-
Notifications
You must be signed in to change notification settings - Fork 9
/
AwsRestClient.qm
560 lines (476 loc) · 23.2 KB
/
AwsRestClient.qm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
# -*- mode: qore; indent-tabs-mode: nil -*-
#! @file AwsRestClient.qm Qore user module for calling AWS REST services
/* AwsRestClient.qm Copyright (C) 2019 - 2022 Qore Technologies, s.r.o.
Permission is hereby granted, free of charge, to any person obtaining a
copy of this software and associated documentation files (the "Software"),
to deal in the Software without restriction, including without limitation
the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the
Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
*/
# minimum qore version
%requires qore >= 1.10
# require type definitions everywhere
%require-types
# enable all warnings
%enable-all-warnings
# don't use "$" for vars, members, and methods, assume local variable scope
%new-style
# do not ignore argument errors
%strict-args
%requires(reexport) Mime >= 1.3
%requires(reexport) RestClient >= 1.3.1
%requires(reexport) ConnectionProvider >= 1.4
module AwsRestClient {
version = "1.2";
desc = "user module for calling AWS REST services";
author = "David Nichols <david@qore.org>";
url = "http://qore.org";
license = "MIT";
init = sub () {
ConnectionSchemeCache::registerScheme("awsrests", AwsRestConnection::ConnectionScheme);
};
}
/** @mainpage AwsRestClient Module
@tableofcontents
@section awsrestclientintro AwsRestClient Introduction
The %AwsRestClient module provides an API for calling AWS REST services.
To use this module, use \c "%requires AwsRestClient" in your code.
All the public symbols in the module are defined in the AwsRestClient namespace.
The main classes are:
- @ref AwsRestClient::AwsRestClient "AwsRestClient": this class provides the REST client API for communuication
with the AWS REST API; it also automates authentication and authorization
- @ref AwsRestClient::AwsRestConnection "AwsRestConnection": provides a REST connection object to a the AWS server
(based on the @ref connectionproviderintro "ConnectionProvider" module)
@par Example:
@code{.py}
#!/usr/bin/env qore
%new-style
%strict-args
%require-types
%enable-all-warnings
%requires AwsRestClient
hash<auto> opts = {
"url": "https://iam.amazonaws.com",
"aws_keyid": ENV.AWS_KEY_ID,
"aws_secret": ENV.AWS_SECRET,
"aws_region": "eu-central-1",
"aws_service": "iotevents",
};
AwsRestClient rest(opts);
hash<auto> ans = rest.get(...);
printf("%N\n", ans.body);
@endcode
@section Awsrestclientrelnotes Release Notes
@subsection awsrestclientv2_0 AwsRestClient v1.2
- added support for the DataProvider API
(<a href="https://github.com/qorelanguage/qore/issues/4564">issue 4564</a>)
@subsection awsrestclientv1_1 AwsRestClient v1.1
- implemented support for a data provider scheme cache and rich option information for connections
(<a href="https://github.com/qorelanguage/qore/issues/4025">issue 4025</a>)
@subsection awsrestclientv1_0 AwsRestClient v1.0
- the initial version of the %AwsRestClient module
*/
#! the AwsRestClient namespace contains all the objects in the AwsRestClient module
public namespace AwsRestClient {
#! this class provides the REST client API for communication with AWS
/** This class requires the following options:
- \c aws_keyid
- \c aws_secret
- \c aws_region
- \c aws_service
*/
public class AwsRestClient inherits RestClient::RestClient {
public {
#! default send encoding
const DefaultSendEncoding = "gzip";
#! required options
const RequiredOptions = (
"aws_keyid",
"aws_secret",
"aws_region",
"aws_service",
);
#! Qore digest algorithm to use for HMAC calculations; must match AwsSignatureAlgorithm
const QoreDigest = CRYPTO_DIGEST_SHA256;
#! AWS signature algorithm used; must match QoreDigest
const AwsSignatureAlgorithm = "AWS4-HMAC-SHA256";
#! Fixed termination string
const AwsTermination = "aws4_request";
}
private:internal {
# the AWS access key ID
string aws_keyid;
# the AWS secret access key
string aws_secret;
# the AWS region
string aws_region;
# the AWS service
string aws_service;
# is this request for AWS S3?
bool aws_s3 = False;
# temporary session token
string aws_token;
# credential scope suffix
string credential_scope_suffix;
}
#! creates the object with the given options
/**
@par Example:
@code{.py}
AwsRestClient rest({
"url": "https://apigateway.eu-central-1.amazonaws.com",
"aws_keyid": aws_keyid,
"aws_secret": aws_secret.
