refactor(libstore): Replace AWS SDK with curl-based S3 implementation

This commit replaces the AWS C++ SDK with a lighter curl-based approach
for S3 binary cache operations.

- Removed dependency on the heavy aws-cpp-sdk-s3 and aws-cpp-sdk-transfer
- Added lightweight aws-crt-cpp for credential resolution only
- Leverages curl's native AWS SigV4 authentication (requires curl >= 7.75.0)
- S3BinaryCacheStore now delegates to HttpBinaryCacheStore
- Function s3ToHttpsUrl converts ParsedS3URL to ParsedURL
- Multipart uploads are no longer supported (may be reimplemented later)
- Build now requires curl >= 7.75.0 for AWS SigV4 support

Fixes: #13084, #12671, #11748, #12403, #5947

Author: lovesegfault

doc/manual/rl-next/s3-curl-implementation.md

@@ -0,0 +1,36 @@
+---
+synopsis: "Improved S3 binary cache support via HTTP"
+prs: [13752]
+issues: [13084, 12671, 11748, 12403, 5947]
+---
+
+S3 binary cache operations now happen via HTTP, leveraging `libcurl`'s native AWS
+SigV4 authentication instead of the AWS C++ SDK, providing significant
+improvements:
+
+- **Reduced memory usage**: Eliminates memory buffering issues that caused
+  segfaults with large files (>3.5GB)
+- **Fixed upload reliability**: Resolves AWS SDK chunking errors
+  (`InvalidChunkSizeError`)
+- **Resolved OpenSSL conflicts**: No more S2N engine override issues in
+  sandboxed builds
+- **Lighter dependencies**: Uses lightweight `aws-crt-cpp` instead of full
+  `aws-cpp-sdk`, reducing build complexity
+
+The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential
+management.
+
+All existing S3 URL formats and parameters remain supported.
+
+## Breaking changes
+
+The legacy `S3BinaryCacheStore` implementation has been removed in favor of the
+new curl-based approach, as a result multipart uploads are no longer supported. They may be reimplemented in the future.
+
+**Migration**: No action required for most users. S3 URLs continue to work
+with the same syntax. Users directly using `S3BinaryCacheStore` class
+should migrate to standard HTTP binary cache stores with S3 endpoints.
+
+**Build requirement**: S3 support now requires curl >= 7.75.0 for AWS SigV4
+authentication. Build configuration will warn if `aws-crt-cpp` is available
+but S3 support is disabled due to an insufficient curl version.

meson.options

@@ -27,3 +27,10 @@ option(
   value : false,
   description : 'Build benchmarks (requires gbenchmark)',
 )
+
+option(
+  's3-store',
+  type : 'feature',
+  value : 'auto',
+  description : 'Enable S3 binary cache store support (requires aws-crt-cpp and curl >= 7.75.0)',
+)

packaging/components.nix

@@ -458,7 +458,7 @@ in
 
       Example:
       ```
-      overrideScope (finalScope: prevScope: { aws-sdk-cpp = null; })
+      overrideScope (finalScope: prevScope: { aws-crt-cpp = null; })
       ```
     */
     overrideScope = f: (scope.overrideScope f).nix-everything;

packaging/dependencies.nix

@@ -16,21 +16,6 @@ in
 scope: {
   inherit stdenv;
 
-  aws-sdk-cpp =
-    (pkgs.aws-sdk-cpp.override {
-      apis = [
-        "identity-management"
-        "s3"
-        "transfer"
-      ];
-      customMemoryManagement = false;
-    }).overrideAttrs
-      {
-        # only a stripped down version is built, which takes a lot less resources
-        # to build, so we don't need a "big-parallel" machine.
-        requiredSystemFeatures = [ ];
-      };
-
   boehmgc =
     (pkgs.boehmgc.override {
       enableLargeConfig = true;

src/libstore-tests/meson.build

@@ -77,7 +77,7 @@ sources = files(
   'realisation.cc',
   'references.cc',
   's3-binary-cache-store.cc',
-  's3.cc',
+  's3-url.cc',
   'serve-protocol.cc',
   'ssh-store.cc',
   'store-reference.cc',

src/libstore-tests/s3-binary-cache-store.cc

@@ -1,4 +1,7 @@
 #include "nix/store/s3-binary-cache-store.hh"
+#include "nix/store/http-binary-cache-store.hh"
+#include "nix/store/filetransfer.hh"
+#include "nix/store/s3-url.hh"
 
 #if NIX_WITH_S3_SUPPORT
 
@@ -10,7 +13,62 @@ TEST(S3BinaryCacheStore, constructConfig)
 {
     S3BinaryCacheStoreConfig config{"s3", "foobar", {}};
 
