refactor(libstore): Replace AWS SDK with curl-based S3 implementation

This commit replaces the AWS C++ SDK with a lighter curl-based approach
for S3 binary cache operations, addressing multiple issues and improving
the overall architecture.

## Key Changes

### 1. Replaced AWS SDK with aws-crt-cpp + curl
- Removed dependency on the heavy aws-cpp-sdk-s3 and aws-cpp-sdk-transfer
- Added lightweight aws-crt-cpp for credential resolution only
- Leverages curl's native AWS SigV4 authentication (requires curl >= 7.75.0)

### 2. Consolidated S3 support into HttpBinaryCacheStore
- S3BinaryCacheStore now delegates to HttpBinaryCacheStore
- Eliminates layer violation (S3 logic no longer in generic FileTransfer)
- S3 URLs are converted to HTTPS URLs with proper authentication headers

### 3. Improved S3 URL handling
- Added ParsedS3URL for structured S3 URL parsing
- Function s3ToHttpsUrl converts ParsedS3URL to ParsedURL
- Better support for custom endpoints and regions via query parameters

### 4. Fixed thread safety test
- threadSafety_MultipleProviders now actually tests concurrent access
- Spawns multiple threads accessing shared credential providers
- Tests both concurrent credential fetching and provider creation

## Benefits

- **Reduced memory usage**: Eliminates memory buffering issues that caused
  segfaults with large files (>3.5GB)
- **Fixed upload reliability**: Resolves AWS SDK chunking errors
  (InvalidChunkSizeError)
- **Resolved OpenSSL conflicts**: No more S2N engine override issues in
  sandboxed builds
- **Lighter dependencies**: ~500 lines less code, simpler build process
- **Better architecture**: Clean separation between storage and transport layers

## Breaking Changes

- Multipart uploads are no longer supported (may be reimplemented later)
- Build now requires curl >= 7.75.0 for AWS SigV4 support

## Migration

No action required for most users. S3 URLs continue to work with the
same syntax. Users directly using S3BinaryCacheStore class should
migrate to standard HTTP binary cache stores with S3 endpoints.

Fixes: #13084, #12671, #11748, #12403, #5947
PR: #13752

Co-authored-by: John Ericson <git@johnericson.me>

Author: lovesegfault

doc/manual/rl-next/s3-curl-implementation.md

@@ -0,0 +1,36 @@
+---
+synopsis: "Improved S3 binary cache support via HTTP"
+prs: [13752]
+issues: [13084, 12671, 11748, 12403, 5947]
+---
+
+S3 binary cache operations now happen via HTTP, leveraging `libcurl`'s native AWS
+SigV4 authentication instead of the AWS C++ SDK, providing significant
+improvements:
+
+- **Reduced memory usage**: Eliminates memory buffering issues that caused
+  segfaults with large files (>3.5GB)
+- **Fixed upload reliability**: Resolves AWS SDK chunking errors
+  (`InvalidChunkSizeError`)
+- **Resolved OpenSSL conflicts**: No more S2N engine override issues in
+  sandboxed builds
+- **Lighter dependencies**: Uses lightweight `aws-crt-cpp` instead of full
+  `aws-cpp-sdk`, reducing build complexity
+
+The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential
+management.
+
+All existing S3 URL formats and parameters remain supported.
+
+## Breaking changes
+
+The legacy `S3BinaryCacheStore` implementation has been removed in favor of the
+new curl-based approach, as a result multipart uploads are no longer supported. They may be reimplemented in the future.
+
+**Migration**: No action required for most users. S3 URLs continue to work
+with the same syntax. Users directly using `S3BinaryCacheStore` class
+should migrate to standard HTTP binary cache stores with S3 endpoints.
+
+**Build requirement**: S3 support now requires curl >= 7.75.0 for AWS SigV4
+authentication. Build configuration will warn if `aws-crt-cpp` is available
+but S3 support is disabled due to an insufficient curl version.

