Added basic IAM Role Implementation to C# Auth and Auth client with no STS Token reusability
This commit is contained in:
parent
7c7d355dab
commit
c8104bdd44
|
@ -0,0 +1,26 @@
|
|||
package.SellingPartnerAPIAuthAndAuthCSharp = {
|
||||
interfaces = (1.0);
|
||||
|
||||
# Use NoOpBuild. See https://w.amazon.com/index.php/BrazilBuildSystem/NoOpBuild
|
||||
build-system = no-op;
|
||||
build-tools = {
|
||||
1.0 = {
|
||||
NoOpBuild = 1.0;
|
||||
};
|
||||
};
|
||||
|
||||
# Use runtime-dependencies for when you want to bring in additional
|
||||
# packages when deploying.
|
||||
# Use dependencies instead if you intend for these dependencies to
|
||||
# be exported to other packages that build against you.
|
||||
dependencies = {
|
||||
1.0 = {
|
||||
};
|
||||
};
|
||||
|
||||
runtime-dependencies = {
|
||||
1.0 = {
|
||||
};
|
||||
};
|
||||
|
||||
};
|
|
@ -42,6 +42,8 @@ Note the IRestRequest reference is treated as **mutable** when signed.
|
|||
Signs a request with [AWS Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html)
|
||||
using the provided AWS developer account credentials.
|
||||
|
||||
This implementation of the IAM Role-based Authentication, will work only as long as the initial STS Token is valid (typically for 3600 seconds) and until an instance is able to refresh the STS Token on its own, otherwise, the Token needs to be reinitialized via the AWSSigV4Signer.
|
||||
|
||||
*Example*
|
||||
```
|
||||
using RestSharp;
|
||||
|
@ -58,7 +60,13 @@ AWSAuthenticationCredentials awsAuthenticationCredentials = new AWSAuthenticatio
|
|||
Region = "..."
|
||||
};
|
||||
|
||||
restRequest = new AWSSigV4Signer(awsAuthenticationCredentials)
|
||||
AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider = new AWSAuthenticationCredentialsProvider
|
||||
{
|
||||
RoleArn = "...",
|
||||
RoleSessionName = "..."
|
||||
};
|
||||
|
||||
restRequest = new AWSSigV4Signer(awsAuthenticationCredentials, awsAuthenticationCredentialsProvider)
|
||||
.Sign(restRequest, restClient.BaseUrl.Host);
|
||||
```
|
||||
Note the IRestRequest reference is treated as **mutable** when signed.
|
||||
|
|
|
@ -0,0 +1,22 @@
|
|||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Text;
|
||||
|
||||
namespace Amazon.SellingPartnerAPIAA
|
||||
{
|
||||
/**
|
||||
* AWSAuthenticationCredentialsProvider
|
||||
*/
|
||||
public class AWSAuthenticationCredentialsProvider
|
||||
{
|
||||
/**
|
||||
* AWS IAM Role ARN
|
||||
*/
|
||||
public String RoleArn { get; set; }
|
||||
|
||||
/**
|
||||
* AWS IAM Role Session Name
|
||||
*/
|
||||
public String RoleSessionName { get; set; }
|
||||
}
|
||||
}
|
|
@ -1,6 +1,10 @@
|
|||
using System;
|
||||
using System.Text;
|
||||
using RestSharp;
|
||||
using Amazon.Runtime;
|
||||
using Amazon.SecurityToken;
|
||||
using Amazon.SecurityToken.Model;
|
||||
using System.Threading;
|
||||
|
||||
namespace Amazon.SellingPartnerAPIAA
|
||||
{
|
||||
|
@ -9,6 +13,9 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
{
|
||||
public virtual AWSSignerHelper AwsSignerHelper { get; set; }
|
||||
private AWSAuthenticationCredentials awsCredentials;
|
||||
private AssumeRoleResponse assumeRole;
|
||||
public const string SecurityTokenHeaderName = "X-Amz-Security-Token";
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Constructor for AWSSigV4Signer
|
||||
|
@ -20,6 +27,29 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
AwsSignerHelper = new AWSSignerHelper();
|
||||
}
|
||||
|
||||
|
||||
/// <summary>
|
||||
/// Overloaded Constructor for AWSSigV4Signer using IAM Role
|
||||
/// </summary>
|
||||
/// <param name="awsAuthenticationCredentials">AWS Developer Account Credentials</param>
|
||||
/// <param name="awsAuthenticationCredentialsProvider">AWS IAM Role and Session Name container</param>
