All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.trino.hdfs.s3.S3SecurityMapping Maven / Gradle / Ivy

There is a newer version: 468
Show newest version
/*
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.trino.hdfs.s3;

import com.amazonaws.auth.BasicAWSCredentials;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import io.trino.spi.security.ConnectorIdentity;

import java.net.URI;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;

import static com.google.common.base.MoreObjects.toStringHelper;
import static com.google.common.base.Preconditions.checkArgument;
import static io.trino.hdfs.s3.TrinoS3FileSystem.extractBucketName;
import static java.util.Objects.requireNonNull;

public class S3SecurityMapping
{
    private final Predicate user;
    private final Predicate> group;
    private final Predicate prefix;
    private final Optional iamRole;
    private final Set allowedIamRoles;
    private final Optional kmsKeyId;
    private final Set allowedKmsKeyIds;
    private final Optional credentials;
    private final boolean useClusterDefault;
    private final Optional endpoint;
    private final Optional roleSessionName;
    private final Optional region;

    @JsonCreator
    public S3SecurityMapping(
            @JsonProperty("user") Optional user,
            @JsonProperty("group") Optional group,
            @JsonProperty("prefix") Optional prefix,
            @JsonProperty("iamRole") Optional iamRole,
            @JsonProperty("roleSessionName") Optional roleSessionName,
            @JsonProperty("allowedIamRoles") Optional> allowedIamRoles,
            @JsonProperty("kmsKeyId") Optional kmsKeyId,
            @JsonProperty("allowedKmsKeyIds") Optional> allowedKmsKeyIds,
            @JsonProperty("accessKey") Optional accessKey,
            @JsonProperty("secretKey") Optional secretKey,
            @JsonProperty("useClusterDefault") Optional useClusterDefault,
            @JsonProperty("endpoint") Optional endpoint,
            @JsonProperty("region") Optional region)
    {
        this.user = user
                .map(S3SecurityMapping::toPredicate)
                .orElse(x -> true);
        this.group = group
                .map(S3SecurityMapping::toPredicate)
                .map(S3SecurityMapping::anyMatch)
                .orElse(x -> true);
        this.prefix = prefix
                .map(S3SecurityMapping::prefixPredicate)
                .orElse(x -> true);

        this.iamRole = requireNonNull(iamRole, "iamRole is null");
        this.roleSessionName = requireNonNull(roleSessionName, "roleSessionName is null");
        checkArgument(!(iamRole.isEmpty() && roleSessionName.isPresent()), "iamRole must be provided when roleSessionName is provided");

        this.allowedIamRoles = ImmutableSet.copyOf(allowedIamRoles.orElse(ImmutableList.of()));

        this.kmsKeyId = requireNonNull(kmsKeyId, "kmsKeyId is null");

        this.allowedKmsKeyIds = ImmutableSet.copyOf(allowedKmsKeyIds.orElse(ImmutableList.of()));

        requireNonNull(accessKey, "accessKey is null");
        requireNonNull(secretKey, "secretKey is null");
        checkArgument(accessKey.isPresent() == secretKey.isPresent(), "accessKey and secretKey must be provided together");
        this.credentials = accessKey.map(access -> new BasicAWSCredentials(access, secretKey.get()));

        this.useClusterDefault = useClusterDefault.orElse(false);
        boolean roleOrCredentialsArePresent = !this.allowedIamRoles.isEmpty() || iamRole.isPresent() || credentials.isPresent();
        checkArgument(this.useClusterDefault ^ roleOrCredentialsArePresent, "must either allow useClusterDefault role or provide role and/or credentials");

        checkArgument(!(this.useClusterDefault && this.kmsKeyId.isPresent()), "KMS key ID cannot be provided together with useClusterDefault");

        this.endpoint = requireNonNull(endpoint, "endpoint is null");
        this.region = requireNonNull(region, "region is null");
    }

    public boolean matches(ConnectorIdentity identity, URI uri)
    {
        return user.test(identity.getUser())
                && group.test(identity.getGroups())
                && prefix.test(uri);
    }

    public Optional getIamRole()
    {
        return iamRole;
    }

    public Set getAllowedIamRoles()
    {
        return allowedIamRoles;
    }

    public Optional getKmsKeyId()
    {
        return kmsKeyId;
    }

    public Set getAllowedKmsKeyIds()
    {
        return allowedKmsKeyIds;
    }

    public Optional getCredentials()
    {
        return credentials;
    }

    public boolean isUseClusterDefault()
    {
        return useClusterDefault;
    }

    public Optional getEndpoint()
    {
        return endpoint;
    }

    public Optional getRegion()
    {
        return region;
    }

    public Optional getRoleSessionName()
    {
        return roleSessionName;
    }

    @Override
    public String toString()
    {
        return toStringHelper(this)
                .add("user", user)
                .add("group", group)
                .add("prefix", prefix)
                .add("iamRole", iamRole)
                .add("roleSessionName", roleSessionName.orElse(null))
                .add("allowedIamRoles", allowedIamRoles)
                .add("kmsKeyId", kmsKeyId)
                .add("allowedKmsKeyIds", allowedKmsKeyIds)
                .add("credentials", credentials)
                .add("useClusterDefault", useClusterDefault)
                .add("endpoint", endpoint.orElse(null))
                .add("region", region.orElse(null))
                .toString();
    }

    private static Predicate prefixPredicate(URI prefix)
    {
        checkArgument("s3".equals(prefix.getScheme()), "prefix URI scheme is not 's3': %s", prefix);
        checkArgument(prefix.getQuery() == null, "prefix URI must not contain query: %s", prefix);
        checkArgument(prefix.getFragment() == null, "prefix URI must not contain fragment: %s", prefix);
        return value -> extractBucketName(prefix).equals(extractBucketName(value)) &&
                value.getPath().startsWith(prefix.getPath());
    }

    private static Predicate toPredicate(Pattern pattern)
    {
        return value -> pattern.matcher(value).matches();
    }

    private static  Predicate> anyMatch(Predicate predicate)
    {
        return values -> values.stream().anyMatch(predicate);
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy