CDRIVER-4439 add AWS credential cache #1207
Conversation
test-awsauth is intended to replace mongoc-ping in AWS tests. test-awsauth will include caching tests specific to AWS.
There is no reason to condition on the presence of ENABLE_MONGODB_AWS_AUTH Removing reduces duplicate definitions.
add _mongoc_aws_credentials_copy_to add _mongoc_aws_credentials_cache_t
test-awsauth statically links the C driver
| // expiration is the time in milliseconds since the Epoch when these | ||
| // credentials expire. If expiration is 0, the credentials do not have a | ||
| // known expiration. | ||
| uint64_t expiration_ms; |
There was a problem hiding this comment.
Could this be done with mcd_duration from mcd-time.h?
It would require a conversion of the time points:
- Calculate the duration
$D$ as the difference between the current UTC time andExpiration. - Create an
mcd_duration dfrom$D$ - Store the computed expire-time:
mcd_time_point expires_at = mcd_later(mcd_now(), d)
Not sure if it's worth the trouble, but may eek out later issues with a bare integer-as-time. Also has a "never-expires" of MCD_TIME_POINT_MAX and "always-expired" MCD_TIME_POINT_MIN.
There was a problem hiding this comment.
I think so. Updated to use mcd_timer.
| bool | ||
| _mongoc_aws_credentials_obtain (mongoc_uri_t *uri, | ||
| _mongoc_aws_credentials_t *creds, | ||
| bson_error_t *error); | ||
|
|
||
| void | ||
| _mongoc_aws_credentials_copy_to (const _mongoc_aws_credentials_t *src, |
There was a problem hiding this comment.
I believe it is more conventional to have the dest parameter first.
There was a problem hiding this comment.
I plan to keep as is. The src, dst order is consistent with all other C driver functions named *_copy_to.
| mcd_timer expiration_timer; | ||
| bool expiration_set; |
There was a problem hiding this comment.
These can be dropped and the values written directly into creds->expiration, IIUC.
| // Zero creds, so callers can safely call _mongoc_aws_credentials_cleanup. | ||
| *creds = MONGOC_AWS_CREDENTIALS_INIT; |
There was a problem hiding this comment.
| // Zero creds, so callers can safely call _mongoc_aws_credentials_cleanup. | |
| *creds = MONGOC_AWS_CREDENTIALS_INIT; | |
| _mongoc_aws_credentials_cleanup (creds); | |
| *creds = MONGOC_AWS_CREDENTIALS_INIT; |
Suggest redefining behavior to be capable of handling an already-initialized "non-zero" creds argument, and suggest removing the line "The passed creds is expected to be uninitialized or zeroed." from documentation, to avoid encouraging the "require/support an uninitialized argument for a conditionally-initializing function" pattern.
There was a problem hiding this comment.
to avoid encouraging the "require/support an uninitialized argument for a conditionally-initializing function" pattern.
Done. I agree with preferring not to support uninitialized arguments. That has been a source of confusion in C driver APIs that expect an uninitialized bson_t. CDRIVER-3368 is one example.
| (_mongoc_aws_credentials_t) \ | ||
| { \ | ||
| .access_key_id = NULL, .secret_access_key = NULL, .session_token = NULL, \ | ||
| .expiration = {{0}}, \ |
There was a problem hiding this comment.
| .expiration = {{0}}, \ | |
| .expiration = {.value = {0}, .set = false}, \ |
Addresses the following warning:
warning: missing field 'set' initializer [-Wmissing-field-initializers]
*creds = MONGOC_AWS_CREDENTIALS_INIT;
^
note: expanded from macro 'MONGOC_AWS_CREDENTIALS_INIT'
.expiration = {{0}}, \
^
There was a problem hiding this comment.
Thank you for the suggested fix.
There was a problem hiding this comment.
*-auth tasks with latest are failing with:
[2023/02/22 21:47:29.636] /data/mci/a00f187bc87fef01fb2eecba06c8c43c/mongoc/src/libmongoc/tests/test-mongoc-scram.c:295 _check_error(): [Unable to use SCRAM-SHA-256 based authentication for user without any SCRAM-SHA-256 credentials registered] does not contain [Authentication failed]
This is failing on the waterfall, and appears unrelated to this commit. The AWS tasks still pass, proceeding with merge.
| (_mongoc_aws_credentials_t) \ | ||
| { \ | ||
| .access_key_id = NULL, .secret_access_key = NULL, .session_token = NULL, \ | ||
| .expiration = {{0}}, \ |
There was a problem hiding this comment.
Thank you for the suggested fix.
| // Zero creds, so callers can safely call _mongoc_aws_credentials_cleanup. | ||
| *creds = MONGOC_AWS_CREDENTIALS_INIT; |
There was a problem hiding this comment.
to avoid encouraging the "require/support an uninitialized argument for a conditionally-initializing function" pattern.
Done. I agree with preferring not to support uninitialized arguments. That has been a source of confusion in C driver APIs that expect an uninitialized bson_t. CDRIVER-3368 is one example.
Summary
test-awsauth, to test new auth in AWS environments.Verified with this patch build of AWS tasks.
Background & Motivation
DRIVERS-2333 describes the required behavior.
The
test-awsauthtarget replacesmongoc-pingin AWS tests.test-awsauthincludes caching tests specific to AWS authentication.test-awsauthrequires access to API in private headers to modify the cache.Cache locking
The cache is locked when making requests for credentials that may be cached.
This is consistent with the AWS SDK behavior locking around fetching.
I assume this is intended to prevent duplicate requests.