stacklok / toolhive / 21885824641
62%

Build:
DEFAULT BRANCH: main
Ran 10 Feb 2026 11:12PM UTC
Jobs 1
Files 520
Run time 1min
10 Feb 2026 11:04PM UTC coverage: 61.518% (+0.07%) from 61.452%
21885824641

push

github

web-flow
Add SigV4 signing middleware for AWS STS token exchange (#3730)

* Add SigV4 signing middleware for AWS STS token exchange

Add an HTTP middleware that converts incoming OIDC bearer tokens into
SigV4-signed AWS requests. The pipeline extracts JWT claims from the
auth context, selects an IAM role via the RoleMapper, calls STS
AssumeRoleWithWebIdentity for temporary credentials, and signs the
outbound request with SigV4.

When a target URL is configured, the middleware clones the request with
the target host for signing purposes but copies only the SigV4 headers
(Authorization, X-Amz-Date, X-Amz-Security-Token) back to the original
request, leaving host rewriting to the reverse proxy. Request bodies are
buffered with a 10 MB size limit and restored for downstream handlers.

Also add GetService() and GetSessionDuration() config helpers, an
ErrAccessDenied sentinel, and clean up the signer's body-close handling
to use defer.

Fixes: #3569

* Move ErrAccessDenied to test file since it is only used in mocks

The ErrAccessDenied sentinel was only referenced in middleware_test.go
to simulate STS access denial. Demote it to an unexported test-local
variable to keep the public error surface honest.

* Validate session name against AWS constraints early in middleware

Call ValidateSessionName() immediately after extracting the session name
from JWT claims, before passing it to ExchangeToken(). This gives
clearer error feedback at the middleware level when the claim value
violates AWS RoleSessionName constraints (length, allowed characters).

ExchangeToken already validates internally, so this is defense-in-depth.

141 of 181 new or added lines in 3 files covered. (77.9%)

2 existing lines in 1 file now uncovered.

42716 of 69437 relevant lines covered (61.52%)

77.63 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆        File
4      73.33     -26.67%  pkg/auth/awssts/config.go
36     78.82              pkg/auth/awssts/middleware.go

Uncovered Existing Lines

Lines  Coverage  ∆       File
2      71.43     -1.68%  pkg/vmcp/k8s/manager.go

Jobs

ID  Job ID         Ran                      Files  Coverage
1   21885824641.1  10 Feb 2026 11:12PM UTC  520    61.52
Source Files on build 21885824641
  • Tree
  • List 520
  • Changed 5
  • Source Changed 2
  • Coverage Changed 5
  • 31966690 on github