Ignore endpoint override if awsShouldUseFips is passed in. Add test.

Author: cfikeatlass

src/main/java/software/amazon/msk/auth/iam/internals/MSKCredentialProvider.java

@@ -90,6 +90,7 @@ public class MSKCredentialProvider implements AwsCredentialsProvider, AutoClosea
     private static final String AWS_ROLE_SESSION_TOKEN = "awsRoleSessionToken";
     private static final String AWS_STS_REGION = "awsStsRegion";
     private static final String AWS_DEBUG_CREDS_KEY = "awsDebugCreds";
+    private static final String AWS_SHOULD_USE_FIPS = "awsShouldUseFips";
     private static final String AWS_MAX_RETRIES = "awsMaxRetries";
     private static final String AWS_MAX_BACK_OFF_TIME_MS = "awsMaxBackOffTimeMs";
     private static final String GLOBAL_REGION = "aws-global";
@@ -264,6 +265,10 @@ public Boolean shouldDebugCreds() {
             return Optional.ofNullable(optionsMap.get(AWS_DEBUG_CREDS_KEY)).map(d -> d.equals("true")).orElse(false);
         }
 
+        public Boolean shouldUseFips() {
+            return Optional.ofNullable(optionsMap.get(AWS_SHOULD_USE_FIPS)).map(d -> d.equals("true")).orElse(false);
+        }
+
         public String getStsRegion() {
             return Optional.ofNullable((String) optionsMap.get(AWS_STS_REGION))
                     .orElse(GLOBAL_REGION);
@@ -295,9 +300,10 @@ public URI buildEndpointConfiguration(Region stsRegion) {
             }
         }
 
-        private StsClientBuilder getStsClientBuilder(Region stsRegion) {
+        private StsClientBuilder getStsClientBuilder(Region stsRegion, Boolean shouldUseFips) {
             StsClientBuilder builder = StsClient.builder().region(stsRegion);
-            if (stsRegion != Region.AWS_GLOBAL) {
+            if (stsRegion != Region.AWS_GLOBAL && !shouldUseFips) {
+                log.info("Using STS Endpoint override");
                 builder.endpointOverride(buildEndpointConfiguration(stsRegion));
             }
             return builder;
@@ -327,6 +333,7 @@ private Optional<StsAssumeRoleCredentialsProvider> getStsRoleProvider() {
                 String sessionName = Optional.ofNullable((String) optionsMap.get(AWS_ROLE_SESSION_KEY))
                         .orElse("aws-msk-iam-auth");
                 String stsRegion = getStsRegion();
+                Boolean shouldUseFIPs = shouldUseFips();
 
                 String accessKey = (String) optionsMap.getOrDefault(AWS_ROLE_ACCESS_KEY_ID, null);
                 String secretKey = (String) optionsMap.getOrDefault(AWS_ROLE_SECRET_ACCESS_KEY, null);
@@ -337,25 +344,26 @@ private Optional<StsAssumeRoleCredentialsProvider> getStsRoleProvider() {
                             sessionToken != null
                                     ? AwsSessionCredentials.create(accessKey, secretKey, sessionToken)
                                     : AwsBasicCredentials.create(accessKey, secretKey));
-                    return createSTSRoleCredentialProvider((String) p, sessionName, stsRegion, credentials);
+                    return createSTSRoleCredentialProvider((String) p, sessionName, stsRegion, credentials, shouldUseFIPs);
                 }
                 else if (externalId != null) {
-                    return createSTSRoleCredentialProvider((String) p, externalId, sessionName, stsRegion);
+                    return createSTSRoleCredentialProvider((String) p, externalId, sessionName, stsRegion, shouldUseFIPs);
                 }
 
-                return createSTSRoleCredentialProvider((String) p, sessionName, stsRegion);
+                return createSTSRoleCredentialProvider((String) p, sessionName, stsRegion, shouldUseFIPs);
             });
         }
 
         StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(
             String roleArn,
             String sessionName,
-            String stsRegion) {
+            String stsRegion,
+            Boolean shouldUseFips) {
             AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                 .roleArn(roleArn)
                 .roleSessionName(sessionName)
                 .build();
-            StsClient stsClient = getStsClientBuilder(Region.of(stsRegion))
+            StsClient stsClient = getStsClientBuilder(Region.of(stsRegion), shouldUseFips)
                 .build();
             return StsAssumeRoleCredentialsProvider.builder()
                 .stsClient(stsClient)
@@ -367,12 +375,13 @@ StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(
         StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(
             String roleArn,
             String sessionName, String stsRegion,
-            AwsCredentialsProvider credentials) {
+            AwsCredentialsProvider credentials,
+            Boolean shouldUseFips) {
             AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                 .roleArn(roleArn)
                 .roleSessionName(sessionName)
                 .build();
-            StsClient stsClient = getStsClientBuilder(Region.of(stsRegion))
+            StsClient stsClient = getStsClientBuilder(Region.of(stsRegion), shouldUseFips)
                 .credentialsProvider(credentials)
                 .build();
             return StsAssumeRoleCredentialsProvider.builder()
@@ -386,17 +395,18 @@ StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(
             String roleArn,
             String externalId,
             String sessionName,
-            String stsRegion) {
+            String stsRegion,
+            Boolean shouldUseFips) {
             AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                 .externalId(externalId)
                 .roleArn(roleArn)
                 .roleSessionName(sessionName)
                 .build();
             return StsAssumeRoleCredentialsProvider.builder()
-                .stsClient(getStsClientBuilder(Region.of(stsRegion)).build())
+                .stsClient(getStsClientBuilder(Region.of(stsRegion), shouldUseFips).build())
                 .refreshRequest(roleRequest)
                 .asyncCredentialUpdateEnabled(true)
                 .build();
         }
     }
-}
+}

src/test/java/software/amazon/msk/auth/iam/internals/MSKCredentialProviderTest.java

@@ -353,9 +353,10 @@ public void testAwsRoleArnSessionNameAndStsRegion() {
 
         MSKCredentialProvider.ProviderBuilder providerBuilder = new MSKCredentialProvider.ProviderBuilder(optionsMap) {
             StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn,
-                                                                                    String sessionName, String stsRegion) {
+                                                                             String sessionName, String stsRegion, Boolean shouldUseFips) {
                 assertEquals(TEST_ROLE_ARN, roleArn);
                 assertEquals(TEST_ROLE_SESSION_NAME, sessionName);
+                assertEquals(false, shouldUseFips);
                 assertEquals("eu-west-1", stsRegion);
                 URI endpointConfiguration = buildEndpointConfiguration(Region.of(stsRegion));
                 assertEquals("https://sts.eu-west-1.amazonaws.com", endpointConfiguration.toString());
@@ -372,6 +373,41 @@ StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn,
         Mockito.verify(mockStsRoleProvider, times(1)).close();
     }
 
