Merge branch 'main' into cmake-modules

awslabs · Jan 28, 2025 · cff4edd · cff4edd
2 parents 1c085d5 + 274a1d2
commit cff4edd
Show file tree

Hide file tree

Showing 15 changed files with 168 additions and 27 deletions.
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -4,7 +4,7 @@ on:
   push:
 
 env:
-  BUILDER_VERSION: v0.9.72
+  BUILDER_VERSION: v0.9.74
   BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
   BUILDER_SOURCE: releases
   PACKAGE_NAME: aws-c-auth
@@ -28,4 +28,4 @@ jobs:
       run: |
         python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
         chmod a+x builder
-        ./builder build -p ${{ env.PACKAGE_NAME }} --compiler=gcc-9 --cmake-extra=-DASSERT_LOCK_HELD=ON --coverage
+        ./builder build -p ${{ env.PACKAGE_NAME }} --compiler=gcc --cmake-extra=-DASSERT_LOCK_HELD=ON --coverage
diff --git a/include/aws/auth/credentials.h b/include/aws/auth/credentials.h
@@ -82,6 +82,7 @@ struct aws_credentials_provider_static_options {
     struct aws_byte_cursor access_key_id;
     struct aws_byte_cursor secret_access_key;
     struct aws_byte_cursor session_token;
+    struct aws_byte_cursor account_id;
 };
 
 /**
@@ -743,6 +744,28 @@ struct aws_credentials *aws_credentials_new(
     struct aws_byte_cursor session_token_cursor,
     uint64_t expiration_timepoint_seconds);
 
+/**
+ * Creates a new set of aws credentials with account_id
+ *
+ * @param allocator memory allocator to use
+ * @param access_key_id_cursor value for the aws access key id field
+ * @param secret_access_key_cursor value for the secret access key field
+ * @param session_token_cursor (optional) security token associated with the credentials
+ * @param account_id (optional) value for the account_id field
+ * @param expiration_timepoint_seconds timepoint, in seconds since epoch, that the credentials will no longer
+ * be valid past.  For credentials that do not expire, use UINT64_MAX
+ *
+ * @return a valid credentials object, or NULL
+ */
+AWS_AUTH_API
+struct aws_credentials *aws_credentials_new_with_account_id(
+    struct aws_allocator *allocator,
+    struct aws_byte_cursor access_key_id_cursor,
+    struct aws_byte_cursor secret_access_key_cursor,
+    struct aws_byte_cursor session_token_cursor,
+    struct aws_byte_cursor account_id_cursor,
+    uint64_t expiration_timepoint_seconds);
+
 /**
  * Creates a new set of aws anonymous credentials.
  * Use Anonymous credentials, when you want to skip the signing process.
@@ -848,6 +871,15 @@ struct aws_byte_cursor aws_credentials_get_secret_access_key(const struct aws_cr
 AWS_AUTH_API
 struct aws_byte_cursor aws_credentials_get_session_token(const struct aws_credentials *credentials);
 
+/**
+ * Get the AWS account id from a set of credentials
+ *
+ * @param credentials to get the account id from
+ * @return a byte cursor to the account id or an empty byte cursor if there is no account id
+ */
+AWS_AUTH_API
+struct aws_byte_cursor aws_credentials_get_account_id(const struct aws_credentials *credentials);
+
 /**
  * Get the expiration timepoint (in seconds since epoch) associated with a set of credentials
  *
@@ -883,7 +915,7 @@ bool aws_credentials_is_anonymous(const struct aws_credentials *credentials);
  * the hybrid mode based on AWS credentials.
  *
  * @param allocator memory allocator to use for all memory allocation
- * @param credentials AWS credentials to derive the ECC key from using the AWS sigv4a key deriviation specification
+ * @param credentials AWS credentials to derive the ECC key from using the AWS sigv4a key derivation specification
  * @return a new ecc key pair or NULL on failure
  */
 AWS_AUTH_API

diff --git a/include/aws/auth/signing_config.h b/include/aws/auth/signing_config.h
@@ -209,7 +209,7 @@ struct aws_signing_config_aws {
     void *should_sign_header_ud;
 
     /*
-     * Put all flags in here at the end.  If this grows, stay aware of bit-space overflow and ABI compatibilty.
+     * Put all flags in here at the end.  If this grows, stay aware of bit-space overflow and ABI compatibility.
      */
     struct {
         /**

diff --git a/source/aws_imds_client.c b/source/aws_imds_client.c
@@ -954,7 +954,7 @@ static enum imds_token_copy_result s_copy_token_safely(struct imds_user_data *us
     return ret;
 }
 /**
- * Once a requseter returns from token request, it should call this function to unblock all other
+ * Once a requester returns from token request, it should call this function to unblock all other
  * waiting requesters. When the token parameter is NULL, means the token request failed. Now we need
  * a new requester to acquire the token again.
  */

diff --git a/source/aws_signing.c b/source/aws_signing.c
@@ -82,6 +82,7 @@ static struct aws_byte_cursor s_sec_websocket_key_header_name;
 static struct aws_byte_cursor s_sec_websocket_protocol_header_name;
 static struct aws_byte_cursor s_sec_websocket_version_header_name;
 static struct aws_byte_cursor s_upgrade_header_name;
+static struct aws_byte_cursor s_transfer_encoding_header_name;
 
 static struct aws_byte_cursor s_amz_content_sha256_header_name;
 static struct aws_byte_cursor s_amz_date_header_name;
@@ -157,6 +158,11 @@ int aws_signing_init_signing_tables(struct aws_allocator *allocator) {
         return AWS_OP_ERR;
     }
 