-    EXPECT_EQ(config.bucketName, "foobar");
+    // The bucket name is stored as the host part of the authority in cacheUri
+    ASSERT_TRUE(config.cacheUri.authority.has_value());
+    EXPECT_EQ(config.cacheUri.authority->host, "foobar");
+    EXPECT_EQ(config.cacheUri.scheme, "s3");
+}
+
+TEST(S3BinaryCacheStore, constructConfigWithRegion)
+{
+    Store::Config::Params params{{"region", "eu-west-1"}};
+    S3BinaryCacheStoreConfig config{"s3", "my-bucket", params};
+
+    ASSERT_TRUE(config.cacheUri.authority.has_value());
+    EXPECT_EQ(config.cacheUri.authority->host, "my-bucket");
+    EXPECT_EQ(config.region.get(), "eu-west-1");
+}
+
+TEST(S3BinaryCacheStore, defaultSettings)
+{
+    S3BinaryCacheStoreConfig config{"s3", "test-bucket", {}};
+
+    // Check default values
+    EXPECT_EQ(config.region.get(), "us-east-1");
+    EXPECT_EQ(config.profile.get(), "");
+    EXPECT_EQ(config.endpoint.get(), "");
+}
+
+/**
+ * Test that S3BinaryCacheStore properly preserves S3-specific parameters
+ */
+TEST(S3BinaryCacheStore, s3StoreConfigPreservesParameters)
+{
+    StringMap params;
+    params["region"] = "eu-west-1";
+    params["endpoint"] = "custom.s3.com";
+
+    S3BinaryCacheStoreConfig config("s3", "test-bucket", params);
+
+    // The config should preserve S3-specific parameters
+    EXPECT_EQ(config.cacheUri.scheme, "s3");
+    EXPECT_EQ(config.cacheUri.authority->host, "test-bucket");
+    EXPECT_FALSE(config.cacheUri.query.empty());
+    EXPECT_EQ(config.cacheUri.query["region"], "eu-west-1");
+    EXPECT_EQ(config.cacheUri.query["endpoint"], "custom.s3.com");
+}
+
+/**
+ * Test that S3 store scheme is properly registered
+ */
+TEST(S3BinaryCacheStore, s3SchemeRegistration)
+{
+    auto schemes = S3BinaryCacheStoreConfig::uriSchemes();
+    EXPECT_TRUE(schemes.count("s3") > 0) << "S3 scheme should be supported";
+
+    // Verify HttpBinaryCacheStoreConfig doesn't directly list S3
+    auto httpSchemes = HttpBinaryCacheStoreConfig::uriSchemes();
+    EXPECT_FALSE(httpSchemes.count("s3") > 0) << "HTTP store shouldn't directly list S3 scheme";
 }
 
 } // namespace nix

src/libstore-tests/s3.cc renamed to src/libstore-tests/s3-url.cc

@@ -1,4 +1,4 @@
-#include "nix/store/s3.hh"
+#include "nix/store/s3-url.hh"
 #include "nix/util/tests/gmock-matchers.hh"
 
