From f916852fdc440add6f169424c06c76be242822f0 Mon Sep 17 00:00:00 2001
From: Peet Whittaker
Date: Thu, 16 May 2024 13:12:50 +0100
Subject: [PATCH] Update S3 cache to read AWS_SESSION_TOKEN env var if present (#339)
* Update S3 cache to read AWS_SESSION_TOKEN env var if present
* Increase line buffer size when reading S3 credentials file
---
 lib/cache_rest.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/lib/cache_rest.c b/lib/cache_rest.c
index 4c7e9ed2..9fd601c6 100644
--- a/lib/cache_rest.c
+++ b/lib/cache_rest.c
@@ -108,6 +108,7 @@ struct mapcache_cache_s3 {
 mapcache_cache_rest cache;
 char *id;
 char *secret;
+ char *session_token;
 char *region;
 char *credentials_file;
 };
@@ -868,16 +869,18 @@ static void _mapcache_cache_s3_headers_add(mapcache_context *ctx, const char* me
 if((rv=apr_file_open(&f, s3->credentials_file,
 APR_FOPEN_READ|APR_FOPEN_BUFFERED|APR_FOPEN_BINARY,APR_OS_DEFAULT,
 ctx->pool)) == APR_SUCCESS) {
- char line[2048];
- if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+ // Line length buffer increased to handle longer session tokens; see:
+ // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+ char line[4096];
+ if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
 _remove_lineends(line);
 aws_access_key_id = apr_pstrdup(ctx->pool,line);
 }
- if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+ if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
 _remove_lineends(line);
 aws_secret_access_key = apr_pstrdup(ctx->pool,line);
 }
- if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+ if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
 _remove_lineends(line);
 aws_security_token = apr_pstrdup(ctx->pool,line);
 }
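Review bot: A credentials-file line longer than the buffer is still split silently in the three `apr_file_gets(line,4096,f)` reads: each call returns at most 4095 bytes and the next call hands the remainder to the following field, so an over-long session token would shift or truncate the credentials instead of failing. If I read the AWS page linked in the new comment correctly, it advises against assuming any maximum token size, so 4096 is a larger guess rather than a bound. Consider checking, before `_remove_lineends(line)`, whether the buffer was filled without a line ending, and reporting that through `ctx->set_error` rather than signing with a partial value. Independently, the size literal now appears four times and should track the array, `apr_file_gets(line,sizeof(line),f)`. The enclosing `_mapcache_cache_s3_headers_add` starts and ends outside this hunk.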
@@ -894,7 +897,7 @@ static void _mapcache_cache_s3_headers_add(mapcache_context *ctx, const char* me
 } else {
 aws_access_key_id = s3->id;
 aws_secret_access_key = s3->secret;
- aws_security_token = NULL;
+ aws_security_token = s3->session_token;
 }

 if(!strcmp(method,"PUT")) {
@@ -1366,6 +1369,13 @@ static void _mapcache_cache_s3_configuration_parse_xml(mapcache_context *ctx, ez
 ctx->set_error(ctx,400,"s3 cache (%s) is missing required child or AWS_SECRET_ACCESS_KEY environment", cache->name);
 return;
 }
+ if ((cur_node = ezxml_child(node,"session_token")) != NULL) {
+ s3->session_token = apr_pstrdup(ctx->pool, cur_node->txt);
+ } else if ( getenv("AWS_SESSION_TOKEN")) {
+ s3->session_token = apr_pstrdup(ctx->pool,getenv("AWS_SESSION_TOKEN"));
+ } else {
+ s3->session_token = NULL;
+ }
 }
 if ((cur_node = ezxml_child(node,"region")) != NULL) {
 s3->region = apr_pstrdup(ctx->pool, cur_node->txt);
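Review bot: The token assigned in this `else` branch, `aws_security_token = s3->session_token;`, is the value captured once at configuration parse time, so it is never refreshed even though temporary credentials expire. Once that happens, requests signed from this branch will presumably be rejected until the process is reconfigured or restarted. The credentials-file branch earlier in the same function re-reads the file when it runs, so it looks like the path meant for rotating credentials. That difference is worth stating at the assignment, e.g. `/* static token from config or AWS_SESSION_TOKEN, read once at parse time; use credentials_file for rotating credentials */`. The enclosing function begins and ends outside the hunk.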
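Review bot: An `AWS_SESSION_TOKEN` that is set but empty is stored as `""` rather than NULL in the `else if ( getenv("AWS_SESSION_TOKEN"))` branch, and an empty `session_token` element behaves the same way. Depending on how `_mapcache_cache_s3_headers_add` tests `aws_security_token` (not visible here), that may attach an empty token to the signed request. Reading the variable once and testing for content also removes the second `getenv` call: `const char *tok = getenv("AWS_SESSION_TOKEN");` followed by `} else if (tok && *tok) { s3->session_token = apr_pstrdup(ctx->pool, tok);`. The environment fallback also appears to apply regardless of where the id and secret came from, so an ambient token belonging to other credentials could be combined with keys from the XML; a comment that all three values must come from the same credential set would help. The enclosing block opens outside the hunk.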