refactor constants and validations to shared location

Fabian Morgan · Fabian Morgan · commit 0e0f4844f448 · 2026-01-21T22:59:56.000-08:00
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/AwsRoleArnValidator.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/AwsRoleArnValidator.java
@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-package org.apache.hadoop.ozone.om.request.s3.security;
+package org.apache.hadoop.ozone.om.helpers;
 
 import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
@@ -125,7 +125,7 @@ private static boolean isAllDigits(String s) {
    */
   private static boolean hasCharNotAllowedInIamRoleArn(String s) {
     for (int i = 0; i < s.length(); i++) {
-      if (!isCharAllowedInIamRoleArn(s.charAt(i))) {
+      if (!isCharAllowedInIamRoleArn(s.codePointAt(i))) {
         return true;
       }
     }
@@ -134,12 +134,11 @@ private static boolean hasCharNotAllowedInIamRoleArn(String s) {
 
   /**
    * Checks if the supplied char is allowed in IAM Role ARN.
+   * Pattern: [\u0009\u000A\u000D\u0020-\u007E\u0085\u00A0-\uD7FF\uE000-\uFFFD\u10000-\u10FFFF]+
    */
-  private static boolean isCharAllowedInIamRoleArn(char c) {
-    return (c >= 'A' && c <= 'Z')
-        || (c >= 'a' && c <= 'z')
-        || (c >= '0' && c <= '9')
-        || c == '+' || c == '=' || c == ',' || c == '.' || c == '@' || c == '_' || c == '-';
+  private static boolean isCharAllowedInIamRoleArn(int c) {
+    return c == 0x09 || c == 0x0A || c == 0x0D || (c >= 0x20 && c <= 0x7E) || c == 0x85 || (c >= 0xA0 && c <= 0xD7FF) ||
+        (c >= 0xE000 && c <= 0xFFFD) || (c >= 0x10000 && c <= 0x10FFFF);
   }
 }
 
