From 035c305d84460a9094870c3fd90f6d03c8ab627c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A4nnetz?= <34142036+Haennetz@users.noreply.github.com>
Date: Sun, 11 Feb 2024 15:31:01 +0100
Subject: [PATCH 1/2] fix: disable clippy blocks_in_conditions tokio tracing instrument causes clippy to fail see https://github.com/tokio-rs/tracing/issues/2876
---
 vaultrs-login/src/lib.rs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/vaultrs-login/src/lib.rs b/vaultrs-login/src/lib.rs
index 1980fdc..e0b32c3 100644
--- a/vaultrs-login/src/lib.rs
+++ b/vaultrs-login/src/lib.rs
@@ -85,6 +85,8 @@ pub trait LoginClient: Client + Sized {
 /// Performs a login using the given method and sets the resulting token to
 /// this client.
 #[instrument(skip(self, method), err)]
+ /// Workaround until https://github.com/tokio-rs/tracing/issues/2876 is fixed
+ #[allow(clippy::blocks_in_conditions)]
 async fn login(
 &mut self,
 mount: &str,
@@ -99,6 +101,8 @@ pub trait LoginClient: Client + Sized {
 /// callback which must be passed back to the client to finish the login
 /// flow.
 #[instrument(skip(self, method), err)]
+ /// Workaround until https://github.com/tokio-rs/tracing/issues/2876 is fixed
+ #[allow(clippy::blocks_in_conditions)]
 async fn login_multi(
 &self,
 mount: &str,
@@ -110,6 +114,8 @@ pub trait LoginClient: Client + Sized {
 /// Performs the second step of a multi-step login and sets the resulting
 /// token to this client.
 #[instrument(skip(self, callback), err)]
+ /// Workaround until https://github.com/tokio-rs/tracing/issues/2876 is fixed
+ #[allow(clippy::blocks_in_conditions)]
 async fn login_multi_callback(
 &mut self,
 mount: &str,
From 2a67ad9e6a19c20837977b00494cdfe81347f616 Mon Sep 17 00:00:00 2001
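Review bot: The workaround note added before `#[allow(clippy::blocks_in_conditions)]` is written as a `///` doc comment, so it becomes part of the public rustdoc of `login` instead of an internal remark; the same applies to the `login_multi` and `login_multi_callback` hunks in this file. A plain comment carries the same information without leaking into the generated docs: `// Workaround until https://github.com/tokio-rs/tracing/issues/2876 is fixed`. Placing a doc line after `#[instrument]` also detaches it from the method's other `///` lines above, which reads oddly in rustdoc output. Each of the three `async fn` signatures continues past the end of its hunk.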
From: =?UTF-8?q?H=C3=A4nnetz?= <34142036+Haennetz@users.noreply.github.com>
Date: Mon, 12 Feb 2024 09:25:59 +0100
Subject: [PATCH 2/2] fix: RUSTSEC-2023-0052
---
 vaultrs-login/Cargo.toml | 12 ++++++----
 vaultrs-login/src/engines/aws.rs | 39 ++++++++++++++++++++++++--------
 vaultrs-login/tests/login.rs | 26 ++++++++-------------
 3 files changed, 46 insertions(+), 31 deletions(-)
diff --git a/vaultrs-login/Cargo.toml b/vaultrs-login/Cargo.toml
index e7c8119..a9b9b9d 100644
--- a/vaultrs-login/Cargo.toml
+++ b/vaultrs-login/Cargo.toml
@@ -12,15 +12,17 @@ edition = "2018"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
-aws = ["aws-sdk-iam", "aws-sdk-sts", "aws-sigv4", "aws-types", "base64", "http", "serde_json"]
+aws = ["aws-sdk-iam", "aws-sdk-sts", "aws-sigv4", "aws-types", "aws-credential-types", "aws-smithy-runtime-api", "base64", "http", "serde_json"]
 oidc = ["tiny_http", "tokio"]
 [dependencies]
 async-trait = "0.1.68"
-aws-sdk-iam = { version = "0.14", optional = true }
-aws-sdk-sts = { version = "0.14", optional = true }
-aws-sigv4 = { version = "0.54", optional = true }
-aws-types = { version = "0.14", optional = true }
+aws-credential-types = { version = "1.1.5", optional = true }
+aws-sdk-iam = { version = "1.13", optional = true }
+aws-sdk-sts = { version = "1.13", optional = true }
+aws-sigv4 = { version = "1.1", optional = true }
+aws-smithy-runtime-api = { version = "1.1.5", optional = true }
+aws-types = { version = "1.1", optional = true }
 base64 = { version = "0.21", optional = true }
 http = { version = "0.2", optional = true }
 serde = "1.0.158"
diff --git a/vaultrs-login/src/engines/aws.rs b/vaultrs-login/src/engines/aws.rs
index f247d65..b11f4c7 100644
--- a/vaultrs-login/src/engines/aws.rs
+++ b/vaultrs-login/src/engines/aws.rs
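Review bot: The advisory named in the subject (RUSTSEC-2023-0052) is addressed only transitively by these version bumps, and nothing in this hunk pins the patched transitive crate, so whether the vulnerable version actually leaves the dependency graph depends on resolution at build time; a committed Cargo.lock, if the repository has one, is not part of this diff. Running `cargo audit` (or `cargo deny check advisories`) in CI would make the fix verifiable rather than assumed. The new `aws-sigv4 = { version = "1.1", optional = true }` line enables only that crate's default features, while `src/engines/aws.rs` in the same patch calls `apply_to_request_http0x`; if that method is gated behind the `http0-compat` feature in the resolved version, it currently compiles only through feature unification with the SDK crates, and listing it explicitly, `aws-sigv4 = { version = "1.1", optional = true, features = ["http0-compat"] }`, removes that dependency on a sibling crate's choices.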
@@ -1,12 +1,15 @@
 use std::collections::HashMap;
 use async_trait::async_trait;
+use aws_credential_types::Credentials;
+use aws_smithy_runtime_api::client::identity::Identity;
 use base64::{engine::general_purpose, Engine as _};
 use std::time::SystemTime;
 use vaultrs::{api::AuthInfo, client::Client, error::ClientError};
 use crate::LoginMethod;
-use aws_sigv4::http_request::{sign, SignableRequest, SigningParams, SigningSettings};
+use aws_sigv4::http_request::{sign, SignableRequest, SigningSettings};
+use aws_sigv4::sign::v4;
 /// A login method which uses AWS credentials for obtaining a new token.
 #[derive(Debug)]
@@ -47,23 +50,39 @@ impl LoginMethod for AwsIamLogin {
 let mut request = req_builder
 .body("Action=GetCallerIdentity&Version=2011-06-15")
 .unwrap();
+ let identity = Identity::new(
+ Credentials::new(
+ &self.access_key,
+ &self.secret_key,
+ self.session_token.clone(),
+ None,
+ "hardcoded-credentials",
+ ),
+ None,
+ );
- let mut signing_params = SigningParams::builder()
- .access_key(&self.access_key)
- .secret_key(&self.secret_key)
+ let signing_params = v4::SigningParams::builder()
+ .identity(&identity)
 .region(&self.region)
- .service_name("sts")
+ .name("sts")
 .settings(SigningSettings::default())
 .time(SystemTime::now());
- signing_params.set_security_token(self.session_token.as_deref());
-
- let signable_request = SignableRequest::from(&request);
- let (out, _sig) = sign(signable_request, &signing_params.build().unwrap())
+ let signable_request = SignableRequest::new(
+ request.method().as_str(),
+ request.uri().to_string(),
+ request
+ .headers()
+ .into_iter()
+ .map(|(name, value)| (name.as_str(), value.to_str().unwrap())),
+ aws_sigv4::http_request::SignableBody::Bytes(request.body().as_bytes()),
+ )
+ .unwrap();
+ let (out, _sig) = sign(signable_request, &signing_params.build().unwrap().into())
 .unwrap()
 .into_parts();
- out.apply_to_request(&mut request);
+ out.apply_to_request_http0x(&mut request);
 let iam_http_request_method = request.method().as_str();
 let iam_request_url = general_purpose::STANDARD.encode(request.uri().to_string());
diff --git a/vaultrs-login/tests/login.rs b/vaultrs-login/tests/login.rs
index cb12731..7912640 100644
--- a/vaultrs-login/tests/login.rs
+++ b/vaultrs-login/tests/login.rs
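Review bot: The new signing path adds three more panic points on a request-building error — `value.to_str().unwrap()` inside the header map, `SignableRequest::new(...).unwrap()` and `sign(...).unwrap()` — in a method whose contract is to return a `ClientError`; the `to_str()` one fires for any header value that is not visible ASCII, which is reachable through a caller-supplied header if one is added to `request` outside this hunk. Collecting the headers fallibly, `.map(|(name, value)| value.to_str().map(|v| (name.as_str(), v))).collect::<Result<Vec<_>, _>>()`, and mapping that error together with the `SignableRequest::new` and `sign` errors into the `ClientError` variant this crate uses for request failures would keep a bad header a login error instead of a crash. The provider name `"hardcoded-credentials"` passed to `Credentials::new` is also misleading, since the key material comes from the `AwsIamLogin` fields; a name such as `"vaultrs-login"` identifies the actual source in SDK diagnostics. The enclosing `login` body starts and ends outside this hunk.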
@@ -250,12 +250,8 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
 .unwrap();
 // create role
-
- use aws_types::{
- credentials::{Credentials, SharedCredentialsProvider},
- region::Region,
- SdkConfig,
- };
+ use aws_credential_types::Credentials;
+ use aws_types::{region::Region, sdk_config::SharedCredentialsProvider, SdkConfig};
 let credentials = Credentials::new("test", "test", None, None, "static");
@@ -265,9 +261,8 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
 .build();
 let iam_config = aws_sdk_iam::config::Builder::from(&aws_config)
- .endpoint_resolver(aws_sdk_iam::Endpoint::immutable(
- localstack.internal_url().parse().unwrap(),
- ))
+ .endpoint_url(localstack.internal_url())
+ .behavior_version_latest()
 .build();
 let iam_client = aws_sdk_iam::Client::from_conf(iam_config);
@@ -291,7 +286,7 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
 .await
 .unwrap();
- let aws_role_arn = aws_role.role().unwrap().arn().unwrap();
+ let aws_role_arn = aws_role.role().unwrap().arn();
 aws::role::create(
 client,
@@ -308,9 +303,8 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
 .unwrap();
 let sts_config = aws_sdk_sts::config::Builder::from(&aws_config)
- .endpoint_resolver(aws_sdk_sts::Endpoint::immutable(
- localstack.internal_url().parse().unwrap(),
- ))
+ .endpoint_url(localstack.internal_url())
+ .behavior_version_latest()
 .build();
 let sts_client = aws_sdk_sts::Client::from_conf(sts_config);
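Review bot: `behavior_version_latest()` on the IAM config builder (and the same call in the STS hunk below) ties the test to whatever the resolved SDK defines as "latest", so a later `cargo update` can change client behavior under this test with no diff in the repository. Pinning it, `.behavior_version(aws_sdk_iam::config::BehaviorVersion::v2023_11_09())` (and the `aws_sdk_sts` counterpart), keeps the fixture reproducible and makes an intentional upgrade show up as an explicit edit. `test_aws` begins before the first hunk and continues after the last.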
@@ -326,10 +320,10 @@ async fn test_aws(localstack: &LocalStackServer, client: &mut VaultClient) {
 // Test login
 let login = vaultrs_login::engines::aws::AwsIamLogin {
- access_key: assumed_role_credentials.access_key_id.unwrap(),
- secret_key: assumed_role_credentials.secret_access_key.unwrap(),
+ access_key: assumed_role_credentials.access_key_id,
+ secret_key: assumed_role_credentials.secret_access_key,
 region: "local".to_string(),
- session_token: assumed_role_credentials.session_token,
+ session_token: Some(assumed_role_credentials.session_token),
 role: Some("test_role".to_string()),
 header_value: None,
 };