CPL AWS: Fix aws sso cache file location and region parameter (Fixes OSGeo#12064)

Needed to wire through the profile name from the config, then use that for the file name hash rather than the start url if it exists. This makes it match the way boto3 (the aws python library) does it.

Also pulled the region out of the cache file and used that when building the token url as the old way only worked if your AWS account was based in US-east-1

Author: emilyselwood

autotest/gcore/vsis3.py

@@ -6238,7 +6238,7 @@ def test_vsis3_read_credentials_sso(tmp_vsimem, aws_test_config, webserver_port)
     )
 
     gdal.FileFromMemBuffer(
-        tmp_vsimem / "sso" / "cache" / "327c3fda87ce286848a574982ddd0b7c7487f816.json",
+        tmp_vsimem / "sso" / "cache" / "0ad374308c5a4e22f723adf10145eafad7c4031c.json",
         '{"startUrl": "https://example.com", "region": "us-east-1", "accessToken": "sso-accessToken", "expiresAt": "9999-01-01T00:00:00Z"}',
     )
 

port/cpl_aws.cpp

@@ -1187,7 +1187,8 @@ bool VSIS3HandleHelper::GetConfigurationFromAWSConfigFiles(
     std::string &osSourceProfile, std::string &osExternalId,
     std::string &osMFASerial, std::string &osRoleSessionName,
     std::string &osWebIdentityTokenFile, std::string &osSSOStartURL,
-    std::string &osSSOAccountID, std::string &osSSORoleName)
+    std::string &osSSOAccountID, std::string &osSSORoleName,
+    std::string &osSSOSession)
 {
     // See http://docs.aws.amazon.com/cli/latest/userguide/cli-config-files.html
     // If AWS_DEFAULT_PROFILE is set (obsolete, no longer documented), use it in
@@ -1247,7 +1248,6 @@ bool VSIS3HandleHelper::GetConfigurationFromAWSConfigFiles(
         const char *pszLine;
         std::map<std::string, std::map<std::string, std::string>>
             oMapSSOSessions;
-        std::string osSSOSession;
         while ((pszLine = CPLReadLineL(fp)) != nullptr)
         {
             if (STARTS_WITH(pszLine, "[sso-session ") &&
@@ -1516,13 +1516,11 @@ static bool GetTemporaryCredentialsForRole(
 /************************************************************************/
 
 // Issue a GetRoleCredentials request
-static bool GetTemporaryCredentialsForSSO(const std::string &osSSOStartURL,
-                                          const std::string &osSSOAccountID,
-                                          const std::string &osSSORoleName,
-                                          std::string &osTempSecretAccessKey,
-                                          std::string &osTempAccessKeyId,
-                                          std::string &osTempSessionToken,
-                                          std::string &osExpirationEpochInMS)
+static bool GetTemporaryCredentialsForSSO(
+    const std::string &osSSOStartURL, const std::string &osSSOSession,
+    const std::string &osSSOAccountID, const std::string &osSSORoleName,
+    std::string &osTempSecretAccessKey, std::string &osTempAccessKeyId,
+    std::string &osTempSessionToken, std::string &osExpirationEpochInMS)
 {
     std::string osSSOFilename = GetAWSRootDirectory();
     osSSOFilename += GetDirSeparator();
@@ -1531,8 +1529,14 @@ static bool GetTemporaryCredentialsForSSO(const std::string &osSSOStartURL,
     osSSOFilename += "cache";
     osSSOFilename += GetDirSeparator();
 
+    std::string hashValue = osSSOStartURL;
+    if (!osSSOSession.empty())
+    {
+        hashValue = osSSOSession;
+    }
+
     GByte hash[CPL_SHA1_HASH_SIZE];
-    CPL_SHA1(osSSOStartURL.data(), osSSOStartURL.size(), hash);
+    CPL_SHA1(hashValue.data(), hashValue.size(), hash);
     osSSOFilename += CPLGetLowerCaseHex(hash, sizeof(hash));
     osSSOFilename += ".json";
 
@@ -1587,9 +1591,13 @@ static bool GetTemporaryCredentialsForSSO(const std::string &osSSOStartURL,
     headers += "x-amz-sso_bearer_token: " + osAccessToken;
     aosOptions.AddNameValue("HEADERS", headers.c_str());
 