|
||||
public AWSSigV4Signer(AWSAuthenticationCredentials awsAuthenticationCredentials,
|
||||
AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider)
|
||||
{
|
||||
awsCredentials = awsAuthenticationCredentials;
|
||||
BasicAWSCredentials basicAWSCredentials = new BasicAWSCredentials(
|
||||
awsAuthenticationCredentials.AccessKeyId, awsAuthenticationCredentials.SecretKey);
|
||||
AmazonSecurityTokenServiceClient sts = new AmazonSecurityTokenServiceClient(basicAWSCredentials);
|
||||
CancellationTokenSource source = new CancellationTokenSource();
|
||||
CancellationToken cancellationToken = source.Token;
|
||||
assumeRole = sts.AssumeRoleAsync(new AssumeRoleRequest{
|
||||
RoleArn = awsAuthenticationCredentialsProvider.RoleArn,
|
||||
RoleSessionName = awsAuthenticationCredentialsProvider.RoleSessionName
|
||||
}).Result;
|
||||
|
||||
AwsSignerHelper = new AWSSignerHelper();
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Signs a Request with AWS Signature Version 4
|
||||
/// </summary>
|
||||
|
@ -28,7 +58,8 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
/// <returns>RestRequest with AWS Signature</returns>
|
||||
public IRestRequest Sign(IRestRequest request, string host)
|
||||
{
|
||||
DateTime signingDate = AwsSignerHelper.InitializeHeaders(request, host);
|
||||
DateTime signingDate = AwsSignerHelper.SetDateAndHostHeaders(request, host);
|
||||
|
||||
string signedHeaders = AwsSignerHelper.ExtractSignedHeaders(request);
|
||||
|
||||
string hashedCanonicalRequest = CreateCanonicalRequest(request, signedHeaders);
|
||||
|
@ -37,6 +68,30 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
hashedCanonicalRequest,
|
||||
awsCredentials.Region);
|
||||
|
||||
if (assumeRole != null)
|
||||
{
|
||||
|
||||
Credentials credentials = assumeRole.Credentials;
|
||||
AwsSignerHelper.SetSessionTokenHeader(request, credentials.SessionToken);
|
||||
|
||||
string signature = AwsSignerHelper.CalculateSignature(stringToSign,
|
||||
signingDate,
|
||||
credentials.SecretAccessKey,
|
||||
awsCredentials.Region);
|
||||
AwsSignerHelper.AddSignature(request,
|
||||
credentials.AccessKeyId,
|
||||
signedHeaders,
|
||||
signature,
|
||||
awsCredentials.Region,
|
||||
signingDate);
|
||||
|
||||
return request;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
||||
|
||||
|
||||
string signature = AwsSignerHelper.CalculateSignature(stringToSign,
|
||||
signingDate,
|
||||
awsCredentials.SecretKey,
|
||||
|
@ -51,6 +106,7 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
|
||||
return request;
|
||||
}
|
||||
}
|
||||
|
||||
private string CreateCanonicalRequest(IRestRequest restRequest, string signedHeaders)
|
||||
{
|
||||
|
|
|
@ -5,6 +5,7 @@ using System.Text;
|
|||
using RestSharp;
|
||||
using System.Text.RegularExpressions;
|
||||
using System.Globalization;
|
||||
using Amazon.SecurityToken.Model;
|
||||
|
||||
namespace Amazon.SellingPartnerAPIAA
|
||||
{
|
||||
|
@ -19,6 +20,7 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
public const string SignatureSubHeaderName = "Signature";
|
||||
public const string SignedHeadersSubHeaderName = "SignedHeaders";
|
||||
public const string HostHeaderName = "host";
|
||||
public const string SecurityTokenHeaderName = "X-Amz-Security-Token";
|
||||
|
||||
public const string Scheme = "AWS4";
|
||||
public const string Algorithm = "HMAC-SHA256";
|
||||
|
@ -168,13 +170,13 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
}
|
||||
|
||||
/// <summary>
|
||||
/// Sets AWS4 mandated 'x-amz-date' header, returning the date/time that will
|
||||
/// Sets AWS4 mandated 'x-amz-date' and 'host' headers, returning the date/time that will
|
||||
/// be used throughout the signing process.
