wezone
/
selling-partner-api-models
mirror of https://github.com/amzn/selling-partner-api-models.git
10
0
Fork 0
Code Issues Projects Releases Wiki Activity

Added basic IAM Role Implementation to C# Auth and Auth client with no STS Token reusability

This commit is contained in:
Alejandro Chavarria 2021-04-27 15:32:46 -06:00
parent 7c7d355dab
commit c8104bdd44
13 changed files with 230 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
clients/sellingpartner-api-aa-csharp/Config Normal file
View File

@ -0,0 +1,26 @@
package.SellingPartnerAPIAuthAndAuthCSharp = {
interfaces = (1.0);
# Use NoOpBuild. See https://w.amazon.com/index.php/BrazilBuildSystem/NoOpBuild
build-system = no-op;
build-tools = {
1.0 = {
NoOpBuild = 1.0;
};
};
# Use runtime-dependencies for when you want to bring in additional
# packages when deploying.
# Use dependencies instead if you intend for these dependencies to
# be exported to other packages that build against you.
dependencies = {
1.0 = {
};
};
runtime-dependencies = {
1.0 = {
};
};
};

10
clients/sellingpartner-api-aa-csharp/README.md
View File

@ -42,6 +42,8 @@ Note the IRestRequest reference is treated as **mutable** when signed.
Signs a request with [AWS Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)
using the provided AWS developer account credentials.
This implementation of the IAM Role-based Authentication, will work only as long as the initial STS Token is valid (typically for 3600 seconds) and until an instance is able to refresh the STS Token on its own, otherwise, the Token needs to be reinitialized via the AWSSigV4Signer.
*Example*
```
using RestSharp;
@ -58,7 +60,13 @@ AWSAuthenticationCredentials awsAuthenticationCredentials = new AWSAuthenticatio
Region = "..."
};
restRequest = new AWSSigV4Signer(awsAuthenticationCredentials)
AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider = new AWSAuthenticationCredentialsProvider
{
RoleArn = "...",
RoleSessionName = "..."
};
restRequest = new AWSSigV4Signer(awsAuthenticationCredentials, awsAuthenticationCredentialsProvider)
.Sign(restRequest, restClient.BaseUrl.Host);
```
Note the IRestRequest reference is treated as **mutable** when signed.

46
clients/sellingpartner-api-aa-csharp/SellingPartnerAPIAuthAndAuthCSharp.sln
View File

@ -1,23 +1,23 @@
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Amazon.SellingPartnerAPIAA", "src\Amazon.SellingPartnerAPIAA\Amazon.SellingPartnerAPIAA.csproj", "{64339397-3AAB-49D3-8B50-7A467B16D545}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Amazon.SellingPartnerAPIAATests", "test\Amazon.SellingPartnerAPIAATests\Amazon.SellingPartnerAPIAATests.csproj", "{12B130EB-1087-4F88-BDFA-3088868C0A46}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{64339397-3AAB-49D3-8B50-7A467B16D545}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{64339397-3AAB-49D3-8B50-7A467B16D545}.Debug|Any CPU.Build.0 = Debug|Any CPU
{64339397-3AAB-49D3-8B50-7A467B16D545}.Release|Any CPU.ActiveCfg = Release|Any CPU
{64339397-3AAB-49D3-8B50-7A467B16D545}.Release|Any CPU.Build.0 = Release|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Debug|Any CPU.Build.0 = Debug|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Release|Any CPU.ActiveCfg = Release|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
EndGlobal
Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Amazon.SellingPartnerAPIAA", "src\Amazon.SellingPartnerAPIAA\Amazon.SellingPartnerAPIAA.csproj", "{64339397-3AAB-49D3-8B50-7A467B16D545}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Amazon.SellingPartnerAPIAATests", "test\Amazon.SellingPartnerAPIAATests\Amazon.SellingPartnerAPIAATests.csproj", "{12B130EB-1087-4F88-BDFA-3088868C0A46}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{64339397-3AAB-49D3-8B50-7A467B16D545}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{64339397-3AAB-49D3-8B50-7A467B16D545}.Debug|Any CPU.Build.0 = Debug|Any CPU
{64339397-3AAB-49D3-8B50-7A467B16D545}.Release|Any CPU.ActiveCfg = Release|Any CPU
{64339397-3AAB-49D3-8B50-7A467B16D545}.Release|Any CPU.Build.0 = Release|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Debug|Any CPU.Build.0 = Debug|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Release|Any CPU.ActiveCfg = Release|Any CPU
{12B130EB-1087-4F88-BDFA-3088868C0A46}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
EndGlobal

