author | orivej <orivej@yandex-team.ru> | 2022-02-10 16:44:49 +0300 |
---|---|---|
committer | Daniil Cherednik <dcherednik@yandex-team.ru> | 2022-02-10 16:44:49 +0300 |
commit | 718c552901d703c502ccbefdfc3c9028d608b947 (patch) | |
tree | 46534a98bbefcd7b1f3faa5b52c138ab27db75b7 /contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth | |
parent | e9656aae26e0358d5378e5b63dcac5c8dbe0e4d0 (diff) | |
Restoring authorship annotation for <orivej@yandex-team.ru>. Commit 1 of 2.
Diffstat (limited to 'contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth')
5 files changed, 354 insertions, 354 deletions
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp index de4826fa5b..410c446958 100644 --- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp +++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp @@ -1,7 +1,7 @@ -/** - * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0. - */ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ #include <aws/core/auth/AWSAuthSigner.h> @@ -94,7 +94,7 @@ static Aws::String CanonicalizeRequestSigningString(HttpRequest& request, bool u signingStringStream << NEWLINE << uriCpy.GetPath() << NEWLINE; } - if (request.GetQueryString().find('=') != std::string::npos) + if (request.GetQueryString().find('=') != std::string::npos) { signingStringStream << request.GetQueryString().substr(1) << NEWLINE; } @@ -138,7 +138,7 @@ static Http::HeaderValueCollection CanonicalizeHeaders(Http::HeaderValueCollecti ); headerValue.erase(new_end, headerValue.end()); - canonicalHeaders[trimmedHeaderName] = headerValue; + canonicalHeaders[trimmedHeaderName] = headerValue; } return canonicalHeaders; 
@@ -157,12 +157,12 @@ AWSAuthV4Signer::AWSAuthV4Signer(const std::shared_ptr<Auth::AWSCredentialsProvi m_urlEscapePath(urlEscapePath) { //go ahead and warm up the signing cache. - ComputeHash(credentialsProvider->GetAWSCredentials().GetAWSSecretKey(), DateTime::CalculateGmtTimestampAsString(SIMPLE_DATE_FORMAT_STR), region, m_serviceName); + ComputeHash(credentialsProvider->GetAWSCredentials().GetAWSSecretKey(), DateTime::CalculateGmtTimestampAsString(SIMPLE_DATE_FORMAT_STR), region, m_serviceName); } AWSAuthV4Signer::~AWSAuthV4Signer() { - // empty destructor in .cpp file to keep from needing the implementation of (AWSCredentialsProvider, Sha256, Sha256HMAC) in the header file + // empty destructor in .cpp file to keep from needing the implementation of (AWSCredentialsProvider, Sha256, Sha256HMAC) in the header file } @@ -171,7 +171,7 @@ bool AWSAuthV4Signer::ShouldSignHeader(const Aws::String& header) const return m_unsignedHeaders.find(Aws::Utils::StringUtils::ToLower(header.c_str())) == m_unsignedHeaders.cend(); } -bool AWSAuthV4Signer::SignRequest(Aws::Http::HttpRequest& request, const char* region, const char* serviceName, bool signBody) const +bool AWSAuthV4Signer::SignRequest(Aws::Http::HttpRequest& request, const char* region, const char* serviceName, bool signBody) const { AWSCredentials credentials = m_credentialsProvider->GetAWSCredentials(); @@ -222,7 +222,7 @@ bool AWSAuthV4Signer::SignRequest(Aws::Http::HttpRequest& request, const char* r //calculate date header to use in internal signature (this also goes into date header). DateTime now = GetSigningTimestamp(); - Aws::String dateHeaderValue = now.ToGmtString(DateFormat::ISO_8601_BASIC); + Aws::String dateHeaderValue = now.ToGmtString(DateFormat::ISO_8601_BASIC); request.SetHeaderValue(AWS_DATE_HEADER, dateHeaderValue); Aws::StringStream headersStream; 
@@ -272,24 +272,24 @@ bool AWSAuthV4Signer::SignRequest(Aws::Http::HttpRequest& request, const char* r } auto sha256Digest = hashResult.GetResult(); - Aws::String canonicalRequestHash = HashingUtils::HexEncode(sha256Digest); + Aws::String canonicalRequestHash = HashingUtils::HexEncode(sha256Digest); Aws::String simpleDate = now.ToGmtString(SIMPLE_DATE_FORMAT_STR); - Aws::String signingRegion = region ? region : m_region; - Aws::String signingServiceName = serviceName ? serviceName : m_serviceName; - Aws::String stringToSign = GenerateStringToSign(dateHeaderValue, simpleDate, canonicalRequestHash, signingRegion, signingServiceName); - auto finalSignature = GenerateSignature(credentials, stringToSign, simpleDate, signingRegion, signingServiceName); + Aws::String signingRegion = region ? region : m_region; + Aws::String signingServiceName = serviceName ? serviceName : m_serviceName; + Aws::String stringToSign = GenerateStringToSign(dateHeaderValue, simpleDate, canonicalRequestHash, signingRegion, signingServiceName); + auto finalSignature = GenerateSignature(credentials, stringToSign, simpleDate, signingRegion, signingServiceName); Aws::StringStream ss; ss << AWS_HMAC_SHA256 << " " << CREDENTIAL << EQ << credentials.GetAWSAccessKeyId() << "/" << simpleDate - << "/" << signingRegion << "/" << signingServiceName << "/" << AWS4_REQUEST << ", " << SIGNED_HEADERS << EQ + << "/" << signingRegion << "/" << signingServiceName << "/" << AWS4_REQUEST << ", " << SIGNED_HEADERS << EQ << signedHeadersValue << ", " << SIGNATURE << EQ << finalSignature; auto awsAuthString = ss.str(); AWS_LOGSTREAM_DEBUG(v4LogTag, "Signing request with: " << awsAuthString); request.SetAwsAuthorization(awsAuthString); request.SetSigningAccessKey(credentials.GetAWSAccessKeyId()); - request.SetSigningRegion(signingRegion); + request.SetSigningRegion(signingRegion); return true; } 