|
||||
/// </summary>
|
||||
/// <param name="restRequest">RestRequest</param>
|
||||
/// <param name="host">Request endpoint</param>
|
||||
/// <returns>Date and time used for x-amz-date, in UTC</returns>
|
||||
public virtual DateTime InitializeHeaders(IRestRequest restRequest, string host)
|
||||
public virtual DateTime SetDateAndHostHeaders(IRestRequest restRequest, string host)
|
||||
{
|
||||
restRequest.Parameters.RemoveAll(parameter => ParameterType.HttpHeader.Equals(parameter.Type)
|
||||
&& parameter.Name == XAmzDateHeaderName);
|
||||
|
@ -189,6 +191,20 @@ namespace Amazon.SellingPartnerAPIAA
|
|||
return signingDate;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Sets AWS4 'X-Amz-Security-Token' header, used to pass the STS Token to
|
||||
/// be used throughout the signing process.
|
||||
/// </summary>
|
||||
/// <param name="restRequest">RestRequest</param>
|
||||
/// <param name="sessionToken">STS Session Token</param>
|
||||
public void SetSessionTokenHeader(IRestRequest restRequest, String sessionToken)
|
||||
{
|
||||
restRequest.Parameters.RemoveAll(parameter => ParameterType.HttpHeader.Equals(parameter.Type)
|
||||
&& parameter.Name == SecurityTokenHeaderName);
|
||||
|
||||
restRequest.AddHeader(SecurityTokenHeaderName, sessionToken);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Calculates AWS4 signature for the string, prepared for signing
|
||||
/// </summary>
|
||||
|
|
|
@ -70,8 +70,15 @@ namespace {{packageName}}.Client
|
|||
{{/netStandard}}
|
||||
|
||||
lwaAuthorizationSigner = new LWAAuthorizationSigner(Configuration.AuthorizationCredentials);
|
||||
if (Configuration.AuthenticationCredentialsProvider!=null)
|
||||
{
|
||||
awsSigV4Signer = new AWSSigV4Signer(configuration.AuthenticationCredentials, Configuration.AuthenticationCredentialsProvider);
|
||||
}
|
||||
else
|
||||
{
|
||||
awsSigV4Signer = new AWSSigV4Signer(Configuration.AuthenticationCredentials);
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Gets or sets the default API client for making HTTP calls.
|
||||
|
|
|
@ -275,6 +275,12 @@ namespace {{packageName}}.Client
|
|||
/// <value>The AWSAuthenticationCredentials</value>
|
||||
public virtual AWSAuthenticationCredentials AuthenticationCredentials { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Gets or sets the AWSAuthenticationCredentialsProvider for Amazon Selling Partner API Authentication
|
||||
/// </summary>
|
||||
/// <value>The AWSAuthenticationCredentialsProvider</value>
|
||||
public virtual AWSAuthenticationCredentialsProvider AuthenticationCredentialsProvider { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Gets the API key with prefix.
