pr review updates for Tejaskriya

Fabian Morgan · Fabian Morgan · commit 28e0de8222ae · 2025-12-09T11:36:59.000-08:00
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestS3SecurityUtil.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/security/TestS3SecurityUtil.java
@@ -29,7 +29,6 @@
 import static org.mockito.Mockito.mockStatic;
 import static org.mockito.Mockito.when;
 
-import java.io.IOException;
 import java.time.Clock;
 import java.time.Instant;
 import java.util.UUID;
@@ -60,63 +59,48 @@ public class TestS3SecurityUtil {
   public void testValidateS3CredentialFailsWhenTokenRevoked() throws Exception {
     // If the revoked STS token table contains an entry for the temporary access key id extracted from the session
     // token, validateS3Credential should reject the request with REVOKED_TOKEN
-    final String sessionToken = "session-token-a";
-    final String tempAccessKeyId = "ASIA123456789";
+    validateS3CredentialHelper("session-token-a", true, true, REVOKED_TOKEN);
+  }
+
+  @Test
+  public void testValidateS3CredentialWhenMetadataUnavailable() throws Exception {
+    // If the metadata manager is not available, the revocation check should not cause the request to be rejected.
+    validateS3CredentialHelper("session-token-b", false, false, null);
+  }
+
+  @Test
+  public void testValidateS3CredentialSuccessWhenNotRevoked() throws Exception {
+    // Normal case: token is NOT revoked and request is accepted
+    validateS3CredentialHelper("session-token-c", true, false, null);
+  }
+
+  private void validateS3CredentialHelper(String sessionToken, boolean metadataAvailable, boolean isRevoked,
+      OMException.ResultCodes expectedResult) throws Exception {
 
     try (OzoneManager ozoneManager = mock(OzoneManager.class)) {
       when(ozoneManager.isSecurityEnabled()).thenReturn(true);
       when(ozoneManager.getSecretKeyClient()).thenReturn(mock(SecretKeyClient.class));
 
-      final OMMetadataManager metadataManager = mock(OMMetadataManager.class);
-      when(ozoneManager.getMetadataManager()).thenReturn(metadataManager);
-
       final Table<String, String> revokedSTSTokenTable = new InMemoryTestTable<>();
-      when(metadataManager.getS3RevokedStsTokenTable()).thenReturn(revokedSTSTokenTable);
-
-      // Mock STSSecurityUtil to return a token whose tempAccessKeyId matches the one that's revoked.
-      final STSTokenIdentifier stsTokenIdentifier = new STSTokenIdentifier(
-          tempAccessKeyId, "original-access-key-id", "arn:aws:iam::123456789012:role/test-role",
-          Instant.now().plusSeconds(3600), "secret-access-key", "session-policy",
-          ENCRYPTION_KEY);
-
-      try (MockedStatic<STSSecurityUtil> stsSecurityUtilMock = mockStatic(STSSecurityUtil.class, CALLS_REAL_METHODS)) {
-        stsSecurityUtilMock.when(
-            () -> STSSecurityUtil.constructValidateAndDecryptSTSToken(
-                eq(sessionToken), any(SecretKeyClient.class), any(Clock.class)))
-            .thenReturn(stsTokenIdentifier);
+      if (metadataAvailable) {
+        final OMMetadataManager metadataManager = mock(OMMetadataManager.class);
+        when(ozoneManager.getMetadataManager()).thenReturn(metadataManager);
+        when(metadataManager.getS3RevokedStsTokenTable()).thenReturn(revokedSTSTokenTable);
+      } else {
+        when(ozoneManager.getMetadataManager()).thenReturn(null);
+      }
 
-        // Revoke the tempAccessKeyId
+      final String tempAccessKeyId = "temp-access-key-id";
+      if (isRevoked) {
         revokedSTSTokenTable.put(tempAccessKeyId, sessionToken);
-
-        final OMRequest omRequest = createRequestWithSessionToken(sessionToken);
-        final OMException ex = assertThrows(
-            OMException.class, () -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
-        assertEquals(REVOKED_TOKEN, ex.getResult());
       }
-    }
-  }
-
-  @Test
-  public void testValidateS3CredentialWhenMetadataUnavailable() {
-    // If the metadata manager is not available, the revocation check should not cause the request to be rejected.
-    final String sessionToken = "session-token-b";
-
-    try (OzoneManager ozoneManager = mock(OzoneManager.class)) {
-      when(ozoneManager.isSecurityEnabled()).thenReturn(true);
-      when(ozoneManager.getMetadataManager()).thenReturn(null);
-      when(ozoneManager.getSecretKeyClient()).thenReturn(mock(SecretKeyClient.class));
 
