Merge pull request #74 from jmgilman/fix/RUSTSEC_2023_0052

Fix/rustsec 2023 0052

vaultrs-login/Cargo.toml

@@ -12,15 +12,17 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
-aws = ["aws-sdk-iam", "aws-sdk-sts", "aws-sigv4", "aws-types", "base64", "http", "serde_json"]
+aws = ["aws-sdk-iam", "aws-sdk-sts", "aws-sigv4", "aws-types", "aws-credential-types", "aws-smithy-runtime-api", "base64", "http", "serde_json"]
 oidc = ["tiny_http", "tokio"]
 
 [dependencies]
 async-trait = "0.1.68"
-aws-sdk-iam = { version = "0.14", optional = true }
-aws-sdk-sts = { version = "0.14", optional = true }
-aws-sigv4 = { version = "0.54", optional = true }
-aws-types = { version = "0.14", optional = true }
+aws-credential-types = { version = "1.1.5", optional = true }
+aws-sdk-iam = { version = "1.13", optional = true }
+aws-sdk-sts = { version = "1.13", optional = true }
+aws-sigv4 = { version = "1.1", optional = true }
+aws-smithy-runtime-api = { version = "1.1.5", optional = true }
+aws-types = { version = "1.1", optional = true }
 base64 = { version = "0.21", optional = true }
 http = { version = "0.2", optional = true }
 serde = "1.0.158"

vaultrs-login/src/engines/aws.rs

@@ -1,12 +1,15 @@
 use std::collections::HashMap;
 
 use async_trait::async_trait;
+use aws_credential_types::Credentials;
+use aws_smithy_runtime_api::client::identity::Identity;
 use base64::{engine::general_purpose, Engine as _};
 use std::time::SystemTime;
 use vaultrs::{api::AuthInfo, client::Client, error::ClientError};
 
 use crate::LoginMethod;
-use aws_sigv4::http_request::{sign, SignableRequest, SigningParams, SigningSettings};
+use aws_sigv4::http_request::{sign, SignableRequest, SigningSettings};
+use aws_sigv4::sign::v4;
 
 /// A login method which uses AWS credentials for obtaining a new token.
 #[derive(Debug)]
@@ -47,23 +50,39 @@ impl LoginMethod for AwsIamLogin {
         let mut request = req_builder
             .body("Action=GetCallerIdentity&Version=2011-06-15")
             .unwrap();
+        let identity = Identity::new(
+            Credentials::new(
+                &self.access_key,
+                &self.secret_key,
+                self.session_token.clone(),
+                None,
+                "hardcoded-credentials",
+            ),
+            None,
+        );
 
-        let mut signing_params = SigningParams::builder()
-            .access_key(&self.access_key)
-            .secret_key(&self.secret_key)
+        let signing_params = v4::SigningParams::builder()
+            .identity(&identity)
             .region(&self.region)
-            .service_name("sts")
+            .name("sts")
             .settings(SigningSettings::default())
             .time(SystemTime::now());
 
-        signing_params.set_security_token(self.session_token.as_deref());
-
-        let signable_request = SignableRequest::from(&request);
-        let (out, _sig) = sign(signable_request, &signing_params.build().unwrap())
+        let signable_request = SignableRequest::new(
+            request.method().as_str(),
+            request.uri().to_string(),
+            request
+                .headers()
+                .into_iter()
+                .map(|(name, value)| (name.as_str(), value.to_str().unwrap())),
+            aws_sigv4::http_request::SignableBody::Bytes(request.body().as_bytes()),
+        )
+        .unwrap();
+        let (out, _sig) = sign(signable_request, &signing_params.build().unwrap().into())
             .unwrap()
             .into_parts();
 
-        out.apply_to_request(&mut request);
+        out.apply_to_request_http0x(&mut request);
 
         let iam_http_request_method = request.method().as_str();
         let iam_request_url = general_purpose::STANDARD.encode(request.uri().to_string());

vaultrs-login/src/lib.rs

@@ -85,6 +85,8 @@ pub trait LoginClient: Client + Sized {
     /// Performs a login using the given method and sets the resulting token to
     /// this client.
     #[instrument(skip(self, method), err)]
+    /// Workaround until https://github.com/tokio-rs/tracing/issues/2876 is fixed
+    #[allow(clippy::blocks_in_conditions)]
     async fn login<M: 'static + LoginMethod>(
         &mut self,
         mount: &str,
@@ -99,6 +101,8 @@ pub trait LoginClient: Client + Sized {
     /// callback which must be passed back to the client to finish the login
     /// flow.
     #[instrument(skip(self, method), err)]
+    /// Workaround until https://github.com/tokio-rs/tracing/issues/2876 is fixed
+    #[allow(clippy::blocks_in_conditions)]
     async fn login_multi<M: 'static + MultiLoginMethod>(
         &self,
         mount: &str,
@@ -110,6 +114,8 @@ pub trait LoginClient: Client + Sized {
     /// Performs the second step of a multi-step login and sets the resulting
     /// token to this client.
     #[instrument(skip(self, callback), err)]
+    /// Workaround until https://github.com/tokio-rs/tracing/issues/2876 is fixed
+    #[allow(clippy::blocks_in_conditions)]
     async fn login_multi_callback<C: 'static + MultiLoginCallback>(
         &mut self,
         mount: &str,

vaultrs-login/tests/login.rs

@@ -250,12 +250,8 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
     .unwrap();
 
     // create role
-
-    use aws_types::{
-        credentials::{Credentials, SharedCredentialsProvider},
-        region::Region,
-        SdkConfig,
-    };
+    use aws_credential_types::Credentials;
+    use aws_types::{region::Region, sdk_config::SharedCredentialsProvider, SdkConfig};
 
     let credentials = Credentials::new("test", "test", None, None, "static");
 
@@ -265,9 +261,8 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
         .build();
 
     let iam_config = aws_sdk_iam::config::Builder::from(&aws_config)
-        .endpoint_resolver(aws_sdk_iam::Endpoint::immutable(
-            localstack.internal_url().parse().unwrap(),
-        ))
+        .endpoint_url(localstack.internal_url())
+        .behavior_version_latest()
         .build();
 
     let iam_client = aws_sdk_iam::Client::from_conf(iam_config);
@@ -291,7 +286,7 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
         .await
         .unwrap();
 
-    let aws_role_arn = aws_role.role().unwrap().arn().unwrap();
+    let aws_role_arn = aws_role.role().unwrap().arn();
 
     aws::role::create(
         client,
@@ -308,9 +303,8 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
     .unwrap();
 
     let sts_config = aws_sdk_sts::config::Builder::from(&aws_config)
-        .endpoint_resolver(aws_sdk_sts::Endpoint::immutable(
-            localstack.internal_url().parse().unwrap(),
-        ))
+        .endpoint_url(localstack.internal_url())
+        .behavior_version_latest()
         .build();
     let sts_client = aws_sdk_sts::Client::from_conf(sts_config);
 
@@ -326,10 +320,10 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
 
     // Test login
     let login = vaultrs_login::engines::aws::AwsIamLogin {
-        access_key: assumed_role_credentials.access_key_id.unwrap(),
-        secret_key: assumed_role_credentials.secret_access_key.unwrap(),
+        access_key: assumed_role_credentials.access_key_id,
+        secret_key: assumed_role_credentials.secret_access_key,
         region: "local".to_string(),
-        session_token: assumed_role_credentials.session_token,
+        session_token: Some(assumed_role_credentials.session_token),
         role: Some("test_role".to_string()),
         header_value: None,
     };