fluxcd
diff --git a/‎auth/aws/provider.go‎
Lines changed: 78 additions & 32 deletions b/‎auth/aws/provider.go‎
Lines changed: 78 additions & 32 deletions
diff --git a/‎auth/aws/provider_test.go‎
Lines changed: 74 additions & 45 deletions b/‎auth/aws/provider_test.go‎
Lines changed: 74 additions & 45 deletions
diff --git a/‎auth/azure/provider.go‎
Lines changed: 29 additions & 0 deletions b/‎auth/azure/provider.go‎
Lines changed: 29 additions & 0 deletions
@@ -45,8 +45,20 @@ import (
 
 // ProviderName is the name of the AWS authentication provider.
 const (
-	ProviderName                       = "aws"
+	ProviderName = "aws"
+
+	// codeCommitCanonicalTimestampFormat is the SigV4 canonical timestamp
+	// format (ISO 8601 basic, no separators, no fractional seconds) embedded
+	// in the CodeCommit Git password and used as the canonical request time
+	// during signing. The trailing 'Z' is appended separately by the caller.
 	codeCommitCanonicalTimestampFormat = "20060102T150405"
+
+	// codeCommitSignatureValidity is the server-side replay window for
+	// SigV4-signed CodeCommit Git requests. AWS documents that the password
+	// generated for HTTPS access to a CodeCommit repository stops working
+	// after about 15 minutes:
+	// https://docs.aws.amazon.com/codecommit/latest/userguide/troubleshooting-ch.html
+	codeCommitSignatureValidity = 15 * time.Minute
 )
 
 // Provider implements the auth.Provider interface for AWS authentication.
@@ -398,24 +410,11 @@ func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
 	}, nil
 }
 
-func (p Provider) impl() Implementation {
-	if p.Implementation == nil {
-		return implementation{}
-	}
-	return p.Implementation
-}
-
-type signerHeaderHostOnly struct{}
-
-func (signerHeaderHostOnly) IsSigned(h string) bool {
-	return h == "host"
-}
-
-// GetRegionFromCodeCommitURL extracts the AWS region from a CodeCommit HTTPS
+// getRegionFromCodeCommitURL extracts the AWS region from a CodeCommit HTTPS
 // git URL (e.g. https://git-codecommit.us-east-1.amazonaws.com/...).
 // Returns an error if the URL is nil, not HTTPS, or not a valid CodeCommit URL.
 // https://docs.aws.amazon.com/codecommit/latest/userguide/regions.html#regions-git
-func GetRegionFromCodeCommitURL(gitURL *url.URL) (string, error) {
+func getRegionFromCodeCommitURL(gitURL *url.URL) (string, error) {
 	if gitURL == nil {
 		return "", fmt.Errorf("Git URL must be specified for AWS CodeCommit authentication")
 	}
@@ -431,28 +430,51 @@ func GetRegionFromCodeCommitURL(gitURL *url.URL) (string, error) {
 	return urlSplit[1], nil
 }
 
-// NewCodeCommitGitToken returns HTTPS Git credentials for AWS CodeCommit.
-func (Provider) NewCodeCommitGitCredentials(_ context.Context, accessTokens []auth.Token, opts ...auth.Option) (string, string, error) {
-	var o auth.Options
-	o.Apply(opts...)
+// GetAccessTokenOptionsForGitRepository implements auth.GitCredentialsProvider.
+// AWS requires a region for obtaining access credentials. To avoid requiring
+// callers to pass a region in addition to the CodeCommit URL, we extract the
+// region from the URL and inject it as STSRegion so that object-level workload
+// identity (which requires an explicit region) works without extra config.
+func (Provider) GetAccessTokenOptionsForGitRepository(gitURL *url.URL) ([]auth.Option, error) {
+	region, err := getRegionFromCodeCommitURL(gitURL)
+	if err != nil {
+		return nil, err
+	}
+	return []auth.Option{auth.WithSTSRegion(region)}, nil
+}
 