|
||||
/// </summary>
|
||||
|
|
|
@ -94,5 +94,11 @@ namespace {{packageName}}.Client
|
|||
/// </summary>
|
||||
/// <value>AuthenticationCredentials</value>
|
||||
AWSAuthenticationCredentials AuthenticationCredentials { get; }
|
||||
|
||||
/// <summary>
|
||||
/// Gets the AWSAuthenticationCredentialsProvider for Amazon Selling Partner API Authentication
|
||||
/// </summary>
|
||||
/// <value>AWSAuthenticationCredentialsProvider</value>
|
||||
AWSAuthenticationCredentialsProvider AuthenticationCredentialsProvider { get; }
|
||||
}
|
||||
}
|
||||
|
|
|
@ -436,6 +436,7 @@ namespace {{packageName}}.{{apiPackage}}
|
|||
{
|
||||
private LWAAuthorizationCredentials lwaAuthorizationCredentials;
|
||||
private AWSAuthenticationCredentials awsAuthenticationCredentials;
|
||||
private AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider;
|
||||
|
||||
public Builder SetLWAAuthorizationCredentials(LWAAuthorizationCredentials lwaAuthorizationCredentials)
|
||||
{
|
||||
|
@ -449,6 +450,12 @@ namespace {{packageName}}.{{apiPackage}}
|
|||
return this;
|
||||
}
|
||||
|
||||
public Builder SetAWSAuthenticationCredentialsProvider(AWSAuthenticationCredentialsProvider awsAuthenticationCredentialsProvider)
|
||||
{
|
||||
this.awsAuthenticationCredentialsProvider = awsAuthenticationCredentialsProvider;
|
||||
return this;
|
||||
}
|
||||
|
||||
public {{classname}} Build()
|
||||
{
|
||||
if (lwaAuthorizationCredentials == null)
|
||||
|
@ -463,6 +470,10 @@ namespace {{packageName}}.{{apiPackage}}
|
|||
|
||||
{{packageName}}.Client.Configuration configuration = new {{packageName}}.Client.Configuration()
|
||||
{
|
||||
if (awsAuthenticationCredentialsProvider != null)
|
||||
{
|
||||
AuthenticationCredentialsProvider = awsAuthenticationCredentialsProvider,
|
||||
}
|
||||
AuthorizationCredentials = lwaAuthorizationCredentials,
|
||||
AuthenticationCredentials = awsAuthenticationCredentials
|
||||
};
|
||||
|
|
|
@ -41,7 +41,7 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
string expectedSignedHeaders = "testSignedHeaders";
|
||||
string expectedSignature = "testSignature";
|
||||
string expectedStringToSign = "testStringToSign";
|
||||
mockAWSSignerHelper.Setup(signerHelper => signerHelper.InitializeHeaders(request, TestHost))
|
||||
mockAWSSignerHelper.Setup(signerHelper => signerHelper.SetDateAndHostHeaders(request, TestHost))
|
||||
.Returns(signingDate);
|
||||
mockAWSSignerHelper.Setup(signerHelper => signerHelper.ExtractCanonicalURIParameters(request.Resource))
|
||||
.Returns("testURIParameters");
|
||||
|
@ -62,7 +62,7 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
|
||||
IRestRequest actualRestRequest = sigV4SignerUnderTest.Sign(request, TestHost);
|
||||
|
||||
mockAWSSignerHelper.Verify(signerHelper => signerHelper.InitializeHeaders(request, TestHost));
|
||||
mockAWSSignerHelper.Verify(signerHelper => signerHelper.SetDateAndHostHeaders(request, TestHost));
|
||||
mockAWSSignerHelper.Verify(signerHelper => signerHelper.ExtractCanonicalURIParameters(request.Resource));
|
||||
mockAWSSignerHelper.Verify(signerHelper => signerHelper.ExtractCanonicalQueryString(request));
|
||||
mockAWSSignerHelper.Verify(signerHelper => signerHelper.ExtractCanonicalHeaders(request));
|
||||
|
|
|
@ -4,6 +4,9 @@ using RestSharp;
|
|||
using Amazon.SellingPartnerAPIAA;
|
||||
using System.Text;
|
||||
using Moq;
|
||||
using Amazon.SecurityToken.Model;
|
||||
using Amazon.Runtime;
|
||||
using Amazon.SecurityToken;
|
||||
|
||||
namespace Amazon.SellingPartnerAPIAATests
|
||||
{
|
||||
|
@ -18,6 +21,7 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
private const string TestResourcePath = "iam/user";
|
||||
private const string TestHost = "sellingpartnerapi.amazon.com";
|
||||
private const string JsonMediaType = "application/json; charset=utf-8";