@@ -324,7 +324,7 @@ bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, const char //calculate date header to use in internal signature (this also goes into date header). DateTime now = GetSigningTimestamp(); - Aws::String dateQueryValue = now.ToGmtString(DateFormat::ISO_8601_BASIC); + Aws::String dateQueryValue = now.ToGmtString(DateFormat::ISO_8601_BASIC); request.AddQueryStringParameter(Http::AWS_DATE_HEADER, dateQueryValue); Aws::StringStream headersStream; @@ -353,18 +353,18 @@ bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, const char AWS_LOGSTREAM_DEBUG(v4LogTag, "Signed Headers value: " << signedHeadersValue); Aws::StringStream ss; - Aws::String signingRegion = region ? region : m_region; - Aws::String signingServiceName = serviceName ? serviceName : m_serviceName; + Aws::String signingRegion = region ? region : m_region; + Aws::String signingServiceName = serviceName ? serviceName : m_serviceName; Aws::String simpleDate = now.ToGmtString(SIMPLE_DATE_FORMAT_STR); ss << credentials.GetAWSAccessKeyId() << "/" << simpleDate - << "/" << signingRegion << "/" << signingServiceName << "/" << AWS4_REQUEST; + << "/" << signingRegion << "/" << signingServiceName << "/" << AWS4_REQUEST; request.AddQueryStringParameter(X_AMZ_ALGORITHM, AWS_HMAC_SHA256); request.AddQueryStringParameter(X_AMZ_CREDENTIAL, ss.str()); ss.str(""); request.SetSigningAccessKey(credentials.GetAWSAccessKeyId()); - request.SetSigningRegion(signingRegion); + request.SetSigningRegion(signingRegion); //generate generalized canonicalized request string. Aws::String canonicalRequestString = CanonicalizeRequestSigningString(request, m_urlEscapePath); 
@@ -374,7 +374,7 @@ bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, const char canonicalRequestString.append(NEWLINE); canonicalRequestString.append(signedHeadersValue); canonicalRequestString.append(NEWLINE); - if (ServiceRequireUnsignedPayload(signingServiceName)) + if (ServiceRequireUnsignedPayload(signingServiceName)) { canonicalRequestString.append(UNSIGNED_PAYLOAD); } @@ -394,16 +394,16 @@ bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, const char } auto sha256Digest = hashResult.GetResult(); - auto canonicalRequestHash = HashingUtils::HexEncode(sha256Digest); + auto canonicalRequestHash = HashingUtils::HexEncode(sha256Digest); - auto stringToSign = GenerateStringToSign(dateQueryValue, simpleDate, canonicalRequestHash, signingRegion, signingServiceName); - auto finalSigningHash = GenerateSignature(credentials, stringToSign, simpleDate, signingRegion, signingServiceName); + auto stringToSign = GenerateStringToSign(dateQueryValue, simpleDate, canonicalRequestHash, signingRegion, signingServiceName); + auto finalSigningHash = GenerateSignature(credentials, stringToSign, simpleDate, signingRegion, signingServiceName); if (finalSigningHash.empty()) { return false; } - //add that the signature to the query string + //add that the signature to the query string request.AddQueryStringParameter(X_AMZ_SIGNATURE, finalSigningHash); return true; @@ -544,7 +544,7 @@ AWSAuthEventStreamV4Signer::AWSAuthEventStreamV4Signer(const std::shared_ptr<Aut m_unsignedHeaders.emplace_back(USER_AGENT_HEADER); } -bool AWSAuthEventStreamV4Signer::SignRequest(Aws::Http::HttpRequest& request, const char* region, const char* serviceName, bool /* signBody */) const +bool AWSAuthEventStreamV4Signer::SignRequest(Aws::Http::HttpRequest& request, const char* region, const char* serviceName, bool /* signBody */) const { AWSCredentials credentials = m_credentialsProvider->GetAWSCredentials(); 
@@ -563,7 +563,7 @@ bool AWSAuthEventStreamV4Signer::SignRequest(Aws::Http::HttpRequest& request, co //calculate date header to use in internal signature (this also goes into date header). DateTime now = GetSigningTimestamp(); - Aws::String dateHeaderValue = now.ToGmtString(DateFormat::ISO_8601_BASIC); + Aws::String dateHeaderValue = now.ToGmtString(DateFormat::ISO_8601_BASIC); request.SetHeaderValue(AWS_DATE_HEADER, dateHeaderValue); Aws::StringStream headersStream; 
@@ -613,24 +613,24 @@ bool AWSAuthEventStreamV4Signer::SignRequest(Aws::Http::HttpRequest& request, co } auto sha256Digest = hashResult.GetResult(); - Aws::String canonicalRequestHash = HashingUtils::HexEncode(sha256Digest); + Aws::String canonicalRequestHash = HashingUtils::HexEncode(sha256Digest); Aws::String simpleDate = now.ToGmtString(SIMPLE_DATE_FORMAT_STR); - Aws::String signingRegion = region ? region : m_region; - Aws::String signingServiceName = serviceName ? serviceName : m_serviceName; - Aws::String stringToSign = GenerateStringToSign(dateHeaderValue, simpleDate, canonicalRequestHash, signingRegion, signingServiceName); - auto finalSignature = GenerateSignature(credentials, stringToSign, simpleDate, signingRegion, signingServiceName); + Aws::String signingRegion = region ? region : m_region; + Aws::String signingServiceName = serviceName ? serviceName : m_serviceName; + Aws::String stringToSign = GenerateStringToSign(dateHeaderValue, simpleDate, canonicalRequestHash, signingRegion, signingServiceName); + auto finalSignature = GenerateSignature(credentials, stringToSign, simpleDate, signingRegion, signingServiceName); Aws::StringStream ss; ss << AWS_HMAC_SHA256 << " " << CREDENTIAL << EQ << credentials.GetAWSAccessKeyId() << "/" << simpleDate - << "/" << signingRegion << "/" << signingServiceName << "/" << AWS4_REQUEST << ", " << SIGNED_HEADERS << EQ + << "/" << signingRegion << "/" << signingServiceName << "/" << AWS4_REQUEST << ", " << SIGNED_HEADERS << EQ << signedHeadersValue << ", " << SIGNATURE << EQ << HashingUtils::HexEncode(finalSignature); auto awsAuthString = ss.str(); AWS_LOGSTREAM_DEBUG(v4StreamingLogTag, "Signing request with: " << awsAuthString); request.SetAwsAuthorization(awsAuthString); request.SetSigningAccessKey(credentials.GetAWSAccessKeyId()); - request.SetSigningRegion(signingRegion); + request.SetSigningRegion(signingRegion); return true; } 
