credential cleanup/working on Windows

2022-01-20 12:18:47 -08:00 · 2022-01-20 12:18:47 -08:00 · 691a32d719
commit 691a32d719
parent 1f0e3d0632
4 changed files with 71 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# AWS SDK for Zig (zig-native branch)
+# AWS SDK for Zig (zig native branch)

 [![Build Status](https://drone.lerch.org/api/badges/lobo/aws-sdk-for-zig/status.svg?ref=refs/heads/master)](https://drone.lerch.org/api/badges/lobo/aws-sdk-for-zig/)

@ -10,9 +10,19 @@ services only support XML, and zig 0.8.0 and master both trigger compile
 errors while incorporating the XML parser. S3 also requires some plumbing
 tweaks in the signature calculation. Examples of usage are in src/main.zig.

-Current executable size for the demo is 868k after compiling with -Drelease-safe
-and [stripping the executable after compilation](https://github.com/ziglang/zig/issues/351).
-This is for x86_linux, (which is all that's tested at the moment).
+Current executable size for the demo is 953k (90k of which is the AWS PEM file)
+after compiling with -Drelease-safe and
+[stripping the executable after compilation](https://github.com/ziglang/zig/issues/351).
+This is for x86_linux. Tested targets:
+
+* x86_64-linux
+* riscv64-linux
+* aarch64-linux
+* x86_64 Windows
+
+Tested/not working:
+
+* arm-linux

 ## Building

@ -51,6 +61,7 @@ Only environment variable based credentials can be used at the moment.
 TODO List:

 * Add STS key support
+* Add option to cache signature keys
 * Implement credentials provider
 * Implement jitter/exponential backoff
 * Implement timeouts and other TODO's in the code
--- a/src/aws_authentication.zig
+++ b/src/aws_authentication.zig
@ -1,6 +1,33 @@
+const std = @import("std");
+
 pub const Credentials = struct {
    access_key: []const u8,
-    secret_key: []const u8,
+    secret_key: []u8,
    session_token: ?[]const u8,
    // uint64_t expiration_timepoint_seconds);
+
+    allocator: std.mem.Allocator,
+
+    const Self = @This();
+
+    pub fn init(
+        allocator: std.mem.Allocator,
+        access_key: []const u8,
+        secret_key: []u8,
+        session_token: ?[]const u8,
+    ) Self {
+        return .{
+            .access_key = access_key,
+            .secret_key = secret_key,
+            .session_token = session_token,
+
+            .allocator = allocator,
+        };
+    }
+    pub fn deinit(self: Self) void {
+        for (self.secret_key) |_, i| self.secret_key[i] = 0;
+        self.allocator.free(self.access_key);
+        self.allocator.free(self.secret_key);
+        if (self.session_token) |t| self.allocator.free(t);
+    }
 };
--- a/src/aws_credentials.zig
+++ b/src/aws_credentials.zig
@ -5,19 +5,31 @@
 //! 4. ECS Container credentials, using AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
 //! 5. EC2 instance profile credentials
 const std = @import("std");
+const builtin = @import("builtin");
 const auth = @import("aws_authentication.zig");

 pub fn getCredentials(allocator: std.mem.Allocator) !auth.Credentials {
-    _ = allocator;
-    if (getEnvironmentCredentials()) |cred| return cred;
+    if (try getEnvironmentCredentials(allocator)) |cred| return cred;
    // TODO: 2-5
    return error.NotImplemented;
 }

-fn getEnvironmentCredentials() ?auth.Credentials {
-    return auth.Credentials{
-        .access_key = std.os.getenv("AWS_ACCESS_KEY_ID") orelse return null,
-        .secret_key = std.os.getenv("AWS_SECRET_ACCESS_KEY") orelse return null,
-        .session_token = std.os.getenv("AWS_SESSION_TOKEN"),
+fn getEnvironmentCredentials(allocator: std.mem.Allocator) !?auth.Credentials {
+    const secret_key = (try getEnvironmentVariable(allocator, "AWS_SECRET_ACCESS_KEY")) orelse return null;
+    defer allocator.free(secret_key); //yes, we're not zeroing. But then, the secret key is in an environment var anyway
+    const mutable_key = try allocator.dupe(u8, secret_key);
+    // Use cross-platform API (requires allocation)
+    return auth.Credentials.init(
+        allocator,
+        (try getEnvironmentVariable(allocator, "AWS_ACCESS_KEY_ID")) orelse return null,
+        mutable_key,
+        try getEnvironmentVariable(allocator, "AWS_SESSION_TOKEN"),
+    );
+}
+
+fn getEnvironmentVariable(allocator: std.mem.Allocator, key: []const u8) !?[]const u8 {
+    return std.process.getEnvVarOwned(allocator, key) catch |e| switch (e) {
+        std.process.GetEnvVarOwnedError.EnvironmentVariableNotFound => return null,
+        else => return e,
    };
 }
--- a/src/aws_http.zig
+++ b/src/aws_http.zig
@ -98,7 +98,7 @@ pub const AwsHttp = struct {
        defer endpoint.deinit();
        log.debug("Calling endpoint {s}", .{endpoint.uri});
        const creds = try credentials.getCredentials(self.allocator);
-        // defer allocator.free(), except sometimes we don't need freeing...
+        defer creds.deinit();
        const signing_config: signing.Config = .{
            .region = options.region,
            .service = options.sigv4_service_name orelse service,
@ -217,8 +217,15 @@ fn addHeaders(allocator: std.mem.Allocator, headers: *std.ArrayList(base.Header)
    return null;
 }

+fn getEnvironmentVariable(allocator: std.mem.Allocator, key: []const u8) !?[]const u8 {
+    return std.process.getEnvVarOwned(allocator, key) catch |e| switch (e) {
+        std.process.GetEnvVarOwnedError.EnvironmentVariableNotFound => return null,
+        else => return e,
+    };
+}
+
 fn regionSubDomain(allocator: std.mem.Allocator, service: []const u8, region: []const u8, useDualStack: bool) !EndPoint {
-    const environment_override = std.os.getenv("AWS_ENDPOINT_URL");
+    const environment_override = try getEnvironmentVariable(allocator, "AWS_ENDPOINT_URL");
    if (environment_override) |override| {
        const uri = try allocator.dupeZ(u8, override);
        return endPointFromUri(allocator, uri);