Merge branch 'aws-es-connect-when-needed' into 'master'

Only try AWS instance profile creds if needed See merge request gitlab-org/gitlab-ee!3798

Merge branch 'aws-es-connect-when-needed' into 'master'
Only try AWS instance profile creds if needed See merge request gitlab-org/gitlab-ee!3798
bd4b5181 · Nick Thomas · 392227ee · c9bf0401 · bd4b5181 · bd4b5181
Commit bd4b5181 authored Dec 15, 2017 by Nick Thomas
3 changed files
--- a/changelogs/unreleased-ee/aws-es-connect-when-needed.yml
+++ b/changelogs/unreleased-ee/aws-es-connect-when-needed.yml
+---
+title: Stop authorization attempts with instance profile when static credentials are
+  provided for AWS Elasticsearch
+merge_request:
+author:
+type: fixed
--- a/lib/gitlab/elastic/client.rb
+++ b/lib/gitlab/elastic/client.rb
@@ -32,13 +32,15 @@ module Gitlab
        # Resolve credentials in order
        # 1.  Static config
        # 2.  ec2 instance profile
-        credentials = [
+        static_credentials = Aws::Credentials.new(config[:aws_access_key], config[:aws_secret_access_key])
-          Aws::Credentials.new(config[:aws_access_key], config[:aws_secret_access_key]),
-          Aws::InstanceProfileCredentials.new
+        return static_credentials if static_credentials&.set?
-        ]
-        credentials.find do |creds|
+        # Instantiating this will perform an API call, so only do so if the
-          creds&.set?
+        # static credentials did not work
-        end
+        instance_credentials = Aws::InstanceProfileCredentials.new
+        instance_credentials if instance_credentials&.set?
      end
    end
  end

--- a/spec/lib/gitlab/elastic/client_spec.rb
+++ b/spec/lib/gitlab/elastic/client_spec.rb
@@ -28,7 +28,7 @@ describe Gitlab::Elastic::Client do
      .to_return(status: 200, body: creds_response, headers: {})
  end
-  describe 'build' do
+  describe '.build' do
    let(:client) { described_class.build(params) }
    context 'without credentials' do
@@ -73,10 +73,10 @@ describe Gitlab::Elastic::Client do
    end
  end
-  describe 'resolve_aws_credentials' do
+  describe '.resolve_aws_credentials' do
    let(:creds) { described_class.resolve_aws_credentials(params) }
-    context 'with AWS IAM static credentials' do
+    context 'when the AWS IAM static credentials are valid' do
      let(:params) do
        {
          url: 'http://example-elastic:9200',
@@ -87,44 +87,44 @@ describe Gitlab::Elastic::Client do
        }
      end
-      it 'returns credentials from static credentials' do
+      it 'returns credentials from static credentials without making an HTTP request' do
-        stub_instance_credentials(creds_fail_response)
        expect(creds.credentials.access_key_id).to eq '0'
        expect(creds.credentials.secret_access_key).to eq '0'
      end
    end
-    context 'with AWS ec2 instance profile' do
+    context 'when the AWS IAM static credentials are invalid' do
-      let(:params) do
+      context 'with AWS ec2 instance profile' do
-        {
+        let(:params) do
-          url: 'http://example-elastic:9200',
+          {
-          aws: true,
+            url: 'http://example-elastic:9200',
-          aws_region: 'us-east-1'
+            aws: true,
-        }
+            aws_region: 'us-east-1'
-      end
+          }
+        end
-      it 'returns credentials from ec2 instance profile' do
+        it 'returns credentials from ec2 instance profile' do
-        stub_instance_credentials(creds_valid_response)
+          stub_instance_credentials(creds_valid_response)
-        expect(creds.credentials.access_key_id).to eq '0'
+          expect(creds.credentials.access_key_id).to eq '0'
-        expect(creds.credentials.secret_access_key).to eq '0'
+          expect(creds.credentials.secret_access_key).to eq '0'
+        end
      end
-    end
-    context 'with AWS no credentials' do
+      context 'with AWS no credentials' do
-      let(:params) do
+        let(:params) do
-        {
+          {
-          url: 'http://example-elastic:9200',
+            url: 'http://example-elastic:9200',
-          aws: true,
+            aws: true,
-          aws_region: 'us-east-1'
+            aws_region: 'us-east-1'
-        }
+          }
-      end
+        end
-      it 'returns nil' do
+        it 'returns nil' do
-        stub_instance_credentials(creds_fail_response)
+          stub_instance_credentials(creds_fail_response)
-        expect(creds).to be_nil
+          expect(creds).to be_nil
+        end
      end
    end
  end