From 517db69ebd061cf9f3260fed9f993bb4370526ea Mon Sep 17 00:00:00 2001
From: Jan Rochel
Date: Thu, 4 Mar 2021 11:13:58 +0100
Subject: [PATCH] support for authentification using temporary session tokens
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Note that depending on which service one uses, the token needs to be added either before or after signing.
https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
« When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service. »
---
 async/runtime.ml | 4 ++++
 async/runtime.mli | 2 ++
 lib/aws.ml | 12 +++++++++++-
 lib/aws.mli | 2 ++
 libraries/s3/lib_test/test_async.ml | 3 ++-
 libraries/s3/lib_test/test_lwt.ml | 3 ++-
 lwt/runtime.ml | 4 ++++
 lwt/runtime.mli | 2 ++
 8 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/async/runtime.ml b/async/runtime.ml
index 6d30c6d39..24a21cb2d 100644
--- a/async/runtime.ml
+++ b/async/runtime.ml
@@ -44,6 +44,8 @@ let run_request
 ~region
 ~access_key
 ~secret_key
+ ?session_token_signed
+ ?session_token_unsigned
 (module M : Aws.Call
 with type input = input
 and type output = output
@@ -53,6 +55,8 @@ let run_request
 Aws.Signing.sign_request
 ~access_key
 ~secret_key
+ ?session_token_signed
+ ?session_token_unsigned
 ~service:M.service
 ~region
 (M.to_http M.service region inp)
diff --git a/async/runtime.mli b/async/runtime.mli
index 579d4c9dc..46c88892b 100644
--- a/async/runtime.mli
+++ b/async/runtime.mli
@@ -35,6 +35,8 @@ val run_request :
 region:string
 -> access_key:string
 -> secret_key:string
+ -> ?session_token_signed:string
+ -> ?session_token_unsigned:string
 -> ('input, 'output, 'error) Aws.call
 -> 'input
 -> [ `Ok of 'output | `Error of 'error Aws.Error.t ] Async.Deferred.t
diff --git a/lib/aws.ml b/lib/aws.ml
index 8c9790c9f..a8371287a 100644
--- a/lib/aws.ml
+++ b/lib/aws.ml
@@ -501,7 +501,9 @@ module Signing = struct
 (* NOTE(dbp 2015-01-13): This is a direct translation of reference implementation at:
 * http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
 *)
- let sign_request ~access_key ~secret_key ~service ~region (meth, uri, headers) =
+ let sign_request ~access_key ~secret_key
+ ?session_token_signed ?session_token_unsigned
+ ~service ~region (meth, uri, headers) =
 let host = Util.of_option_exn (Endpoints.endpoint_of service region) in
 let params = encode_query (Uri.query uri) in
 let sign key msg = Hash.sha256 ~key msg in
@@ -519,6 +521,10 @@ module Signing = struct
 ; "x-amz-content-sha256", payload_hash
 ; "x-amz-date", amzdate
 ]
+ @
+ match session_token_signed with
+ | None -> []
+ | Some token -> ["x-amz-security-token", token]
 in
 let signed_headers = String.concat ";" (List.map fst canonical_headers) in
 let canonical_headers_str =
@@ -575,6 +581,10 @@ module Signing = struct
 :: ("x-amz-content-sha256", payload_hash)
 :: ("Authorization", authorization_header)
 :: headers
+ @
+ match session_token_unsigned with
+ | None -> headers
+ | Some token -> headers @ ["x-amz-security-token", token]
 in
 meth, uri, headers
 end
diff --git a/lib/aws.mli b/lib/aws.mli
index 22f7153e8..9a2462935 100644
--- a/lib/aws.mli
+++ b/lib/aws.mli
@@ -281,6 +281,8 @@ module Signing : sig
 val sign_request :
 access_key:string
 -> secret_key:string
+ -> ?session_token_signed:string
+ -> ?session_token_unsigned:string
 -> service:string
 -> region:string
 -> Request.t
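Review bot: The two new optional parameters of `run_request` are undocumented, and the one fact a caller needs to pick between them — whether the service expects the session token inside the signed canonical request or appended after signing — lives only in the commit message. The same gap is in `sign_request` in lib/aws.mli and `run_request` in lwt/runtime.mli. Suggest a doc comment on each, along the lines of `(** [?session_token_signed] adds [x-amz-security-token] to the signed (canonical) request; [?session_token_unsigned] appends it after the signature is computed. Which one a service expects is documented per service; see https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html *)`. Since nothing stops a caller passing both, a single `?session_token:[ `Signed of string | `Unsigned of string ]` would make the choice explicit and exclusive; worth deciding before the signature is published.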
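Review bot: In the third hunk of lib/aws.ml the `None -> headers` and `Some token -> headers @ [...]` arms duplicate the caller's headers: `::` and `@` are right-associative at the same precedence, so `:: headers @ match ...` parses as `headers @ (match ...)`, and the match then returns `headers` a second time. The arms should mirror the canonical-headers hunk: `| None -> []` and `| Some token -> ["x-amz-security-token", token]`. Separately, when `?session_token_signed` is given the token is added to `canonical_headers` (and so to `SignedHeaders`) but, as far as these hunks show, never to the outgoing header list, so the service cannot recompute the signature it is asked to verify; the emitted list should carry `x-amz-security-token` in the signed case as well, unless a caller is expected to add it. The enclosing `let headers = ... in` starts above the hunk.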
diff --git a/libraries/s3/lib_test/test_async.ml b/libraries/s3/lib_test/test_async.ml
index 5445b7c0e..3f6a73a63 100644
--- a/libraries/s3/lib_test/test_async.ml
+++ b/libraries/s3/lib_test/test_async.ml
@@ -7,7 +7,8 @@ module T = TestSuite (struct
 let secret_key = Unix.getenv "AWS_SECRET_KEY"
- let run_request = Aws_async.Runtime.run_request ~access_key ~secret_key
+ let run_request ~region call input =
+ Aws_async.Runtime.run_request ~region ~access_key ~secret_key call input
 let un_m v = Async.Thread_safe.block_on_async_exn (fun () -> v)
 end)
diff --git a/libraries/s3/lib_test/test_lwt.ml b/libraries/s3/lib_test/test_lwt.ml
index 1ea21bc02..6b388cb59 100644
--- a/libraries/s3/lib_test/test_lwt.ml
+++ b/libraries/s3/lib_test/test_lwt.ml
@@ -7,7 +7,8 @@ module T = TestSuite (struct
 let secret_key = Unix.getenv "AWS_SECRET_KEY"
- let run_request = Aws_lwt.Runtime.run_request ~access_key ~secret_key
+ let run_request ~region call input =
+ Aws_lwt.Runtime.run_request ~region ~access_key ~secret_key call input
 let un_m = Lwt_main.run
 end)
diff --git a/lwt/runtime.ml b/lwt/runtime.ml
index dc6bf4634..7b140b074 100644
--- a/lwt/runtime.ml
+++ b/lwt/runtime.ml
@@ -38,6 +38,8 @@ let run_request
 ~region
 ~access_key
 ~secret_key
+ ?session_token_signed
+ ?session_token_unsigned
 (module M : Aws.Call
 with type input = input
 and type output = output
@@ -47,6 +49,8 @@ let run_request
 Aws.Signing.sign_request
 ~access_key
 ~secret_key
+ ?session_token_signed
+ ?session_token_unsigned
 ~service:M.service
 ~region
 (M.to_http M.service region inp)
diff --git a/lwt/runtime.mli b/lwt/runtime.mli
index e72eb344f..a287c588d 100644
--- a/lwt/runtime.mli
+++ b/lwt/runtime.mli
@@ -37,6 +37,8 @@ val run_request :
 region:string
 -> access_key:string
 -> secret_key:string
+ -> ?session_token_signed:string
+ -> ?session_token_unsigned:string
 -> ('input, 'output, 'error) Aws.call
 -> 'input
 -> [ `Ok of 'output | `Error of 'error Aws.Error.t ] Lwt.t