nlansing/DedicatedServerCourse
Template
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Lesson 35 - Get Compute Auth Token Working

Browse Source
This commit is contained in:
Norman Lansing
2026-02-28 12:32:28 -05:00
parent 1d477ee42a
commit 4fde462bce
7743 changed files with 1397833 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
Plugins/GameLiftPlugin/Source/AWSSDK/Include/smithy/identity/signer/AwsSignerBase.h Normal file
View File

@@ -0,0 +1,52 @@
/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
#pragma once
#include <atomic>
#include <smithy/identity/identity/AwsIdentity.h>
#include <aws/crt/Variant.h>
#include <aws/core/client/AWSError.h>
#include <aws/core/http/HttpRequest.h>
#include <aws/core/utils/FutureOutcome.h>
#include <aws/core/utils/memory/stl/AWSMap.h>
namespace smithy {
class AwsSignerCommon {
public:
virtual ~AwsSignerCommon() = default;
/**
* This handles detection of clock skew between clients and the server and adjusts the clock so that the next request will not
* fail on the timestamp check.
*/
virtual void SetClockSkew(const std::chrono::milliseconds& clockSkew) { m_clockSkew = clockSkew; }
/**
* Gets the timestamp being used by the signer. This may include a clock skew if a clock skew has been detected.
*/
virtual Aws::Utils::DateTime GetSigningTimestamp() const { return Aws::Utils::DateTime::Now() + GetClockSkewOffset(); }
protected:
virtual std::chrono::milliseconds GetClockSkewOffset() const { return m_clockSkew.load(); }
std::atomic<std::chrono::milliseconds> m_clockSkew = {};
};
template<typename IDENTITY_T>
class AwsSignerBase : public AwsSignerCommon {
public:
using IdentityT = IDENTITY_T;
static_assert(std::is_base_of<AwsIdentity, IDENTITY_T>::value, "Identity type should inherit AwsIdentity");
using SigningProperties = Aws::UnorderedMap<Aws::String, Aws::Crt::Variant<Aws::String, bool>>;
using AdditionalParameters = Aws::UnorderedMap<Aws::String, Aws::Crt::Variant<Aws::String, bool>>;
using HttpRequest = Aws::Http::HttpRequest;
using SigningError = Aws::Client::AWSError<Aws::Client::CoreErrors>;
using SigningFutureOutcome = Aws::Utils::FutureOutcome<std::shared_ptr<HttpRequest>, SigningError>;
// signer may copy the original httpRequest or create a new one
virtual SigningFutureOutcome sign(std::shared_ptr<HttpRequest> httpRequest, const IdentityT& identity, SigningProperties properties) = 0;
virtual ~AwsSignerBase() {};
};
}

68
Plugins/GameLiftPlugin/Source/AWSSDK/Include/smithy/identity/signer/built-in/BearerTokenSigner.h Normal file
View File

@@ -0,0 +1,68 @@
/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
#pragma once
#include <smithy/identity/identity/AwsBearerTokenIdentityBase.h>
#include <smithy/identity/signer/AwsSignerBase.h>
#include <aws/core/auth/signer/AWSAuthSignerHelper.h>
#include <aws/core/http/HttpRequest.h>
#include <aws/crt/http/HttpConnection.h>
#include <aws/crt/http/HttpRequestResponse.h>
namespace smithy
{
static const char AUTHORIZATION_HEADER[] = "authorization";
class BearerTokenSigner : public AwsSignerBase<AwsBearerTokenIdentityBase>
{
public:
static const char LOGGING_TAG[];
using BearerTokenAuthSchemeParameters =
smithy::DefaultAuthSchemeResolverParameters;
explicit BearerTokenSigner(const Aws::String &serviceName,
const Aws::String &region)
: m_serviceName(serviceName), m_region(region)
{
}
SigningFutureOutcome
sign(std::shared_ptr<HttpRequest> httpRequest,
const smithy::AwsBearerTokenIdentityBase &identity,
SigningProperties properties) override
{
AWS_UNREFERENCED_PARAM(properties);
if (Aws::Http::Scheme::HTTPS != httpRequest->GetUri().GetScheme())
{
// Clients MUST always use TLS (https) or equivalent transport
// security when making requests with bearer tokens.
// https://datatracker.ietf.org/doc/html/rfc6750
AWS_LOGSTREAM_ERROR(
LOGGING_TAG,
"HTTPS scheme must be used with a bearer token authorization");
return SigningError(
Aws::Client::CoreErrors::INVALID_PARAMETER_VALUE, "",
"Failed to sign the request with bearer", false);
}
httpRequest->SetHeaderValue(AUTHORIZATION_HEADER,
"Bearer " + identity.token());
return SigningFutureOutcome(std::move(httpRequest));
}
virtual ~BearerTokenSigner(){};
protected:
Aws::String m_serviceName;
Aws::String m_region;
};
const char BearerTokenSigner::LOGGING_TAG[] = "BearerTokenSigner";
} // namespace smithy

