feat(clp-json): Add session token support for presigned URL authentication.

[gibber9809]

Description

This PR adds support for using an aws session token (the X-Amz-Security-Token request parameter) to authenticate requests against S3 in combination with the access key ID and secret access key.

We add an std::optional<> option to AwsAuthenticationSigner to represent this new optional argument, and conditionally use it to generate the canonical query string.

Inside of clp-s we now look for the AWS_SESSION_TOKEN environment variable, and pass it to AwsAuthenticationSigner when it exists.

Note that we chose to pass the session token as a url parameter instead of as an http header, because passing the session token as a url parameter is required for some configurations per the docs.

Validation performed

• Validated that GET using a presigned url that contains a valid session token completes succesfully

Summary by CodeRabbit

• New Features

  • Added support for optional AWS session token in authentication.
  • Enhanced AWS authentication flexibility for S3 operations.

• Documentation

  • Updated help text to clarify optional AWS session token requirements.

• Improvements

  • Introduced new constants for AWS session token handling.
  • Modified authentication signer to support session token parameter.

[coderabbitai]

Walkthrough

The pull request introduces support for AWS session tokens across multiple components of the system. The changes modify the AWS authentication mechanism to optionally include a session token during authentication processes. This enhancement allows for more flexible AWS credential management by adding support for temporary security credentials. The modifications span several files in the core and S3 reader components, updating constructors, method signatures, and help text to accommodate the new optional session token parameter.

Changes

File	Change Summary
components/core/src/clp/aws/AwsAuthenticationSigner.hpp	- Added optional session_token to constructor - Introduced m_session_token member variable
components/core/src/clp/aws/AwsAuthenticationSigner.cpp	- Updated get_canonical_query_string method to handle session token - Conditionally include session token in canonical query string
components/core/src/clp_s/CommandLineArguments.cpp	- Updated help text to mention optional AWS_SESSION_TOKEN
components/core/src/clp_s/InputConfig.hpp	- Added cAwsSessionTokenEnvVar constant
components/core/src/clp_s/ReaderUtils.cpp	- Added headers for string - Modified try_sign_url to support optional AWS session token
components/core/src/clp/aws/constants.hpp	- Added cXAmzSecurityToken constant for security token

Sequence Diagram

sequenceDiagram
    participant User
    participant AuthSigner as AWS Authentication Signer
    participant S3 as AWS S3

    User->>AuthSigner: Create with access key, secret key, optional session token
    AuthSigner->>S3: Generate signed URL
    alt Session Token Present
        AuthSigner->>S3: Include session token in authentication
    else No Session Token
        AuthSigner->>S3: Authenticate without session token
    end

Loading

Possibly related PRs

• fix(clp-package): Temporarily remove support for implicit AWS credentials. #682: The main PR enhances the handling of session tokens in AWS authentication, while PR fix(clp-package): Temporarily remove support for implicit AWS credentials. #682 discusses the limitations of handling implicit AWS credentials that also require session tokens, indicating a direct relationship in the context of AWS credential management.

Suggested reviewers

• kirkrodrigues

✨ Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

components/core/src/clp_s/ReaderUtils.cpp (1)

6-6: Remove unused header.

The <unordered_map> header appears to be unused in this file.

-#include <unordered_map>

components/core/src/clp_s/CommandLineArguments.cpp (1)

277-277: LGTM! Consider improving help text readability.

The addition of AWS session token support in the help text is accurate and consistent across all command modes. However, to improve readability, consider breaking the authentication requirements into multiple lines.

Apply this formatting improvement to all three locations:

-                    " variables, and optionally the AWS_SESSION_TOKEN environment variable."
+                    " variables, and optionally the AWS_SESSION_TOKEN environment"
+                    " variable."

Also applies to: 431-431, 585-585

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ba63a76 and 0637d46.