22
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/AWSAuthenticationCredentialsProvider.cs Normal file
View File

@ -0,0 +1,22 @@
using System;
using System.Collections.Generic;
using System.Text;
namespace Amazon.SellingPartnerAPIAA
{
/**
* AWSAuthenticationCredentialsProvider
*/
public class AWSAuthenticationCredentialsProvider
{
/**
* AWS IAM Role ARN
*/
public String RoleArn { get; set; }
/**
* AWS IAM Role Session Name
*/
public String RoleSessionName { get; set; }
}
}

78
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/AWSSigV4Signer.cs
View File

@ -1,7 +1,11 @@
using System;
using System.Text;
using RestSharp;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using System.Threading;
namespace Amazon.SellingPartnerAPIAA
{
public class AWSSigV4Signer
@ -9,6 +13,9 @@ namespace Amazon.SellingPartnerAPIAA
{
public virtual AWSSignerHelper AwsSignerHelper { get; set; }
private AWSAuthenticationCredentials awsCredentials;
private AssumeRoleResponse assumeRole;
public const string SecurityTokenHeaderName = "X-Amz-Security-Token";
/// <summary>
/// Constructor for AWSSigV4Signer
@ -17,6 +24,29 @@ namespace Amazon.SellingPartnerAPIAA
public AWSSigV4Signer(AWSAuthenticationCredentials awsAuthenticationCredentials)
{
awsCredentials = awsAuthenticationCredentials;
AwsSignerHelper = new AWSSignerHelper();
}
/// <summary>
/// Overloaded Constructor for AWSSigV4Signer using IAM Role
/// </summary>
/// <param name="awsAuthenticationCredentials">AWS Developer Account Credentials</param>
/// <param name="awsAuthenticationCredentialsProvider">AWS IAM Role and Session Name container</param>
public AWSSigV4Signer(AWSAuthenticationCredentials awsAuthenticationCredentials,
AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider)
{
awsCredentials = awsAuthenticationCredentials;
BasicAWSCredentials basicAWSCredentials = new BasicAWSCredentials(
awsAuthenticationCredentials.AccessKeyId, awsAuthenticationCredentials.SecretKey);
AmazonSecurityTokenServiceClient sts = new AmazonSecurityTokenServiceClient(basicAWSCredentials);
CancellationTokenSource source = new CancellationTokenSource();
CancellationToken cancellationToken = source.Token;
assumeRole = sts.AssumeRoleAsync(new AssumeRoleRequest{
RoleArn = awsAuthenticationCredentialsProvider.RoleArn,
RoleSessionName = awsAuthenticationCredentialsProvider.RoleSessionName
}).Result;
AwsSignerHelper = new AWSSignerHelper();
}
@ -28,7 +58,8 @@ namespace Amazon.SellingPartnerAPIAA
/// <returns>RestRequest with AWS Signature</returns>
public IRestRequest Sign(IRestRequest request, string host)
{
DateTime signingDate = AwsSignerHelper.InitializeHeaders(request, host);
DateTime signingDate = AwsSignerHelper.SetDateAndHostHeaders(request, host);
string signedHeaders = AwsSignerHelper.ExtractSignedHeaders(request);
string hashedCanonicalRequest = CreateCanonicalRequest(request, signedHeaders);
@ -37,19 +68,44 @@ namespace Amazon.SellingPartnerAPIAA
hashedCanonicalRequest,
awsCredentials.Region);
string signature = AwsSignerHelper.CalculateSignature(stringToSign,
if (assumeRole != null)
{
Credentials credentials = assumeRole.Credentials;
AwsSignerHelper.SetSessionTokenHeader(request, credentials.SessionToken);
string signature = AwsSignerHelper.CalculateSignature(stringToSign,
signingDate,
awsCredentials.SecretKey,
awsCredentials.Region);
AwsSignerHelper.AddSignature(request,
awsCredentials.AccessKeyId,
credentials.SecretAccessKey,
awsCredentials.Region);
AwsSignerHelper.AddSignature(request,
credentials.AccessKeyId,
signedHeaders,
signature,
awsCredentials.Region,
signingDate);
return request;
signingDate);
return request;
}
else
{
string signature = AwsSignerHelper.CalculateSignature(stringToSign,
signingDate,
awsCredentials.SecretKey,
awsCredentials.Region);
AwsSignerHelper.AddSignature(request,
awsCredentials.AccessKeyId,
signedHeaders,
signature,
awsCredentials.Region,
signingDate);
return request;
}
}
private string CreateCanonicalRequest(IRestRequest restRequest, string signedHeaders)

