Sync with upstream 2.33.2

.github/actions/install-nix-action/action.yaml

@@ -24,8 +24,8 @@ inputs:
     description: "Github token"
     required: true
   use_cache:
-    description: "Whether to setup magic-nix-cache"
-    default: true
+    description: "Whether to setup github actions cache (not implemented currently)"
+    default: false
     required: false
 runs:
   using: "composite"
@@ -122,10 +122,3 @@ runs:
         source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
         nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
         extra-conf: ${{ inputs.extra_nix_config }}
-    - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
-      if: ${{ inputs.use_cache == 'true' }}
-      with:
-        diagnostic-endpoint: ''
-        use-flakehub: false
-        use-gha-cache: true
-        source-revision: 92d9581367be2233c2d5714a2640e1339f4087d8 # main

.version

@@ -1 +1 @@
-2.33.1
+2.33.2

src/libstore/aws-creds.cc

@@ -4,15 +4,20 @@
 
 #  include <aws/crt/Types.h>
 #  include "nix/store/s3-url.hh"
-#  include "nix/util/finally.hh"
 #  include "nix/util/logging.hh"
-#  include "nix/util/url.hh"
-#  include "nix/util/util.hh"
 
 #  include <aws/crt/Api.h>
 #  include <aws/crt/auth/Credentials.h>
 #  include <aws/crt/io/Bootstrap.h>
 
+// C library headers for SSO provider support
+#  include <aws/auth/credentials.h>
+
+// C library headers for custom logging
+#  include <aws/common/logging.h>
+
+#  include <cstdarg>
+
 #  include <boost/unordered/concurrent_flat_map.hpp>
 
