aws: Add AWS Greengrass schema to approved credential URIs #11369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

ShelbyZ wants to merge 2 commits into fluent:master from ShelbyZ:aws-greengrass

+126 −6

src/aws/flb_aws_credentials_http.c

-Original file line number
+Diff line change
@@ Expand Up / @@ -40,6 +40,8 @@ @@
     #define ECS_CREDENTIALS_HOST_LEN       13
     #define EKS_CREDENTIALS_HOST           "169.254.170.23"
     #define EKS_CREDENTIALS_HOST_LEN       14
+    #define GREENGRASS_CREDENTIALS_HOST    "localhost"
+    #define GREENGRASS_CREDENTIALS_PATH    "/2016-11-01/credentialprovider/"
     #define AWS_CREDENTIALS_RELATIVE_URI   "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
     #define AWS_CREDENTIALS_FULL_URI       "AWS_CONTAINER_CREDENTIALS_FULL_URI"
@@ Expand All / @@ -60,8 +62,9 @@ does not satisfy any of the following conditions: @@
     is within the loopback CIDR (IPv4 127.0.0.0/8, IPv6 ::1/128)
     is the ECS container host 169.254.170.2
-    is the EKS container host (IPv4 169.254.170.23, IPv6 fd00:ec2::23)*/
-    static int validate_http_credential_uri(flb_sds_t protocol, flb_sds_t host)
+    is the EKS container host (IPv4 169.254.170.23, IPv6 fd00:ec2::23)
+    is localhost with Greengrass credential provider path (/2016-11-01/credentialprovider/)*/
+    static int validate_http_credential_uri(flb_sds_t protocol, flb_sds_t host, flb_sds_t path)
     {
         if (strncmp(protocol, "https", 5) == 0) {
             return 0;
@@ Expand All @@
                    strncmp(host, EKS_CREDENTIALS_HOST, EKS_CREDENTIALS_HOST_LEN) == 0 ||
                    strstr(host, "::1") != NULL ||
                    strstr(host, "fd00:ec2::23") != NULL ||
-                   strstr(host, "fe80:") != NULL) {
+                   strstr(host, "fe80:") != NULL ||
+                   (strcmp(host, GREENGRASS_CREDENTIALS_HOST) == 0 && path != NULL &&
+                    strcmp(path, GREENGRASS_CREDENTIALS_PATH) == 0)) {
             return 0;
         }
@@ Expand Down Expand Up @@
             }
             insecure = strncmp(protocol, "http", 4) == 0 ? FLB_TRUE : FLB_FALSE;
-            ret = validate_http_credential_uri(protocol, host);
+            ret = validate_http_credential_uri(protocol, host, path);
             if (ret < 0) {
-                flb_error("[aws credentials] %s must be set to an https:// address or a link local IP address."
-                          " Found protocol=%s, host=%s, port=%s, path=%s",
+                flb_error("[aws credentials] %s must be set to an https:// address, a link local IP address, "
+                          "or localhost with Greengrass credential provider path. "
+                          "Found protocol=%s, host=%s, port=%s, path=%s",
                           AWS_CREDENTIALS_FULL_URI, protocol, host, port_sds, path);
                 flb_sds_destroy(protocol);
                 flb_sds_destroy(host);
@@ Expand Down @@

