Fix NPE in STS client usage (#510)

<!-- FLEET-5859 -->
Fixes #509

Adds additional tests.

Author: Claudenw

gradle.properties

@@ -1,4 +1,4 @@
-version=3.5.0-SNAPSHOT
+version=3.4.1-SNAPSHOT
 
 sonatypeUsername=<fill>
 sonatypePassword=<fill>

s3-commons/src/main/java/io/aiven/kafka/connect/config/s3/S3ConfigFragment.java

@@ -23,6 +23,7 @@
 import org.apache.kafka.common.config.AbstractConfig;
 import org.apache.kafka.common.config.ConfigDef;
 import org.apache.kafka.common.config.ConfigException;
+import org.apache.kafka.common.utils.Utils;
 
 import io.aiven.kafka.connect.common.config.ConfigFragment;
 import io.aiven.kafka.connect.common.config.validators.FileCompressionTypeValidator;
@@ -43,6 +44,7 @@
 import org.slf4j.LoggerFactory;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
 
 /**
  * The configuration fragment that defines the S3 specific characteristics.
@@ -94,6 +96,12 @@ public final class S3ConfigFragment extends ConfigFragment {
     public static final String AWS_ACCESS_KEY_ID_CONFIG = "aws.access.key.id";
     public static final String AWS_SECRET_ACCESS_KEY_CONFIG = "aws.secret.access.key";
     public static final String AWS_CREDENTIALS_PROVIDER_CONFIG = "aws.credentials.provider";
+    /**
+     * not used in codebase
+     *
+     * @deprecated to be removed
+     */
+    @Deprecated
     public static final String AWS_CREDENTIAL_PROVIDER_DEFAULT = "com.amazonaws.auth.DefaultAWSCredentialsProviderChain";
     public static final String AWS_S3_BUCKET_NAME_CONFIG = "aws.s3.bucket.name";
     public static final String AWS_S3_SSE_ALGORITHM_CONFIG = "aws.s3.sse.algorithm";
@@ -189,13 +197,10 @@ static void addAwsConfigGroup(final ConfigDef configDef) {
                 ConfigDef.Importance.MEDIUM, "AWS Secret Access Key", GROUP_AWS, awsGroupCounter++,
                 ConfigDef.Width.NONE, AWS_SECRET_ACCESS_KEY_CONFIG);
 
-        configDef.define(AWS_CREDENTIALS_PROVIDER_CONFIG, ConfigDef.Type.CLASS, AWS_CREDENTIAL_PROVIDER_DEFAULT,
-                ConfigDef.Importance.MEDIUM,
-                "When you initialize a new " + "service client without supplying any arguments, "
-                        + "the AWS SDK for Java attempts to find temporary "
-                        + "credentials by using the default credential " + "provider chain implemented by the "
-                        + "DefaultAWSCredentialsProviderChain class.",
-
+        configDef.define(AWS_CREDENTIALS_PROVIDER_CONFIG, ConfigDef.Type.CLASS, null, ConfigDef.Importance.MEDIUM,
+                "When you initialize a new service client without supplying any arguments "
+                        + "the AWS SDK for Java attempts to find temporary credentials by using the default credential "
+                        + "provider chain.",
                 GROUP_AWS, awsGroupCounter++, ConfigDef.Width.NONE, AWS_CREDENTIALS_PROVIDER_CONFIG);
 
         configDef.define(AWS_S3_BUCKET_NAME_CONFIG, ConfigDef.Type.STRING, null, new BucketNameValidator(),
@@ -355,7 +360,7 @@ public void validateCredentials() {
             final AwsBasicCredentials awsCredentialsV2 = getAwsCredentialsV2();
             if (awsCredentials == null && awsCredentialsV2 == null) {
                 LOGGER.info(
-                        "Connector use {} as credential Provider, "
+                        "Connector uses {} as credential Provider, "
                                 + "when configuration for {{}, {}} OR {{}, {}} are absent",
                         AWS_CREDENTIALS_PROVIDER_CONFIG, AWS_ACCESS_KEY_ID_CONFIG, AWS_SECRET_ACCESS_KEY_CONFIG,
                         AWS_STS_ROLE_ARN, AWS_STS_ROLE_SESSION_NAME);
@@ -541,12 +546,26 @@ public int getS3RetryBackoffMaxRetries() {
         return cfg.getInt(AWS_S3_RETRY_BACKOFF_MAX_RETRIES_CONFIG);
     }
 
+    /**
+     * @return a V1 credentials provider
+     * @deprecated use {@link #getAwsCredentialsV2()}
+     */
+    @Deprecated
     public AWSCredentialsProvider getCustomCredentialsProvider() {
-        return cfg.getConfiguredInstance(AWS_CREDENTIALS_PROVIDER_CONFIG, AWSCredentialsProvider.class);
+        final AWSCredentialsProvider result = cfg.getConfiguredInstance(AWS_CREDENTIALS_PROVIDER_CONFIG,
+                AWSCredentialsProvider.class);
+        return result != null ? result : Utils.newInstance(com.amazonaws.auth.DefaultAWSCredentialsProviderChain.class);
     }
 
+    /**
+     * Gets the Aws Credentials provider.
+     *
+     * @return the Aws Credentials provider.
+     */
     public AwsCredentialsProvider getCustomCredentialsProviderV2() {
-        return cfg.getConfiguredInstance(AWS_CREDENTIALS_PROVIDER_CONFIG, AwsCredentialsProvider.class);
+        final AwsCredentialsProvider result = cfg.getConfiguredInstance(AWS_CREDENTIALS_PROVIDER_CONFIG,
+                AwsCredentialsProvider.class);
+        return result != null ? result : DefaultCredentialsProvider.builder().build();
     }
 
     public int getFetchPageSize() {

s3-commons/src/main/java/io/aiven/kafka/connect/iam/AwsCredentialProviderFactory.java

@@ -29,11 +29,19 @@
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.services.sts.StsClient;
 import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
 import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
 
+/**
+ * Creates AwsCredentialProviders.
+ */
 public class AwsCredentialProviderFactory {
 
+    /**
+     * @deprecated use {@link #getAwsV2Provider(S3ConfigFragment)}
+     */
+    @Deprecated
     public AWSCredentialsProvider getProvider(final S3ConfigFragment config) {
         if (config.hasAwsStsRole()) {
             return getStsProvider(config);
@@ -45,6 +53,10 @@ public AWSCredentialsProvider getProvider(final S3ConfigFragment config) {
         return new AWSStaticCredentialsProvider(awsCredentials);
     }
 
+    /**
+     * @deprecated use {@link #getV2StsProvider(S3ConfigFragment)}
+     */
+    @Deprecated
     private AWSCredentialsProvider getStsProvider(final S3ConfigFragment config) {
         final AwsStsRole awsstsRole = config.getStsRole();
         final AWSSecurityTokenService sts = securityTokenService(config);
@@ -55,6 +67,7 @@ private AWSCredentialsProvider getStsProvider(final S3ConfigFragment config) {
                 .build();
     }
 
+    @Deprecated
     private AWSSecurityTokenService securityTokenService(final S3ConfigFragment config) {
         if (config.hasStsEndpointConfig()) {
             final AWSSecurityTokenServiceClientBuilder stsBuilder = AWSSecurityTokenServiceClientBuilder.standard();
@@ -64,6 +77,13 @@ private AWSSecurityTokenService securityTokenService(final S3ConfigFragment conf
         return AWSSecurityTokenServiceClientBuilder.defaultClient();
     }
 
+    /**
+     * Gets an AWS V2 credential provider
+     *
+     * @param config
+     *            the S3Configuration fragment.
+     * @return an AwsCredentialsProvider
+     */
     public AwsCredentialsProvider getAwsV2Provider(final S3ConfigFragment config) {
 
         if (config.hasAwsStsRole()) {
@@ -74,9 +94,15 @@ public AwsCredentialsProvider getAwsV2Provider(final S3ConfigFragment config) {
             return config.getCustomCredentialsProviderV2();
         }
         return StaticCredentialsProvider.create(awsCredentials);
-
     }
 
+    /**
+     * Gets a V2 STS Provider.
+     *
+     * @param config
+     *            the S3Configuration fragment.
+     * @return an StsAssumeRoleCredentialsProvider
+     */
     private StsAssumeRoleCredentialsProvider getV2StsProvider(final S3ConfigFragment config) {
         if (config.hasAwsStsRole()) {
             return StsAssumeRoleCredentialsProvider.builder()
@@ -85,11 +111,10 @@ private StsAssumeRoleCredentialsProvider getV2StsProvider(final S3ConfigFragment
                             // Maker this a unique identifier
                             .roleSessionName("AwsV2SDKConnectorSession")
                             .build())
+                    .stsClient(StsClient.builder().region(config.getAwsS3RegionV2()).build())
                     .build();
         }
-
         return StsAssumeRoleCredentialsProvider.builder().build();
-
     }
 
 }

s3-commons/src/test/java/io/aiven/kafka/connect/iam/AwsCredentialProviderFactoryTest.java

@@ -21,16 +21,23 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import org.apache.kafka.common.Configurable;
+
 import io.aiven.kafka.connect.config.s3.S3ConfigFragment;
 import io.aiven.kafka.connect.tools.AwsCredentialBaseConfig;
 
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSCredentialsProvider;
 import com.amazonaws.auth.AWSStaticCredentialsProvider;
 import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
 import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
 import com.amazonaws.regions.Regions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+/**
+ * Tests the Credential provider factory generation of V1 credentials
+ */
 final class AwsCredentialProviderFactoryTest {
     private AwsCredentialProviderFactory factory;
     private Map<String, String> props;
@@ -77,4 +84,36 @@ void createDefaultCredentialsWhenNoCredentialsSpecified() {
         assertThat(credentialProvider).isInstanceOf(DefaultAWSCredentialsProviderChain.class);
     }
 
+    @Test
+    void customCredentialProviderTest() {
+        props.put(S3ConfigFragment.AWS_CREDENTIALS_PROVIDER_CONFIG, DummyCredentialsProvider.class.getName());
+        final var config = new AwsCredentialBaseConfig(props);
+
+        final var credentialProvider = factory.getProvider(new S3ConfigFragment(config));
+        assertThat(credentialProvider).isInstanceOf(DummyCredentialsProvider.class);
+        assertThat(((DummyCredentialsProvider) credentialProvider).configured).isTrue();
+    }
+
+    /**
+     * A custom V1 credential provider for testing.
+     */
+    public static class DummyCredentialsProvider implements AWSCredentialsProvider, Configurable {
+        boolean configured;
+
+        @Override
+        public AWSCredentials getCredentials() {
+            return null;
+        }
+
+        @Override
+        public void refresh() {
+
+        }
+
+        @Override
+        public void configure(final Map<String, ?> map) {
+            configured = true;
+        }
+    }
+
 }

