fix(*): replace deprecated pl.xml module with luaexpat

.github/workflows/tests.yml

@@ -2,6 +2,9 @@ name: Test
 
 on: [push, pull_request]
 
+env:
+  LIBEXPAT_DOWNLOAD_URL: https://github.com/libexpat/libexpat/releases/download/R_2_5_0/expat-2.5.0.tar.gz
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -33,6 +36,18 @@ jobs:
         apk add --no-cache curl perl bash wget git perl-dev libarchive-tools nodejs jq
         ln -s /usr/bin/bsdtar /usr/bin/tar
 
+    - name: Build libexpat
+      if: matrix.openresty_version == '1.17.8.2'
+      run: |
+        mkdir -p /tmp/expat
+        curl -Ls $LIBEXPAT_DOWNLOAD_URL | tar -xz --strip-components=1 -f - -C /tmp/expat
+        cd /tmp/expat && ./configure && make && make install
+
+    - name: Install libexpat from package manager
+      if: matrix.openresty_version == '1.19.9.1'
+      run: |
+        apk add --no-cache expat-dev
+
     - name: Cache
       uses: actions/cache@v2
       with:

README.md

@@ -169,6 +169,8 @@ Release process:
   [#59](https://github.com/Kong/lua-resty-aws/pull/59)
 - fix: fix STS regional endpoint injection in build_request
   [#62](https://github.com/Kong/lua-resty-aws/pull/62)
+- fix: replace deprecated pl.xml with luaexpat; fix STS assume role logic.
+  [#61](https://github.com/Kong/lua-resty-aws/pull/61)
 
 ### 1.2.2 (2-May-2023)
 

lua-resty-aws-dev-1.rockspec.template

@@ -27,6 +27,7 @@ dependencies = {
   "lua-resty-http >= 0.16",
   "lua-resty-luasocket ~> 1",
   "lua-resty-openssl >= 0.8.17",
+  "luaexpat >= 1.5.1",
 }
 
 build = {

spec/02-requests/02-build_request_spec.lua

@@ -1,4 +1,5 @@
 local cjson = require "cjson"
+local pl_stringx = require "pl.stringx"
 
 describe("operations protocol", function()
 
@@ -253,7 +254,11 @@ describe("operations protocol", function()
     local request = build_request(operation, config, params)
     if request and request.body then
       -- cannot reliably compare non-canonicalized json, so decode to Lua table
-      request.body = assert(require("pl.xml").parse(request.body))
+      local body_lines = pl_stringx.splitlines(request.body)
+      for i, line in ipairs(body_lines) do
+        body_lines[i] = pl_stringx.strip(line, ' ')
+      end
+      request.body = assert(require("pl.xml").parse(table.concat(body_lines, "")))
       local to_lua = function(t)
         -- convert LOM to comparable Lua table
         for i, v in ipairs(t) do
@@ -290,6 +295,7 @@ describe("operations protocol", function()
         RoleSessionName = {
           [1] = 'world' },
         attr = {
+          [1] = 'xmlns',
           xmlns = 'cool-name-space' },
         someSubStructure = {
           hello = {

src/resty/aws/credentials/ChainableTemporaryCredentials.lua

@@ -1,7 +1,7 @@
 --- ChainedTemporaryCredentials class.
 -- @classmod ChainedTemporaryCredentials
 
-local cjson = require("cjson.safe").new()
+local lom = require("lxp.lom")
 
 
 -- Create class
@@ -104,21 +104,34 @@ end
 -- updates credentials.
 -- @return success, or nil+err
 function ChainedTemporaryCredentials:refresh()
-  local result, err = self.sts:assumeRole(self.params)
-  if not result then
-    return nil, err
+  local response, err = self.sts:assumeRole(self.params)
+  if not response then
+    return nil, "Request for token data failed: " .. tostring(err)
   end
 
-  if type(result) == "string" then
-    local res, err = cjson.decode(result)
-    if not res then
-      return nil, "failed to json-decode assumeRole results with '" .. err .. "', input: " .. result
-    end
-    result = res
+  if response.status ~= 200 then
+    return nil, ("request for token returned '%s': %s"):format(tostring(response.status), response.body)
+  end
+
+  if type(response.body) ~= "string" then
+    return nil, "request for token returned invalid body: " .. err
+  end
+
+  local resp_body_lom, err = lom.parse(response.body)
+  if not resp_body_lom then
+    return nil, "failed to parse response body: " .. err
   end
 
-  local cred = result.Credentials
-  self:set(cred.AccessKeyId, cred.SecretAccessKey, cred.SessionToken, cred.Expiration)
+  local cred_lom = lom.find_elem(lom.find_elem(resp_body_lom, "AssumeRoleResult"), "Credentials")
+
+  local AccessKeyId = lom.find_elem(cred_lom, "AccessKeyId")[1]
+  local SecretAccessKey = lom.find_elem(cred_lom, "SecretAccessKey")[1]
+  local SessionToken = lom.find_elem(cred_lom, "SessionToken")[1]
+  local Expiration = lom.find_elem(cred_lom, "Expiration")[1]
+
+  self:set(AccessKeyId, SecretAccessKey, SessionToken, Expiration)
+
+  return true
 end
 
 return ChainedTemporaryCredentials

src/resty/aws/credentials/TokenFileWebIdentityCredentials.lua

@@ -2,7 +2,7 @@
 -- @classmod TokenFileWebIdentityCredentials
 
 local readfile = require("pl.utils").readfile
-local xml = require("pl.xml")
+local lom = require("lxp.lom")
 
 
 local global_config = require("resty.aws.config").global
@@ -79,14 +79,21 @@ function TokenFileWebIdentityCredentials:refresh()
     return nil, ("request for token returned '%s': %s"):format(tostring(response.status), response.body)
   end
 
-  local cred = xml.parse(response.body, nil, true):
-    child_with_name("AssumeRoleWithWebIdentityResult"):
-    child_with_name("Credentials")
+  if type(response.body) ~= "string" then
+    return nil, "request for token returned invalid body: " .. err
+  end
+
+  local resp_body_lom, err = lom.parse(response.body)
+  if not resp_body_lom then
+    return nil, "failed to parse response body: " .. err
+  end
+
+  local cred_lom = lom.find_elem(lom.find_elem(resp_body_lom, "AssumeRoleWithWebIdentityResult"), "Credentials")
 
-  local AccessKeyId = cred:child_with_name("AccessKeyId")[1]
-  local SecretAccessKey = cred:child_with_name("SecretAccessKey")[1]
-  local SessionToken = cred:child_with_name("SessionToken")[1]
-  local Expiration = cred:child_with_name("Expiration")[1]
+  local AccessKeyId = lom.find_elem(cred_lom, "AccessKeyId")[1]
+  local SecretAccessKey = lom.find_elem(cred_lom, "SecretAccessKey")[1]
+  local SessionToken = lom.find_elem(cred_lom, "SessionToken")[1]
+  local Expiration = lom.find_elem(cred_lom, "Expiration")[1]
 
   self:set(AccessKeyId, SecretAccessKey, SessionToken, Expiration)