Merge pull request #692 from aws/finks/westeros-final

Adding support for S3 Access Points

Author: spfink

bom/pom.xml

@@ -44,6 +44,11 @@
                 <artifactId>annotations</artifactId>
                 <version>${awsjavasdk.version}</version>
             </dependency>
+            <dependency>
+                <groupId>software.amazon.awssdk</groupId>
+                <artifactId>arns</artifactId>
+                <version>${awsjavasdk.version}</version>
+            </dependency>
             <dependency>
                 <groupId>software.amazon.awssdk</groupId>
                 <artifactId>auth</artifactId>

core/aws-core/src/main/java/software/amazon/awssdk/awscore/client/handler/AwsClientHandlerUtils.java

@@ -81,7 +81,9 @@ static <InputT extends SdkRequest, OutputT extends SdkResponse> ExecutionContext
             .putAttribute(SdkInternalExecutionAttribute.IS_FULL_DUPLEX, executionParams.isFullDuplex())
             .putAttribute(SdkExecutionAttribute.CLIENT_TYPE, clientConfig.option(SdkClientOption.CLIENT_TYPE))
             .putAttribute(SdkExecutionAttribute.SERVICE_NAME, clientConfig.option(SdkClientOption.SERVICE_NAME))
-            .putAttribute(SdkExecutionAttribute.OPERATION_NAME, executionParams.getOperationName());
+            .putAttribute(SdkExecutionAttribute.OPERATION_NAME, executionParams.getOperationName())
+            .putAttribute(SdkExecutionAttribute.ENDPOINT_OVERRIDDEN,
+                          clientConfig.option(SdkClientOption.ENDPOINT_OVERRIDDEN));
 
         ExecutionInterceptorChain executionInterceptorChain =
                 new ExecutionInterceptorChain(clientConfig.option(SdkClientOption.EXECUTION_INTERCEPTORS));

core/pom.xml

@@ -34,13 +34,13 @@
 
     <modules>
         <module>annotations</module>
+        <module>arns</module>
         <module>auth</module>
         <module>sdk-core</module>
         <module>aws-core</module>
         <module>profiles</module>
         <module>regions</module>
         <module>protocols</module>
-        <module>arns</module>
     </modules>
 
     <dependencyManagement>

core/regions/src/main/java/software/amazon/awssdk/regions/PartitionMetadata.java

@@ -71,4 +71,15 @@ public interface PartitionMetadata {
     static PartitionMetadata of(String partition) {
         return MetadataLoader.partitionMetadata(partition);
     }
+
+    /**
+     * Retrieves the partition metadata for a given region.
+     *
+     * @param region The region to get the partition metadata for.
+     *
+     * @return {@link PartitionMetadata} for the given region.
+     */
+    static PartitionMetadata of(Region region) {
+        return MetadataLoader.partitionMetadata(region);
+    }
 }

core/sdk-core/src/main/java/software/amazon/awssdk/core/SdkSystemSetting.java

@@ -149,9 +149,7 @@ public enum SdkSystemSetting implements SystemSetting {
      * the SDK to use the {@code s3.us-east-1.amazonaws.com} endpoint when using the {@code US_EAST_1} region instead of
      * the global {@code s3.amazonaws.com}. Using the regional endpoint is disabled by default.
      */
-    AWS_S3_US_EAST_1_REGIONAL_ENDPOINT(null, null)
-
-    ;
+    AWS_S3_US_EAST_1_REGIONAL_ENDPOINT(null, null);
 
     private final String systemProperty;
     private final String defaultValue;

core/sdk-core/src/main/java/software/amazon/awssdk/core/client/builder/SdkDefaultClientBuilder.java

@@ -195,8 +195,8 @@ private SdkClientConfiguration mergeGlobalDefaults(SdkClientConfiguration config
     }
 
     /**
-     * Optionally overidden by child implementations to derive implementation-specific configuration from the default-applied
-     * configuration. (eg. AWS's endpoint, derived from the region).
+     * Optionally overridden by child implementations to derive implementation-specific configuration from the
+     * default-applied configuration. (eg. AWS's endpoint, derived from the region).
      */
     protected SdkClientConfiguration finalizeChildConfiguration(SdkClientConfiguration configuration) {
         return configuration;
@@ -309,6 +309,7 @@ public final B endpointOverride(URI endpointOverride) {
         Validate.paramNotNull(endpointOverride, "endpointOverride");
         Validate.paramNotNull(endpointOverride.getScheme(), "The URI scheme of endpointOverride");
         clientConfiguration.option(SdkClientOption.ENDPOINT, endpointOverride);
+        clientConfiguration.option(SdkClientOption.ENDPOINT_OVERRIDDEN, true);
         return thisBuilder();
     }
 

core/sdk-core/src/main/java/software/amazon/awssdk/core/client/config/SdkClientOption.java