+    s_transfer_encoding_header_name = aws_byte_cursor_from_c_str("transfer-encoding");
+    if (aws_hash_table_put(&s_skipped_headers, &s_transfer_encoding_header_name, NULL, NULL)) {
+        return AWS_OP_ERR;
+    }
+
     if (aws_hash_table_init(
             &s_forbidden_headers,
             allocator,

diff --git a/source/credentials.c b/source/credentials.c
@@ -22,6 +22,7 @@ struct aws_credentials_identity {
     struct aws_string *access_key_id;
     struct aws_string *secret_access_key;
     struct aws_string *session_token;
+    struct aws_string *account_id;
 };
 
 /* aws_token identity contains only a token to represent token only identities like a bearer token. */
@@ -85,13 +86,34 @@ struct aws_credentials {
 /*
  * Credentials API implementations
  */
+
 struct aws_credentials *aws_credentials_new(
     struct aws_allocator *allocator,
     struct aws_byte_cursor access_key_id_cursor,
     struct aws_byte_cursor secret_access_key_cursor,
     struct aws_byte_cursor session_token_cursor,
     uint64_t expiration_timepoint_seconds) {
 
+    struct aws_byte_cursor account_id;
+    AWS_ZERO_STRUCT(account_id);
+
+    return aws_credentials_new_with_account_id(
+        allocator,
+        access_key_id_cursor,
+        secret_access_key_cursor,
+        session_token_cursor,
+        account_id,
+        expiration_timepoint_seconds);
+}
+
+struct aws_credentials *aws_credentials_new_with_account_id(
+    struct aws_allocator *allocator,
+    struct aws_byte_cursor access_key_id_cursor,
+    struct aws_byte_cursor secret_access_key_cursor,
+    struct aws_byte_cursor session_token_cursor,
+    struct aws_byte_cursor account_id_cursor,
+    uint64_t expiration_timepoint_seconds) {
+
     if (access_key_id_cursor.ptr == NULL || access_key_id_cursor.len == 0) {
         aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);
         return NULL;
@@ -133,6 +155,14 @@ struct aws_credentials *aws_credentials_new(
         }
     }
 
+    if (account_id_cursor.ptr != NULL && account_id_cursor.len > 0) {
+        credentials_identity->account_id =
+            aws_string_new_from_array(allocator, account_id_cursor.ptr, account_id_cursor.len);
+        if (credentials_identity->account_id == NULL) {
+            goto error;
+        }
+    }
+
     credentials->expiration_timepoint_seconds = expiration_timepoint_seconds;
 
     return credentials;
@@ -166,6 +196,7 @@ static void s_aws_credentials_destroy(struct aws_credentials *credentials) {
             aws_string_destroy(credentials->identity.credentials_identity.access_key_id);
             aws_string_destroy_secure(credentials->identity.credentials_identity.secret_access_key);
             aws_string_destroy_secure(credentials->identity.credentials_identity.session_token);
+            aws_string_destroy_secure(credentials->identity.credentials_identity.account_id);
             break;
         case ECC_IDENTITY:
             aws_string_destroy(credentials->identity.ecc_identity.access_key_id);
@@ -255,6 +286,19 @@ struct aws_byte_cursor aws_credentials_get_session_token(const struct aws_creden
     return s_empty_token_cursor;
 }
 
+struct aws_byte_cursor aws_credentials_get_account_id(const struct aws_credentials *credentials) {
+    switch (credentials->identity_type) {
+        case AWS_CREDENTIALS_IDENTITY:
+            if (credentials->identity.credentials_identity.account_id != NULL) {
+                return aws_byte_cursor_from_string(credentials->identity.credentials_identity.account_id);
+            }
+            break;
+        default:
+            break;
+    }
+    return s_empty_token_cursor;
+}
+
 struct aws_byte_cursor aws_credentials_get_token(const struct aws_credentials *credentials) {
     switch (credentials->identity_type) {
         case TOKEN_IDENTITY:

diff --git a/source/credentials_provider_cached.c b/source/credentials_provider_cached.c
@@ -60,7 +60,7 @@ static void s_swap_cached_credentials(
 
