Since it is unclear when jenkinsci/aws-credentials-plugin#46 will be …

…released, do not depend on it for now.
jglick · Nov 16, 2018 · f62c139 · f62c139
1 parent 9fca2cd
commit f62c139
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 7 deletions.
diff --git a/pom.xml b/pom.xml
@@ -123,11 +123,6 @@
             <version>${powermock.version}</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.jenkins-ci.plugins</groupId>
-            <artifactId>aws-credentials</artifactId>
-            <version>1.24-rc76.eb913007d21e</version> <!-- TODO https://github.com/jenkinsci/aws-credentials-plugin/pull/46 -->
-        </dependency>
     </dependencies>
     <dependencyManagement>
         <dependencies>

diff --git a/src/test/java/io/jenkins/plugins/pipeline_log_fluentd_cloudwatch/PipelineBridgeTest.java b/src/test/java/io/jenkins/plugins/pipeline_log_fluentd_cloudwatch/PipelineBridgeTest.java
@@ -24,6 +24,14 @@
 
 package io.jenkins.plugins.pipeline_log_fluentd_cloudwatch;
 
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSStaticCredentialsProvider;
+import com.amazonaws.auth.BasicAWSCredentials;
+import com.amazonaws.auth.BasicSessionCredentials;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
+import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
+import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
 import com.cloudbees.jenkins.plugins.awscredentials.AWSCredentialsImpl;
 import com.cloudbees.plugins.credentials.CredentialsScope;
 import com.cloudbees.plugins.credentials.SystemCredentialsProvider;
@@ -43,7 +51,9 @@
 import java.util.logging.LogRecord;
 import java.util.logging.Logger;
 import java.util.logging.SimpleFormatter;
+import jenkins.model.Jenkins;
 import jenkins.security.MasterToSlaveCallable;
+import org.apache.commons.lang.StringUtils;
 import static org.hamcrest.Matchers.*;
 import org.jenkinsci.plugins.workflow.log.LogStorage;
 import org.jenkinsci.plugins.workflow.log.LogStorageTestBase;
@@ -67,7 +77,7 @@ public class PipelineBridgeTest extends LogStorageTestBase {
         String credentialsId = null;
         if (role != null) {
             credentialsId = "aws";
-            SystemCredentialsProvider.getInstance().getCredentials().add(new AWSCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, null, null, null, role, null));
+            SystemCredentialsProvider.getInstance().getCredentials().add(new PatchedAWSCredentialsImpl(CredentialsScope.GLOBAL, credentialsId, null, null, null, role, null));
             CredentialsAwsGlobalConfiguration.get().setCredentialsId(credentialsId);
         }
         CloudWatchAwsGlobalConfiguration configuration = ExtensionList.lookupSingleton(CloudWatchAwsGlobalConfiguration.class);
@@ -77,7 +87,39 @@ public class PipelineBridgeTest extends LogStorageTestBase {
         id = UUID.randomUUID().toString();
     }
 
-    // TODO consider whether this should be moved into LoggerRule
+    // TODO remove when depending on https://github.com/jenkinsci/aws-credentials-plugin/pull/46
+    private static final class PatchedAWSCredentialsImpl extends AWSCredentialsImpl {
+        PatchedAWSCredentialsImpl(CredentialsScope scope, String id, String accessKey, String secretKey, String description, String iamRoleArn, String iamMfaSerialNumber) {
+            super(scope, id, accessKey, secretKey, description, iamRoleArn, iamMfaSerialNumber);
+        }
+        @Override public AWSCredentials getCredentials() {
+            AWSCredentials initialCredentials = new BasicAWSCredentials(getAccessKey(), getSecretKey().getPlainText());
+            if (StringUtils.isBlank(getIamRoleArn())) {
+                return initialCredentials;
+            } else {
+                AWSSecurityTokenService client;
+                if (StringUtils.isBlank(getAccessKey()) && StringUtils.isBlank(getSecretKey().getPlainText())) {
+                    client = AWSSecurityTokenServiceClientBuilder.defaultClient();
+                } else {
+                    client = AWSSecurityTokenServiceClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(initialCredentials)).build();
+                }
+                AssumeRoleRequest assumeRequest = createAssumeRoleRequest(getIamRoleArn());
+                AssumeRoleResult assumeResult = client.assumeRole(assumeRequest);
+                return new BasicSessionCredentials(
+                        assumeResult.getCredentials().getAccessKeyId(),
+                        assumeResult.getCredentials().getSecretAccessKey(),
+                        assumeResult.getCredentials().getSessionToken());
+            }
+        }
+        private static AssumeRoleRequest createAssumeRoleRequest(String iamRoleArn) {
+            return new AssumeRoleRequest()
+                    .withRoleArn(iamRoleArn)
+                    .withDurationSeconds(STS_CREDENTIALS_DURATION_SECONDS)
+                    .withRoleSessionName(Jenkins.get().getDisplayName());
+        }
+    }
+
+    // TODO pulled up into https://github.com/jenkinsci/workflow-api-plugin/pull/83 with some modifications; move into jenkins-test-harness
     @TestExtension public static final class RemoteLogs extends ComputerListener {
         @Override public void onOnline(Computer c, TaskListener listener) throws IOException, InterruptedException {
             if (c instanceof SlaveComputer) {