fix: test aws signer with web loader (#342)
everpcpc committed Jun 29, 2023
1 parent 1f828aa commit e28d700
Showing 2 changed files with 83 additions and 44 deletions.
43 changes: 37 additions & 6 deletions .github/workflows/ci.yml
Expand Up @@ -138,17 +138,14 @@ jobs:
- name: Install cargo-nextest
run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin

- name: Install OIDC Client from Core Package
run: npm install @actions/[email protected] @actions/http-client
- name: Get Id Token
uses: actions/github-script@v6
id: idtoken
with:
script: |
const client = require('@actions/core')
let id_token = await client.getIDToken('sts.tencentcloudapi.com')
client.exportVariable('GITHUB_ID_TOKEN', id_token)
client.setSecret(id_token)
let id_token = await core.getIDToken('sts.tencentcloudapi.com')
core.exportVariable('GITHUB_ID_TOKEN', id_token)
core.setSecret(id_token)
- name: Test
run: cargo nextest run --no-fail-fast
Expand All @@ -162,3 +159,37 @@ jobs:
REQSIGN_TENCENT_COS_ROLE_ARN: ${{ secrets.REQSIGN_TENCENT_COS_ROLE_ARN }}
REQSIGN_TENCENT_COS_PROVIDER_ID: ${{ secrets.REQSIGN_TENCENT_COS_PROVIDER_ID }}
REQSIGN_TENCENT_COS_REGION: ${{ secrets.REQSIGN_TENCENT_COS_REGION }}

test_aws_web_identity:
runs-on: ubuntu-latest
permissions:
contents: "read"
id-token: "write"
if: github.event_name == 'push' || !github.event.pull_request.head.repo.fork
steps:
- uses: actions/checkout@v3
- name: Install cargo-nextest
run: curl -LsSf https://get.nexte.st/latest/linux | tar zxf - -C ${CARGO_HOME:-~/.cargo}/bin

- name: Get Id Token
uses: actions/github-script@v6
id: idtoken
with:
script: |
let id_token = await core.getIDToken('sts.amazonaws.com')
core.exportVariable('GITHUB_ID_TOKEN', id_token)
core.setSecret(id_token)
- name: Test
run: cargo nextest run --no-fail-fast
env:
RUST_LOG: DEBUG
RUST_BACKTRACE: full
REQSIGN_AWS_V4_TEST: ${{ secrets.REQSIGN_AWS_V4_TEST }}
REQSIGN_AWS_V4_SERVICE: ${{ secrets.REQSIGN_AWS_V4_SERVICE }}
REQSIGN_AWS_V4_URL: ${{ secrets.REQSIGN_AWS_V4_URL }}
REQSIGN_AWS_V4_REGION: ${{ secrets.REQSIGN_AWS_V4_REGION }}
REQSIGN_AWS_V4_ACCESS_KEY: ${{ secrets.REQSIGN_AWS_V4_ACCESS_KEY }}
REQSIGN_AWS_V4_SECRET_KEY: ${{ secrets.REQSIGN_AWS_V4_SECRET_KEY }}
REQSIGN_AWS_ROLE_ARN: ${{ secrets.REQSIGN_AWS_ROLE_ARN }}
REQSIGN_AWS_PROVIDER_ARN: ${{ secrets.REQSIGN_AWS_PROVIDER_ARN }}
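Review bot: The new `test_aws_web_identity` job passes the long-lived `REQSIGN_AWS_V4_ACCESS_KEY` and `REQSIGN_AWS_V4_SECRET_KEY` secrets to a test whose purpose is to obtain credentials via the OIDC token; as far as the visible test code shows it reads only `REQSIGN_AWS_ROLE_ARN`, `REQSIGN_AWS_V4_REGION`, `GITHUB_ID_TOKEN` and the gating variable, so those two `env` lines look like unnecessary exposure in a job that also runs for same-repo pull requests — drop them unless the loader is meant to fall back to static keys. The job also repeats the unverified `curl … | tar` install of cargo-nextest and uses mutable action tags (`actions/checkout@v3`, `actions/github-script@v6`); in a job holding `id-token: write` and exchanging that token for cloud credentials, pinning the actions to a commit SHA and fetching a specific nextest release with a checksum would narrow the supply-chain surface. Note that `core.setSecret(id_token)` masks only the GitHub OIDC token, so any STS credentials the test later obtains are not redacted if they reach the log at `RUST_LOG: DEBUG`.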
84 changes: 46 additions & 38 deletions src/aws/credential.rs
Expand Up @@ -435,20 +435,19 @@ struct Ec2MetadataIamSecurityCredentials {

#[cfg(test)]
mod tests {
use std::env;
use std::str::FromStr;
use std::{env, vec};

use anyhow::Result;
use base64::prelude::BASE64_STANDARD;
use base64::Engine;
use http::Request;
use http::{Request, StatusCode};
use once_cell::sync::Lazy;
use quick_xml::de;
use reqwest::Client;
use tokio::runtime::Runtime;

use super::*;
use crate::aws::constants::*;
use crate::aws::v4::Signer;

static RUNTIME: Lazy<Runtime> = Lazy::new(|| {
tokio::runtime::Builder::new_multi_thread()
Expand Down Expand Up @@ -620,55 +619,64 @@ mod tests {
return Ok(());
}

let role_arn = env::var("REQSIGN_AWS_ROLE_ARN").expect("REQSIGN_AWS_ROLE_ARN not exist");
let idp_url = env::var("REQSIGN_AWS_IDP_URL").expect("REQSIGN_AWS_IDP_URL not exist");
let idp_content = BASE64_STANDARD
.decode(env::var("REQSIGN_AWS_IDP_BODY").expect("REQSIGN_AWS_IDP_BODY not exist"))?;

let client = Client::new();

let mut req = Request::new(idp_content);
*req.method_mut() = http::Method::POST;
*req.uri_mut() = http::Uri::from_str(&idp_url)?;
req.headers_mut()
.insert(http::header::CONTENT_TYPE, "application/json".parse()?);
// Ignore test if role_arn not set
let role_arn = if let Ok(v) = env::var("REQSIGN_AWS_ROLE_ARN") {
v
} else {
return Ok(());
};

let token = RUNTIME.block_on(async {
#[derive(Deserialize)]
struct Token {
access_token: String,
}
client
.execute(req.try_into().unwrap())
.await
.unwrap()
.json::<Token>()
.await
.unwrap()
.access_token
});
// let provider_arn = env::var("REQSIGN_AWS_PROVIDER_ARN").expect("REQSIGN_AWS_PROVIDER_ARN not exist");
let region = env::var("REQSIGN_AWS_V4_REGION").expect("REQSIGN_AWS_V4_REGION not exist");

let github_token = env::var("GITHUB_ID_TOKEN").expect("GITHUB_ID_TOKEN not exist");
let file_path = format!(
"{}/testdata/services/aws/web_identity_token_file",
env::current_dir()
.expect("current_dir must exist")
.to_string_lossy()
);
fs::write(&file_path, token)?;
fs::write(&file_path, github_token)?;

temp_env::with_vars(
vec![
("AWS_ROLE_ARN", Some(&role_arn)),
("AWS_WEB_IDENTITY_TOKEN_FILE", Some(&file_path)),
(AWS_REGION, Some(&region)),
(AWS_ROLE_ARN, Some(&role_arn)),
(AWS_WEB_IDENTITY_TOKEN_FILE, Some(&file_path)),
],
|| {
let l = Loader::new(Client::new(), Config::default().from_env());
let x = RUNTIME
.block_on(l.load())
.expect("load_credential must success")
RUNTIME.block_on(async {
let config = Config::default().from_env();
let loader = Loader::new(reqwest::Client::new(), config);

let signer = Signer::new("s3", &region);

let mut req = Request::new("");
*req.method_mut() = http::Method::GET;
*req.uri_mut() = http::Uri::from_str(
"https://s3.amazonaws.com/opendal-testing/not_exist_file",
)
.unwrap();

assert!(x.is_valid());
let cred = loader
.load()
.await
.expect("credential must be valid")
.unwrap();

signer.sign(&mut req, &cred).expect("sign must success");

debug!("signed request url: {:?}", req.uri().to_string());
debug!("signed request: {:?}", req);

let client = Client::new();
let resp = client.execute(req.try_into().unwrap()).await.unwrap();

let status = resp.status();
debug!("got response: {:?}", resp);
debug!("got response content: {:?}", resp.text().await.unwrap());
assert_eq!(status, StatusCode::NOT_FOUND);
})
},
);
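Review bot: `debug!("signed request: {:?}", req);` near the end of the hunk prints the whole request including its `Authorization` header and, on the web-identity path, the `X-Amz-Security-Token` session token; with `RUST_LOG: DEBUG` set in CI this writes live temporary AWS credentials into the job log, and GitHub will not mask them because only the OIDC token was registered with `setSecret`. Log just the method and URI instead, e.g. `debug!("signed request: {} {}", req.method(), req.uri());`. The token is also written to `testdata/services/aws/web_identity_token_file` inside the checkout and never removed; adding `let _ = fs::remove_file(&file_path);` after the `temp_env::with_vars` call (or writing under `env::temp_dir()`) avoids leaving a bearer token in the working tree after a local run. The commented-out `provider_arn` line should be deleted rather than kept as dead code. The enclosing test function begins above this hunk.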


1 comment on commit e28d700

@github-actions
Deploy preview for reqsign ready!

✅ Preview
https://reqsign-4yyaru5yl-xuanwo.vercel.app

Built with commit e28d700.
This pull request is being automatically deployed with vercel-action