diff --git a/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/S3STSUtils.java b/hadoop-ozone/common/src/main/java/org/apache/hadoop/ozone/om/helpers/S3STSUtils.java
@@ -0,0 +1,153 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.om.helpers;
+
+import static org.apache.hadoop.ozone.om.exceptions.OMException.ResultCodes.INVALID_REQUEST;
+
+import net.jcip.annotations.Immutable;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.hadoop.ozone.om.exceptions.OMException;
+
+/**
+ * Utility class containing constants and validation methods shared by STS endpoint and OzoneManager processing.
+ */
+@Immutable
+public final class S3STSUtils {
+  // STS API constants
+  public static final int DEFAULT_DURATION_SECONDS = 3600;    // 1 hour
+  public static final int MAX_DURATION_SECONDS = 43200;       // 12 hours
+  public static final int MIN_DURATION_SECONDS = 900;         // 15 minutes
+
+  public static final int ASSUME_ROLE_SESSION_NAME_MIN_LENGTH = 2;
+  public static final int ASSUME_ROLE_SESSION_NAME_MAX_LENGTH = 64;
+
+  // AWS limit for session policy is 2048 characters
+  public static final int MAX_SESSION_POLICY_LENGTH = 2048;
+  
+  private S3STSUtils() {
+  }
+
+  /**
+   * Validates the duration in seconds.
+   * @param durationSeconds duration in seconds
+   * @return validated duration
+   * @throws OMException if duration is invalid
+   */
+  public static int validateDuration(Integer durationSeconds) throws OMException {
+    if (durationSeconds == null) {
+      return DEFAULT_DURATION_SECONDS;
+    }
+
+    if (durationSeconds < MIN_DURATION_SECONDS || durationSeconds > MAX_DURATION_SECONDS) {
+      throw new OMException(
+          "Invalid Value: DurationSeconds must be between " + MIN_DURATION_SECONDS +
+              " and " + MAX_DURATION_SECONDS + " seconds", INVALID_REQUEST);
+    }
+
+    return durationSeconds;
+  }
+
+  /**
+   * Validates the role session name.
+   * @param roleSessionName role session name
+   * @throws OMException if role session name is invalid
+   */
+  public static void validateRoleSessionName(String roleSessionName) throws OMException {
+    if (StringUtils.isBlank(roleSessionName)) {
+      throw new OMException("Missing required parameter: RoleSessionName", INVALID_REQUEST);
+    }
+
+    final int roleSessionNameLength = roleSessionName.length();
+    if (roleSessionNameLength < ASSUME_ROLE_SESSION_NAME_MIN_LENGTH ||
+        roleSessionNameLength > ASSUME_ROLE_SESSION_NAME_MAX_LENGTH) {
+      throw new OMException("Invalid RoleSessionName: must be " + ASSUME_ROLE_SESSION_NAME_MIN_LENGTH + "-" +
+          ASSUME_ROLE_SESSION_NAME_MAX_LENGTH + " characters long and " +
+          "contain only alphanumeric characters, +, =, ,, ., @, -", INVALID_REQUEST);
+    }
+
+    // AWS allows: alphanumeric, +, =, ,, ., @, -
+    // Pattern: [\w+=,.@-]*
+    // Don't use regex for performance reasons
+    for (int i = 0; i < roleSessionNameLength; i++) {
+      final char c = roleSessionName.charAt(i);
+      if (!isRoleSessionNameChar(c)) {
+        throw new OMException("Invalid RoleSessionName: must be " + ASSUME_ROLE_SESSION_NAME_MIN_LENGTH + "-" +
+            ASSUME_ROLE_SESSION_NAME_MAX_LENGTH + " characters long and " +
+            "contain only alphanumeric characters, +, =, ,, ., @, -", INVALID_REQUEST);
+      }
+    }
+  }
+
+  private static boolean isRoleSessionNameChar(char c) {
+    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') ||
+        c == '_' || c == '+' || c == '=' || c == ',' || c == '.' || c == '@' || c == '-';
+  }
+
+  /**
+   * Validates the session policy length.
+   * @param awsIamSessionPolicy session policy
+   * @throws OMException if policy length is invalid
+   */
+  public static void validateSessionPolicy(String awsIamSessionPolicy) throws OMException {
+    if (awsIamSessionPolicy != null && awsIamSessionPolicy.length() > MAX_SESSION_POLICY_LENGTH) {
+      throw new OMException(
+          "Policy length exceeded maximum allowed length of " + MAX_SESSION_POLICY_LENGTH, INVALID_REQUEST);
+    }
+  }
+
+  /**
+   * Generates the assumed role user ARN.
+   * @param validRoleArn                  valid role ARN
+   * @param roleSessionName               role session name
+   * @return assumed role user ARN
+   * @throws OMException if role ARN is invalid
+   */
+  public static String toAssumedRoleUserArn(String validRoleArn, String roleSessionName) throws OMException {
+    // We already know the roleArn is valid, so perform the conversion for assumed role user arn format
+    // RoleArn format: arn:aws:iam::<account-id>:role/<role-name>
+    // Assumed role user arn format: arn:aws:sts::<account-id>:assumed-role/<role-name>/<role-session-name>
+    final String[] parts = splitRoleArnWithoutRegex(validRoleArn);
+
+    final String partition = parts[1];
+    final String accountId = parts[4];
+    final String resource = parts[5];
+    final String roleName = resource.substring("role/".length());
+
+    final StringBuilder stringBuilder = new StringBuilder("arn:");
+    stringBuilder.append(partition);
+    stringBuilder.append(":sts::");
+    stringBuilder.append(accountId);
+    stringBuilder.append(":assumed-role/");
+    stringBuilder.append(roleName);
+    stringBuilder.append('/');
+    stringBuilder.append(roleSessionName);
+    return stringBuilder.toString();
+  }
+
+  private static String[] splitRoleArnWithoutRegex(String roleArn) {
+    final String[] parts = new String[6];
+    int start = 0;
+    for (int i = 0; i < 5; i++) {
+      final int end = roleArn.indexOf(':', start);
+      parts[i] = roleArn.substring(start, end);
+      start = end + 1;
+    }
+    parts[5] = roleArn.substring(start);
+    return parts;
+  }
+}
diff --git a/hadoop-ozone/common/src/test/java/org/apache/hadoop/ozone/om/helpers/TestAwsRoleArnValidator.java b/hadoop-ozone/common/src/test/java/org/apache/hadoop/ozone/om/helpers/TestAwsRoleArnValidator.java
@@ -15,11 +15,12 @@
  * limitations under the License.
  */
 