-	gitURL := o.GitURL
-	region, err := GetRegionFromCodeCommitURL(gitURL)
+// ParseGitRepository implements auth.GitCredentialsProvider.
+// It validates the URL is a CodeCommit URL and returns the URL string so that
+// it is included in the cache key: CodeCommit credentials are a SigV4 signature
+// over the request URL, so distinct URLs must map to distinct cache entries.
+func (Provider) ParseGitRepository(gitURL *url.URL) (string, error) {
+	if _, err := getRegionFromCodeCommitURL(gitURL); err != nil {
+		return "", err
+	}
+	return gitURL.String(), nil
+}
+
+// NewGitCredentials implements auth.GitCredentialsProvider.
+func (Provider) NewGitCredentials(_ context.Context, gitInput string,
+	accessToken auth.Token, _ ...auth.Option) (*auth.GitCredentials, error) {
+
+	gitURL, err := url.Parse(gitInput)
 	if err != nil {
-		return "", "", err
+		return nil, fmt.Errorf("failed to parse CodeCommit URL: %w", err)
 	}
-	if len(accessTokens) == 0 {
-		return "", "", fmt.Errorf("AWS access token is required for region %q", region)
+	region, err := getRegionFromCodeCommitURL(gitURL)
+	if err != nil {
+		return nil, err
 	}
 
-	creds, ok := accessTokens[0].(*Credentials)
+	creds, ok := accessToken.(*Credentials)
 	if !ok {
-		return "", "", fmt.Errorf("failed to cast token to AWS token: %T", accessTokens[0])
+		return nil, fmt.Errorf("failed to cast token to AWS token: %T", accessToken)
 	}
 
 	req, err := http.NewRequest("GIT", gitURL.String(), nil)
 	if err != nil {
-		return "", "", fmt.Errorf("failed to build CodeCommit signing request: %w", err)
+		return nil, fmt.Errorf("failed to build CodeCommit signing request: %w", err)
 	}
 	req.Host = gitURL.Host
 
@@ -477,15 +499,39 @@ func (Provider) NewCodeCommitGitCredentials(_ context.Context, accessTokens []au
 	}
 
 	if err := signer.SignRequest(signInput); err != nil {
-		return "", "", fmt.Errorf("failed to sign request: %w", err)
+		return nil, fmt.Errorf("failed to sign request: %w", err)
 	}
 
 	authHeader := req.Header.Get("Authorization")
-	sigStart := strings.Index(authHeader, "Signature=")
-	signature := authHeader[sigStart+10:]
+	_, after, _ := strings.Cut(authHeader, "Signature=")
+	signature := after
 
 	username := strings.Join([]string{*creds.AccessKeyId, *creds.SessionToken}, "%")
 	password := signingTime.Format(codeCommitCanonicalTimestampFormat) + "Z" + signature
 
-	return username, password, nil
+	// The signed password is invalid once either the server's replay window
+	// elapses or the underlying credentials expire, whichever comes first.
+	expiresAt := signingTime.Add(codeCommitSignatureValidity)
+	if creds.Expiration.Before(expiresAt) {
+		expiresAt = *creds.Expiration
+	}
+
+	return &auth.GitCredentials{
+		Username:  username,
+		Password:  password,
+		ExpiresAt: expiresAt,
+	}, nil
+}
+
+func (p Provider) impl() Implementation {
+	if p.Implementation == nil {
+		return implementation{}
+	}
+	return p.Implementation
+}
+
+type signerHeaderHostOnly struct{}
+
+func (signerHeaderHostOnly) IsSigned(h string) bool {
+	return h == "host"
 }
@@ -538,7 +538,7 @@ func TestProvider_GetAccessTokenOptionsForCluster(t *testing.T) {
 	g.Expect(o.STSRegion).To(Equal("us-west-2"))
 }
 
-func TestGetRegionFromCodeCommitURL(t *testing.T) {
+func TestProvider_GetAccessTokenOptionsForGitRepository(t *testing.T) {
 	for _, tt := range []struct {
 		name           string
 		gitURL         string
@@ -583,27 +583,88 @@ func TestGetRegionFromCodeCommitURL(t *testing.T) {
 				parsedURL, err = url.Parse(tt.gitURL)
 				g.Expect(err).NotTo(HaveOccurred())
 			}
-			region, err := aws.GetRegionFromCodeCommitURL(parsedURL)
+			atOpts, err := aws.Provider{}.GetAccessTokenOptionsForGitRepository(parsedURL)
 			if tt.err != "" {
 				g.Expect(err).To(HaveOccurred())
 				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(atOpts).To(BeNil())
 			} else {
 				g.Expect(err).NotTo(HaveOccurred())
-				g.Expect(region).To(Equal(tt.expectedRegion))
+				var o auth.Options
+				o.Apply(atOpts...)
+				g.Expect(o.STSRegion).To(Equal(tt.expectedRegion))
 			}
 		})
 	}
 }
 
