reset provider creds on every invocation #401

Open
wants to merge 4 commits into
base: master
Changes from 3 commits
Expand Up @@ -150,7 +150,15 @@ public AbstractWrapper(final CredentialsProvider providerCredentialsProvider,
// sync.
// Both are required parameters when LoggingConfig (optional) is provided when
// 'RegisterType'.
if (providerCredentials != null) {
if (providerCredentials == null) {
// reset provider credentials back to null to avoid reusing stale credentials
if (this.providerCredentialsProvider != null) {
this.providerCredentialsProvider.resetCredentials();
}
this.providerMetricsPublisher = null;
this.providerEventsLogger = null;
this.cloudWatchLogHelper = null;
} else {

Contributor

Why null check providerCredentials and providerCredentialsProvider before resetting the credentials? Can't we do it for every request? The next section will set it if credentials are provided anyway.

Contributor Author

because it does get refreshed when creds are non-null

Contributor

Actually that null check on providerCredentialsProvider seemed unnecessary to me. It's a final variable and instantiated in the constructor, but it was already there and I was just afraid to remove it and potentially cause an NPE for something I couldn't see.

Contributor

Ok. What exactly are providerCredentials and providerCredentialsProvider? Do the credentials not need to be reset if both providerCredentials and providerCredentialsProvider are null?

Contributor

providerCredentials come directly from the request sent in by CloudFormation (or Cloud Control API). So if the credentials passed by CFN are null, then we want to reset everything.

ProviderCredentialsProvider is just a wrapper class which holds a reference to a credentials object. Like I said, I don't think it's possible to be null, but if it was then it wouldn't hold any credentials anyway, which is what we want in this case. And even then, we still reset the other related objects: metricsPublisher, eventsLogger, and cloudWatchLogHelper.

if (this.providerCredentialsProvider != null) {
this.providerCredentialsProvider.setCredentials(providerCredentials);
}
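
Review bot: The inline comment in the `providerCredentials == null` branch mentions only the credentials, but the branch also sets `providerMetricsPublisher`, `providerEventsLogger` and `cloudWatchLogHelper` to null. Say in the comment that all provider-scoped objects are cleared, and make sure code that runs later in the invocation tolerates these three fields being null. The guard `if (this.providerCredentialsProvider != null)` now appears in both branches; if the field can never be null, as the thread above suggests, one check in the constructor would replace both guards. A test that invokes the wrapper once with credentials and then once without, asserting that nothing from the first call is still reachable, would pin the behaviour down.
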
Expand Up @@ -56,8 +56,8 @@ public void handleRequest(final InputStream inputStream, final OutputStream outp
TerminalException {
if (platformLogPublisher == null) {
platformLogPublisher = new LambdaLogPublisher(context.getLogger());
this.platformLoggerProxy.addLogPublisher(platformLogPublisher);
}
this.platformLoggerProxy.addLogPublisher(platformLogPublisher);
ammokhov marked this conversation as resolved.
processRequest(inputStream, outputStream);
outputStream.close();
}
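
Review bot: `this.platformLoggerProxy.addLogPublisher(platformLogPublisher)` appears both inside the `platformLogPublisher == null` guard and directly after it, and the two placements behave differently on a reused instance: inside the guard the publisher is registered once, after it the call runs on every `handleRequest`. Unless `addLogPublisher` ignores duplicates, the second placement adds the same publisher again on each invocation. Add a short comment stating which behaviour is intended, and a test that calls `handleRequest` twice on one wrapper and checks how many publishers the proxy holds.
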
Expand Up @@ -30,4 +30,9 @@ public interface CredentialsProvider {
* @param credentials, incoming credentials for the call that is being made
*/
void setCredentials(Credentials credentials);

/**
* set credentials back to null to avoid reusing stale creds
*/
void resetCredentials();
}
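
Review bot: The Javadoc for `resetCredentials()` does not state the contract that implementers and callers need: what the provider returns after a reset, and that `setCredentials` may be called again afterwards. Spell that out, for example "after this call the provider holds no credentials until setCredentials is invoked again". Also note that a new abstract method on a public interface breaks any implementation outside this repository at compile time; if that is acceptable, call it out in the release notes rather than adding a no-op default, which would leave stale credentials in place for implementations that never override it.
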
Expand Up @@ -29,4 +29,9 @@ public void setCredentials(final Credentials credentials) {
this.awsSessionCredentials = AwsSessionCredentials.create(credentials.getAccessKeyId(), credentials.getSecretAccessKey(),
credentials.getSessionToken());
}

@Override
public void resetCredentials() {
this.awsSessionCredentials = null;
}
}
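
Review bot: `resetCredentials()` sets `awsSessionCredentials` to null, so any accessor that returns this field hands back null after a reset; confirm the callers handle that, or have the accessor fail with a clear message when no credentials are set. `setCredentials` in the context lines dereferences `credentials` without a null check, which is why callers must use the new method instead of `setCredentials(null)`; a one-line Javadoc saying so would help. Please add a unit test that calls `setCredentials`, then `resetCredentials`, and asserts that nothing from the first call is returned.
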
Expand Up @@ -174,6 +174,11 @@ public AwsSessionCredentials get() {
public void setCredentials(Credentials credentials) {

}

@Override
public void resetCredentials() {

}
};
}
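
Review bot: The empty `resetCredentials()` override in this anonymous `CredentialsProvider` cannot show whether the wrapper ever calls it, so nothing using this stub exercises the new reset path. Record the call (a counter or flag in the stub, or a mock that is verified) and assert on it for an invocation without credentials. If the no-op is intentional, put a `// no-op` comment in the body, here and in the empty `setCredentials` above it.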
