diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 711e3eaf..53d3e35f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,6 +20,7 @@ jobs: linux-compat: runs-on: ubuntu-20.04 # latest strategy: + fail-fast: false matrix: image: - manylinux1-x64 @@ -40,6 +41,7 @@ jobs: linux-compiler-compat: runs-on: ubuntu-20.04 # latest strategy: + fail-fast: false matrix: compiler: - clang-3 @@ -80,6 +82,7 @@ jobs: windows-vc14: runs-on: windows-2019 # windows-2019 is last env with Visual Studio 2015 (v14.0) strategy: + fail-fast: false matrix: arch: [x86, x64] steps: diff --git a/include/aws/auth/auth.h b/include/aws/auth/auth.h index 7899cb89..fcd50cd0 100644 --- a/include/aws/auth/auth.h +++ b/include/aws/auth/auth.h @@ -52,6 +52,7 @@ enum aws_auth_errors { AWS_AUTH_IMDS_CLIENT_SOURCE_FAILURE, AWS_AUTH_PROFILE_STS_CREDENTIALS_PROVIDER_CYCLE_FAILURE, AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_TOKEN_FILE_PATH, + AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST, AWS_AUTH_ERROR_END_RANGE = AWS_ERROR_ENUM_END_RANGE(AWS_C_AUTH_PACKAGE_ID) }; diff --git a/include/aws/auth/credentials.h b/include/aws/auth/credentials.h index 4aa8979b..0478f99a 100644 --- a/include/aws/auth/credentials.h +++ b/include/aws/auth/credentials.h @@ -232,6 +232,11 @@ struct aws_credentials_provider_imds_options { * AWS_CONTAINER_CREDENTIALS_RELATIVE_URI * AWS_CONTAINER_CREDENTIALS_FULL_URI * + *`AWS_CONTAINER_CREDENTIALS_FULL_URI` URL must satisfy one of the following: + * 1. The URL begins with `https`. + * 2. The resolved IP address is within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128), ECS container address + * (169.254.170.2), or EKS Pod Identity address (169.254.170.23 or fd00:ec2::23). + * * For the Authorization token, there are two ways (in order of priority): * 1. AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE (an env var which contains the absolute path to the token file. The file * will be re-read for each call to get credentials.) @@ -261,6 +266,11 @@ struct aws_credentials_provider_ecs_environment_options { * Configuration options for the provider that sources credentials from ECS container metadata. * This options struct doesn't read anything from the environment and requires everything to be explicitly passed in. If * you need to read properties from the environment, use the `aws_credentials_provider_ecs_environment_options`. + * + *`host` must satisfy one of the following: + * 1. tls_context is set + * 2. The resolved IP address is within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128), ECS container address + * (169.254.170.2), or EKS Pod Identity address (169.254.170.23 or fd00:ec2::23). */ struct aws_credentials_provider_ecs_options { struct aws_credentials_provider_shutdown_options shutdown_options; diff --git a/source/auth.c b/source/auth.c index da93f49c..db7da7a6 100644 --- a/source/auth.c +++ b/source/auth.c @@ -112,6 +112,9 @@ static struct aws_error_info s_errors[] = { AWS_DEFINE_ERROR_INFO_AUTH( AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_TOKEN_FILE_PATH, "Failed to read the ECS token file specified in the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variable."), + AWS_DEFINE_ERROR_INFO_AUTH( + AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST, + "Failed to establish connection. The specified host is not allowed. It must be a loopback address, ECS/EKS container host, or use HTTPS."), }; /* clang-format on */ diff --git a/source/credentials_provider_ecs.c b/source/credentials_provider_ecs.c index 08fd5785..41324f81 100644 --- a/source/credentials_provider_ecs.c +++ b/source/credentials_provider_ecs.c @@ -10,11 +10,14 @@ #include #include #include +#include #include #include #include #include #include +#include +#include #include #include #include @@ -45,6 +48,8 @@ struct aws_credentials_provider_ecs_impl { struct aws_string *path_and_query; struct aws_string *auth_token_file_path; struct aws_string *auth_token; + struct aws_client_bootstrap *bootstrap; + bool is_https; }; /* @@ -459,6 +464,89 @@ static void s_ecs_on_acquire_connection(struct aws_http_connection *connection, s_ecs_query_task_role_credentials(ecs_user_data); } +/* + * The resolved IP address must satisfy one of the following: + * 1. within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128) + * 2. corresponds to the ECS container host 169.254.170.2 + * 3. corresponds to the EKS container host IPs (IPv4 169.254.170.23, IPv6 fd00:ec2::23) + */ +static bool s_is_valid_remote_host_ip(const struct aws_host_address *host_address) { + bool result = false; + struct aws_byte_cursor address = aws_byte_cursor_from_string(host_address->address); + if (host_address->record_type == AWS_ADDRESS_RECORD_TYPE_A) { + const struct aws_byte_cursor ipv4_loopback_address_prefix = aws_byte_cursor_from_c_str("127."); + const struct aws_byte_cursor ecs_container_host_address = aws_byte_cursor_from_c_str("169.254.170.2"); + const struct aws_byte_cursor eks_container_host_address = aws_byte_cursor_from_c_str("169.254.170.23"); + + result |= aws_byte_cursor_starts_with(&address, &ipv4_loopback_address_prefix); + result |= aws_byte_cursor_eq(&address, &ecs_container_host_address); + result |= aws_byte_cursor_eq(&address, &eks_container_host_address); + + } else if (host_address->record_type == AWS_ADDRESS_RECORD_TYPE_AAAA) { + /* Check for both the short form and long form of an IPv6 address to be safe. */ + const struct aws_byte_cursor ipv6_loopback_address = aws_byte_cursor_from_c_str("::1"); + const struct aws_byte_cursor ipv6_loopback_address_verbose = aws_byte_cursor_from_c_str("0:0:0:0:0:0:0:1"); + const struct aws_byte_cursor eks_container_host_ipv6_address = aws_byte_cursor_from_c_str("fd00:ec2::23"); + const struct aws_byte_cursor eks_container_host_ipv6_address_verbose = + aws_byte_cursor_from_c_str("fd00:ec2:0:0:0:0:0:23"); + + result |= aws_byte_cursor_eq(&address, &ipv6_loopback_address); + result |= aws_byte_cursor_eq(&address, &ipv6_loopback_address_verbose); + result |= aws_byte_cursor_eq(&address, &eks_container_host_ipv6_address); + result |= aws_byte_cursor_eq(&address, &eks_container_host_ipv6_address_verbose); + } + + return result; +} + +static void s_on_host_resolved( + struct aws_host_resolver *resolver, + const struct aws_string *host_name, + int error_code, + const struct aws_array_list *host_addresses, + void *user_data) { + (void)resolver; + (void)host_name; + + struct aws_credentials_provider_ecs_user_data *ecs_user_data = user_data; + if (error_code) { + AWS_LOGF_WARN( + AWS_LS_AUTH_CREDENTIALS_PROVIDER, + "id=%p: ECS provider failed to resolve host, error code %d(%s)", + (void *)ecs_user_data->ecs_provider, + error_code, + aws_error_str(error_code)); + ecs_user_data->error_code = error_code; + s_ecs_finalize_get_credentials_query(ecs_user_data); + return; + } + size_t host_addresses_len = aws_array_list_length(host_addresses); + if (!host_addresses_len) { + goto on_error; + } + for (size_t i = 0; i < host_addresses_len; ++i) { + struct aws_host_address *host_address_ptr = NULL; + aws_array_list_get_at_ptr(host_addresses, (void **)&host_address_ptr, i); + if (!s_is_valid_remote_host_ip(host_address_ptr)) { + goto on_error; + } + } + struct aws_credentials_provider_ecs_impl *impl = ecs_user_data->ecs_provider->impl; + impl->function_table->aws_http_connection_manager_acquire_connection( + impl->connection_manager, s_ecs_on_acquire_connection, ecs_user_data); + + return; +on_error: + AWS_LOGF_ERROR( + AWS_LS_AUTH_CREDENTIALS_PROVIDER, + "id=%p: ECS provider failed to resolve address to an allowed ip address with error %d(%s)", + (void *)ecs_user_data->ecs_provider, + AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST, + aws_error_str(AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST)); + ecs_user_data->error_code = AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST; + s_ecs_finalize_get_credentials_query(ecs_user_data); +} + static int s_credentials_provider_ecs_get_credentials_async( struct aws_credentials_provider *provider, aws_on_get_credentials_callback_fn callback, @@ -474,10 +562,19 @@ static int s_credentials_provider_ecs_get_credentials_async( if (wrapped_user_data == NULL) { goto error; } - - impl->function_table->aws_http_connection_manager_acquire_connection( - impl->connection_manager, s_ecs_on_acquire_connection, wrapped_user_data); - + /* No need to verify the host IP address if the connection is using HTTPS or the ECS container host (relative URI) + */ + if (impl->is_https || aws_string_eq(impl->host, s_ecs_host)) { + impl->function_table->aws_http_connection_manager_acquire_connection( + impl->connection_manager, s_ecs_on_acquire_connection, wrapped_user_data); + } else if (aws_host_resolver_resolve_host( + impl->bootstrap->host_resolver, + impl->host, + s_on_host_resolved, + &impl->bootstrap->host_resolver_config, + wrapped_user_data)) { + goto error; + } return AWS_OP_SUCCESS; error: @@ -497,6 +594,7 @@ static void s_credentials_provider_ecs_destroy(struct aws_credentials_provider * aws_string_destroy(impl->auth_token); aws_string_destroy(impl->auth_token_file_path); aws_string_destroy(impl->host); + aws_client_bootstrap_release(impl->bootstrap); /* aws_http_connection_manager_release will eventually leads to call of s_on_connection_manager_shutdown, * which will do memory release for provider and impl. So We should be freeing impl @@ -554,7 +652,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_ecs( AWS_ZERO_STRUCT(*impl); aws_credentials_provider_init_base(provider, allocator, &s_aws_credentials_provider_ecs_vtable, impl); - + impl->bootstrap = aws_client_bootstrap_acquire(options->bootstrap); struct aws_tls_connection_options tls_connection_options; AWS_ZERO_STRUCT(tls_connection_options); if (options->tls_ctx) { @@ -568,6 +666,7 @@ struct aws_credentials_provider *aws_credentials_provider_new_ecs( aws_error_debug_str(aws_last_error())); goto on_error; } + impl->is_https = true; } struct aws_socket_options socket_options; diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 001b7000..099323d4 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -45,16 +45,17 @@ if(AWS_BUILDING_ON_EC2) add_test_case(credentials_provider_imds_real_success) endif() -add_test_case(credentials_provider_ecs_new_destroy) -add_test_case(credentials_provider_ecs_connect_failure) -add_test_case(credentials_provider_ecs_request_failure) -add_test_case(credentials_provider_ecs_bad_document_failure) -add_test_case(credentials_provider_ecs_basic_success) -add_test_case(credentials_provider_ecs_basic_success_token_file) +add_net_test_case(credentials_provider_ecs_new_destroy) +add_net_test_case(credentials_provider_ecs_connect_failure) +add_net_test_case(credentials_provider_ecs_request_failure) +add_net_test_case(credentials_provider_ecs_bad_document_failure) +add_net_test_case(credentials_provider_ecs_bad_host_failure) +add_net_test_case(credentials_provider_ecs_basic_success) +add_net_test_case(credentials_provider_ecs_basic_success_token_file) add_net_test_case(credentials_provider_ecs_basic_success_uri_env) -add_test_case(credentials_provider_ecs_no_auth_token_success) -add_test_case(credentials_provider_ecs_success_multi_part_doc) -add_test_case(credentials_provider_ecs_real_new_destroy) +add_net_test_case(credentials_provider_ecs_no_auth_token_success) +add_net_test_case(credentials_provider_ecs_success_multi_part_doc) +add_net_test_case(credentials_provider_ecs_real_new_destroy) if(AWS_BUILDING_ON_ECS) add_test_case(credentials_provider_ecs_real_success) diff --git a/tests/credentials_provider_ecs_tests.c b/tests/credentials_provider_ecs_tests.c index d698c399..900e7816 100644 --- a/tests/credentials_provider_ecs_tests.c +++ b/tests/credentials_provider_ecs_tests.c @@ -54,6 +54,7 @@ struct aws_mock_ecs_tester { struct aws_event_loop_group *el_group; struct aws_host_resolver *host_resolver; struct aws_client_bootstrap *bootstrap; + struct aws_tls_ctx *tls_ctx; }; static struct aws_mock_ecs_tester s_tester; @@ -259,6 +260,13 @@ static int s_aws_ecs_tester_init(struct aws_allocator *allocator) { }; s_tester.bootstrap = aws_client_bootstrap_new(allocator, &bootstrap_options); + struct aws_tls_ctx_options tls_options; + aws_tls_ctx_options_init_default_client(&tls_options, allocator); + struct aws_tls_ctx *tls_ctx = aws_tls_client_ctx_new(allocator, &tls_options); + ASSERT_NOT_NULL(tls_ctx); + s_tester.tls_ctx = tls_ctx; + aws_tls_ctx_options_clean_up(&tls_options); + /* ensure pre-existing environment doesn't interfere with tests */ aws_unset_environment_value(s_ecs_creds_env_relative_uri); aws_unset_environment_value(s_ecs_creds_env_full_uri); @@ -279,6 +287,7 @@ static void s_aws_ecs_tester_reset(void) { aws_client_bootstrap_release(s_tester.bootstrap); aws_host_resolver_release(s_tester.host_resolver); aws_event_loop_group_release(s_tester.el_group); + aws_tls_ctx_release(s_tester.tls_ctx); AWS_ZERO_STRUCT(s_tester); } @@ -362,6 +371,7 @@ static int s_credentials_provider_ecs_connect_failure(struct aws_allocator *allo .host = aws_byte_cursor_from_c_str("www.xxx123321testmocknonexsitingawsservice.com"), .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), .auth_token = aws_byte_cursor_from_c_str("test-token-1234-abcd"), + .tls_ctx = s_tester.tls_ctx, }; struct aws_credentials_provider *provider = aws_credentials_provider_new_ecs(allocator, &options); @@ -373,7 +383,7 @@ static int s_credentials_provider_ecs_connect_failure(struct aws_allocator *allo aws_mutex_lock(&s_tester.lock); ASSERT_TRUE(s_tester.has_received_credentials_callback == true); ASSERT_TRUE(s_tester.credentials == NULL); - ASSERT_UINT_EQUALS(80, s_tester.selected_port); + ASSERT_UINT_EQUALS(443, s_tester.selected_port); aws_mutex_unlock(&s_tester.lock); aws_credentials_provider_release(provider); @@ -407,6 +417,7 @@ static int s_credentials_provider_ecs_request_failure(struct aws_allocator *allo .host = aws_byte_cursor_from_c_str("www.xxx123321testmocknonexsitingawsservice.com"), .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), .auth_token = aws_byte_cursor_from_c_str("test-token-1234-abcd"), + .tls_ctx = s_tester.tls_ctx, }; struct aws_credentials_provider *provider = aws_credentials_provider_new_ecs(allocator, &options); @@ -419,7 +430,7 @@ static int s_credentials_provider_ecs_request_failure(struct aws_allocator *allo ASSERT_STR_EQUALS("/path/to/resource/?a=b&c=d", aws_string_c_str(s_tester.request_path_and_query)); ASSERT_TRUE(s_tester.has_received_credentials_callback == true); ASSERT_TRUE(s_tester.credentials == NULL); - ASSERT_UINT_EQUALS(80, s_tester.selected_port); + ASSERT_UINT_EQUALS(443, s_tester.selected_port); aws_mutex_unlock(&s_tester.lock); aws_credentials_provider_release(provider); @@ -457,7 +468,7 @@ static int s_credentials_provider_ecs_bad_document_failure(struct aws_allocator .host = aws_byte_cursor_from_c_str("www.xxx123321testmocknonexsitingawsservice.com"), .