64
Plugins/GameLiftPlugin/Source/AWSSDK/Include/smithy/identity/signer/built-in/SigV4Signer.h Normal file
View File

@@ -0,0 +1,64 @@
/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
#pragma once
#include <smithy/identity/signer/AwsSignerBase.h>
#include <smithy/identity/identity/AwsCredentialIdentityBase.h>
#include <aws/core/auth/signer/AWSAuthV4Signer.h>
#include <aws/core/auth/AWSCredentials.h>
namespace smithy {
/**
* A smithy SigV4 signer wrapper on top of legacy SDK SigV4 signer
* TODO: refactor into own signer using smithy design
*/
class AwsSigV4Signer : public AwsSignerBase<AwsCredentialIdentityBase> {
public:
using SigV4AuthSchemeParameters = DefaultAuthSchemeResolverParameters;
explicit AwsSigV4Signer(const Aws::String& serviceName, const Aws::String& region)
: m_serviceName(serviceName),
m_region(region),
legacySigner(nullptr, serviceName.c_str(), region, Aws::Client::AWSAuthV4Signer::PayloadSigningPolicy::Always)
{
}
SigningFutureOutcome sign(std::shared_ptr<HttpRequest> httpRequest, const AwsCredentialIdentityBase& identity, SigningProperties properties) override
{
const auto legacyCreds = [&identity]() -> Aws::Auth::AWSCredentials {
if(identity.sessionToken().has_value() && identity.expiration().has_value())
{
return {identity.accessKeyId(), identity.secretAccessKey(), *identity.sessionToken(), *identity.expiration()};
}
if(identity.sessionToken().has_value())
{
return {identity.accessKeyId(), identity.secretAccessKey(), *identity.sessionToken()};
}
return {identity.accessKeyId(), identity.secretAccessKey()};
}();
auto signPayloadIt = properties.find("SignPayload");
bool signPayload = signPayloadIt != properties.end() ? signPayloadIt->second.get<Aws::String>() == "true" : false;
assert(httpRequest);
bool success = legacySigner.SignRequestWithCreds(*httpRequest, legacyCreds, m_region.c_str(), m_serviceName.c_str(), signPayload);
if (success)
{
return SigningFutureOutcome(std::move(httpRequest));
}
return SigningError(Aws::Client::CoreErrors::MEMORY_ALLOCATION, "", "Failed to sign the request with sigv4", false);
}
virtual ~AwsSigV4Signer() {};
protected:
Aws::String m_serviceName;
Aws::String m_region;
Aws::Client::AWSAuthV4Signer legacySigner;
};
}