 #  include <chrono>
@@ -30,6 +35,141 @@ AwsAuthError::AwsAuthError(int errorCode)
 
 namespace {
 
+/**
+ * Map AWS log level to Nix verbosity.
+ * AWS levels: AWS_LL_NONE=0, AWS_LL_FATAL=1, AWS_LL_ERROR=2, AWS_LL_WARN=3,
+ *             AWS_LL_INFO=4, AWS_LL_DEBUG=5, AWS_LL_TRACE=6
+ *
+ * We map very conservatively because the AWS SDK is extremely noisy. What AWS
+ * considers "info" includes low-level details like "Initializing epoll" and
+ * "Starting event-loop thread". What it considers "errors" includes expected
+ * conditions like missing ~/.aws/config or IMDS being unavailable on non-EC2.
+ *
+ * To avoid spamming users, we only show FATAL at default verbosity. Everything
+ * else requires -vvvvv (lvlDebug) or higher to see.
+ */
+static Verbosity awsLogLevelToVerbosity(enum aws_log_level level)
+{
+    switch (level) {
+    case AWS_LL_FATAL:
+        return lvlError;
+    case AWS_LL_ERROR:
+    case AWS_LL_WARN:
+    case AWS_LL_INFO:
+        return lvlDebug;
+    case AWS_LL_DEBUG:
+    case AWS_LL_TRACE:
+        return lvlVomit;
+    // AWS_LL_NONE and AWS_LL_COUNT are enum sentinels, not real log levels
+    case AWS_LL_NONE:
+    case AWS_LL_COUNT:
+        return lvlDebug;
+    }
+    unreachable();
+}
+
+/**
+ * Custom AWS logger that routes logs through Nix's logging infrastructure.
+ *
+ * The AWS CRT C++ wrapper (ApiHandle::InitializeLogging) only supports FILE*
+ * or filename-based logging. The underlying C library supports custom loggers
+ * via aws_logger struct with a vtable containing callback functions.
+ */
+static int nixAwsLoggerLog(
+    struct aws_logger * logger, enum aws_log_level logLevel, aws_log_subject_t subject, const char * format, ...)
+{
+    Verbosity nixLevel = awsLogLevelToVerbosity(logLevel);
+    if (nixLevel > verbosity)
+        return AWS_OP_SUCCESS; /* Bail out early to avoid formatting the message unnecessarily. */
+
+    va_list args;
+    va_start(args, format);
+    std::array<char, 4096> buffer{};
+    auto res = vsnprintf(buffer.data(), buffer.size(), format, args);
+    va_end(args);
+    if (res < 0) /* Skip garbage debug messages in case the SDK is busted. */
+        return AWS_OP_SUCCESS;
+
+    const char * subjectName = aws_log_subject_name(subject);
+    printMsgUsing(nix::logger, nixLevel, "(aws:%s) %s", subjectName ? subjectName : "unknown", chomp(buffer.data()));
+    return AWS_OP_SUCCESS;
+}
+
+/**
+ * Get current log level for a subject - determines which messages will be logged.
+ * Must be consistent with awsLogLevelToVerbosity mapping.
+ */
+static aws_log_level nixAwsLoggerGetLevel(struct aws_logger * logger, aws_log_subject_t subject)
+{
+    // Map Nix verbosity back to AWS log level (inverse of awsLogLevelToVerbosity)
+    if (verbosity >= lvlVomit)
+        return AWS_LL_TRACE;
+    if (verbosity >= lvlDebug)
+        return AWS_LL_INFO; // error/warn/info are all mapped to lvlDebug
+    return AWS_LL_FATAL;
+}
+
+static void initialiseAwsLogger()
+{
+    static std::once_flag initialised; /* aws_logger_set must only be called once */
+    std::call_once(initialised, []() {
+        static aws_logger_vtable nixAwsLoggerVtable = {
+            .log = nixAwsLoggerLog,
+            .get_log_level = nixAwsLoggerGetLevel,
+            .clean_up = [](struct aws_logger *) {}, // No resources to clean up
+            .set_log_level = nullptr,
+        };
+
+        static aws_logger nixAwsLogger = {
+            .vtable = &nixAwsLoggerVtable,
+            .allocator = nullptr,
+            .p_impl = nullptr,
+        };
+
+        aws_logger_set(&nixAwsLogger);
+    });
+}
+
+/**
+ * Helper function to wrap a C credentials provider in the C++ interface.
+ * This replicates the static s_CreateWrappedProvider from aws-crt-cpp.
+ */
+static std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> createWrappedProvider(
+    aws_credentials_provider * rawProvider, Aws::Crt::Allocator * allocator = Aws::Crt::ApiAllocator())
+{
+    if (rawProvider == nullptr) {
+        return nullptr;
+    }
+
+    auto provider = Aws::Crt::MakeShared<Aws::Crt::Auth::CredentialsProvider>(allocator, rawProvider, allocator);
+    return std::static_pointer_cast<Aws::Crt::Auth::ICredentialsProvider>(provider);
+}
+
+/**
+ * Create an SSO credentials provider using the C library directly.
+ * The C++ wrapper doesn't expose SSO, so we call the C library and wrap the result.
+ * Returns nullptr if SSO provider creation fails (e.g., profile doesn't have SSO config).
+ */
+static std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> createSSOProvider(
+    const std::string & profileName,
+    Aws::Crt::Io::ClientBootstrap * bootstrap,
+    Aws::Crt::Io::TlsContext * tlsContext,
+    Aws::Crt::Allocator * allocator = Aws::Crt::ApiAllocator())
+{
+    aws_credentials_provider_sso_options options;
+    AWS_ZERO_STRUCT(options);
+
+    options.bootstrap = bootstrap->GetUnderlyingHandle();
+    options.tls_ctx = tlsContext ? tlsContext->GetUnderlyingHandle() : nullptr;
+    if (!profileName.empty()) {
+        options.profile_name_override = aws_byte_cursor_from_c_str(profileName.c_str());
+    }
+
+    // Create the SSO provider - will return nullptr if SSO isn't configured for this profile
+    // createWrappedProvider handles nullptr gracefully
+    return createWrappedProvider(aws_credentials_provider_new_sso(allocator, &options), allocator);
+}
+
 static AwsCredentials getCredentialsFromProvider(std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider)
 {
     if (!provider || !provider->IsValid()) {
@@ -79,18 +219,25 @@ class AwsCredentialProviderImpl : public AwsCredentialProvider
 public:
     AwsCredentialProviderImpl()
     {
-        // Map Nix's verbosity to AWS CRT log level
-        Aws::Crt::LogLevel logLevel;
-        if (verbosity >= lvlVomit) {
-            logLevel = Aws::Crt::LogLevel::Trace;
-        } else if (verbosity >= lvlDebug) {
-            logLevel = Aws::Crt::LogLevel::Debug;
-        } else if (verbosity >= lvlChatty) {
-            logLevel = Aws::Crt::LogLevel::Info;
-        } else {
-            logLevel = Aws::Crt::LogLevel::Warn;
+        // Install custom logger that routes AWS CRT logs through Nix's logging infrastructure.
+        // This ensures AWS logs respect Nix's verbosity settings and are formatted consistently.
+        initialiseAwsLogger();
+
+        // Create a shared TLS context for SSO (required for HTTPS connections)
+        auto allocator = Aws::Crt::ApiAllocator();
+        auto tlsCtxOptions = Aws::Crt::Io::TlsContextOptions::InitDefaultClient(allocator);
+        tlsContext =
+            std::make_shared<Aws::Crt::Io::TlsContext>(tlsCtxOptions, Aws::Crt::Io::TlsMode::CLIENT, allocator);
+        if (!tlsContext || !*tlsContext) {
+            warn("failed to create TLS context for AWS SSO; SSO authentication will be unavailable");
+            tlsContext = nullptr;
+        }
+
+        // Get bootstrap (lives as long as apiHandle)
+        bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+        if (!bootstrap) {
+            throw AwsAuthError("failed to create AWS client bootstrap");
         }
-        apiHandle.InitializeLogging(logLevel, stderr);
     }
 