packaging/components.nix

@@ -440,7 +440,7 @@ in
 
       Example:
       ```
-      overrideScope (finalScope: prevScope: { aws-sdk-cpp = null; })
+      overrideScope (finalScope: prevScope: { aws-crt-cpp = null; })
       ```
     */
     overrideScope = f: (scope.overrideScope f).nix-everything;

packaging/dependencies.nix

@@ -35,21 +35,6 @@ in
 scope: {
   inherit stdenv;
 
-  aws-sdk-cpp =
-    (pkgs.aws-sdk-cpp.override {
-      apis = [
-        "identity-management"
-        "s3"
-        "transfer"
-      ];
-      customMemoryManagement = false;
-    }).overrideAttrs
-      {
-        # only a stripped down version is built, which takes a lot less resources
-        # to build, so we don't need a "big-parallel" machine.
-        requiredSystemFeatures = [ ];
-      };
-
   boehmgc =
     (pkgs.boehmgc.override {
       enableLargeConfig = true;

src/libstore-tests/filetransfer-s3.cc

@@ -0,0 +1,150 @@
+#include "nix/store/filetransfer.hh"
+#include "nix/store/config.hh"
+#include "nix/store/http-binary-cache-store.hh"
+#include "nix/store/s3-binary-cache-store.hh"
+#include "nix/store/store-api.hh"
+#include "nix/util/types.hh"
+
+#if NIX_WITH_S3_SUPPORT
+
+#  include <gtest/gtest.h>
+#  include <gmock/gmock.h>
+
+namespace nix {
+
+class S3FileTransferTest : public ::testing::Test
+{
+protected:
+    void SetUp() override
+    {
+        // Clean environment for predictable tests
+        unsetenv("AWS_ACCESS_KEY_ID");
+        unsetenv("AWS_SECRET_ACCESS_KEY");
+        unsetenv("AWS_SESSION_TOKEN");
+        unsetenv("AWS_PROFILE");
+    }
+};
+
+// Note: Basic S3 URL parsing tests are covered by ParsedS3URL tests in s3.cc
+// These tests focus on FileTransfer-specific S3 functionality
+
+TEST_F(S3FileTransferTest, s3Request_WithMockCredentials)
+{
+    // Set up mock credentials for testing
+    setenv("AWS_ACCESS_KEY_ID", "AKIAIOSFODNN7EXAMPLE", 1);
+    setenv("AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", 1);
+
+    std::string s3Uri = "s3://test-bucket/test-key.txt?region=us-east-1";
+    FileTransferRequest request(s3Uri);
+
+    // Test that request setup works with credentials
+    EXPECT_TRUE(hasPrefix(request.uri, "s3://"));
+
+    // Clean up
+    unsetenv("AWS_ACCESS_KEY_ID");
+    unsetenv("AWS_SECRET_ACCESS_KEY");
+}
+
+TEST_F(S3FileTransferTest, s3Request_WithSessionToken)
+{
+    // Test session token handling
+    setenv("AWS_ACCESS_KEY_ID", "ASIAIOSFODNN7EXAMPLE", 1);
+    setenv("AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", 1);
+    setenv("AWS_SESSION_TOKEN", "AQoDYXdzEJr1K...example-session-token", 1);
+
+    std::string s3Uri = "s3://test-bucket/test-key.txt";
+    FileTransferRequest request(s3Uri);
+
+    EXPECT_TRUE(hasPrefix(request.uri, "s3://"));
+
+    // Clean up
+    unsetenv("AWS_ACCESS_KEY_ID");
+    unsetenv("AWS_SECRET_ACCESS_KEY");
+    unsetenv("AWS_SESSION_TOKEN");
+}
+
+/**
+ * Regression test for commit 7a2f2891e
+ * Test that S3 store URLs are properly recognized and handled
+ */
+TEST_F(S3FileTransferTest, s3StoreRegistration)
+{
+    // Test that S3 URI scheme is in the supported schemes (now in S3BinaryCacheStoreConfig)
+    auto s3Schemes = S3BinaryCacheStoreConfig::uriSchemes();
+    EXPECT_TRUE(s3Schemes.count("s3") > 0) << "S3 scheme should be in S3BinaryCacheStoreConfig URI schemes";
+
+    // Verify that HttpBinaryCacheStoreConfig does NOT include S3
+    auto httpSchemes = HttpBinaryCacheStoreConfig::uriSchemes();
+    EXPECT_FALSE(httpSchemes.count("s3") > 0) << "S3 scheme should NOT be in HttpBinaryCacheStoreConfig URI schemes";
+
+    // Test that S3 store can be opened without error
+    try {
+        auto storeUrl = "s3://test-bucket";
+        auto parsedUrl = parseURL(storeUrl);
+        EXPECT_EQ(parsedUrl.scheme, "s3");
+
+        // Verify that S3BinaryCacheStoreConfig accepts S3 URLs
+        S3BinaryCacheStoreConfig config("s3", "test-bucket", {});
+        EXPECT_EQ(config.cacheUri.scheme, "s3");
+        EXPECT_EQ(config.cacheUri.authority->host, "test-bucket");
+    } catch (const std::exception & e) {
+        FAIL() << "Should be able to create S3 store config: " << e.what();
+    }
+}
+
+/**
+ * Regression test for commit c0164e087
+ * Test that S3 uploads are not rejected with "not supported" error
+ */
+TEST_F(S3FileTransferTest, s3UploadsNotRejected)
+{
+    auto ft = makeFileTransfer();
+
+    // Create a mock upload request
+    FileTransferRequest uploadReq("s3://test-bucket/test-file");
+    uploadReq.data = std::string("test data");
+
+    // This should not throw "uploading to 's3://...' is not supported"
+    // We're testing that S3 uploads aren't immediately rejected
+    bool gotNotSupportedError = false;
+    try {
+        ft->upload(uploadReq);
+    } catch (const Error & e) {
+        std::string msg = e.what();
+        if (msg.find("is not supported") != std::string::npos) {
+            gotNotSupportedError = true;
+        }
+    } catch (...) {
+        // Other errors are expected (no credentials, network issues, etc.)
+    }
+
+    EXPECT_FALSE(gotNotSupportedError) << "S3 uploads should not be rejected with 'not supported' error";
+}
+
+/**
+ * Regression test for commit e618ac7e0
+ * Test that S3 URLs with region query parameters are handled correctly
+ */
+TEST_F(S3FileTransferTest, s3RegionQueryParameters)
+{
+    // Test that query parameters are preserved in S3 URLs
+    StringMap params;
+    params["region"] = "us-west-2";
+
+    S3BinaryCacheStoreConfig config("s3", "test-bucket", params);
+
+    // For S3 stores, query parameters should be preserved
+    EXPECT_FALSE(config.cacheUri.query.empty()) << "S3 store should preserve query parameters";
+    EXPECT_EQ(config.cacheUri.query["region"], "us-west-2") << "Region parameter should be preserved";
+
+    // Test with different regions
+    StringMap params2;
+    params2["region"] = "eu-central-1";
+
+    S3BinaryCacheStoreConfig config2("s3", "another-bucket", params2);
+    EXPECT_EQ(config2.cacheUri.query["region"], "eu-central-1") << "Different region parameter should be preserved";
+}
+
+} // namespace nix
+
+#endif // NIX_WITH_S3_SUPPORT

src/libstore-tests/meson.build

@@ -60,6 +60,7 @@ sources = files(
   'derivation.cc',
   'derived-path.cc',
   'downstream-placeholder.cc',
+  'filetransfer-s3.cc',
   'http-binary-cache-store.cc',
   'legacy-ssh-store.cc',
   'local-binary-cache-store.cc',
@@ -73,8 +74,8 @@ sources = files(
   'path-info.cc',
   'path.cc',
   'references.cc',
-  's3-binary-cache-store.cc',
-  's3.cc',
+  's3-edge-cases.cc',
+  's3-http-integration.cc',
   'serve-protocol.cc',
   'ssh-store.cc',
   'store-reference.cc',