class), + internalCluster().getInstance(SettingsFilter.class)); + final RestRequest getRepoRequest = new FakeRestRequest(); + getRepoRequest.params().put("repository", repositoryName); + final CountDownLatch getRepoLatch = new CountDownLatch(1); + final AtomicReference getRepoError = new AtomicReference<>(); + getRepoAction.handleRequest(getRepoRequest, new AbstractRestChannel(getRepoRequest, true) { + @Override + public void sendResponse(RestResponse response) { + try { + assertThat(response.content().utf8ToString(), not(containsString("not_used_but_this_is_a_secret"))); + } catch (final AssertionError ex) { + getRepoError.set(ex); + } + getRepoLatch.countDown(); + } + }, nodeClient); + getRepoLatch.await(); + if (getRepoError.get() != null) { + throw getRepoError.get(); + } + } + }