wroclaw-git-backups/nix
1
0
Fork 0
mirror of https://github.com/NixOS/nix synced 2025-07-18 07:08:27 +02:00
Code Activity

Merge pull request #13460 from m4dc4p/m4dc4p/handle-expired-tokens

Browse source 
Better Handling for Expired Credentials
This commit is contained in:
Eelco Dolstra 2025-07-14 11:51:30 +02:00 committed by GitHub
commit e8314e69ab
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 15 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/libstore/s3-binary-cache-store.cc
View file

@ -37,10 +37,11 @@ namespace nix {
struct S3Error : public Error struct S3Error : public Error
{ {
Aws::S3::S3Errors err; Aws::S3::S3Errors err;
Aws::String exceptionName;
template<typename... Args> template<typename... Args>
S3Error(Aws::S3::S3Errors err, const Args & ... args) S3Error(Aws::S3::S3Errors err, Aws::String exceptionName, const Args & ... args)
: Error(args...), err(err) { }; : Error(args...), err(err), exceptionName(exceptionName) { };
}; };
/* Helper: given an Outcome<R, E>, return R in case of success, or /* Helper: given an Outcome<R, E>, return R in case of success, or
@ -51,6 +52,7 @@ R && checkAws(std::string_view s, Aws::Utils::Outcome<R, E> && outcome)
if (!outcome.IsSuccess()) if (!outcome.IsSuccess())
throw S3Error( throw S3Error(
outcome.GetError().GetErrorType(), outcome.GetError().GetErrorType(),
outcome.GetError().GetExceptionName(),
fmt( fmt(
"%s: %s (request id: %s)", "%s: %s (request id: %s)",
s, s,
@ -226,7 +228,13 @@ S3Helper::FileTransferResult S3Helper::getObject(
} catch (S3Error & e) { } catch (S3Error & e) {
if ((e.err != Aws::S3::S3Errors::NO_SUCH_KEY) && if ((e.err != Aws::S3::S3Errors::NO_SUCH_KEY) &&
(e.err != Aws::S3::S3Errors::ACCESS_DENIED)) throw; (e.err != Aws::S3::S3Errors::ACCESS_DENIED) &&
// Expired tokens are not really an error, more of a caching problem. Should be treated same as 403.
//
// AWS unwilling to provide a specific error type for the situation (https://github.com/aws/aws-sdk-cpp/issues/1843)
// so use this hack
(e.exceptionName != "ExpiredToken")
) throw;
} }
auto now2 = std::chrono::steady_clock::now(); auto now2 = std::chrono::steady_clock::now();
@ -334,6 +342,10 @@ struct S3BinaryCacheStoreImpl : virtual S3BinaryCacheStore
auto & error = res.GetError(); auto & error = res.GetError();
if (error.GetErrorType() == Aws::S3::S3Errors::RESOURCE_NOT_FOUND if (error.GetErrorType() == Aws::S3::S3Errors::RESOURCE_NOT_FOUND
|| error.GetErrorType() == Aws::S3::S3Errors::NO_SUCH_KEY || error.GetErrorType() == Aws::S3::S3Errors::NO_SUCH_KEY
// Expired tokens are not really an error, more of a caching problem. Should be treated same as 403.
// AWS unwilling to provide a specific error type for the situation (https://github.com/aws/aws-sdk-cpp/issues/1843)
// so use this hack
|| (error.GetErrorType() == Aws::S3::S3Errors::UNKNOWN && error.GetExceptionName() == "ExpiredToken")
// If bucket listing is disabled, 404s turn into 403s // If bucket listing is disabled, 404s turn into 403s
|| error.GetErrorType() == Aws::S3::S3Errors::ACCESS_DENIED) || error.GetErrorType() == Aws::S3::S3Errors::ACCESS_DENIED)
return false; return false;