Merge pull request #71 from fbelzunc/issue-20

[JENKINS-60057] AssumeRole does not honour proxy settings
jenkinsci · Dec 16, 2019 · 2273229 · 2273229
2 parents 412c180 + 08cbde7
commit 2273229
Showing 1 changed file with 42 additions and 12 deletions.
diff --git a/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java b/src/main/java/com/cloudbees/jenkins/plugins/awscredentials/AWSCredentialsImpl.java
@@ -144,16 +144,20 @@ public AWSCredentials getCredentials() {
                 clientRegion = Regions.DEFAULT_REGION.getName();
             }
 
+            ClientConfiguration clientConfiguration = getClientConfiguration();
+
             AWSSecurityTokenService client;
             // Handle the case of delegation to instance profile
             if (StringUtils.isBlank(accessKey) && StringUtils.isBlank(secretKey.getPlainText()) ) {
                 client = AWSSecurityTokenServiceClientBuilder.standard()
                         .withRegion(clientRegion)
+                        .withClientConfiguration(clientConfiguration)
                         .build();
             } else {
                 client = AWSSecurityTokenServiceClientBuilder.standard()
                         .withCredentials(new AWSStaticCredentialsProvider(initialCredentials))
                         .withRegion(clientRegion)
+                        .withClientConfiguration(clientConfiguration)
                         .build();
             }
 
@@ -177,7 +181,8 @@ public AWSCredentials getCredentials(String mfaToken) {
                 .withTokenCode(mfaToken)
                 .withDurationSeconds(this.getStsTokenDuration());
 
-        AssumeRoleResult assumeResult = new AWSSecurityTokenServiceClient(initialCredentials).assumeRole(assumeRequest);
+        AWSSecurityTokenService awsSecurityTokenService = getAWSSecurityTokenService(initialCredentials);
+        AssumeRoleResult assumeResult = awsSecurityTokenService.assumeRole(assumeRequest);
 
         return new BasicSessionCredentials(
                 assumeResult.getCredentials().getAccessKeyId(),
@@ -202,6 +207,39 @@ private static AssumeRoleRequest createAssumeRoleRequest(String iamRoleArn) {
                 .withRoleSessionName("Jenkins");
     }
 
+    /**
+     * Provides the {@link AWSSecurityTokenService} for a given {@link AWSCredentials}
+     * @param awsCredentials
+     *
+     * @return {@link AWSSecurityTokenService}
+     */
+    private static AWSSecurityTokenService getAWSSecurityTokenService(AWSCredentials awsCredentials) {
+        ClientConfiguration clientConfiguration = getClientConfiguration();
+        return AWSSecurityTokenServiceClientBuilder.standard()
+                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
+                .withClientConfiguration(clientConfiguration)
+                .build();
+    }
+
+    /**
+     * Provides the {@link ClientConfiguration}
+     *
+     * @return {@link ClientConfiguration}
+     */
+    private static ClientConfiguration getClientConfiguration() {
+        Jenkins instance = Jenkins.getInstanceOrNull();
+
+        ProxyConfiguration proxy = instance != null ? instance.proxy : null;
+        ClientConfiguration clientConfiguration = new ClientConfiguration();
+        if (proxy != null && proxy.name != null && !proxy.name.isEmpty()) {
+            clientConfiguration.setProxyHost(proxy.name);
+            clientConfiguration.setProxyPort(proxy.port);
+            clientConfiguration.setProxyUsername(proxy.getUserName());
+            clientConfiguration.setProxyPassword(proxy.getPassword());
+        }
+        return clientConfiguration;
+    }
+
     @Extension
     public static class DescriptorImpl extends CredentialsDescriptor {
 
@@ -228,15 +266,6 @@ public FormValidation doCheckSecretKey(@QueryParameter("accessKey") final String
                 return FormValidation.error(Messages.AWSCredentialsImpl_SpecifySecretAccessKey());
             }
 
-            ProxyConfiguration proxy = Jenkins.getActiveInstance().proxy;
-            ClientConfiguration clientConfiguration = new ClientConfiguration();
-            if(proxy != null) {
-            	clientConfiguration.setProxyHost(proxy.name);
-            	clientConfiguration.setProxyPort(proxy.port);
-            	clientConfiguration.setProxyUsername(proxy.getUserName());
-            	clientConfiguration.setProxyPassword(proxy.getPassword());
-            }
-
             AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, Secret.fromString(secretKey).getPlainText());
 
             // If iamRoleArn is specified, swap out the credentials.
@@ -255,7 +284,8 @@ public FormValidation doCheckSecretKey(@QueryParameter("accessKey") final String
                 }
 
                 try {
-                    AssumeRoleResult assumeResult = new AWSSecurityTokenServiceClient(awsCredentials).assumeRole(assumeRequest);
+                    AWSSecurityTokenService awsSecurityTokenService = getAWSSecurityTokenService(awsCredentials);
+                    AssumeRoleResult assumeResult = awsSecurityTokenService.assumeRole(assumeRequest);
 
                     awsCredentials = new BasicSessionCredentials(
                             assumeResult.getCredentials().getAccessKeyId(),
@@ -267,7 +297,7 @@ public FormValidation doCheckSecretKey(@QueryParameter("accessKey") final String
                 }
             }
 
-            AmazonEC2 ec2 = new AmazonEC2Client(awsCredentials,clientConfiguration);
+            AmazonEC2 ec2 = new AmazonEC2Client(awsCredentials, getClientConfiguration());
 
             // TODO better/smarter validation of the credentials instead of verifying the permission on EC2.READ in us-east-1
             String region = "us-east-1";