support for authentification using temporary session tokens

Note that depending on which service one uses, the token needs to be added either before or after signing. https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html « When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service. »
inhabitedtype · Mar 4, 2021 · 517db69 · 517db69
1 parent 30767d5
commit 517db69
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 3 deletions.
diff --git a/async/runtime.ml b/async/runtime.ml
@@ -44,6 +44,8 @@ let run_request
     ~region
     ~access_key
     ~secret_key
+    ?session_token_signed
+    ?session_token_unsigned
     (module M : Aws.Call
       with type input = input
        and type output = output
@@ -53,6 +55,8 @@ let run_request
     Aws.Signing.sign_request
       ~access_key
       ~secret_key
+      ?session_token_signed
+      ?session_token_unsigned
       ~service:M.service
       ~region
       (M.to_http M.service region inp)

diff --git a/async/runtime.mli b/async/runtime.mli
@@ -35,6 +35,8 @@ val run_request :
      region:string
   -> access_key:string
   -> secret_key:string
+  -> ?session_token_signed:string
+  -> ?session_token_unsigned:string
   -> ('input, 'output, 'error) Aws.call
   -> 'input
   -> [ `Ok of 'output | `Error of 'error Aws.Error.t ] Async.Deferred.t

diff --git a/lib/aws.ml b/lib/aws.ml
@@ -501,7 +501,9 @@ module Signing = struct
   (* NOTE(dbp 2015-01-13): This is a direct translation of reference implementation at:
    * http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
    *)
-  let sign_request ~access_key ~secret_key ~service ~region (meth, uri, headers) =
+  let sign_request ~access_key ~secret_key
+                   ?session_token_signed ?session_token_unsigned
+                   ~service ~region (meth, uri, headers) =
     let host = Util.of_option_exn (Endpoints.endpoint_of service region) in
     let params = encode_query (Uri.query uri) in
     let sign key msg = Hash.sha256 ~key msg in
@@ -519,6 +521,10 @@ module Signing = struct
       ; "x-amz-content-sha256", payload_hash
       ; "x-amz-date", amzdate
       ]
+      @
+      match session_token_signed with
+      | None -> []
+      | Some token -> ["x-amz-security-token", token]
     in
     let signed_headers = String.concat ";" (List.map fst canonical_headers) in
     let canonical_headers_str =
@@ -575,6 +581,10 @@ module Signing = struct
       :: ("x-amz-content-sha256", payload_hash)
       :: ("Authorization", authorization_header)
       :: headers
+      @
+      match session_token_unsigned with
+      | None -> headers
+      | Some token -> headers @ ["x-amz-security-token", token]
     in
     meth, uri, headers
 end
diff --git a/lib/aws.mli b/lib/aws.mli
@@ -281,6 +281,8 @@ module Signing : sig
   val sign_request :
        access_key:string
     -> secret_key:string
+    -> ?session_token_signed:string
+    -> ?session_token_unsigned:string
     -> service:string
     -> region:string
     -> Request.t

diff --git a/libraries/s3/lib_test/test_async.ml b/libraries/s3/lib_test/test_async.ml
@@ -7,7 +7,8 @@ module T = TestSuite (struct
 
   let secret_key = Unix.getenv "AWS_SECRET_KEY"
 
-  let run_request = Aws_async.Runtime.run_request ~access_key ~secret_key
+  let run_request ~region call input =
+    Aws_async.Runtime.run_request ~region ~access_key ~secret_key call input
 
   let un_m v = Async.Thread_safe.block_on_async_exn (fun () -> v)
 end)
diff --git a/libraries/s3/lib_test/test_lwt.ml b/libraries/s3/lib_test/test_lwt.ml
@@ -7,7 +7,8 @@ module T = TestSuite (struct
 
   let secret_key = Unix.getenv "AWS_SECRET_KEY"
 
-  let run_request = Aws_lwt.Runtime.run_request ~access_key ~secret_key
+  let run_request ~region call input =
+    Aws_lwt.Runtime.run_request ~region ~access_key ~secret_key call input
 
   let un_m = Lwt_main.run
 end)
diff --git a/lwt/runtime.ml b/lwt/runtime.ml
@@ -38,6 +38,8 @@ let run_request
     ~region
     ~access_key
     ~secret_key
+    ?session_token_signed
+    ?session_token_unsigned
     (module M : Aws.Call
       with type input = input
        and type output = output
@@ -47,6 +49,8 @@ let run_request
     Aws.Signing.sign_request
       ~access_key
       ~secret_key
+      ?session_token_signed
+      ?session_token_unsigned
       ~service:M.service
       ~region
       (M.to_http M.service region inp)

diff --git a/lwt/runtime.mli b/lwt/runtime.mli
@@ -37,6 +37,8 @@ val run_request :
      region:string
   -> access_key:string
   -> secret_key:string
+  -> ?session_token_signed:string
+  -> ?session_token_unsigned:string
   -> ('input, 'output, 'error) Aws.call
   -> 'input
   -> [ `Ok of 'output | `Error of 'error Aws.Error.t ] Lwt.t