Fix STSCredentialsProvider Signing Region (#239)

awslabs · May 10, 2024 · 432b765 · 432b765
1 parent ef9cfa1
commit 432b765
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 4 deletions.
diff --git a/source/credentials_provider_sts.c b/source/credentials_provider_sts.c
@@ -48,7 +48,6 @@ static struct aws_http_header s_content_type_header = {
 
 static struct aws_byte_cursor s_content_length = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("content-length");
 static struct aws_byte_cursor s_path = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("/");
-static struct aws_byte_cursor s_signing_region = AWS_BYTE_CUR_INIT_FROM_STRING_LITERAL("us-east-1");
 AWS_STATIC_STRING_FROM_LITERAL(s_sts_service_name, "sts");
 static const int s_max_retries = 3;
 
@@ -59,6 +58,7 @@ struct aws_credentials_provider_sts_impl {
     struct aws_string *assume_role_profile;
     struct aws_string *role_session_name;
     struct aws_string *endpoint;
+    struct aws_string *region;
     uint16_t duration_seconds;
     struct aws_credentials_provider *provider;
     struct aws_credentials_provider_shutdown_options source_shutdown_options;
@@ -533,8 +533,13 @@ static void s_start_make_request(
     provider_user_data->signing_config.signed_body_header = AWS_SBHT_NONE;
     provider_user_data->signing_config.config_type = AWS_SIGNING_CONFIG_AWS;
     provider_user_data->signing_config.credentials_provider = impl->provider;
-    aws_date_time_init_now(&provider_user_data->signing_config.date);
-    provider_user_data->signing_config.region = s_signing_region;
+    uint64_t now = UINT64_MAX;
+    if (impl->system_clock_fn(&now) != AWS_OP_SUCCESS) {
+        goto error;
+    }
+    uint64_t now_millis = aws_timestamp_convert(now, AWS_TIMESTAMP_NANOS, AWS_TIMESTAMP_MILLIS, NULL);
+    aws_date_time_init_epoch_millis(&provider_user_data->signing_config.date, now_millis);
+    provider_user_data->signing_config.region = aws_byte_cursor_from_string(impl->region);
     provider_user_data->signing_config.service = aws_byte_cursor_from_string(s_sts_service_name);
     provider_user_data->signing_config.flags.use_double_uri_encode = false;
 
@@ -648,7 +653,7 @@ static void s_on_credentials_provider_shutdown(void *user_data) {
     aws_string_destroy(impl->role_session_name);
     aws_string_destroy(impl->assume_role_profile);
     aws_string_destroy(impl->endpoint);
-
+    aws_string_destroy(impl->region);
     aws_mem_release(provider->allocator, provider);
 }
 
@@ -830,9 +835,11 @@ struct aws_credentials_provider *aws_credentials_provider_new_sts(
                 allocator, &impl->endpoint, region, s_sts_service_name)) {
             goto on_done;
         }
+        impl->region = aws_string_new_from_string(allocator, region);
     } else {
         /* use the global endpoint */
         impl->endpoint = aws_string_new_from_c_str(allocator, "sts.amazonaws.com");
+        impl->region = aws_string_new_from_c_str(allocator, "us-east-1");
     }
     struct aws_byte_cursor endpoint_cursor = aws_byte_cursor_from_string(impl->endpoint);
 

diff --git a/tests/credentials_provider_sts_tests.c b/tests/credentials_provider_sts_tests.c
@@ -30,6 +30,7 @@ struct aws_mock_http_request {
     struct aws_byte_buf host_header;
     struct aws_byte_buf body;
     bool had_auth_header;
+    struct aws_byte_buf auth_header;
     int response_code;
 };
 
@@ -203,6 +204,7 @@ static struct aws_http_stream *s_aws_http_connection_make_request_mock(
 
         if (aws_byte_cursor_eq_c_str_ignore_case(&header.name, "authorization")) {
             mocked_request->had_auth_header = true;
+            aws_byte_buf_init_copy_from_cursor(&mocked_request->auth_header, s_tester.allocator, header.value);
         }
     }
 
@@ -329,6 +331,7 @@ static void s_cleanup_creds_callback_data(void) {
         aws_byte_buf_clean_up(&s_tester.mocked_requests[i].path);
         aws_byte_buf_clean_up(&s_tester.mocked_requests[i].method);
         aws_byte_buf_clean_up(&s_tester.mocked_requests[i].host_header);
+        aws_byte_buf_clean_up(&s_tester.mocked_requests[i].auth_header);
         aws_byte_buf_clean_up(&s_tester.mocked_requests[i].body);
     }
 
@@ -472,6 +475,15 @@ static int s_credentials_provider_sts_direct_config_succeeds_fn(struct aws_alloc
         s_tester.mocked_requests[0].path.len);
 
     ASSERT_TRUE(s_tester.mocked_requests[0].had_auth_header);
+    const char *expected_auth_header =
+        "AWS4-HMAC-SHA256 Credential=accessKey12345/19700101/us-east-1/sts/aws4_request, "
+        "SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, "
+        "Signature=06e941853a2cc010ed8ac7072754e0089be8aae59e319924fb0105b20dda77cd";
+    ASSERT_BIN_ARRAYS_EQUALS(
+        expected_auth_header,
+        strlen(expected_auth_header),
+        s_tester.mocked_requests[0].auth_header.buffer,
+        s_tester.mocked_requests[0].auth_header.len);
 
     const char *expected_host_header = "sts.amazonaws.com";
     ASSERT_BIN_ARRAYS_EQUALS(
@@ -565,6 +577,16 @@ static int s_credentials_provider_sts_direct_config_with_region_succeeds_fn(
         s_tester.mocked_requests[0].host_header.buffer,
         s_tester.mocked_requests[0].host_header.len);
 
+    const char *expected_auth_header =
+        "AWS4-HMAC-SHA256 Credential=accessKey12345/19700101/us-west-2/sts/aws4_request, "
+        "SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token, "
+        "Signature=a4a164e00acb40795ea491092dfcfbbfcda817b6b0bb5d06d328f535ec163ac6";
+    ASSERT_BIN_ARRAYS_EQUALS(
+        expected_auth_header,
+        strlen(expected_auth_header),
+        s_tester.mocked_requests[0].auth_header.buffer,
+        s_tester.mocked_requests[0].auth_header.len);
+
     ASSERT_BIN_ARRAYS_EQUALS(
         s_expected_payload.ptr,
         s_expected_payload.len,