From f916852fdc440add6f169424c06c76be242822f0 Mon Sep 17 00:00:00 2001
From: Peet Whittaker <peet.whittaker@gmail.com>
Date: Thu, 16 May 2024 13:12:50 +0100
Subject: [PATCH] Update S3 cache to read AWS_SESSION_TOKEN env var if present
 (#339)

* Update S3 cache to read AWS_SESSION_TOKEN env var if present

* Increase line buffer size when reading S3 credentials file
---
 lib/cache_rest.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/lib/cache_rest.c b/lib/cache_rest.c
index 4c7e9ed2..9fd601c6 100644
--- a/lib/cache_rest.c
+++ b/lib/cache_rest.c
@@ -108,6 +108,7 @@ struct mapcache_cache_s3 {
   mapcache_cache_rest cache;
   char *id;
   char *secret;
+  char *session_token;
   char *region;
   char *credentials_file;
 };
@@ -868,16 +869,18 @@ static void _mapcache_cache_s3_headers_add(mapcache_context *ctx, const char* me
     if((rv=apr_file_open(&f, s3->credentials_file,
                        APR_FOPEN_READ|APR_FOPEN_BUFFERED|APR_FOPEN_BINARY,APR_OS_DEFAULT,
                        ctx->pool)) == APR_SUCCESS) {
-      char line[2048];
-      if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+      // Line length buffer increased to handle longer session tokens; see:
+      // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+      char line[4096];
+      if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
         _remove_lineends(line);
         aws_access_key_id = apr_pstrdup(ctx->pool,line);
       }
-      if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+      if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
         _remove_lineends(line);
         aws_secret_access_key = apr_pstrdup(ctx->pool,line);
       }
-      if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+      if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
         _remove_lineends(line);
         aws_security_token = apr_pstrdup(ctx->pool,line);
       }
@@ -894,7 +897,7 @@ static void _mapcache_cache_s3_headers_add(mapcache_context *ctx, const char* me
   } else {
     aws_access_key_id = s3->id;
     aws_secret_access_key = s3->secret;
-    aws_security_token = NULL;
+    aws_security_token = s3->session_token;
   }
 
   if(!strcmp(method,"PUT")) {
@@ -1366,6 +1369,13 @@ static void _mapcache_cache_s3_configuration_parse_xml(mapcache_context *ctx, ez
       ctx->set_error(ctx,400,"s3 cache (%s) is missing required <secret> child or AWS_SECRET_ACCESS_KEY environment", cache->name);
       return;
     }
+    if ((cur_node = ezxml_child(node,"session_token")) != NULL) {
+      s3->session_token = apr_pstrdup(ctx->pool, cur_node->txt);
+    } else if ( getenv("AWS_SESSION_TOKEN")) {
+      s3->session_token = apr_pstrdup(ctx->pool,getenv("AWS_SESSION_TOKEN"));
+    } else {
+      s3->session_token = NULL;
+    }
   }
   if ((cur_node = ezxml_child(node,"region")) != NULL) {
     s3->region = apr_pstrdup(ctx->pool, cur_node->txt);