destination-s3: add a test for listObjects permission on destination bucket #10856
Conversation
...ctors/destination-s3/src/main/java/io/airbyte/integrations/destination/s3/S3Destination.java
Outdated
Show resolved
Hide resolved
grishick
force-pushed
the
greg/check-listObjects-10665
branch
from
cf608b3
to
2d04a71
Compare
| assertEquals(Status.FAILED, status.getStatus(), "Connection check should have failed"); | ||
| assertTrue(status.getMessage().indexOf("Access Denied") > 0, "Connection check returned wrong failure message"); | ||
|
|
||
| // Test that check succeeds when IAM user has listObjects permission |
There was a problem hiding this comment.
ideally each unit test verifies a single well defined scenario, so we should split these into two unit tests
| @@ -20,19 +34,66 @@ | |||
| public class S3DestinationTest { | |||
|
|
|||
| private AmazonS3 s3; | |||
| private AmazonS3 s3NoAccess; | |||
There was a problem hiding this comment.
we can probably keep using a single s3 client, and instead add doThrow(..).when(s3) block in the test itself. This makes it clearer what mocks the test itself is setting up and keeps the global namespace light
| @@ -127,6 +141,10 @@ public S3FormatConfig getFormatConfig() { | |||
| } | |||
|
|
|||
| public AmazonS3 getS3Client() { | |||
| if(this.s3Client !=null) { | |||
There was a problem hiding this comment.
formatting: space between = and null
this should happen automatically if you run ./gradlew format . Also it should happen automatically in intellij if you follow these instructions https://docs.airbyte.com/contributing-to-airbyte/code-style
grishick
force-pushed
the
greg/check-listObjects-10665
branch
from
2d04a71
to
77a7101
Compare
|
/test connector=connectors/destination-s3
|
github-actions
bot
added
the
area/documentation
grishick
force-pushed
the
greg/check-listObjects-10665
branch
from
a2a76a9
to
e5a0bc6
Compare
* Bump version to 0.2.10 in Dockerfile * Bump version to 0.2.10 in changelog
|
/publish connector=connectors/destination-s3
|
|
/publish connector=connectors/destination-s3
|
grishick
force-pushed
the
greg/check-listObjects-10665
branch
from
e5a0bc6
to
94af7d5
Compare
* Bump version to 0.2.10 in Dockerfile * Bump version to 0.2.10 in changelog
|
/publish connector=connectors/destination-s3
|
grishick
force-pushed
the
greg/check-listObjects-10665
branch
from
94af7d5
to
444ef03
Compare
* add testIAMUserHasListObjectPermission method to S3Destination and call this method from S3Destination::check. Method throws an exception if IAM user does not have listObjects permission on the destination bucket * add a unit test to S3DestinationTest to verify that S3Destination::check fails if listObjects throws an exception * add a unit test to S3DestinationTest to verify that S3Destination::check succeeds if listObjects succeeds * Add S3DestinationConfigFactory in order to be able to mock S3 client used in S3Destination::check
- separate positive and negative unit tests - fix formatting - reuse s3 client for both positive and negative tests
* Bump version to 0.2.10 in Dockerfile * Bump version to 0.2.10 in changelog
grishick
force-pushed
the
greg/check-listObjects-10665
branch
from
444ef03
to
5444bd2
Compare
|
/publish connector=connectors/destination-s3
|
…bucket (#10856) * Add a test for listObjects permission to destination-s3 connector * add testIAMUserHasListObjectPermission method to S3Destination and call this method from S3Destination::check. Method throws an exception if IAM user does not have listObjects permission on the destination bucket * add a unit test to S3DestinationTest to verify that S3Destination::check fails if listObjects throws an exception * add a unit test to S3DestinationTest to verify that S3Destination::check succeeds if listObjects succeeds * Add S3DestinationConfigFactory in order to be able to mock S3 client used in S3Destination::check * Addressing review comments: - separate positive and negative unit tests - fix formatting - reuse s3 client for both positive and negative tests * Add information about PR #10856 to the changelog * Prepare for publishing new version: * Bump version to 0.2.10 in Dockerfile * Bump version to 0.2.10 in changelog * Update destination-s3 version in connector index * Update seed spec for destination-s3 connector
What
The S3 destination connector occasionally needs s3:listObjects permissions on an S3 bucket. The connector currently does not actually verify that the input IAM user has listObjects permissions on the bucket which prevents running a RESET_SCHEMA job in Airbyte. This means that a user could setup the connector only to have it fail later due to this missing permissions.
How
add testIAMUserHasListObjectPermission method to S3Destination
and call this method from S3Destination::check. Method throws
an exception if IAM user does not have listObjects permission
on the destination bucket
add a unit test to S3DestinationTest to verify that S3Destination::check
fails if listObjects throws an exception
add a unit test to S3DestinationTest to verify that S3Destination::check
succeeds if listObjects succeeds
Add S3DestinationConfigFactory in order to be able to mock S3 client
used in S3Destination::check
🚨 User Impact 🚨
Before this change, when a user sets up an S3 destination with IAM credentials that do not have listObjects permission on the destination bucket, connection check succeeds. After this change, connection check fails if listObjects permissions are missing.
Pre-merge Checklist
Expand the relevant checklist and delete the others.
Community member or Airbyter
airbyte_secret./gradlew :airbyte-integrations:connectors:<name>:integrationTest.README.mdbootstrap.md. See description and examplesdocs/integrations/<source or destination>/<name>.mdincluding changelog. See changelog exampleAirbyter
If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.
/test connector=connectors/<name>command is passing/publishcommand described hereTests
Unit