+    @Test
+    public void testAwsRoleArnSessionNameAndStsRegionAndShouldUseFIPs() {
+        StsAssumeRoleCredentialsProvider mockStsRoleProvider = Mockito
+            .mock(StsAssumeRoleCredentialsProvider.class);
+        Mockito.when(mockStsRoleProvider.resolveIdentity())
+            .thenAnswer(i -> CompletableFuture.completedFuture(AwsSessionCredentials.create(ACCESS_KEY_VALUE, SECRET_KEY_VALUE, SESSION_TOKEN)));
+
+        Map<String, String> optionsMap = new HashMap<>();
+        optionsMap.put(AWS_ROLE_ARN, TEST_ROLE_ARN);
+        optionsMap.put("awsRoleSessionName", TEST_ROLE_SESSION_NAME);
+        optionsMap.put("awsStsRegion", "eu-west-1");
+        optionsMap.put("awsShouldUseFips", "true");
+
+        MSKCredentialProvider.ProviderBuilder providerBuilder = new MSKCredentialProvider.ProviderBuilder(optionsMap) {
+            StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn,
+                                                                             String sessionName, String stsRegion, Boolean shouldUseFips) {
+                assertEquals(TEST_ROLE_ARN, roleArn);
+                assertEquals(TEST_ROLE_SESSION_NAME, sessionName);
+                assertEquals("eu-west-1", stsRegion);
+                assertEquals(true, shouldUseFips);
+                URI endpointConfiguration = buildEndpointConfiguration(Region.of(stsRegion));
+                assertEquals("https://sts.eu-west-1.amazonaws.com", endpointConfiguration.toString());
+                return mockStsRoleProvider;
+            }
+        };
+        MSKCredentialProvider provider = new MSKCredentialProvider(providerBuilder);
+        assertFalse(provider.getShouldDebugCreds());
+
+        AwsCredentials credentials = provider.resolveCredentials();
+        validateBasicSessionCredentials(credentials);
+
+        provider.close();
+        Mockito.verify(mockStsRoleProvider, times(1)).close();
+    }
+
     @Test
     public void testAwsRoleArnSessionNameStsRegionAndExternalId() {
         StsAssumeRoleCredentialsProvider mockStsRoleProvider = Mockito
@@ -389,11 +425,13 @@ public void testAwsRoleArnSessionNameStsRegionAndExternalId() {
             StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn,
                                                                                     String externalId,
                                                                                     String sessionName,
-                                                                                    String stsRegion) {
+                                                                                    String stsRegion,
+                                                                                    Boolean shouldUseFips) {
                 assertEquals(TEST_ROLE_ARN, roleArn);
                 assertEquals(TEST_ROLE_EXTERNAL_ID, externalId);
                 assertEquals(TEST_ROLE_SESSION_NAME, sessionName);
                 assertEquals("eu-west-1", stsRegion);
+                assertEquals(false, shouldUseFips);
                 URI endpointConfiguration = buildEndpointConfiguration(Region.of(stsRegion));
                 assertEquals("https://sts.eu-west-1.amazonaws.com", endpointConfiguration.toString());
                 return mockStsRoleProvider;
@@ -429,9 +467,10 @@ ProfileCredentialsProvider createEnhancedProfileCredentialsProvider(String profi
             }
 
             StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn,
-                                                                                    String sessionName, String stsRegion) {
+                                                                             String sessionName, String stsRegion, Boolean shouldUseFips) {
                 assertEquals(TEST_ROLE_ARN, roleArn);
                 assertEquals("aws-msk-iam-auth", sessionName);
+                assertEquals(false, shouldUseFips);
                 return mockStsRoleProvider;
             }
         };
@@ -649,9 +688,10 @@ private MSKCredentialProvider.ProviderBuilder getProviderBuilder(StsAssumeRoleCr
                                                                      Map<String, String> optionsMap, String s) {
         return new MSKCredentialProvider.ProviderBuilder(optionsMap) {
             StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn,
-                                                                                    String sessionName, String stsRegion) {
+                                                                             String sessionName, String stsRegion, Boolean shouldUseFips) {
                 assertEquals(TEST_ROLE_ARN, roleArn);
                 assertEquals(s, sessionName);
+                assertEquals(false, shouldUseFips);
                 return mockStsRoleProvider;
             }
         };
@@ -662,9 +702,11 @@ private MSKCredentialProvider.ProviderBuilder getProviderBuilderWithCredentials(
         return new MSKCredentialProvider.ProviderBuilder(optionsMap) {
             StsAssumeRoleCredentialsProvider createSTSRoleCredentialProvider(String roleArn,
                                                                                     String sessionName, String stsRegion,
-                                                                                    AwsCredentialsProvider credentials) {
+                                                                                    AwsCredentialsProvider credentials,
+                                                                                    Boolean shouldUseFips) {
                 assertEquals(TEST_ROLE_ARN, roleArn);
                 assertEquals(s, sessionName);
+                assertEquals(false, shouldUseFips);
                 return mockStsRoleProvider;
             }
         };
@@ -740,4 +782,4 @@ private URL getProfileResourceURL() {
         return getClass().getClassLoader().getResource("profile_config_file");
     }
 
-}
+}