30
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/AWSSignerHelper.cs
View File

@ -5,7 +5,8 @@ using System.Text;
using RestSharp;
using System.Text.RegularExpressions;
using System.Globalization;
using Amazon.SecurityToken.Model;
namespace Amazon.SellingPartnerAPIAA
{
public class AWSSignerHelper
@ -19,6 +20,7 @@ namespace Amazon.SellingPartnerAPIAA
public const string SignatureSubHeaderName = "Signature";
public const string SignedHeadersSubHeaderName = "SignedHeaders";
public const string HostHeaderName = "host";
public const string SecurityTokenHeaderName = "X-Amz-Security-Token";
public const string Scheme = "AWS4";
public const string Algorithm = "HMAC-SHA256";
@ -168,27 +170,41 @@ namespace Amazon.SellingPartnerAPIAA
}
/// <summary>
/// Sets AWS4 mandated 'x-amz-date' header, returning the date/time that will
/// Sets AWS4 mandated 'x-amz-date' and 'host' headers, returning the date/time that will
/// be used throughout the signing process.
/// </summary>
/// <param name="restRequest">RestRequest</param>
/// <param name="host">Request endpoint</param>
/// <returns>Date and time used for x-amz-date, in UTC</returns>
public virtual DateTime InitializeHeaders(IRestRequest restRequest, string host)
public virtual DateTime SetDateAndHostHeaders(IRestRequest restRequest, string host)
{
restRequest.Parameters.RemoveAll(parameter => ParameterType.HttpHeader.Equals(parameter.Type)
&& parameter.Name == XAmzDateHeaderName);
restRequest.Parameters.RemoveAll(parameter => ParameterType.HttpHeader.Equals(parameter.Type)
&& parameter.Name == HostHeaderName);
&& parameter.Name == HostHeaderName);
DateTime signingDate = DateHelper.GetUtcNow();
restRequest.AddHeader(XAmzDateHeaderName, signingDate.ToString(ISO8601BasicDateTimeFormat, CultureInfo.InvariantCulture));
restRequest.AddHeader(HostHeaderName, host);
restRequest.AddHeader(HostHeaderName, host);
return signingDate;
}
/// <summary>
/// Sets AWS4 'X-Amz-Security-Token' header, used to pass the STS Token to
/// be used throughout the signing process.
/// </summary>
/// <param name="restRequest">RestRequest</param>
/// <param name="sessionToken">STS Session Token</param>
public void SetSessionTokenHeader(IRestRequest restRequest, String sessionToken)
{
restRequest.Parameters.RemoveAll(parameter => ParameterType.HttpHeader.Equals(parameter.Type)
&& parameter.Name == SecurityTokenHeaderName);
restRequest.AddHeader(SecurityTokenHeaderName, sessionToken);
}
/// <summary>
/// Calculates AWS4 signature for the string, prepared for signing
/// </summary>

2
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/LWAAccessTokenRequestMeta.cs
View File

@ -1,4 +1,4 @@
using System.Collections.Generic;
using System.Collections.Generic;
using Newtonsoft.Json;
namespace Amazon.SellingPartnerAPIAA

9
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/resources/swagger-codegen/templates/ApiClient.mustache
View File

@ -70,7 +70,14 @@ namespace {{packageName}}.Client
{{/netStandard}}
lwaAuthorizationSigner = new LWAAuthorizationSigner(Configuration.AuthorizationCredentials);
awsSigV4Signer = new AWSSigV4Signer(Configuration.AuthenticationCredentials);
if (Configuration.AuthenticationCredentialsProvider!=null)
{
awsSigV4Signer = new AWSSigV4Signer(configuration.AuthenticationCredentials, Configuration.AuthenticationCredentialsProvider);
}
else
{
awsSigV4Signer = new AWSSigV4Signer(Configuration.AuthenticationCredentials);
}
}
/// <summary>

