Support Endpoint Override for CredentialsProviders #263
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #263 +/- ##
==========================================
+ Coverage 80.77% 80.88% +0.11%
==========================================
Files 33 33
Lines 6173 6214 +41
==========================================
+ Hits 4986 5026 +40
- Misses 1187 1188 +1 ☔ View full report in Codecov by Sentry. |
graebm
reviewed
Feb 5, 2025
| /* check environment variable first */ | ||
| struct aws_string *region = aws_credentials_provider_resolve_region_from_env(allocator); | ||
| if (region != NULL && region->len > 0) { | ||
| return region; | ||
| } | ||
|
|
||
| if (profile) { |
There was a problem hiding this comment.
a few lines up, we can leak the region string if it's ""
There was a problem hiding this comment.
the aws_credentials_provider_resolve_region_from_env() function has the same bug
There was a problem hiding this comment.
should we just have an alternate get-env-var function that won't return empty strings?
There was a problem hiding this comment.
oh man, if we're adding new get-env functions, we can fix the terrible API of the current one (bad because it did out-values to handle reporting OOM which we don't do anymore, and bad because it didn't just take char * which forces some users to allocate/cleanup a needless aws_string)
struct aws_string *aws_getenv_nonempty(struct aws_allocator *, const char *); // NULL if missing or ""
struct aws_string *aws_getenv_raw(struct aws_allocator *, const char *); // may be ""
There was a problem hiding this comment.
Thanks, I have added the aws_getenv_nonempty which will resolve this issue.
| */ | ||
| AWS_AUTH_API | ||
| int aws_credentials_provider_construct_regional_endpoint( | ||
| int aws_credentials_provider_construct_endpoint( |
There was a problem hiding this comment.
I'm not proposing an options-struct because this is private
But if someone moves this out of private/ and is like "WHY SHOULD I CHANGE IT YOU ALREADY APPROVED THE EXISTING CODE"
then I can point at this comment here and say "NUH UH"
| s_sts_service_env_name, | ||
| s_sts_service_name, | ||
| profile_collection, | ||
| profile)) { | ||
| goto cleanup; |
There was a problem hiding this comment.
if something goes wrong here, we end up setting out_region but not out_endpoint?
is that failure? or is that something we expect to happen?
There was a problem hiding this comment.
Logically, it won't happen since if we resolve the region, we can construct the endpoint. But even if it does happen in the future, we have a fallback: We will check that out_endpoint is not set and then use the global STS endpoint.
source/credentials_provider_sts.c
Outdated
Comment on lines
745
to
750
| *out_region = s_resolve_region(allocator, profile); | ||
|
|
||
| if (aws_credentials_provider_construct_endpoint( | ||
| allocator, | ||
| out_endpoint, | ||
| *out_region, |
There was a problem hiding this comment.
code clarity: *out_region could be NULL at this point....
and I see that aws_credentials_provider_construct_endpoint() only requires region sometimes
if region isn't always required, add a comment here to that effect
but if it is always required, maybe early-out if s_resolve_region() returns NULL
| on_finish: | ||
| aws_byte_buf_clean_up(&service_endpoint_buf); | ||
| aws_string_destroy(service_endpoint_str); | ||
| return out_endpoint; |
There was a problem hiding this comment.
there are a lot of paths where NULL is returned, but no aws_raise_error() happened. Is that OK for this helper function?
There was a problem hiding this comment.
Yes, NULL means that there was no endpoint_override configured.