+    const std::string osRegion = oRoot.GetString("region", "us-east-1");
+    const std::string osDefaultHost("portal.sso." + osRegion +
+                                    ".amazonaws.com");
+
     const bool bUseHTTPS = CPLTestBool(CPLGetConfigOption("AWS_HTTPS", "YES"));
-    const std::string osHost(CPLGetConfigOption(
-        "CPL_AWS_SSO_ENDPOINT", "portal.sso.us-east-1.amazonaws.com"));
+    const std::string osHost(
+        CPLGetConfigOption("CPL_AWS_SSO_ENDPOINT", osDefaultHost.c_str()));
 
     const std::string osURL = (bUseHTTPS ? "https://" : "http://") + osHost +
                               osResourceAndQueryString;
@@ -1721,7 +1729,7 @@ bool VSIS3HandleHelper::GetOrRefreshTemporaryCredentialsForSSO(
         gosGlobalAccessKeyId.clear();
         gosGlobalSessionToken.clear();
         if (GetTemporaryCredentialsForSSO(
-                gosSSOStartURL, gosSSOAccountID, gosSSORoleName,
+                gosSSOStartURL, "", gosSSOAccountID, gosSSORoleName,
                 gosGlobalSecretAccessKey, gosGlobalAccessKeyId,
                 gosGlobalSessionToken, osExpirationEpochInMS))
         {
@@ -1824,14 +1832,15 @@ bool VSIS3HandleHelper::GetConfiguration(
     std::string osSSOStartURL;
     std::string osSSOAccountID;
     std::string osSSORoleName;
+    std::string osSSOSession;
     // coverity[tainted_data]
     if (GetConfigurationFromAWSConfigFiles(
             osPathForOption,
             /* pszProfile = */ nullptr, osSecretAccessKey, osAccessKeyId,
             osSessionToken, osRegion, osCredentials, osRoleArn, osSourceProfile,
             osExternalId, osMFASerial, osRoleSessionName,
             osWebIdentityTokenFile, osSSOStartURL, osSSOAccountID,
-            osSSORoleName))
+            osSSORoleName, osSSOSession))
     {
         if (osSecretAccessKey.empty() && !osRoleArn.empty())
         {
@@ -1858,7 +1867,8 @@ bool VSIS3HandleHelper::GetConfiguration(
                         osRegionSP, osCredentialsSP, osRoleArnSP,
                         osSourceProfileSP, osExternalIdSP, osMFASerialSP,
                         osRoleSessionNameSP, osWebIdentityTokenFile,
-                        osSSOStartURLSP, osSSOAccountIDSP, osSSORoleNameSP))
+                        osSSOStartURLSP, osSSOAccountIDSP, osSSORoleNameSP,
+                        osSSOSession))
                 {
                     if (GetConfigurationFromAssumeRoleWithWebIdentity(
                             /* bForceRefresh = */ false, osPathForOption,
@@ -1929,14 +1939,14 @@ bool VSIS3HandleHelper::GetConfiguration(
             return false;
         }
 
-        if (!osSSOStartURL.empty())
+        if (!osSSOStartURL.empty() || !osSSOSession.empty())
         {
             std::string osTempSecretAccessKey;
             std::string osTempAccessKeyId;
             std::string osTempSessionToken;
             std::string osExpirationEpochInMS;
             if (GetTemporaryCredentialsForSSO(
-                    osSSOStartURL, osSSOAccountID, osSSORoleName,
+                    osSSOStartURL, osSSOSession, osSSOAccountID, osSSORoleName,
                     osTempSecretAccessKey, osTempAccessKeyId,
                     osTempSessionToken, osExpirationEpochInMS))
             {

port/cpl_aws.h

@@ -165,7 +165,8 @@ class VSIS3HandleHelper final : public IVSIS3LikeHandleHelper
         std::string &osSourceProfile, std::string &osExternalId,
         std::string &osMFASerial, std::string &osRoleSessionName,
         std::string &osWebIdentityTokenFile, std::string &osSSOStartURL,
-        std::string &osSSOAccountID, std::string &osSSORoleName);
+        std::string &osSSOAccountID, std::string &osSSORoleName,
+        std::string &osSSOSession);
 
     static bool GetConfiguration(const std::string &osPathForOption,
                                  CSLConstList papszOptions,