@@ -653,7 +653,7 @@ bool AWSAuthEventStreamV4Signer::SignEventMessage(Event::Message& message, Aws:: stringToSign << EVENT_STREAM_PAYLOAD << NEWLINE; const DateTime now = GetSigningTimestamp(); const auto simpleDate = now.ToGmtString(SIMPLE_DATE_FORMAT_STR); - stringToSign << now.ToGmtString(DateFormat::ISO_8601_BASIC) << NEWLINE + stringToSign << now.ToGmtString(DateFormat::ISO_8601_BASIC) << NEWLINE << simpleDate << "/" << m_region << "/" << m_serviceName << "/aws4_request" << NEWLINE << priorSignature << NEWLINE; @@ -698,7 +698,7 @@ bool AWSAuthEventStreamV4Signer::SignEventMessage(Event::Message& message, Aws:: AWS_LOGSTREAM_DEBUG(v4StreamingLogTag, "Payload hash - " << HashingUtils::HexEncode(payloadHash)); } - Utils::ByteBuffer finalSignatureDigest = GenerateSignature(m_credentialsProvider->GetAWSCredentials(), stringToSign.str(), simpleDate, m_region, m_serviceName); + Utils::ByteBuffer finalSignatureDigest = GenerateSignature(m_credentialsProvider->GetAWSCredentials(), stringToSign.str(), simpleDate, m_region, m_serviceName); const auto finalSignature = HashingUtils::HexEncode(finalSignatureDigest); AWS_LOGSTREAM_DEBUG(v4StreamingLogTag, "Final computed signing hash: " << finalSignature); priorSignature = finalSignature; @@ -716,7 +716,7 @@ bool AWSAuthEventStreamV4Signer::ShouldSignHeader(const Aws::String& header) con } Utils::ByteBuffer AWSAuthEventStreamV4Signer::GenerateSignature(const AWSCredentials& credentials, const Aws::String& stringToSign, - const Aws::String& simpleDate, const Aws::String& region, const Aws::String& serviceName) const + const Aws::String& simpleDate, const Aws::String& region, const Aws::String& serviceName) const { Utils::Threading::ReaderLockGuard guard(m_derivedKeyLock); const auto& secretKey = credentials.GetAWSSecretKey(); 
@@ -728,7 +728,7 @@ Utils::ByteBuffer AWSAuthEventStreamV4Signer::GenerateSignature(const AWSCredent
 {
 m_currentSecretKey = secretKey;
 m_currentDateStr = simpleDate;
- m_derivedKey = ComputeHash(m_currentSecretKey, m_currentDateStr, region, serviceName);
+ m_derivedKey = ComputeHash(m_currentSecretKey, m_currentDateStr, region, serviceName);
 }
 }
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSignerProvider.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSignerProvider.cpp
index 31fd6c006b..a981bc3536 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSignerProvider.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSignerProvider.cpp
@@ -1,26 +1,26 @@
-/**
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: Apache-2.0.
- */
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
 #include <aws/core/utils/logging/LogMacros.h>
 #include <aws/core/auth/AWSAuthSignerProvider.h>
 #include <aws/core/auth/AWSAuthSigner.h>
-#include <aws/core/auth/AWSCredentialsProvider.h>
-#include <aws/core/utils/memory/stl/AWSAllocator.h>
+#include <aws/core/auth/AWSCredentialsProvider.h>
+#include <aws/core/utils/memory/stl/AWSAllocator.h>
 const char CLASS_TAG[] = "AuthSignerProvider";
 using namespace Aws::Auth;
- 
-DefaultAuthSignerProvider::DefaultAuthSignerProvider(const std::shared_ptr<AWSCredentialsProvider>& credentialsProvider,
- const Aws::String& serviceName, const Aws::String& region)
-{
- m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(CLASS_TAG, credentialsProvider, serviceName.c_str(), region));
- m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSAuthEventStreamV4Signer>(CLASS_TAG, credentialsProvider, serviceName.c_str(), region));
- m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSNullSigner>(CLASS_TAG));
-}
- 
+ 
+DefaultAuthSignerProvider::DefaultAuthSignerProvider(const std::shared_ptr<AWSCredentialsProvider>& credentialsProvider,
+ const Aws::String& serviceName, const Aws::String& region)
+{
+ m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSAuthV4Signer>(CLASS_TAG, credentialsProvider, serviceName.c_str(), region));
+ m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSAuthEventStreamV4Signer>(CLASS_TAG, credentialsProvider, serviceName.c_str(), region));
+ m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSNullSigner>(CLASS_TAG));
+}
+ 
 DefaultAuthSignerProvider::DefaultAuthSignerProvider(const std::shared_ptr<Aws::Client::AWSAuthSigner>& signer)
 {
 m_signers.emplace_back(Aws::MakeShared<Aws::Client::AWSNullSigner>(CLASS_TAG));
@@ -43,9 +43,9 @@ std::shared_ptr<Aws::Client::AWSAuthSigner> DefaultAuthSignerProvider::GetSigner assert(false); return nullptr; } - -void DefaultAuthSignerProvider::AddSigner(std::shared_ptr<Aws::Client::AWSAuthSigner>& signer) -{ - assert(signer); - m_signers.emplace_back(signer); -} + +void DefaultAuthSignerProvider::AddSigner(std::shared_ptr<Aws::Client::AWSAuthSigner>& signer) +{ + assert(signer); + m_signers.emplace_back(signer); +} diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp index 31e28b996f..b4b4cae940 100644 --- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp +++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp @@ -1,7 +1,7 @@ -/** - * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0. - */ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ #include <aws/core/auth/AWSCredentialsProvider.h> @@ -14,9 +14,9 @@ #include <aws/core/utils/StringUtils.h> #include <aws/core/utils/json/JsonSerializer.h> #include <aws/core/utils/FileSystemUtils.h> -#include <aws/core/client/AWSError.h> -#include <aws/core/utils/StringUtils.h> -#include <aws/core/utils/xml/XmlSerializer.h> +#include <aws/core/client/AWSError.h> +#include <aws/core/utils/StringUtils.h> +#include <aws/core/utils/xml/XmlSerializer.h> #include <cstdlib> #include <fstream> #include <string.h> @@ -28,8 +28,8 @@ using namespace Aws::Utils::Logging; using namespace Aws::Auth; using namespace Aws::Internal; using namespace Aws::FileSystem; -using namespace Aws::Utils::Xml; -using namespace Aws::Client; +using namespace Aws::Utils::Xml; +using namespace Aws::Client; using Aws::Utils::Threading::ReaderLockGuard; using Aws::Utils::Threading::WriterLockGuard; 
@@ -41,11 +41,11 @@ static const char AWS_PROFILE_ENV_VAR[] = "AWS_PROFILE"; static const char AWS_PROFILE_DEFAULT_ENV_VAR[] = "AWS_DEFAULT_PROFILE"; static const char AWS_CREDENTIALS_FILE[] = "AWS_SHARED_CREDENTIALS_FILE"; -extern const char AWS_CONFIG_FILE[] = "AWS_CONFIG_FILE"; +extern const char AWS_CONFIG_FILE[] = "AWS_CONFIG_FILE"; -extern const char PROFILE_DIRECTORY[] = ".aws"; +extern const char PROFILE_DIRECTORY[] = ".aws"; static const char DEFAULT_CREDENTIALS_FILE[] = "credentials"; -extern const char DEFAULT_CONFIG_FILE[] = "config"; +extern const char DEFAULT_CONFIG_FILE[] = "config"; static const int EXPIRATION_GRACE_PERIOD = 5 * 1000; @@ -71,7 +71,7 @@ static const char* ENVIRONMENT_LOG_TAG = "EnvironmentAWSCredentialsProvider"; AWSCredentials EnvironmentAWSCredentialsProvider::GetAWSCredentials() { auto accessKey = Aws::Environment::GetEnv(ACCESS_KEY_ENV_VAR); - AWSCredentials credentials; + AWSCredentials credentials; if (!accessKey.empty()) { 
@@ -107,41 +107,41 @@ Aws::String Aws::Auth::GetConfigProfileFilename() } else { - return Aws::FileSystem::GetHomeDirectory() + PROFILE_DIRECTORY + PATH_DELIM + DEFAULT_CONFIG_FILE; - } -} - -Aws::String Aws::Auth::GetConfigProfileName() -{ - auto profileFromVar = Aws::Environment::GetEnv(AWS_PROFILE_DEFAULT_ENV_VAR); - if (profileFromVar.empty()) - { - profileFromVar = Aws::Environment::GetEnv(AWS_PROFILE_ENV_VAR); - } - - if (profileFromVar.empty()) - { - return Aws::String(DEFAULT_PROFILE); - } - else - { - return profileFromVar; + return Aws::FileSystem::GetHomeDirectory() + PROFILE_DIRECTORY + PATH_DELIM + DEFAULT_CONFIG_FILE; } } +Aws::String Aws::Auth::GetConfigProfileName() +{ + auto profileFromVar = Aws::Environment::GetEnv(AWS_PROFILE_DEFAULT_ENV_VAR); + if (profileFromVar.empty()) + { + profileFromVar = Aws::Environment::GetEnv(AWS_PROFILE_ENV_VAR); + } + + if (profileFromVar.empty()) + { + return Aws::String(DEFAULT_PROFILE); + } + else + { + return profileFromVar; + } +} + static const char* PROFILE_LOG_TAG = "ProfileConfigFileAWSCredentialsProvider"; Aws::String ProfileConfigFileAWSCredentialsProvider::GetCredentialsProfileFilename() { auto credentialsFileNameFromVar = Aws::Environment::GetEnv(AWS_CREDENTIALS_FILE); - if (credentialsFileNameFromVar.empty()) + if (credentialsFileNameFromVar.empty()) { - return Aws::FileSystem::GetHomeDirectory() + PROFILE_DIRECTORY + PATH_DELIM + DEFAULT_CREDENTIALS_FILE; + return Aws::FileSystem::GetHomeDirectory() + PROFILE_DIRECTORY + PATH_DELIM + DEFAULT_CREDENTIALS_FILE; } else { - return credentialsFileNameFromVar; + return credentialsFileNameFromVar; } } 
@@ -160,9 +160,9 @@ Aws::String ProfileConfigFileAWSCredentialsProvider::GetProfileDirectory() } ProfileConfigFileAWSCredentialsProvider::ProfileConfigFileAWSCredentialsProvider(long refreshRateMs) : - m_profileToUse(Aws::Auth::GetConfigProfileName()), - m_credentialsFileLoader(GetCredentialsProfileFilename()), - m_loadFrequencyMs(refreshRateMs) + m_profileToUse(Aws::Auth::GetConfigProfileName()), + m_credentialsFileLoader(GetCredentialsProfileFilename()), + m_loadFrequencyMs(refreshRateMs) { AWS_LOGSTREAM_INFO(PROFILE_LOG_TAG, "Setting provider to read credentials from " << GetCredentialsProfileFilename() << " for credentials file" << " and " << GetConfigProfileFilename() << " for the config file " @@ -170,9 +170,9 @@ ProfileConfigFileAWSCredentialsProvider::ProfileConfigFileAWSCredentialsProvider } ProfileConfigFileAWSCredentialsProvider::ProfileConfigFileAWSCredentialsProvider(const char* profile, long refreshRateMs) : - m_profileToUse(profile), - m_credentialsFileLoader(GetCredentialsProfileFilename()), - m_loadFrequencyMs(refreshRateMs) + m_profileToUse(profile), + m_credentialsFileLoader(GetCredentialsProfileFilename()), + m_loadFrequencyMs(refreshRateMs) { AWS_LOGSTREAM_INFO(PROFILE_LOG_TAG, "Setting provider to read credentials from " << GetCredentialsProfileFilename() << " for credentials file" << " and " << GetConfigProfileFilename() << " for the config file " @@ -196,7 +196,7 @@ AWSCredentials ProfileConfigFileAWSCredentialsProvider::GetAWSCredentials() void ProfileConfigFileAWSCredentialsProvider::Reload() { - m_credentialsFileLoader.Load(); + m_credentialsFileLoader.Load(); AWSCredentialsProvider::Reload(); } 
@@ -220,16 +220,16 @@ void ProfileConfigFileAWSCredentialsProvider::RefreshIfExpired() static const char* INSTANCE_LOG_TAG = "InstanceProfileCredentialsProvider"; InstanceProfileCredentialsProvider::InstanceProfileCredentialsProvider(long refreshRateMs) : - m_ec2MetadataConfigLoader(Aws::MakeShared<Aws::Config::EC2InstanceProfileConfigLoader>(INSTANCE_LOG_TAG)), - m_loadFrequencyMs(refreshRateMs) + m_ec2MetadataConfigLoader(Aws::MakeShared<Aws::Config::EC2InstanceProfileConfigLoader>(INSTANCE_LOG_TAG)), + m_loadFrequencyMs(refreshRateMs) { AWS_LOGSTREAM_INFO(INSTANCE_LOG_TAG, "Creating Instance with default EC2MetadataClient and refresh rate " << refreshRateMs); } -InstanceProfileCredentialsProvider::InstanceProfileCredentialsProvider(const std::shared_ptr<Aws::Config::EC2InstanceProfileConfigLoader>& loader, long refreshRateMs) : - m_ec2MetadataConfigLoader(loader), - m_loadFrequencyMs(refreshRateMs) +InstanceProfileCredentialsProvider::InstanceProfileCredentialsProvider(const std::shared_ptr<Aws::Config::EC2InstanceProfileConfigLoader>& loader, long refreshRateMs) : + m_ec2MetadataConfigLoader(loader), + m_loadFrequencyMs(refreshRateMs) { AWS_LOGSTREAM_INFO(INSTANCE_LOG_TAG, "Creating Instance with injected EC2MetadataClient and refresh rate " << refreshRateMs); } @@ -268,7 +268,7 @@ void InstanceProfileCredentialsProvider::RefreshIfExpired() guard.UpgradeToWriterLock(); if (!IsTimeToRefresh(m_loadFrequencyMs)) // double-checked lock to avoid refreshing twice { - return; + return; } Reload(); } 
