feat(libstore): curl-based s3

Author: lovesegfault

src/libstore/aws-auth.cc

@@ -0,0 +1,118 @@
+#include "nix/store/aws-auth.hh"
+#include "nix/store/config.hh"
+
+#if NIX_WITH_AWS_CRT_SUPPORT
+
+#  include "nix/util/logging.hh"
+#  include "nix/util/finally.hh"
+
+#  include <aws/crt/Api.h>
+#  include <aws/crt/auth/Credentials.h>
+#  include <aws/crt/io/Bootstrap.h>
+
+#  include <condition_variable>
+#  include <mutex>
+
+namespace nix {
+
+static std::once_flag crtInitFlag;
+static std::unique_ptr<Aws::Crt::ApiHandle> crtApiHandle;
+
+static void initAwsCrt()
+{
+    std::call_once(crtInitFlag, []() {
+        crtApiHandle = std::make_unique<Aws::Crt::ApiHandle>();
+        crtApiHandle->InitializeLogging(Aws::Crt::LogLevel::Warn, (FILE *) nullptr);
+    });
+}
+
+std::unique_ptr<AwsCredentialProvider> AwsCredentialProvider::createDefault()
+{
+    initAwsCrt();
+
+    Aws::Crt::Auth::CredentialsProviderChainDefaultConfig config;
+    config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+
+    auto provider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChainDefault(config);
+    if (!provider) {
+        debug("Failed to create default AWS credentials provider");
+        return nullptr;
+    }
+
+    return std::make_unique<AwsCredentialProvider>(provider);
+}
+
+std::unique_ptr<AwsCredentialProvider> AwsCredentialProvider::createProfile(const std::string & profile)
+{
+    initAwsCrt();
+
+    if (profile.empty()) {
+        return createDefault();
+    }
+
+    Aws::Crt::Auth::CredentialsProviderProfileConfig config;
+    config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+    config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
+
+    auto provider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(config);
+    if (!provider) {
+        debug("Failed to create AWS credentials provider for profile '%s'", profile);
+        return nullptr;
+    }
+
+    return std::make_unique<AwsCredentialProvider>(provider);
+}
+
+AwsCredentialProvider::AwsCredentialProvider(std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider)
+    : provider(provider)
+{
+}
+
+AwsCredentialProvider::~AwsCredentialProvider() = default;
+
+std::optional<AwsCredentials> AwsCredentialProvider::getCredentials()
+{
+    if (!provider || !provider->IsValid()) {
+        debug("AWS credential provider is invalid");
+        return std::nullopt;
+    }
+
+    std::mutex mutex;
+    std::condition_variable cv;
+    std::optional<AwsCredentials> result;
+    bool resolved = false;
+
+    provider->GetCredentials([&](std::shared_ptr<Aws::Crt::Auth::Credentials> credentials, int errorCode) {
+        std::lock_guard<std::mutex> lock(mutex);
+
+        if (errorCode != 0 || !credentials) {
+            debug("Failed to resolve AWS credentials: error code %d", errorCode);
+        } else {
+            auto accessKeyId = credentials->GetAccessKeyId();
+            auto secretAccessKey = credentials->GetSecretAccessKey();
+            auto sessionToken = credentials->GetSessionToken();
+
+            std::optional<std::string> sessionTokenStr;
+            if (sessionToken.len > 0) {
+                sessionTokenStr = std::string(reinterpret_cast<const char *>(sessionToken.ptr), sessionToken.len);
+            }
+
+            result = AwsCredentials(
+                std::string(reinterpret_cast<const char *>(accessKeyId.ptr), accessKeyId.len),
+                std::string(reinterpret_cast<const char *>(secretAccessKey.ptr), secretAccessKey.len),
+                sessionTokenStr);
+        }
+
+        resolved = true;
+        cv.notify_one();
+    });
+
+    std::unique_lock<std::mutex> lock(mutex);
+    cv.wait(lock, [&] { return resolved; });
+
+    return result;
+}
+
+} // namespace nix
+
+#endif // NIX_WITH_AWS_CRT_SUPPORT

src/libstore/filetransfer.cc

@@ -7,11 +7,15 @@
 #include "nix/util/finally.hh"
 #include "nix/util/callback.hh"
 #include "nix/util/signals.hh"
+#include "nix/store/store-reference.hh"
 
 #include "store-config-private.hh"
 #if NIX_WITH_S3_SUPPORT
 #  include <aws/core/client/ClientConfiguration.h>
 #endif
+#if NIX_WITH_AWS_CRT_SUPPORT
+#  include "nix/store/aws-auth.hh"
+#endif
 
 #ifdef __linux__
 #  include "nix/util/linux-namespaces.hh"
@@ -77,6 +81,13 @@ struct curlFileTransfer : public FileTransfer
 
         std::chrono::steady_clock::time_point startTime = std::chrono::steady_clock::now();
 
