diff --git a/spec/04-services/05-sts_spec.lua b/spec/04-services/05-sts_spec.lua
index cb7660e..2c318db 100644
--- a/spec/04-services/05-sts_spec.lua
+++ b/spec/04-services/05-sts_spec.lua
@@ -185,4 +185,124 @@ describe("STS service", function()
 end)
 end)
 end
+
+ -- CN Region check, the STS endpoint will be suffixed with ".com.cn"
+ -- For CN Region there will be no region injections since globalEndpoint
+ -- is not defined for "cn-*/*" in region_config_data.lua
+ for _, region in ipairs({"cn-north-1", "cn-northwest-1"}) do
+ describe("In Region #" .. region, function ()
+ -- before_each(function()
+ -- aws.config.region = region
+ -- end)
+
+ it("AWS_STS_REGIONAL_ENDPOINT==regional with default endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check the endpoint has not been injected
+ assert.same(sts.config.endpoint, "sts." .. region .. ".amazonaws.com.cn")
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+
+ describe("AWS_STS_REGIONAL_ENDPOINT==regional with non-default endpoint", function()
+ it("and endpoint is regional domain", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ endpoint = "https://sts." .. region .. 
".amazonaws.com.cn",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check thes endpoint has not been injected
+ assert.same(sts.config.endpoint, config.endpoint)
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+
+ it("and endpoint is region VPC endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ endpoint = "https://vpce-1234567-abcdefg.sts." .. region .. ".vpce.amazonaws.com",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check the endpoint has not been injected when endpoint is a vpc endpoint
+ assert.same(sts.config.endpoint, config.endpoint)
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+
+ it("and endpoint is AZ VPC endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ endpoint = "https://vpce-1234567-abcdefg-" .. region .. "c" .. ".sts." .. region .. 
".vpce.amazonaws.com",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check the endpoint has not been injected when endpoint is a vpc endpoint
+ assert.same(sts.config.endpoint, config.endpoint)
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+ end)
+
+ it("AWS_STS_REGIONAL_ENDPOINT==legacy with default endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "legacy",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "legacy")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ assert.same(sts.config.endpoint, "sts." .. region .. ".amazonaws.com.cn")
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+ end)
+ end
 end)
diff --git a/src/resty/aws/init.lua b/src/resty/aws/init.lua
index 9d3b9a1..7894c7d 100644
--- a/src/resty/aws/init.lua
+++ b/src/resty/aws/init.lua
@@ -133,8 +133,10 @@ end
 do
+ -- https://github.com/aws/aws-sdk-js/blob/c0ec9d31057748cda57eac863273f5ef5a695782/lib/region_config.js#L4
 -- returns the region with the last element replaced by "*"
- -- "us-east-1" --> "us-east-*"
+ -- "us-east-1" --> "us-*"
+ -- "us-isob-west-1" --> "us-isob-*"
 local function generateRegionPrefix(region)
 if not region then
 return nil, "no region given"
@@ -144,7 +146,10 @@ do
 if #parts < 3 then
 return nil, "not a valid region, only 2 parts; "..region
 end
- parts[#parts] = "*"
+
+ local n_parts = #parts
+ parts[n_parts] = nil
+ parts[n_parts - 1] = "*"
 return table.concat(parts, "-")
 end
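Review bot: The commented-out `before_each` block at the top of the new `describe("In Region #" .. region, …)` is dead code — every test sets `region` in its own config table, so either delete the three `-- before_each(function() … -- end)` lines or make the block live. The comment `-- Check thes endpoint has not been injected` has a typo (`the`). The four `it` bodies are identical apart from the `endpoint` field and the expected endpoint value, so a small local helper taking `(config, expected_endpoint)` would keep the shared assertions in one place; note also that luassert's `same` is `(expected, actual)`, so `assert.same(sts.config.stsRegionalEndpoints, "regional")` labels the values backwards in failure output — presumably consistent with the rest of this file.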
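Review bot: The first line of the comment, `-- returns the region with the last element replaced by "*"`, is now stale: the examples added below it (and the implementation in the next hunk) drop the last element and wildcard the one before it. Suggest `-- returns the region with its last element dropped and the one before it replaced by "*"` so the prose matches the `"us-east-1" --> "us-*"` example. `generateRegionPrefix`'s body continues past the end of this hunk.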
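Review bot: Nothing in this commit pins the new output of `generateRegionPrefix` directly — it is a local inside the `do` block, so specs can only observe it through endpoint resolution, and the new STS specs cover only `cn-*` regions where no prefix entry exists. Any key in region_config_data.lua still written in the old `us-west-*` form would silently stop matching after this change and fall through to the `*/sts` and `*/*` entries; that file is not in this diff, so it is worth confirming it was updated alongside. A small assertion that a `us-west-2` config resolves through `us-*/sts` (or exposing the helper on the module table for testing) would catch a regression here. The function starts in the previous hunk; the lines between the two hunks are not shown.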
@@ -159,9 +164,9 @@ do
 -- 'sts' configured for region 'us-west-2';
 -- {
 -- "us-west-2/sts",
- -- "us-west-*/sts",
+ -- "us-*/sts",
 -- "us-west-2/*",
- -- "us-west-*/*",
+ -- "us-*/*",
 -- "*/sts",
 -- "*/*",
 -- }