@@ -277,14 +277,14 @@ static const char TASK_ROLE_LOG_TAG[] = "TaskRoleCredentialsProvider"; TaskRoleCredentialsProvider::TaskRoleCredentialsProvider(const char* URI, long refreshRateMs) : m_ecsCredentialsClient(Aws::MakeShared<Aws::Internal::ECSCredentialsClient>(TASK_ROLE_LOG_TAG, URI)), - m_loadFrequencyMs(refreshRateMs) + m_loadFrequencyMs(refreshRateMs) { AWS_LOGSTREAM_INFO(TASK_ROLE_LOG_TAG, "Creating TaskRole with default ECSCredentialsClient and refresh rate " << refreshRateMs); } TaskRoleCredentialsProvider::TaskRoleCredentialsProvider(const char* endpoint, const char* token, long refreshRateMs) : - m_ecsCredentialsClient(Aws::MakeShared<Aws::Internal::ECSCredentialsClient>(TASK_ROLE_LOG_TAG, ""/*resourcePath*/, endpoint, token)), - m_loadFrequencyMs(refreshRateMs) + m_ecsCredentialsClient(Aws::MakeShared<Aws::Internal::ECSCredentialsClient>(TASK_ROLE_LOG_TAG, ""/*resourcePath*/, endpoint, token)), + m_loadFrequencyMs(refreshRateMs) { AWS_LOGSTREAM_INFO(TASK_ROLE_LOG_TAG, "Creating TaskRole with default ECSCredentialsClient and refresh rate " << refreshRateMs); } @@ -292,7 +292,7 @@ TaskRoleCredentialsProvider::TaskRoleCredentialsProvider(const char* endpoint, c TaskRoleCredentialsProvider::TaskRoleCredentialsProvider( const std::shared_ptr<Aws::Internal::ECSCredentialsClient>& client, long refreshRateMs) : m_ecsCredentialsClient(client), - m_loadFrequencyMs(refreshRateMs) + m_loadFrequencyMs(refreshRateMs) { AWS_LOGSTREAM_INFO(TASK_ROLE_LOG_TAG, "Creating TaskRole with default ECSCredentialsClient and refresh rate " << refreshRateMs); } @@ -306,7 +306,7 @@ AWSCredentials TaskRoleCredentialsProvider::GetAWSCredentials() bool TaskRoleCredentialsProvider::ExpiresSoon() const { - return ((m_credentials.GetExpiration() - Aws::Utils::DateTime::Now()).count() < EXPIRATION_GRACE_PERIOD); + return ((m_credentials.GetExpiration() - Aws::Utils::DateTime::Now()).count() < EXPIRATION_GRACE_PERIOD); } void TaskRoleCredentialsProvider::Reload() 
@@ -317,9 +317,9 @@ void TaskRoleCredentialsProvider::Reload() if (credentialsStr.empty()) return; Json::JsonValue credentialsDoc(credentialsStr); - if (!credentialsDoc.WasParseSuccessful()) + if (!credentialsDoc.WasParseSuccessful()) { - AWS_LOGSTREAM_ERROR(TASK_ROLE_LOG_TAG, "Failed to parse output from ECSCredentialService."); + AWS_LOGSTREAM_ERROR(TASK_ROLE_LOG_TAG, "Failed to parse output from ECSCredentialService."); return; } @@ -333,7 +333,7 @@ void TaskRoleCredentialsProvider::Reload() m_credentials.SetAWSAccessKeyId(accessKey); m_credentials.SetAWSSecretKey(secretKey); m_credentials.SetSessionToken(token); - m_credentials.SetExpiration(Aws::Utils::DateTime(credentialsView.GetString("Expiration"), DateFormat::ISO_8601)); + m_credentials.SetExpiration(Aws::Utils::DateTime(credentialsView.GetString("Expiration"), DateFormat::ISO_8601)); AWSCredentialsProvider::Reload(); } @@ -341,14 +341,14 @@ void TaskRoleCredentialsProvider::RefreshIfExpired() { AWS_LOGSTREAM_DEBUG(TASK_ROLE_LOG_TAG, "Checking if latest credential pull has expired."); ReaderLockGuard guard(m_reloadLock); - if (!m_credentials.IsEmpty() && !IsTimeToRefresh(m_loadFrequencyMs) && !ExpiresSoon()) + if (!m_credentials.IsEmpty() && !IsTimeToRefresh(m_loadFrequencyMs) && !ExpiresSoon()) { return; } guard.UpgradeToWriterLock(); - if (!m_credentials.IsEmpty() && !IsTimeToRefresh(m_loadFrequencyMs) && !ExpiresSoon()) + if (!m_credentials.IsEmpty() && !IsTimeToRefresh(m_loadFrequencyMs) && !ExpiresSoon()) { return; } 
@@ -358,13 +358,13 @@ void TaskRoleCredentialsProvider::RefreshIfExpired() static const char PROCESS_LOG_TAG[] = "ProcessCredentialsProvider"; ProcessCredentialsProvider::ProcessCredentialsProvider() : - m_profileToUse(Aws::Auth::GetConfigProfileName()) + m_profileToUse(Aws::Auth::GetConfigProfileName()) { AWS_LOGSTREAM_INFO(PROCESS_LOG_TAG, "Setting process credentials provider to read config from " << m_profileToUse); } ProcessCredentialsProvider::ProcessCredentialsProvider(const Aws::String& profile) : - m_profileToUse(profile) + m_profileToUse(profile) { AWS_LOGSTREAM_INFO(PROCESS_LOG_TAG, "Setting process credentials provider to read config from " << m_profileToUse); } 
@@ -379,88 +379,88 @@ AWSCredentials ProcessCredentialsProvider::GetAWSCredentials() void ProcessCredentialsProvider::Reload() { - auto profile = Aws::Config::GetCachedConfigProfile(m_profileToUse); - const Aws::String &command = profile.GetCredentialProcess(); - if (command.empty()) + auto profile = Aws::Config::GetCachedConfigProfile(m_profileToUse); + const Aws::String &command = profile.GetCredentialProcess(); + if (command.empty()) { AWS_LOGSTREAM_ERROR(PROCESS_LOG_TAG, "Failed to find credential process's profile: " << m_profileToUse); return; } - m_credentials = GetCredentialsFromProcess(command); -} - -void ProcessCredentialsProvider::RefreshIfExpired() -{ - ReaderLockGuard guard(m_reloadLock); - if (!m_credentials.IsExpiredOrEmpty()) - { - return; - } - - guard.UpgradeToWriterLock(); - if (!m_credentials.IsExpiredOrEmpty()) // double-checked lock to avoid refreshing twice - { - return; - } - - Reload(); -} - -AWSCredentials Aws::Auth::GetCredentialsFromProcess(const Aws::String& process) -{ - Aws::String command = process; + m_credentials = GetCredentialsFromProcess(command); +} + +void ProcessCredentialsProvider::RefreshIfExpired() +{ + ReaderLockGuard guard(m_reloadLock); + if (!m_credentials.IsExpiredOrEmpty()) + { + return; + } + + guard.UpgradeToWriterLock(); + if (!m_credentials.IsExpiredOrEmpty()) // double-checked lock to avoid refreshing twice + { + return; + } + + Reload(); +} + +AWSCredentials Aws::Auth::GetCredentialsFromProcess(const Aws::String& process) +{ + Aws::String command = process; command.append(" 2>&1"); // redirect stderr to stdout Aws::String result = Aws::Utils::StringUtils::Trim(Aws::OSVersionInfo::GetSysCommandOutput(command.c_str()).c_str()); Json::JsonValue credentialsDoc(result); - if (!credentialsDoc.WasParseSuccessful()) + if (!credentialsDoc.WasParseSuccessful()) { - AWS_LOGSTREAM_ERROR(PROFILE_LOG_TAG, "Failed to load credential from running: " << command << " Error: " << result); - return {}; + 