+#if NIX_WITH_AWS_CRT_SUPPORT
+        // AWS SigV4 authentication data
+        bool isS3Request = false;
+        std::string awsCredentials;   // "access_key:secret_key" for CURLOPT_USERPWD
+        std::string awsSigV4Provider; // Provider string for CURLOPT_AWS_SIGV4
+#endif
+
         inline static const std::set<long> successfulStatuses{200, 201, 204, 206, 304, 0 /* other protocol */};
 
         /* Get the HTTP status code, or 0 for other protocols. */
@@ -131,6 +142,52 @@ struct curlFileTransfer : public FileTransfer
             for (auto it = request.headers.begin(); it != request.headers.end(); ++it) {
                 requestHeaders = curl_slist_append(requestHeaders, fmt("%s: %s", it->first, it->second).c_str());
             }
+
+#if NIX_WITH_AWS_CRT_SUPPORT && NIX_WITH_S3_SUPPORT
+            // Handle S3 URLs with curl-based AWS SigV4 authentication
+            if (hasPrefix(request.uri, "s3://")) {
+                try {
+                    auto [httpsUri, params] = fileTransfer.convertS3ToHttpsUri(request.uri);
+
+                    // Update the request URI to use HTTPS
+                    const_cast<FileTransferRequest &>(request).uri = httpsUri;
+                    result.urls.clear();
+                    result.urls.push_back(httpsUri);
+
+                    isS3Request = true;
+
+                    // Get credentials
+                    std::string profile = getOr(params, "profile", "");
+                    auto credProvider = profile.empty() ? AwsCredentialProvider::createDefault()
+                                                        : AwsCredentialProvider::createProfile(profile);
+
+                    if (credProvider) {
+                        auto creds = credProvider->getCredentials();
+                        if (creds) {
+                            awsCredentials = creds->accessKeyId + ":" + creds->secretAccessKey;
+
+                            std::string region = getOr(params, "region", "us-east-1");
+                            std::string service = "s3";
+                            awsSigV4Provider = "aws:amz:" + region + ":" + service;
+
+                            // Add session token header if present
+                            if (creds->sessionToken) {
+                                requestHeaders = curl_slist_append(
+                                    requestHeaders, ("x-amz-security-token: " + *creds->sessionToken).c_str());
+                            }
+
+                            debug("Using AWS SigV4 authentication for S3 request to %s", httpsUri);
+                        } else {
+                            warn("Failed to obtain AWS credentials for S3 request %s", request.uri);
+                        }
+                    } else {
+                        warn("Failed to create AWS credential provider for S3 request %s", request.uri);
+                    }
+                } catch (std::exception & e) {
+                    warn("Failed to set up AWS SigV4 authentication for S3 request %s: %s", request.uri, e.what());
+                }
+            }
+#endif
         }
 
         ~TransferItem()
@@ -426,6 +483,15 @@ struct curlFileTransfer : public FileTransfer
             curl_easy_setopt(req, CURLOPT_ERRORBUFFER, errbuf);
             errbuf[0] = 0;
 
+#if NIX_WITH_AWS_CRT_SUPPORT && LIBCURL_VERSION_NUM >= 0x074b00 // curl 7.75.0
+            // Set up AWS SigV4 authentication if this is an S3 request
+            if (isS3Request && !awsCredentials.empty() && !awsSigV4Provider.empty()) {
+                curl_easy_setopt(req, CURLOPT_USERPWD, awsCredentials.c_str());
+                curl_easy_setopt(req, CURLOPT_AWS_SIGV4, awsSigV4Provider.c_str());
+                debug("Configured curl with AWS SigV4 authentication: provider=%s", awsSigV4Provider);
+            }
+#endif
+
             result.data.clear();
             result.bodySize = 0;
         }
@@ -812,15 +878,42 @@ struct curlFileTransfer : public FileTransfer
 
         return {bucketName, key, params};
     }
+
+    /**
+     * Convert S3 URI to HTTPS URI for use with curl's AWS SigV4 authentication
+     */
+    std::pair<std::string, Store::Config::Params> convertS3ToHttpsUri(const std::string & s3Uri)
+    {
+        auto [bucketName, key, params] = parseS3Uri(s3Uri);
+
+        std::string region = getOr(params, "region", "us-east-1");
+        std::string endpoint = getOr(params, "endpoint", "");
+        std::string scheme = getOr(params, "scheme", "https");
+
+        std::string httpsUri;
+        if (!endpoint.empty()) {
+            // Custom endpoint (e.g., MinIO, custom S3-compatible service)
+            httpsUri = scheme + "://" + endpoint + "/" + bucketName + "/" + key;
+        } else {
+            // Standard AWS S3 endpoint
+            httpsUri = scheme + "://s3." + region + ".amazonaws.com/" + bucketName + "/" + key;
+        }
+
+        return {httpsUri, params};
+    }
 #endif
 
