Re: [PR] HDDS-14150. [STS] Connect STS Endpoint to Backend Processing [ozone]

Fri, 23 Jan 2026 02:27:26 -0800 


ChenSammi commented on code in PR #9654:
URL: https://github.com/apache/ozone/pull/9654#discussion_r2720625098


##########
hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3sts/S3STSEndpoint.java:
##########
@@ -222,78 +246,75 @@ private boolean isValidRoleSessionName(String 
roleSessionName) {
     return roleSessionName.matches("[a-zA-Z0-9+=,.@\\-]+");
   }
 
-  // TODO: replace mock implementation with actual logic to generate new 
credentials
-  private String generateAssumeRoleResponse(String roleArn, String 
roleSessionName, int duration) {
-    // Generate realistic-looking temporary credentials
-    String accessKeyId = "ASIA" + generateRandomAlphanumeric(16); // AWS temp 
keys start with ASIA
-    String secretAccessKey = generateRandomBase64(40);
-    String sessionToken = generateSessionToken();
-    String expiration = getExpirationTime(duration);
-
-    // Generate AssumedRoleId (format: AROLEID:RoleSessionName)
-    String roleId = "AROA" + generateRandomAlphanumeric(16);
-    String assumedRoleId = roleId + ":" + roleSessionName;
-
-    String requestId = UUID.randomUUID().toString();
-
-    return String.format(
-        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>%n" +
-            "<AssumeRoleResponse 
xmlns=\"https://sts.amazonaws.com/doc/2011-06-15/\";>%n" +
-            "  <AssumeRoleResult>%n" +
-            "    <Credentials>%n" +
-            "      <AccessKeyId>%s</AccessKeyId>%n" +
-            "      <SecretAccessKey>%s</SecretAccessKey>%n" +
-            "      <SessionToken>%s</SessionToken>%n" +
-            "      <Expiration>%s</Expiration>%n" +
-            "    </Credentials>%n" +
-            "    <AssumedRoleUser>%n" +
-            "      <AssumedRoleId>%s</AssumedRoleId>%n" +
-            "      <Arn>%s</Arn>%n" +
-            "    </AssumedRoleUser>%n" +
-            "  </AssumeRoleResult>%n" +
-            "  <ResponseMetadata>%n" +
-            "    <RequestId>%s</RequestId>%n" +
-            "  </ResponseMetadata>%n" +
-            "</AssumeRoleResponse>",
-        accessKeyId, secretAccessKey, sessionToken, expiration,
-        assumedRoleId, roleArn, requestId);
-  }
+  private String generateAssumeRoleResponse(String assumedRoleUserArn, 
AssumeRoleResponseInfo responseInfo)
+      throws IOException {
+    final String accessKeyId = responseInfo.getAccessKeyId();
+    final String secretAccessKey = responseInfo.getSecretAccessKey();
+    final String sessionToken = responseInfo.getSessionToken();
+    final String assumedRoleId = responseInfo.getAssumedRoleId();
+
+    final String expiration = DateTimeFormatter.ISO_INSTANT.format(
+        
Instant.ofEpochSecond(responseInfo.getExpirationEpochSeconds()).atOffset(ZoneOffset.UTC).toInstant());
 
-  // TODO: this method should be removed once actual credential response from 
OM is implemented and used in the endpoint
-  private String generateRandomAlphanumeric(int length) {
-    String chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-    StringBuilder sb = new StringBuilder();
-    Random random = new Random();
-    for (int i = 0; i < length; i++) {
-      sb.append(chars.charAt(random.nextInt(chars.length())));
+    final String requestId = UUID.randomUUID().toString();
+
+    try {
+      final S3AssumeRoleResponseXml response = new S3AssumeRoleResponseXml();
+      final S3AssumeRoleResponseXml.AssumeRoleResult result = new 
S3AssumeRoleResponseXml.AssumeRoleResult();
+      final S3AssumeRoleResponseXml.Credentials credentials = new 
S3AssumeRoleResponseXml.Credentials();
+      credentials.setAccessKeyId(accessKeyId);
+      credentials.setSecretAccessKey(secretAccessKey);
+      credentials.setSessionToken(sessionToken);
+      credentials.setExpiration(expiration);
+      result.setCredentials(credentials);
+      final S3AssumeRoleResponseXml.AssumedRoleUser user = new 
S3AssumeRoleResponseXml.AssumedRoleUser();
+      user.setAssumedRoleId(assumedRoleId);
+      user.setArn(assumedRoleUserArn);
+      result.setAssumedRoleUser(user);
+      response.setAssumeRoleResult(result);
+      final S3AssumeRoleResponseXml.ResponseMetadata meta = new 
S3AssumeRoleResponseXml.ResponseMetadata();
+      meta.setRequestId(requestId);
+      response.setResponseMetadata(meta);
+
+      final JAXBContext jaxbContext = 
JAXBContext.newInstance(S3AssumeRoleResponseXml.class);
+      final Marshaller marshaller = jaxbContext.createMarshaller();
+      marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
+      final StringWriter stringWriter = new StringWriter();
+      marshaller.marshal(response, stringWriter);
+      return stringWriter.toString();
+    } catch (JAXBException e) {
+      throw new IOException("Failed to marshal AssumeRole response", e);
     }
-    return sb.toString();
   }
 
-  // TODO: this method should be removed once actual credential response from 
OM is implemented and used in the endpoint
-  private String generateRandomBase64(int length) {
-    String chars = 
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-    StringBuilder sb = new StringBuilder();
-    Random random = new Random();
-    for (int i = 0; i < length; i++) {
-      sb.append(chars.charAt((random.nextInt(chars.length()))));
+  private String toAssumedRoleUserArn(String roleArn, String roleSessionName) {
+    // RoleArn format: arn:aws:iam::<account-id>:role/<role-name>
+    // Assumed role user arn format: 
arn:aws:sts::<account-id>:assumed-role/<role-name>/<role-session-name>
+    // TODO - refactor and reuse AwsRoleArnValidator for validation in future 
PR
+    final String errMsg = "Invalid RoleArn: must be in the format 
arn:aws:iam::<account-id>:role/<role-name>";
+    final String[] parts = roleArn.split(":", 6);
+    if (parts.length != 6 || !"arn".equals(parts[0]) || parts[1].isEmpty() || 
!"iam".equals(parts[2])) {
+      throw new IllegalArgumentException(errMsg);
     }
-    return sb.toString();
-  }
 
-  // TODO: this method should be removed once actual credential response from 
OM is implemented and used in the endpoint
-  private String generateSessionToken() {
-    byte[] tokenBytes = new byte[128];
-    Random random = new Random();
-    for (int i = 0; i < tokenBytes.length; i++) {
-      tokenBytes[i] = (byte) random.nextInt(256);
+    final String partition = parts[1];
+    final String accountId = parts[4];
+    final String resource = parts[5]; // role/<name>
+
+    if (accountId == null || accountId.isEmpty() || resource == null || 
!resource.startsWith("role/") ||

Review Comment:
   You can leverage Strings.isNullOrEmpty() for string null and empty check.  
Strings.isNullOrEmpty is wildly used in Ozone.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to