stacklok / toolhive / 21885824641 / 1
62%
main: 62%

Build:
DEFAULT BRANCH: main
Ran 10 Feb 2026 11:12PM UTC
Files 520
Run time 13s
10 Feb 2026 11:04PM UTC coverage: 61.518% (+0.07%) from 61.452%
21885824641.1

push

github

web-flow
Add SigV4 signing middleware for AWS STS token exchange (#3730)

* Add SigV4 signing middleware for AWS STS token exchange

Add an HTTP middleware that converts incoming OIDC bearer tokens into
SigV4-signed AWS requests. The pipeline extracts JWT claims from the
auth context, selects an IAM role via the RoleMapper, calls STS
AssumeRoleWithWebIdentity for temporary credentials, and signs the
outbound request with SigV4.

When a target URL is configured, the middleware clones the request with
the target host for signing purposes but copies only the SigV4 headers
(Authorization, X-Amz-Date, X-Amz-Security-Token) back to the original
request, leaving host rewriting to the reverse proxy. Request bodies are
buffered with a 10 MB size limit and restored for downstream handlers.

Also add GetService() and GetSessionDuration() config helpers, an
ErrAccessDenied sentinel, and clean up the signer's body-close handling
to use defer.

Fixes: #3569

* Move ErrAccessDenied to test file since it is only used in mocks

The ErrAccessDenied sentinel was only referenced in middleware_test.go
to simulate STS access denial. Demote it to an unexported test-local
variable to keep the public error surface honest.

* Validate session name against AWS constraints early in middleware

Call ValidateSessionName() immediately after extracting the session name
from JWT claims, before passing it to ExchangeToken(). This gives
clearer error feedback at the middleware level when the claim value
violates AWS RoleSessionName constraints (length, allowed characters).

ExchangeToken already validates internally, so this is defense-in-depth.
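
The body handling described in the commit message above, as an added example that is not taken from the toolhive code: a hypothetical `bufferBody` helper reads the request body up to a limit, returns the SHA-256 payload hash that SigV4 signing covers, and restores the body for downstream handlers. The helper name, the error value, the sample URL and the reading of "10 MB" as 10 MiB are assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// maxBodyBytes follows the 10 MB limit in the commit message (taken as 10 MiB, an assumption).
const maxBodyBytes = 10 << 20

var errBodyTooLarge = errors.New("request body exceeds signing buffer limit")

// bufferBody (hypothetical helper) reads at most limit bytes of r.Body,
// returns the hex SHA-256 payload hash, and puts a fresh reader back on r
// so handlers after the signing step still see the full body.
func bufferBody(r *http.Request, limit int64) (string, error) {
	if r.Body == nil || r.Body == http.NoBody {
		sum := sha256.Sum256(nil)
		return hex.EncodeToString(sum[:]), nil
	}
	orig := r.Body
	defer orig.Close()
	// Read one byte past the limit so an oversized body is rejected
	// instead of being silently truncated and then signed.
	data, err := io.ReadAll(io.LimitReader(orig, limit+1))
	if err != nil {
		return "", fmt.Errorf("read body: %w", err)
	}
	if int64(len(data)) > limit {
		return "", errBodyTooLarge
	}
	r.Body = io.NopCloser(bytes.NewReader(data))
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed request, for illustration only.
	req, _ := http.NewRequest(http.MethodPost, "https://service.example/invoke", strings.NewReader(`{"q":"ping"}`))
	hash, err := bufferBody(req, maxBodyBytes)
	fmt.Println(hash, err)
}
```
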

42716 of 69437 relevant lines covered (61.52%)

77.63 hits per line

  • 31966690 on github