     void enqueueFileTransfer(const FileTransferRequest & request, Callback<FileTransferResult> callback) override
     {
-        /* Ugly hack to support s3:// URIs. */
+        /* Handle s3:// URIs with curl-based AWS SigV4 authentication or fall back to legacy S3Helper */
         if (hasPrefix(request.uri, "s3://")) {
+#if NIX_WITH_AWS_CRT_SUPPORT && LIBCURL_VERSION_NUM >= 0x074b00
+            // Use new curl-based approach with AWS SigV4 authentication
+            enqueueItem(std::make_shared<TransferItem>(*this, request, std::move(callback)));
+#elif NIX_WITH_S3_SUPPORT
+            // Fall back to legacy S3Helper approach
             // FIXME: do this on a worker thread
             try {
-#if NIX_WITH_S3_SUPPORT
                 auto [bucketName, key, params] = parseS3Uri(request.uri);
 
                 std::string profile = getOr(params, "profile", "");
@@ -838,12 +931,12 @@ struct curlFileTransfer : public FileTransfer
                 res.data = std::move(*s3Res.data);
                 res.urls.push_back(request.uri);
                 callback(std::move(res));
-#else
-                throw nix::Error("cannot download '%s' because Nix is not built with S3 support", request.uri);
-#endif
             } catch (...) {
                 callback.rethrow();
             }
+#else
+            throw nix::Error("cannot download '%s' because Nix is not built with S3 support", request.uri);
+#endif
             return;
         }
 

src/libstore/include/nix/store/aws-auth.hh

@@ -0,0 +1,78 @@
+#pragma once
+///@file
+
+#include "nix/util/types.hh"
+#include "nix/util/ref.hh"
+#include "nix/store/config.hh"
+
+#include <memory>
+#include <optional>
+#include <string>
+
+#if NIX_WITH_AWS_CRT_SUPPORT
+
+namespace Aws {
+namespace Crt {
+namespace Auth {
+class ICredentialsProvider;
+class Credentials;
+} // namespace Auth
+} // namespace Crt
+} // namespace Aws
+
+namespace nix {
+
+/**
+ * AWS credentials obtained from credential providers
+ */
+struct AwsCredentials
+{
+    std::string accessKeyId;
+    std::string secretAccessKey;
+    std::optional<std::string> sessionToken;
+
+    AwsCredentials(
+        const std::string & accessKeyId,
+        const std::string & secretAccessKey,
+        const std::optional<std::string> & sessionToken = std::nullopt)
+        : accessKeyId(accessKeyId)
+        , secretAccessKey(secretAccessKey)
+        , sessionToken(sessionToken)
+    {
+    }
+};
+
+/**
+ * AWS credential provider wrapper using aws-crt-cpp
+ * Provides lightweight credential resolution without full AWS SDK dependency
+ */
+class AwsCredentialProvider
+{
+private:
+    std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider;
+
+public:
+    /**
+     * Create credential provider using the default AWS credential chain
+     * This includes: Environment -> Profile -> IMDS/ECS
+     */
+    static std::unique_ptr<AwsCredentialProvider> createDefault();
+
+    /**
+     * Create credential provider for a specific profile
+     */
+    static std::unique_ptr<AwsCredentialProvider> createProfile(const std::string & profile);
+
+    /**
+     * Get credentials synchronously
+     * Returns nullopt if credentials cannot be resolved
+     */
+    std::optional<AwsCredentials> getCredentials();
+
+    AwsCredentialProvider(std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider);
+    ~AwsCredentialProvider();
+};
+
+} // namespace nix
+
+#endif // NIX_WITH_AWS_CRT_SUPPORT

src/libstore/meson.build

@@ -159,6 +159,23 @@ if aws_s3.found()
 endif
 deps_other += aws_s3
 
+# AWS CRT C++ for lightweight credential management
+# Similar to aws-cpp-sdk, but lighter weight dependency for credential resolution only
+aws_crt_cpp = dependency('aws-crt-cpp', required : false)
+if not aws_crt_cpp.found()
+  # Fallback: try pkg-config with different name
+  aws_crt_cpp = dependency('libaws-crt-cpp', required : false)
+endif
+if not aws_crt_cpp.found()
+  # Fallback: try to find library manually
+  aws_crt_cpp_lib = cxx.find_library('aws-crt-cpp', required : false)
+  if aws_crt_cpp_lib.found()
+    aws_crt_cpp = aws_crt_cpp_lib
+  endif
+endif
+configdata_pub.set('NIX_WITH_AWS_CRT_SUPPORT', aws_crt_cpp.found().to_int())
+deps_other += aws_crt_cpp
+
 subdir('nix-meson-build-support/generate-header')
 
 generated_headers = []
@@ -262,6 +279,7 @@ config_priv_h = configure_file(
 subdir('nix-meson-build-support/common')
 
 sources = files(
+  'aws-auth.cc',
   'binary-cache-store.cc',
   'build-result.cc',
   'build/derivation-building-goal.cc',