tests/internal/aws_credentials_http.c

-Original file line number
+Diff line change
@@ Expand Up / @@ -755,6 +755,116 @@ static void test_http_validator_invalid_port() @@
         flb_free(config);
     }
+    static void test_http_validator_greengrass_valid()
+    {
+        struct flb_aws_provider *provider;
+        struct flb_aws_credentials *creds;
+        struct flb_config *config;
+        /* Test valid Greengrass URL with localhost and correct path */
+        setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:8080/2016-11-01/credentialprovider/", 1);
+        setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+        setup_test(FLB_AWS_CLIENT_MOCK(
+            response(
+                expect(URI, "/2016-11-01/credentialprovider/"),
+                expect(METHOD, FLB_HTTP_GET),
+                expect(HEADER, "Authorization", "greengrass-token"),
+                set(STATUS, 200),
+                set(PAYLOAD, "{\n  \"Code\" : \"Success\",\n  \"LastUpdated\" : \"2021-09-16T18:29:09Z\",\n"
+                    "  \"Type\" : \"AWS-HMAC\",\n  \"AccessKeyId\" : \"GREENGRASSACCESSKEY\",\n  \"SecretAccessKey\""
+                    " : \"GREENGRASSSECRETKEY\",\n  \"Token\" : \"GREENGRASSTOKEN\",\n"
+                    "  \"Expiration\" : \"3021-09-17T00:41:00Z\"\n}"),
+                set(PAYLOAD_SIZE, 257)
+            )
+        ), &provider, &config);
+        flb_time_msleep(1000);
+        /* Should successfully get credentials */
+        creds = provider->provider_vtable->get_credentials(provider);
+        TEST_ASSERT(creds != NULL);
+        TEST_CHECK(strcmp("GREENGRASSACCESSKEY", creds->access_key_id) == 0);
+        TEST_CHECK(strcmp("GREENGRASSSECRETKEY", creds->secret_access_key) == 0);
+        TEST_CHECK(strcmp("GREENGRASSTOKEN", creds->session_token) == 0);
+        flb_aws_credentials_destroy(creds);
+        /* Check we have exhausted our response list */
+        TEST_CHECK(flb_aws_client_mock_generator_count_unused_requests() == 0);
+        cleanup_test(provider, config);
+    }
+    static void test_http_validator_greengrass_invalid_host()
+    {
+        struct flb_aws_provider *provider;
+        struct flb_config *config;
+        /* Test invalid Greengrass URL - correct path but wrong host */
+        setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://example.com:8080/2016-11-01/credentialprovider/", 1);
+        setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+        flb_aws_client_mock_configure_generator(NULL);
+        config = flb_calloc(1, sizeof(struct flb_config));
+        TEST_ASSERT(config != NULL);
+        mk_list_init(&config->upstreams);
+        /* provider creation will fail because host is not localhost */
+        provider = flb_http_provider_create(config, flb_aws_client_get_mock_generator());
+        TEST_ASSERT(provider == NULL);
+        flb_aws_client_mock_destroy_generator();
+        flb_free(config);
+    }
+    static void test_http_validator_greengrass_invalid_path()
+    {
+        struct flb_aws_provider *provider;
+        struct flb_config *config;
+        /* Test invalid Greengrass URL - localhost but wrong path */
+        setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:8080/invalid/path", 1);
+        setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+        flb_aws_client_mock_configure_generator(NULL);
+        config = flb_calloc(1, sizeof(struct flb_config));
+        TEST_ASSERT(config != NULL);
+        mk_list_init(&config->upstreams);
+        /* provider creation will fail because path doesn't match Greengrass pattern */
+        provider = flb_http_provider_create(config, flb_aws_client_get_mock_generator());
+        TEST_ASSERT(provider == NULL);
+        flb_aws_client_mock_destroy_generator();
+        flb_free(config);
+    }
+    static void test_http_validator_greengrass_invalid_path_prefix()
+    {
+        struct flb_aws_provider *provider;
+        struct flb_config *config;
+        /* Test invalid Greengrass URL - localhost but path has Greengrass pattern in middle, not at start */
+        setenv("AWS_CONTAINER_CREDENTIALS_FULL_URI", "http://localhost:8080/prefix/2016-11-01/credentialprovider/", 1);
+        setenv("AWS_CONTAINER_AUTHORIZATION_TOKEN", "greengrass-token", 1);
+        flb_aws_client_mock_configure_generator(NULL);
+        config = flb_calloc(1, sizeof(struct flb_config));
+        TEST_ASSERT(config != NULL);
+        mk_list_init(&config->upstreams);
+        /* provider creation will fail because path doesn't start with Greengrass pattern */
+        provider = flb_http_provider_create(config, flb_aws_client_get_mock_generator());
+        TEST_ASSERT(provider == NULL);
+        flb_aws_client_mock_destroy_generator();
+        flb_free(config);
+    }
     TEST_LIST = {
         { "test_http_provider", test_http_provider},
         { "test_http_provider_error_case", test_http_provider_error_case},
@@ Expand All / @@ -766,5 +876,9 @@ TEST_LIST = { @@
         { "test_http_provider_server_failure", test_http_provider_server_failure},
         { "test_http_validator_invalid_host", test_http_validator_invalid_host},
         { "test_http_validator_invalid_port", test_http_validator_invalid_port},
+        { "test_http_validator_greengrass_valid", test_http_validator_greengrass_valid},
+        { "test_http_validator_greengrass_invalid_host", test_http_validator_greengrass_invalid_host},
+        { "test_http_validator_greengrass_invalid_path", test_http_validator_greengrass_invalid_path},
+        { "test_http_validator_greengrass_invalid_path_prefix", test_http_validator_greengrass_invalid_path_prefix},
         { 0 }
     };

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

aws: Add AWS Greengrass schema to approved credential URIs #11369

Diff view

Diff view

There are no files selected for viewing

rawalexe Jan 20, 2026

Uh oh!

Uh oh!

aws: Add AWS Greengrass schema to approved credential URIs #11369

Are you sure you want to change the base?

aws: Add AWS Greengrass schema to approved credential URIs #11369

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

rawalexe Jan 20, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!