From 0401300da6ab9e7f5b5d94ceb52d41d3f107ed15 Mon Sep 17 00:00:00 2001
From: windmgc
Date: Thu, 15 Aug 2024 16:39:49 +0800
Subject: [PATCH 1/2] fix(region_config): fix configure endpoint bug in derivedKeys
---
 spec/04-services/05-sts_spec.lua | 120 +++++++++++++++++++++++++++++++
 src/resty/aws/init.lua | 10 ++-
 2 files changed, 127 insertions(+), 3 deletions(-)
diff --git a/spec/04-services/05-sts_spec.lua b/spec/04-services/05-sts_spec.lua
index cb7660e..2c318db 100644
--- a/spec/04-services/05-sts_spec.lua
+++ b/spec/04-services/05-sts_spec.lua
@@ -185,4 +185,124 @@ describe("STS service", function()
 end)
 end)
 end
+
+ -- CN Region check, the STS endpoint will be suffixed with ".com.cn"
+ -- For CN Region there will be no region injections since globalEndpoint
+ -- is not defined for "cn-*/*" in region_config_data.lua
+ for _, region in ipairs({"cn-north-1", "cn-northwest-1"}) do
+ describe("In Region #" .. region, function ()
+ -- before_each(function()
+ -- aws.config.region = region
+ -- end)
+
+ it("AWS_STS_REGIONAL_ENDPOINT==regional with default endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check the endpoint has not been injected
+ assert.same(sts.config.endpoint, "sts." .. region .. ".amazonaws.com.cn")
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+
+ describe("AWS_STS_REGIONAL_ENDPOINT==regional with non-default endpoint", function()
+ it("and endpoint is regional domain", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ endpoint = "https://sts." .. region .. ".amazonaws.com.cn",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check thes endpoint has not been injected
+ assert.same(sts.config.endpoint, config.endpoint)
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+
+ it("and endpoint is region VPC endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ endpoint = "https://vpce-1234567-abcdefg.sts." .. region .. ".vpce.amazonaws.com",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check the endpoint has not been injected when endpoint is a vpc endpoint
+ assert.same(sts.config.endpoint, config.endpoint)
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+
+ it("and endpoint is AZ VPC endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "regional",
+ endpoint = "https://vpce-1234567-abcdefg-" .. region .. "c" .. ".sts." .. region .. ".vpce.amazonaws.com",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "regional")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ -- Check the endpoint has not been injected when endpoint is a vpc endpoint
+ assert.same(sts.config.endpoint, config.endpoint)
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+ end)
+
+ it("AWS_STS_REGIONAL_ENDPOINT==legacy with default endpoint", function ()
+ local config = {
+ region = region,
+ stsRegionalEndpoints = "legacy",
+ dry_run = true,
+ }
+
+ local sts = aws:STS(config)
+ local request = sts:assumeRole({
+ RoleArn = test_assume_role_arn,
+ RoleSessionName = test_role_session_name,
+ })
+
+ assert.same(sts.config.stsRegionalEndpoints, "legacy")
+ assert.is_nil(sts.config.signingRegion)
+ assert.falsy(sts.config._regionalEndpointInjected)
+ assert.same(sts.config.endpoint, "sts." .. region .. ".amazonaws.com.cn")
+ assert.not_nil(request.headers.Authorization:find(region, 1, true))
+ end)
+ end)
+ end
 end)
diff --git a/src/resty/aws/init.lua b/src/resty/aws/init.lua
index 9d3b9a1..705bf27 100644
--- a/src/resty/aws/init.lua
+++ b/src/resty/aws/init.lua
@@ -133,8 +133,10 @@ end
 do
+ -- https://github.com/aws/aws-sdk-js/blob/c0ec9d31057748cda57eac863273f5ef5a695782/lib/region_config.js#L4
 -- returns the region with the last element replaced by "*"
- -- "us-east-1" --> "us-east-*"
+ -- "us-east-1" --> "us-*"
+ -- "us-isob-west-1" --> "us-isob-*"
 local function generateRegionPrefix(region)
 if not region then
 return nil, "no region given"
@@ -144,6 +146,8 @@ do
 if #parts < 3 then
 return nil, "not a valid region, only 2 parts; "..region
 end
+
+ parts = tablex.sub(parts, 1, #parts - 1)
 parts[#parts] = "*"
 return table.concat(parts, "-")
 end
@@ -159,9 +163,9 @@ do
 -- 'sts' configured for region 'us-west-2';
 -- {
 -- "us-west-2/sts",
- -- "us-west-*/sts",
+ -- "us-*/sts",
 -- "us-west-2/*",
- -- "us-west-*/*",
+ -- "us-*/*",
 -- "*/sts",
 -- "*/*",
 -- }
From 93d3c6b7c104581f6dda191e6a29d96d8a10fe6c Mon Sep 17 00:00:00 2001
From: windmgc
Date: Thu, 15 Aug 2024 18:06:19 +0800
Subject: [PATCH 2/2] fix(*): remove tablex.sub calling
---
 src/resty/aws/init.lua | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/resty/aws/init.lua b/src/resty/aws/init.lua
index 705bf27..7894c7d 100644
--- a/src/resty/aws/init.lua
+++ b/src/resty/aws/init.lua
@@ -147,8 +147,9 @@ do
 return nil, "not a valid region, only 2 parts; "..region
 end
- parts = tablex.sub(parts, 1, #parts - 1)
- parts[#parts] = "*"
+ local n_parts = #parts
+ parts[n_parts] = nil
+ parts[n_parts - 1] = "*"
 return table.concat(parts, "-")
 end
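Review bot: Caching `local n_parts = #parts` and then writing `parts[n_parts] = nil` followed by `parts[n_parts - 1] = "*"` is correct given the `#parts < 3` guard two lines above, but the index arithmetic hides that the intent is simply "drop the suffix, star the new tail"; the idiomatic `table.remove(parts)` followed by `parts[#parts] = "*"` says that in two lines with no offset to get wrong. The guard is what makes `n_parts - 1 >= 2` hold, so it deserves a comment such as `-- at least 2 parts must remain after dropping the suffix, otherwise the prefix degenerates to "*"` so a later edit does not loosen it to `< 2`. `generateRegionPrefix`'s signature and the split that builds `parts` are outside this hunk.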