Add simple test for signature headers

Author: original-brownbear

plugins/repository-s3/src/main/java/org/elasticsearch/repositories/s3/S3RepositoryPlugin.java

@@ -105,7 +105,9 @@ public List<Setting<?>> getSettings() {
             S3ClientSettings.READ_TIMEOUT_SETTING,
             S3ClientSettings.MAX_RETRIES_SETTING,
             S3ClientSettings.USE_THROTTLE_RETRIES_SETTING,
-            S3ClientSettings.USE_PATH_STYLE_ACCESS);
+            S3ClientSettings.USE_PATH_STYLE_ACCESS,
+            S3ClientSettings.SIGNER_OVERRIDE,
+            S3ClientSettings.REGION);
     }
 
     @Override

plugins/repository-s3/src/test/java/org/elasticsearch/repositories/s3/S3BlobStoreRepositoryTests.java

@@ -46,6 +46,7 @@
 import org.elasticsearch.snapshots.SnapshotId;
 import org.elasticsearch.snapshots.SnapshotsService;
 import org.elasticsearch.snapshots.mockstore.BlobStoreWrapper;
+import org.elasticsearch.test.ESIntegTestCase;
 import org.elasticsearch.threadpool.ThreadPool;
 
 import java.io.IOException;
@@ -56,14 +57,34 @@
 import java.util.List;
 import java.util.Map;
 
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.greaterThan;
 import static org.hamcrest.Matchers.lessThan;
+import static org.hamcrest.Matchers.startsWith;
 
 @SuppressForbidden(reason = "this test uses a HttpServer to emulate an S3 endpoint")
+// Need to set up a new cluster for each test because cluster settings use randomized authentication settings
+@ESIntegTestCase.ClusterScope(scope = ESIntegTestCase.Scope.TEST)
 public class S3BlobStoreRepositoryTests extends ESMockAPIBasedRepositoryIntegTestCase {
 
     private static final TimeValue TEST_COOLDOWN_PERIOD = TimeValue.timeValueSeconds(5L);
 
+    private String region;
+    private String signerOverride;
+
+    @Override
+    public void setUp() throws Exception {
+        if (randomBoolean()) {
+            region = "test-region";
+        }
+        if (region != null && randomBoolean()) {
+            signerOverride = randomFrom("AWS3SignerType", "AWS4SignerType");
+        } else if (randomBoolean()) {
+            signerOverride = "AWS3SignerType";
+        }
+        super.setUp();
+    }
+
     @Override
     protected String repositoryType() {
         return S3Repository.TYPE;
@@ -99,16 +120,23 @@ protected Settings nodeSettings(int nodeOrdinal) {
         secureSettings.setString(S3ClientSettings.ACCESS_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "access");
         secureSettings.setString(S3ClientSettings.SECRET_KEY_SETTING.getConcreteSettingForNamespace("test").getKey(), "secret");
 
-        return Settings.builder()
+        final Settings.Builder builder = Settings.builder()
             .put(ThreadPool.ESTIMATED_TIME_INTERVAL_SETTING.getKey(), 0) // We have tests that verify an exact wait time
             .put(S3ClientSettings.ENDPOINT_SETTING.getConcreteSettingForNamespace("test").getKey(), httpServerUrl())
             // Disable chunked encoding as it simplifies a lot the request parsing on the httpServer side
             .put(S3ClientSettings.DISABLE_CHUNKED_ENCODING.getConcreteSettingForNamespace("test").getKey(), true)
             // Disable request throttling because some random values in tests might generate too many failures for the S3 client
             .put(S3ClientSettings.USE_THROTTLE_RETRIES_SETTING.getConcreteSettingForNamespace("test").getKey(), false)
             .put(super.nodeSettings(nodeOrdinal))
-            .setSecureSettings(secureSettings)
-            .build();
+            .setSecureSettings(secureSettings);
+
+        if (signerOverride != null) {
+            builder.put(S3ClientSettings.SIGNER_OVERRIDE.getConcreteSettingForNamespace("test").getKey(), signerOverride);
+        }
+        if (region != null) {
+            builder.put(S3ClientSettings.REGION.getConcreteSettingForNamespace("test").getKey(), region);
+        }
+        return builder.build();
     }
 
     public void testEnforcedCooldownPeriod() throws IOException {
@@ -190,11 +218,31 @@ void ensureMultiPartUploadSize(long blobSize) {
     }
 
     @SuppressForbidden(reason = "this test uses a HttpHandler to emulate an S3 endpoint")
-    private static class S3BlobStoreHttpHandler extends S3HttpHandler implements BlobStoreHttpHandler {
+    private class S3BlobStoreHttpHandler extends S3HttpHandler implements BlobStoreHttpHandler {
 
         S3BlobStoreHttpHandler(final String bucket) {
             super(bucket);
         }
+
+        @Override
+        public void handle(final HttpExchange exchange) throws IOException {
+            validateAuthHeader(exchange);
+            super.handle(exchange);
+        }
+
+        private void validateAuthHeader(HttpExchange exchange) {
+            final String authorizationHeaderV4 = exchange.getRequestHeaders().getFirst("Authorization");
+            final String authorizationHeaderV3 = exchange.getRequestHeaders().getFirst("X-amzn-authorization");
+
+            if ("AWS3SignerType".equals(signerOverride)) {
+                assertThat(authorizationHeaderV3, startsWith("AWS3"));
+            } else if ("AWS4SignerType".equals(signerOverride)) {
+                assertThat(authorizationHeaderV4, containsString("aws4_request"));
+            }
+            if (region != null && authorizationHeaderV4 != null) {
+                assertThat(authorizationHeaderV4, containsString("/" + region + "/s3/"));
+            }
+        }
     }
 
     /**