     AwsCredentials getCredentialsRaw(const std::string & profile);
@@ -111,30 +258,67 @@ class AwsCredentialProviderImpl : public AwsCredentialProvider
 
 private:
     Aws::Crt::ApiHandle apiHandle;
+    std::shared_ptr<Aws::Crt::Io::TlsContext> tlsContext;
+    Aws::Crt::Io::ClientBootstrap * bootstrap;
     boost::concurrent_flat_map<std::string, std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider>>
         credentialProviderCache;
 };
 
 std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider>
 AwsCredentialProviderImpl::createProviderForProfile(const std::string & profile)
 {
-    debug(
-        "[pid=%d] creating new AWS credential provider for profile '%s'",
-        getpid(),
-        profile.empty() ? "(default)" : profile.c_str());
-
-    if (profile.empty()) {
-        Aws::Crt::Auth::CredentialsProviderChainDefaultConfig config;
-        config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
-        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChainDefault(config);
+    // profileDisplayName is only used for debug logging - SDK uses its default profile
+    // when ProfileNameOverride is not set
+    const char * profileDisplayName = profile.empty() ? "(default)" : profile.c_str();
+
+    debug("[pid=%d] creating new AWS credential provider for profile '%s'", getpid(), profileDisplayName);
+
+    // Build a custom credential chain: Environment → SSO → Profile → IMDS
+    // This works for both default and named profiles, ensuring consistent behavior
+    // including SSO support and proper TLS context for STS-based role assumption.
+    Aws::Crt::Auth::CredentialsProviderChainConfig chainConfig;
+    auto allocator = Aws::Crt::ApiAllocator();
+
+    auto addProviderToChain = [&](std::string_view name, auto createProvider) {
+        if (auto provider = createProvider()) {
+            chainConfig.Providers.push_back(provider);
+            debug("Added AWS %s Credential Provider to chain for profile '%s'", name, profileDisplayName);
+        } else {
+            debug("Skipped AWS %s Credential Provider for profile '%s'", name, profileDisplayName);
+        }
+    };
+
+    // 1. Environment variables (highest priority)
+    addProviderToChain("Environment", [&]() {
+        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderEnvironment(allocator);
+    });
+
+    // 2. SSO provider (try it, will fail gracefully if not configured)
+    if (tlsContext) {
+        addProviderToChain("SSO", [&]() { return createSSOProvider(profile, bootstrap, tlsContext.get(), allocator); });
+    } else {
+        debug("Skipped AWS SSO Credential Provider for profile '%s': TLS context unavailable", profileDisplayName);
     }
 
-    Aws::Crt::Auth::CredentialsProviderProfileConfig config;
-    config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
-    // This is safe because the underlying C library will copy this string
-    // c.f. https://github.com/awslabs/aws-c-auth/blob/main/source/credentials_provider_profile.c#L220
-    config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
-    return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(config);
+    // 3. Profile provider (for static credentials and role_arn/source_profile with STS)
+    addProviderToChain("Profile", [&]() {
+        Aws::Crt::Auth::CredentialsProviderProfileConfig profileConfig;
+        profileConfig.Bootstrap = bootstrap;
+        profileConfig.TlsContext = tlsContext.get();
+        if (!profile.empty()) {
+            profileConfig.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
+        }
+        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(profileConfig, allocator);
+    });
+
+    // 4. IMDS provider (for EC2 instances, lowest priority)
+    addProviderToChain("IMDS", [&]() {
+        Aws::Crt::Auth::CredentialsProviderImdsConfig imdsConfig;
+        imdsConfig.Bootstrap = bootstrap;
+        return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderImds(imdsConfig, allocator);
+    });
+
+    return Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChain(chainConfig, allocator);
 }
 
 AwsCredentials AwsCredentialProviderImpl::getCredentialsRaw(const std::string & profile)