Track Backports for 0.32.3 in our Fork

Cargo.toml

@@ -1,6 +1,2 @@
 [workspace]
-members = [
-    "s3",
-    "aws-region",
-    "aws-creds"
-]
+members = ["rust-s3", "aws-creds"]

aws-creds/Cargo.toml

@@ -1,37 +1,39 @@
 [package]
 name = "aws-creds"
-version = "0.30.0"
+version = "0.38.0"
 authors = ["Drazen Urch"]
-description = "Tiny Rust library for working with Amazon IAM credential,s, supports `s3` crate"
+description = "Rust library for working with Amazon IAM credential,s, supports `s3` crate"
 repository = "https://github.com/durch/rust-s3"
 readme = "README.md"
-keywords = ["AWS", "S3", "Wasabi", "Minio", "Yandex"]
+keywords = ["AWS", "S3", "Wasabi", "Minio", "R2"]
 license = "MIT"
-documentation = "https://durch.github.io/rust-s3/"
-edition = "2018"
+documentation = "https://docs.rs/aws-creds/latest/awscreds/"
+edition = "2021"
 
 [lib]
 name = "awscreds"
 path = "src/lib.rs"
 
 [dependencies]
 thiserror = "1"
-dirs = "4"
-rust-ini = "0.18"
-attohttpc = { version = "0.19", default-features = false, features = [
+home = "0.5"
+rust-ini = "0.21"
+attohttpc = { version = "0.28", default-features = false, features = [
     "json",
 ], optional = true }
 url = "2"
-serde-xml-rs = "0.5"
+quick-xml = { version = "0.32", features = ["serialize"] }
 serde = { version = "1", features = ["derive"] }
 time = { version = "^0.3.6", features = ["serde", "serde-well-known"] }
+log = "0.4"
 
 [features]
 default = ["native-tls"]
 http-credentials = ["attohttpc"]
 native-tls = ["http-credentials", "attohttpc/tls"]
+native-tls-vendored = ["http-credentials", "attohttpc/tls-vendored"]
 rustls-tls = ["http-credentials", "attohttpc/tls-rustls"]
 
 [dev-dependencies]
-env_logger = "0.9"
+env_logger = "0.11"
 serde_json = "1"

aws-creds/src/credentials.rs

@@ -1,13 +1,16 @@
 #![allow(dead_code)]
+
 use crate::error::CredentialsError;
 use ini::Ini;
+use log::debug;
 use serde::{Deserialize, Serialize};
-use serde_xml_rs as serde_xml;
 use std::collections::HashMap;
 use std::env;
+use std::ops::Deref;
 use std::sync::atomic::AtomicU32;
 use std::sync::atomic::Ordering;
 use std::time::Duration;
+use time::OffsetDateTime;
 use url::Url;
 
 /// AWS access credentials: access key, secret key, and optional token.
@@ -23,19 +26,17 @@ use url::Url;
 /// use awscreds::Credentials;
 ///
 /// // Load credentials from `[default]` profile
-/// #[cfg(feature="http-credentials")]
 /// let credentials = Credentials::default();
 ///
 /// // Also loads credentials from `[default]` profile
-/// #[cfg(feature="http-credentials")]
 /// let credentials = Credentials::new(None, None, None, None, None);
 ///
 /// // Load credentials from `[my-profile]` profile
-/// #[cfg(feature="http-credentials")]
 /// let credentials = Credentials::new(None, None, None, None, Some("my-profile".into()));
-/// ```
+///
 /// // Use anonymous credentials for public objects
 /// let credentials = Credentials::anonymous();
+/// ```
 ///
 /// Credentials may also be initialized directly or by the following environment variables:
 ///
@@ -52,14 +53,12 @@ use url::Url;
 /// // Load credentials directly
 /// let access_key = "AKIAIOSFODNN7EXAMPLE";
 /// let secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
-/// #[cfg(feature="http-credentials")]
 /// let credentials = Credentials::new(Some(access_key), Some(secret_key), None, None, None);
 ///
 /// // Load credentials from the environment
 /// use std::env;
 /// env::set_var("AWS_ACCESS_KEY_ID", "AKIAIOSFODNN7EXAMPLE");
 /// env::set_var("AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
-/// #[cfg(feature="http-credentials")]
 /// let credentials = Credentials::new(None, None, None, None, None);
 /// ```
 #[derive(Clone, Debug, Eq, PartialEq, Serialize, Deserialize)]
@@ -71,7 +70,31 @@ pub struct Credentials {
     /// Temporary token issued by AWS service.
     pub security_token: Option<String>,
     pub session_token: Option<String>,
-    pub expiration: Option<time::OffsetDateTime>,
+    pub expiration: Option<Rfc3339OffsetDateTime>,
+}
+
+#[derive(Debug, Copy, Clone, Eq, PartialEq, Serialize, Deserialize)]
+#[repr(transparent)]
+pub struct Rfc3339OffsetDateTime(#[serde(with = "time::serde::rfc3339")] pub time::OffsetDateTime);
+
+impl From<time::OffsetDateTime> for Rfc3339OffsetDateTime {
+    fn from(v: time::OffsetDateTime) -> Self {
+        Self(v)
+    }
+}
+
+impl From<Rfc3339OffsetDateTime> for time::OffsetDateTime {
+    fn from(v: Rfc3339OffsetDateTime) -> Self {
+        v.0
+    }
+}
+
+impl Deref for Rfc3339OffsetDateTime {
+    type Target = time::OffsetDateTime;
+
+    fn deref(&self) -> &Self::Target {
+        &self.0
+    }
 }
 