219
Plugins/GameLiftPlugin/Source/AWSSDK/Include/smithy/identity/signer/built-in/SigV4aSigner.h Normal file
View File

@@ -0,0 +1,219 @@
/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0.
*/
#pragma once
#include <smithy/identity/signer/AwsSignerBase.h>
#include <smithy/identity/identity/AwsCredentialIdentityBase.h>
#include <aws/core/auth/AWSCredentials.h>
#include <aws/crt/auth/Credentials.h>
#include <aws/core/http/HttpRequest.h>
#include <aws/core/auth/signer/AWSAuthSignerHelper.h>
#include <aws/crt/http/HttpConnection.h>
#include <aws/crt/http/HttpRequestResponse.h>
#include <condition_variable>
#include <mutex>
namespace smithy {
static const char* UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD";
static const char* EMPTY_STRING_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
static const char v4AsymmetricLogTag[] = "AWSAuthSymmetricV4Signer";
static const char* USER_AGENT = "user-agent";
static const char* X_AMZN_TRACE_ID = "x-amzn-trace-id";
/**
* A smithy SigV4 signer wrapper on top of legacy SDK SigV4 signer
* TODO: refactor into own signer using smithy design
*/
class AwsSigV4aSigner : public AwsSignerBase<AwsCredentialIdentityBase> {
public:
using SigV4aAuthSchemeParameters = smithy::DefaultAuthSchemeResolverParameters;
explicit AwsSigV4aSigner(const Aws::String& serviceName, const Aws::String& region)
: m_serviceName(serviceName), m_region(region)
{
}
SigningFutureOutcome sign(std::shared_ptr<HttpRequest> httpRequest, const AwsCredentialIdentityBase& identity, SigningProperties properties) override
{
auto signPayloadIt = properties.find("SignPayload");
bool signPayload = signPayloadIt != properties.end() ? signPayloadIt->second.get<Aws::String>() == "true" : false;
assert(httpRequest);
assert(identity.expiration().has_value());
auto &request = *httpRequest;
auto crtCredentials = Aws::MakeShared<Aws::Crt::Auth::Credentials>(v4AsymmetricLogTag,
Aws::Crt::ByteCursorFromCString(identity.accessKeyId().c_str()),
Aws::Crt::ByteCursorFromCString(identity.secretAccessKey().c_str()),
Aws::Crt::ByteCursorFromCString((*identity.sessionToken()).c_str()),
(*identity.expiration()).Seconds());
Aws::Crt::Auth::AwsSigningConfig awsSigningConfig;
bool success = createAwsSigningConfig(crtCredentials, request, awsSigningConfig, signPayload);
if(!success)
{
AWS_LOGSTREAM_ERROR(v4AsymmetricLogTag, "Failed to get Auth configuration");
return SigningError(Aws::Client::CoreErrors::MEMORY_ALLOCATION, "", "Failed to get Auth configuration", false);
}
std::shared_ptr<Aws::Crt::Http::HttpRequest> crtHttpRequest = request.ToCrtHttpRequest();
auto sigv4HttpRequestSigner = Aws::MakeShared<Aws::Crt::Auth::Sigv4HttpRequestSigner>(v4AsymmetricLogTag);
//This is an async call, so we need to wait till we have received an outcome
Aws::String errorMessage;
bool processed = false;
//producer function
sigv4HttpRequestSigner->SignRequest(crtHttpRequest, awsSigningConfig,
[&request, &success, &errorMessage, &processed, this](const std::shared_ptr<Aws::Crt::Http::HttpRequest>& signedCrtHttpRequest, int errorCode) {
std::unique_lock<std::mutex> lock(m_mutex);
m_cv.wait(lock, [&]{ return !processed; });
success = (errorCode == AWS_ERROR_SUCCESS);
if (success)
{
if (m_signatureType == Aws::Crt::Auth::SignatureType::HttpRequestViaHeaders)
{
for (size_t i = 0; i < signedCrtHttpRequest->GetHeaderCount(); i++)
{
Aws::Crt::Optional<Aws::Crt::Http::HttpHeader> httpHeader = signedCrtHttpRequest->GetHeader(i);
request.SetHeaderValue(Aws::String(reinterpret_cast<const char*>(httpHeader->name.ptr), httpHeader->name.len),
Aws::String(reinterpret_cast<const char*>(httpHeader->value.ptr), httpHeader->value.len));
}
}
else if (m_signatureType == Aws::Crt::Auth::SignatureType::HttpRequestViaQueryParams)
{
Aws::Http::URI newPath(reinterpret_cast<const char*>(signedCrtHttpRequest->GetPath()->ptr));
request.GetUri().SetQueryString(newPath.GetQueryString());
}
else
{
errorMessage = "No action to take when signature type is neither \"HttpRequestViaHeaders\" nor \"HttpRequestViaQueryParams\"";
AWS_LOGSTREAM_ERROR(v4AsymmetricLogTag, errorMessage);
success = false;
}
}
else
{
Aws::OStringStream errStream;
errStream << "Encountered internal error during signing process with AWS signature version 4 (Asymmetric):" << aws_error_str(errorCode);
