
fix(*): replace deprecated pl.xml module with luaexpat #61

Merged
merged 6 commits into from
Jul 18, 2023
15 changes: 15 additions & 0 deletions .github/workflows/tests.yml
Expand Up @@ -2,6 +2,9 @@ name: Test

on: [push, pull_request]

env:
LIBEXPAT_DOWNLOAD_URL: https://github.com/libexpat/libexpat/releases/download/R_2_5_0/expat-2.5.0.tar.gz

jobs:
lint:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -33,6 +36,18 @@ jobs:
apk add --no-cache curl perl bash wget git perl-dev libarchive-tools nodejs jq
ln -s /usr/bin/bsdtar /usr/bin/tar

- name: Build libexpat
if: matrix.openresty_version == '1.17.8.2'
run: |
mkdir -p /tmp/expat
curl -Ls $LIBEXPAT_DOWNLOAD_URL | tar -xz --strip-components=1 -f - -C /tmp/expat
cd /tmp/expat && ./configure && make && make install

- name: Install libexpat from package manager
if: matrix.openresty_version == '1.19.9.1'
run: |
apk add --no-cache expat-dev

- name: Cache
uses: actions/cache@v2
with:
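Review bot: The `Build libexpat` step pipes the downloaded tarball straight into `tar` and then runs `./configure && make && make install` with no integrity check, so whatever the release URL serves is compiled and installed in the CI container. Download to a file and verify a pinned digest before extracting, e.g. `curl -fLs -o /tmp/expat.tar.gz "$LIBEXPAT_DOWNLOAD_URL"` followed by `echo "<EXPECTED_SHA256>  /tmp/expat.tar.gz" | sha256sum -c -` (the digest is a placeholder to be filled in from the upstream release), then `tar -xzf /tmp/expat.tar.gz --strip-components=1 -C /tmp/expat`. Adding `-f` also makes an HTTP error fail at curl instead of handing an error page to tar.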
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -169,6 +169,8 @@ Release process:
[#59](https://github.com/Kong/lua-resty-aws/pull/59)
- fix: fix STS regional endpoint injection in build_request
[#62](https://github.com/Kong/lua-resty-aws/pull/62)
- fix: replace deprecated pl.xml with luaexpat; fix STS assume role logic.
[#61](https://github.com/Kong/lua-resty-aws/pull/61)

### 1.2.2 (2-May-2023)

1 change: 1 addition & 0 deletions lua-resty-aws-dev-1.rockspec.template
Expand Up @@ -27,6 +27,7 @@ dependencies = {
"lua-resty-http >= 0.16",
"lua-resty-luasocket ~> 1",
"lua-resty-openssl >= 0.8.17",
"luaexpat >= 1.5.1",
}

build = {
8 changes: 7 additions & 1 deletion spec/02-requests/02-build_request_spec.lua
@@ -1,4 +1,5 @@
local cjson = require "cjson"
local pl_stringx = require "pl.stringx"

describe("operations protocol", function()

Expand Down Expand Up @@ -253,7 +254,11 @@ describe("operations protocol", function()
local request = build_request(operation, config, params)
if request and request.body then
-- cannot reliably compare non-canonicalized json, so decode to Lua table
request.body = assert(require("pl.xml").parse(request.body))
local body_lines = pl_stringx.splitlines(request.body)
for i, line in ipairs(body_lines) do
body_lines[i] = pl_stringx.strip(line, ' ')
end
request.body = assert(require("pl.xml").parse(table.concat(body_lines, "")))
local to_lua = function(t)
-- convert LOM to comparable Lua table
for i, v in ipairs(t) do
Expand Down Expand Up @@ -290,6 +295,7 @@ describe("operations protocol", function()
RoleSessionName = {
[1] = 'world' },
attr = {
[1] = 'xmlns',
xmlns = 'cool-name-space' },
someSubStructure = {
hello = {
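Review bot: The rewritten body parsing still calls `require("pl.xml").parse(...)`, the module this change replaces elsewhere, so the LOM shape the assertions compare against (for example the added `[1] = 'xmlns'` entry in `attr`) presumably depends on which parser pl.xml selects at runtime. Calling the parser directly, `request.body = assert(require("lxp.lom").parse(table.concat(body_lines, "")))`, would make the expectation independent of that choice. The comment above it still says "non-canonicalized json" although the body is XML; something like `-- strip per-line indentation, then parse the XML body into a comparable Lua table` would match what the new lines do. The enclosing test function starts and ends outside the visible hunk.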
37 changes: 25 additions & 12 deletions src/resty/aws/credentials/ChainableTemporaryCredentials.lua
@@ -1,7 +1,7 @@
--- ChainedTemporaryCredentials class.
-- @classmod ChainedTemporaryCredentials

local cjson = require("cjson.safe").new()
local lom = require("lxp.lom")


-- Create class
Expand Down Expand Up @@ -104,21 +104,34 @@ end
-- updates credentials.
-- @return success, or nil+err
function ChainedTemporaryCredentials:refresh()
local result, err = self.sts:assumeRole(self.params)
if not result then
return nil, err
local response, err = self.sts:assumeRole(self.params)
if not response then
return nil, "Request for token data failed: " .. tostring(err)
end

if type(result) == "string" then
local res, err = cjson.decode(result)
if not res then
return nil, "failed to json-decode assumeRole results with '" .. err .. "', input: " .. result
end
result = res
if response.status ~= 200 then
return nil, ("request for token returned '%s': %s"):format(tostring(response.status), response.body)
end

if type(response.body) ~= "string" then
return nil, "request for token returned invalid body: " .. err
end

local resp_body_lom, err = lom.parse(response.body)
if not resp_body_lom then
return nil, "failed to parse response body: " .. err
end

local cred = result.Credentials
self:set(cred.AccessKeyId, cred.SecretAccessKey, cred.SessionToken, cred.Expiration)
local cred_lom = lom.find_elem(lom.find_elem(resp_body_lom, "AssumeRoleResult"), "Credentials")

local AccessKeyId = lom.find_elem(cred_lom, "AccessKeyId")[1]
local SecretAccessKey = lom.find_elem(cred_lom, "SecretAccessKey")[1]
local SessionToken = lom.find_elem(cred_lom, "SessionToken")[1]
local Expiration = lom.find_elem(cred_lom, "Expiration")[1]

self:set(AccessKeyId, SecretAccessKey, SessionToken, Expiration)

return true
end

return ChainedTemporaryCredentials
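Review bot: In `refresh()`, the new `type(response.body) ~= "string"` branch builds its message with `.. err`, but `err` is presumably nil there because `assumeRole` returned a response, so the branch would raise a concatenation error instead of returning nil+err. The `lom.find_elem(...)` results are also used unchecked, so a 200 response without `AssumeRoleResult`/`Credentials`, or with a field missing, would as far as the hunk shows either index nil or pass nil values into `self:set(...)`. Both paths should return nil plus a message that does not echo the response body, since on this path the body carries the secret key and session token. The same two patterns are added in `TokenFileWebIdentityCredentials:refresh()`.

```lua
  if type(response.body) ~= "string" then
    return nil, "request for token returned invalid body of type: " .. type(response.body)
  end

  -- … unchanged: lom.parse(response.body) and its error return …

  local result_lom = lom.find_elem(resp_body_lom, "AssumeRoleResult")
  local cred_lom = result_lom and lom.find_elem(result_lom, "Credentials")
  if not cred_lom then
    return nil, "response body has no AssumeRoleResult/Credentials element"
  end

  -- first child of the named element, or nil when the element is absent
  local function text_of(name)
    local elem = lom.find_elem(cred_lom, name)
    return elem and elem[1]
  end

  local AccessKeyId = text_of("AccessKeyId")
  local SecretAccessKey = text_of("SecretAccessKey")
  local SessionToken = text_of("SessionToken")
  local Expiration = text_of("Expiration")
  if not (AccessKeyId and SecretAccessKey and SessionToken and Expiration) then
    return nil, "response body is missing one or more credential fields"
  end

  -- … unchanged: self:set(...) and return true …
```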
23 changes: 15 additions & 8 deletions src/resty/aws/credentials/TokenFileWebIdentityCredentials.lua
Expand Up @@ -2,7 +2,7 @@
-- @classmod TokenFileWebIdentityCredentials

local readfile = require("pl.utils").readfile
local xml = require("pl.xml")
local lom = require("lxp.lom")


local global_config = require("resty.aws.config").global
Expand Down Expand Up @@ -79,14 +79,21 @@ function TokenFileWebIdentityCredentials:refresh()
return nil, ("request for token returned '%s': %s"):format(tostring(response.status), response.body)
end

local cred = xml.parse(response.body, nil, true):
child_with_name("AssumeRoleWithWebIdentityResult"):
child_with_name("Credentials")
if type(response.body) ~= "string" then
return nil, "request for token returned invalid body: " .. err
end

local resp_body_lom, err = lom.parse(response.body)
if not resp_body_lom then
return nil, "failed to parse response body: " .. err
end

local cred_lom = lom.find_elem(lom.find_elem(resp_body_lom, "AssumeRoleWithWebIdentityResult"), "Credentials")

local AccessKeyId = cred:child_with_name("AccessKeyId")[1]
local SecretAccessKey = cred:child_with_name("SecretAccessKey")[1]
local SessionToken = cred:child_with_name("SessionToken")[1]
local Expiration = cred:child_with_name("Expiration")[1]
local AccessKeyId = lom.find_elem(cred_lom, "AccessKeyId")[1]
local SecretAccessKey = lom.find_elem(cred_lom, "SecretAccessKey")[1]
local SessionToken = lom.find_elem(cred_lom, "SessionToken")[1]
local Expiration = lom.find_elem(cred_lom, "Expiration")[1]

self:set(AccessKeyId, SecretAccessKey, SessionToken, Expiration)