 #[derive(Deserialize, Debug)]
@@ -96,7 +119,7 @@ pub struct AssumeRoleWithWebIdentityResult {
 pub struct StsResponseCredentials {
     pub session_token: String,
     pub secret_access_key: String,
-    pub expiration: time::OffsetDateTime,
+    pub expiration: Rfc3339OffsetDateTime,
     pub access_key_id: String,
 }
 
@@ -146,20 +169,35 @@ pub fn set_request_timeout(timeout: Option<Duration>) -> Option<Duration> {
     }
 }
 
-/// Sends a GET request to `url` with a request timeout if one was set.
 #[cfg(feature = "http-credentials")]
-fn http_get(url: &str) -> attohttpc::Result<attohttpc::Response> {
-    let mut builder = attohttpc::get(url);
-
+fn apply_timeout(builder: attohttpc::RequestBuilder) -> attohttpc::RequestBuilder {
     let timeout_ms = REQUEST_TIMEOUT_MS.load(Ordering::Relaxed);
     if timeout_ms > 0 {
-        builder = builder.timeout(Duration::from_millis(timeout_ms as u64));
+        return builder.timeout(Duration::from_millis(timeout_ms as u64));
     }
+    builder
+}
+
+/// Sends a GET request to `url` with a request timeout if one was set.
+#[cfg(feature = "http-credentials")]
+fn http_get(url: &str) -> attohttpc::Result<attohttpc::Response> {
+    let builder = apply_timeout(attohttpc::get(url));
 
     builder.send()
 }
 
 impl Credentials {
+    pub fn refresh(&mut self) -> Result<(), CredentialsError> {
+        if let Some(expiration) = self.expiration {
+            if expiration.0 <= OffsetDateTime::now_utc() {
+                debug!("Refreshing credentials!");
+                let refreshed = Credentials::default()?;
+                *self = refreshed
+            }
+        }
+        Ok(())
+    }
+
     #[cfg(feature = "http-credentials")]
     pub fn from_sts_env(session_name: &str) -> Result<Credentials, CredentialsError> {
         let role_arn = env::var("AWS_ROLE_ARN")?;
@@ -174,8 +212,14 @@ impl Credentials {
         session_name: &str,
         web_identity_token: &str,
     ) -> Result<Credentials, CredentialsError> {
+        let use_regional_sts = env::var("AWS_STS_REGIONAL_ENDPOINTS") == Ok("regional".to_string());
+        let sts_url = if use_regional_sts {
+            format!("https://sts.{}.amazonaws.com/", env::var("AWS_REGION")?)
+        } else {
+            "https://sts.amazonaws.com/".to_string()
+        };
         let url = Url::parse_with_params(
-            "https://sts.amazonaws.com/",
+            sts_url.as_str(),
             &[
                 ("Action", "AssumeRoleWithWebIdentity"),
                 ("RoleSessionName", session_name),
@@ -186,8 +230,8 @@ impl Credentials {
         )?;
         let response = http_get(url.as_str())?;
         let serde_response =
-            serde_xml::from_str::<AssumeRoleWithWebIdentityResponse>(&response.text()?)?;
-        // assert!(serde_xml::from_str::<AssumeRoleWithWebIdentityResponse>(&response.text()?).unwrap());
+            quick_xml::de::from_str::<AssumeRoleWithWebIdentityResponse>(&response.text()?)?;
+        // assert!(quick_xml::de::from_str::<AssumeRoleWithWebIdentityResponse>(&response.text()?).unwrap());
 
         Ok(Credentials {
             access_key: Some(
@@ -218,7 +262,7 @@ impl Credentials {
         })
     }
 
-    #[cfg(feature = "http-credentials")]
+    #[allow(clippy::should_implement_trait)]
     pub fn default() -> Result<Credentials, CredentialsError> {
         Credentials::new(None, None, None, None, None)
     }
@@ -235,7 +279,6 @@ impl Credentials {
 
     /// Initialize Credentials directly with key ID, secret key, and optional
     /// token.
-    #[cfg(feature = "http-credentials")]
     pub fn new(
         access_key: Option<&str>,
         secret_key: Option<&str>,
@@ -253,10 +296,15 @@ impl Credentials {
             });
         }
 
-        Credentials::from_sts_env("aws-creds")
-            .or_else(|_| Credentials::from_env())
-            .or_else(|_| Credentials::from_profile(profile))
-            .or_else(|_| Credentials::from_instance_metadata())
+        let credentials = Credentials::from_env().or_else(|_| Credentials::from_profile(profile));
+
+        #[cfg(feature = "http-credentials")]
+        let credentials = credentials
+            .or_else(|_| Credentials::from_sts_env("aws-creds"))
+            .or_else(|_| Credentials::from_instance_metadata_v2(false))
+            .or_else(|_| Credentials::from_instance_metadata(false));
+
+        credentials.map_err(|_| CredentialsError::NoCredentials)
     }
 
     pub fn from_env_specific(
@@ -284,30 +332,33 @@ impl Credentials {
     }
 
     #[cfg(feature = "http-credentials")]
-    pub fn from_instance_metadata() -> Result<Credentials, CredentialsError> {
+    pub fn from_instance_metadata(not_ec2: bool) -> Result<Credentials, CredentialsError> {
         let resp: CredentialsFromInstanceMetadata =
             match env::var("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI") {
                 Ok(credentials_path) => {
                     // We are on ECS
-                    attohttpc::get(&format!("http://169.254.170.2{}", credentials_path))
-                        .send()?
-                        .json()?
+                    apply_timeout(attohttpc::get(format!(
+                        "http://169.254.170.2{}",
+                        credentials_path
+                    )))
+                    .send()?
+                    .json()?
                 }
                 Err(_) => {
-                    if !is_ec2() {
+                    if !not_ec2 && !is_ec2() {
                         return Err(CredentialsError::NotEc2);
                     }
 
-                    let role = attohttpc::get(
+                    let role = apply_timeout(attohttpc::get(
                         "http://169.254.169.254/latest/meta-data/iam/security-credentials",
-                    )
+                    ))
                     .send()?
                     .text()?;
 
-                    attohttpc::get(&format!(
+                    apply_timeout(attohttpc::get(format!(
                         "http://169.254.169.254/latest/meta-data/iam/security-credentials/{}",
                         role
-                    ))
+                    )))
                     .send()?
                     .json()?
                 }
@@ -322,10 +373,50 @@ impl Credentials {
         })
     }
 
+    #[cfg(feature = "http-credentials")]
+    pub fn from_instance_metadata_v2(not_ec2: bool) -> Result<Credentials, CredentialsError> {
+        if !not_ec2 && !is_ec2() {
+            return Err(CredentialsError::NotEc2);
+        }
+
+        let token = apply_timeout(attohttpc::put("http://169.254.169.254/latest/api/token"))
+            .header("X-aws-ec2-metadata-token-ttl-seconds", "21600")
+            .send()?;
+        if !token.is_success() {
+            return Err(CredentialsError::UnexpectedStatusCode(
+                token.status().as_u16(),
+            ));
+        }
+        let token = token.text()?;
+
+        let role = apply_timeout(attohttpc::get(
+            "http://169.254.169.254/latest/meta-data/iam/security-credentials",
+        ))
+        .header("X-aws-ec2-metadata-token", &token)
+        .send()?
+        .text()?;
+
+        let resp: CredentialsFromInstanceMetadata = apply_timeout(attohttpc::get(format!(
+            "http://169.254.169.254/latest/meta-data/iam/security-credentials/{}",
+            role
+        )))
+        .header("X-aws-ec2-metadata-token", &token)
+        .send()?
+        .json()?;
+
+        Ok(Credentials {
+            access_key: Some(resp.access_key_id),
+            secret_key: Some(resp.secret_access_key),
+            security_token: Some(resp.token),
+            expiration: Some(resp.expiration),
+            session_token: None,
+        })
+    }
+
     pub fn from_profile(section: Option<&str>) -> Result<Credentials, CredentialsError> {
-        let home_dir = dirs::home_dir().ok_or(CredentialsError::HomeDir)?;
+        let home_dir = home::home_dir().ok_or(CredentialsError::HomeDir)?;
         let profile = format!("{}/.aws/credentials", home_dir.display());
-        let conf = Ini::load_from_file(&profile)?;
+        let conf = Ini::load_from_file(profile)?;
         let section = section.unwrap_or("default");
         let data = conf
             .section(Some(section))
@@ -376,9 +467,9 @@ struct CredentialsFromInstanceMetadata {
     access_key_id: String,
     secret_access_key: String,
     token: String,
-    #[serde(with = "time::serde::rfc3339")]
-    expiration: time::OffsetDateTime, // TODO fix #163
+    expiration: Rfc3339OffsetDateTime, // TODO fix #163
 }
+
 #[cfg(test)]
 #[test]
 fn test_instance_metadata_creds_deserialization() {
@@ -399,3 +490,15 @@ fn test_instance_metadata_creds_deserialization() {
     )
     .unwrap();
 }
+
+#[cfg(test)]
+#[ignore]
+#[test]
+fn test_credentials_refresh() {
+    let mut c = Credentials::default().expect("Could not generate credentials");
+    let e = Rfc3339OffsetDateTime(OffsetDateTime::now_utc());
+    c.expiration = Some(e);
+    std::thread::sleep(std::time::Duration::from_secs(3));
+    c.refresh().expect("Could not refresh");
+    assert!(c.expiration.is_none())
+}