Merge pull request #97 from patterninc/remove-aws-sts-signature

Remove AWS STS Signature

Author: natesalisbury

CHANGELOG.md

@@ -1,3 +1,7 @@
+# 2.4.13
+
+- Remove AWS STS Signature in requests [#97](https://github.com/patterninc/muffin_man/pull/97)
+
 # 2.4.12
 
 - [#95](https://github.com/patterninc/muffin_man/pull/95)

README.md

@@ -66,10 +66,7 @@ credentials = {
   refresh_token: LWA_REFRESH_TOKEN,
   client_id: CLIENT_ID,
   client_secret: CLIENT_SECRET,
-  aws_access_key_id: AWS_ACCESS_KEY_ID,
-  aws_secret_access_key: AWS_SECRET_ACCESS_KEY,
   region: REGION, # This can be one of ['na', 'eu', 'fe'] and defaults to 'na'
-  sts_iam_role_arn: STS_IAM_ROLE_ARN, # Optional
   access_token_cache_key: SELLING_PARTNER_ID, # Optional if you want access token caching
 }
 client = MuffinMan::Solicitations::V1.new(credentials)
@@ -115,9 +112,6 @@ To retrieve the refresh token from an LWA Website authorization workflow, you ca
 credentials = {
   client_id: CLIENT_ID,
   client_secret: CLIENT_SECRET,
-  aws_access_key_id: AWS_ACCESS_KEY_ID,
-  aws_secret_access_key: AWS_SECRET_ACCESS_KEY,
-  sts_iam_role_arn: STS_IAM_ROLE_ARN, # Optional
   scope: 'sellingpartnerapi::migration' # Grantless scope for MWS migration
 }
 client = MuffinMan::Authorization::V1.new(credentials)

lib/muffin_man/sp_api_client.rb

@@ -6,8 +6,7 @@
 
 module MuffinMan
   class SpApiClient
-    attr_reader :refresh_token, :client_id, :client_secret, :aws_access_key_id,
-                :aws_secret_access_key, :sts_iam_role_arn, :sandbox, :config,
+    attr_reader :refresh_token, :client_id, :client_secret, :sandbox, :config,
                 :region, :request_type, :local_var_path, :query_params,
                 :request_body, :scope, :access_token_cache_key, :credentials,
                 :pii_data_elements
@@ -26,9 +25,6 @@ def initialize(credentials, sandbox = false)
       @refresh_token = credentials[:refresh_token]
       @client_id = credentials[:client_id]
       @client_secret = credentials[:client_secret]
-      @aws_access_key_id = credentials[:aws_access_key_id]
-      @aws_secret_access_key = credentials[:aws_secret_access_key]
-      @sts_iam_role_arn = credentials[:sts_iam_role_arn]
       @region = credentials[:region] || "na"
       @scope = credentials[:scope]
       @access_token_cache_key = credentials[:access_token_cache_key]
@@ -135,43 +131,17 @@ def request_grantless_access_token
       JSON.parse(response.body)
     end
 
-    def request_sts_token
-      client = Aws::STS::Client.new(
-        region: derive_aws_region,
-        credentials: Aws::Credentials.new(aws_access_key_id, aws_secret_access_key),
-        http_wire_trace: ENV.fetch("AWS_DEBUG", nil) == "true" || false
-      )
-      client.assume_role(role_arn: sts_iam_role_arn, role_session_name: SecureRandom.uuid)
-    end
-
-    def signed_request
-      request_config = {
-        service: SERVICE_NAME,
-        region: derive_aws_region,
-        endpoint: sp_api_host
-      }
-      if sts_iam_role_arn.nil?
-        request_config[:access_key_id] = aws_access_key_id
-        request_config[:secret_access_key] = aws_secret_access_key
-      else
-        request_config[:credentials_provider] = request_sts_token
-      end
-      signer = Aws::Sigv4::Signer.new(request_config)
-      signer.sign_request(http_method: request_type, url: request.url, body: request_body&.to_json)
-    end
-
     def headers
       if requires_rdt_token_for_pii?
         access_token = retrieve_rdt_access_token || retrieve_lwa_access_token
       else
         access_token = scope ? retrieve_grantless_access_token : retrieve_lwa_access_token
       end
-      headers = {
+      {
         "x-amz-access-token" => access_token,
         "user-agent" => "MuffinMan/#{VERSION} (Language=Ruby)",
         "content-type" => "application/json"
       }
-      signed_request.headers.merge(headers)
     end
 
     def requires_rdt_token_for_pii?

