Skip to content

Commit d3e4c7e

Browse files
committed
fix(clippy): fix restriction lint violations in secret_backends AWS module
1 parent bbd4665 commit d3e4c7e

1 file changed

Lines changed: 32 additions & 33 deletions

File tree

crate/server/src/config/command_line/secret_backends.rs

Lines changed: 32 additions & 33 deletions
Original file line numberDiff line numberDiff line change
@@ -237,8 +237,6 @@ mod vault {
237237

238238
#[cfg(feature = "secret-aws")]
239239
mod aws {
240-
use std::fmt::Write as _;
241-
242240
use chrono::Utc;
243241
use hmac::{Hmac, Mac};
244242
use sha2::{Digest, Sha256};
@@ -269,28 +267,26 @@ mod aws {
269267
}
270268

271269
fn hex_encode(bytes: &[u8]) -> String {
272-
bytes.iter().fold(String::new(), |mut s, b| {
273-
write!(s, "{b:02x}").expect("write to String cannot fail");
274-
s
275-
})
270+
hex::encode(bytes)
276271
}
277272

278273
fn sha256_hex(data: &[u8]) -> String {
279274
hex_encode(&Sha256::digest(data))
280275
}
281276

282-
fn hmac_sha256(key: &[u8], data: &[u8]) -> Vec<u8> {
283-
let mut mac = HmacSha256::new_from_slice(key).expect("HMAC accepts any key size");
277+
fn hmac_sha256(key: &[u8], data: &[u8]) -> KResult<Vec<u8>> {
278+
let mut mac = HmacSha256::new_from_slice(key)
279+
.map_err(|e| KmsError::ServerError(format!("HMAC key error: {e}")))?;
284280
mac.update(data);
285-
mac.finalize().into_bytes().to_vec()
281+
Ok(mac.finalize().into_bytes().to_vec())
286282
}
287283

288-
/// Build the SigV4 signing key:
284+
/// Build the `SigV4` signing key:
289285
/// `HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")`
290-
fn signing_key(secret: &str, date: &str, region: &str, service: &str) -> Vec<u8> {
291-
let k_date = hmac_sha256(format!("AWS4{secret}").as_bytes(), date.as_bytes());
292-
let k_region = hmac_sha256(&k_date, region.as_bytes());
293-
let k_service = hmac_sha256(&k_region, service.as_bytes());
286+
fn signing_key(secret: &str, date: &str, region: &str, service: &str) -> KResult<Vec<u8>> {
287+
let k_date = hmac_sha256(format!("AWS4{secret}").as_bytes(), date.as_bytes())?;
288+
let k_region = hmac_sha256(&k_date, region.as_bytes())?;
289+
let k_service = hmac_sha256(&k_region, service.as_bytes())?;
294290
hmac_sha256(&k_service, b"aws4_request")
295291
}
296292

@@ -314,12 +310,12 @@ mod aws {
314310
// Parameter name starts with '/', e.g. /kms/prod/db
315311
let param_name = rest[slash..].to_owned();
316312

317-
let access_key_id = std::env::var("AWS_ACCESS_KEY_ID").map_err(|_| {
313+
let access_key_id = std::env::var("AWS_ACCESS_KEY_ID").map_err(|_e| {
318314
KmsError::ServerError(
319315
"AWS_ACCESS_KEY_ID env var not set for secret-aws backend".to_owned(),
320316
)
321317
})?;
322-
let secret_key = std::env::var("AWS_SECRET_ACCESS_KEY").map_err(|_| {
318+
let secret_key = std::env::var("AWS_SECRET_ACCESS_KEY").map_err(|_e| {
323319
KmsError::ServerError(
324320
"AWS_SECRET_ACCESS_KEY env var not set for secret-aws backend".to_owned(),
325321
)
@@ -377,21 +373,24 @@ mod aws {
377373
// Canonical headers must be sorted alphabetically by name (lowercased).
378374
// Without session token: content-type, host, x-amz-date, x-amz-target.
379375
// With session token: insert x-amz-security-token between x-amz-date and x-amz-target.
380-
let (canonical_headers, signed_headers) = if let Some(token) = session_token {
381-
(
382-
format!(
383-
"content-type:application/x-amz-json-1.1\nhost:{host}\nx-amz-date:{datetime}\nx-amz-security-token:{token}\nx-amz-target:AmazonSSM.GetParameter\n"
384-
),
385-
"content-type;host;x-amz-date;x-amz-security-token;x-amz-target".to_owned(),
386-
)
387-
} else {
388-
(
389-
format!(
390-
"content-type:application/x-amz-json-1.1\nhost:{host}\nx-amz-date:{datetime}\nx-amz-target:AmazonSSM.GetParameter\n"
391-
),
392-
"content-type;host;x-amz-date;x-amz-target".to_owned(),
393-
)
394-
};
376+
let (canonical_headers, signed_headers) = session_token.map_or_else(
377+
|| {
378+
(
379+
format!(
380+
"content-type:application/x-amz-json-1.1\nhost:{host}\nx-amz-date:{datetime}\nx-amz-target:AmazonSSM.GetParameter\n"
381+
),
382+
"content-type;host;x-amz-date;x-amz-target".to_owned(),
383+
)
384+
},
385+
|token| {
386+
(
387+
format!(
388+
"content-type:application/x-amz-json-1.1\nhost:{host}\nx-amz-date:{datetime}\nx-amz-security-token:{token}\nx-amz-target:AmazonSSM.GetParameter\n"
389+
),
390+
"content-type;host;x-amz-date;x-amz-security-token;x-amz-target".to_owned(),
391+
)
392+
},
393+
);
395394

396395
let canonical_request =
397396
format!("POST\n/\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}");
@@ -401,8 +400,8 @@ mod aws {
401400
sha256_hex(canonical_request.as_bytes())
402401
);
403402

404-
let key = signing_key(secret_key, &date, region, service);
405-
let signature = hex_encode(&hmac_sha256(&key, string_to_sign.as_bytes()));
403+
let key = signing_key(secret_key, &date, region, service)?;
404+
let signature = hex_encode(&hmac_sha256(&key, string_to_sign.as_bytes())?);
406405
let authorization = format!(
407406
"AWS4-HMAC-SHA256 Credential={access_key_id}/{credential_scope}, SignedHeaders={signed_headers}, Signature={signature}"
408407
);

0 commit comments

Comments
 (0)