-func TestProvider_NewCodeCommitGitCredentials(t *testing.T) {
+func TestProvider_ParseGitRepository(t *testing.T) {
+	for _, tt := range []struct {
+		name           string
+		gitURL         string
+		expectedRegion string
+		err            string
+	}{
+		{
+			name:           "valid CodeCommit URL",
+			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			expectedRegion: "us-east-1",
+		},
+		{
+			name:           "valid CodeCommit FIPS URL",
+			gitURL:         "https://git-codecommit-fips.us-west-2.amazonaws.com/v1/repos/test-repo",
+			expectedRegion: "us-west-2",
+		},
+		{
+			name:           "valid CodeCommit China URL",
+			gitURL:         "https://git-codecommit.cn-north-1.amazonaws.com.cn/v1/repos/test-repo",
+			expectedRegion: "cn-north-1",
+		},
+		{
+			name: "nil URL",
+			err:  "Git URL must be specified for AWS CodeCommit authentication",
+		},
+		{
+			name:   "non-HTTPS URL",
+			gitURL: "http://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
+			err:    "AWS CodeCommit authentication requires an HTTPS Git URL",
+		},
+		{
+			name:   "invalid CodeCommit URL",
+			gitURL: "https://github.com/org/repo",
+			err:    "invalid AWS CodeCommit Git URL: github.com",
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+			var parsedURL *url.URL
+			if tt.gitURL != "" {
+				var err error
+				parsedURL, err = url.Parse(tt.gitURL)
+				g.Expect(err).NotTo(HaveOccurred())
+			}
+			gitInput, err := aws.Provider{}.ParseGitRepository(parsedURL)
+			if tt.err != "" {
+				g.Expect(err).To(HaveOccurred())
+				g.Expect(err.Error()).To(Equal(tt.err))
+				g.Expect(gitInput).To(BeEmpty())
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(gitInput).To(Equal(tt.gitURL))
+			}
+		})
+	}
+}
+
+func TestProvider_NewGitCredentials(t *testing.T) {
 	invalidToken := &generic.Token{Token: "invalid", ExpiresAt: time.Now().Add(time.Hour)}
 	proxyUrl := url.URL{Scheme: "http", Host: "proxy.example.com"}
 	awsRegion := "us-east-1"
 	for _, tt := range []struct {
 		name             string
 		gitURL           string
 		getAccessToken   bool
-		accessTokens     []auth.Token
+		accessToken      auth.Token
 		expectedUsername string
 		err              string
 	}{
@@ -625,35 +686,11 @@ func TestProvider_NewCodeCommitGitCredentials(t *testing.T) {
 			getAccessToken:   true,
 			expectedUsername: "access-key-id%session-token",
 		},
-		{
-			name:           "missing Git URL",
-			getAccessToken: true,
-			err:            "Git URL must be specified for AWS CodeCommit authentication",
-		},
-		{
-			name:           "non HTTPS URL",
-			gitURL:         "http://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
-			getAccessToken: true,
-			err:            "AWS CodeCommit authentication requires an HTTPS Git URL",
-		},
-		{
-			name:           "invalid CodeCommit URL",
-			gitURL:         "https://github.com/org/repo",
-			getAccessToken: true,
-			err:            "invalid AWS CodeCommit Git URL: github.com",
-		},
-		{
-			name:           "missing access token",
-			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
-			getAccessToken: false,
-			accessTokens:   []auth.Token{},
-			err:            `AWS access token is required for region "us-east-1"`,
-		},
 		{
 			name:           "invalid access token type",
 			gitURL:         "https://git-codecommit.us-east-1.amazonaws.com/v1/repos/test-repo",
 			getAccessToken: false,
-			accessTokens:   []auth.Token{invalidToken},
+			accessToken:    invalidToken,
 			err:            "failed to cast token to AWS token: *generic.Token",
 		},
 	} {
@@ -667,35 +704,27 @@ func TestProvider_NewCodeCommitGitCredentials(t *testing.T) {
 				returnCreds: awssdk.Credentials{AccessKeyID: "access-key-id", SecretAccessKey: "secret-access-key", SessionToken: "session-token"},
 			}
 