@@ -23,7 +23,6 @@
 import software.amazon.awssdk.annotations.SdkProtectedApi;
 import software.amazon.awssdk.core.ClientType;
 import software.amazon.awssdk.core.ServiceConfiguration;
-import software.amazon.awssdk.core.client.builder.SdkClientBuilder;
 import software.amazon.awssdk.core.interceptor.ExecutionInterceptor;
 import software.amazon.awssdk.core.retry.RetryPolicy;
 import software.amazon.awssdk.http.SdkHttpClient;
@@ -52,10 +51,17 @@ public final class SdkClientOption<T> extends ClientOption<T> {
             new SdkClientOption<>(new UnsafeValueType(List.class));
 
     /**
-     * @see SdkClientBuilder#endpointOverride(URI)
+     * The effective endpoint the client is configured to make requests to. If the client has been configured with
+     * an endpoint override then this value will be the provided endpoint value.
      */
     public static final SdkClientOption<URI> ENDPOINT = new SdkClientOption<>(URI.class);
 
+    /**
+     * A flag that when set to true indicates the endpoint stored in {@link SdkClientOption#ENDPOINT} was a customer
+     * supplied value and not generated by the client based on Region metadata.
+     */
+    public static final SdkClientOption<Boolean> ENDPOINT_OVERRIDDEN = new SdkClientOption<>(Boolean.class);
+
     /**
      * Service-specific configuration used by some services, like S3.
      */

core/sdk-core/src/main/java/software/amazon/awssdk/core/interceptor/SdkExecutionAttribute.java

@@ -45,6 +45,12 @@ public class SdkExecutionAttribute {
     public static final ExecutionAttribute<ClientType> CLIENT_TYPE = new ExecutionAttribute<>("ClientType");
 
     public static final ExecutionAttribute<String> OPERATION_NAME = new ExecutionAttribute<>("OperationName");
+
+    /**
+     * If true indicates that the configured endpoint of the client is a value that was supplied as an override and not
+     * generated from regional metadata.
+     */
+    public static final ExecutionAttribute<Boolean> ENDPOINT_OVERRIDDEN = new ExecutionAttribute<>("EndpointOverride");
 
     protected SdkExecutionAttribute() {
     }

services/ec2/src/main/java/software/amazon/awssdk/services/ec2/transform/internal/GeneratePreSignUrlInterceptor.java

@@ -45,11 +45,13 @@
 @SdkInternalApi
 public final class GeneratePreSignUrlInterceptor implements ExecutionInterceptor {
 
+    private static final URI CUSTOM_ENDPOINT_LOCALHOST = URI.create("http://localhost");
+
     private static final AwsEc2ProtocolFactory PROTOCOL_FACTORY = AwsEc2ProtocolFactory
         .builder()
         // Need an endpoint to marshall but this will be overwritten in modifyHttpRequest
         .clientConfiguration(SdkClientConfiguration.builder()
-                                                   .option(SdkClientOption.ENDPOINT, URI.create("http://localhost"))
+                                                   .option(SdkClientOption.ENDPOINT, CUSTOM_ENDPOINT_LOCALHOST)
                                                    .build())
         .build();
 

services/rds/src/main/java/software/amazon/awssdk/services/rds/internal/RdsPresignInterceptor.java

@@ -48,11 +48,13 @@
 @SdkInternalApi
 public abstract class RdsPresignInterceptor<T extends RdsRequest> implements ExecutionInterceptor {
 