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), .auth_token = aws_byte_cursor_from_c_str("test-token-1234-abcd"), - .port = 555, + .tls_ctx = s_tester.tls_ctx, }; struct aws_credentials_provider *provider = aws_credentials_provider_new_ecs(allocator, &options); @@ -471,7 +482,7 @@ static int s_credentials_provider_ecs_bad_document_failure(struct aws_allocator ASSERT_TRUE(s_tester.has_received_credentials_callback == true); ASSERT_TRUE(s_tester.credentials == NULL); - ASSERT_UINT_EQUALS(555, s_tester.selected_port); + ASSERT_UINT_EQUALS(443, s_tester.selected_port); aws_mutex_unlock(&s_tester.lock); aws_credentials_provider_release(provider); @@ -488,6 +499,49 @@ static int s_credentials_provider_ecs_bad_document_failure(struct aws_allocator AWS_TEST_CASE(credentials_provider_ecs_bad_document_failure, s_credentials_provider_ecs_bad_document_failure); +static int s_credentials_provider_ecs_bad_host_failure(struct aws_allocator *allocator, void *ctx) { + (void)ctx; + + s_aws_ecs_tester_init(allocator); + + struct aws_credentials_provider_ecs_options options = { + .bootstrap = s_tester.bootstrap, + .function_table = &s_mock_function_table, + .shutdown_options = + { + .shutdown_callback = s_on_shutdown_complete, + .shutdown_user_data = NULL, + }, + .host = aws_byte_cursor_from_c_str("www.google.com"), + .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), + .auth_token = aws_byte_cursor_from_c_str("test-token-1234-abcd"), + }; + + struct aws_credentials_provider *provider = aws_credentials_provider_new_ecs(allocator, &options); + + aws_credentials_provider_get_credentials(provider, s_get_credentials_callback, NULL); + + s_aws_wait_for_credentials_result(); + + aws_mutex_lock(&s_tester.lock); + ASSERT_NULL(s_tester.credentials); + ASSERT_INT_EQUALS(AWS_AUTH_CREDENTIALS_PROVIDER_ECS_INVALID_HOST, s_tester.error_code); + aws_mutex_unlock(&s_tester.lock); + + aws_credentials_provider_release(provider); + + s_aws_wait_for_provider_shutdown_callback(); + + /* Because we mock the http connection manager, we never get a callback back from it */ + aws_mem_release(provider->allocator, provider); + + s_aws_ecs_tester_cleanup(); + + return 0; +} + +AWS_TEST_CASE(credentials_provider_ecs_bad_host_failure, s_credentials_provider_ecs_bad_host_failure); + AWS_STATIC_STRING_FROM_LITERAL( s_good_response, "{\"AccessKeyId\":\"SuccessfulAccessKey\", \n \"SecretAccessKey\":\"SuccessfulSecret\", \n " @@ -655,12 +709,13 @@ static int s_credentials_provider_ecs_basic_success(struct aws_allocator *alloca .host = aws_byte_cursor_from_c_str("www.xxx123321testmocknonexsitingawsservice.com"), .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), .auth_token = aws_byte_cursor_from_c_str("test-token-1234-abcd"), + .tls_ctx = s_tester.tls_ctx, }; ASSERT_SUCCESS(s_do_ecs_success_test( allocator, &options, - "http://www.xxx123321testmocknonexsitingawsservice.com:80/path/to/resource/?a=b&c=d" /*expected_uri*/, + "https://www.xxx123321testmocknonexsitingawsservice.com:443/path/to/resource/?a=b&c=d" /*expected_uri*/, "test-token-1234-abcd" /*expected_token*/)); s_aws_ecs_tester_cleanup(); @@ -697,6 +752,7 @@ static int s_credentials_provider_ecs_basic_success_token_file(struct aws_alloca .