-package org.apache.hadoop.ozone.om.request.s3.security;
+package org.apache.hadoop.ozone.om.helpers;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.junit.jupiter.api.Test;
 
@@ -38,12 +39,12 @@ public void testValidateAndExtractRoleNameFromArnSuccessCases() throws OMExcepti
     assertThat(AwsRoleArnValidator.validateAndExtractRoleNameFromArn(ROLE_ARN_2)).isEqualTo("Role2");
 
     // Path name right at 511-char max boundary
-    final String arnPrefixLen511 = S3SecurityTestUtils.repeat('p', 510) + "/"; // 510 chars + '/' = 511
+    final String arnPrefixLen511 = StringUtils.repeat('p', 510) + "/"; // 510 chars + '/' = 511
     final String arnMaxPath = "arn:aws:iam::123456789012:role/" + arnPrefixLen511 + "RoleB";
     assertThat(AwsRoleArnValidator.validateAndExtractRoleNameFromArn(arnMaxPath)).isEqualTo("RoleB");
 
     // Role name right at 64-char max boundary
-    final String roleName64 = S3SecurityTestUtils.repeat('A', 64);
+    final String roleName64 = StringUtils.repeat('A', 64);
     final String arn64 = "arn:aws:iam::123456789012:role/" + roleName64;
     assertThat(AwsRoleArnValidator.validateAndExtractRoleNameFromArn(arn64)).isEqualTo(roleName64);
   }
@@ -105,7 +106,7 @@ public void testValidateAndExtractRoleNameFromArnFailureCases() {
     assertThat(e8.getMessage()).isEqualTo("Role ARN is required");
 
     // Path name too long (> 511 characters)
-    final String arnPrefixLen512 = S3SecurityTestUtils.repeat('q', 511) + "/"; // 511 chars + '/' = 512
+    final String arnPrefixLen512 = StringUtils.repeat('q', 511) + "/"; // 511 chars + '/' = 512
     final String arnTooLongPath = "arn:aws:iam::123456789012:role/" + arnPrefixLen512 + "RoleA";
     final OMException e9 = assertThrows(
         OMException.class, () -> AwsRoleArnValidator.validateAndExtractRoleNameFromArn(arnTooLongPath));
@@ -120,12 +121,11 @@ public void testValidateAndExtractRoleNameFromArnFailureCases() {
     assertThat(e10.getMessage()).isEqualTo("Invalid role ARN: missing role name");  // MyRole/ is considered a path
 
     // 65-char role name
-    final String roleName65 = S3SecurityTestUtils.repeat('B', 65);
+    final String roleName65 = StringUtils.repeat('B', 65);
     final String roleArn65 = "arn:aws:iam::123456789012:role/" + roleName65;
     final OMException e11 = assertThrows(
         OMException.class, () -> AwsRoleArnValidator.validateAndExtractRoleNameFromArn(roleArn65));
     assertThat(e11.getResult()).isEqualTo(OMException.ResultCodes.INVALID_REQUEST);
     assertThat(e11.getMessage()).isEqualTo("Invalid role name: " + roleName65);
   }
 }
-
diff --git a/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3AssumeRoleRequest.java b/hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3AssumeRoleRequest.java
@@ -33,6 +33,8 @@
 import org.apache.hadoop.ozone.om.OzoneManager;
 import org.apache.hadoop.ozone.om.exceptions.OMException;
 import org.apache.hadoop.ozone.om.execution.flowcontrol.ExecutionContext;
+import org.apache.hadoop.ozone.om.helpers.AwsRoleArnValidator;
+import org.apache.hadoop.ozone.om.helpers.S3STSUtils;
 import org.apache.hadoop.ozone.om.request.OMClientRequest;
 import org.apache.hadoop.ozone.om.request.util.OmResponseUtil;
 import org.apache.hadoop.ozone.om.response.OMClientResponse;
@@ -62,14 +64,10 @@ public class S3AssumeRoleRequest extends OMClientRequest {
     SECURE_RANDOM = secureRandom;
   }
 