6
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/resources/swagger-codegen/templates/Configuration.mustache
View File

@ -275,6 +275,12 @@ namespace {{packageName}}.Client
/// <value>The AWSAuthenticationCredentials</value>
public virtual AWSAuthenticationCredentials AuthenticationCredentials { get; set; }
/// <summary>
/// Gets or sets the AWSAuthenticationCredentialsProvider for Amazon Selling Partner API Authentication
/// </summary>
/// <value>The AWSAuthenticationCredentialsProvider</value>
public virtual AWSAuthenticationCredentialsProvider AuthenticationCredentialsProvider { get; set; }
/// <summary>
/// Gets the API key with prefix.
/// </summary>

6
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/resources/swagger-codegen/templates/IReadableConfiguration.mustache
View File

@ -94,5 +94,11 @@ namespace {{packageName}}.Client
/// </summary>
/// <value>AuthenticationCredentials</value>
AWSAuthenticationCredentials AuthenticationCredentials { get; }
/// <summary>
/// Gets the AWSAuthenticationCredentialsProvider for Amazon Selling Partner API Authentication
/// </summary>
/// <value>AWSAuthenticationCredentialsProvider</value>
AWSAuthenticationCredentialsProvider AuthenticationCredentialsProvider { get; }
}
}

11
clients/sellingpartner-api-aa-csharp/src/Amazon.SellingPartnerAPIAA/resources/swagger-codegen/templates/api.mustache
View File

@ -436,6 +436,7 @@ namespace {{packageName}}.{{apiPackage}}
{
private LWAAuthorizationCredentials lwaAuthorizationCredentials;
private AWSAuthenticationCredentials awsAuthenticationCredentials;
private AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider;
public Builder SetLWAAuthorizationCredentials(LWAAuthorizationCredentials lwaAuthorizationCredentials)
{
@ -449,6 +450,12 @@ namespace {{packageName}}.{{apiPackage}}
return this;
}
public Builder SetAWSAuthenticationCredentialsProvider(AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider)
{
this.awsAuthenticationCredentialsProvider = awsAuthenticationCredentialsProvider;
return this;
}
public {{classname}} Build()
{
if (lwaAuthorizationCredentials == null)
@ -463,6 +470,10 @@ namespace {{packageName}}.{{apiPackage}}
{{packageName}}.Client.Configuration configuration = new {{packageName}}.Client.Configuration()
{
if (awsAuthenticationCredentialsProvider != null)
{
AuthenticationCredentialsProvider = awsAuthenticationCredentialsProvider,
}
AuthorizationCredentials = lwaAuthorizationCredentials,
AuthenticationCredentials = awsAuthenticationCredentials
};

4
clients/sellingpartner-api-aa-csharp/test/Amazon.SellingPartnerAPIAATests/AWSSigV4SignerTest.cs
View File

@ -41,7 +41,7 @@ namespace Amazon.SellingPartnerAPIAATests
string expectedSignedHeaders = "testSignedHeaders";
string expectedSignature = "testSignature";
string expectedStringToSign = "testStringToSign";
mockAWSSignerHelper.Setup(signerHelper => signerHelper.InitializeHeaders(request, TestHost))
mockAWSSignerHelper.Setup(signerHelper => signerHelper.SetDateAndHostHeaders(request, TestHost))
.Returns(signingDate);
mockAWSSignerHelper.Setup(signerHelper => signerHelper.ExtractCanonicalURIParameters(request.Resource))
.Returns("testURIParameters");
@ -62,7 +62,7 @@ namespace Amazon.SellingPartnerAPIAATests
IRestRequest actualRestRequest = sigV4SignerUnderTest.Sign(request, TestHost);
mockAWSSignerHelper.Verify(signerHelper => signerHelper.InitializeHeaders(request, TestHost));
mockAWSSignerHelper.Verify(signerHelper => signerHelper.SetDateAndHostHeaders(request, TestHost));
mockAWSSignerHelper.Verify(signerHelper => signerHelper.ExtractCanonicalURIParameters(request.Resource));
mockAWSSignerHelper.Verify(signerHelper => signerHelper.ExtractCanonicalQueryString(request));
mockAWSSignerHelper.Verify(signerHelper => signerHelper.ExtractCanonicalHeaders(request));

