[ALS-7716] - Use AVL role

Luke Sikina · Luke-Sikina · commit 7e4cb2ebf621 · 2025-03-28T14:22:56.000-04:00
diff --git a/uploader/src/main/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSClientBuilder.java b/uploader/src/main/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSClientBuilder.java
@@ -3,9 +3,11 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Profile;
 import org.springframework.stereotype.Service;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.http.SdkHttpClient;
 import software.amazon.awssdk.services.s3.S3Client;
@@ -27,18 +29,21 @@ public class AWSClientBuilder {
     private final StsClientProvider stsClientProvider;
     private final S3ClientBuilder s3ClientBuilder;
     private final SdkHttpClient sdkHttpClient;
+    private final boolean retainRole;
 
     @Autowired
     public AWSClientBuilder(
         Map<String, SiteAWSInfo> sites,
         StsClientProvider stsClientProvider,
         S3ClientBuilder s3ClientBuilder,
-        @Autowired(required = false) SdkHttpClient sdkHttpClient
+        @Autowired(required = false) SdkHttpClient sdkHttpClient,
+        @Value("${s3.retain_role:false}") boolean retainRole
     ) {
         this.sites = sites;
         this.stsClientProvider = stsClientProvider;
         this.s3ClientBuilder = s3ClientBuilder;
         this.sdkHttpClient = sdkHttpClient;
+        this.retainRole = retainRole;
     }
 
     public Optional<S3Client> buildClientForSite(String siteName) {
@@ -48,6 +53,15 @@ public Optional<S3Client> buildClientForSite(String siteName) {
             return Optional.empty();
         }
 
+        if (retainRole) {
+            log.info("s3.retain_role set to true. Will retain current role rather than assuming one for site");
+            InstanceProfileCredentialsProvider credentialsProvider = InstanceProfileCredentialsProvider.create();
+            S3Client client = s3ClientBuilder
+                .credentialsProvider(credentialsProvider)
+                .build();
+            return Optional.of(client);
+        }
+
         log.info("Found site, making assume role request");
         SiteAWSInfo site = sites.get(siteName);
         AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
diff --git a/uploader/src/main/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSCredentialsService.java b/uploader/src/main/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSCredentialsService.java
@@ -54,10 +54,12 @@ private AwsCredentials createUserBasedCredentials() {
         if (Strings.isBlank(key)) {
             LOG.error("No AWS key. Can't create client. Exiting");
             context.close();
+            return null;
         }
         if (Strings.isBlank(secret)) {
             LOG.error("No AWS secret. Can't create client. Exiting");
             context.close();
+            return null;
         }
         if (Strings.isBlank(token)) {
             return AwsBasicCredentials.create(key, secret);
diff --git a/uploader/src/test/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSClientBuilderTest.java b/uploader/src/test/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSClientBuilderTest.java
@@ -7,11 +7,11 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
-import org.springframework.boot.test.mock.mockito.SpyBean;
-import org.springframework.context.annotation.Profile;
 import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.util.ReflectionTestUtils;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
+import software.amazon.awssdk.auth.credentials.InstanceProfileCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.services.s3.S3Client;
 import software.amazon.awssdk.services.s3.S3ClientBuilder;
@@ -43,6 +43,19 @@ class AWSClientBuilderTest {
     @Autowired
     AWSClientBuilder subject;
 
+    @Test
+    void shouldCreateCredentialsWithoutAssumingRole() {
+        S3Client s3Client = Mockito.mock(S3Client.class);
+        Mockito.when(sites.containsKey("bch")).thenReturn(true);
+        Mockito.when(s3ClientBuilder.credentialsProvider(Mockito.any(InstanceProfileCredentialsProvider.class)))
+            .thenReturn(s3ClientBuilder);
+        Mockito.when(s3ClientBuilder.build())
+            .thenReturn(s3Client);
+        ReflectionTestUtils.setField(subject, "retainRole",  true);
+        Optional<S3Client> actual = subject.buildClientForSite("bch");
+        Assertions.assertEquals(Optional.of(s3Client), actual);
+    }
+
     @Test
     void shouldNotBuildClientIfSiteDNE() {
         Mockito.when(sites.get("Narnia"))
@@ -80,6 +93,7 @@ void shouldNotBuildClientIfRoleRequestFails() {
 
     @Test
     void shouldBuildClient() {
+        ReflectionTestUtils.setField(subject, "retainRole",  false);
         SiteAWSInfo siteAWSInfo = new SiteAWSInfo("bch", "aws:arn:420", "external", "bucket", "aws:kms:420");
         Mockito.when(sites.get("bch"))
             .thenReturn(siteAWSInfo);
diff --git a/uploader/src/test/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSCredentialsServiceTest.java b/uploader/src/test/java/edu/harvard/dbmi/avillach/dataupload/aws/AWSCredentialsServiceTest.java
@@ -5,16 +5,12 @@
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.Mockito;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.context.ConfigurableApplicationContext;
 import org.springframework.test.util.ReflectionTestUtils;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
 import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
 
-import static org.junit.jupiter.api.Assertions.*;
-
 @SpringBootTest
 class AWSCredentialsServiceTest {
 
diff --git a/uploader/src/test/java/edu/harvard/dbmi/avillach/dataupload/hpds/HPDSConnectionVerifierTest.java b/uploader/src/test/java/edu/harvard/dbmi/avillach/dataupload/hpds/HPDSConnectionVerifierTest.java
@@ -5,25 +5,22 @@
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
-import org.mockito.ArgumentMatcher;
 import org.mockito.Mockito;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.context.bean.override.mockito.MockitoBean;
 
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.UUID;
 
-import static org.junit.jupiter.api.Assertions.*;
-
 @SpringBootTest
 class HPDSConnectionVerifierTest {
 
-    @MockBean
+    @MockitoBean
     private HPDSClient client;
 
-    @MockBean
+    @MockitoBean
     private UUIDGenerator generator;
 
     private final Query query = new Query();

Original file line number	Diff line number	Diff line change
`@@ -54,10 +54,12 @@ private AwsCredentials createUserBasedCredentials() {`
`54`	`54`	`if (Strings.isBlank(key)) {`
`55`	`55`	`LOG.error("No AWS key. Can't create client. Exiting");`
`56`	`56`	`context.close();`
	`57`	`+ return null;`
`57`	`58`	`}`
`58`	`59`	`if (Strings.isBlank(secret)) {`
`59`	`60`	`LOG.error("No AWS secret. Can't create client. Exiting");`
`60`	`61`	`context.close();`
	`62`	`+ return null;`
`61`	`63`	`}`
`62`	`64`	`if (Strings.isBlank(token)) {`
`63`	`65`	`return AwsBasicCredentials.create(key, secret);`