S3 repo plugin populate SettingsFilter (elastic#30652)

albertzaharovits · ywelsch · commit 0ec1e97a1132 · 2018-05-23T09:48:55.000+02:00
The accessKey and secretKey repo settings (in the cluster state)
of the s3 client are registered and will populate the SettingsFilter.
diff --git a/plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3RepositoryPlugin.java b/plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3RepositoryPlugin.java
@@ -90,6 +90,8 @@ public List<Setting<?>> getSettings() {
             S3ClientSettings.PROXY_PASSWORD_SETTING,
             S3ClientSettings.READ_TIMEOUT_SETTING,
             S3ClientSettings.MAX_RETRIES_SETTING,
-            S3ClientSettings.USE_THROTTLE_RETRIES_SETTING);
+            S3ClientSettings.USE_THROTTLE_RETRIES_SETTING,
+            S3Repository.ACCESS_KEY_SETTING,
+            S3Repository.SECRET_KEY_SETTING);
     }
 }
diff --git a/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java b/plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java
@@ -21,14 +21,23 @@
 import com.amazonaws.services.s3.AmazonS3;
 import com.amazonaws.services.s3.model.CannedAccessControlList;
 import com.amazonaws.services.s3.model.StorageClass;
+
+import org.elasticsearch.client.node.NodeClient;
 import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.settings.SettingsFilter;
 import org.elasticsearch.common.unit.ByteSizeUnit;
 import org.elasticsearch.common.unit.ByteSizeValue;
 import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.env.Environment;
 import org.elasticsearch.plugins.Plugin;
 import org.elasticsearch.repositories.Repository;
 import org.elasticsearch.repositories.blobstore.ESBlobStoreRepositoryIntegTestCase;
+import org.elasticsearch.rest.AbstractRestChannel;
+import org.elasticsearch.rest.RestController;
+import org.elasticsearch.rest.RestRequest;
+import org.elasticsearch.rest.RestResponse;
+import org.elasticsearch.rest.action.admin.cluster.RestGetRepositoriesAction;
+import org.elasticsearch.test.rest.FakeRestRequest;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 
@@ -38,9 +47,14 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
+import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.atomic.AtomicReference;
 
 import static java.util.Collections.emptyMap;
 import static org.elasticsearch.test.hamcrest.ElasticsearchAssertions.assertAcked;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.not;
+import static org.mockito.Mockito.mock;
 
 public class S3BlobStoreRepositoryTests extends ESBlobStoreRepositoryIntegTestCase {
 
@@ -81,7 +95,9 @@ protected void createTestRepository(final String name) {
                 .put(S3Repository.BUFFER_SIZE_SETTING.getKey(), bufferSize)
                 .put(S3Repository.SERVER_SIDE_ENCRYPTION_SETTING.getKey(), serverSideEncryption)
                 .put(S3Repository.CANNED_ACL_SETTING.getKey(), cannedACL)
-                .put(S3Repository.STORAGE_CLASS_SETTING.getKey(), storageClass)));
+                .put(S3Repository.STORAGE_CLASS_SETTING.getKey(), storageClass)
+                .put(S3Repository.ACCESS_KEY_SETTING.getKey(), "not_used_but_this_is_a_secret")
+                .put(S3Repository.SECRET_KEY_SETTING.getKey(), "not_used_but_this_is_a_secret")));
     }
 
     @Override
@@ -106,4 +122,32 @@ public synchronized AmazonS3 client(final Settings repositorySettings) {
                 }));
         }
     }
+
+    public void testInsecureRepositoryCredentials() throws Exception {
+        final String repositoryName = "testInsecureRepositoryCredentials";
+        createTestRepository(repositoryName);
+        final NodeClient nodeClient = internalCluster().getInstance(NodeClient.class);
+        final RestGetRepositoriesAction getRepoAction = new RestGetRepositoriesAction(Settings.EMPTY, mock(RestController.class),
+                internalCluster().getInstance(SettingsFilter.class));
+        final RestRequest getRepoRequest = new FakeRestRequest();
+        getRepoRequest.params().put("repository", repositoryName);
+        final CountDownLatch getRepoLatch = new CountDownLatch(1);
+        final AtomicReference<AssertionError> getRepoError = new AtomicReference<>();
+        getRepoAction.handleRequest(getRepoRequest, new AbstractRestChannel(getRepoRequest, true) {
+            @Override
+            public void sendResponse(RestResponse response) {
+                try {
+                    assertThat(response.content().utf8ToString(), not(containsString("not_used_but_this_is_a_secret")));
+                } catch (final AssertionError ex) {
+                    getRepoError.set(ex);
+                }
+                getRepoLatch.countDown();
+            }
+        }, nodeClient);
+        getRepoLatch.await();
+        if (getRepoError.get() != null) {
+            throw getRepoError.get();
+        }
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -90,6 +90,8 @@ public List<Setting<?>> getSettings() {`
`90`	`90`	`S3ClientSettings.PROXY_PASSWORD_SETTING,`
`91`	`91`	`S3ClientSettings.READ_TIMEOUT_SETTING,`
`92`	`92`	`S3ClientSettings.MAX_RETRIES_SETTING,`
`93`		`- S3ClientSettings.USE_THROTTLE_RETRIES_SETTING);`
	`93`	`+ S3ClientSettings.USE_THROTTLE_RETRIES_SETTING,`
	`94`	`+ S3Repository.ACCESS_KEY_SETTING,`
	`95`	`+ S3Repository.SECRET_KEY_SETTING);`
`94`	`96`	`}`
`95`	`97`	`}`