[GitHub] [nifi] turcsanyip commented on a diff in pull request #6777: NIFI-10969: Created extension point for Signer Override in AWS S3 pro…

GitBox Wed, 14 Dec 2022 13:56:25 -0800


turcsanyip commented on code in PR #6777:
URL: https://github.com/apache/nifi/pull/6777#discussion_r1049009041



##########
nifi-nar-bundles/nifi-aws-bundle/nifi-aws-processors/src/main/java/org/apache/nifi/processors/aws/credentials/provider/factory/strategies/AssumeRoleCredentialsStrategy.java:
##########
@@ -95,50 +100,29 @@ public boolean proxyVariablesValidForAssumeRole(final 
Map<PropertyDescriptor, St
     @Override
     public Collection<ValidationResult> validate(final ValidationContext 
validationContext,
                                                  final CredentialsStrategy 
primaryStrategy) {
-        final boolean assumeRoleArnIsSet = 
validationContext.getProperty(ASSUME_ROLE_ARN).isSet();
-        final boolean assumeRoleNameIsSet = 
validationContext.getProperty(ASSUME_ROLE_NAME).isSet();
-        final Integer maxSessionTime = 
validationContext.getProperty(MAX_SESSION_TIME).asInteger();
-        final boolean assumeRoleExternalIdIsSet = 
validationContext.getProperty(ASSUME_ROLE_EXTERNAL_ID).isSet();
-        final boolean assumeRoleProxyHostIsSet = 
validationContext.getProperty(ASSUME_ROLE_PROXY_HOST).isSet();
-        final boolean assumeRoleProxyPortIsSet = 
validationContext.getProperty(ASSUME_ROLE_PROXY_PORT).isSet();
-        final boolean assumeRoleSTSEndpointIsSet = 
validationContext.getProperty(ASSUME_ROLE_STS_ENDPOINT).isSet();
-
-        final Collection<ValidationResult> validationFailureResults  = new 
ArrayList<ValidationResult>();
-
-        // Both role and arn name are req if present
-        if (assumeRoleArnIsSet ^ assumeRoleNameIsSet ) {
-            validationFailureResults.add(new 
ValidationResult.Builder().input("Assume Role Arn and Name")
-                    .valid(false).explanation("Assume role requires both arn 
and name to be set").build());
-        }
+        final Collection<ValidationResult> validationFailureResults  = new 
ArrayList<>();
 
-        // Session time only b/w 900 to 3600 sec (see sts session class)
-        if ( maxSessionTime < 900 || maxSessionTime > 3600 )
-            validationFailureResults.add(new 
ValidationResult.Builder().valid(false).input(maxSessionTime + "")
-                    .explanation(MAX_SESSION_TIME.getDisplayName() +
-                            " must be between 900 and 3600 seconds").build());
-
-        // External ID should only be provided with viable Assume Role ARN and 
Name
-        if (assumeRoleExternalIdIsSet && (!assumeRoleArnIsSet || 
!assumeRoleNameIsSet)) {
-            validationFailureResults.add(new 
ValidationResult.Builder().input("Assume Role External ID")
-                    .valid(false)
-                    .explanation("Assume role requires both arn and name to be 
set with External ID")
-                    .build());
-        }
-
-        // STS Endpoint should only be provided with viable Assume Role ARN 
and Name
-        if (assumeRoleSTSEndpointIsSet && (!assumeRoleArnIsSet || 
!assumeRoleNameIsSet)) {
-            validationFailureResults.add(new 
ValidationResult.Builder().input("Assume Role STS Endpoint")
-                    .valid(false)
-                    .explanation("Assume role requires both arn and name to be 
set with STS Endpoint")
-                    .build());
-        }
+        final boolean assumeRoleArnIsSet = 
validationContext.getProperty(ASSUME_ROLE_ARN).isSet();
 
-        // Both proxy host and proxy port are required if present
-        if (assumeRoleProxyHostIsSet ^ assumeRoleProxyPortIsSet){
-            validationFailureResults.add(new 
ValidationResult.Builder().input("Assume Role Proxy Host and Port")
-                    .valid(false)
-                    .explanation("Assume role with proxy requires both host 
and port for the proxy to be set")
-                    .build());
+        if (assumeRoleArnIsSet) {
+            final Integer maxSessionTime = 
validationContext.getProperty(MAX_SESSION_TIME).asInteger();
+
+            // Session time only b/w 900 to 3600 sec (see sts session class)
+            if (maxSessionTime < 900 || maxSessionTime > 3600)

Review Comment:
   I think the intent was here to check it at validation time instead of 
failing at runtime.
   The 1 hour max value seems to be a safety approach because the session max 
time can be configured at role level on AWS side, and it can be 1 to 12 hours 
(1 is default). So 1 hour works for all settings.
   As it is legacy code part and does not affect the current change, I would 
leave the logic as it is.
   I only changed the syntax and the comment.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@nifi.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [nifi] turcsanyip commented on a diff in pull request #6777: NIFI-10969: Created extension point for Signer Override in AWS S3 pro…

Reply via email to