Merge branch 'main' into feat/dont-log-secret

Author: mosiac1

trino-aws-proxy-glue/src/test/java/io/trino/aws/proxy/glue/TestGlueBase.java

@@ -13,7 +13,7 @@
  */
 package io.trino.aws.proxy.glue;
 
-import io.trino.aws.proxy.spi.credentials.Credentials;
+import io.trino.aws.proxy.spi.credentials.IdentityCredential;
 import jakarta.annotation.PreDestroy;
 import jakarta.ws.rs.core.UriBuilder;
 import org.junit.jupiter.api.Test;
@@ -72,7 +72,7 @@ public abstract class TestGlueBase<T extends TestingGlueContext>
     protected final GlueClient glueClient;
     protected final T context;
 
-    protected TestGlueBase(TrinoGlueConfig config, Credentials testingCredentials, T context)
+    protected TestGlueBase(TrinoGlueConfig config, IdentityCredential testingCredentials, T context)
     {
         this.context = requireNonNull(context, "context is null");
 

trino-aws-proxy-glue/src/test/java/io/trino/aws/proxy/glue/TestGlueInS3Proxy.java

@@ -19,7 +19,7 @@
 import io.trino.aws.proxy.server.testing.TestingUtil.ForTesting;
 import io.trino.aws.proxy.server.testing.harness.BuilderFilter;
 import io.trino.aws.proxy.server.testing.harness.TrinoAwsProxyTest;
-import io.trino.aws.proxy.spi.credentials.Credentials;
+import io.trino.aws.proxy.spi.credentials.IdentityCredential;
 
 import java.net.URI;
 
@@ -51,7 +51,7 @@ public record Context(URI baseUrl)
     }
 
     @Inject
-    public TestGlueInS3Proxy(TestingHttpServer httpServer, TrinoGlueConfig config, @ForTesting Credentials testingCredentials)
+    public TestGlueInS3Proxy(TestingHttpServer httpServer, TrinoGlueConfig config, @ForTesting IdentityCredential testingCredentials)
     {
         super(config, testingCredentials, new Context(httpServer.getBaseUrl()));
     }

trino-aws-proxy-glue/src/test/java/io/trino/aws/proxy/glue/TestingCredentialsProvider.java

@@ -14,19 +14,19 @@
 package io.trino.aws.proxy.glue;
 
 import io.trino.aws.proxy.spi.credentials.Credential;
-import io.trino.aws.proxy.spi.credentials.Credentials;
 import io.trino.aws.proxy.spi.credentials.CredentialsProvider;
+import io.trino.aws.proxy.spi.credentials.IdentityCredential;
 
 import java.util.Optional;
 import java.util.UUID;
 
 public class TestingCredentialsProvider
         implements CredentialsProvider
 {
-    public static final Credentials CREDENTIALS = Credentials.build(new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString()));
+    public static final IdentityCredential CREDENTIALS = new IdentityCredential(new Credential(UUID.randomUUID().toString(), UUID.randomUUID().toString()));
 
     @Override
-    public Optional<Credentials> credentials(String emulatedAccessKey, Optional<String> session)
+    public Optional<IdentityCredential> credentials(String emulatedAccessKey, Optional<String> session)
     {
         return Optional.of(CREDENTIALS);
     }

trino-aws-proxy-spark3/src/main/java/io/trino/aws/proxy/spark3/PresignAwareAmazonS3.java

@@ -626,6 +626,8 @@ public S3Object getObject(GetObjectRequest getObjectRequest)
         return getPresignedUrl("GET", getObjectRequest.getBucketName(), getObjectRequest.getKey())
                 .map(presigned -> {
                     PresignedUrlDownloadRequest presignedUrlDownloadRequest = new PresignedUrlDownloadRequest(presigned.url);
+                    Optional.ofNullable(getObjectRequest.getRange())
+                            .ifPresent(range -> presignedUrlDownloadRequest.withRange(range[0], range[1]));
                     return delegate.download(presignedUrlDownloadRequest).getS3Object();
                 })
                 .orElseGet(() -> delegate.getObject(getObjectRequest));
@@ -638,6 +640,8 @@ public ObjectMetadata getObject(GetObjectRequest getObjectRequest, File destinat
         return getPresignedUrl("GET", getObjectRequest.getBucketName(), getObjectRequest.getKey())
                 .map(presigned -> {
                     PresignedUrlDownloadRequest presignedUrlDownloadRequest = new PresignedUrlDownloadRequest(presigned.url);
+                    Optional.ofNullable(getObjectRequest.getRange())
+                            .ifPresent(range -> presignedUrlDownloadRequest.withRange(range[0], range[1]));
                     delegate.download(presignedUrlDownloadRequest, destinationFile);
                     return presigned.objectMetadata;
                 })