|
||||
private const string TestSessionToken = "sToken";
|
||||
|
||||
private static readonly DateTime SigningDate = DateTime.Parse("2020-05-04 12:12:12");
|
||||
|
||||
|
@ -156,8 +160,8 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
{
|
||||
string expectedCanonicalHash = "foo";
|
||||
StringBuilder expectedStringBuilder = new StringBuilder();
|
||||
expectedStringBuilder.AppendLine("AWS4-HMAC-SHA256");
|
||||
expectedStringBuilder.AppendLine(ISOSigningDateTime);
|
||||
expectedStringBuilder.Append("AWS4-HMAC-SHA256" + "\n");
|
||||
expectedStringBuilder.Append(ISOSigningDateTime + "\n");
|
||||
expectedStringBuilder.AppendFormat("{0}/{1}/execute-api/aws4_request\n", ISOSigningDate, TestRegion);
|
||||
expectedStringBuilder.Append(expectedCanonicalHash);
|
||||
|
||||
|
@ -169,14 +173,14 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
[Fact]
|
||||
public void TestInitializeHeadersReturnsUtcNow()
|
||||
{
|
||||
Assert.Equal(SigningDate, awsSignerHelperUnderTest.InitializeHeaders(new RestRequest(), TestHost));
|
||||
Assert.Equal(SigningDate, awsSignerHelperUnderTest.SetDateAndHostHeaders(new RestRequest(), TestHost));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void TestInitializeHeadersSetsUtcNowXAmzDateHeader()
|
||||
{
|
||||
IRestRequest request = new RestRequest();
|
||||
awsSignerHelperUnderTest.InitializeHeaders(request, TestHost);
|
||||
awsSignerHelperUnderTest.SetDateAndHostHeaders(request, TestHost);
|
||||
|
||||
Parameter actualParameter = request.Parameters.Find(parameter =>
|
||||
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.XAmzDateHeaderName);
|
||||
|
@ -190,7 +194,7 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
IRestRequest request = new RestRequest();
|
||||
request.AddHeader(AWSSignerHelper.XAmzDateHeaderName, "foobar");
|
||||
|
||||
awsSignerHelperUnderTest.InitializeHeaders(request, TestHost);
|
||||
awsSignerHelperUnderTest.SetDateAndHostHeaders(request, TestHost);
|
||||
|
||||
Parameter actualParameter = request.Parameters.Find(parameter =>
|
||||
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.XAmzDateHeaderName);
|
||||
|
@ -243,7 +247,7 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
{
|
||||
IRestRequest restRequest = new RestRequest();
|
||||
|
||||
awsSignerHelperUnderTest.InitializeHeaders(restRequest, TestHost);
|
||||
awsSignerHelperUnderTest.SetDateAndHostHeaders(restRequest, TestHost);
|
||||
|
||||
Parameter actualParamter = restRequest.Parameters.Find(parameter =>
|
||||
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.HostHeaderName);
|
||||
|
@ -258,12 +262,27 @@ namespace Amazon.SellingPartnerAPIAATests
|
|||
|
||||
restRequest.AddHeader(AWSSignerHelper.HostHeaderName, "foobar");
|
||||
|
||||
awsSignerHelperUnderTest.InitializeHeaders(restRequest, TestHost);
|
||||
awsSignerHelperUnderTest.SetDateAndHostHeaders(restRequest, TestHost);
|
||||
|
||||
Parameter actualParamter = restRequest.Parameters.Find(parameter =>
|
||||
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.HostHeaderName);
|
||||
|
||||
Assert.Equal(TestHost, actualParamter.Value);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void TestSetSessionHeader()
|
||||
{
|
||||
IRestRequest restRequest = new RestRequest();
|
||||
|
||||
restRequest.AddHeader(AWSSignerHelper.SecurityTokenHeaderName, "testName");
|
||||
|
||||
awsSignerHelperUnderTest.SetSessionTokenHeader(restRequest, TestSessionToken);
|
||||
|
||||
Parameter actualParameter = restRequest.Parameters.Find(parameter =>
|
||||
ParameterType.HttpHeader.Equals(parameter.Type) && parameter.Name == AWSSignerHelper.SecurityTokenHeaderName);
|
||||
|
||||
Assert.Equal(TestSessionToken, actualParameter.Value);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue