Update CRT submodules to latest (#997)

* Update mountpoint-s3-crt-sys crate excludes to reduce package size Signed-off-by: Daniel Carl Jones <djonesoa@amazon.com> Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Update CRT submodules to latest releases Signed-off-by: Daniel Carl Jones <djonesoa@amazon.com> Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * WIP: Add testing for #927 Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Gate scoped credential test Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Update `test_credential_process_behind_source_profile` to use role Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Remove unused import Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Remove TODOs from CHANGELOG Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Update CRT submodules to latest Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Remove feature gate from `test_credential_process_behind_source_profile` Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Fix Clippy failures Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * More Clippy fixes Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Fix formatting Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> * Update test failure message Co-authored-by: Daniel Carl Jones <danny@danielcarl.info> Signed-off-by: Burak <unexge@gmail.com> --------- Signed-off-by: Daniel Carl Jones <djonesoa@amazon.com> Signed-off-by: Burak Varlı <burakvar@amazon.co.uk> Signed-off-by: Burak <unexge@gmail.com> Co-authored-by: Daniel Carl Jones <djonesoa@amazon.com> Co-authored-by: Daniel Carl Jones <danny@danielcarl.info>
awslabs · Sep 4, 2024 · 3c371f3 · 3c371f3 · github-actions · Sep 4, 2024
1 parent ae4f909
commit 3c371f3
Show file tree

Hide file tree

Showing 12 changed files with 151 additions and 11 deletions.
diff --git a/mountpoint-s3-client/tests/auth.rs b/mountpoint-s3-client/tests/auth.rs
@@ -4,6 +4,7 @@ pub mod common;
 
 use std::io::Write;
 use std::option::Option::None;
+use std::writeln;
 
 use aws_sdk_s3::primitives::ByteStream;
 use bytes::Bytes;
@@ -13,7 +14,6 @@ use common::creds::{get_sdk_default_chain_creds, get_subsession_iam_role};
 use common::*;
 use futures::StreamExt;
 use mountpoint_s3_client::config::{EndpointConfig, S3ClientAuthConfig, S3ClientConfig};
-#[cfg(not(feature = "s3express_tests"))]
 use mountpoint_s3_client::error::ObjectClientError;
 #[cfg(not(feature = "s3express_tests"))]
 use mountpoint_s3_client::S3RequestError;
@@ -240,6 +240,130 @@ async fn test_profile_provider_assume_role_async() {
     check_get_result(result, None, &body[..]).await;
 }
 
+async fn test_credential_process_behind_source_profile_async() {
+    let (bucket, prefix) = get_test_bucket_and_prefix("test_credential_process_behind_source_profile");
+
+    // Create a test file in "{prefix}/hello"
+    {
+        let sdk_client = get_test_sdk_client().await;
+        let key = format!("{prefix}/hello");
+        let body = b"hello world!";
+        sdk_client
+            .put_object()
+            .bucket(&bucket)
+            .key(&key)
+            .body(ByteStream::from(Bytes::from_static(body)))
+            .send()
+            .await
+            .unwrap();
+    }
+
+    // Get some static credentials by just using the SDK's default provider, which we know works.
+    let credentials = get_sdk_default_chain_creds().await;
+
+    // Create two credential files to be used in `credential_process`,
+    // one with correct credentials and one with incorrect credentials.
+    let (correct_credential_file, incorrect_credential_file) = {
+        let mut correct = NamedTempFile::new().unwrap();
+        let mut incorrect = NamedTempFile::new().unwrap();
+        let json_response = r#"{
+            "Version": 1,
+            "AccessKeyId": "__AWS_ACCESS_KEY_ID__",
+            "SecretAccessKey": "__AWS_SECRET_ACCESS_KEY__",
+            "SessionToken": "__AWS_SESSION_TOKEN__",
+            "Expiration": "2099-08-20T00:05:35+00:00"
+        }"#;
+
+        correct
+            .write_all(
+                json_response
+                    .replace("__AWS_ACCESS_KEY_ID__", credentials.access_key_id())
+                    .replace("__AWS_SECRET_ACCESS_KEY__", credentials.secret_access_key())
+                    .replace("__AWS_SESSION_TOKEN__", credentials.session_token().unwrap())
+                    .as_bytes(),
+            )
+            .unwrap();
+
+        incorrect
+            .write_all(
+                json_response
+                    .replace("__AWS_ACCESS_KEY_ID__", &credentials.access_key_id()[..10])
+                    .replace("__AWS_SECRET_ACCESS_KEY__", credentials.secret_access_key())
+                    .replace("__AWS_SESSION_TOKEN__", credentials.session_token().unwrap())
+                    .as_bytes(),
+            )
+            .unwrap();
+
+        (correct, incorrect)
+    };
+
+    let mut config_file = NamedTempFile::new().unwrap();
+
+    // Create two source profiles to provide credentials from previously created files using `credential_process`.
+    let (correct_source_profile, incorrect_source_profile) = {
+        let correct = "correct-source-profile";
+        writeln!(config_file, "[profile {}]", correct).unwrap();
+        writeln!(
+            config_file,
+            "credential_process=cat {}",
+            correct_credential_file.path().to_string_lossy()
+        )
+        .unwrap();
+        let incorrect = "incorrect-source-profile";
+        writeln!(config_file, "[profile {}]", incorrect).unwrap();
+        writeln!(
+            config_file,
+            "credential_process=cat {}",
+            incorrect_credential_file.path().to_string_lossy()
+        )
+        .unwrap();
+        (correct, incorrect)
+    };
+
+    // Create two profiles to assume our test role with previously created source profiles.
+    let (correct_profile, incorrect_profile) = {
+        let correct = "correct-profile";
+        writeln!(config_file, "[profile {}]", correct).unwrap();
+        writeln!(config_file, "role_arn={}", get_subsession_iam_role()).unwrap();
+        writeln!(config_file, "source_profile={}", correct_source_profile).unwrap();
+        writeln!(config_file, "region={}", &get_test_region()).unwrap();
+        let incorrect = "incorrect-profile";
+        writeln!(config_file, "[profile {}]", incorrect).unwrap();
+        writeln!(config_file, "role_arn={}", get_subsession_iam_role()).unwrap();
+        writeln!(config_file, "source_profile={}", incorrect_source_profile).unwrap();
+        writeln!(config_file, "region={}", &get_test_region()).unwrap();
+        (correct, incorrect)
+    };
+
+    config_file.flush().unwrap();
+
+    // Set up the environment variables to use this new config file. This is only OK to do because
+    // this test is run in a forked process, so won't affect any other concurrently running tests.
+    std::env::set_var("AWS_CONFIG_FILE", config_file.path().as_os_str());
+
+    // With correct profile, things should be fine
+    let config = S3ClientConfig::new()
+        .auth_config(S3ClientAuthConfig::Profile(correct_profile.to_owned()))
+        .endpoint_config(EndpointConfig::new(&get_test_region()));
+    let client = S3CrtClient::new(config).unwrap();
+    let _result = client
+        .list_objects(&bucket, None, "/", 10, &format!("{prefix}foo/"))
+        .await
+        .expect("list_objects should succeed");
+
+    // With incorrect profile, requests should fail with a client error
+    let config = S3ClientConfig::new()
+        .auth_config(S3ClientAuthConfig::Profile(incorrect_profile.to_owned()))
+        .endpoint_config(EndpointConfig::new(&get_test_region()));
+    let client = S3CrtClient::new(config).unwrap();
+    let err = client
+        .list_objects(&bucket, None, "/", 10, &format!("{prefix}/"))
+        .await
+        .expect_err("should fail when using invalid credentials");
+    assert!(matches!(err, ObjectClientError::ClientError(_)));
+    drop(config_file);
+}
+
 rusty_fork_test! {
     #[test]
     fn test_profile_provider_static() {
@@ -254,6 +378,13 @@ rusty_fork_test! {
         let runtime = tokio::runtime::Builder::new_current_thread().enable_all().build().unwrap();
         runtime.block_on(test_profile_provider_assume_role_async());
     }
+
+    #[test]
+    fn test_credential_process_behind_source_profile() {
+        // rusty_fork doesn't support async tests, so build an SDK-usable runtime manually
+        let runtime = tokio::runtime::Builder::new_current_thread().enable_all().build().unwrap();
+        runtime.block_on(test_credential_process_behind_source_profile_async());
+    }
 }
 
 /// Test using a client with scoped-down credentials

diff --git a/mountpoint-s3-crt-sys/Cargo.toml b/mountpoint-s3-crt-sys/Cargo.toml
@@ -62,7 +62,9 @@ exclude = [
 ]
 
 [build-dependencies]
-bindgen = { version = "0.66.1", default-features = false, features = ["runtime"] }
+bindgen = { version = "0.66.1", default-features = false, features = [
+    "runtime",
+] }
 cc = "1.0.73"
 cmake = "0.1.48"
 rustflags = "0.1.1"

diff --git a/mountpoint-s3-crt-sys/crt/aws-c-auth b/mountpoint-s3-crt-sys/crt/aws-c-auth
diff --git a/mountpoint-s3-crt-sys/crt/aws-c-cal b/mountpoint-s3-crt-sys/crt/aws-c-cal
diff --git a/mountpoint-s3-crt-sys/crt/aws-c-common b/mountpoint-s3-crt-sys/crt/aws-c-common
diff --git a/mountpoint-s3-crt-sys/crt/aws-c-compression b/mountpoint-s3-crt-sys/crt/aws-c-compression
diff --git a/mountpoint-s3-crt-sys/crt/aws-c-http b/mountpoint-s3-crt-sys/crt/aws-c-http
diff --git a/mountpoint-s3-crt-sys/crt/aws-c-io b/mountpoint-s3-crt-sys/crt/aws-c-io
diff --git a/mountpoint-s3-crt-sys/crt/aws-c-sdkutils b/mountpoint-s3-crt-sys/crt/aws-c-sdkutils
diff --git a/mountpoint-s3-crt-sys/crt/aws-lc b/mountpoint-s3-crt-sys/crt/aws-lc
diff --git a/mountpoint-s3-crt-sys/crt/s2n-tls b/mountpoint-s3-crt-sys/crt/s2n-tls
diff --git a/mountpoint-s3/CHANGELOG.md b/mountpoint-s3/CHANGELOG.md
@@ -1,3 +1,10 @@
+## Unreleased
+
+### Other changes
+
+* Fix an issue where `credential_process` field would not be picked up correctly when using `source_profile`. ([awslabs/aws-c-auth#245](https://github.com/awslabs/aws-c-auth/pull/245))
+* Fix an issue where `credential_process` field would not be picked up correctly when using `--profile <AWS_PROFILE>`. ([awslabs/aws-c-auth#245](https://github.com/awslabs/aws-c-auth/pull/245))
+
 ## v1.8.0
 
 ### New features
Benchmark suite	Current: `3c371f3`	Previous: `ae4f909`	Ratio
`random_read_four_threads`	`13.483984375` MiB/s	`27.393359375` MiB/s	`2.03`
`random_read`	`2.8478515625` MiB/s	`6.22490234375` MiB/s	`2.19`