 #if NIX_WITH_S3_SUPPORT

src/libstore/aws-creds.cc

@@ -0,0 +1,219 @@
+#include "nix/store/aws-creds.hh"
+
+#if NIX_WITH_S3_SUPPORT
+
+#  include <aws/crt/Types.h>
+#  include "nix/store/s3-url.hh"
+#  include "nix/util/finally.hh"
+#  include "nix/util/logging.hh"
+#  include "nix/util/sync.hh"
+#  include "nix/util/url.hh"
+#  include "nix/util/util.hh"
+
+#  include <aws/crt/Api.h>
+#  include <aws/crt/auth/Credentials.h>
+#  include <aws/crt/io/Bootstrap.h>
+
+#  include <boost/unordered/concurrent_flat_map.hpp>
+
+#  include <chrono>
+#  include <condition_variable>
+#  include <mutex>
+#  include <unistd.h>
+
+namespace nix {
+
+namespace {
+
+static void initAwsCrt()
+{
+    struct CrtWrapper
+    {
+        Aws::Crt::ApiHandle apiHandle;
+
+        CrtWrapper()
+        {
+            apiHandle.InitializeLogging(Aws::Crt::LogLevel::Warn, static_cast<FILE *>(nullptr));
+        }
+
+        ~CrtWrapper()
+        {
+            try {
+                // CRITICAL: Clear credential provider cache BEFORE AWS CRT shuts down
+                // This ensures all providers (which hold references to ClientBootstrap)
+                // are destroyed while AWS CRT is still valid
+                clearAwsCredentialsCache();
+                // Now it's safe for ApiHandle destructor to run
+            } catch (...) {
+                ignoreExceptionInDestructor();
+            }
+        }
+    };
+
+    static CrtWrapper crt;
+}
+
+static AwsCredentials getCredentialsFromProvider(std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider)
+{
+    if (!provider || !provider->IsValid()) {
+        throw AwsAuthError("AWS credential provider is invalid");
+    }
+
+    struct State
+    {
+        std::optional<AwsCredentials> result;
+        int resolvedErrorCode = 0;
+        bool resolved = false;
+    };
+
+    Sync<State> state;
+    std::condition_variable cv;
+
+    provider->GetCredentials([&](std::shared_ptr<Aws::Crt::Auth::Credentials> credentials, int errorCode) {
+        auto state_ = state.lock();
+
+        if (errorCode != 0 || !credentials) {
+            state_->resolvedErrorCode = errorCode;
+        } else {
+            auto accessKeyId = Aws::Crt::ByteCursorToStringView(credentials->GetAccessKeyId());
+            auto secretAccessKey = Aws::Crt::ByteCursorToStringView(credentials->GetSecretAccessKey());
+            auto sessionToken = Aws::Crt::ByteCursorToStringView(credentials->GetSessionToken());
+
+            std::optional<std::string> sessionTokenStr;
+            if (!sessionToken.empty()) {
+                sessionTokenStr = std::string(sessionToken.data(), sessionToken.size());
+            }
+
+            state_->result = AwsCredentials(
+                std::string(accessKeyId.data(), accessKeyId.size()),
+                std::string(secretAccessKey.data(), secretAccessKey.size()),
+                sessionTokenStr);
+        }
+
+        state_->resolved = true;
+        cv.notify_one();
+    });
+
+    {
+        auto state_ = state.lock();
+        // AWS CRT GetCredentials is asynchronous and only guarantees the callback will be
+        // invoked if the initial call returns success. There's no documented timeout mechanism,
+        // so we add a timeout to prevent indefinite hanging if the callback is never called.
+        // Use an absolute deadline to handle spurious wakeups correctly.
+        auto timeout = std::chrono::seconds(30);
+        auto deadline = std::chrono::steady_clock::now() + timeout;
+
+        while (!state_->resolved) {
+            if (state_.wait_until(cv, deadline) == std::cv_status::timeout) {
+                // Double-check the condition after timeout to avoid race
+                if (!state_->resolved) {
+                    throw AwsAuthError(
+                        "Timeout waiting for AWS credentials (%d seconds)",
+                        std::chrono::duration_cast<std::chrono::seconds>(timeout).count());
+                }
+                break;
+            }
+        }
+    }
+
+    auto state_ = state.lock();
+    if (!state_->result) {
+        throw AwsAuthError("Failed to resolve AWS credentials: error code %d", state_->resolvedErrorCode);
+    }
+
+    return *state_->result;
+}
+
+// Global credential provider cache using boost's concurrent map
+// Key: profile name (empty string for default profile)
+using CredentialProviderCache =
+    boost::concurrent_flat_map<std::string, std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider>>;
+
+static CredentialProviderCache credentialProviderCache;
+
+} // anonymous namespace
+
+AwsCredentials getAwsCredentials(const std::string & profile)
+{
+    // Get or create credential provider with caching
+    std::shared_ptr<Aws::Crt::Auth::ICredentialsProvider> provider;
+
+    // Try to find existing provider
+    credentialProviderCache.visit(profile, [&](const auto & pair) { provider = pair.second; });
+
+    if (!provider) {
+        // Create new provider if not found
+        debug(
+            "[pid=%d] creating new AWS credential provider for profile '%s'",
+            getpid(),
+            profile.empty() ? "(default)" : profile.c_str());
+
+        try {
+            initAwsCrt();
+
+            if (profile.empty()) {
+                Aws::Crt::Auth::CredentialsProviderChainDefaultConfig config;
+                config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+                provider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderChainDefault(config);
+            } else {
+                Aws::Crt::Auth::CredentialsProviderProfileConfig config;
+                config.Bootstrap = Aws::Crt::ApiHandle::GetOrCreateStaticDefaultClientBootstrap();
+                config.ProfileNameOverride = Aws::Crt::ByteCursorFromCString(profile.c_str());
+                provider = Aws::Crt::Auth::CredentialsProvider::CreateCredentialsProviderProfile(config);
+            }
+        } catch (Error & e) {
+            e.addTrace(
+                {},
+                "while creating AWS credentials provider for %s",
+                profile.empty() ? "default profile" : fmt("profile '%s'", profile));
+            throw;
+        }
+
+        if (!provider) {
+            throw AwsAuthError(
+                "Failed to create AWS credentials provider for %s",
+                profile.empty() ? "default profile" : fmt("profile '%s'", profile));
+        }
+
+        // Insert into cache (try_emplace is thread-safe and won't overwrite if another thread added it)
+        credentialProviderCache.try_emplace(profile, provider);
+    }
+
+    return getCredentialsFromProvider(provider);
+}
+
+void invalidateAwsCredentials(const std::string & profile)
+{
+    credentialProviderCache.erase(profile);
+}
+
+void clearAwsCredentialsCache()
+{
+    credentialProviderCache.clear();
+}
+
+std::optional<AwsCredentials> preResolveAwsCredentials(const std::string & url)
+{
+    try {
+        auto parsedUrl = parseURL(url);
+        if (parsedUrl.scheme != "s3") {
+            return std::nullopt;
+        }
+
+        auto s3Url = ParsedS3URL::parse(parsedUrl);
+        std::string profile = s3Url.profile.value_or("");
+
+        // Get credentials (automatically cached)
+        return getAwsCredentials(profile);
+    } catch (const AwsAuthError & e) {
+        debug("Failed to pre-resolve AWS credentials: %s", e.what());
+        return std::nullopt;
+    } catch (const std::exception & e) {
+        debug("Failed to pre-resolve AWS credentials: %s", e.what());
+        return std::nullopt;
+    }
+}
+
+} // namespace nix
+
+#endif