-  private static final int MIN_TOKEN_EXPIRATION_SECONDS = 900;    // 15 minutes in seconds
-  private static final int MAX_TOKEN_EXPIRATION_SECONDS = 43200;  // 12 hours in seconds
   private static final int STS_ACCESS_KEY_ID_LENGTH = 20;
   private static final int STS_SECRET_ACCESS_KEY_LENGTH = 40;
   private static final int STS_ROLE_ID_LENGTH = 16;
   private static final String ASSUME_ROLE_ID_PREFIX = "AROA";
-  private static final int ASSUME_ROLE_SESSION_NAME_MIN_LENGTH = 2;
-  private static final int ASSUME_ROLE_SESSION_NAME_MAX_LENGTH = 64;
   private static final String CHARS_FOR_ACCESS_KEY_IDS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ";
   private static final int CHARS_FOR_ACCESS_KEY_IDS_LENGTH = CHARS_FOR_ACCESS_KEY_IDS.length();
   private static final String CHARS_FOR_SECRET_ACCESS_KEYS = CHARS_FOR_ACCESS_KEY_IDS +
@@ -91,19 +89,20 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut
     final int durationSeconds = assumeRoleRequest.getDurationSeconds();
 
     // Validate duration
-    if (durationSeconds < MIN_TOKEN_EXPIRATION_SECONDS || durationSeconds > MAX_TOKEN_EXPIRATION_SECONDS) {
-      final OMException omException = new OMException(
-          "Duration must be between " + MIN_TOKEN_EXPIRATION_SECONDS + " and " + MAX_TOKEN_EXPIRATION_SECONDS,
-          OMException.ResultCodes.INVALID_REQUEST);
+    try {
+      S3STSUtils.validateDuration(durationSeconds);
+    } catch (OMException e) {
       return new S3AssumeRoleResponse(
-          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
+          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), e));
     }
 
     // Validate role session name
     final String roleSessionName = assumeRoleRequest.getRoleSessionName();
-    final S3AssumeRoleResponse roleSessionNameErrorResponse = validateRoleSessionName(roleSessionName, omRequest);
-    if (roleSessionNameErrorResponse != null) {
-      return roleSessionNameErrorResponse;
+    try {
+      S3STSUtils.validateRoleSessionName(roleSessionName);
+    } catch (OMException e) {
+      return new S3AssumeRoleResponse(
+          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), e));
     }
 
     final String roleArn = assumeRoleRequest.getRoleArn();
@@ -155,27 +154,6 @@ public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, Execut
     }
   }
 
-  /**
-   * Ensures RoleSessionName is valid.
-   */
-  private S3AssumeRoleResponse validateRoleSessionName(String roleSessionName, OMRequest omRequest) {
-    if (StringUtils.isBlank(roleSessionName)) {
-      final OMException omException = new OMException(
-          "RoleSessionName is required", OMException.ResultCodes.INVALID_REQUEST);
-      return new S3AssumeRoleResponse(
-          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
-    }
-    if (roleSessionName.length() < ASSUME_ROLE_SESSION_NAME_MIN_LENGTH ||
-        roleSessionName.length() > ASSUME_ROLE_SESSION_NAME_MAX_LENGTH) {
-      final OMException omException = new OMException(
-          "RoleSessionName length must be between " + ASSUME_ROLE_SESSION_NAME_MIN_LENGTH + " and " +
-          ASSUME_ROLE_SESSION_NAME_MAX_LENGTH, OMException.ResultCodes.INVALID_REQUEST);
-      return new S3AssumeRoleResponse(
-          createErrorOMResponse(OmResponseUtil.getOMResponseBuilder(omRequest), omException));
-    }
-    return null;
-  }
-
   /**
    * Generates session token using components from the AssumeRoleRequest.
    */
diff --git a/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3AssumeRoleRequest.java b/hadoop-ozone/ozone-manager/src/test/java/org/apache/hadoop/ozone/om/request/s3/security/TestS3AssumeRoleRequest.java
@@ -142,7 +142,8 @@ public void testInvalidDurationTooShort() {
     final OMResponse omResponse = response.getOMResponse();
 