+    private static final URI CUSTOM_ENDPOINT_LOCALHOST = URI.create("http://localhost");
+
     protected static final AwsQueryProtocolFactory PROTOCOL_FACTORY = AwsQueryProtocolFactory
         .builder()
         // Need an endpoint to marshall but this will be overwritten in modifyHttpRequest
         .clientConfiguration(SdkClientConfiguration.builder()
-                                                   .option(SdkClientOption.ENDPOINT, URI.create("http://localhost"))
+                                                   .option(SdkClientOption.ENDPOINT, CUSTOM_ENDPOINT_LOCALHOST)
                                                    .build())
         .build();
 

services/s3/pom.xml

@@ -56,6 +56,16 @@
             <artifactId>protocol-core</artifactId>
             <version>${awsjavasdk.version}</version>
         </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>arns</artifactId>
+            <version>${awsjavasdk.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>software.amazon.awssdk</groupId>
+            <artifactId>profiles</artifactId>
+            <version>${awsjavasdk.version}</version>
+        </dependency>
         <!-- Test Dependencies -->
         <dependency>
             <artifactId>commons-io</artifactId>
@@ -80,6 +90,12 @@
             <version>${awsjavasdk.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <artifactId>s3control</artifactId>
+            <groupId>software.amazon.awssdk</groupId>
+            <version>${awsjavasdk.version}</version>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>

services/s3/src/it/java/software/amazon/awssdk/services/s3/AccessPointsIntegrationTest.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2010-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ *
+ *  http://aws.amazon.com/apache2.0
+ *
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+package software.amazon.awssdk.services.s3;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static software.amazon.awssdk.testutils.service.S3BucketUtils.temporaryBucketName;
+
+import java.util.StringJoiner;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import software.amazon.awssdk.core.sync.RequestBody;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.s3.model.GetObjectRequest;
+import software.amazon.awssdk.services.s3.model.PutObjectRequest;
+import software.amazon.awssdk.services.s3control.S3ControlClient;
+import software.amazon.awssdk.services.s3control.model.S3ControlException;
+import software.amazon.awssdk.services.sts.StsClient;
+
+public class AccessPointsIntegrationTest extends S3IntegrationTestBase {
+
+    private static final String BUCKET = temporaryBucketName(AclIntegrationTest.class);
+
+    private static final String AP_NAME = "java-sdk";
+
+    private static final String KEY = "some-key";
+
+    private static S3ControlClient s3control;
+
+    private static StsClient sts;
+
+    private static String accountId;
+
+    @BeforeClass
+    public static void setupFixture() {
+        createBucket(BUCKET);
+
+        s3control = S3ControlClient.builder()
+                                   .region(Region.US_WEST_2)
+                                   .credentialsProvider(CREDENTIALS_PROVIDER_CHAIN)
+                                   .build();
+
+        sts = StsClient.builder()
+                       .region(Region.US_WEST_2)
+                       .credentialsProvider(CREDENTIALS_PROVIDER_CHAIN)
+                       .build();
+
+        accountId = sts.getCallerIdentity().account();
+
+        try {
+            s3control.createAccessPoint(r -> r.accountId(accountId)
+                                              .bucket(BUCKET)
+                                              .name(AP_NAME));
+        } catch (S3ControlException e) {
+            // Do nothing as the access point is already created
+        }
+    }
+
+    @Test
+    public void transfer_Succeeds_UsingAccessPoint() {
+        StringJoiner apArn = new StringJoiner(":");
+        apArn.add("arn").add("aws").add("s3").add("us-west-2").add(accountId).add("accesspoint").add(AP_NAME);
+
+        s3.putObject(PutObjectRequest.builder()
+                                     .bucket(apArn.toString())
+                                     .key(KEY)
+                                     .build(), RequestBody.fromString("helloworld"));
+
+        String objectContent = s3.getObjectAsBytes(GetObjectRequest.builder()
+                                                                   .bucket(apArn.toString())
+                                                                   .key(KEY)
+                                                                   .build()).asUtf8String();
+
+        assertThat(objectContent).isEqualTo("helloworld");
+    }
+}

services/s3/src/main/java/software/amazon/awssdk/services/s3/S3Configuration.java

@@ -20,6 +20,7 @@
 import software.amazon.awssdk.annotations.SdkPublicApi;
 import software.amazon.awssdk.annotations.ThreadSafe;
 import software.amazon.awssdk.core.ServiceConfiguration;
+import software.amazon.awssdk.services.s3.internal.usearnregion.UseArnRegionProviderChain;
 import software.amazon.awssdk.services.s3.model.PutBucketAccelerateConfigurationRequest;
 import software.amazon.awssdk.utils.builder.CopyableBuilder;
 import software.amazon.awssdk.utils.builder.ToCopyableBuilder;
@@ -28,6 +29,8 @@
 @Immutable
 @ThreadSafe
 public final class S3Configuration implements ServiceConfiguration, ToCopyableBuilder<S3Configuration.Builder, S3Configuration> {
+    private static final UseArnRegionProviderChain USE_ARN_REGION_PROVIDER_CHAIN = UseArnRegionProviderChain.create();
+
     /**
      * The default setting for use of path style addressing.
      */
@@ -60,6 +63,7 @@ public final class S3Configuration implements ServiceConfiguration, ToCopyableBu
     private final boolean dualstackEnabled;
     private final boolean checksumValidationEnabled;
     private final boolean chunkedEncodingEnabled;
+    private final boolean useArnRegionEnabled;
 
