authorarcadia-devtools <arcadia-devtools@yandex-team.ru>2022-03-02 12:50:27 +0300
committerarcadia-devtools <arcadia-devtools@yandex-team.ru>2022-03-02 12:50:27 +0300
commitd0f80d5e60d77854f9d6262a59a7349e2b21f9d2 (patch)
tree01f1e033ce5519d96b7d6a83718221dcb8021eec /contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core
parent26286f616cee657612a9d820be6da2cdbd4de0ef (diff)
intermediate changes
ref:40ac71fae6ea311a73473cf4297ca93bf27559c3
Diffstat (limited to 'contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core')
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/CMakeLists.txt4
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/Aws.h4
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/VersionConfig.h2
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/auth/SSOCredentialsProvider.h48
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/AWSError.h4
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h5
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/config/AWSProfileConfigLoader.h13
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h1
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h31
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/HashingUtils.h10
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Factories.h8
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Sha1.h65
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/openssl/CryptoImpl.h12
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/Aws.cpp5
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp2
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp2
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp2
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/SSOCredentialsProvider.cpp146
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/client/AWSClient.cpp4
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/config/AWSProfileConfigLoader.cpp31
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp62
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp71
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/HashingUtils.cpp13
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha1.cpp30
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha256.cpp2
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/factory/Factories.cpp78
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/openssl/CryptoImpl.cpp50
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/stream/ConcurrentStreamBuf.cpp5
-rw-r--r--contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/ya.make4
29 files changed, 694 insertions, 20 deletions
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/CMakeLists.txt b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/CMakeLists.txt
index 3d7f5478bb..46cb712750 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/CMakeLists.txt
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/CMakeLists.txt
@@ -17,7 +17,7 @@ target_compile_options(libs-aws-sdk-cpp-aws-cpp-sdk-core PRIVATE
-DAWS_IO_USE_IMPORT_EXPORT
-DAWS_SDK_VERSION_MAJOR=1
-DAWS_SDK_VERSION_MINOR=8
- -DAWS_SDK_VERSION_PATCH=113
+ -DAWS_SDK_VERSION_PATCH=186
-DAWS_USE_EPOLL
-DCURL_HAS_H2
-DCURL_HAS_TLS_PROXY
@@ -63,6 +63,7 @@ target_sources(libs-aws-sdk-cpp-aws-cpp-sdk-core PRIVATE
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSignerProvider.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp
+ ${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/SSOCredentialsProvider.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/STSCredentialsProvider.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/client/AWSClient.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/client/AWSErrorMarshaller.cpp
@@ -117,6 +118,7 @@ target_sources(libs-aws-sdk-cpp-aws-cpp-sdk-core PRIVATE
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/EncryptionMaterials.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/KeyWrapAlgorithm.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/MD5.cpp
+ ${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha1.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha256.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha256HMAC.cpp
${CMAKE_SOURCE_DIR}/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/factory/Factories.cpp
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/Aws.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/Aws.h
index 4fcdb17779..7c2d7af53f 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/Aws.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/Aws.h
@@ -97,6 +97,10 @@ namespace Aws
*/
std::function<std::shared_ptr<Aws::Utils::Crypto::HashFactory>()> md5Factory_create_fn;
/**
+ * If set, this closure will be used to create and install the factory.
+ */
+ std::function<std::shared_ptr<Aws::Utils::Crypto::HashFactory>()> sha1Factory_create_fn;
+ /**
* If set, this closure will be used to create and install the factory.
*/
std::function<std::shared_ptr<Aws::Utils::Crypto::HashFactory>()> sha256Factory_create_fn;
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/VersionConfig.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/VersionConfig.h
index 9304d56ee7..fd965734a6 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/VersionConfig.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/VersionConfig.h
@@ -3,4 +3,4 @@
* SPDX-License-Identifier: Apache-2.0.
*/
-#define AWS_SDK_VERSION_STRING "1.8.113"
+#define AWS_SDK_VERSION_STRING "1.8.186"
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/auth/SSOCredentialsProvider.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/auth/SSOCredentialsProvider.h
new file mode 100644
index 0000000000..288beccb3b
--- /dev/null
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/auth/SSOCredentialsProvider.h
@@ -0,0 +1,48 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+
+#pragma once
+
+#include <aws/core/Core_EXPORTS.h>
+#include <aws/core/auth/AWSCredentialsProvider.h>
+#include <memory>
+
+namespace Aws {
+ namespace Auth {
+ /**
+ * To support usage of SSO credentials
+ */
+ class AWS_CORE_API SSOCredentialsProvider : public AWSCredentialsProvider
+ {
+ public:
+ SSOCredentialsProvider();
+ explicit SSOCredentialsProvider(const Aws::String& profile);
+ /**
+ * Retrieves the credentials if found, otherwise returns empty credential set.
+ */
+ AWSCredentials GetAWSCredentials() override;
+
+ private:
+ Aws::UniquePtr<Aws::Internal::SSOCredentialsClient> m_client;
+ Aws::Auth::AWSCredentials m_credentials;
+
+ // Profile description variables
+ Aws::String m_profileToUse;
+
+ // The AWS account ID that temporary AWS credentials are resolved for.
+ Aws::String m_ssoAccountId;
+ // The AWS region where the SSO directory for the given sso_start_url is hosted.
+ // This is independent of the general region configuration and MUST NOT be conflated.
+ Aws::String m_ssoRegion;
+ // The expiration time of the accessToken.
+ Aws::Utils::DateTime m_expiresAt;
+
+ void Reload() override;
+ void RefreshIfExpired();
+ Aws::String LoadAccessTokenFile(const Aws::String& ssoAccessTokenPath);
+ };
+ } // namespace Auth
+} // namespace Aws
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/AWSError.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/AWSError.h
index c88c1bdd5d..39f033c3fc 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/AWSError.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/AWSError.h
@@ -56,8 +56,8 @@ namespace Aws
m_errorType(errorType), m_responseCode(Aws::Http::HttpResponseCode::REQUEST_NOT_MADE),
m_isRetryable(isRetryable), m_errorPayloadType(ErrorPayloadType::NOT_SET) {}
- AWSError(AWSError&& rhs) = default;
- AWSError(const AWSError& rhs) = default;
+ AWSError(AWSError&&) = default;
+ AWSError(const AWSError&) = default;
template<typename OTHER_ERROR_TYPE>
AWSError(AWSError<OTHER_ERROR_TYPE>&& rhs) :
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
index ba54baaa83..69c2166a6e 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/client/ClientConfiguration.h
@@ -10,6 +10,7 @@
#include <aws/core/Region.h>
#include <aws/core/utils/memory/stl/AWSString.h>
#include <aws/core/http/HttpTypes.h>
+#include <aws/core/utils/Array.h>
#include <memory>
namespace Aws
@@ -165,6 +166,10 @@ namespace Aws
*/
Aws::String proxySSLKeyPassword;
/**
+ * Calls to hosts in this vector will not use proxy configuration
+ */
+ Aws::Utils::Array<Aws::String> nonProxyHosts;
+ /**
* Threading Executor implementation. Default uses std::thread::detach()
*/
std::shared_ptr<Aws::Utils::Threading::Executor> executor;
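Review bot: The comment on `nonProxyHosts` does not say how an entry is matched (exact host name, domain suffix, with or without a port), and that rule decides which requests leave without going through the configured proxy. CurlHttpClient.h in this commit keeps the setting as a single `Aws::String m_nonProxyHosts`, so the entries are presumably joined before they reach curl; the matching rule that results should be written down here. The member is an `Aws::Utils::Array`, not a vector, so the first line would read better as `* Hosts for which the proxy settings above are not used.`, followed by one sentence giving the matching rule.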
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/config/AWSProfileConfigLoader.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/config/AWSProfileConfigLoader.h
index 84c62713da..ee467c5640 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/config/AWSProfileConfigLoader.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/config/AWSProfileConfigLoader.h
@@ -36,6 +36,14 @@ namespace Aws
inline void SetRoleArn(const Aws::String& value) { m_roleArn = value; }
inline const Aws::String& GetExternalId() const { return m_externalId; }
inline void SetExternalId(const Aws::String& value) { m_externalId = value; }
+ inline const Aws::String& GetSsoStartUrl() const { return m_ssoStartUrl; }
+ inline void SetSsoStartUrl(const Aws::String& value) { m_ssoStartUrl = value; }
+ inline const Aws::String& GetSsoRegion() const { return m_ssoRegion; }
+ inline void SetSsoRegion(const Aws::String& value) { m_ssoRegion = value; }
+ inline const Aws::String& GetSsoAccountId() const { return m_ssoAccountId; }
+ inline void SetSsoAccountId(const Aws::String& value) { m_ssoAccountId = value; }
+ inline const Aws::String& GetSsoRoleName() const { return m_ssoRoleName; }
+ inline void SetSsoRoleName(const Aws::String& value) { m_ssoRoleName = value; }
inline const Aws::String& GetSourceProfile() const { return m_sourceProfile; }
inline void SetSourceProfile(const Aws::String& value ) { m_sourceProfile = value; }
inline const Aws::String& GetCredentialProcess() const { return m_credentialProcess; }
@@ -56,6 +64,10 @@ namespace Aws
Aws::String m_externalId;
Aws::String m_sourceProfile;
Aws::String m_credentialProcess;
+ Aws::String m_ssoStartUrl;
+ Aws::String m_ssoRegion;
+ Aws::String m_ssoAccountId;
+ Aws::String m_ssoRoleName;
Aws::Map<Aws::String, Aws::String> m_allKeyValPairs;
};
@@ -156,7 +168,6 @@ namespace Aws
protected:
virtual bool LoadInternal() override;
-
private:
std::shared_ptr<Aws::Internal::EC2MetadataClient> m_ec2metadataClient;
};
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
index 31f96befd5..d706405add 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/http/curl/CurlHttpClient.h
@@ -60,6 +60,7 @@ private:
Aws::String m_proxySSLKeyType;
Aws::String m_proxyKeyPasswd;
unsigned m_proxyPort;
+ Aws::String m_nonProxyHosts;
bool m_verifySSL;
Aws::String m_caPath;
Aws::String m_caFile;
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h
index c58a1b70bf..bc28cd8861 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/internal/AWSHttpResourceClient.h
@@ -221,5 +221,36 @@ namespace Aws
private:
Aws::String m_endpoint;
};
+
+ /**
+ * To support retrieving credentials from SSO.
+ */
+ class AWS_CORE_API SSOCredentialsClient : public AWSHttpResourceClient
+ {
+ public:
+ SSOCredentialsClient(const Client::ClientConfiguration& clientConfiguration);
+
+ SSOCredentialsClient& operator =(SSOCredentialsClient& rhs) = delete;
+ SSOCredentialsClient(const SSOCredentialsClient& rhs) = delete;
+ SSOCredentialsClient& operator =(SSOCredentialsClient&& rhs) = delete;
+ SSOCredentialsClient(SSOCredentialsClient&& rhs) = delete;
+
+ struct SSOGetRoleCredentialsRequest
+ {
+ Aws::String m_ssoAccountId;
+ Aws::String m_ssoRoleName;
+ Aws::String m_accessToken;
+ };
+
+ struct SSOGetRoleCredentialsResult
+ {
+ Aws::Auth::AWSCredentials creds;
+ };
+
+ SSOGetRoleCredentialsResult GetSSOCredentials(const SSOGetRoleCredentialsRequest& request);
+
+ private:
+ Aws::String m_endpoint;
+ };
} // namespace Internal
} // namespace Aws
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/HashingUtils.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/HashingUtils.h
index 48c04daf59..465c9827b2 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/HashingUtils.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/HashingUtils.h
@@ -68,6 +68,16 @@ namespace Aws
static ByteBuffer CalculateSHA256TreeHash(Aws::IOStream& stream);
/**
+ * Calculates a SHA1 Hash digest (not hex encoded)
+ */
+ static ByteBuffer CalculateSHA1(const Aws::String& str);
+
+ /**
+ * Calculates a SHA1 Hash digest on a stream (the entire stream is read, not hex encoded.)
+ */
+ static ByteBuffer CalculateSHA1(Aws::IOStream& stream);
+
+ /**
* Calculates a MD5 Hash value
*/
static ByteBuffer CalculateMD5(const Aws::String& str);
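Review bot: The new `CalculateSHA1` overloads are documented the same way as the SHA-256 ones, with nothing telling a caller that SHA-1 is not collision resistant and should not be chosen for signatures or integrity checks. The only caller visible in this commit is `SSOCredentialsProvider::Reload`, which hashes `sso_start_url` to form a cache file name; that is a naming use, not a security one. I would add a line to both comments, e.g. `* SHA-1 is not collision resistant; use only where an existing format requires it (such as the SSO token cache file name).` The same sentence fits `CreateSha1Implementation` and `SetSha1Factory` in Factories.h.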
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Factories.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Factories.h
index b4c17b2a96..a219d3eae5 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Factories.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Factories.h
@@ -44,6 +44,10 @@ namespace Aws
*/
AWS_CORE_API std::shared_ptr<Hash> CreateMD5Implementation();
/**
+ * Create a Sha1 Hash provider
+ */
+ AWS_CORE_API std::shared_ptr<Hash> CreateSha1Implementation();
+ /**
* Create a Sha256 Hash provider
*/
AWS_CORE_API std::shared_ptr<Hash> CreateSha256Implementation();
@@ -114,6 +118,10 @@ namespace Aws
*/
AWS_CORE_API void SetMD5Factory(const std::shared_ptr<HashFactory>& factory);
/**
+ * Set the global factory for Sha1 Hash providers
+ */
+ AWS_CORE_API void SetSha1Factory(const std::shared_ptr<HashFactory>& factory);
+ /**
* Set the global factory for Sha256 Hash providers
*/
AWS_CORE_API void SetSha256Factory(const std::shared_ptr<HashFactory>& factory);
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Sha1.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Sha1.h
new file mode 100644
index 0000000000..5d9d44f867
--- /dev/null
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/Sha1.h
@@ -0,0 +1,65 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+/*
+* Interface for Sha1 encryptor
+*/
+#pragma once
+
+#ifdef __APPLE__
+
+#ifdef __clang__
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+#endif // __clang__
+
+#ifdef __GNUC__
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#endif // __GNUC__
+
+#endif // __APPLE__
+
+#include <aws/core/Core_EXPORTS.h>
+
+#include <aws/core/utils/crypto/Hash.h>
+
+namespace Aws
+{
+ namespace Utils
+ {
+ namespace Crypto
+ {
+ class WindowsHashImpl;
+
+ /**
+ * Sha1 hash implementation.
+ */
+ class AWS_CORE_API Sha1 : public Hash
+ {
+ public:
+ /**
+ * Initializes platform crypto libs.
+ */
+ Sha1();
+ virtual ~Sha1();
+
+ /**
+ * Calculates a SHA1 Hash digest (not hex encoded)
+ */
+ virtual HashResult Calculate(const Aws::String& str) override;
+
+ /**
+ * Calculates a SHA1 Hash digest on a stream (the entire stream is read)
+ */
+ virtual HashResult Calculate(Aws::IStream& stream) override;
+
+ private:
+
+ std::shared_ptr< Hash > m_hashImpl;
+ };
+
+ } // namespace Crypto
+ } // namespace Utils
+} // namespace Aws
+
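Review bot: The `#pragma clang diagnostic ignored "-Wdeprecated-declarations"` and its GCC counterpart at the top of this header are not wrapped in push/pop, so on Apple builds every translation unit that includes Sha1.h has deprecation warnings switched off from that point on, including warnings about deprecated crypto calls in unrelated code. Nothing declared in this header appears to need the suppression; if the implementation does, move the pragma into the .cpp, or bracket it with `#pragma clang diagnostic push` and `#pragma clang diagnostic pop`. The file comment also calls this an `Sha1 encryptor`; SHA-1 is a hash, so `Interface for Sha1 hash` is more accurate.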
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/openssl/CryptoImpl.h b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/openssl/CryptoImpl.h
index e3f37edda9..39f5e5fcd4 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/openssl/CryptoImpl.h
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/include/aws/core/utils/crypto/openssl/CryptoImpl.h
@@ -70,6 +70,18 @@ namespace Aws
};
+ class Sha1OpenSSLImpl : public Hash
+ {
+ public:
+
+ Sha1OpenSSLImpl() {}
+ virtual ~Sha1OpenSSLImpl() = default;
+
+ virtual HashResult Calculate(const Aws::String& str) override;
+
+ virtual HashResult Calculate(Aws::IStream& stream) override;
+ };
+
class Sha256OpenSSLImpl : public Hash
{
public:
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/Aws.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/Aws.cpp
index 1eaa477fca..33856b968a 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/Aws.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/Aws.cpp
@@ -65,6 +65,11 @@ namespace Aws
Aws::Utils::Crypto::SetMD5Factory(options.cryptoOptions.md5Factory_create_fn());
}
+ if(options.cryptoOptions.sha1Factory_create_fn)
+ {
+ Aws::Utils::Crypto::SetSha1Factory(options.cryptoOptions.sha1Factory_create_fn());
+ }
+
if(options.cryptoOptions.sha256Factory_create_fn)
{
Aws::Utils::Crypto::SetSha256Factory(options.cryptoOptions.sha256Factory_create_fn());
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp
index de4826fa5b..0baa00058f 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp
@@ -417,7 +417,7 @@ bool AWSAuthV4Signer::ServiceRequireUnsignedPayload(const Aws::String& serviceNa
// However, other services (for example RDS) implement the specification as outlined here:
// https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
// which states that body-less requests should use the empty-string SHA256 hash.
- return "s3" == serviceName;
+ return "s3" == serviceName || "s3-object-lambda" == serviceName;
}
Aws::String AWSAuthV4Signer::GenerateSignature(const AWSCredentials& credentials, const Aws::String& stringToSign,
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp
index 31e28b996f..bf20ede35e 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProvider.cpp
@@ -383,7 +383,7 @@ void ProcessCredentialsProvider::Reload()
const Aws::String &command = profile.GetCredentialProcess();
if (command.empty())
{
- AWS_LOGSTREAM_ERROR(PROCESS_LOG_TAG, "Failed to find credential process's profile: " << m_profileToUse);
+ AWS_LOGSTREAM_INFO(PROCESS_LOG_TAG, "Failed to find credential process's profile: " << m_profileToUse);
return;
}
m_credentials = GetCredentialsFromProcess(command);
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp
index 373136d96a..8b019a1664 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/AWSCredentialsProviderChain.cpp
@@ -5,6 +5,7 @@
#include <aws/core/auth/AWSCredentialsProviderChain.h>
#include <aws/core/auth/STSCredentialsProvider.h>
+#include <aws/core/auth/SSOCredentialsProvider.h>
#include <aws/core/platform/Environment.h>
#include <aws/core/utils/memory/AWSMemory.h>
#include <aws/core/utils/StringUtils.h>
@@ -38,6 +39,7 @@ DefaultAWSCredentialsProviderChain::DefaultAWSCredentialsProviderChain() : AWSCr
AddProvider(Aws::MakeShared<ProfileConfigFileAWSCredentialsProvider>(DefaultCredentialsProviderChainTag));
AddProvider(Aws::MakeShared<ProcessCredentialsProvider>(DefaultCredentialsProviderChainTag));
AddProvider(Aws::MakeShared<STSAssumeRoleWebIdentityCredentialsProvider>(DefaultCredentialsProviderChainTag));
+ AddProvider(Aws::MakeShared<SSOCredentialsProvider>(DefaultCredentialsProviderChainTag));
//ECS TaskRole Credentials only available when ENVIRONMENT VARIABLE is set
const auto relativeUri = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI);
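Review bot: With `SSOCredentialsProvider` in the default chain, its `Reload()` can now run for callers whose profile has no `sso_*` keys at all. `Reload()` as added in SSOCredentialsProvider.cpp in this commit hashes `profile.GetSsoStartUrl()` without checking that it is set, so those profiles still build a path under `sso/cache/` from the SHA-1 of an empty string and try to open it. An early `if (profile.GetSsoStartUrl().empty()) { return; }` at the top of `Reload()` would avoid reading a token file that does not belong to the profile. The constructor body continues outside this hunk.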
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/SSOCredentialsProvider.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/SSOCredentialsProvider.cpp
new file mode 100644
index 0000000000..e8f780762e
--- /dev/null
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/auth/SSOCredentialsProvider.cpp
@@ -0,0 +1,146 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+
+#include <aws/core/auth/SSOCredentialsProvider.h>
+#include <aws/core/config/AWSProfileConfigLoader.h>
+#include <aws/core/internal/AWSHttpResourceClient.h>
+#include <aws/core/platform/Environment.h>
+#include <aws/core/platform/FileSystem.h>
+#include <aws/core/utils/logging/LogMacros.h>
+#include <aws/core/utils/StringUtils.h>
+#include <aws/core/utils/FileSystemUtils.h>
+#include <aws/core/client/SpecifiedRetryableErrorsRetryStrategy.h>
+#include <aws/core/utils/UUID.h>
+#include <aws/core/utils/HashingUtils.h>
+#include <aws/core/utils/json/JsonSerializer.h>
+
+using namespace Aws::Utils;
+using namespace Aws::Utils::Logging;
+using namespace Aws::Auth;
+using namespace Aws::Internal;
+using namespace Aws::FileSystem;
+using namespace Aws::Client;
+using Aws::Utils::Threading::ReaderLockGuard;
+
+
+static const char SSO_CREDENTIALS_PROVIDER_LOG_TAG[] = "SSOCredentialsProvider";
+
+SSOCredentialsProvider::SSOCredentialsProvider() : m_profileToUse(GetConfigProfileName())
+{
+ AWS_LOGSTREAM_INFO(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Setting sso credentials provider to read config from " << m_profileToUse);
+}
+
+SSOCredentialsProvider::SSOCredentialsProvider(const Aws::String& profile) : m_profileToUse(profile)
+{
+ AWS_LOGSTREAM_INFO(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Setting sso credentials provider to read config from " << m_profileToUse);
+}
+
+AWSCredentials SSOCredentialsProvider::GetAWSCredentials()
+{
+ RefreshIfExpired();
+ ReaderLockGuard guard(m_reloadLock);
+ return m_credentials;
+}
+
+void SSOCredentialsProvider::Reload()
+{
+ auto profile = Aws::Config::GetCachedConfigProfile(m_profileToUse);
+
+ Aws::String hashedStartUrl = Aws::Utils::HashingUtils::HexEncode(Aws::Utils::HashingUtils::CalculateSHA1(profile.GetSsoStartUrl()));
+ auto profileDirectory = ProfileConfigFileAWSCredentialsProvider::GetProfileDirectory();
+ Aws::StringStream ssToken;
+ ssToken << profileDirectory;
+ ssToken << PATH_DELIM << "sso" << PATH_DELIM << "cache" << PATH_DELIM << hashedStartUrl << ".json";
+ auto ssoTokenPath = ssToken.str();
+ AWS_LOGSTREAM_DEBUG(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Loading token from: " << ssoTokenPath)
+ Aws::String accessToken = LoadAccessTokenFile(ssoTokenPath);
+ if (accessToken.empty()) {
+ AWS_LOGSTREAM_TRACE(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Access token for SSO not available");
+ return;
+ }
+ if (m_expiresAt < Aws::Utils::DateTime::Now()) {
+ AWS_LOGSTREAM_ERROR(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Cached Token expired at " << m_expiresAt.ToGmtString(DateFormat::ISO_8601));
+ return;
+ }
+ SSOCredentialsClient::SSOGetRoleCredentialsRequest request;
+ request.m_ssoAccountId = profile.GetSsoAccountId();
+ request.m_ssoRoleName = profile.GetSsoRoleName();
+ request.m_accessToken = accessToken;
+
+ Aws::Client::ClientConfiguration config;
+ config.scheme = Aws::Http::Scheme::HTTPS;
+ config.region = profile.GetSsoRegion();
+ AWS_LOGSTREAM_DEBUG(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Passing config to client for region: " << m_ssoRegion);
+
+ Aws::Vector<Aws::String> retryableErrors;
+ retryableErrors.push_back("TooManyRequestsException");
+
+ config.retryStrategy = Aws::MakeShared<SpecifiedRetryableErrorsRetryStrategy>(SSO_CREDENTIALS_PROVIDER_LOG_TAG, retryableErrors, 3/*maxRetries*/);
+ m_client = Aws::MakeUnique<Aws::Internal::SSOCredentialsClient>(SSO_CREDENTIALS_PROVIDER_LOG_TAG, config);
+
+ AWS_LOGSTREAM_TRACE(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Requesting credentials with AWS_ACCESS_KEY: " << m_ssoAccountId);
+ auto result = m_client->GetSSOCredentials(request);
+ AWS_LOGSTREAM_TRACE(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Successfully retrieved credentials with AWS_ACCESS_KEY: " << result.creds.GetAWSAccessKeyId());
+
+ m_credentials = result.creds;
+}
+
+void SSOCredentialsProvider::RefreshIfExpired()
+{
+ ReaderLockGuard guard(m_reloadLock);
+ if (!m_credentials.IsExpiredOrEmpty())
+ {
+ return;
+ }
+
+ guard.UpgradeToWriterLock();
+ if (!m_credentials.IsExpiredOrEmpty()) // double-checked lock to avoid refreshing twice
+ {
+ return;
+ }
+
+ Reload();
+}
+
+Aws::String SSOCredentialsProvider::LoadAccessTokenFile(const Aws::String& ssoAccessTokenPath)
+{
+ AWS_LOGSTREAM_DEBUG(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Preparing to load token from: " << ssoAccessTokenPath);
+
+ Aws::IFStream inputFile(ssoAccessTokenPath.c_str());
+ if(inputFile)
+ {
+ AWS_LOGSTREAM_DEBUG(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Reading content from token file: " << ssoAccessTokenPath);
+
+ Json::JsonValue tokenDoc(inputFile);
+ if (!tokenDoc.WasParseSuccessful())
+ {
+ AWS_LOGSTREAM_ERROR(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Failed to parse token file: " << ssoAccessTokenPath);
+ return "";
+ }
+ Utils::Json::JsonView tokenView(tokenDoc);
+ Aws::String tmpAccessToken, expirationStr;
+ tmpAccessToken = tokenView.GetString("accessToken");
+ expirationStr = tokenView.GetString("expiresAt");
+ DateTime expiration(expirationStr, DateFormat::ISO_8601);
+
+ AWS_LOGSTREAM_TRACE(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Token cache file contains accessToken [" << tmpAccessToken << "], expiration [" << expirationStr << "]");
+
+ if (tmpAccessToken.empty() || !expiration.WasParseSuccessful()) {
+ AWS_LOG_ERROR(SSO_CREDENTIALS_PROVIDER_LOG_TAG, R"(The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.)");
+ AWS_LOGSTREAM_TRACE(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Token cache file failed because "
+ << (tmpAccessToken.empty()?"AccessToken was empty ":"")
+ << (!expiration.WasParseSuccessful()? "failed to parse expiration":""));
+ return "";
+ }
+ m_expiresAt = expiration;
+ return tmpAccessToken;
+ }
+ else
+ {
+ AWS_LOGSTREAM_INFO(SSO_CREDENTIALS_PROVIDER_LOG_TAG,"Unable to open token file on path: " << ssoAccessTokenPath);
+ return "";
+ }
+} \ No newline at end of file
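Review bot: `LoadAccessTokenFile` writes the SSO access token itself into the log: the TRACE statement `"Token cache file contains accessToken [" << tmpAccessToken << ...` puts a live credential into whatever sink trace logging is routed to. Log something that cannot be replayed instead, for example `AWS_LOGSTREAM_TRACE(SSO_CREDENTIALS_PROVIDER_LOG_TAG, "Token cache file contains accessToken of length " << tmpAccessToken.length() << ", expiration [" << expirationStr << "]");`. In `Reload()`, the log lines that print `m_ssoRegion` and `m_ssoAccountId` read members that nothing in this file assigns (the values actually used come from `profile`), and the second one labels an account id as AWS_ACCESS_KEY; `profile.GetSsoRegion()` and `profile.GetSsoAccountId()` look like what was meant. The "Successfully retrieved credentials" line is also emitted without checking that `result.creds` is non-empty.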
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/client/AWSClient.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/client/AWSClient.cpp
index e1ff064840..4b2a38b4e6 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/client/AWSClient.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/client/AWSClient.cpp
@@ -137,7 +137,7 @@ void AWSClient::SetServiceClientName(const Aws::String& name)
if (!m_customizedUserAgent)
{
Aws::StringStream ss;
- ss << "aws-sdk-cpp/" << Version::GetVersionString() << "/" << m_serviceName << "/" << Aws::OSVersionInfo::ComputeOSVersionString()
+ ss << "aws-sdk-cpp/" << Version::GetVersionString() << " " << Aws::OSVersionInfo::ComputeOSVersionString()
<< " " << Version::GetCompilerVersionString();
m_userAgent = ss.str();
}
@@ -626,7 +626,7 @@ void AWSClient::AddContentBodyToRequest(const std::shared_ptr<Aws::Http::HttpReq
}
//Add transfer-encoding:chunked to header
- if (body && isChunked)
+ if (body && isChunked && !httpRequest->HasHeader(Http::CONTENT_LENGTH_HEADER))
{
httpRequest->SetTransferEncoding(CHUNKED_VALUE);
}
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/config/AWSProfileConfigLoader.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/config/AWSProfileConfigLoader.cpp
index 9ec2e54f55..bb6acd0b3a 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/config/AWSProfileConfigLoader.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/config/AWSProfileConfigLoader.cpp
@@ -67,6 +67,10 @@ namespace Aws
static const char ACCESS_KEY_ID_KEY[] = "aws_access_key_id";
static const char SECRET_KEY_KEY[] = "aws_secret_access_key";
static const char SESSION_TOKEN_KEY[] = "aws_session_token";
+ static const char SSO_START_URL_KEY[] = "sso_start_url";
+ static const char SSO_REGION_KEY[] = "sso_region";
+ static const char SSO_ACCOUNT_ID_KEY[] = "sso_account_id";
+ static const char SSO_ROLE_NAME_KEY[] = "sso_role_name";
static const char ROLE_ARN_KEY[] = "role_arn";
static const char EXTERNAL_ID_KEY[] = "external_id";
static const char CREDENTIAL_PROCESS_COMMAND[] = "credential_process";
@@ -184,6 +188,33 @@ namespace Aws
profile.SetCredentials(Aws::Auth::AWSCredentials(accessKey, secretKey, sessionToken));
}
+ auto ssoStartUrlIter = m_profileKeyValuePairs.find(SSO_START_URL_KEY);
+ auto ssoRegionIter = m_profileKeyValuePairs.find(SSO_REGION_KEY);
+ auto ssoRoleNameIter = m_profileKeyValuePairs.find(SSO_ROLE_NAME_KEY);
+ auto ssoAccountIdIter = m_profileKeyValuePairs.find(SSO_ACCOUNT_ID_KEY);
+ if (ssoStartUrlIter != m_profileKeyValuePairs.end()
+ || ssoRegionIter != m_profileKeyValuePairs.end()
+ || ssoRoleNameIter != m_profileKeyValuePairs.end()
+ || ssoAccountIdIter != m_profileKeyValuePairs.end())
+ {
+ if (ssoStartUrlIter != m_profileKeyValuePairs.end()
+ && ssoRegionIter != m_profileKeyValuePairs.end()
+ && ssoRoleNameIter != m_profileKeyValuePairs.end()
+ && ssoAccountIdIter != m_profileKeyValuePairs.end())
+ {
+ AWS_LOGSTREAM_DEBUG(PARSER_TAG, "found sso_start_url " << ssoStartUrlIter->second);
+ profile.SetSsoStartUrl(ssoStartUrlIter->second);
+ AWS_LOGSTREAM_DEBUG(PARSER_TAG, "found sso_region " << ssoRegionIter->second);
+ profile.SetSsoRegion(ssoRegionIter->second);
+ AWS_LOGSTREAM_DEBUG(PARSER_TAG, "found sso_account_id " << ssoAccountIdIter->second);
+ profile.SetSsoAccountId(ssoAccountIdIter->second);
+ AWS_LOGSTREAM_DEBUG(PARSER_TAG, "found sso_role_name " << ssoRoleNameIter->second);
+ profile.SetSsoRoleName(ssoRoleNameIter->second);
+ } else {
+ AWS_LOGSTREAM_ERROR(PARSER_TAG, "invalid configuration for sso profile " << profile.GetName());
+ }
+ }
+
auto assumeRoleArnIter = m_profileKeyValuePairs.find(ROLE_ARN_KEY);
if (assumeRoleArnIter != m_profileKeyValuePairs.end())
{
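Review bot: The `else` branch reports `"invalid configuration for sso profile "` without saying which of the four keys is missing, so a user with a partial SSO profile has to guess. Name the absent keys in the message, for example by appending `SSO_START_URL_KEY`, `SSO_REGION_KEY`, `SSO_ACCOUNT_ID_KEY` or `SSO_ROLE_NAME_KEY` for each iterator that equals `m_profileKeyValuePairs.end()`. A short comment above the outer `if` stating that all four keys are required together would also help. The enclosing function starts and ends outside this hunk.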
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
index 2fb9cc9643..95132f5df0 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/http/curl/CurlHttpClient.cpp
@@ -142,8 +142,9 @@ struct CurlWriteCallbackContext
struct CurlReadCallbackContext
{
- CurlReadCallbackContext(const CurlHttpClient* client, HttpRequest* request, Aws::Utils::RateLimits::RateLimiterInterface* limiter) :
+ CurlReadCallbackContext(const CurlHttpClient* client, CURL* curlHandle, HttpRequest* request, Aws::Utils::RateLimits::RateLimiterInterface* limiter) :
m_client(client),
+ m_curlHandle(curlHandle),
m_rateLimiter(limiter),
m_request(request)
{}
@@ -236,10 +237,10 @@ static size_t ReadBody(char* ptr, size_t size, size_t nmemb, void* userdata)
{
if (request->IsEventStreamRequest())
{
- // Waiting for next available character to read.
- // Without peek(), readsome() will keep reading 0 byte from the stream.
- ioStream->peek();
- ioStream->readsome(ptr, amountToRead);
+ if (ioStream->readsome(ptr, amountToRead) == 0 && !ioStream->eof())
+ {
+ return CURL_READFUNC_PAUSE;
+ }
}
else
{
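Review bot: A stream that has failed without reaching EOF makes `readsome()` return 0 while `eof()` is false, so this branch pauses the upload. `CurlProgressCallback` (added in the next hunk of this file) resumes only on data or EOF, which leaves the transfer paused until some outer timeout ends it. Check the error state before pausing, e.g. `if (ioStream->fail() && !ioStream->eof()) return CURL_READFUNC_ABORT;`, and return non-zero from the progress callback on the same condition so curl aborts the transfer. `ReadBody` starts and continues outside this hunk.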
@@ -304,6 +305,33 @@ static size_t SeekBody(void* userdata, curl_off_t offset, int origin)
return CURL_SEEKFUNC_OK;
}
+#if LIBCURL_VERSION_NUM >= 0x072000 // 7.32.0
+static int CurlProgressCallback(void *userdata, curl_off_t, curl_off_t, curl_off_t, curl_off_t)
+#else
+static int CurlProgressCallback(void *userdata, double, double, double, double)
+#endif
+{
+ CurlReadCallbackContext* context = reinterpret_cast<CurlReadCallbackContext*>(userdata);
+
+ const std::shared_ptr<Aws::IOStream>& ioStream = context->m_request->GetContentBody();
+ if (ioStream->eof())
+ {
+ curl_easy_pause(context->m_curlHandle, CURLPAUSE_CONT);
+ return 0;
+ }
+ char output[1];
+ if (ioStream->readsome(output, 1) > 0)
+ {
+ ioStream->unget();
+ if (!ioStream->good())
+ {
+ AWS_LOGSTREAM_WARN(CURL_HTTP_CLIENT_TAG, "Input stream failed to perform unget().");
+ }
+ curl_easy_pause(context->m_curlHandle, CURLPAUSE_CONT);
+ }
+
+ return 0;
+}
void SetOptCodeForHttpMethod(CURL* requestHandle, const std::shared_ptr<HttpRequest>& request)
{
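Review bot: When `unget()` fails in `CurlProgressCallback`, the byte read into `output` has already been consumed, yet the callback only logs a warning and resumes the transfer, so the request body would go out one byte short. Abort instead by returning non-zero from that branch: `AWS_LOGSTREAM_ERROR(CURL_HTTP_CLIENT_TAG, "Input stream failed to perform unget()."); return 1;`. The return code of `curl_easy_pause()` is ignored in both calls, so a failed unpause would leave the upload stalled with no log line. The `reinterpret_cast` from `void*` can be a `static_cast`.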
@@ -456,6 +484,16 @@ CurlHttpClient::CurlHttpClient(const ClientConfiguration& clientConfig) :
{
m_allowRedirects = true;
}
+ if(clientConfig.nonProxyHosts.GetLength() > 0)
+ {
+ Aws::StringStream ss;
+ ss << clientConfig.nonProxyHosts.GetItem(0);
+ for (auto i=1u; i < clientConfig.nonProxyHosts.GetLength(); i++)
+ {
+ ss << "," << clientConfig.nonProxyHosts.GetItem(i);
+ }
+ m_nonProxyHosts = ss.str();
+ }
}
@@ -521,7 +559,7 @@ std::shared_ptr<HttpResponse> CurlHttpClient::MakeRequest(const std::shared_ptr<
}
CurlWriteCallbackContext writeContext(this, request.get(), response.get(), readLimiter);
- CurlReadCallbackContext readContext(this, request.get(), writeLimiter);
+ CurlReadCallbackContext readContext(this, connectionHandle, request.get(), writeLimiter);
SetOptCodeForHttpMethod(connectionHandle, request);
@@ -595,6 +633,7 @@ std::shared_ptr<HttpResponse> CurlHttpClient::MakeRequest(const std::shared_ptr<
curl_easy_setopt(connectionHandle, CURLOPT_PROXYUSERNAME, m_proxyUserName.c_str());
curl_easy_setopt(connectionHandle, CURLOPT_PROXYPASSWORD, m_proxyPassword.c_str());
}
+ curl_easy_setopt(connectionHandle, CURLOPT_NOPROXY, m_nonProxyHosts.c_str());
#ifdef CURL_HAS_TLS_PROXY
if (!m_proxySSLCertPath.empty())
{
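Review bot: `CURLOPT_NOPROXY` is set even when `m_nonProxyHosts` is empty, and libcurl treats an empty string as "use the proxy for every host", which overrides a `no_proxy` environment variable. Clients that never configured `nonProxyHosts` would then route hosts the environment exempts through the proxy. Guard the call: `if (!m_nonProxyHosts.empty()) curl_easy_setopt(connectionHandle, CURLOPT_NOPROXY, m_nonProxyHosts.c_str());`. The surrounding proxy block starts outside this hunk.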
@@ -629,6 +668,17 @@ std::shared_ptr<HttpResponse> CurlHttpClient::MakeRequest(const std::shared_ptr<
curl_easy_setopt(connectionHandle, CURLOPT_READDATA, &readContext);
curl_easy_setopt(connectionHandle, CURLOPT_SEEKFUNCTION, SeekBody);
curl_easy_setopt(connectionHandle, CURLOPT_SEEKDATA, &readContext);
+ if (request->IsEventStreamRequest())
+ {
+ curl_easy_setopt(connectionHandle, CURLOPT_NOPROGRESS, 0L);
+#if LIBCURL_VERSION_NUM >= 0x072000 // 7.32.0
+ curl_easy_setopt(connectionHandle, CURLOPT_XFERINFOFUNCTION, CurlProgressCallback);
+ curl_easy_setopt(connectionHandle, CURLOPT_XFERINFODATA, &readContext);
+#else
+ curl_easy_setopt(connectionHandle, CURLOPT_PROGRESSFUNCTION, CurlProgressCallback);
+ curl_easy_setopt(connectionHandle, CURLOPT_PROGRESSDATA, &readContext);
+#endif
+ }
}
OverrideOptionsOnConnectionHandle(connectionHandle);
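Review bot: The progress options are set only on the event-stream path and never cleared, and `CURLOPT_XFERINFODATA` / `CURLOPT_PROGRESSDATA` point at the stack-local `readContext`. If connection handles are pooled and reused without `curl_easy_reset()` (the release path is not visible here), a later non-event-stream request on the same handle would still invoke `CurlProgressCallback` with a dangling pointer. Setting `curl_easy_setopt(connectionHandle, CURLOPT_NOPROGRESS, 1L);` for every request that is not an event stream makes the state explicit per request. `MakeRequest` starts and continues outside this hunk.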
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
index 24145e4d92..2f372ec82a 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/internal/AWSHttpResourceClient.cpp
@@ -35,6 +35,7 @@ static const char EC2_IMDS_TOKEN_HEADER[] = "x-aws-ec2-metadata-token";
static const char RESOURCE_CLIENT_CONFIGURATION_ALLOCATION_TAG[] = "AWSHttpResourceClient";
static const char EC2_METADATA_CLIENT_LOG_TAG[] = "EC2MetadataClient";
static const char ECS_CREDENTIALS_CLIENT_LOG_TAG[] = "ECSCredentialsClient";
+static const char SSO_GET_ROLE_RESOURCE[] = "/federation/credentials";
namespace Aws
{
@@ -160,7 +161,7 @@ namespace Aws
if (!m_retryStrategy->ShouldRetry(error, retries))
{
- AWS_LOGSTREAM_ERROR(m_logtag.c_str(), "Can not retrive resource from " << httpRequest->GetURIString());
+ AWS_LOGSTREAM_ERROR(m_logtag.c_str(), "Can not retrieve resource from " << httpRequest->GetURIString());
return {{}, response->GetHeaders(), error.GetResponseCode()};
}
auto sleepMillis = m_retryStrategy->CalculateDelayBeforeNextRetry(error, retries);
@@ -502,5 +503,73 @@ namespace Aws
}
return result;
}
+
+ static const char SSO_RESOURCE_CLIENT_LOG_TAG[] = "SSOResourceClient";
+ SSOCredentialsClient::SSOCredentialsClient(const Aws::Client::ClientConfiguration& clientConfiguration)
+ : AWSHttpResourceClient(clientConfiguration, SSO_RESOURCE_CLIENT_LOG_TAG)
+ {
+ SetErrorMarshaller(Aws::MakeUnique<Aws::Client::JsonErrorMarshaller>(SSO_RESOURCE_CLIENT_LOG_TAG));
+
+ Aws::StringStream ss;
+ if (clientConfiguration.scheme == Aws::Http::Scheme::HTTP)
+ {
+ ss << "http://";
+ }
+ else
+ {
+ ss << "https://";
+ }
+
+ static const int CN_NORTH_1_HASH = Aws::Utils::HashingUtils::HashString(Aws::Region::CN_NORTH_1);
+ static const int CN_NORTHWEST_1_HASH = Aws::Utils::HashingUtils::HashString(Aws::Region::CN_NORTHWEST_1);
+ auto hash = Aws::Utils::HashingUtils::HashString(clientConfiguration.region.c_str());
+
+ AWS_LOGSTREAM_DEBUG(SSO_RESOURCE_CLIENT_LOG_TAG, "Preparing SSO client for region: " << clientConfiguration.region);
+
+ ss << "portal.sso." << clientConfiguration.region << ".amazonaws.com/federation/credentials";
+ if (hash == CN_NORTH_1_HASH || hash == CN_NORTHWEST_1_HASH)
+ {
+ ss << ".cn";
+ }
+ m_endpoint = ss.str();
+
+ AWS_LOGSTREAM_INFO(SSO_RESOURCE_CLIENT_LOG_TAG, "Creating SSO ResourceClient with endpoint: " << m_endpoint);
+ }
+
+ SSOCredentialsClient::SSOGetRoleCredentialsResult SSOCredentialsClient::GetSSOCredentials(const SSOGetRoleCredentialsRequest &request)
+ {
+ Aws::StringStream ssUri;
+ ssUri << m_endpoint << SSO_GET_ROLE_RESOURCE;
+
+ std::shared_ptr<HttpRequest> httpRequest(CreateHttpRequest(m_endpoint, HttpMethod::HTTP_GET,
+ Aws::Utils::Stream::DefaultResponseStreamFactoryMethod));
+
+ httpRequest->SetHeaderValue("x-amz-sso_bearer_token", request.m_accessToken);
+
+ httpRequest->SetUserAgent(ComputeUserAgentString());
+
+ httpRequest->AddQueryStringParameter("account_id", Aws::Utils::StringUtils::URLEncode(request.m_ssoAccountId.c_str()));
+ httpRequest->AddQueryStringParameter("role_name", Aws::Utils::StringUtils::URLEncode(request.m_ssoRoleName.c_str()));
+
+ Aws::String credentialsStr = GetResourceWithAWSWebServiceResult(httpRequest).GetPayload();
+
+ Json::JsonValue credentialsDoc(credentialsStr);
+ AWS_LOGSTREAM_TRACE(SSO_RESOURCE_CLIENT_LOG_TAG, "Raw creds returned: " << credentialsStr);
+ Aws::Auth::AWSCredentials creds;
+ if (!credentialsDoc.WasParseSuccessful())
+ {
+ AWS_LOGSTREAM_ERROR(SSO_RESOURCE_CLIENT_LOG_TAG, "Failed to load credential from running. Error: " << credentialsStr);
+ return SSOGetRoleCredentialsResult{creds};
+ }
+ Utils::Json::JsonView credentialsView(credentialsDoc);
+ auto roleCredentials = credentialsView.GetObject("roleCredentials");
+ creds.SetAWSAccessKeyId(roleCredentials.GetString("accessKeyId"));
+ creds.SetAWSSecretKey(roleCredentials.GetString("secretAccessKey"));
+ creds.SetSessionToken(roleCredentials.GetString("sessionToken"));
+ creds.SetExpiration(roleCredentials.GetInt64("expiration"));
+ SSOCredentialsClient::SSOGetRoleCredentialsResult result;
+ result.creds = creds;
+ return result;
+ }
}
}
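Review bot: `GetSSOCredentials` writes the whole response body to the log, at TRACE in `"Raw creds returned: "` and again at ERROR when JSON parsing fails, and on success that body carries the access key, secret key and session token. Log only non-secret facts, e.g. `AWS_LOGSTREAM_TRACE(SSO_RESOURCE_CLIENT_LOG_TAG, "SSO credentials response received, length " << credentialsStr.size());`, and drop `credentialsStr` from the error message. Separately, the constructor appends `.cn` after `/federation/credentials`, so the China-region endpoint ends in `amazonaws.com/federation/credentials.cn`; the suffix belongs before the path. `ssUri` is built from `SSO_GET_ROLE_RESOURCE` but never used, and the `http://` branch would send the `x-amz-sso_bearer_token` header in cleartext.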
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/HashingUtils.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/HashingUtils.cpp
index 147bddf33e..0e49a61634 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/HashingUtils.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/HashingUtils.cpp
@@ -9,6 +9,7 @@
#include <aws/core/utils/base64/Base64.h>
#include <aws/core/utils/crypto/Sha256.h>
#include <aws/core/utils/crypto/Sha256HMAC.h>
+#include <aws/core/utils/crypto/Sha1.h>
#include <aws/core/utils/crypto/MD5.h>
#include <aws/core/utils/Outcome.h>
#include <aws/core/utils/memory/stl/AWSStringStream.h>
@@ -209,6 +210,18 @@ ByteBuffer HashingUtils::HexDecode(const Aws::String& str)
return hexBuffer;
}
+ByteBuffer HashingUtils::CalculateSHA1(const Aws::String& str)
+{
+ Sha1 hash;
+ return hash.Calculate(str).GetResult();
+}
+
+ByteBuffer HashingUtils::CalculateSHA1(Aws::IOStream& stream)
+{
+ Sha1 hash;
+ return hash.Calculate(stream).GetResult();
+}
+
ByteBuffer HashingUtils::CalculateMD5(const Aws::String& str)
{
MD5 hash;
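Review bot: The two `CalculateSHA1` overloads are added next to the SHA-256 helpers with no comment on where SHA-1 is acceptable. SHA-1 is not collision resistant, so a caller should not pick it up for signatures or integrity checks. A comment above the definitions (and on the declarations in `HashingUtils.h`) would cover it, e.g. `// SHA-1 is provided for compatibility with formats that require it; do not use it for signing or integrity verification.`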
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha1.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha1.cpp
new file mode 100644
index 0000000000..5da3e63d28
--- /dev/null
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha1.cpp
@@ -0,0 +1,30 @@
+/**
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0.
+ */
+
+
+#include <aws/core/utils/crypto/Sha1.h>
+#include <aws/core/utils/Outcome.h>
+#include <aws/core/utils/crypto/Factories.h>
+
+using namespace Aws::Utils::Crypto;
+
+Sha1::Sha1() :
+ m_hashImpl(CreateSha1Implementation())
+{
+}
+
+Sha1::~Sha1()
+{
+}
+
+HashResult Sha1::Calculate(const Aws::String& str)
+{
+ return m_hashImpl->Calculate(str);
+}
+
+HashResult Sha1::Calculate(Aws::IStream& stream)
+{
+ return m_hashImpl->Calculate(stream);
+}
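Review bot: `m_hashImpl` is dereferenced in both `Sha1::Calculate` overloads without a null check. `DefaultSHA1Factory::CreateImplementation()` (Factories.cpp in this commit) returns `nullptr` when no crypto backend is compiled in, and `CreateSha1Implementation()` dereferences `GetSha1Factory()`, which is null until `InitCrypto()` has run and again after `CleanupCrypto()`. Either return a failed `HashResult` when `m_hashImpl` is null, or document the precondition on the constructor with `// Requires Aws::Utils::Crypto::InitCrypto() to have been called and a crypto backend to be enabled.` The empty destructor can be `Sha1::~Sha1() = default;`.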
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha256.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha256.cpp
index 178df00d37..a8aa5ae879 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha256.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/Sha256.cpp
@@ -10,7 +10,7 @@
using namespace Aws::Utils::Crypto;
-Sha256::Sha256() :
+Sha256::Sha256() :
m_hashImpl(CreateSha256Implementation())
{
}
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/factory/Factories.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/factory/Factories.cpp
index bff0382241..88ca147d11 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/factory/Factories.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/factory/Factories.cpp
@@ -35,6 +35,12 @@ static std::shared_ptr<HashFactory>& GetMD5Factory()
return s_MD5Factory;
}
+static std::shared_ptr<HashFactory>& GetSha1Factory()
+{
+ static std::shared_ptr<HashFactory> s_Sha1Factory(nullptr);
+ return s_Sha1Factory;
+}
+
static std::shared_ptr<HashFactory>& GetSha256Factory()
{
static std::shared_ptr<HashFactory> s_Sha256Factory(nullptr);
@@ -130,6 +136,51 @@ public:
}
};
+class DefaultSHA1Factory : public HashFactory
+{
+public:
+ std::shared_ptr<Hash> CreateImplementation() const override
+ {
+#if ENABLE_BCRYPT_ENCRYPTION
+ return Aws::MakeShared<Sha1BcryptImpl>(s_allocationTag);
+#elif ENABLE_OPENSSL_ENCRYPTION
+ return Aws::MakeShared<Sha1OpenSSLImpl>(s_allocationTag);
+#elif ENABLE_COMMONCRYPTO_ENCRYPTION
+ return Aws::MakeShared<Sha1CommonCryptoImpl>(s_allocationTag);
+#else
+ return nullptr;
+#endif
+ }
+
+ /**
+ * Opportunity to make any static initialization calls you need to make.
+ * Will only be called once.
+ */
+ void InitStaticState() override
+ {
+#if ENABLE_OPENSSL_ENCRYPTION
+ if(s_InitCleanupOpenSSLFlag)
+ {
+ OpenSSL::getTheLights.EnterRoom(&OpenSSL::init_static_state);
+ }
+#endif
+ }
+
+ /**
+ * Opportunity to make any static cleanup calls you need to make.
+ * will only be called at the end of the application.
+ */
+ void CleanupStaticState() override
+ {
+#if ENABLE_OPENSSL_ENCRYPTION
+ if(s_InitCleanupOpenSSLFlag)
+ {
+ OpenSSL::getTheLights.LeaveRoom(&OpenSSL::cleanup_static_state);
+ }
+#endif
+ }
+};
+
class DefaultSHA256Factory : public HashFactory
{
public:
@@ -616,6 +667,16 @@ void Aws::Utils::Crypto::InitCrypto()
GetMD5Factory()->InitStaticState();
}
+ if(GetSha1Factory())
+ {
+ GetSha1Factory()->InitStaticState();
+ }
+ else
+ {
+ GetSha1Factory() = Aws::MakeShared<DefaultSHA1Factory>(s_allocationTag);
+ GetSha1Factory()->InitStaticState();
+ }
+
if(GetSha256Factory())
{
GetSha256Factory()->InitStaticState();
@@ -693,6 +754,12 @@ void Aws::Utils::Crypto::CleanupCrypto()
GetMD5Factory() = nullptr;
}
+ if(GetSha1Factory())
+ {
+ GetSha1Factory()->CleanupStaticState();
+ GetSha1Factory() = nullptr;
+ }
+
if(GetSha256Factory())
{
GetSha256Factory()->CleanupStaticState();
@@ -742,6 +809,11 @@ void Aws::Utils::Crypto::SetMD5Factory(const std::shared_ptr<HashFactory>& facto
GetMD5Factory() = factory;
}
+void Aws::Utils::Crypto::SetSha1Factory(const std::shared_ptr<HashFactory>& factory)
+{
+ GetSha1Factory() = factory;
+}
+
void Aws::Utils::Crypto::SetSha256Factory(const std::shared_ptr<HashFactory>& factory)
{
GetSha256Factory() = factory;
@@ -782,8 +854,12 @@ std::shared_ptr<Hash> Aws::Utils::Crypto::CreateMD5Implementation()
return GetMD5Factory()->CreateImplementation();
}
-std::shared_ptr<Hash> Aws::Utils::Crypto::CreateSha256Implementation()
+std::shared_ptr<Hash> Aws::Utils::Crypto::CreateSha1Implementation()
{
+ return GetSha1Factory()->CreateImplementation();
+}
+
+std::shared_ptr<Hash> Aws::Utils::Crypto::CreateSha256Implementation() {
return GetSha256Factory()->CreateImplementation();
}
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/openssl/CryptoImpl.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/openssl/CryptoImpl.cpp
index 911838864b..3a89265e6e 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/openssl/CryptoImpl.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/crypto/openssl/CryptoImpl.cpp
@@ -222,6 +222,56 @@ namespace Aws
return HashResult(std::move(hash));
}
+ HashResult Sha1OpenSSLImpl::Calculate(const Aws::String& str)
+ {
+ OpensslCtxRAIIGuard guard;
+ auto ctx = guard.getResource();
+ EVP_DigestInit_ex(ctx, EVP_sha1(), nullptr);
+ EVP_DigestUpdate(ctx, str.c_str(), str.size());
+
+ ByteBuffer hash(EVP_MD_size(EVP_sha1()));
+ EVP_DigestFinal(ctx, hash.GetUnderlyingData(), nullptr);
+
+ return HashResult(std::move(hash));
+ }
+
+ HashResult Sha1OpenSSLImpl::Calculate(Aws::IStream& stream)
+ {
+ OpensslCtxRAIIGuard guard;
+ auto ctx = guard.getResource();
+
+ EVP_DigestInit_ex(ctx, EVP_sha1(), nullptr);
+
+ auto currentPos = stream.tellg();
+ if (currentPos == -1)
+ {
+ currentPos = 0;
+ stream.clear();
+ }
+
+ stream.seekg(0, stream.beg);
+
+ char streamBuffer[Aws::Utils::Crypto::Hash::INTERNAL_HASH_STREAM_BUFFER_SIZE];
+ while (stream.good())
+ {
+ stream.read(streamBuffer, Aws::Utils::Crypto::Hash::INTERNAL_HASH_STREAM_BUFFER_SIZE);
+ auto bytesRead = stream.gcount();
+
+ if (bytesRead > 0)
+ {
+ EVP_DigestUpdate(ctx, streamBuffer, static_cast<size_t>(bytesRead));
+ }
+ }
+
+ stream.clear();
+ stream.seekg(currentPos, stream.beg);
+
+ ByteBuffer hash(EVP_MD_size(EVP_sha1()));
+ EVP_DigestFinal(ctx, hash.GetUnderlyingData(), nullptr);
+
+ return HashResult(std::move(hash));
+ }
+
HashResult Sha256OpenSSLImpl::Calculate(const Aws::String& str)
{
OpensslCtxRAIIGuard guard;
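Review bot: Both `Sha1OpenSSLImpl::Calculate` overloads ignore the return values of `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal`. If SHA-1 is unavailable in the linked OpenSSL (for example under a restrictive provider or FIPS configuration), the function would still return a successful `HashResult` over a buffer the digest never wrote. Check each call, e.g. `if (EVP_DigestInit_ex(ctx, EVP_sha1(), nullptr) != 1)`, and return a failed result on error. The stream overload also rewinds with `stream.seekg(0, stream.beg)` and hashes the whole stream rather than starting at the caller's position; if that is intended, a comment should say so.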
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/stream/ConcurrentStreamBuf.cpp b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/stream/ConcurrentStreamBuf.cpp
index 3f59dbe96d..1ef4ee6758 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/stream/ConcurrentStreamBuf.cpp
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/source/utils/stream/ConcurrentStreamBuf.cpp
@@ -89,7 +89,10 @@ namespace Aws
std::streamsize ConcurrentStreamBuf::showmanyc()
{
std::unique_lock<std::mutex> lock(m_lock);
- AWS_LOGSTREAM_TRACE(TAG, "stream how many character? " << m_backbuf.size());
+ if (!m_backbuf.empty())
+ {
+ AWS_LOGSTREAM_TRACE(TAG, "Stream characters in buffer: " << m_backbuf.size());
+ }
return m_backbuf.size();
}
diff --git a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/ya.make b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/ya.make
index 308c7f5011..d6872ee9b7 100644
--- a/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/ya.make
+++ b/contrib/libs/aws-sdk-cpp/aws-cpp-sdk-core/ya.make
@@ -39,7 +39,7 @@ CFLAGS(
-DAWS_IO_USE_IMPORT_EXPORT
-DAWS_SDK_VERSION_MAJOR=1
-DAWS_SDK_VERSION_MINOR=8
- -DAWS_SDK_VERSION_PATCH=113
+ -DAWS_SDK_VERSION_PATCH=186
-DAWS_USE_EPOLL
-DCURL_HAS_H2
-DCURL_HAS_TLS_PROXY
@@ -73,6 +73,7 @@ SRCS(
source/auth/AWSAuthSignerProvider.cpp
source/auth/AWSCredentialsProvider.cpp
source/auth/AWSCredentialsProviderChain.cpp
+ source/auth/SSOCredentialsProvider.cpp
source/auth/STSCredentialsProvider.cpp
source/client/AWSClient.cpp
source/client/AWSErrorMarshaller.cpp
@@ -127,6 +128,7 @@ SRCS(
source/utils/crypto/EncryptionMaterials.cpp
source/utils/crypto/KeyWrapAlgorithm.cpp
source/utils/crypto/MD5.cpp
+ source/utils/crypto/Sha1.cpp
source/utils/crypto/Sha256.cpp
source/utils/crypto/Sha256HMAC.cpp
source/utils/crypto/factory/Factories.cpp