AWS_LOGSTREAM_ERROR(PROFILE_LOG_TAG, "Failed to load credential from running: " << command << " Error: " << result); + return {}; } Aws::Utils::Json::JsonView credentialsView(credentialsDoc); if (!credentialsView.KeyExists("Version") || credentialsView.GetInteger("Version") != 1) { - AWS_LOGSTREAM_ERROR(PROFILE_LOG_TAG, "Encountered an unsupported process credentials payload version:" << credentialsView.GetInteger("Version")); - return {}; + AWS_LOGSTREAM_ERROR(PROFILE_LOG_TAG, "Encountered an unsupported process credentials payload version:" << credentialsView.GetInteger("Version")); + return {}; } - AWSCredentials credentials; + AWSCredentials credentials; Aws::String accessKey, secretKey, token, expire; - if (credentialsView.KeyExists("AccessKeyId")) - { - credentials.SetAWSAccessKeyId(credentialsView.GetString("AccessKeyId")); - } + if (credentialsView.KeyExists("AccessKeyId")) + { + credentials.SetAWSAccessKeyId(credentialsView.GetString("AccessKeyId")); + } - if (credentialsView.KeyExists("SecretAccessKey")) - { - credentials.SetAWSSecretKey(credentialsView.GetString("SecretAccessKey")); - } + if (credentialsView.KeyExists("SecretAccessKey")) + { + credentials.SetAWSSecretKey(credentialsView.GetString("SecretAccessKey")); + } - if (credentialsView.KeyExists("SessionToken")) + if (credentialsView.KeyExists("SessionToken")) { - credentials.SetSessionToken(credentialsView.GetString("SessionToken")); + credentials.SetSessionToken(credentialsView.GetString("SessionToken")); } - if (credentialsView.KeyExists("Expiration")) + if (credentialsView.KeyExists("Expiration")) { - const auto expiration = Aws::Utils::DateTime(credentialsView.GetString("Expiration"), DateFormat::ISO_8601); - if (expiration.WasParseSuccessful()) - { - credentials.SetExpiration(expiration); - } - else - { - AWS_LOGSTREAM_ERROR(PROFILE_LOG_TAG, "Failed to parse credential's expiration value as an ISO 8601 Date. 
Credentials will be marked expired."); - credentials.SetExpiration(Aws::Utils::DateTime::Now()); - } - } - else - { - credentials.SetExpiration((std::chrono::time_point<std::chrono::system_clock>::max)()); + const auto expiration = Aws::Utils::DateTime(credentialsView.GetString("Expiration"), DateFormat::ISO_8601); + if (expiration.WasParseSuccessful()) + { + credentials.SetExpiration(expiration); + } + else + { + AWS_LOGSTREAM_ERROR(PROFILE_LOG_TAG, "Failed to parse credential's expiration value as an ISO 8601 Date. Credentials will be marked expired."); + credentials.SetExpiration(Aws::Utils::DateTime::Now()); + } } + else + { + credentials.SetExpiration((std::chrono::time_point<std::chrono::system_clock>::max)()); + } - AWS_LOGSTREAM_DEBUG(PROFILE_LOG_TAG, "Successfully pulled credentials from process credential with AccessKey: " << accessKey << ", Expiration:" << credentialsView.GetString("Expiration")); - return credentials; + AWS_LOGSTREAM_DEBUG(PROFILE_LOG_TAG, "Successfully pulled credentials from process credential with AccessKey: " << accessKey << ", Expiration:" << credentialsView.GetString("Expiration")); + return credentials; } - + diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp index 373136d96a..999928c8f6 100644 --- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp +++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp 
@@ -1,10 +1,10 @@ -/** - * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. - * SPDX-License-Identifier: Apache-2.0. - */ +/** + * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. + * SPDX-License-Identifier: Apache-2.0. + */ #include <aws/core/auth/AWSCredentialsProviderChain.h> -#include <aws/core/auth/STSCredentialsProvider.h> +#include <aws/core/auth/STSCredentialsProvider.h> #include <aws/core/platform/Environment.h> #include <aws/core/utils/memory/AWSMemory.h> #include <aws/core/utils/StringUtils.h> @@ -20,7 +20,7 @@ static const char DefaultCredentialsProviderChainTag[] = "DefaultAWSCredentialsP AWSCredentials AWSCredentialsProviderChain::GetAWSCredentials() { - for (auto&& credentialsProvider : m_providerChain) + for (auto&& credentialsProvider : m_providerChain) { AWSCredentials credentials = credentialsProvider->GetAWSCredentials(); if (!credentials.GetAWSAccessKeyId().empty() && !credentials.GetAWSSecretKey().empty()) 
@@ -29,16 +29,16 @@ AWSCredentials AWSCredentialsProviderChain::GetAWSCredentials() } } - return AWSCredentials(); + return AWSCredentials(); } DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain() : AWSCredentialsProviderChain() { AddProvider(Aws::MakeShared<EnvironmentAWSCredentialsProvider>(DefaultCredentialsProviderChainTag)); AddProvider(Aws::MakeShared<ProfileConfigFileAWSCredentialsProvider>(DefaultCredentialsProviderChainTag)); - AddProvider(Aws::MakeShared<ProcessCredentialsProvider>(DefaultCredentialsProviderChainTag)); - AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag)); - + AddProvider(Aws::MakeShared<ProcessCredentialsProvider>(DefaultCredentialsProviderChainTag)); + AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag)); + //ECS TaskRole Credentials only available when ENVIRONMENT VARIABLE is set const auto relativeUri = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI); AWS_LOGSTREAM_DEBUG(DefaultCredentialsProviderChainTag, "The environment variable value " << AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp index 3f48c9e0c7..c8d2bb98e8 100644 --- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp +++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp 
@@ -1,163 +1,163 @@
-/**
- * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
- * SPDX-License-Identifier: Apache-2.0.
