Return token expiry with presigned URLs

pkg/block/s3/client_cache.go

@@ -2,10 +2,13 @@ package s3
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"sync"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/aws/aws-sdk-go/service/s3/s3iface"
@@ -15,8 +18,25 @@ import (
 	"github.com/treeverse/lakefs/pkg/stats"
 )
 
+// ErrDoesntExpire is returned by an Expirer if expiry times cannot be
+// determined.  For instance, if AWS is configured using an access key then
+// Expirer cannot determine expiry.
+var ErrDoesntExpire = errors.New("no access expiry")
+
+type Expirer interface {
+	// ExpiresAt returns an expiry time or an error.  It returns
+	// a ErrDoesntExpire if it cannot determine expiry times -- for
+	// instance, if AWS is configured using an access key.
+	ExpiresAt() (time.Time, error)
+}
+
+type S3APIWithExpirer interface {
+	s3iface.S3API
+	Expirer
+}
+
 type (
-	clientFactory  func(awsSession *session.Session, cfgs ...*aws.Config) s3iface.S3API
+	clientFactory  func(awsSession *session.Session, cfgs ...*aws.Config) S3APIWithExpirer
 	s3RegionGetter func(ctx context.Context, sess *session.Session, bucket string) (string, error)
 )
 
@@ -39,8 +59,32 @@ func getBucketRegionFromSession(ctx context.Context, sess *session.Session, buck
 	return region, nil
 }
 
-func newS3Client(sess *session.Session, cfgs ...*aws.Config) s3iface.S3API {
-	return s3.New(sess, cfgs...)
+type s3Client struct {
+	s3iface.S3API
+	awsSession *session.Session
+}
+
+func newS3Client(sess *session.Session, cfgs ...*aws.Config) S3APIWithExpirer {
+	return &s3Client{
+		S3API:      s3.New(sess, cfgs...),
+		awsSession: sess,
+	}
+}
+
+func (c *s3Client) ExpiresAt() (time.Time, error) {
+	creds := c.awsSession.Config.Credentials
+	if creds == nil {
+		return time.Time{}, ErrDoesntExpire
+	}
+	expiryTime, err := creds.ExpiresAt()
+	if err != nil {
+		if awsErr, ok := err.(awserr.Error); ok {
+			if awsErr.Code() == "ProviderNotExpirer" {
+				err = ErrDoesntExpire
+			}
+		}
+	}
+	return expiryTime, err
 }
 
 func NewClientCache(awsSession *session.Session) *ClientCache {

pkg/block/s3/client_cache_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"testing"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
@@ -13,7 +14,22 @@ import (
 	"github.com/treeverse/lakefs/pkg/testutil"
 )
 
-var errRegion = errors.New("failed to get region")
+var (
+	errRegion      = errors.New("failed to get region")
+	errFakeExpires = errors.New("fake Expirer")
+)
+
+type FakeS3APIWithExpirer struct {
+	s3iface.S3API
+}
+
+func NewFakeS3APIWithExpirer() FakeS3APIWithExpirer {
+	return FakeS3APIWithExpirer(struct{ s3iface.S3API }{})
+}
+
+func (f FakeS3APIWithExpirer) ExpiresAt() (time.Time, error) {
+	return time.Time{}, errFakeExpires
+}
 
 func TestClientCache(t *testing.T) {
 	defaultRegion := "us-west-2"
@@ -57,7 +73,7 @@ func TestClientCache(t *testing.T) {
 			expectedRegionFetch := make(map[string]bool)
 			c := s3.NewClientCache(sess)
 
-			c.SetClientFactory(func(sess *session.Session, cfgs ...*aws.Config) s3iface.S3API {
+			c.SetClientFactory(func(sess *session.Session, cfgs ...*aws.Config) s3.S3APIWithExpirer {
 				region := sess.Config.Region
 				for _, cfg := range cfgs {
 					if cfg.Region != nil {
@@ -68,7 +84,7 @@ func TestClientCache(t *testing.T) {
 					t.Fatalf("client created more than once for a region")
 				}
 				actualClientsCreated[*region] = true
-				return struct{ s3iface.S3API }{}
+				return NewFakeS3APIWithExpirer()
 			})
 			c.SetS3RegionGetter(func(ctx context.Context, sess *session.Session, bucket string) (string, error) {
 				if actualRegionFetch[bucket] {