     private S3Configuration(DefaultS3ServiceConfigurationBuilder builder) {
         this.dualstackEnabled = resolveBoolean(builder.dualstackEnabled, DEFAULT_DUALSTACK_ENABLED);
@@ -70,6 +74,8 @@ private S3Configuration(DefaultS3ServiceConfigurationBuilder builder) {
             throw new IllegalArgumentException("Accelerate mode cannot be used with path style addressing");
         }
         this.chunkedEncodingEnabled = resolveBoolean(builder.chunkedEncodingEnabled, DEFAULT_CHUNKED_ENCODING_ENABLED);
+        this.useArnRegionEnabled = Boolean.TRUE.equals(builder.useArnRegionEnabled) ? builder.useArnRegionEnabled :
+            resolveUseArnRegionEnabled();
     }
 
     /**
@@ -153,16 +159,31 @@ public boolean chunkedEncodingEnabled() {
         return chunkedEncodingEnabled;
     }
 
+    /**
+     * Returns whether the client is allowed to make cross-region calls when an S3 Access Point ARN has a different
+     * region to the one configured on the client.
+     * <p>
+     * @return True if a different region in the ARN can be used.
+     */
+    public boolean useArnRegionEnabled() {
+        return useArnRegionEnabled;
+    }
+
     private boolean resolveBoolean(Boolean customerSuppliedValue, boolean defaultValue) {
         return customerSuppliedValue == null ? defaultValue : customerSuppliedValue;
     }
 
+    private boolean resolveUseArnRegionEnabled() {
+        return USE_ARN_REGION_PROVIDER_CHAIN.resolveUseArnRegion().orElse(false);
+    }
+
     @Override
     public Builder toBuilder() {
         return builder()
                 .dualstackEnabled(dualstackEnabled)
                 .accelerateModeEnabled(accelerateModeEnabled)
-                .pathStyleAccessEnabled(pathStyleAccessEnabled);
+                .pathStyleAccessEnabled(pathStyleAccessEnabled)
+                .useArnRegionEnabled(useArnRegionEnabled);
     }
 
     @NotThreadSafe
@@ -226,6 +247,15 @@ public interface Builder extends CopyableBuilder<Builder, S3Configuration> { //
          * @see S3Configuration#chunkedEncodingEnabled()
          */
         Builder chunkedEncodingEnabled(Boolean chunkedEncodingEnabled);
+
+        /**
+         * If an S3 resource ARN is passed in as the target of an S3 operation that has a different region to the one
+         * the client was configured with, this flag must be set to 'true' to permit the client to make a
+         * cross-region call to the region specified in the ARN otherwise an exception will be thrown.
+         *
+         * @see S3Configuration#useArnRegionEnabled()
+         */
+        Builder useArnRegionEnabled(Boolean useArnRegionEnabled);
     }
 
     private static final class DefaultS3ServiceConfigurationBuilder implements Builder {
@@ -235,6 +265,7 @@ private static final class DefaultS3ServiceConfigurationBuilder implements Build
         private Boolean pathStyleAccessEnabled;
         private Boolean checksumValidationEnabled;
         private Boolean chunkedEncodingEnabled;
+        private Boolean useArnRegionEnabled;
 
         public Builder dualstackEnabled(Boolean dualstackEnabled) {
             this.dualstackEnabled = dualstackEnabled;
@@ -281,6 +312,15 @@ public void setChunkedEncodingEnabled(Boolean chunkedEncodingEnabled) {
             chunkedEncodingEnabled(chunkedEncodingEnabled);
         }
 
+        public Builder useArnRegionEnabled(Boolean useArnRegionEnabled) {
+            this.useArnRegionEnabled = useArnRegionEnabled;
+            return this;
+        }
+
+        public void setUseArnRegionEnabled(Boolean useArnRegionEnabled) {
+            useArnRegionEnabled(useArnRegionEnabled);
+        }
+
         public S3Configuration build() {
             return new S3Configuration(this);
         }