- */
-
-
-#include <aws/core/auth/STSCredentialsProvider.h>
-#include <aws/core/config/AWSProfileConfigLoader.h>
-#include <aws/core/platform/Environment.h>
-#include <aws/core/platform/FileSystem.h>
-#include <aws/core/utils/logging/LogMacros.h>
-#include <aws/core/utils/StringUtils.h>
-#include <aws/core/utils/FileSystemUtils.h>
-#include <aws/core/client/SpecifiedRetryableErrorsRetryStrategy.h>
-#include <aws/core/utils/StringUtils.h>
-#include <aws/core/utils/UUID.h>
-#include <cstdlib>
-#include <fstream>
-#include <string.h>
-#include <climits>
-
-
-using namespace Aws::Utils;
-using namespace Aws::Utils::Logging;
-using namespace Aws::Auth;
-using namespace Aws::Internal;
-using namespace Aws::FileSystem;
-using namespace Aws::Client;
-using Aws::Utils::Threading::ReaderLockGuard;
-using Aws::Utils::Threading::WriterLockGuard;
-
-static const char STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG[] = "STSAssumeRoleWithWebIdentityCredentialsProvider";
-STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider() :
- m_initialized(false)
-{
- // check environment variables
- Aws::String tmpRegion = Aws::Environment::GetEnv("AWS_DEFAULT_REGION");
- m_roleArn = Aws::Environment::GetEnv("AWS_ROLE_ARN");
- m_tokenFile = Aws::Environment::GetEnv("AWS_WEB_IDENTITY_TOKEN_FILE");
- m_sessionName = Aws::Environment::GetEnv("AWS_ROLE_SESSION_NAME");
-
- // check profile_config if either m_roleArn or m_tokenFile is not loaded from environment variable
- // region source is not enforced, but we need it to construct sts endpoint, if we can't find from environment, we should check if it's set in config file.
- if (m_roleArn.empty() || m_tokenFile.empty() || tmpRegion.empty())
- {
- auto profile = Aws::Config::GetCachedConfigProfile(Aws::Auth::GetConfigProfileName());
- if (tmpRegion.empty())
- {
- tmpRegion = profile.GetRegion();
- }
- // If either of these two were not found from environment, use whatever found for all three in config file
- if (m_roleArn.empty() || m_tokenFile.empty())
- {
- m_roleArn = profile.GetRoleArn();
- m_tokenFile = profile.GetValue("web_identity_token_file");
- m_sessionName = profile.GetValue("role_session_name");
- }
- }
-
- if (m_tokenFile.empty())
- {
- AWS_LOGSTREAM_WARN(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Token file must be specified to use STS AssumeRole web identity creds provider.");
- return; // No need to do further constructing
- }
- else
- {
- AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved token_file from profile_config or environment variable to be " << m_tokenFile);
- }
-
- if (m_roleArn.empty())
- {
- AWS_LOGSTREAM_WARN(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "RoleArn must be specified to use STS AssumeRole web identity creds provider.");
- return; // No need to do further constructing
- }
- else
- {
- AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved role_arn from profile_config or environment variable to be " << m_roleArn);
- }
-
- if (tmpRegion.empty())
- {
- tmpRegion = Aws::Region::US_EAST_1;
- }
- else
- {
- AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved region from profile_config or environment variable to be " << tmpRegion);
- }
-
- if (m_sessionName.empty())
- {
- m_sessionName = Aws::Utils::UUID::RandomUUID();
- }
- else
- {
- AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved session_name from profile_config or environment variable to be " << m_sessionName);
- }
-
- Aws::Client::ClientConfiguration config;
- config.scheme = Aws::Http::Scheme::HTTPS;
- config.region = tmpRegion;
-
- Aws::Vector<Aws::String> retryableErrors;
- retryableErrors.push_back("IDPCommunicationError");
- retryableErrors.push_back("InvalidIdentityToken");
-
- config.retryStrategy = Aws::MakeShared<SpecifiedRetryableErrorsRetryStrategy>(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, retryableErrors, 3/*maxRetries*/);
-
- m_client = Aws::MakeUnique<Aws::Internal::STSCredentialsClient>(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config);
- m_initialized = true;
- AWS_LOGSTREAM_INFO(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Creating STS AssumeRole with web identity creds provider.");
-}
-
-AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials()
-{
- // A valid client means required information like role arn and token file were constructed correctly.
- // We can use this provider to load creds, otherwise, we can just return empty creds.