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/credentials/Credentials.java

@@ -15,6 +15,7 @@
 
 import java.util.Optional;
 
+// TODO: Add back file-based provider
 public interface CredentialsProvider
 {
     CredentialsProvider NOOP = (_, _) -> Optional.empty();
@@ -24,5 +25,5 @@ public interface CredentialsProvider
      * Your implementation should have a centralized credentials mechanism, likely
      * some type of database along with a way of registering credentials, etc.
      */
-    Optional<Credentials> credentials(String emulatedAccessKey, Optional<String> session);
+    Optional<IdentityCredential> credentials(String emulatedAccessKey, Optional<String> session);
 }

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/credentials/CredentialsProvider.java

@@ -0,0 +1,37 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.spi.credentials;
+
+import java.util.Optional;
+
+import static java.util.Objects.requireNonNull;
+
+public record IdentityCredential(Credential emulated, Optional<Identity> identity)
+{
+    public IdentityCredential
+    {
+        requireNonNull(emulated, "emulated is null");
+        requireNonNull(identity, "identity is null");
+    }
+
+    public IdentityCredential(Credential emulatedCredential, Identity identity)
+    {
+        this(emulatedCredential, Optional.of(identity));
+    }
+
+    public IdentityCredential(Credential emulatedCredential)
+    {
+        this(emulatedCredential, Optional.empty());
+    }
+}

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/credentials/IdentityCredential.java

@@ -25,8 +25,10 @@
 import io.trino.aws.proxy.spi.plugin.config.CredentialsProviderConfig;
 import io.trino.aws.proxy.spi.plugin.config.PluginIdentifierConfig;
 import io.trino.aws.proxy.spi.plugin.config.RemoteS3Config;
+import io.trino.aws.proxy.spi.plugin.config.RemoteS3ConnectionProviderConfig;
 import io.trino.aws.proxy.spi.plugin.config.S3RequestRewriterConfig;
 import io.trino.aws.proxy.spi.plugin.config.S3SecurityFacadeProviderConfig;
+import io.trino.aws.proxy.spi.remote.RemoteS3ConnectionProvider;
 import io.trino.aws.proxy.spi.remote.RemoteS3Facade;
 import io.trino.aws.proxy.spi.rest.S3RequestRewriter;
 import io.trino.aws.proxy.spi.security.S3SecurityFacadeProvider;
@@ -49,6 +51,11 @@ static Module assumedRoleProviderModule(String identifier, Class<? extends Assum
         return optionalPluginModule(AssumedRoleProviderConfig.class, identifier, AssumedRoleProvider.class, implementationClass, module);
     }
 
+    static Module remoteS3ConnectionProviderModule(String identifier, Class<? extends RemoteS3ConnectionProvider> implementationClass, Module module)
+    {
+        return optionalPluginModule(RemoteS3ConnectionProviderConfig.class, identifier, RemoteS3ConnectionProvider.class, implementationClass, module);
+    }
+
     static Module s3SecurityFacadeProviderModule(String identifier, Class<? extends S3SecurityFacadeProvider> implementationClass, Module module)
     {
         return optionalPluginModule(S3SecurityFacadeProviderConfig.class, identifier, S3SecurityFacadeProvider.class, implementationClass, module);

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/plugin/TrinoAwsProxyServerBinding.java

@@ -0,0 +1,38 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.spi.plugin.config;
+
+import io.airlift.configuration.Config;
+import jakarta.validation.constraints.NotNull;
+
+import java.util.Optional;
+
+public class RemoteS3ConnectionProviderConfig
+        implements PluginIdentifierConfig
+{
+    private Optional<String> identifier = Optional.empty();
+
+    @NotNull
+    @Override
+    public Optional<String> getPluginIdentifier()
+    {
+        return identifier;
+    }
+
+    @Config("remote-s3-connection-provider.type")
+    public void setPluginIdentifier(String identifier)
+    {
+        this.identifier = Optional.ofNullable(identifier);
+    }
+}