errorMessage = errStream.str();
AWS_LOGSTREAM_ERROR(v4AsymmetricLogTag, errorMessage);
}
processed = true;
m_cv.notify_all();
}
);
//consumer
{
std::unique_lock<std::mutex> lock(m_mutex);
m_cv.wait(lock, [&]{ return processed; });
}
return success? SigningFutureOutcome(std::move(httpRequest)) : SigningError(Aws::Client::CoreErrors::MEMORY_ALLOCATION, "", "Failed to sign the request with sigv4", false);
}
virtual ~AwsSigV4aSigner() {};
protected:
bool createAwsSigningConfig(
std::shared_ptr<Aws::Crt::Auth::Credentials>& crtCredentials,
const Aws::Http::HttpRequest& request,
Aws::Crt::Auth::AwsSigningConfig& awsSigningConfig,
bool signBody) const
{
awsSigningConfig.SetSigningAlgorithm(static_cast<Aws::Crt::Auth::SigningAlgorithm>(Aws::Auth::AWSSigningAlgorithm::ASYMMETRIC_SIGV4));
awsSigningConfig.SetSignatureType(m_signatureType);
awsSigningConfig.SetRegion(m_region.c_str());
awsSigningConfig.SetService(m_region.c_str());
awsSigningConfig.SetSigningTimepoint(GetSigningTimestamp().UnderlyingTimestamp());
awsSigningConfig.SetUseDoubleUriEncode(m_urlEscape);
awsSigningConfig.SetShouldNormalizeUriPath(true);
awsSigningConfig.SetOmitSessionToken(false);
awsSigningConfig.SetShouldSignHeaderUserData(reinterpret_cast<void*>(const_cast<Aws::Set<Aws::String>*>(&m_unsignedHeaders)));
awsSigningConfig.SetShouldSignHeaderCallback([](const Aws::Crt::ByteCursor *name, void *user_data) {
Aws::Set<Aws::String>* unsignedHeaders = static_cast<Aws::Set<Aws::String>*>(user_data);
Aws::String headerKey(reinterpret_cast<const char*>(name->ptr), name->len);
return unsignedHeaders->find(Aws::Utils::StringUtils::ToLower(headerKey.c_str())) == unsignedHeaders->cend();
});
if (m_signatureType == Aws::Crt::Auth::SignatureType::HttpRequestViaHeaders)
{
Aws::String payloadHash(UNSIGNED_PAYLOAD);
if(signBody || request.GetUri().GetScheme() != Aws::Http::Scheme::HTTPS)
{
if (!request.GetContentBody())
{
AWS_LOGSTREAM_DEBUG(v4AsymmetricLogTag, "Using cached empty string sha256 " << EMPTY_STRING_SHA256 << " because payload is empty.");
payloadHash = EMPTY_STRING_SHA256;
}
else
{
// The hash will be calculated from the payload during signing.
payloadHash = {};
}
}
else
{
AWS_LOGSTREAM_DEBUG(v4AsymmetricLogTag, "Note: Http payloads are not being signed. signPayloads=" << signBody
<< " http scheme=" << Aws::Http::SchemeMapper::ToString(request.GetUri().GetScheme()));
}
awsSigningConfig.SetSignedBodyValue(payloadHash.c_str());
awsSigningConfig.SetSignedBodyHeader(m_includeSha256HashHeader ? Aws::Crt::Auth::SignedBodyHeaderType::XAmzContentSha256 : Aws::Crt::Auth::SignedBodyHeaderType::None);
}
else if (m_signatureType == Aws::Crt::Auth::SignatureType::HttpRequestViaQueryParams)
{
if (ServiceRequireUnsignedPayload(m_serviceName))
{
awsSigningConfig.SetSignedBodyValue(UNSIGNED_PAYLOAD);
}
else
{
awsSigningConfig.SetSignedBodyValue(EMPTY_STRING_SHA256);
}
}
else
{
AWS_LOGSTREAM_ERROR(v4AsymmetricLogTag, "The signature type should be either \"HttpRequestViaHeaders\" or \"HttpRequestViaQueryParams\"");
return false;
}
awsSigningConfig.SetExpirationInSeconds(static_cast<uint64_t>(m_expirationTimeInSeconds));
awsSigningConfig.SetCredentials(crtCredentials);
return true;
}
bool ServiceRequireUnsignedPayload(const Aws::String& serviceName) const
{
// S3 uses a magic string (instead of the empty string) for its body hash for presigned URLs as outlined here:
// https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
// this is true for PUT, POST, GET, DELETE and HEAD operations.
// However, other services (for example RDS) implement the specification as outlined here:
// https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
// which states that body-less requests should use the empty-string SHA256 hash.
return "s3" == serviceName || "s3-object-lambda" == serviceName;
}
Aws::String m_serviceName;
Aws::String m_region;
//params that can be exposed later
long long m_expirationTimeInSeconds{0};
const bool m_includeSha256HashHeader{true};
const bool m_urlEscape{true};
const Aws::Set<Aws::String> m_unsignedHeaders{USER_AGENT,X_AMZN_TRACE_ID};
const Aws::Crt::Auth::SignatureType m_signatureType{Aws::Crt::Auth::SignatureType::HttpRequestViaQueryParams};
std::condition_variable m_cv;
std::mutex m_mutex;
};
}