refactor(libstore): minimize NIX_WITH_S3_SUPPORT scope to auth only

lovesegfault · lovesegfault · commit bb1f22a8dfb0 · 2025-10-15T18:23:56.000Z
Move S3 URL parsing, store configuration, and public bucket support
outside of NIX_WITH_S3_SUPPORT guards. Only AWS credential resolution
remains gated, allowing builds with withAWS = false to:

- Parse s3:// URLs
- Register S3 store types
- Access public S3 buckets (via HTTPS conversion)
- Use S3-compatible services without authentication

The setupForS3() function now always performs URL conversion, with
authentication code conditionally compiled based on NIX_WITH_S3_SUPPORT.
The aws-creds.cc file (only code using AWS CRT SDK) is now conditionally
compiled by meson.
diff --git a/src/libstore-tests/s3-binary-cache-store.cc b/src/libstore-tests/s3-binary-cache-store.cc
@@ -1,12 +1,9 @@
 #include "nix/store/s3-binary-cache-store.hh"
+#include "nix/store/http-binary-cache-store.hh"
+#include "nix/store/filetransfer.hh"
+#include "nix/store/s3-url.hh"
 
-#if NIX_WITH_S3_SUPPORT
-
-#  include "nix/store/http-binary-cache-store.hh"
-#  include "nix/store/filetransfer.hh"
-#  include "nix/store/s3-url.hh"
-
-#  include <gtest/gtest.h>
+#include <gtest/gtest.h>
 
 namespace nix {
 
@@ -126,5 +123,3 @@ TEST(S3BinaryCacheStore, parameterFiltering)
 }
 
 } // namespace nix
-
-#endif
diff --git a/src/libstore-tests/s3-url.cc b/src/libstore-tests/s3-url.cc
@@ -1,10 +1,8 @@
 #include "nix/store/s3-url.hh"
 #include "nix/util/tests/gmock-matchers.hh"
 
-#if NIX_WITH_S3_SUPPORT
-
-#  include <gtest/gtest.h>
-#  include <gmock/gmock.h>
+#include <gtest/gtest.h>
+#include <gmock/gmock.h>
 
 namespace nix {
 
@@ -228,5 +226,3 @@ INSTANTIATE_TEST_SUITE_P(
     [](const ::testing::TestParamInfo<S3ToHttpsConversionTestCase> & info) { return info.param.description; });
 
 } // namespace nix
-
-#endif
diff --git a/src/libstore/filetransfer.cc b/src/libstore/filetransfer.cc
@@ -8,10 +8,10 @@
 #include "nix/util/signals.hh"
 
 #include "store-config-private.hh"
+#include "nix/store/s3-url.hh"
 #include <optional>
 #if NIX_WITH_S3_SUPPORT
 #  include "nix/store/aws-creds.hh"
-#  include "nix/store/s3-url.hh"
 #endif
 
 #ifdef __linux__
@@ -820,10 +820,7 @@ struct curlFileTransfer : public FileTransfer
     void enqueueItem(std::shared_ptr<TransferItem> item)
     {
         if (item->request.data && item->request.uri.scheme() != "http" && item->request.uri.scheme() != "https"
-#if NIX_WITH_S3_SUPPORT
-            && item->request.uri.scheme() != "s3"
-#endif
-        )
+            && item->request.uri.scheme() != "s3")
             throw nix::Error("uploading to '%s' is not supported", item->request.uri.to_string());
 
         {
@@ -839,16 +836,11 @@ struct curlFileTransfer : public FileTransfer
 
     void enqueueFileTransfer(const FileTransferRequest & request, Callback<FileTransferResult> callback) override
     {
-        /* Ugly hack to support s3:// URIs. */
+        /* Handle s3:// URIs by converting to HTTPS and optionally adding auth */
         if (request.uri.scheme() == "s3") {
-#if NIX_WITH_S3_SUPPORT
-            // New curl-based S3 implementation
             auto modifiedRequest = request;
             modifiedRequest.setupForS3();
             enqueueItem(std::make_shared<TransferItem>(*this, std::move(modifiedRequest), std::move(callback)));
-#else
-            throw nix::Error("cannot download '%s' because Nix is not built with S3 support", request.uri.to_string());
-#endif
             return;
         }
 
@@ -876,14 +868,16 @@ ref<FileTransfer> makeFileTransfer()
     return makeCurlFileTransfer();
 }
 
