Add RemoteS3ConnectionProvider plugin implementations

Author: mosiac1

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/credentials/CredentialsProvider.java

@@ -15,7 +15,6 @@
 
 import java.util.Optional;
 
-// TODO: Add back file-based provider
 public interface CredentialsProvider
 {
     CredentialsProvider NOOP = (_, _) -> Optional.empty();

trino-aws-proxy-spi/src/main/java/io/trino/aws/proxy/spi/remote/RemoteS3Connection.java

@@ -32,4 +32,9 @@ public record RemoteS3Connection(
         requireNonNull(remoteSessionRole, "remoteSessionRole is null");
         remoteS3FacadeConfiguration = requireNonNull(remoteS3FacadeConfiguration, "remoteS3FacadeConfiguration is null").map(ImmutableMap::copyOf);
     }
+
+    public RemoteS3Connection(Credential remoteCredential)
+    {
+        this(remoteCredential, Optional.empty(), Optional.empty());
+    }
 }

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/TrinoAwsProxyServerModule.java

@@ -34,6 +34,9 @@
 import io.trino.aws.proxy.server.credentials.http.HttpCredentialsModule;
 import io.trino.aws.proxy.server.remote.DefaultRemoteS3Module;
 import io.trino.aws.proxy.server.remote.RemoteS3ConnectionController;
+import io.trino.aws.proxy.server.remote.provider.config.ConfigRemoteS3ConnectionProviderModule;
+import io.trino.aws.proxy.server.remote.provider.file.FileBasedRemoteS3ConnectionModule;
+import io.trino.aws.proxy.server.remote.provider.http.HttpRemoteS3ConnectionProviderConfigModule;
 import io.trino.aws.proxy.server.rest.LimitStreamController;
 import io.trino.aws.proxy.server.rest.ResourceSecurityDynamicFeature;
 import io.trino.aws.proxy.server.rest.RestModule;
@@ -140,6 +143,9 @@ protected void setup(Binder binder)
         install(new FileBasedCredentialsModule());
         install(new OpaS3SecurityModule());
         install(new HttpCredentialsModule());
+        install(new FileBasedRemoteS3ConnectionModule());
+        install(new ConfigRemoteS3ConnectionProviderModule());
+        install(new HttpRemoteS3ConnectionProviderConfigModule());
 
         // RemoteS3 binder
         newOptionalBinder(binder, RemoteS3Facade.class);

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/remote/provider/config/ConfigRemoteS3ConnectionProviderConfig.java

@@ -0,0 +1,54 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.remote.provider.config;
+
+import io.airlift.configuration.Config;
+import io.airlift.configuration.ConfigSecuritySensitive;
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+
+public class ConfigRemoteS3ConnectionProviderConfig
+{
+    private String accessKey;
+    private String secretKey;
+
+    @NotNull
+    @NotEmpty
+    public String getAccessKey()
+    {
+        return accessKey;
+    }
+
+    @Config("remote-s3-connection-provider.access-key")
+    public ConfigRemoteS3ConnectionProviderConfig setAccessKey(String accessKey)
+    {
+        this.accessKey = accessKey;
+        return this;
+    }
+
+    @NotNull
+    @NotEmpty
+    public String getSecretKey()
+    {
+        return secretKey;
+    }
+
+    @ConfigSecuritySensitive
+    @Config("remote-s3-connection-provider.access-key")
+    public ConfigRemoteS3ConnectionProviderConfig setSecretKey(String secretKey)
+    {
+        this.secretKey = secretKey;
+        return this;
+    }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/remote/provider/config/ConfigRemoteS3ConnectionProviderModule.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.remote.provider.config;
+
+import com.google.inject.Binder;
+import io.airlift.configuration.AbstractConfigurationAwareModule;
+import io.trino.aws.proxy.spi.credentials.Credential;
+import io.trino.aws.proxy.spi.plugin.config.RemoteS3ConnectionProviderConfig;
+import io.trino.aws.proxy.spi.remote.RemoteS3Connection;
+import io.trino.aws.proxy.spi.remote.RemoteS3ConnectionProvider;
+
+import java.util.Optional;
+
+import static com.google.inject.multibindings.OptionalBinder.newOptionalBinder;
+import static io.airlift.configuration.ConditionalModule.conditionalModule;
+
+public class ConfigRemoteS3ConnectionProviderModule
+        extends AbstractConfigurationAwareModule
+{
+    public static final String CONFIG_REMOTE_S3_CONNECTION_PROVIDER = "config";
+
+    @Override
+    protected void setup(Binder binder)
+    {
+        install(conditionalModule(
+                RemoteS3ConnectionProviderConfig.class,
+                config -> config.getPluginIdentifier().map(CONFIG_REMOTE_S3_CONNECTION_PROVIDER::equals).orElse(false),
+                innerBinder -> {
+                    ConfigRemoteS3ConnectionProviderConfig config = buildConfigObject(ConfigRemoteS3ConnectionProviderConfig.class);
+                    newOptionalBinder(innerBinder, RemoteS3ConnectionProvider.class)
+                            .setBinding()
+                            .toInstance((_, _, _) -> Optional.of(new RemoteS3Connection(new Credential(config.getAccessKey(), config.getSecretKey()))));
+                }));
+    }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/remote/provider/file/FileBasedRemoteS3ConnectionModule.java