📒 Files selected for processing (5)

• components/core/src/clp/aws/AwsAuthenticationSigner.cpp (2 hunks)
• components/core/src/clp/aws/AwsAuthenticationSigner.hpp (3 hunks)
• components/core/src/clp_s/CommandLineArguments.cpp (3 hunks)
• components/core/src/clp_s/InputConfig.hpp (1 hunks)
• components/core/src/clp_s/ReaderUtils.cpp (2 hunks)

🧰 Additional context used

📓 Path-based instructions (5)

components/core/src/clp_s/InputConfig.hpp (1)

Pattern **/*.{cpp,hpp,java,js,jsx,ts,tsx}: - Prefer false == <expression> rather than !<expression>.

components/core/src/clp_s/CommandLineArguments.cpp (1)

Pattern **/*.{cpp,hpp,java,js,jsx,ts,tsx}: - Prefer false == <expression> rather than !<expression>.

components/core/src/clp/aws/AwsAuthenticationSigner.cpp (1)

Pattern **/*.{cpp,hpp,java,js,jsx,ts,tsx}: - Prefer false == <expression> rather than !<expression>.

components/core/src/clp/aws/AwsAuthenticationSigner.hpp (1)

Pattern **/*.{cpp,hpp,java,js,jsx,ts,tsx}: - Prefer false == <expression> rather than !<expression>.

components/core/src/clp_s/ReaderUtils.cpp (1)

Pattern **/*.{cpp,hpp,java,js,jsx,ts,tsx}: - Prefer false == <expression> rather than !<expression>.

⏰ Context from checks skipped due to timeout of 90000ms (12)

• GitHub Check: ubuntu-focal-static-linked-bins
• GitHub Check: centos-stream-9-static-linked-bins
• GitHub Check: ubuntu-jammy-static-linked-bins
• GitHub Check: ubuntu-focal-dynamic-linked-bins
• GitHub Check: centos-stream-9-dynamic-linked-bins
• GitHub Check: ubuntu-jammy-dynamic-linked-bins
• GitHub Check: build-macos (macos-14, false)
• GitHub Check: build-macos (macos-14, true)
• GitHub Check: lint-check (ubuntu-latest)
• GitHub Check: build-macos (macos-13, false)
• GitHub Check: lint-check (macos-latest)
• GitHub Check: build-macos (macos-13, true)

🔇 Additional comments (8)

components/core/src/clp_s/InputConfig.hpp (1)

14-14: LGTM! The AWS session token environment variable constant is well-defined.

The constant follows the established naming convention and uses the standard AWS environment variable name.

components/core/src/clp/aws/AwsAuthenticationSigner.hpp (3)

5-5: LGTM! Appropriate header inclusion.

The std::optional header is correctly included to support the optional session token parameter.

---

73-80: LGTM! Well-structured constructor signature.

The constructor is properly updated to handle the optional session token parameter, maintaining a clean interface with required parameters first and optional parameters last.

---

138-138: LGTM! Member variable follows class conventions.

The m_session_token member variable follows the class's naming convention with the m_ prefix.

components/core/src/clp_s/ReaderUtils.cpp (2)

170-174: LGTM! Proper session token handling.

The code correctly handles the optional session token by:

1. Initializing with std::nullopt
2. Checking for environment variable presence
3. Converting to std::string only when the token exists

---

176-180: LGTM! Proper signer initialization.

The AwsAuthenticationSigner is correctly initialized with all required credentials, including the optional session token.

components/core/src/clp/aws/AwsAuthenticationSigner.cpp (2)

251-258: LGTM! Proper session token parameter handling.

The code correctly:

1. Creates the session token parameter only when present
2. Uses the correct AWS parameter name "X-Amz-Security-Token"
3. Properly encodes the token value

---

Line range hint 260-271: LGTM! Clean string formatting with session token.

The canonical query string formatting properly incorporates the optional session token parameter while maintaining readability.

[haiqi96]

What will be the behavior is m_session_token.has_value() == false?

