Upgrade AWS STS client to v2 #504
Conversation
Including removal of awscala STS library.
83e8a30 to
cb278a4
Compare
There was a problem hiding this comment.
I think the revocation code will be broken as-is, because the authentication isn't providing the session token. This is a super important, but irregularly used, feature of Janus! Perhaps we can test it locally towards the end of a day on our own account after checking no-one is depending on their session?
Otherwise looks great, thank you!
test/logic/ViewHelpersTest.scala
Outdated
|
|
||
| class ViewHelpersTest extends AnyFreeSpec with Matchers { | ||
|
|
||
| private def mkCredentials( |
There was a problem hiding this comment.
Is there any reason for this name to be shortened? Would it be clearer to call it makeCredentials? I'm also not 100% convinced that it wouldn't be clearer to just use the builder in each place, but if you tried that and thought this way was clearer then 👍
There was a problem hiding this comment.
Yes I'll switch to using the builder inline.
| def formatDateTime(date: DateTime): String = | ||
| dateTimeFormatter.print(date) | ||
|
|
||
| def formatTime(date: DateTime): String = | ||
| timeFormatter.print(date) | ||
| def formatTime(instant: java.time.Instant): String = |
There was a problem hiding this comment.
We should probably switch to java.time everywhere, at some point 😬
app/aws/Federation.scala
Outdated
| Credentials(creds.accessKeyId, creds.secretAccessKey, creds.sessionToken) | ||
| val provider = new AWSStaticCredentialsProvider(sessionCredentials) | ||
| val iamClient = IAM(provider) | ||
| val iamClient = IAM(creds.accessKeyId(), creds.secretAccessKey()) |
There was a problem hiding this comment.
I think this will need the session token as well, since these are temporary credentials just like any others that Janus produces.
This bit still depends on AWScala, because we're making an instance of IAM here. While that's true I think we might as well continue to use the AWSCala credentials representation. awscala's core module includes SessionCredentials, which takes the three arguments we need here, and can be passed to the IAM constructor.
There was a problem hiding this comment.
I'll have another look at this code. It looked like it was actually just passing the same values around from one structure to another but I've probably missed something important here. It proves the value of code review.
There was a problem hiding this comment.
I should have read the code more carefully! Fixed in f2a07b1
There was a problem hiding this comment.
I've left the awscala IAM code as-is and I'll deal with that separately.
| autoLogoutUrl(url, autoLogout) | ||
| } | ||
|
|
||
| private def signinToken(credentials: Credentials): String = { |
There was a problem hiding this comment.
This isn't necessarily the way we'd implement all this from scratch, but great for now given that this is explicitly a reimplementation of the existing code in AWScala 👍
There was a problem hiding this comment.
I've tried to read this all super carefully, and it looks like it should be the same as the previous behaviour. Ultimately it comes down to verifying this by using it, which I'm sure you have done locally (and it seems to work fine for me)!
There was a problem hiding this comment.
It works locally. Like the dynamo db change, I see this as the smallest change I could make and it can be built on and improved.
app/aws/Federation.scala
Outdated
|
|
||
| val awsMinimumSessionLength = 900.seconds | ||
| private val signInUrl = "https://signin.aws.amazon.com/federation" | ||
| private val consoleUrl = |
There was a problem hiding this comment.
Would it be clearer to apply the URLEncoding where it is used, to call this something like encodedConsoleUrl, or to inline this val?
This is only used in one place, but I can see the benefit to having it be defined up top as a "constant". However, including the encoding feels a little like mixing the constant definition with the logic of its use. I don't feel strongly, whatever you think!
There was a problem hiding this comment.
You're right that would be more consistent and readable. It's a slight optimisation that's of very little value here.
Good point. I haven't tested that! |
|
Tested revocation endpoint by:
|
# Conflicts: # app/aws/Federation.scala # app/controllers/Janus.scala
Changes have been addressed, I'll re-review
| @@ -129,8 +141,11 @@ object Federation { | |||
| stsClient, | |||
| Federation.awsMinimumSessionLength | |||
| ) | |||
| val sessionCredentials = | |||
| Credentials(creds.accessKeyId, creds.secretAccessKey, creds.sessionToken) | |||
| val sessionCredentials = awscala.Credentials( | |||
There was a problem hiding this comment.
Great stuff, nice and easy for now and we defer this to the IAM change 👍
|
Tested in Prod:
|
What is the purpose of this change?
To remove the deprecated AWS v1 STS client and replace it with v2.
And to remove the awscala STS library which has a dependence on the v1 client.
What is the value of this change and how do we measure success?
Code is up to date and easier to patch in future.
Should still be able to:
Any additional notes?
This is part of a series of PRs to upgrade AWS clients to v2.
See also: