signer base and x509 credentials

Signed-off-by: Nigel Brittain <nbaws@amazon.com>

source/extensions/common/aws/BUILD

@@ -54,6 +54,21 @@ envoy_cc_library(
     ],
 )
 
+envoy_cc_library(
+    name = "iam_roles_anywhere_signer_base",
+    srcs = ["iam_roles_anywhere_signer_base.cc"],
+    hdrs = ["iam_roles_anywhere_signer_base.h"],
+    deps = [
+        ":credentials_provider_interface",
+        ":signer_interface",
+        ":utility_lib",
+        "//source/common/buffer:buffer_lib",
+        "//source/common/common:utility_lib",
+        "//source/common/crypto:utility_lib",
+        "//source/common/http:message_lib",
+    ],
+)
+
 envoy_cc_library(
     name = "credentials_provider_interface",
     srcs = ["credentials_provider.cc"],

source/extensions/common/aws/credentials_provider.h

@@ -4,12 +4,14 @@
 #include <string>
 
 #include "envoy/common/pure.h"
+#include "envoy/common/time.h"
 
 #include "source/common/common/cleanup.h"
 #include "source/common/common/lock_guard.h"
 #include "source/common/common/thread.h"
 
 #include "absl/types/optional.h"
+#include "openssl/evp.h"
 
 namespace Envoy {
 namespace Extensions {
@@ -21,13 +23,14 @@ constexpr char AWS_SECRET_ACCESS_KEY[] = "AWS_SECRET_ACCESS_KEY";
 constexpr char AWS_SESSION_TOKEN[] = "AWS_SESSION_TOKEN";
 
 /**
- * AWS credentials container
+ * AWS credentials containers
  *
  * If a credential component was not found in the execution environment, it's getter method will
  * return absl::nullopt. Credential components with the empty string value are treated as not found.
  */
 class Credentials {
 public:
+  // Access Key Credentials
   explicit Credentials(absl::string_view access_key_id = absl::string_view(),
                        absl::string_view secret_access_key = absl::string_view(),
                        absl::string_view session_token = absl::string_view()) {
@@ -66,7 +69,67 @@ class Credentials {
 
 using CredentialsPendingCallback = std::function<void()>;
 
-/**
+/*
+ * X509 Credentials used for IAM Roles Anywhere
+ */
+
+class X509Credentials {
+public:
+  enum class PublicKeySignatureAlgorithm {
+    RSA,
+    ECDSA,
+  };
+
+  // X509 Credentials
+  X509Credentials(absl::string_view certificate_b64,
+                  PublicKeySignatureAlgorithm certificate_signature_algorithm,
+                  absl::string_view certificate_serial,
+                  absl::optional<absl::string_view> certificate_chain_b64,
+                  absl::string_view certificate_private_key_pem,
+                  SystemTime certificate_expiration_time)
+      : certificate_b64_(certificate_b64),
+        certificate_private_key_pem_(certificate_private_key_pem),
+        certificate_serial_(certificate_serial),
+        certificate_expiration_(certificate_expiration_time),
+        certificate_signature_algorithm_(certificate_signature_algorithm) {
+    if (certificate_chain_b64.has_value()) {
+      certificate_chain_b64_ = certificate_chain_b64.value();
+    }
+  }
+
+  X509Credentials() = default;
+
+  const absl::optional<std::string>& certificateDerB64() const { return certificate_b64_; }
+
+  const absl::optional<std::string>& certificateSerial() const { return certificate_serial_; }
+
+  const absl::optional<SystemTime>& certificateExpiration() const {
+    return certificate_expiration_;
+  }
+
+  const absl::optional<std::string>& certificateChainDerB64() const {
+    return certificate_chain_b64_;
+  }
+
+  const absl::optional<PublicKeySignatureAlgorithm>& publicKeySignatureAlgorithm() const {
+    return certificate_signature_algorithm_;
+  }
+
+  const absl::optional<std::string> certificatePrivateKey() const {
+    return certificate_private_key_pem_;
+  }
+
+private:
+  // RolesAnywhere certificate based credentials
+  absl::optional<std::string> certificate_b64_ = absl::nullopt;
+  absl::optional<std::string> certificate_chain_b64_ = absl::nullopt;
+  absl::optional<std::string> certificate_private_key_pem_ = absl::nullopt;
+  absl::optional<std::string> certificate_serial_ = absl::nullopt;
+  absl::optional<SystemTime> certificate_expiration_ = absl::nullopt;
+  absl::optional<PublicKeySignatureAlgorithm> certificate_signature_algorithm_ = absl::nullopt;
+};
+
+/*
  * Interface for classes able to fetch AWS credentials from the execution environment.
  */
 class CredentialsProvider {
@@ -155,6 +218,23 @@ class CredentialsProviderChain : public CredentialSubscriberCallbacks,
 
 using CredentialsProviderChainSharedPtr = std::shared_ptr<CredentialsProviderChain>;
 
+/*
+ * X509 credential provider used for IAM Roles Anywhere
+ */
+class X509CredentialsProvider {
+public:
+  virtual ~X509CredentialsProvider() = default;
+
+  /**
+   * Get credentials from the environment.
+   *
+   * @return AWS credentials
+   */
+  virtual X509Credentials getCredentials() PURE;
+};
+
+using X509CredentialsProviderSharedPtr = std::shared_ptr<X509CredentialsProvider>;
+
 } // namespace Aws
 } // namespace Common
 } // namespace Extensions

source/extensions/common/aws/iam_roles_anywhere_signer_base.cc

@@ -0,0 +1,154 @@
+#include "source/extensions/common/aws/iam_roles_anywhere_signer_base.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace Common {
+namespace Aws {
+
+absl::Status IAMRolesAnywhereSignerBaseImpl::sign(Http::RequestMessage& message, bool sign_body,
+                                                  const absl::string_view override_region) {
+  const auto content_hash = createContentHash(message, sign_body);
+  auto& headers = message.headers();
+  return sign(headers, content_hash, override_region);
+}
+
+absl::Status
+IAMRolesAnywhereSignerBaseImpl::signEmptyPayload(Http::RequestHeaderMap& headers,
+                                                 const absl::string_view override_region) {
+  headers.setReference(IAMRolesAnywhereSignatureHeaders::get().ContentSha256,
+                       IAMRolesAnywhereSignatureConstants::HashedEmptyString);
+  return sign(headers, std::string(IAMRolesAnywhereSignatureConstants::HashedEmptyString),
+              override_region);
+}
+
+absl::Status
+IAMRolesAnywhereSignerBaseImpl::signUnsignedPayload(Http::RequestHeaderMap& headers,
+                                                    const absl::string_view override_region) {
+  headers.setReference(IAMRolesAnywhereSignatureHeaders::get().ContentSha256,
+                       IAMRolesAnywhereSignatureConstants::UnsignedPayload);
+  return sign(headers, std::string(IAMRolesAnywhereSignatureConstants::UnsignedPayload),
+              override_region);
+}
+
+bool IAMRolesAnywhereSignerBaseImpl::addCallbackIfCredentialsPending(
+    CredentialsPendingCallback&& cb) {
+  return credentials_provider_chain_->addCallbackIfChainCredentialsPending(std::move(cb));
+}
+
+absl::Status IAMRolesAnywhereSignerBaseImpl::sign(Http::RequestHeaderMap& headers,
+                                                  const std::string& content_hash,
+                                                  const absl::string_view override_region) {
+
+  const auto& x509_credentials = x509_credentials_provider_->getCredentials();
+
+  ASSERT(credentials_provider_chain_ == nullptr);
+  ASSERT(x509_credentials_provider_ != nullptr);
+
+  if (!x509_credentials.certificateDerB64().has_value() ||
+      !x509_credentials.certificatePrivateKey().has_value() ||
+      !x509_credentials.publicKeySignatureAlgorithm().has_value()) {
+    return absl::Status{absl::StatusCode::kInvalidArgument,
+                        "Unable to sign IAM Roles Anywhere payload - no x509 credentials found"};
+  }
+
+  if (headers.Method() == nullptr) {
+    return absl::Status{absl::StatusCode::kInvalidArgument, "Message is missing :method header"};
+  }
+  if (headers.Path() == nullptr) {
+    return absl::Status{absl::StatusCode::kInvalidArgument, "Message is missing :path header"};
+  }
+
+  ENVOY_LOG(debug, "Begin IAM Roles Anywhere signing");
+
+  const auto long_date = long_date_formatter_.now(time_source_);
+  const auto short_date = short_date_formatter_.now(time_source_);
+
+  if (!content_hash.empty()) {
+    headers.setReferenceKey(IAMRolesAnywhereSignatureHeaders::get().ContentSha256, content_hash);
+  }
+
+  addRequiredHeaders(headers, long_date);
+  addRequiredCertHeaders(headers, x509_credentials);
+
+  const auto canonical_headers =
+      Utility::canonicalizeHeaders(headers, std::vector<Matchers::StringMatcherPtr>{});
+
+  // Phase 1: Create a canonical request
+  const auto credential_scope = createCredentialScope(short_date, override_region);
+
+  // Handle query string parameters by appending them all to the path. Case is important for these
+  // query parameters.
+  auto query_params =
+      Envoy::Http::Utility::QueryParamsMulti::parseQueryString(headers.getPathValue());
+
+  auto canonical_request = Utility::createCanonicalRequest(
+      headers.Method()->value().getStringView(), headers.Path()->value().getStringView(),
+      canonical_headers,
+      content_hash.empty() ? IAMRolesAnywhereSignatureConstants::HashedEmptyString : content_hash,
+      Utility::shouldNormalizeUriPath(service_name_), Utility::useDoubleUriEncode(service_name_));
+  ENVOY_LOG(debug, "Canonical request:\n{}", canonical_request);
+
+  // Phase 2: Create a string to sign
+  std::string string_to_sign =
+      createStringToSign(x509_credentials, canonical_request, long_date, credential_scope);
+  ENVOY_LOG(debug, "String to sign:\n{}", string_to_sign);
+
+  // Phase 3: Create a signature
+  std::string signature = createSignature(x509_credentials, string_to_sign);
+  // Phase 4: Sign request
+
+  std::string authorization_header =
+      createAuthorizationHeader(x509_credentials, credential_scope, canonical_headers, signature);
+
+  headers.setCopy(Http::CustomHeaders::get().Authorization, authorization_header);
+
+  // Sanitize logged authorization header
+  std::vector<std::string> sanitised_header =
+      absl::StrSplit(authorization_header, absl::ByString("Signature="));
+  ENVOY_LOG(debug, "Header signing - Authorization header (sanitised): {}Signature=*****",
+            sanitised_header[0]);
+  return absl::OkStatus();
+}
+
+void IAMRolesAnywhereSignerBaseImpl::addRequiredCertHeaders(Http::RequestHeaderMap& headers,
+                                                            X509Credentials x509_credentials) {
+  headers.setCopy(IAMRolesAnywhereSignatureHeaders::get().X509,
+                  x509_credentials.certificateDerB64().value());
+  if (x509_credentials.certificateChainDerB64().has_value()) {
+    headers.setCopy(IAMRolesAnywhereSignatureHeaders::get().X509Chain,
+                    x509_credentials.certificateChainDerB64().value());
+  }
+}
+
+void IAMRolesAnywhereSignerBaseImpl::addRequiredHeaders(Http::RequestHeaderMap& headers,
+                                                        const std::string long_date) {
+  // Explicitly remove Authorization and security token header if present
+  headers.remove(Http::CustomHeaders::get().Authorization);
+
+  headers.setCopy(IAMRolesAnywhereSignatureHeaders::get().Date, long_date);
+  // addRegionHeader(headers, override_region);
+}
+
+std::string IAMRolesAnywhereSignerBaseImpl::createAuthorizationCredential(
+    const X509Credentials x509_credentials, absl::string_view credential_scope) const {
+  return fmt::format(IAMRolesAnywhereSignatureConstants::AuthorizationCredentialFormat,
+                     x509_credentials.certificateSerial().value(), credential_scope);
+}
+
+std::string IAMRolesAnywhereSignerBaseImpl::createContentHash(Http::RequestMessage& message,
+                                                              bool sign_body) const {
+  if (!sign_body) {
+    return std::string(IAMRolesAnywhereSignatureConstants::HashedEmptyString);
+  }
+  auto& crypto_util = Envoy::Common::Crypto::UtilitySingleton::get();
+  const auto content_hash =
+      message.body().length() > 0
+          ? Hex::encode(crypto_util.getSha256Digest(message.body()))
+          : std::string(IAMRolesAnywhereSignatureConstants::HashedEmptyString);
+  return content_hash;
+}
+
+} // namespace Aws
+} // namespace Common
+} // namespace Extensions
+} // namespace Envoy