fix(region_config): fix configure endpoint bug in getRegionPrefix #129

Merged
merged 2 commits into from
Aug 21, 2024
120 changes: 120 additions & 0 deletions spec/04-services/05-sts_spec.lua
Expand Up @@ -185,4 +185,124 @@ describe("STS service", function()
end)
end)
end

-- CN Region check, the STS endpoint will be suffixed with ".com.cn"
-- For CN Region there will be no region injections since globalEndpoint
-- is not defined for "cn-*/*" in region_config_data.lua
for _, region in ipairs({"cn-north-1", "cn-northwest-1"}) do
describe("In Region #" .. region, function ()
-- before_each(function()
-- aws.config.region = region
-- end)

it("AWS_STS_REGIONAL_ENDPOINT==regional with default endpoint", function ()
local config = {
region = region,
stsRegionalEndpoints = "regional",
dry_run = true,
}

local sts = aws:STS(config)
local request = sts:assumeRole({
RoleArn = test_assume_role_arn,
RoleSessionName = test_role_session_name,
})

assert.same(sts.config.stsRegionalEndpoints, "regional")
assert.is_nil(sts.config.signingRegion)
assert.falsy(sts.config._regionalEndpointInjected)
-- Check the endpoint has not been injected
assert.same(sts.config.endpoint, "sts." .. region .. ".amazonaws.com.cn")
assert.not_nil(request.headers.Authorization:find(region, 1, true))
end)

describe("AWS_STS_REGIONAL_ENDPOINT==regional with non-default endpoint", function()
it("and endpoint is regional domain", function ()
local config = {
region = region,
stsRegionalEndpoints = "regional",
endpoint = "https://sts." .. region .. ".amazonaws.com.cn",
dry_run = true,
}

local sts = aws:STS(config)
local request = sts:assumeRole({
RoleArn = test_assume_role_arn,
RoleSessionName = test_role_session_name,
})

assert.same(sts.config.stsRegionalEndpoints, "regional")
assert.is_nil(sts.config.signingRegion)
assert.falsy(sts.config._regionalEndpointInjected)
-- Check thes endpoint has not been injected
assert.same(sts.config.endpoint, config.endpoint)
assert.not_nil(request.headers.Authorization:find(region, 1, true))
end)

it("and endpoint is region VPC endpoint", function ()
local config = {
region = region,
stsRegionalEndpoints = "regional",
endpoint = "https://vpce-1234567-abcdefg.sts." .. region .. ".vpce.amazonaws.com",
dry_run = true,
}

local sts = aws:STS(config)
local request = sts:assumeRole({
RoleArn = test_assume_role_arn,
RoleSessionName = test_role_session_name,
})

assert.same(sts.config.stsRegionalEndpoints, "regional")
assert.is_nil(sts.config.signingRegion)
assert.falsy(sts.config._regionalEndpointInjected)
-- Check the endpoint has not been injected when endpoint is a vpc endpoint
assert.same(sts.config.endpoint, config.endpoint)
assert.not_nil(request.headers.Authorization:find(region, 1, true))
end)

it("and endpoint is AZ VPC endpoint", function ()
local config = {
region = region,
stsRegionalEndpoints = "regional",
endpoint = "https://vpce-1234567-abcdefg-" .. region .. "c" .. ".sts." .. region .. ".vpce.amazonaws.com",
dry_run = true,
}

local sts = aws:STS(config)
local request = sts:assumeRole({
RoleArn = test_assume_role_arn,
RoleSessionName = test_role_session_name,
})

assert.same(sts.config.stsRegionalEndpoints, "regional")
assert.is_nil(sts.config.signingRegion)
assert.falsy(sts.config._regionalEndpointInjected)
-- Check the endpoint has not been injected when endpoint is a vpc endpoint
assert.same(sts.config.endpoint, config.endpoint)
assert.not_nil(request.headers.Authorization:find(region, 1, true))
end)
end)

it("AWS_STS_REGIONAL_ENDPOINT==legacy with default endpoint", function ()
local config = {
region = region,
stsRegionalEndpoints = "legacy",
dry_run = true,
}

local sts = aws:STS(config)
local request = sts:assumeRole({
RoleArn = test_assume_role_arn,
RoleSessionName = test_role_session_name,
})

assert.same(sts.config.stsRegionalEndpoints, "legacy")
assert.is_nil(sts.config.signingRegion)
assert.falsy(sts.config._regionalEndpointInjected)
assert.same(sts.config.endpoint, "sts." .. region .. ".amazonaws.com.cn")
assert.not_nil(request.headers.Authorization:find(region, 1, true))
end)
end)
end
end)
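Review bot: The signing check `assert.not_nil(request.headers.Authorization:find(region, 1, true))`, repeated in every new `it` block, only proves that the region string occurs somewhere in the header, so it would still pass if the credential scope named a different service. These cases exist to show that `cn-*` requests are signed for the region they are sent to, so pinning the scope would be stronger: `assert.not_nil(request.headers.Authorization:find("/" .. region .. "/sts/aws4_request", 1, true))`, assuming the standard SigV4 `Credential=` layout. The two VPC fixtures use a `.vpce.amazonaws.com` host for China regions; the assertions only check pass-through, so the result is unaffected, but a `.com.cn` host would presumably be more representative and is worth confirming. The commented-out `before_each` can be dropped.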
13 changes: 9 additions & 4 deletions src/resty/aws/init.lua
Expand Up @@ -133,8 +133,10 @@ end


do
-- https://github.com/aws/aws-sdk-js/blob/c0ec9d31057748cda57eac863273f5ef5a695782/lib/region_config.js#L4
-- returns the region with the last element replaced by "*"
-- "us-east-1" --> "us-east-*"
-- "us-east-1" --> "us-*"
-- "us-isob-west-1" --> "us-isob-*"
local function generateRegionPrefix(region)
if not region then
return nil, "no region given"
Expand All @@ -144,7 +146,10 @@ do
if #parts < 3 then
return nil, "not a valid region, only 2 parts; "..region
end
parts[#parts] = "*"

local n_parts = #parts
parts[n_parts] = nil
parts[n_parts - 1] = "*"
return table.concat(parts, "-")
end

Expand All @@ -159,9 +164,9 @@ do
-- 'sts' configured for region 'us-west-2';
-- {
-- "us-west-2/sts",
-- "us-west-*/sts",
-- "us-*/sts",
-- "us-west-2/*",
-- "us-west-*/*",
-- "us-*/*",
-- "*/sts",
-- "*/*",
-- }
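Review bot: The doc comment above `generateRegionPrefix` still reads `-- returns the region with the last element replaced by "*"`, but the new body drops the last element and replaces the one before it, as the updated examples show. Suggest `-- returns the region with its last two elements collapsed into a single "*"`. The guard's message `"not a valid region, only 2 parts; "` is also what a one-part value would produce. The prefix appears to select which endpoint rule applies to a region, so a more accurate message such as `"not a valid region, fewer than 3 parts; "..region` would help when diagnosing a mis-set region. The line that builds `parts` sits between the hunks and is not visible here.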