I assume session_token_parameter will have an empty string as value hence the extra {} will evaluate to nothing?

[haiqi96]

I personally feel it might be better to append session_token_parameter explicitly, since te number of {}={} already make the original fmt::format pretty hard to decipher (I had to count by myself when making the change), but ulitimately it's up to you.

[gibber9809]

Sure. Will refactor to append session token explicitly.

[haiqi96]

missing an "X"?

Suggested change

	constexpr std::string_view cAmzSecurityToken{"X-Amz-Security-Token"};
	constexpr std::string_view cXAmzSecurityToken{"X-Amz-Security-Token"};

[haiqi96]

intended?

[gibber9809]

Also a leftover. Will delete.

[haiqi96]

didn't see this used in the file. Is it intended?

[gibber9809]

Nope -- leftover from when I was going to pass the token as an http header. Will delete.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

components/core/src/clp_s/ReaderUtils.cpp (2)

174-178: Consider single-line initialization for better readability.

The constructor initialization is correct, but since it's a simple case with three parameters, consider using a single-line format:

-    clp::aws::AwsAuthenticationSigner signer{
-            aws_access_key,
-            aws_secret_access_key,
-            optional_aws_session_token
-    };
+    clp::aws::AwsAuthenticationSigner signer{aws_access_key, aws_secret_access_key, optional_aws_session_token};

---

168-172: Consider adding specific error logging for session token issues.

The current implementation silently handles session token related failures. Consider adding specific error logging when session token validation fails to help with debugging.

     if (nullptr != aws_session_token) {
         optional_aws_session_token = std::string{aws_session_token};
+        SPDLOG_DEBUG("Using AWS session token for authentication");
     }

     clp::aws::AwsAuthenticationSigner signer{
             aws_access_key,
             aws_secret_access_key,
             optional_aws_session_token
     };

Also applies to: 174-178

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1415789 and a46fd09.

📒 Files selected for processing (3)

• components/core/src/clp/aws/AwsAuthenticationSigner.cpp (1 hunks)
• components/core/src/clp/aws/constants.hpp (1 hunks)
• components/core/src/clp_s/ReaderUtils.cpp (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• components/core/src/clp/aws/constants.hpp
• components/core/src/clp/aws/AwsAuthenticationSigner.cpp

🧰 Additional context used

📓 Path-based instructions (1)

components/core/src/clp_s/ReaderUtils.cpp (1)

Pattern **/*.{cpp,hpp,java,js,jsx,ts,tsx}: - Prefer false == <expression> rather than !<expression>.

⏰ Context from checks skipped due to timeout of 90000ms (12)

• GitHub Check: centos-stream-9-static-linked-bins
• GitHub Check: ubuntu-jammy-static-linked-bins
• GitHub Check: centos-stream-9-dynamic-linked-bins
• GitHub Check: ubuntu-jammy-dynamic-linked-bins
• GitHub Check: ubuntu-focal-static-linked-bins
• GitHub Check: ubuntu-focal-dynamic-linked-bins
• GitHub Check: build-macos (macos-14, true)
• GitHub Check: build-macos (macos-13, false)
• GitHub Check: lint-check (ubuntu-latest)
• GitHub Check: build (macos-latest)
• GitHub Check: lint-check (macos-latest)
• GitHub Check: build-macos (macos-13, true)

🔇 Additional comments (2)

components/core/src/clp_s/ReaderUtils.cpp (2)

4-4: Good addition of explicit dependency.

The <string> header is now properly included for string operations, rather than relying on indirect inclusion through other headers.

---

168-172: Well-structured session token handling.

The implementation properly handles the optional nature of session tokens using std::optional and follows the same pattern as other AWS credential checks.

[haiqi96]

Looks good to me, as long as you tested once after making all fixes.

As for title, I feel it looks ok. if I have to suggest something it would be:

feat(clp-json): Add session token support for presigned URL authentication.