- if (!m_initialized)
- {
- return Aws::Auth::AWSCredentials();
- }
- RefreshIfExpired();
- ReaderLockGuard guard(m_reloadLock);
- return m_credentials;
-}
-
-void STSAssumeRoleWebIdentityCredentialsProvider::Reload()
-{
- AWS_LOGSTREAM_INFO(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Credentials have expired, attempting to renew from STS.");
-
- Aws::IFStream tokenFile(m_tokenFile.c_str());
- if(tokenFile)
- {
- Aws::String token((std::istreambuf_iterator<char>(tokenFile)), std::istreambuf_iterator<char>());
- m_token = token;
- }
- else
- {
- AWS_LOGSTREAM_ERROR(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Can't open token file: " << m_tokenFile);
- return;
- }
- STSCredentialsClient::STSAssumeRoleWithWebIdentityRequest request {m_sessionName, m_roleArn, m_token};
-
- auto result = m_client->GetAssumeRoleWithWebIdentityCredentials(request);
- AWS_LOGSTREAM_TRACE(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Successfully retrieved credentials with AWS_ACCESS_KEY: " << result.creds.GetAWSAccessKeyId());
- m_credentials = result.creds;
-}
-
-void STSAssumeRoleWebIdentityCredentialsProvider::RefreshIfExpired()
-{
- ReaderLockGuard guard(m_reloadLock);
- if (!m_credentials.IsExpiredOrEmpty())
- {
- return;
- }
-
- guard.UpgradeToWriterLock();
- if (!m_credentials.IsExpiredOrEmpty()) // double-checked lock to avoid refreshing twice
- {
- return;
- }
-
- Reload();
-}
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+
+#include <aws/core/auth/STSCredentialsProvider.h>
+#include <aws/core/config/AWSProfileConfigLoader.h>
+#include <aws/core/platform/Environment.h>
+#include <aws/core/platform/FileSystem.h>
+#include <aws/core/utils/logging/LogMacros.h>
+#include <aws/core/utils/StringUtils.h>
+#include <aws/core/utils/FileSystemUtils.h>
+#include <aws/core/client/SpecifiedRetryableErrorsRetryStrategy.h>
+#include <aws/core/utils/StringUtils.h>
+#include <aws/core/utils/UUID.h>
+#include <cstdlib>
+#include <fstream>
+#include <string.h>
+#include <climits>
+
+
+using namespace Aws::Utils;
+using namespace Aws::Utils::Logging;
+using namespace Aws::Auth;
+using namespace Aws::Internal;
+using namespace Aws::FileSystem;
+using namespace Aws::Client;
+using Aws::Utils::Threading::ReaderLockGuard;
+using Aws::Utils::Threading::WriterLockGuard;
+
+static const char STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG[] = "STSAssumeRoleWithWebIdentityCredentialsProvider";
+STSAssumeRoleWebIdentityCredentialsProvider::STSAssumeRoleWebIdentityCredentialsProvider() :
+ m_initialized(false)
+{
+ // check environment variables
+ Aws::String tmpRegion = Aws::Environment::GetEnv("AWS_DEFAULT_REGION");
+ m_roleArn = Aws::Environment::GetEnv("AWS_ROLE_ARN");
+ m_tokenFile = Aws::Environment::GetEnv("AWS_WEB_IDENTITY_TOKEN_FILE");
+ m_sessionName = Aws::Environment::GetEnv("AWS_ROLE_SESSION_NAME");
+
+ // check profile_config if either m_roleArn or m_tokenFile is not loaded from environment variable
+ // region source is not enforced, but we need it to construct sts endpoint, if we can't find from environment, we should check if it's set in config file.
+ if (m_roleArn.empty() || m_tokenFile.empty() || tmpRegion.empty())
+ {
+ auto profile = Aws::Config::GetCachedConfigProfile(Aws::Auth::GetConfigProfileName());
+ if (tmpRegion.empty())
+ {
+ tmpRegion = profile.GetRegion();
+ }
+ // If either of these two were not found from environment, use whatever found for all three in config file
+ if (m_roleArn.empty() || m_tokenFile.empty())
+ {
+ m_roleArn = profile.GetRoleArn();
+ m_tokenFile = profile.GetValue("web_identity_token_file");
+ m_sessionName = profile.GetValue("role_session_name");
+ }
+ }
+
+ if (m_tokenFile.empty())
+ {
+ AWS_LOGSTREAM_WARN(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Token file must be specified to use STS AssumeRole web identity creds provider.");
+ return; // No need to do further constructing
+ }
+ else
+ {
+ AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved token_file from profile_config or environment variable to be " << m_tokenFile);
+ }
+
+ if (m_roleArn.empty())
+ {
+ AWS_LOGSTREAM_WARN(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "RoleArn must be specified to use STS AssumeRole web identity creds provider.");
+ return; // No need to do further constructing
+ }
+ else
+ {
+ AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved role_arn from profile_config or environment variable to be " << m_roleArn);
+ }
+
+ if (tmpRegion.empty())
+ {
+ tmpRegion = Aws::Region::US_EAST_1;
+ }
+ else
+ {
+ AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved region from profile_config or environment variable to be " << tmpRegion);
+ }
+
+ if (m_sessionName.empty())
+ {
+ m_sessionName = Aws::Utils::UUID::RandomUUID();
+ }
+ else
+ {
+ AWS_LOGSTREAM_DEBUG(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Resolved session_name from profile_config or environment variable to be " << m_sessionName);
+ }
+
+ Aws::Client::ClientConfiguration config;
+ config.scheme = Aws::Http::Scheme::HTTPS;
+ config.region = tmpRegion;
+
+ Aws::Vector<Aws::String> retryableErrors;
+ retryableErrors.push_back("IDPCommunicationError");
+ retryableErrors.push_back("InvalidIdentityToken");
+
+ config.retryStrategy = Aws::MakeShared<SpecifiedRetryableErrorsRetryStrategy>(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, retryableErrors, 3/*maxRetries*/);
+
+ m_client = Aws::MakeUnique<Aws::Internal::STSCredentialsClient>(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, config);
+ m_initialized = true;
+ AWS_LOGSTREAM_INFO(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Creating STS AssumeRole with web identity creds provider.");
+}
+
+AWSCredentials STSAssumeRoleWebIdentityCredentialsProvider::GetAWSCredentials()
+{
+ // A valid client means required information like role arn and token file were constructed correctly.
+ // We can use this provider to load creds, otherwise, we can just return empty creds.
+ if (!m_initialized)
+ {
+ return Aws::Auth::AWSCredentials();
+ }
+ RefreshIfExpired();
+ ReaderLockGuard guard(m_reloadLock);
+ return m_credentials;
+}
+
+void STSAssumeRoleWebIdentityCredentialsProvider::Reload()
+{
+ AWS_LOGSTREAM_INFO(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Credentials have expired, attempting to renew from STS.");
+
+ Aws::IFStream tokenFile(m_tokenFile.c_str());
+ if(tokenFile)
+ {
+ Aws::String token((std::istreambuf_iterator<char>(tokenFile)), std::istreambuf_iterator<char>());
+ m_token = token;
+ }
+ else
+ {
+ AWS_LOGSTREAM_ERROR(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Can't open token file: " << m_tokenFile);
+ return;
+ }
+ STSCredentialsClient::STSAssumeRoleWithWebIdentityRequest request {m_sessionName, m_roleArn, m_token};
+
+ auto result = m_client->GetAssumeRoleWithWebIdentityCredentials(request);
+ AWS_LOGSTREAM_TRACE(STS_ASSUME_ROLE_WEB_IDENTITY_LOG_TAG, "Successfully retrieved credentials with AWS_ACCESS_KEY: " << result.creds.GetAWSAccessKeyId());
+ m_credentials = result.creds;
+}
+
+void STSAssumeRoleWebIdentityCredentialsProvider::RefreshIfExpired()
+{
+ ReaderLockGuard guard(m_reloadLock);
+ if (!m_credentials.IsExpiredOrEmpty())
+ {
+ return;
+ }
+
+ guard.UpgradeToWriterLock();
+ if (!m_credentials.IsExpiredOrEmpty()) // double-checked lock to avoid refreshing twice
+ {
+ return;
+ }
+
+ Reload();
+}
|