Support session tokens in environment variables (#191)

* Support session tokens in the environment credential providers
paws-r · Sep 21, 2019 · f01a24c · f01a24c
1 parent dced442
commit f01a24c
Show file tree

Hide file tree

Showing 7 changed files with 51 additions and 6 deletions.
diff --git a/paws.common/DESCRIPTION b/paws.common/DESCRIPTION
@@ -1,7 +1,7 @@
 Package: paws.common
 Type: Package
 Title: Paws Low-Level Amazon Web Services API
-Version: 0.2.0
+Version: 0.2.1
 Authors@R: c(
         person("David", "Kretch", email = "david.kretch@gmail.com", role = c("aut", "cre")),
         person("Adam", "Banker", email = "adam.banker39@gmail.com", role = "aut"),

diff --git a/paws.common/NEWS.md b/paws.common/NEWS.md
@@ -1,3 +1,7 @@
+# paws.common 0.2.1
+
+* Support session tokens stored in the AWS_SESSION_TOKEN environment variable.
+
 # paws.common 0.2.0
 
 * Use the global signing region (us-east-1) for services with global endpoints,

diff --git a/paws.common/R/credential_providers.R b/paws.common/R/credential_providers.R
@@ -5,11 +5,12 @@ NULL
 r_env_provider <- function() {
   access_key_id <- Sys.getenv("AWS_ACCESS_KEY_ID")
   secret_access_key <- Sys.getenv("AWS_SECRET_ACCESS_KEY")
+  session_token <- Sys.getenv("AWS_SESSION_TOKEN")
   if (access_key_id != "" && secret_access_key != "") {
     creds <- list(
       access_key_id = access_key_id,
       secret_access_key = secret_access_key,
-      session_token = "",
+      session_token = session_token,
       provider_name = ""
     )
   } else {
@@ -23,12 +24,13 @@ os_env_provider <- function() {
 
   access_key_id <- get_os_env_variable("AWS_ACCESS_KEY_ID")
   secret_access_key <- get_os_env_variable("AWS_SECRET_ACCESS_KEY")
+  session_token <- get_os_env_variable("AWS_SESSION_TOKEN")
 
   if (access_key_id != "" && secret_access_key != "") {
     creds <- list(
       access_key_id = access_key_id,
       secret_access_key = secret_access_key,
-      session_token = "",
+      session_token = session_token,
       provider_name = ""
     )
   } else {

diff --git a/paws.common/R/request.R b/paws.common/R/request.R
@@ -88,7 +88,11 @@ Request <- struct(
 #'
 #' @examples
 #' # Make a request object for the S3 ListBuckets operation.
-#' \donttest{client <- function() {new_service(metadata, handlers)}
+#' \donttest{metadata <- list(
+#'   endpoints = list("*" = list(endpoint = "s3.{region}.amazonaws.com", global = FALSE)),
+#'   service_name = "s3"
+#' )
+#' client <- new_service(metadata, new_handlers("restxml", "s3"))
 #' op <- new_operation("ListBuckets", "GET", "/", list())
 #' params <- list()
 #' data <- tag_add(list(Buckets = list()), list(type = "structure"))

diff --git a/paws.common/man/new_request.Rd b/paws.common/man/new_request.Rd
diff --git a/paws.common/tests/testthat/test_credential_providers.R b/paws.common/tests/testthat/test_credential_providers.R
@@ -9,9 +9,20 @@ test_that("r_env_provider", {
   expect_equal(creds$access_key_id, "foo")
   expect_equal(creds$secret_access_key, "bar")
 
+  Sys.setenv(
+    "AWS_ACCESS_KEY_ID" = "foo",
+    "AWS_SECRET_ACCESS_KEY" = "bar",
+    "AWS_SESSION_TOKEN" = "foobar"
+  )
+  creds <- r_env_provider()
+  expect_equal(creds$access_key_id, "foo")
+  expect_equal(creds$secret_access_key, "bar")
+  expect_equal(creds$session_token, "foobar")
+
   Sys.setenv(
     "AWS_ACCESS_KEY_ID" = "",
-    "AWS_SECRET_ACCESS_KEY" = ""
+    "AWS_SECRET_ACCESS_KEY" = "",
+    "AWS_SESSION_TOKEN" = ""
   )
   creds <- r_env_provider()
   expect_null(creds)

diff --git a/paws.common/tests/testthat/test_signer_v4.R b/paws.common/tests/testthat/test_signer_v4.R
@@ -14,6 +14,26 @@ test_creds <- Credentials(
   )
 )
 
+test_that("v4_sign_request_handler", {
+  metadata <- list(
+    endpoints = list("*" = list(endpoint = "s3.{region}.amazonaws.com", global = FALSE)),
+    service_name = "s3"
+  )
+  client <- new_service(metadata, new_handlers("restxml", "s3"))
+  client$config$credentials <- test_creds
+  client$client_info$signing_region <- "us-east-1"
+
+  op <- new_operation("ListBuckets", "GET", "/", list())
+  params <- list()
+  data <- tag_add(list(Buckets = list()), list(type = "structure"))
+  req <- new_request(client, op, params, data)
+  res <- v4_sign_request_handler(req)
+
+  actual <- res$http_request$header[["Authorization"]]
+  expected <- "AWS4-HMAC-SHA256 Credential=AKID/\\d{8}/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=[0-9a-f]{64}"
+  expect_match(actual, expected)
+})
+
 test_that("sign with custom URI escape", {
   expected <- "AWS4-HMAC-SHA256 Credential=AKID/19700101/us-east-1/es/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=6601e883cc6d23871fd6c2a394c5677ea2b8c82b04a6446786d64cd74f520967"