|
789 | 789 |
|
790 | 790 | print(" ✓ Compressed log uploaded with multipart") |
791 | 791 |
|
| 792 | + @setup_s3( |
| 793 | + populate_bucket=[PKGS['A']], |
| 794 | + profiles={ |
| 795 | + "valid": {"access_key": ACCESS_KEY, "secret_key": SECRET_KEY}, |
| 796 | + "invalid": {"access_key": "INVALIDKEY", "secret_key": "INVALIDSECRET"}, |
| 797 | + } |
| 798 | + ) |
| 799 | + def test_profile_credentials(bucket): |
| 800 | + """Test that profile-based credentials work without environment variables""" |
| 801 | + print("\n=== Testing Profile-Based Credentials ===") |
| 802 | +
|
| 803 | + store_url = make_s3_url(bucket, profile="valid") |
| 804 | +
|
| 805 | + # Verify store info works with profile credentials (no env vars) |
| 806 | + client.succeed(f"HOME=/root nix store info --store '{store_url}' >&2") |
| 807 | + print(" ✓ nix store info works with profile credentials") |
| 808 | +
|
| 809 | + # Verify we can copy from the store using profile |
| 810 | + verify_packages_in_store(client, PKGS['A'], should_exist=False) |
| 811 | + client.succeed(f"HOME=/root nix copy --no-check-sigs --from '{store_url}' {PKGS['A']}") |
| 812 | + verify_packages_in_store(client, PKGS['A']) |
| 813 | + print(" ✓ nix copy works with profile credentials") |
| 814 | +
|
| 815 | + # Clean up the package we just copied so we can test invalid profile |
| 816 | + client.succeed(f"nix store delete --ignore-liveness {PKGS['A']}") |
| 817 | + verify_packages_in_store(client, PKGS['A'], should_exist=False) |
| 818 | +
|
| 819 | + # Verify invalid profile fails when trying to copy |
| 820 | + invalid_url = make_s3_url(bucket, profile="invalid") |
| 821 | + client.fail(f"HOME=/root nix copy --no-check-sigs --from '{invalid_url}' {PKGS['A']} 2>&1") |
| 822 | + print(" ✓ Invalid profile credentials correctly rejected") |
| 823 | +
|
| 824 | + @setup_s3( |
| 825 | + populate_bucket=[PKGS['A']], |
| 826 | + profiles={ |
| 827 | + "wrong": {"access_key": "WRONGKEY", "secret_key": "WRONGSECRET"}, |
| 828 | + } |
| 829 | + ) |
| 830 | + def test_env_vars_precedence(bucket): |
| 831 | + """Test that environment variables take precedence over profile credentials""" |
| 832 | + print("\n=== Testing Environment Variables Precedence ===") |
| 833 | +
|
| 834 | + # Use profile with wrong credentials, but provide correct creds via env vars |
| 835 | + store_url = make_s3_url(bucket, profile="wrong") |
| 836 | +
|
| 837 | + # Ensure package is not in client store |
| 838 | + verify_packages_in_store(client, PKGS['A'], should_exist=False) |
| 839 | +
|
| 840 | + # This should succeed because env vars (correct) override profile (wrong) |
| 841 | + output = client.succeed( |
| 842 | + f"HOME=/root {ENV_WITH_CREDS} nix copy --no-check-sigs --debug --from '{store_url}' {PKGS['A']} 2>&1" |
| 843 | + ) |
| 844 | + print(" ✓ nix copy succeeded with env vars overriding wrong profile") |
| 845 | +
|
| 846 | + # Verify the credential chain shows Environment provider was added |
| 847 | + if "Added AWS Environment Credential Provider" not in output: |
| 848 | + print("Debug output:") |
| 849 | + print(output) |
| 850 | + raise Exception("Expected Environment provider to be added to chain") |
| 851 | + print(" ✓ Environment provider added to credential chain") |
| 852 | +
|
| 853 | + # Clean up the package so we can test again without env vars |
| 854 | + client.succeed(f"nix store delete --ignore-liveness {PKGS['A']}") |
| 855 | + verify_packages_in_store(client, PKGS['A'], should_exist=False) |
| 856 | +
|
| 857 | + # Without env vars, same URL should fail (proving profile creds are actually wrong) |
| 858 | + client.fail(f"HOME=/root nix copy --no-check-sigs --from '{store_url}' {PKGS['A']} 2>&1") |
| 859 | + print(" ✓ Without env vars, wrong profile credentials correctly fail") |
| 860 | +
|
| 861 | + @setup_s3( |
| 862 | + populate_bucket=[PKGS['A']], |
| 863 | + profiles={ |
| 864 | + "testprofile": {"access_key": ACCESS_KEY, "secret_key": SECRET_KEY}, |
| 865 | + } |
| 866 | + ) |
| 867 | + def test_credential_provider_chain(bucket): |
| 868 | + """Test that debug logging shows which providers are added to the chain""" |
| 869 | + print("\n=== Testing Credential Provider Chain Logging ===") |
| 870 | +
|
| 871 | + store_url = make_s3_url(bucket, profile="testprofile") |
| 872 | +
|
| 873 | + output = client.succeed( |
| 874 | + f"HOME=/root nix store info --debug --store '{store_url}' 2>&1" |
| 875 | + ) |
| 876 | +
|
| 877 | + # For a named profile, we expect to see these providers in the chain |
| 878 | + expected_providers = ["Environment", "Profile", "IMDS"] |
| 879 | + for provider in expected_providers: |
| 880 | + msg = f"Added AWS {provider} Credential Provider to chain for profile 'testprofile'" |
| 881 | + if msg not in output: |
| 882 | + print("Debug output:") |
| 883 | + print(output) |
| 884 | + raise Exception(f"Expected to find: {msg}") |
| 885 | + print(f" ✓ {provider} provider added to chain") |
| 886 | +
|
| 887 | + # SSO should be skipped (no SSO config for this profile) |
| 888 | + if "Skipped AWS SSO Credential Provider for profile 'testprofile'" not in output: |
| 889 | + print("Debug output:") |
| 890 | + print(output) |
| 891 | + raise Exception("Expected SSO provider to be skipped") |
| 892 | + print(" ✓ SSO provider correctly skipped (not configured)") |
| 893 | +
|
792 | 894 | # ============================================================================ |
793 | 895 | # Main Test Execution |
794 | 896 | # ============================================================================ |
|
822 | 924 | test_multipart_upload_basic() |
823 | 925 | test_multipart_threshold() |
824 | 926 | test_multipart_with_log_compression() |
| 927 | + test_profile_credentials() |
| 928 | + test_env_vars_precedence() |
| 929 | + test_credential_provider_chain() |
825 | 930 |
|
826 | 931 | print("\n" + "="*80) |
827 | 932 | print("✓ All S3 Binary Cache Store Tests Passed!") |
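Review bot: The negative assertions at new lines 821 and 858 (`client.fail(f"HOME=/root nix copy --no-check-sigs --from '{invalid_url}' {PKGS['A']} 2>&1")`) only require a non-zero exit status, so any unrelated failure — a malformed store URL, the profile file not being written under /root, the bucket being unreachable — satisfies them and the "credentials correctly rejected" checks silently stop testing credential rejection at all. Capture the output and require an authorization error instead, e.g. `output = client.fail(f"HOME=/root nix copy --no-check-sigs --from '{invalid_url}' {PKGS['A']} 2>&1")` followed by `assert any(s in output for s in ("AccessDenied", "InvalidAccessKeyId", "403")), output`; the exact error text depends on the S3 backend that setup_s3 provisions, which is not visible here, so confirm the strings against a real run. The same tightening applies to the second `client.fail` in test_env_vars_precedence, which is what is supposed to prove the "wrong" profile is actually wrong rather than merely unusable. The positive paths already pin behaviour through the debug-log provider messages, so only the rejection path is underspecified.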
|