object-store: fix handling of AWS profile credentials without expiry (#3766)

* fix aws profile

* fix unused import

* support None as expiry

* fix clippy

* fix fmt

* revert fmt whitespace fix

Author: helmus

object_store/src/aws/credential.rs

@@ -438,7 +438,7 @@ async fn instance_creds(
     let ttl = (creds.expiration - now).to_std().unwrap_or_default();
     Ok(TemporaryToken {
         token: Arc::new(creds.into()),
-        expiry: Instant::now() + ttl,
+        expiry: Some(Instant::now() + ttl),
     })
 }
 
@@ -509,7 +509,7 @@ async fn web_identity(
 
     Ok(TemporaryToken {
         token: Arc::new(creds.into()),
-        expiry: Instant::now() + ttl,
+        expiry: Some(Instant::now() + ttl),
     })
 }
 
@@ -553,17 +553,11 @@ mod profile {
                             store: "S3",
                             source: Box::new(source),
                         })?;
-
                 let t_now = SystemTime::now();
-                let expiry = match c.expiry().and_then(|e| e.duration_since(t_now).ok()) {
-                    Some(ttl) => Instant::now() + ttl,
-                    None => {
-                        return Err(crate::Error::Generic {
-                            store: "S3",
-                            source: "Invalid expiry".into(),
-                        })
-                    }
-                };
+                let expiry = c
+                    .expiry()
+                    .and_then(|e| e.duration_since(t_now).ok())
+                    .map(|ttl| Instant::now() + ttl);
 
                 Ok(TemporaryToken {
                     token: Arc::new(AwsCredential {

object_store/src/azure/credential.rs

@@ -360,7 +360,7 @@ impl TokenCredential for ClientSecretOAuthProvider {
 
         let token = TemporaryToken {
             token: response.access_token,
-            expiry: Instant::now() + Duration::from_secs(response.expires_in),
+            expiry: Some(Instant::now() + Duration::from_secs(response.expires_in)),
         };
 
         Ok(token)
@@ -467,7 +467,7 @@ impl TokenCredential for ImdsManagedIdentityOAuthProvider {
 
         let token = TemporaryToken {
             token: response.access_token,
-            expiry: Instant::now() + Duration::from_secs(response.expires_in),
+            expiry: Some(Instant::now() + Duration::from_secs(response.expires_in)),
         };
 
         Ok(token)
@@ -541,7 +541,7 @@ impl TokenCredential for WorkloadIdentityOAuthProvider {
 
         let token = TemporaryToken {
             token: response.access_token,
-            expiry: Instant::now() + Duration::from_secs(response.expires_in),
+            expiry: Some(Instant::now() + Duration::from_secs(response.expires_in)),
         };
 
         Ok(token)
@@ -640,10 +640,12 @@ impl TokenCredential for AzureCliCredential {
                     - chrono::Local::now().naive_local();
                 Ok(TemporaryToken {
                     token: token_response.access_token,
-                    expiry: Instant::now()
-                        + duration.to_std().map_err(|_| Error::AzureCli {
-                            message: "az returned invalid lifetime".to_string(),
-                        })?,
+                    expiry: Some(
+                        Instant::now()
+                            + duration.to_std().map_err(|_| Error::AzureCli {
+                                message: "az returned invalid lifetime".to_string(),
+                            })?,
+                    ),
                 })
             }
             Ok(az_output) => {

object_store/src/client/token.rs

@@ -25,7 +25,8 @@ pub struct TemporaryToken<T> {
     /// The temporary credential
     pub token: T,
     /// The instant at which this credential is no longer valid
-    pub expiry: Instant,
+    /// None means the credential does not expire
+    pub expiry: Option<Instant>,
 }
 
 /// Provides [`TokenCache::get_or_insert_with`] which can be used to cache a
@@ -53,13 +54,18 @@ impl<T: Clone + Send> TokenCache<T> {
         let mut locked = self.cache.lock().await;
 
         if let Some(cached) = locked.as_ref() {
-            let delta = cached
-                .expiry
-                .checked_duration_since(now)
-                .unwrap_or_default();
-
-            if delta.as_secs() > 300 {
-                return Ok(cached.token.clone());
+            match cached.expiry {
+                Some(ttl)
+                    if ttl
+                        .checked_duration_since(now)
+                        .unwrap_or_default()
+                        .as_secs()
+                        > 300 =>
+                {
+                    return Ok(cached.token.clone());
+                }
+                None => return Ok(cached.token.clone()),
+                _ => (),
             }
         }
 

object_store/src/gcp/credential.rs

@@ -220,7 +220,7 @@ impl TokenProvider for OAuthProvider {
 
         let token = TemporaryToken {
             token: response.access_token,
-            expiry: Instant::now() + Duration::from_secs(response.expires_in),
+            expiry: Some(Instant::now() + Duration::from_secs(response.expires_in)),
         };
 
         Ok(token)
@@ -393,7 +393,7 @@ impl TokenProvider for InstanceCredentialProvider {
                 .await?;
         let token = TemporaryToken {
             token: response.access_token,
-            expiry: Instant::now() + Duration::from_secs(response.expires_in),
+            expiry: Some(Instant::now() + Duration::from_secs(response.expires_in)),
         };
         Ok(token)
     }
@@ -467,7 +467,7 @@ impl TokenProvider for ApplicationDefaultCredentials {
             .context(TokenResponseBodySnafu)?;
         let token = TemporaryToken {
             token: response.access_token,
-            expiry: Instant::now() + Duration::from_secs(response.expires_in),
+            expiry: Some(Instant::now() + Duration::from_secs(response.expires_in)),
         };
         Ok(token)
     }