================================================================================ Changed-lines coverage summary ================================================================================ Denominator: lines added/modified by this PR in C/C++ source files that LCOV considers coverable (excludes blank lines, braces, comments, header-only declarations, and error-path noise such as `LOGICAL_ERROR`, `UNREACHABLE()`, `abort()`). Numerator: of those coverable lines, the number actually executed by the test suite during this coverage run. PR changed C/C++ lines covered by tests: 93.00% (372/400) Uncovered changed code (with context): ================================================================================ src/Backups/BackupIO_S3.cpp ================================================================================ --- uncovered block 222-223 --- 220 | s3_uri.uri.toString(), context->getUserName(), ignore_user)) 221 | { >> 222 | s3_settings.updateIfChanged(*endpoint_settings); >> 223 | return; 224 | } 225 | ================================================================================ src/Backups/registerBackupEngineS3.cpp ================================================================================ --- uncovered block 97-97 --- 95 | 96 | if (collection->has("filename")) >> 97 | s3_uri = std::filesystem::path(s3_uri) / collection->get("filename"); 98 | 99 | if (args.size() > 1) --- uncovered block 123-123 --- 121 | 122 | if (!StorageS3Configuration::collectCredentials(params.backup_info.function_arg, auth_settings, params.context).found) >> 123 | throw Exception(ErrorCodes::BAD_ARGUMENTS, "Invalid argument: {}", params.backup_info.function_arg->formatForErrorMessage()); 124 | 125 | role_arn = std::move(auth_settings[S3AuthSetting::role_arn]); ================================================================================ src/Databases/DataLake/DatabaseDataLake.cpp ================================================================================ --- uncovered block 147-149 --- 145 | { 146 | if (settings[DatabaseDataLakeSetting::region].value.empty()) >> 147 | throw Exception( >> 148 | ErrorCodes::BAD_ARGUMENTS, "`region` setting cannot be empty for Glue Catalog. " >> 149 | "Please specify 'SETTINGS region=' in the CREATE DATABASE query"); 150 | 151 | /// `GlueCatalog` configures the AWS client with `use_environment_credentials = true`, so --- uncovered block 161-166 --- 159 | && !settings[DatabaseDataLakeSetting::aws_role_arn].value.empty() 160 | && (settings[DatabaseDataLakeSetting::aws_access_key_id].value.empty() >> 161 | || settings[DatabaseDataLakeSetting::aws_secret_access_key].value.empty())) 162 | { >> 163 | throw Exception( >> 164 | ErrorCodes::ACCESS_DENIED, >> 165 | "Using `aws_role_arn` without user-supplied `aws_access_key_id` and `aws_secret_access_key` " >> 166 | "in Glue catalog settings is not allowed"); 167 | } 168 | --- uncovered block 173-176 --- 171 | || settings[DatabaseDataLakeSetting::aws_secret_access_key].value.empty())) 172 | { >> 173 | throw Exception( >> 174 | ErrorCodes::ACCESS_DENIED, >> 175 | "Glue catalog requires user-supplied `aws_access_key_id` and `aws_secret_access_key` " >> 176 | "in settings. Falling back to server environment credentials is not allowed."); 177 | } 178 | } ================================================================================ src/IO/S3/Credentials.cpp ================================================================================ --- uncovered block 1294-1294 --- 1292 | if (!outcome.IsSuccess()) 1293 | { >> 1294 | LOG_WARNING(logger, "Failed to get credentials using AssumeRole. Error: {}", sanitizeS3ErrorMessage(outcome.GetError().GetMessage())); 1295 | return; 1296 | } ================================================================================ src/Storages/ObjectStorage/S3/Configuration.cpp ================================================================================ --- uncovered block 284-286 --- 282 | s3_settings->auth_settings[S3AuthSetting::no_sign_request] = collection.get("no_sign_request"); 283 | if (collection.has("expiration_window_seconds")) >> 284 | s3_settings->auth_settings[S3AuthSetting::expiration_window_seconds] = collection.get("expiration_window_seconds"); 285 | if (collection.has("session_token")) >> 286 | s3_settings->auth_settings[S3AuthSetting::session_token] = collection.get("session_token"); 287 | 288 | if (collection.has("partition_strategy")) --- uncovered block 314-314 --- 312 | throwRoleArnRequiresUserSuppliedKeys("S3 named collections"); 313 | if (collection.has("role_session_name")) >> 314 | s3_settings->auth_settings[S3AuthSetting::role_session_name] = collection.get("role_session_name"); 315 | 316 | if (collection.has("http_client")) --- uncovered block 323-323 --- 321 | s3_settings->auth_settings[S3AuthSetting::metadata_service] = collection.get("metadata_service"); 322 | if (collection.has("request_token_path")) >> 323 | s3_settings->auth_settings[S3AuthSetting::request_token_path] = collection.get("request_token_path"); 324 | 325 | format = collection.getOrDefault("format", format); --- uncovered block 369-369 --- 367 | const auto * credentials_ast_function = maybe_credentials->as(); 368 | if (!credentials_ast_function || credentials_ast_function->name != "extra_credentials") >> 369 | return result; 370 | 371 | result.found = true; --- uncovered block 399-408 --- 397 | auto arg_value = credential_args[1]->as()->value; 398 | if (arg_value.getType() != Field::Types::Which::String) >> 399 | throw Exception(ErrorCodes::BAD_ARGUMENTS, "Expected string as credential value"); 400 | else if (arg_name == "role_arn") 401 | { 402 | auth_settings_[S3AuthSetting::role_arn] = arg_value.safeGet(); 403 | result.role_arn_provided = !auth_settings_[S3AuthSetting::role_arn].value.empty(); 404 | } >> 405 | else if (arg_name == "role_session_name") >> 406 | auth_settings_[S3AuthSetting::role_session_name] = arg_value.safeGet(); 407 | else >> 408 | throw Exception(ErrorCodes::BAD_ARGUMENTS, "Invalid credential argument found: {}", arg_name); 409 | } 410 | --- uncovered block 1141-1142 --- 1139 | s3_settings->auth_settings[S3AuthSetting::http_client] = "gcp_oauth"; 1140 | s3_settings->auth_settings[S3AuthSetting::google_adc_client_id] = biglake_adc_client_id; >> 1141 | s3_settings->auth_settings[S3AuthSetting::google_adc_client_secret] = biglake_adc_client_secret; >> 1142 | s3_settings->auth_settings[S3AuthSetting::google_adc_refresh_token] = biglake_adc_refresh_token; 1143 | } 1144 | has_user_or_catalog_credentials = has_user_supplied_credentials || !biglake_adc_client_id.empty(); === Lost Baseline Coverage: 10 lines === ================================================================================ src/IO/S3/Credentials.cpp ================================================================================ --- lost coverage block 1072-1084 --- 1070 | else if (!absolute_uri.empty()) 1071 | { >> 1072 | auto token = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_AUTHORIZATION_TOKEN); >> 1073 | const auto token_path = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_AUTHORIZATION_TOKEN_FILE); 1074 | >> 1075 | AddProvider(std::make_shared( >> 1076 | relative_uri, >> 1077 | absolute_uri, >> 1078 | token, >> 1079 | token_path >> 1080 | )); 1081 | 1082 | /// DO NOT log the value of the authorization token for security purposes. >> 1083 | LOG_INFO(logger, "Added ECS credentials provider with URI: [{}] to the provider chain with a{} authorization token.", >> 1084 | absolute_uri, token.empty() ? "n empty" : " non-empty"); 1085 | } 1086 | else if (Aws::Utils::StringUtils::ToLower(ec2_metadata_disabled.c_str()) != "true") WARNING: Failed to get start time for [Print Uncovered Code] - start time and duration won't be set --- Coverage counts --- Lines : baseline 777,184/921,253 -> current 777,382/921,536 (delta +198 / +283) Functions : baseline 886,207/969,777 -> current 886,281/969,791 (delta +74 / +14) Branches : baseline 254,124/330,010 -> current 254,070/330,234 (delta -54 / +224)