-#if NIX_WITH_S3_SUPPORT
 void FileTransferRequest::setupForS3()
 {
     auto parsedS3 = ParsedS3URL::parse(uri.parsed());
-    // Update the request URI to use HTTPS
+    // Update the request URI to use HTTPS (works without AWS SDK)
     uri = parsedS3.toHttpsUrl();
-    // This gets used later in a curl setopt
+
+#if NIX_WITH_S3_SUPPORT
+    // Auth-specific code only compiled when AWS support is available
     awsSigV4Provider = "aws:amz:" + parsedS3.region.value_or("us-east-1") + ":s3";
+
     // check if the request already has pre-resolved credentials
     std::optional<std::string> sessionToken;
     if (usernameAuth) {
@@ -908,8 +902,11 @@ void FileTransferRequest::setupForS3()
     }
     if (sessionToken)
         headers.emplace_back("x-amz-security-token", *sessionToken);
-}
+#else
+    // When built without AWS support, just try as public bucket
+    debug("S3 request without authentication (built without AWS support)");
 #endif
+}
 
 std::future<FileTransferResult> FileTransfer::enqueueFileTransfer(const FileTransferRequest & request)
 {
diff --git a/src/libstore/include/nix/store/filetransfer.hh b/src/libstore/include/nix/store/filetransfer.hh
@@ -15,6 +15,7 @@
 #if NIX_WITH_S3_SUPPORT
 #  include "nix/store/aws-creds.hh"
 #endif
+#include "nix/store/s3-url.hh"
 
 namespace nix {
 
@@ -132,10 +133,10 @@ struct FileTransferRequest
         return data ? "upload" : "download";
     }
 
-#if NIX_WITH_S3_SUPPORT
 private:
     friend struct curlFileTransfer;
     void setupForS3();
+#if NIX_WITH_S3_SUPPORT
     std::optional<std::string> awsSigV4Provider;
 #endif
 };
diff --git a/src/libstore/include/nix/store/s3-binary-cache-store.hh b/src/libstore/include/nix/store/s3-binary-cache-store.hh
@@ -2,10 +2,7 @@
 ///@file
 
 #include "nix/store/config.hh"
-
-#if NIX_WITH_S3_SUPPORT
-
-#  include "nix/store/http-binary-cache-store.hh"
+#include "nix/store/http-binary-cache-store.hh"
 
 namespace nix {
 
@@ -77,5 +74,3 @@ public:
 };
 
 } // namespace nix
-
-#endif
diff --git a/src/libstore/include/nix/store/s3-url.hh b/src/libstore/include/nix/store/s3-url.hh
@@ -1,16 +1,13 @@
 #pragma once
 ///@file
 #include "nix/store/config.hh"
+#include "nix/util/url.hh"
+#include "nix/util/util.hh"
 
-#if NIX_WITH_S3_SUPPORT
-
-#  include "nix/util/url.hh"
-#  include "nix/util/util.hh"
-
-#  include <optional>
-#  include <string>
-#  include <variant>
-#  include <vector>
+#include <optional>
+#include <string>
+#include <variant>
+#include <vector>
 
 namespace nix {
 
@@ -56,5 +53,3 @@ struct ParsedS3URL
 };
 
 } // namespace nix
-
-#endif
diff --git a/src/libstore/meson.build b/src/libstore/meson.build
@@ -265,7 +265,6 @@ config_priv_h = configure_file(
 subdir('nix-meson-build-support/common')
 
 sources = files(
-  'aws-creds.cc',
   'binary-cache-store.cc',
   'build-result.cc',
   'build/derivation-builder.cc',
@@ -344,6 +343,11 @@ sources = files(
   'worker-protocol.cc',
 )
 
+# AWS credentials code requires AWS CRT, so only compile when enabled
+if curl_s3_store_opt.enabled()
+  sources += files('aws-creds.cc')
+endif
+
 subdir('include/nix/store')
 
 if host_machine.system() == 'linux'
diff --git a/src/libstore/s3-binary-cache-store.cc b/src/libstore/s3-binary-cache-store.cc
@@ -1,12 +1,9 @@
 #include "nix/store/s3-binary-cache-store.hh"
 
-#if NIX_WITH_S3_SUPPORT
+#include <cassert>
 
-#  include <cassert>
-
-#  include "nix/store/s3-binary-cache-store.hh"
-#  include "nix/store/http-binary-cache-store.hh"
-#  include "nix/store/store-registration.hh"
+#include "nix/store/http-binary-cache-store.hh"
+#include "nix/store/store-registration.hh"
 
 namespace nix {
 
@@ -45,5 +42,3 @@ std::string S3BinaryCacheStoreConfig::doc()
 static RegisterStoreImplementation<S3BinaryCacheStoreConfig> registerS3BinaryCacheStore;
 
 } // namespace nix
-
-#endif
diff --git a/src/libstore/s3-url.cc b/src/libstore/s3-url.cc
@@ -1,13 +1,10 @@
 #include "nix/store/s3-url.hh"
+#include "nix/util/error.hh"
+#include "nix/util/split.hh"
+#include "nix/util/strings-inline.hh"
 
-#if NIX_WITH_S3_SUPPORT
-
-#  include "nix/util/error.hh"
-#  include "nix/util/split.hh"
-#  include "nix/util/strings-inline.hh"
-
-#  include <ranges>
-#  include <string_view>
+#include <ranges>
+#include <string_view>
 
 using namespace std::string_view_literals;
 
@@ -117,5 +114,3 @@ ParsedURL ParsedS3URL::toHttpsUrl() const
 }
 
 } // namespace nix
-
-#endif
