Unverified Commit 9a41e359 authored by Russell Cohen Committed by GitHub

Add credentials exposure test & fix STS + SSO (#2603)



## Motivation and Context
- credentials providers may leak credentials in the HTTP body at the
debug level

## Description
This adds a test to aws-config that looks for leaked credentials in all
of our provider integration tests—since these tests use AWS APIs under
the hood, this also serves to test AWS services in general.

To support this, `sensitive` was added to the ParseHttpResponse trait
and code was generated to take action based on this change.

- [x] Add environment variable to force logging of the body
- [x] consider if we want to suppress request body logging as well

## Testing
<!--- Please describe in detail how you tested your changes -->
<!--- Include details of your testing environment, and the tests you ran
to -->
<!--- see how your change affects other areas of the code, etc. -->

## Checklist
<!--- If a checkbox below is not applicable, then please DELETE it
rather than leaving it unchecked -->
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the
smithy-rs codegen or runtime crates
- [x] I have updated `CHANGELOG.next.toml` if I made changes to the AWS
SDK, generated SDK code, or SDK runtime crates

----

_By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice._

---------

Co-authored-by: John DiSanti <jdisanti@amazon.com>
parent 9c585a22
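--- a/CHANGELOG.next.toml
+++ b/CHANGELOG.next.toml
@@ -128,3 +128,19 @@ message = "Fix server code generation bug affecting constrained shapes bound wit
 references = ["smithy-rs#2583", "smithy-rs#2584"]
 meta = { "breaking" = false, "tada" = false, "bug" = true, "target" = "server" }
 author = "david-perez"
+
+[[aws-sdk-rust]]
+message = """Reduce several instances of credential exposure in the SDK logs:
+- IMDS now suppresses the body of the response from logs
+- `aws-sigv4` marks the `x-amz-session-token` header as sensitive
+- STS & SSO credentials have been manually marked as sensitive which suppresses logging of response bodies for relevant operations
+"""
+author = "rcoh"
+references = ["smithy-rs#2603"]
+meta = { "breaking" = false, "tada" = false, "bug" = false }
+
+[[smithy-rs]]
+message = "Add a sensitive method to `ParseHttpResponse`. When this returns true, logging of the HTTP response body will be suppressed."
+author = "rcoh"
+references = ["smithy-rs#2603"]
+meta = { "breaking" = false, "tada" = false, "bug" = false, "target" = "client" }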
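--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -49,6 +49,7 @@ zeroize = { version = "1", optional = true }
 [dev-dependencies]
 futures-util = { version = "0.3.16", default-features = false }
 tracing-test = "0.2.1"
+tracing-subscriber = { version = "0.3.16", features = ["fmt", "json"] }
 
 tokio = { version = "1.23.1", features = ["full", "test-util"] }
 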
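--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -198,8 +198,6 @@ impl Builder {
 
 #[cfg(test)]
 mod test {
-    use tracing_test::traced_test;
-
     use aws_credential_types::provider::ProvideCredentials;
 
     use crate::default_provider::credentials::DefaultCredentialsChain;
@@ -242,7 +240,6 @@ mod test {
             make_test!($name, execute, $provider_config_builder);
         };
         ($name: ident, $func: ident, $provider_config_builder: expr) => {
-            #[traced_test]
             #[tokio::test]
             async fn $name() {
                 crate::test_case::TestEnvironment::from_dir(concat!(
@@ -324,7 +321,6 @@ mod test {
     }
 
     #[tokio::test]
-    #[traced_test]
     #[cfg(feature = "client-hyper")]
     async fn no_providers_configured_err() {
         use crate::provider_config::ProviderConfig;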
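--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -149,6 +149,10 @@ impl ParseStrictResponse for CredentialsResponseParser {
             )),
         }
     }
+
+    fn sensitive(&self) -> bool {
+        true
+    }
 }
 
 #[derive(Clone, Debug)]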
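Review bot: The added `sensitive` override in the `CredentialsResponseParser` impl returns `true` with no comment stating why, so a later reader cannot tell whether suppressing the body is deliberate or a leftover that could be "cleaned up". A one-line comment above it would make the intent auditable, e.g. `// Response bodies carry credentials; suppress body logging (see ParseHttpResponse::sensitive).` The same applies to the `ImdsGetResponseHandler` override in the next file section. Per the changelog text in this commit only response-body logging is affected; whether request-body logging for this call is also suppressed is not visible here. The enclosing impl block starts outside the hunk.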
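--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -280,6 +280,10 @@ impl ParseStrictResponse for ImdsGetResponseHandler {
             Err(InnerImdsError::BadStatus)
         }
     }
+
+    fn sensitive(&self) -> bool {
+        true
+    }
 }
 
 /// IMDSv2 Endpoint Mode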
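Review bot: Returning `true` from `ImdsGetResponseHandler::sensitive` marks every response this handler parses as sensitive, which — if the same handler serves all IMDS GET paths rather than only the IAM security-credentials path — also hides bodies of non-secret metadata responses from debug logs. That is the safe default, but the trade-off should be recorded where the override lives: `// IMDS responses can contain session credentials; the handler is shared across paths, so body logging is suppressed for every IMDS GET rather than risk a leak.` A per-path decision would need the handler to know the requested path, which is not visible in this hunk. The enclosing impl block starts outside the hunk.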