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/plugin/config/RemoteS3ConnectionProviderConfig.java

@@ -0,0 +1,59 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.spi.remote;
+
+import io.trino.aws.proxy.spi.credentials.Credential;
+
+import java.util.Optional;
+
+import static java.util.Objects.requireNonNull;
+
+public interface RemoteS3Connection
+{
+    Credential remoteCredential();
+
+    default Optional<RemoteSessionRole> remoteSessionRole()
+    {
+        return Optional.empty();
+    }
+
+    default Optional<RemoteS3Facade> remoteS3Facade()
+    {
+        return Optional.empty();
+    }
+
+    record StaticRemoteS3Connection(
+            Credential remoteCredential,
+            Optional<RemoteSessionRole> remoteSessionRole,
+            Optional<RemoteS3Facade> remoteS3Facade)
+            implements RemoteS3Connection
+    {
+        public StaticRemoteS3Connection
+        {
+            requireNonNull(remoteCredential, "remoteCredential is null");
+            requireNonNull(remoteSessionRole, "remoteSessionRole is null");
+            requireNonNull(remoteS3Facade, "remoteS3Facade is null");
+        }
+
+        public StaticRemoteS3Connection(Credential remoteCredential)
+        {
+            this(remoteCredential, Optional.empty(), Optional.empty());
+        }
+
+        public StaticRemoteS3Connection(Credential remoteCredential, RemoteSessionRole remoteSessionRole)
+        {
+            this(remoteCredential, Optional.of(remoteSessionRole), Optional.empty());
+        }
+    }
+}

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/remote/RemoteS3Connection.java

@@ -0,0 +1,28 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.spi.remote;
+
+import io.trino.aws.proxy.spi.credentials.Identity;
+import io.trino.aws.proxy.spi.rest.ParsedS3Request;
+import io.trino.aws.proxy.spi.signing.SigningMetadata;
+
+import java.util.Optional;
+
+// TODO: This should have a config implementation (hard-coding a single set of Remote Credentials) and an HTTP implementation
+public interface RemoteS3ConnectionProvider
+{
+    RemoteS3ConnectionProvider NOOP = (_, _, _) -> Optional.empty();
+
+    Optional<RemoteS3Connection> remoteConnection(SigningMetadata signingMetadata, Optional<Identity> identity, ParsedS3Request request);
+}

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/remote/RemoteS3ConnectionProvider.java

@@ -13,11 +13,12 @@
  */
 package io.trino.aws.proxy.spi.remote;
 
+import java.net.URI;
 import java.util.Optional;
 
 import static java.util.Objects.requireNonNull;
 
-public record RemoteSessionRole(String region, String roleArn, Optional<String> externalId)
+public record RemoteSessionRole(String region, String roleArn, Optional<String> externalId, Optional<URI> stsEndpoint)
 {
     public RemoteSessionRole
     {

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/remote/RemoteSessionRole.java

@@ -13,23 +13,25 @@
  */
 package io.trino.aws.proxy.spi.rest;
 
-import io.trino.aws.proxy.spi.credentials.Credentials;
+import io.trino.aws.proxy.spi.credentials.Identity;
+import io.trino.aws.proxy.spi.signing.SigningMetadata;
 
 import java.util.Optional;
 
 import static java.util.Objects.requireNonNull;
 
 public interface S3RequestRewriter
 {
-    S3RequestRewriter NOOP = (_, _) -> Optional.empty();
+    S3RequestRewriter NOOP = (_, _, _) -> Optional.empty();
 
     record S3RewriteResult(String finalRequestBucket, String finalRequestKey)
     {
-        public S3RewriteResult {
+        public S3RewriteResult
+        {
             requireNonNull(finalRequestBucket, "finalRequestBucket is null");
             requireNonNull(finalRequestKey, "finalRequestKey is null");
         }
     }
 
-    Optional<S3RewriteResult> rewrite(Credentials credentials, ParsedS3Request request);
+    Optional<S3RewriteResult> rewrite(Optional<Identity> identity, SigningMetadata signingMetadata, ParsedS3Request request);
 }