-			opts := []auth.Option{}
-			if tt.gitURL != "" {
-				gitURL, err := url.Parse(tt.gitURL)
-				g.Expect(err).NotTo(HaveOccurred())
-				opts = append(opts, auth.WithGitURL(*gitURL))
-			}
-
 			provider := aws.Provider{Implementation: impl}
-			accessTokens := tt.accessTokens
+			accessToken := tt.accessToken
 			if tt.getAccessToken {
-				accessToken, err := auth.GetAccessToken(t.Context(), provider,
+				var err error
+				accessToken, err = auth.GetAccessToken(t.Context(), provider,
 					auth.WithSTSRegion(awsRegion),
 					auth.WithProxyURL(proxyUrl),
 				)
 				g.Expect(err).NotTo(HaveOccurred())
-				accessTokens = []auth.Token{accessToken}
 			}
 
-			username, password, err := provider.NewCodeCommitGitCredentials(t.Context(), accessTokens, opts...)
+			creds, err := provider.NewGitCredentials(t.Context(), tt.gitURL, accessToken)
 
 			if tt.err == "" {
 				g.Expect(err).NotTo(HaveOccurred())
-				g.Expect(username).To(Equal(tt.expectedUsername))
-				g.Expect(password).To(MatchRegexp(`^[0-9]{8}T[0-9]{6}Z[0-9a-f]{64}$`))
+				g.Expect(creds.Username).To(Equal(tt.expectedUsername))
+				g.Expect(creds.Password).To(MatchRegexp(`^[0-9]{8}T[0-9]{6}Z[0-9a-f]{64}$`))
 			} else {
 				g.Expect(err).To(HaveOccurred())
 				g.Expect(err.Error()).To(Equal(tt.err))
-				g.Expect(username).To(BeEmpty())
-				g.Expect(password).To(BeEmpty())
+				g.Expect(creds).To(BeNil())
 			}
 		})
 	}
 
@@ -19,6 +19,7 @@ package azure
 import (
 	"context"
 	"fmt"
+	"net/url"
 	"os"
 	"regexp"
 	"strings"
@@ -394,6 +395,34 @@ func (p Provider) NewRESTConfig(ctx context.Context, accessTokens []auth.Token,
 	}, nil
 }
 
+// GetAccessTokenOptionsForGitRepository implements auth.GitCredentialsProvider.
+// Azure DevOps requires the DevOps scope for obtaining an access token that
+// can be used as a bearer token against Azure Repos.
+func (Provider) GetAccessTokenOptionsForGitRepository(*url.URL) ([]auth.Option, error) {
+	return []auth.Option{auth.WithScopes(ScopeDevOps)}, nil
+}
+
+// ParseGitRepository implements auth.GitCredentialsProvider.
+// Azure DevOps access tokens are not bound to the Git repository URL,
+// so this returns a constant input that does not affect the cache key.
+func (Provider) ParseGitRepository(*url.URL) (string, error) {
+	return "azure-devops", nil
+}
+
+// NewGitCredentials implements auth.GitCredentialsProvider.
+func (Provider) NewGitCredentials(_ context.Context, _ string,
+	accessToken auth.Token, _ ...auth.Option) (*auth.GitCredentials, error) {
+
+	token, ok := accessToken.(*Token)
+	if !ok {
+		return nil, fmt.Errorf("failed to cast token to Azure token: %T", accessToken)
+	}
+	return &auth.GitCredentials{
+		BearerToken: token.Token,
+		ExpiresAt:   token.ExpiresOn,
+	}, nil
+}
+
 func (p Provider) impl() Implementation {
 	if p.Implementation == nil {
 		return implementation{}