DmitriyMusatkin
approved these changes
Mar 3, 2025
github-merge-queue bot
pushed a commit
to awslabs/mountpoint-s3
that referenced
this pull request
Mar 11, 2025
## Description of change Notably, includes awslabs/aws-c-auth#263 for #1203. Size: ```bash $ cargo package -p mountpoint-s3-crt-sys --no-verify --allow-dirty Packaging mountpoint-s3-crt-sys v0.12.1 (~/Code/mountpoint-s3/mountpoint-s3-crt-sys) Updating crates.io index Packaged 2171 files, 39.4MiB (7.0MiB compressed) ``` <details> <summary>CRT changelog:</summary> ``` Submodule mountpoint-s3-crt-sys/crt/aws-c-auth b513db4b..01dd06ac: > Support Endpoint Override for CredentialsProviders (#263) > aws_hex_encode() no longer adds null-terminator (#264) > Account ID support for Crendentials Providers (#262) Submodule mountpoint-s3-crt-sys/crt/aws-c-cal 7299c6ab..298122a0: > do not include crypto when doing byo_crypto (#207) > Ed25519 support. (#206) Submodule mountpoint-s3-crt-sys/crt/aws-c-common 0e7637fa..568f46b1: > New Get_ENV Functions (#1141) > aws_base64_compute_encoded_len() is now exact, doesn't add 1 extra for null-terminator (#1188) > Make aws_byte_cursor_from_string NULL tolerant (#1187) > Integration test for CPU feature detection (#1186) Submodule mountpoint-s3-crt-sys/crt/aws-c-io 3041dabf..318f7e57: > Revert win TLS 1.3 (#712) > Fix Windows server-side for TLS 1.3 (#710) > Tls1.3 win update (#676) > Add PQ_DEFAULT enum to aws_tls_cipher_pref (#707) Submodule mountpoint-s3-crt-sys/crt/aws-c-s3 6eb8be53..1d0091c7: > Adapt to aws_base64_compute_encoded_len() no longer adding 1 extra for null terminator (#497) > Make public bucket optional (#495) > add life cycle to s3 express to test helper (#494) > Auto - Update S3 Ruleset & Partition (#493) Submodule mountpoint-s3-crt-sys/crt/aws-lc 138a6ad3..7bca7e96: > Add IbmTpm to our CI (#2231) > Revert BIO_get_mem_data back to macro (#2261) > Update patch for Postgres (#2232) > Add missing algorithms to benchmark (#2056) > Update internal IANA values of PQ SupportedGroups (#2235) > Add CMAC benchmark for AWS-LC (#2218) > Added ML-DSA to break-kat framework (#2253) > Update EVP_PKEY ED keygen to use an internal function that can return the result of the PWCT (#2256) > Remove unused CMake options for break tests (#2249) > Adding no-op X509_TRUST_cleanup for select application compatibility (#2257) > Add LibRdKafka to our CI (#2225) > Add public wrapper to internal bn_minimal_width function (#2245) > Prepare v1.48.1 (#2252) > Make BIO_get_mem_data a function again (#2246) > Move OCSP ASN1 type functions to public header (#2239) > Prepare for release v.1.48.0 (#2248) > Migrate last batch of jobs (#2214) > Enforce FIPS callback is only enabled for static builds (#2241) > Update to using Clang 18 on Windows (#2240) > Don't 'dllexport' Windows symbols on static build (#2238) > Check pagesize is non-negative in AES-XTS test (#2237) > Coverity Fix (#2236) > Increase required CMake version to 3.5 (#2219) > Remove BORINGSSL_FIPS_BREAK_FFC_DH (#2216) > Bump version, preparing for release v1.47.0 (#2229) > Add support to export ML-DSA key-pairs in seed format (#2194) > Integration test for libgit2 (#2215) > Fix out-of-bound (OOB) input read in AES-XTS Decrypt in AVX-512 implementation (#2227) > Integration test for libssh2 (#2222) > Reset DTLS1_BITMAP without resorting to memset (#2223) > Use AWSLC_SOURCE_DIR and AWSLC_BINARY_DIR (#2208) > Update ABI Diff Action to work correctly on push events (#2188) > Add SSL_CTX_use_cert_and_key (#2163) > Add support to define a callback for FIPS test failures instead of aborting the process (#2162) > Move Ed25519ph into module boundary (#2186) > Add utility for querying and comparing the BORINGSSL_bcm_text_hash (#2217) > Add guidance around certificate auto-chaining in TLS (#2205) > SHAKE Incremental Byte Squeezes && EVP_ Tests (#2155) > Migrate 3rd batch of CI jobs (#2183) > Avoid duplicated definition of standalone test executable variables (#2212) > Modify SSL to inherit ciphersuites from SSL_CTX at initialization (#2198) > Prepare release v1.46.1 (#2210) > Remove access() call from Snapsafe detection (#2197) > Simplify IsFlag check logic (#2209) > Update pairwise consistency test failures to support gracefully continiung (#2201) > Enable RSA keygen becnhmarks by default (#2206) > Fix C++98 compatibility in our header files (#2193) > Add pq-tls interop test with BoringSSL (#2199) > Refactor AWS_LC_FIPS_failure to always exist (#2200) > Improve tool-openssl compatability for x509 and verify subcommands (#2196) > Prepare release v1.46.0 (#2204) > Add SPARCV9 target (#2202) > Simplify OpenSSH mainline build (#2158) > ML-KEM: Move FIPS-abort upon PCT failure to top-level ML-KEM API (#2195) > Add runtime options to break the pairwise consistency test for Ed, ML-KEM, and ML-DSA (#2192) > Update pkcs8_corpus files to include ML-DSA (#2191) > Refactor TLS 1.3 cipher selection and fix SSL_get_ciphers (#2092) > Add suport for asl and rol to match existing support for asr and ror (#2185) > SCRUTINICE fixes (#2180) > Make install_shared_and_static test more robust (#2179) > MacOS-12 GH runner no longer supported (#2190) > Add integration patches/CI for Ruby main and 3.3 (#2071) > Move ML-DSA to fipsmodule (#2175) > Expand spki fuzz corpus (#2187) > Update PQREADME.md (#2151) > Setup X509 CodeBuild Project for Limbo Report Generation (#2171) > Add msl to ARMConstantTweak and recognise ldrsw to prevent delocator errors (#2177) > Remove DEPENDS from add_custom_command as CMake made the behavior clear (#2178) > Update BORINGSSL_FIPS_abort to AWS_LC_FIPS_failure which takes a message (#2182) > Fix Nginx build (#2181) > Add EVP API Support for ED25519ph (#2144) > Update benchmark to skip chunk sizes that doesn't work with the algorithm (#2146) > Add new CAST tests to break-kat.go (#2173) > Migrate 2nd batch of CI jobs (#2091) > Ensure enabling local symbols doesn't change the module hash (#2169) > Move PQDSA to FIPSMODULE (#2166) > Ensure service indicator is incremented only once, update RSA and ED25519 to ensure the state is locked (#2112) > CAST and PCT for ML-DSA (#2148) > Validate or define ARM HWCAP2_XXX macros (#2164) > Prepare AWS-LC v1.45.0 (#2172) > Wrap pointers to s2n-bignum functions - delocator fix (#2165) > ML-DSA private keys from seeds (#2157) > SHA3 and SHAKE - New API Design (#2098) > Add support for PKCS12_set_mac (#2128) > Fix policy grant on ECR resource policy (#2159) > Cross library PQ interop test with s2n-tls (#2138) Submodule mountpoint-s3-crt-sys/crt/s2n-tls 6cc9f53d..4ed4f1a6: > tests: try to make s2n_mem_usage_test more useful (#5139) > chore: git-blame-ignore ruff formatting (#5151) > chore(bindings): change in rustup behavior (#5160) > refactor: remove unused prf hmac impls (#5148) > chore(ci): make the awslc fips install script version aware (#5100) > fix: memory leak during STEK rotation (#5146) > refactor: add alternative EVP signing method (#5141) > refactor: cleanup prf header (#5144) > feat(bindings): expose context on cert chain (#5132) > Ruff Formatting and add to CI (#5138) > chore(nix): Add aws-lc-fips 2022/4 (#5109) > test(integv2): fixes to allow test_record_padding to partially run (#5099) > build(deps): update rtshark requirement from 2.9.0 to 3.1.0 in /tests/pcap in the all-cargo-updates group across 1 directory (#5087) > tests: use sig schemes as source of truth for valid hash+sig algs (#5129) > ci: always set values for command line defines (#5126) > fix: update callback return value (#5136) > refactor: always use EVP hashing (#5121) > ci: add check for third-party-src in disable rand override buildspec (#5137) > feat: add async cert validation support (#5110) > chore: remove unused well-known-endpoints.py (#5127) > fix(bindings): remove mutation behind Arc (#5124) > chore: binding release 0.3.12 (#5128) > refactor: use EVP_MD_fetch() if available (#5116) > feat: Option to disable RAND engine override (#5108) > fix(bindings): make Context borrow immutable (#5071) > build(deps): update rand requirement (#5125) > chore: fix a typo in API comments (#5123) > bindings: unpin openssl crate from a specific patch version (#5120) > refactor: move "s2n_libcrypto_is" methods into s2n_libcrypto.h (#5117) > Add new security policy (20250211) (#5111) > Revert "refactor: remove unused evp support for md5+sha1 (#5106)" (#5118) > ci: add default provider to openssl-3.0-fips (#5114) > fix: don't enable custom random for openssl fips (#5093) > fix: allow b64 decoding using libcrypto for sidechannel resistance (#5103) > refactor: remove unused evp support for md5+sha1 (#5106) > refactor: remove s2n_hmac_is_available (#5104) > build(deps): bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 in /.github/workflows in the all-gha-updates group across 1 directory (#5107) > fix(integrationv2): Skip unsupported client auth tests (#5096) > chore: bindings release 0.3.11 (#5098) > chore: ktls buildspec (#5083) > Fixed formatting for debugging statements (#5094) > feat(bindings): add external psk apis (#5061) > test: add minimal openssl-3.0-fips test (#5081) > fix(ci): Allow validate_start_codebuild to run on pushes to main (#5080) > fix: don't use DEPENDS with add_custom_command(TARGET) (#5074) > fix: error for uninit psk, check for all-zero psk (#5084) > fix: calculation of session ticket age (#5001) > fix: add support for `S2N_INTERN_LIBCRYPTO` with FetchContent (#5076) > fix(integration): Update PQ integration test expectations (#5082) > ci: fix dependabot, commit & check Cargo.toml (#5065) > docs(s2n-tls-hyper): Add hyper client/server example (#5069) > docs(integv2): add architecture diagram (#5072) > fix(bindings): prevent temp connection free after panic (#5067) > ci: Emit benchmark metrics from scheduled runs (#5064) > ci: change rust-toolchain format to toml (#5070) > Revert "ci: remove openssl-1.0.2-fips builds (#4995)" (#5060) > feat(bench): impl into for base config type (#5056) > refactor: cleanup CBMC proofs after #5048 (#5058) > ci: Adding integ tests back to integv2 (#5054) > refactor: remove openssl-1.0.2-fips 'allow md5' logic (#5048) > ci: pin duvet version (#5057) > build(deps): bump cross-platform-actions/action from 0.26.0 to 0.27.0 in /.github/workflows in the all-gha-updates group (#5053) > chore: fix typos (#5052) > chore: bump osx Openssl to latest (#5041) > chore: bindings release for 0.3.10 (#5046) > fix: initial config should not influence sslv2 (#4987) > ci: add openssl-3.0-fips builds (#5037) > Add Security Policy Deprecation API (#5034) > docs: add C / s2n-tls-sys doc references to s2n-tls docs (#5012) > test: add sslv2 client hello test w/ jvm (#5019) > ci: add timeout for cbmc proof (#5038) > fix(bindings): Specify correct minimum versions (#5028) ``` </details> ## Does this change impact existing behavior? Nothing expected. ## Does this change need a changelog entry in any of the crates? Updated --- By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and I agree to the terms of the [Developer Certificate of Origin (DCO)](https://developercertificate.org/). Signed-off-by: Burak Varlı <burakvar@amazon.co.uk>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
#257
awslabs/aws-crt-swift#311
Description of changes:
Support endpoint override for credentials providers.
The order of resolution for configured endpoint is as follows:
AWS_ENDPOINT_URL_<SERVICE>.<SERVICE>here is the uppercased version of corresponding service identifier in this official list.AWS_ENDPOINT_URL.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.