
refactor(libstore/aws-creds): improve error handling and logging

Add validation for TLS context and client bootstrap initialization,
with appropriate error messages when these fail. The TLS context failure
is now a warning that gracefully disables SSO, while bootstrap failure
throws since it's required for all providers.
This commit is contained in:
Bernardo Meurer 2025-11-25 13:59:25 -05:00 committed by Jörg Thalheim
parent ec91479076
commit 3c8e45c061


@ -138,6 +138,10 @@ public:
auto tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient(allocator); auto tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient(allocator);
tlsContext = tlsContext =
std::make_shared<Aws::Crt::Io::TlsContext>(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT, allocator); std::make_shared<Aws::Crt::Io::TlsContext>(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT, allocator);
if (!tlsContext || !*tlsContext) {
warn("failed to create TLS context for AWS SSO; SSO authentication will be unavailable");
tlsContext = nullptr;
}
} }
AwsCredentials getCredentialsRaw(const std::string & profile); AwsCredentials getCredentialsRaw(const std::string & profile);
@ -172,6 +176,9 @@ AwsCredentialProviderImpl::createProviderForProfile(const std::string & profile)
profile.empty() ? "(default)" : profile.c_str()); profile.empty() ? "(default)" : profile.c_str());
auto bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap(); auto bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
if (!bootstrap) {
throw AwsAuthError("failed to create AWS client bootstrap");
}
// If no profile specified, use the default chain // If no profile specified, use the default chain
if (profile.empty()) { if (profile.empty()) {
@ -186,36 +193,41 @@ AwsCredentialProviderImpl::createProviderForProfile(const std::string & profile)
Aws::Crt::Auth::CredentialsProviderChainConfig chainConfig; Aws::Crt::Auth::CredentialsProviderChainConfig chainConfig;
auto allocator = Aws::Crt::ApiAllocator(); auto allocator = Aws::Crt::ApiAllocator();
// 1. Environment variables (highest priority) auto addProviderToChain = [&](std::string_view name, auto createProvider) {
auto envProvider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderEnvironment(allocator); if (auto provider = createProvider()) {
if (envProvider) { chainConfig.Providers.push_back(provider);
chainConfig.Providers.push_back(envProvider); debug("Added AWS %s Credential Provider to chain for profile '%s'", name, profile);
} else {
debug("Skipped AWS %s Credential Provider for profile '%s'", name, profile);
} }
};
// 1. Environment variables (highest priority)
addProviderToChain("Environment", [&]() {
return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderEnvironment(allocator);
});
// 2. SSO provider (try it, will fail gracefully if not configured) // 2. SSO provider (try it, will fail gracefully if not configured)
auto ssoProvider = createSSOProvider(profile, bootstrap, tlsContext.get(), allocator); if (tlsContext) {
if (ssoProvider) { addProviderToChain("SSO", [&]() { return createSSOProvider(profile, bootstrap, tlsContext.get(), allocator); });
debug("[pid=%d] added SSO provider to credential chain for profile '%s'", getpid(), profile.c_str()); } else {
chainConfig.Providers.push_back(ssoProvider); debug("Skipped AWS SSO Credential Provider for profile '%s': TLS context unavailable", profile);
} }
// 3. Profile provider (for static credentials) // 3. Profile provider (for static credentials)
addProviderToChain("Profile", [&]() {
Aws::Crt::Auth::CredentialsProviderProfileConfig profileConfig; Aws::Crt::Auth::CredentialsProviderProfileConfig profileConfig;
profileConfig.Bootstrap = bootstrap; profileConfig.Bootstrap = bootstrap;
profileConfig.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str()); profileConfig.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
auto profileProvider = return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(profileConfig, allocator);
Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(profileConfig, allocator); });
if (profileProvider) {
chainConfig.Providers.push_back(profileProvider);
}
// 4. IMDS provider (for EC2 instances, lowest priority) // 4. IMDS provider (for EC2 instances, lowest priority)
addProviderToChain("IMDS", [&]() {
Aws::Crt::Auth::CredentialsProviderImdsConfig imdsConfig; Aws::Crt::Auth::CredentialsProviderImdsConfig imdsConfig;
imdsConfig.Bootstrap = bootstrap; imdsConfig.Bootstrap = bootstrap;
auto imdsProvider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderImds(imdsConfig, allocator); return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderImds(imdsConfig, allocator);
if (imdsProvider) { });
chainConfig.Providers.push_back(imdsProvider);
}
return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChain(chainConfig, allocator); return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChain(chainConfig, allocator);
} }
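Review bot: The chain is still built when every addProviderToChain call skipped its provider, so `return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChain(chainConfig, allocator);` at the end of the hunk can run with an empty `chainConfig.Providers`; whether that yields a null provider or a chain that only fails at first use is not visible here, and the caller's handling is outside the hunk. A guard in the same style as the bootstrap check added earlier in this function, `if (chainConfig.Providers.empty()) throw AwsAuthError("no AWS credential provider could be created for the requested profile");`, would surface the misconfiguration at construction time with a clear message rather than at the first fetch. Note also that a provider whose creation fails is reported only at debug level in the helper's else branch, so a broken profile section silently falls through to IMDS; raising the Profile case to `warn` may be worth considering since that is the provider the user explicitly named. createProviderForProfile's body begins before this hunk.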