Fix S3 validation errors not caught by action listener (opensearch-project#1257)

* catch errors and fail action listener

Signed-off-by: Joanne Wang <jowg@amazon.com>

* add test to validate behavior

Signed-off-by: Joanne Wang <jowg@amazon.com>

---------

Signed-off-by: Joanne Wang <jowg@amazon.com>

Author: jowg-amazon

src/main/java/org/opensearch/securityanalytics/services/STIX2IOCFetchService.java

@@ -141,7 +141,14 @@ public void onlyIndexIocs(SATIFSourceConfig saTifSourceConfig,
     }
 
     public void downloadAndIndexIOCs(SATIFSourceConfig saTifSourceConfig, ActionListener<STIX2IOCFetchResponse> listener) {
-        S3ConnectorConfig s3ConnectorConfig = constructS3ConnectorConfig(saTifSourceConfig);
+        S3ConnectorConfig s3ConnectorConfig;
+        try {
+            s3ConnectorConfig = constructS3ConnectorConfig(saTifSourceConfig);
+        } catch (SecurityAnalyticsException e) {
+            listener.onFailure(e);
+            return;
+        }
+
         Connector<STIX2> s3Connector = constructS3Connector(s3ConnectorConfig);
         STIX2IOCFeedStore feedStore = new STIX2IOCFeedStore(client, clusterService, saTifSourceConfig, listener);
         STIX2IOCConsumer consumer = new STIX2IOCConsumer(batchSize, feedStore, UpdateType.REPLACE);

src/test/java/org/opensearch/securityanalytics/resthandler/SATIFSourceConfigRestApiIT.java

@@ -788,6 +788,57 @@ public void testWhenBucketObjectDoesNotExist() {
         }
     }
 
+    public void testWhenRoleArnIsEmpty() throws IOException {
+        // Try to create a source config with empty roleArn
+        source = new S3Source("bucketName", "objectKey", "region", "");
+
+        // Create test feed
+        String feedName = "download_test_feed_name";
+        String feedFormat = "STIX2";
+        SourceConfigType sourceConfigType = SourceConfigType.S3_CUSTOM;
+        IntervalSchedule schedule = new IntervalSchedule(Instant.now(), 1, ChronoUnit.MINUTES);
+        List<String> iocTypes = List.of(IOCType.IPV4_TYPE);
+
+        SATIFSourceConfigDto saTifSourceConfigDto = new SATIFSourceConfigDto(
+                null,
+                null,
+                feedName,
+                feedFormat,
+                sourceConfigType,
+                null,
+                null,
+                Instant.now(),
+                source,
+                null,
+                Instant.now(),
+                schedule,
+                null,
+                null,
+                Instant.now(),
+                null,
+                true,
+                iocTypes,
+                true
+        );
+
+        Exception exception = assertThrows(ResponseException.class, () ->
+                makeRequest(client(), "POST", SecurityAnalyticsPlugin.THREAT_INTEL_SOURCE_URI, Collections.emptyMap(), toHttpEntity(saTifSourceConfigDto))
+        );
+
+        String expectedError = "Role arn is empty or malformed";
+        assertTrue("Exception contains unexpected message: " + exception.getMessage(), exception.getMessage().contains(expectedError));
+
+        // ensure that source config is not created
+        String request = "{\n" +
+                "   \"query\" : {\n" +
+                "     \"match_all\":{\n" +
+                "     }\n" +
+                "   }\n" +
+                "}";
+        List<SearchHit> hits = executeSearch(JOB_INDEX_NAME, request);
+        Assert.assertEquals(0, hits.size());
+    }
+
     /**
      * Calls the get source config api and checks if the last updated time is different from the time that was passed in
      * @param createdId