@@ -0,0 +1,42 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.remote.provider.file;
+
+import com.google.inject.Binder;
+import io.airlift.configuration.AbstractConfigurationAwareModule;
+import io.trino.aws.proxy.spi.remote.RemoteS3Connection;
+
+import static io.airlift.configuration.ConfigBinder.configBinder;
+import static io.airlift.json.JsonCodecBinder.jsonCodecBinder;
+import static io.trino.aws.proxy.spi.plugin.TrinoAwsProxyServerBinding.remoteS3ConnectionProviderModule;
+
+public class FileBasedRemoteS3ConnectionModule
+        extends AbstractConfigurationAwareModule
+{
+    // set as config value for "remote-s3-connection-provider.type"
+    public static final String FILE_BASED_REMOTE_S3_CONNECTION_PROVIDER = "file";
+
+    @Override
+    protected void setup(Binder binder)
+    {
+        install(remoteS3ConnectionProviderModule(
+                FILE_BASED_REMOTE_S3_CONNECTION_PROVIDER,
+                FileBasedRemoteS3ConnectionProvider.class,
+                innerBinder -> {
+                    configBinder(innerBinder).bindConfig(FileBasedRemoteS3ConnectionProviderConfig.class);
+                    innerBinder.bind(FileBasedRemoteS3ConnectionProvider.class);
+                    jsonCodecBinder(innerBinder).bindMapJsonCodec(String.class, RemoteS3Connection.class);
+                }));
+    }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/remote/provider/file/FileBasedRemoteS3ConnectionProvider.java

@@ -0,0 +1,76 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.remote.provider.file;
+
+import com.google.common.io.Files;
+import com.google.inject.Inject;
+import io.airlift.json.JsonCodec;
+import io.trino.aws.proxy.spi.credentials.Identity;
+import io.trino.aws.proxy.spi.remote.RemoteS3Connection;
+import io.trino.aws.proxy.spi.remote.RemoteS3ConnectionProvider;
+import io.trino.aws.proxy.spi.rest.ParsedS3Request;
+import io.trino.aws.proxy.spi.signing.SigningMetadata;
+
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * <p>File-based RemoteS3ConnectionProvider that reads a JSON file containing a mapping from emulated access key to
+ * RemoteS3Connection.</p>
+ * <pre>{@code
+ * {
+ *   "emulated-access-key-1": {
+ *     "remoteCredential": {
+ *       "accessKey": "remote-access-key",
+ *       "secretKey": "remote-secret-key"
+ *     },
+ *     "remoteSessionRole": {
+ *       "region": "us-east-1",
+ *       "roleArn": "arn:aws:iam::123456789012:role/role-name",
+ *       "externalId": "external-id",
+ *       "stsEndpoint": "https://sts.us-east-1.amazonaws.com"
+ *     },
+ *     "remoteS3FacadeConfiguration": {
+ *       "remoteS3.https": true,
+ *       "remoteS3.domain": "s3.amazonaws.com",
+ *       "remoteS3.port": 443,
+ *       "remoteS3.virtual-host-style": false,
+ *       "remoteS3.hostname.template": "${domain}"
+ *     }
+ *   }
+ * }
+ * }</pre>
+ */
+public class FileBasedRemoteS3ConnectionProvider
+        implements RemoteS3ConnectionProvider
+{
+    private final Map<String, RemoteS3Connection> remoteS3Connections;
+
+    @Inject
+    public FileBasedRemoteS3ConnectionProvider(FileBasedRemoteS3ConnectionProviderConfig config, JsonCodec<Map<String, RemoteS3Connection>> jsonCodec)
+    {
+        try {
+            this.remoteS3Connections = jsonCodec.fromJson(Files.toByteArray(config.getConnectionsFile()));
+        }
+        catch (Exception e) {
+            throw new RuntimeException("Failed to read remote S3 connections file", e);
+        }
+    }
+
+    @Override
+    public Optional<RemoteS3Connection> remoteConnection(SigningMetadata signingMetadata, Optional<Identity> identity, ParsedS3Request request)
+    {
+        return Optional.ofNullable(remoteS3Connections.get(signingMetadata.credential().accessKey()));
+    }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/remote/provider/file/FileBasedRemoteS3ConnectionProviderConfig.java

@@ -0,0 +1,39 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.remote.provider.file;
+
+import io.airlift.configuration.Config;
+import io.airlift.configuration.validation.FileExists;
+import jakarta.validation.constraints.NotNull;
+
+import java.io.File;
+
+public class FileBasedRemoteS3ConnectionProviderConfig
+{
+    private File connectionsFile;
+
+    @NotNull
+    @FileExists
+    public File getConnectionsFile()
+    {
+        return connectionsFile;
+    }
+
+    @Config("remote-s3.connections-file-path")
+    public FileBasedRemoteS3ConnectionProviderConfig setConnectionsFile(File connectionsFile)
+    {
+        this.connectionsFile = connectionsFile;
+        return this;
+    }
+}

trino-aws-proxy/src/main/java/io/trino/aws/proxy/server/remote/provider/http/ForHttpRemoteS3ConnectionProvider.java

@@ -0,0 +1,31 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.aws.proxy.server.remote.provider.http;
+
+import com.google.inject.BindingAnnotation;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.ElementType.FIELD;
+import static java.lang.annotation.ElementType.METHOD;
+import static java.lang.annotation.ElementType.PARAMETER;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@BindingAnnotation
+@Target({FIELD, PARAMETER, METHOD})
+@Retention(RUNTIME)
+public @interface ForHttpRemoteS3ConnectionProvider
+{
+}