         AWS_LOGF_DEBUG(
             AWS_LS_AUTH_CREDENTIALS_PROVIDER,
-            "(id=%p) Cached credentials provider succesfully sourced credentials on refresh",
+            "(id=%p) Cached credentials provider successfully sourced credentials on refresh",
             (void *)provider);
     } else {
         AWS_LOGF_DEBUG(

diff --git a/source/credentials_provider_sso.c b/source/credentials_provider_sso.c
@@ -378,7 +378,7 @@ static void s_on_get_token_callback(struct aws_credentials *credentials, int err
     struct aws_byte_cursor token = aws_credentials_get_token(credentials);
     AWS_LOGF_INFO(
         AWS_LS_AUTH_CREDENTIALS_PROVIDER,
-        "(id=%p): successfully accquired a token",
+        "(id=%p): successfully acquired a token",
         (void *)sso_query_context->provider);
 
     sso_query_context->token = aws_string_new_from_cursor(sso_query_context->allocator, &token);
@@ -401,7 +401,7 @@ static void s_on_acquire_connection(struct aws_http_connection *connection, int
     }
     AWS_LOGF_INFO(
         AWS_LS_AUTH_CREDENTIALS_PROVIDER,
-        "(id=%p): successfully accquired a connection",
+        "(id=%p): successfully acquired a connection",
         (void *)sso_query_context->provider);
     sso_query_context->connection = connection;
 

diff --git a/source/credentials_provider_static.c b/source/credentials_provider_static.c
@@ -51,8 +51,13 @@ struct aws_credentials_provider *aws_credentials_provider_new_static(
 
     AWS_ZERO_STRUCT(*provider);
 
-    struct aws_credentials *credentials = aws_credentials_new(
-        allocator, options->access_key_id, options->secret_access_key, options->session_token, UINT64_MAX);
+    struct aws_credentials *credentials = aws_credentials_new_with_account_id(
+        allocator,
+        options->access_key_id,
+        options->secret_access_key,
+        options->session_token,
+        options->account_id,
+        UINT64_MAX);
     if (credentials == NULL) {
         goto on_new_credentials_failure;
     }

diff --git a/source/credentials_provider_sts.c b/source/credentials_provider_sts.c
@@ -742,7 +742,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_sts(
     const struct aws_credentials_provider_sts_options *options) {
 
     if (!options->bootstrap) {
-        AWS_LOGF_ERROR(AWS_LS_AUTH_CREDENTIALS_PROVIDER, "a client bootstrap is necessary for quering STS");
+        AWS_LOGF_ERROR(AWS_LS_AUTH_CREDENTIALS_PROVIDER, "a client bootstrap is necessary for querying STS");
         aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);
         return NULL;
     }

diff --git a/source/credentials_utils.c b/source/credentials_utils.c
@@ -96,7 +96,7 @@ static bool s_parse_expiration_value_from_json_object(
             if (aws_json_value_get_string(value, &expiration_cursor)) {
                 AWS_LOGF_INFO(
                     AWS_LS_AUTH_CREDENTIALS_PROVIDER,
-                    "Unabled to extract credentials Expiration field from Json document.");
+                    "Unable to extract credentials Expiration field from Json document.");
                 return false;
             }
 
@@ -123,7 +123,7 @@ static bool s_parse_expiration_value_from_json_object(
             if (aws_json_value_get_number(value, &expiration_value)) {
                 AWS_LOGF_INFO(
                     AWS_LS_AUTH_CREDENTIALS_PROVIDER,
-                    "Unabled to extract credentials Expiration field from Json document.");
+                    "Unable to extract credentials Expiration field from Json document.");
                 return false;
             }
 
@@ -136,7 +136,7 @@ static bool s_parse_expiration_value_from_json_object(
             if (aws_json_value_get_number(value, &expiration_value_ms)) {
                 AWS_LOGF_INFO(
                     AWS_LS_AUTH_CREDENTIALS_PROVIDER,
-                    "Unabled to extract credentials Expiration field from Json document.");
+                    "Unable to extract credentials Expiration field from Json document.");
                 return false;
             }
 

diff --git a/source/token_provider_sso_session.c b/source/token_provider_sso_session.c
@@ -53,7 +53,7 @@ static int s_token_provider_sso_session_get_token(
         goto done;
     }
 
-    /* TODO: Refresh token if it is within refresh window and refreshable */
+    /* TODO: Refresh token if it is within refresh window and refreshble */
 
     credentials = aws_credentials_new_token(
         provider->allocator,

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
@@ -195,6 +195,7 @@ add_test_case(credentials_utils_construct_endpoint_test)
 add_test_case(sigv4_skip_xray_header_test)
 add_test_case(sigv4_skip_user_agent_header_test)
 add_test_case(sigv4_skip_custom_header_test)
+add_test_case(sigv4_skip_transfer_encoding_header_test)
 
 add_test_case(sigv4_fail_date_header_test)
 add_test_case(sigv4_fail_content_header_test)