From d9e53aae661aa7826584104d363759f0e0f26b8b Mon Sep 17 00:00:00 2001
From: Peet Whittaker
Date: Thu, 2 May 2024 15:13:01 +0100
Subject: [PATCH 1/2] Update S3 cache to read AWS_SESSION_TOKEN env var if present
---
 lib/cache_rest.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/cache_rest.c b/lib/cache_rest.c
index 4c7e9ed2..e6c489ec 100644
--- a/lib/cache_rest.c
+++ b/lib/cache_rest.c
@@ -108,6 +108,7 @@ struct mapcache_cache_s3 {
 mapcache_cache_rest cache;
 char *id;
 char *secret;
+ char *session_token;
 char *region;
 char *credentials_file;
 };
@@ -894,7 +895,7 @@ static void _mapcache_cache_s3_headers_add(mapcache_context *ctx, const char* me
 } else {
 aws_access_key_id = s3->id;
 aws_secret_access_key = s3->secret;
- aws_security_token = NULL;
+ aws_security_token = s3->session_token;
 }
 
 if(!strcmp(method,"PUT")) {
@@ -1366,6 +1367,13 @@ static void _mapcache_cache_s3_configuration_parse_xml(mapcache_context *ctx, ez
 ctx->set_error(ctx,400,"s3 cache (%s) is missing required child or AWS_SECRET_ACCESS_KEY environment", cache->name);
 return;
 }
+ if ((cur_node = ezxml_child(node,"session_token")) != NULL) {
+ s3->session_token = apr_pstrdup(ctx->pool, cur_node->txt);
+ } else if ( getenv("AWS_SESSION_TOKEN")) {
+ s3->session_token = apr_pstrdup(ctx->pool,getenv("AWS_SESSION_TOKEN"));
+ } else {
+ s3->session_token = NULL;
+ }
 }
 if ((cur_node = ezxml_child(node,"region")) != NULL) {
 s3->region = apr_pstrdup(ctx->pool, cur_node->txt);
From 33d9549c6bc66ea0b1fa8a1ae7126159dc308ec9 Mon Sep 17 00:00:00 2001
From: Peet Whittaker
Date: Thu, 2 May 2024 15:52:56 +0100
Subject: [PATCH 2/2] Increase line buffer size when reading S3 credentials file
---
 lib/cache_rest.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/cache_rest.c b/lib/cache_rest.c
index e6c489ec..9fd601c6 100644
--- a/lib/cache_rest.c
+++ b/lib/cache_rest.c
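Review bot: In the new `} else if ( getenv("AWS_SESSION_TOKEN")) {` branch of `_mapcache_cache_s3_configuration_parse_xml`, the environment token is attached whenever it happens to exist, even when `s3->id`/`s3->secret` were taken from the XML config rather than the environment; a session token is only valid together with the temporary access key it was issued with, so a static key pair in the config plus a stray `AWS_SESSION_TOKEN` in the process environment (e.g. left over from an assumed role in a deploy script) would be signed with unrelated keys and rejected by S3. Consider only falling back to the environment token when the secret itself came from the environment — the id/secret parsing sits above this hunk, so I cannot tell whether the code already records where they came from. Independently, read the variable once into a local, `const char *tok = getenv("AWS_SESSION_TOKEN");`, rather than calling `getenv` twice. Since the value is copied into `s3->session_token` at parse time and the second hunk of this patch hands it to the signer unchanged, a short comment such as `/* Temporary credentials expire; a token captured here is never refreshed, so a restart is needed when it rotates (credentials_file appears to be re-read per request instead) */` would spare the next operator a 403 hunt.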
@@ -869,16 +869,18 @@ static void _mapcache_cache_s3_headers_add(mapcache_context *ctx, const char* me
 if((rv=apr_file_open(&f, s3->credentials_file, APR_FOPEN_READ|APR_FOPEN_BUFFERED|APR_FOPEN_BINARY,APR_OS_DEFAULT, ctx->pool)) == APR_SUCCESS) {
- char line[2048];
- if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+ // Line length buffer increased to handle longer session tokens; see:
+ // https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+ char line[4096];
+ if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
 _remove_lineends(line);
 aws_access_key_id = apr_pstrdup(ctx->pool,line);
 }
- if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+ if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
 _remove_lineends(line);
 aws_secret_access_key = apr_pstrdup(ctx->pool,line);
 }
- if( (rv = apr_file_gets(line,2048,f))== APR_SUCCESS) {
+ if( (rv = apr_file_gets(line,4096,f))== APR_SUCCESS) {
 _remove_lineends(line);
 aws_security_token = apr_pstrdup(ctx->pool,line);
 }