s3-commons/src/test/java/io/aiven/kafka/connect/iam/AwsCredentialV2ProviderFactoryTest.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2024 Aiven Oy
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.aiven.kafka.connect.iam;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.kafka.common.Configurable;
+
+import io.aiven.kafka.connect.config.s3.S3ConfigFragment;
+import io.aiven.kafka.connect.tools.AwsCredentialBaseConfig;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import software.amazon.awssdk.auth.credentials.AwsCredentials;
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
+
+/**
+ * Tests the Credential provider factory generation of V2 credentials
+ */
+final class AwsCredentialV2ProviderFactoryTest {
+    private AwsCredentialProviderFactory factory;
+    private Map<String, String> props;
+
+    @BeforeEach
+    public void setUp() {
+        factory = new AwsCredentialProviderFactory();
+        props = new HashMap<>();
+        props.put(S3ConfigFragment.AWS_S3_BUCKET_NAME_CONFIG, "any-bucket");
+    }
+
+    @Test
+    void createsStsCredentialProviderIfSpecified() {
+
+        props.put(S3ConfigFragment.AWS_ACCESS_KEY_ID_CONFIG, "blah-blah-blah");
+        props.put(S3ConfigFragment.AWS_SECRET_ACCESS_KEY_CONFIG, "blah-blah-blah");
+        props.put(S3ConfigFragment.AWS_STS_ROLE_ARN, "arn:aws:iam::12345678910:role/S3SinkTask");
+        props.put(S3ConfigFragment.AWS_STS_ROLE_SESSION_NAME, "SESSION_NAME");
+        props.put(S3ConfigFragment.AWS_S3_REGION_CONFIG, Region.US_EAST_1.id());
+        props.put(S3ConfigFragment.AWS_STS_CONFIG_ENDPOINT, "https://sts.us-east-1.amazonaws.com");
+
+        final var config = new AwsCredentialBaseConfig(props);
+
+        final var credentialProvider = factory.getAwsV2Provider(new S3ConfigFragment(config));
+        assertThat(credentialProvider).isInstanceOf(StsAssumeRoleCredentialsProvider.class);
+    }
+
+    @Test
+    void createStaticCredentialProviderByDefault() {
+        props.put(S3ConfigFragment.AWS_ACCESS_KEY_ID_CONFIG, "blah-blah-blah");
+        props.put(S3ConfigFragment.AWS_SECRET_ACCESS_KEY_CONFIG, "blah-blah-blah");
+
+        final var config = new AwsCredentialBaseConfig(props);
+
+        final var credentialProvider = factory.getAwsV2Provider(new S3ConfigFragment(config));
+        assertThat(credentialProvider).isInstanceOf(StaticCredentialsProvider.class);
+    }
+
+    @Test
+    void createDefaultCredentialsWhenNoCredentialsSpecified() {
+        final var config = new AwsCredentialBaseConfig(props);
+
+        final var credentialProvider = factory.getAwsV2Provider(new S3ConfigFragment(config));
+        assertThat(credentialProvider).isInstanceOf(AwsCredentialsProvider.class);
+    }
+
+    @Test
+    void customCredentialProviderTest() {
+        props.put(S3ConfigFragment.AWS_CREDENTIALS_PROVIDER_CONFIG, DummyCredentialsProvider.class.getName());
+        final var config = new AwsCredentialBaseConfig(props);
+
+        final var credentialProvider = factory.getAwsV2Provider(new S3ConfigFragment(config));
+        assertThat(credentialProvider).isInstanceOf(DummyCredentialsProvider.class);
+        assertThat(((DummyCredentialsProvider) credentialProvider).configured).isTrue();
+    }
+
+    /**
+     * A custom V2 credential provider for testing.
+     */
+    public static class DummyCredentialsProvider implements AwsCredentialsProvider, Configurable {
+        boolean configured;
+
+        @Override
+        public void configure(final Map<String, ?> map) {
+            configured = true;
+        }
+
+        @Override
+        public AwsCredentials resolveCredentials() {
+            return null;
+        }
+    }
+
+}

s3-source-connector/src/main/java/io/aiven/kafka/connect/s3/source/config/S3ClientFactory.java

@@ -47,7 +47,7 @@ public S3Client createAmazonS3Client(final S3SourceConfig config) {
                     .credentialsProvider(config.getAwsV2Provider())
                     .build();
         } else {
-            // TODO This is definitely used for testing but not sure if customers use it.
+            // TODO This is definitely used for testing but not sure if customers use it. customers use it!
             return S3Client.builder()
                     .overrideConfiguration(clientOverrideConfiguration)
                     .region(config.getAwsS3Region())