spec/muffin_man/sp_api_client_spec.rb

@@ -5,8 +5,6 @@
       refresh_token: "a-refresh-token",
       client_id: "a-client-id",
       client_secret: "a-client-secret",
-      aws_access_key_id: "an-aws-access-key-id",
-      aws_secret_access_key: "an-aws-secret-access-key",
       access_token_cache_key: "a-selling_partner_id"
     }
   end
@@ -20,8 +18,6 @@
     expect(client.refresh_token).not_to be_nil
     expect(client.client_id).not_to be_nil
     expect(client.client_secret).not_to be_nil
-    expect(client.aws_access_key_id).not_to be_nil
-    expect(client.aws_secret_access_key).not_to be_nil
   end
 
   it "sets the Typhoeus user agent to an empty string" do
@@ -52,8 +48,10 @@ def make_a_request(region = "na", query_params: {})
 
     it "gets an access token and signs the headers" do
       expect(Typhoeus).to receive(:get)
-        .with("https://#{hostname}/some_path", headers: hash_including("x-amz-access-token" => fake_lwa_access_token,
-                                                                       "authorization" => a_string_including("SignedHeaders=host;x-amz-content-sha256;x-amz-date")))
+        .with("https://#{hostname}/some_path",
+              hash_including(
+                headers: hash_including("x-amz-access-token" => fake_lwa_access_token)
+              ))
       client.make_a_request
     end
 
@@ -83,7 +81,10 @@ def make_a_request(region = "na", query_params: {})
           expect_any_instance_of(MockRedis).to receive(:set).with("SP-TOKEN-#{credentials[:access_token_cache_key]}",
                                                                   fake_lwa_access_token)
           expect(Typhoeus).to receive(:get)
-            .with("https://#{hostname}/some_path", headers: hash_including("x-amz-access-token" => fake_lwa_access_token))
+            .with("https://#{hostname}/some_path",
+                  hash_including(
+                    headers: hash_including("x-amz-access-token" => fake_lwa_access_token)
+                  ))
           client.make_a_request
         end
       end
@@ -97,26 +98,30 @@ def make_a_request(region = "na", query_params: {})
         it "uses the stored token" do
           expect_any_instance_of(MockRedis).to receive(:get).with("SP-TOKEN-#{credentials[:access_token_cache_key]}").and_return(another_fake_lwa_access_token)
           expect(Typhoeus).to receive(:get)
-            .with("https://#{hostname}/some_path", headers: hash_including("x-amz-access-token" => another_fake_lwa_access_token))
+            .with("https://#{hostname}/some_path",
+                  hash_including(
+                    headers: hash_including("x-amz-access-token" => another_fake_lwa_access_token)
+                  ))
           client.make_a_request
         end
       end
 
       context "when using the sandbox environment" do
         let(:sandbox) { true }
         it "correctly builds the canonical api hostname" do
-          expect(Typhoeus).to receive(:get).with("https://sandbox.#{hostname}/some_path", headers: hash_including({}))
+          expect(Typhoeus).to receive(:get).with("https://sandbox.#{hostname}/some_path",
+                                                 hash_including(headers: hash_including({})))
           client.make_a_request
         end
       end
 
       context "multiple requests with the same client instance" do
         it "uses correct query params for each new request" do
           expect(Typhoeus).to receive(:get).with("https://#{hostname}/some_path?flavor=blueberry",
-                                                 headers: hash_including({}))
+                                                 hash_including(headers: hash_including({})))
           client.make_a_request(query_params: { "flavor" => "blueberry" })
           expect(Typhoeus).to receive(:get).with("https://#{hostname}/some_path?flavor=chocolate",
-                                                 headers: hash_including({}))
+                                                 hash_including(headers: hash_including({})))
           client.make_a_request(query_params: { "flavor" => "chocolate" })
         end
       end

spec/support/sp_api_helpers.rb

@@ -523,9 +523,7 @@ def credentials
       {
         refresh_token: "a-refresh-token",
         client_id: "a-client-id",
-        client_secret: "a-client-secret",
-        aws_access_key_id: "an-aws-access-key-id",
-        aws_secret_access_key: "an-aws-secret-access-key"
+        client_secret: "a-client-secret"
       }
     end