33
clients/sellingpartner-api-aa-csharp/test/Amazon.SellingPartnerAPIAATests/AWSSignerHelperTest.cs
View File

@ -4,6 +4,9 @@ using RestSharp;
using Amazon.SellingPartnerAPIAA;
using System.Text;
using Moq;
using Amazon.SecurityToken.Model;
using Amazon.Runtime;
using Amazon.SecurityToken;
namespace Amazon.SellingPartnerAPIAATests
{
@ -18,6 +21,7 @@ namespace Amazon.SellingPartnerAPIAATests
private const string TestResourcePath = "iam/user";
private const string TestHost = "sellingpartnerapi.amazon.com";
private const string JsonMediaType = "application/json; charset=utf-8";
private const string TestSessionToken = "sToken";
private static readonly DateTime SigningDate = DateTime.Parse("2020-05-04 12:12:12");
@ -156,8 +160,8 @@ namespace Amazon.SellingPartnerAPIAATests
{
string expectedCanonicalHash = "foo";
StringBuilder expectedStringBuilder = new StringBuilder();
expectedStringBuilder.AppendLine("AWS4-HMAC-SHA256");
expectedStringBuilder.AppendLine(ISOSigningDateTime);
expectedStringBuilder.Append("AWS4-HMAC-SHA256" + "\n");
expectedStringBuilder.Append(ISOSigningDateTime + "\n");
expectedStringBuilder.AppendFormat("{0}/{1}/execute-api/aws4_request\n", ISOSigningDate, TestRegion);
expectedStringBuilder.Append(expectedCanonicalHash);
@ -169,14 +173,14 @@ namespace Amazon.SellingPartnerAPIAATests
[Fact]
public void TestInitializeHeadersReturnsUtcNow()
{
Assert.Equal(SigningDate, awsSignerHelperUnderTest.InitializeHeaders(new RestRequest(), TestHost));
Assert.Equal(SigningDate, awsSignerHelperUnderTest.SetDateAndHostHeaders(new RestRequest(), TestHost));
}
[Fact]
public void TestInitializeHeadersSetsUtcNowXAmzDateHeader()
{
IRestRequest request = new RestRequest();
awsSignerHelperUnderTest.InitializeHeaders(request, TestHost);
awsSignerHelperUnderTest.SetDateAndHostHeaders(request, TestHost);
Parameter actualParameter = request.Parameters.Find(parameter =>
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.XAmzDateHeaderName);
@ -190,7 +194,7 @@ namespace Amazon.SellingPartnerAPIAATests
IRestRequest request = new RestRequest();
request.AddHeader(AWSSignerHelper.XAmzDateHeaderName, "foobar");
awsSignerHelperUnderTest.InitializeHeaders(request, TestHost);
awsSignerHelperUnderTest.SetDateAndHostHeaders(request, TestHost);
Parameter actualParameter = request.Parameters.Find(parameter =>
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.XAmzDateHeaderName);
@ -243,7 +247,7 @@ namespace Amazon.SellingPartnerAPIAATests
{
IRestRequest restRequest = new RestRequest();
awsSignerHelperUnderTest.InitializeHeaders(restRequest, TestHost);
awsSignerHelperUnderTest.SetDateAndHostHeaders(restRequest, TestHost);
Parameter actualParamter = restRequest.Parameters.Find(parameter =>
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.HostHeaderName);
@ -258,12 +262,27 @@ namespace Amazon.SellingPartnerAPIAATests
restRequest.AddHeader(AWSSignerHelper.HostHeaderName, "foobar");
awsSignerHelperUnderTest.InitializeHeaders(restRequest, TestHost);
awsSignerHelperUnderTest.SetDateAndHostHeaders(restRequest, TestHost);
Parameter actualParamter = restRequest.Parameters.Find(parameter =>
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.HostHeaderName);
Assert.Equal(TestHost, actualParamter.Value);
}
[Fact]
public void TestSetSessionHeader()
{
IRestRequest restRequest = new RestRequest();
restRequest.AddHeader(AWSSignerHelper.SecurityTokenHeaderName, "testName");
awsSignerHelperUnderTest.SetSessionTokenHeader(restRequest, TestSessionToken);
Parameter actualParameter = restRequest.Parameters.Find(parameter =>
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.SecurityTokenHeaderName);
Assert.Equal(TestSessionToken, actualParameter.Value);
}
}
}