     assertThat(omResponse.getStatus()).isEqualTo(Status.INVALID_REQUEST);
-    assertThat(omResponse.getMessage()).isEqualTo("Duration must be between 900 and 43200");
+    assertThat(omResponse.getMessage()).isEqualTo(
+        "Invalid Value: DurationSeconds must be between 900 and 43200 seconds");
     assertThat(omResponse.hasAssumeRoleResponse()).isFalse();
   }
 
@@ -161,7 +162,8 @@ public void testInvalidDurationTooLong() {
     final OMResponse omResponse = response.getOMResponse();
 
     assertThat(omResponse.getStatus()).isEqualTo(Status.INVALID_REQUEST);
-    assertThat(omResponse.getMessage()).isEqualTo("Duration must be between 900 and 43200");
+    assertThat(omResponse.getMessage()).isEqualTo(
+        "Invalid Value: DurationSeconds must be between 900 and 43200 seconds");
     assertThat(omResponse.hasAssumeRoleResponse()).isFalse();
   }
 
@@ -326,7 +328,7 @@ public void testAssumeRoleWithEmptySessionName() {
     final OMClientResponse response = new S3AssumeRoleRequest(omRequest, CLOCK)
         .validateAndUpdateCache(ozoneManager, context);
     assertThat(response.getOMResponse().getStatus()).isEqualTo(Status.INVALID_REQUEST);
-    assertThat(response.getOMResponse().getMessage()).isEqualTo("RoleSessionName is required");
+    assertThat(response.getOMResponse().getMessage()).isEqualTo("Missing required parameter: RoleSessionName");
   }
 
   @Test
@@ -343,7 +345,9 @@ public void testInvalidAssumeRoleSessionNameTooShort() {
     final OMResponse omResponse = response.getOMResponse();
 
     assertThat(omResponse.getStatus()).isEqualTo(Status.INVALID_REQUEST);
-    assertThat(omResponse.getMessage()).isEqualTo("RoleSessionName length must be between 2 and 64");
+    assertThat(omResponse.getMessage()).isEqualTo(
+        "Invalid RoleSessionName: must be 2-64 characters long and contain only alphanumeric " +
+        "characters, +, =, ,, ., @, -");
     assertThat(omResponse.hasAssumeRoleResponse()).isFalse();
   }
 
@@ -362,7 +366,10 @@ public void testInvalidRoleSessionNameTooLong() {
     final OMResponse omResponse = response.getOMResponse();
 
     assertThat(omResponse.getStatus()).isEqualTo(Status.INVALID_REQUEST);
-    assertThat(omResponse.getMessage()).isEqualTo("RoleSessionName length must be between 2 and 64");
+    assertThat(omResponse.getMessage()).isEqualTo(
+        "Invalid RoleSessionName: must be 2-64 characters long and contain only alphanumeric " +
+        "characters, +, =, ,, ., @, -"
+    );
     assertThat(omResponse.hasAssumeRoleResponse()).isFalse();
   }
 
diff --git a/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3sts/S3STSEndpoint.java b/hadoop-ozone/s3gateway/src/main/java/org/apache/hadoop/ozone/s3sts/S3STSEndpoint.java
diff --git a/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3sts/TestS3STSEndpoint.java b/hadoop-ozone/s3gateway/src/test/java/org/apache/hadoop/ozone/s3sts/TestS3STSEndpoint.java