-      final OMRequest omRequest = createRequestWithSessionToken(sessionToken);
+      final STSTokenIdentifier stsTokenIdentifier = createSTSTokenIdentifier();
 
       try (MockedStatic<STSSecurityUtil> stsSecurityUtilMock = mockStatic(STSSecurityUtil.class, CALLS_REAL_METHODS);
            MockedStatic<AWSV4AuthValidator> awsV4AuthValidatorMock = mockStatic(
                AWSV4AuthValidator.class, CALLS_REAL_METHODS)) {
 
-        final STSTokenIdentifier stsTokenIdentifier = new STSTokenIdentifier(
-            "temp-access-key-id", "original-access-key-id", "arn:aws:iam::123456789012:role/test-role",
-            Instant.now().plusSeconds(3600), "secret-access-key", "session-policy",
-            ENCRYPTION_KEY);
-
         stsSecurityUtilMock.when(
             () -> STSSecurityUtil.constructValidateAndDecryptSTSToken(
                 eq(sessionToken), any(SecretKeyClient.class), any(Clock.class)))
@@ -126,51 +110,24 @@ public void testValidateS3CredentialWhenMetadataUnavailable() {
         awsV4AuthValidatorMock.when(() -> AWSV4AuthValidator.validateRequest(anyString(), anyString(), anyString()))
             .thenReturn(true);
 
-        assertDoesNotThrow(() -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
+        final OMRequest omRequest = createRequestWithSessionToken(sessionToken);
+
+        if (expectedResult != null) {
+          final OMException ex = assertThrows(OMException.class,
+              () -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
+          assertEquals(expectedResult, ex.getResult());
+        } else {
+          assertDoesNotThrow(() -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
+        }
       }
-    } catch (IOException e) {
-      throw new RuntimeException(e);
     }
   }
 
-  @Test
-  public void testValidateS3CredentialSuccessWhenNotRevoked() {
-    // Normal case: token is NOT revoked and request is accepted
-    final String sessionToken = "session-token-c";
-
-    try (OzoneManager ozoneManager = mock(OzoneManager.class)) {
-      when(ozoneManager.isSecurityEnabled()).thenReturn(true);
-      when(ozoneManager.getSecretKeyClient()).thenReturn(mock(SecretKeyClient.class));
-
-      final OMMetadataManager metadataManager = mock(OMMetadataManager.class);
-      when(ozoneManager.getMetadataManager()).thenReturn(metadataManager);
-
-      final Table<String, String> revokedSTSTokenTable = new InMemoryTestTable<>();
-      when(metadataManager.getS3RevokedStsTokenTable()).thenReturn(revokedSTSTokenTable);
-
-      // Not revoked -> getIfExist returns null by default in InMemoryTestTable
-      final OMRequest omRequest = createRequestWithSessionToken(sessionToken);
-      final STSTokenIdentifier stsTokenIdentifier = new STSTokenIdentifier(
-          "temp-access-key-id", "original-access-key-id", "arn:aws:iam::123456789012:role/test-role",
-          Instant.now().plusSeconds(3600), "secret-access-key", "session-policy",
-          ENCRYPTION_KEY);
-
-      try (MockedStatic<STSSecurityUtil> stsSecurityUtilMock = mockStatic(STSSecurityUtil.class, CALLS_REAL_METHODS);
-           MockedStatic<AWSV4AuthValidator> awsV4AuthValidatorMock = mockStatic(
-               AWSV4AuthValidator.class, CALLS_REAL_METHODS)) {
-
-        stsSecurityUtilMock.when(
-                () -> STSSecurityUtil.constructValidateAndDecryptSTSToken(
-                    eq(sessionToken), any(SecretKeyClient.class), any(Clock.class)))
-            .thenReturn(stsTokenIdentifier);
-        awsV4AuthValidatorMock.when(() -> AWSV4AuthValidator.validateRequest(anyString(), anyString(), anyString()))
-            .thenReturn(true);
-
-        assertDoesNotThrow(() -> S3SecurityUtil.validateS3Credential(omRequest, ozoneManager));
-      }
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
+  private STSTokenIdentifier createSTSTokenIdentifier() {
+    return new STSTokenIdentifier(
+        "temp-access-key-id", "original-access-key-id", "arn:aws:iam::123456789012:role/test-role",
+        Instant.now().plusSeconds(3600), "secret-access-key", "session-policy",
+        ENCRYPTION_KEY);
   }
 
   private static OMRequest createRequestWithSessionToken(String sessionToken) {