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), .auth_token = aws_byte_cursor_from_string(auth_token), .auth_token_file_path = aws_byte_cursor_from_string(token_file_path), + .tls_ctx = s_tester.tls_ctx, }; struct aws_credentials_provider *provider = aws_credentials_provider_new_ecs(allocator, &options); @@ -707,7 +763,7 @@ static int s_credentials_provider_ecs_basic_success_token_file(struct aws_alloca aws_mutex_lock(&s_tester.lock); ASSERT_SUCCESS(s_check_ecs_tester_request_uri_and_authorization( - "http://www.xxx123321testmocknonexsitingawsservice.com:80/path/to/resource/?a=b&c=d", + "https://www.xxx123321testmocknonexsitingawsservice.com:443/path/to/resource/?a=b&c=d", aws_string_c_str(auth_token))); aws_string_destroy(s_tester.request_path_and_query); @@ -726,7 +782,7 @@ static int s_credentials_provider_ecs_basic_success_token_file(struct aws_alloca aws_mutex_lock(&s_tester.lock); ASSERT_SUCCESS(s_check_ecs_tester_request_uri_and_authorization( - "http://www.xxx123321testmocknonexsitingawsservice.com:80/path/to/resource/?a=b&c=d", + "https://www.xxx123321testmocknonexsitingawsservice.com:443/path/to/resource/?a=b&c=d", aws_string_c_str(auth_token2))); aws_mutex_unlock(&s_tester.lock); @@ -819,14 +875,33 @@ static int s_credentials_provider_ecs_basic_success_uri_env(struct aws_allocator .auth_token_file_content = "testToken", .expected_auth_token = "testToken", }, + /* IPv4 loopback address */ + { + .full_uri = "http://127.1.2.3:456/credentials", + .expected_uri = "http://127.1.2.3:456/credentials", + }, + /* IPv4 EKS container host address */ + { + .full_uri = "http://169.254.170.23:8080/credentials", + .expected_uri = "http://169.254.170.23:8080/credentials", + }, + /* IPv4 ECS container host address */ + { + .full_uri = "http://169.254.170.2:8080/credentials", + .expected_uri = "http://169.254.170.2:8080/credentials", + }, + /* IPv6 loopback address */ + { + .full_uri = "http://[::1]:8080/credentials", + .expected_uri = "http://[::1]:8080/credentials", + }, + /* IPv6 EKS host */ + { + .full_uri = "http://[fd00:ec2::23]:8080/credentials", + .expected_uri = "http://[fd00:ec2::23]:8080/credentials", + }, }; - /* Provide tls_ctx, in case FULL_URI scheme is "https://" */ - struct aws_tls_ctx_options tls_options; - aws_tls_ctx_options_init_default_client(&tls_options, allocator); - struct aws_tls_ctx *tls_ctx = aws_tls_client_ctx_new(allocator, &tls_options); - ASSERT_NOT_NULL(tls_ctx); - for (size_t case_idx = 0; case_idx < AWS_ARRAY_SIZE(test_cases); ++case_idx) { struct test_case case_i = test_cases[case_idx]; printf( @@ -852,7 +927,7 @@ static int s_credentials_provider_ecs_basic_success_uri_env(struct aws_allocator .shutdown_callback = s_on_shutdown_complete, .shutdown_user_data = NULL, }, - .tls_ctx = tls_ctx, + .tls_ctx = s_tester.tls_ctx, }; ASSERT_SUCCESS(s_do_ecs_env_success_test( @@ -868,8 +943,6 @@ static int s_credentials_provider_ecs_basic_success_uri_env(struct aws_allocator s_aws_ecs_tester_reset(); } - aws_tls_ctx_release(tls_ctx); - aws_tls_ctx_options_clean_up(&tls_options); s_aws_ecs_tester_cleanup(); return 0; } @@ -893,12 +966,13 @@ static int s_credentials_provider_ecs_no_auth_token_success(struct aws_allocator }, .host = aws_byte_cursor_from_c_str("www.xxx123321testmocknonexsitingawsservice.com"), .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), + .tls_ctx = s_tester.tls_ctx, }; ASSERT_SUCCESS(s_do_ecs_success_test( allocator, &options, - "http://www.xxx123321testmocknonexsitingawsservice.com:80/path/to/resource/?a=b&c=d" /*expected_uri*/, + "https://www.xxx123321testmocknonexsitingawsservice.com:443/path/to/resource/?a=b&c=d" /*expected_uri*/, NULL /*expected_token*/)); s_aws_ecs_tester_cleanup(); @@ -935,6 +1009,7 @@ static int s_credentials_provider_ecs_success_multi_part_doc(struct aws_allocato .host = aws_byte_cursor_from_c_str("www.xxx123321testmocknonexsitingawsservice.com"), .path_and_query = aws_byte_cursor_from_c_str("/path/to/resource/?a=b&c=d"), .auth_token = aws_byte_cursor_from_c_str("test-token-1234-abcd"), + .tls_ctx = s_tester.tls_ctx, }; struct aws_credentials_provider *provider = aws_credentials_provider_new_ecs(allocator, &options);