});
@endcode
@param opts valid options are:
- \c additional_methods: Optional hash with more but not-HTTP-standardized methods to handle. It allows
HTTP extensions like e.g. WebDAV to work. The hash takes the method name as a key, and the value is a
boolean @ref True "True" or @ref False "False": indicating if the method requires a message
body as well. Example:
@code{.py}
# add new HTTP methods for WebDAV. Both of them require body posting to the server
{"additional_methods": {"PROPFIND": True, "MKCOL": True}};
@endcode
- \c aws_keyid: (required) the AWS key ID
- \c aws_region: the AWS region to use (ex: \c "us-east-1"); if it cannot be derived from the URL then it
is a required option
- \c was_service: the AWS service to use (ex: \c "iam"); if it cannot be derived from the URL then it is a
required option
- \c aws_secret: (required) the AWS secret access key value
- \c aws_token: a temporary session token from AWS Security Token Service for this HTTP session
- \c content_encoding: for possible values, see @ref EncodingSupport; this sets the send encoding (if the
\c "send_encoding" option is not set) and the requested response encoding (note that the
@ref RestClient::RestClient "RestClient" class will only compress outgoing message bodies over
@ref RestClient::RestClient::CompressionThreshold "CompressionThreshold" bytes in size)
- \c default_path: The default path to use for new connections if a path is not otherwise specified in the
connection URL
- \c default_port: The default port number to connect to if none is given in the URL
- \c error_passthru: if @ref True "True" then HTTP status codes indicating errors will not cause a
\c REST-RESPONSE-ERROR exception to be raised, rather such responses will be passed through to the caller
like any other response
- \c headers: an optional hash of headers to send with every request, these can also be overridden in
request method calls
- \c http_version: Either '1.0' or '1.1' (default) for the claimed HTTP protocol version compliancy in
outgoing message headers
- \c max_redirects: The maximum number of redirects before throwing an exception (the default is 5)
- \c proxy: The proxy URL for connecting through a proxy
- \c redirect_passthru: if @ref True "True" then redirect responses will be passed to the caller
instead of processed
- \c aws_s3: set to True to flag this object for use with AWS aws_s3, which requires special message encoding
- \c send_encoding: a @ref EncodingSupport "send data encoding option" or the value \c "auto" which means
to use automatic encoding; if not present defaults to \c "gzip" content encoding on sent message bodies
(note that the @ref RestClient::RestClient "RestClient" class will only compress outgoing message bodies
over @ref RestClient::RestClient::CompressionThreshold "CompressionThreshold" bytes in size)
- \c swagger: the path to a <a href="https://swagger.io/">Swagger 2.0</a> REST schema file for API
validation; only used if \a validator not provided (see the @ref swaggerintro "Swagger" module)
- \c timeout: The timeout value in milliseconds (also can be a relative date-time value for clarity, ex:
\c 30s)
- \c url: a string giving the URL to connect to; if not given then the target URL will be taken from any
\c validator option, if given by calling
@ref RestSchemaValidator::AbstractRestSchemaValidator::getTargetUrl() "AbstractRestSchemaValidator::getTargetUrl()"
- \c validator: an @ref RestSchemaValidator::AbstractRestSchemaValidator "AbstractRestSchemaValidator"
object to validate request and response messages; overrides \a swagger
@param do_not_connect if \c False (the default), then a connection will be immediately established to the
remote server
@throw RESTCLIENT-ERROR invalid option passed to constructor, unsupported data serialization, etc
@throw AWSRESTCLIENT-ERROR missing or invalid required option for AWS REST authentication or communication
@note the \c data option is always set to \c "json"
*/
constructor(hash<auto> opts, *softbool do_not_connect) : RestClient(opts + {"data": "json"}, do_not_connect) {
# AWS does not support basic authentication
hash<UrlInfo> url_info = parse_url(opts.url);
if (url_info{"username", "password"}) {
throw "AWSRESTCLIENT-ERROR", sprintf("AWS URL must not contain a username or password; URL: %y",
get_safe_url(opts.url));
}
# set the region automatically from the URL if not provided in an option
*list<string> url_components = (url_info.host =~ x/([^\.]+)/g);
if (url_components.size() != 4 || url_components[2] != "amazonaws" || url_components[3] != "com") {
url_components = ();
}
if (!opts.aws_service && url_components) {
opts.aws_service = url_components[0];
}
if (!opts.aws_region && url_components) {
opts.aws_region = url_components[1];
}
# check required options
foreach string key in (RequiredOptions) {
auto v = opts{key};
if (!exists v || v == "") {
throw "AWSRESTCLIENT-ERROR", sprintf("missing required option %y in option argument", key);
}
if (v.typeCode() != NT_STRING) {
throw "AWSRESTCLIENT-ERROR", sprintf("required option %y was passed as a %s (%y); expecting "
"\"string\"", key, v.type(), v);
}
self{key} = v;
}
# get credential scope suffix
credential_scope_suffix = sprintf("%s/%s/%s", aws_region, aws_service, AwsTermination);
if (exists opts.aws_s3 && parse_boolean(opts.aws_s3)) {
aws_s3 = True;
}
if (opts.aws_token) {
aws_token = opts.aws_token;
headers."X-Amz-Security-Token" = aws_token;
}
}
hash<auto> sendAndDecodeResponse(*data body, string m, string path, hash<auto> hdr, *reference<hash<auto>> info,
*softbool decode_errors) {
# get request time
date gmtime = Qore::gmtime();
# get credential scope
string scope = sprintf("%s/%s", gmtime.format("YYYYMMDD"), credential_scope_suffix);
# get signature and signed header string
string signed_headers;
# add configured headers without overriding
hdr = headers + hdr;
# get signature
string sig = getSignature(m, path, \hdr, body, gmtime, scope, \signed_headers);
# add authorization header
hdr.Authorization = sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s",
AwsSignatureAlgorithm, aws_keyid, scope, signed_headers, sig);
return RestClient::sendAndDecodeResponse(body, m, path, hdr, \info, decode_errors);
}
string getSignature(string http_method, string path, reference<hash<auto>> hdr, *data body, date gmtime,
string scope, reference<string> signed_headers) {
string req_string = getRequestString(http_method, path, \hdr, body, gmtime, scope, \signed_headers);
# calculate a signature
string gmdate = gmtime.format("YYYYMMDD");
# 1: key, date
binary signing_key = hmac(QoreDigest, gmdate, "AWS4" + aws_secret);
# 2: hash, region
signing_key = hmac(QoreDigest, aws_region, signing_key);
# 3: hash, service
signing_key = hmac(QoreDigest, aws_service, signing_key);
# 4: hash, termination
signing_key = hmac(QoreDigest, AwsTermination, signing_key);
string sig = hmac(QoreDigest, req_string, signing_key).toHex();
return sig;
}
private string getRequestString(string http_method, string path, reference<hash<auto>> hdr, *data body,
date gmtime, string scope, reference<string> signed_headers) {
# get AWS date value
string aws_date = gmtime.format("YYYYMMDDTHHmmSS") + "Z";
hdr."X-Amz-Date" = aws_date;
string csig = getCanonicalSignature(http_method, path, hdr, body, \signed_headers);
string msg = AwsSignatureAlgorithm + "\n"
+ aws_date + "\n"
+ scope + "\n"
+ csig;
return msg;
}
private string getCanonicalSignature(string http_method, string path, hash<auto> hdr, *data body,
reference<string> signed_headers) {
# create the canonical string
# 1: HTTP request method
string cstr = http_method + "\n";
# make canonical URI
hash<UriQueryInfo> uri_info = parse_uri_query(path);
# 2: canonical URI parameter
string uri = uri_info.method ?? "/";
# normalize the path if not an S3 request
if (!aws_s3) {
uri = normalize_dir_unix(uri, "/");
}
# URI-encode the path
uri = encode_url(uri, False);
# non-AWS-S3 requests must be URI-encoded twice
# https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
if (!aws_s3) {
uri = encode_url(uri, False);
}
# add to canonical string
cstr += uri + "\n";
# 3: canonical query string
if (uri_info.params) {
# process sorted query parameters in order
cstr += (
foldl $1 + "&" + $2, (
map
sprintf("%s=%s", encode_url($1, True),
uri_info.params{$1} === True ? "" : encode_url(uri_info.params{$1}, True)),
sort(keys uri_info.params)
)
);
}
cstr += "\n";
# 4: canonical headers
# convert header keys to lowercase
hdr = map {$1.key.lwr(): $1.value}, hdr.pairIterator();
# add host header
hdr += {"host": getHostHeaderValue()};
# sort headers
hdr = map {$1: hdr{$1}}, sort(keys hdr);
cstr += (
foldl $1 + $2, (
map
sprintf("%s:%s\n", $1, trimall(hdr.$1)),
sort(keys hdr)
)
) + "\n";
# 5: signed headers
signed_headers = (foldl $1 + ";" + $2, keys hdr);
cstr += signed_headers + "\n";
# 6: digest
cstr += digest(QoreDigest, body ?? "").toHex();
#printf("CSTR:\n%s\n", cstr);
return digest(QoreDigest, cstr).toHex();
}
static private:internal string trimall(string str) {
# remove leading and trailing whitespace
trim str;
# collapse multiple spaces to a single space
str =~ s/ +/ /g;
return str;
}
}
#! class for AWS REST connections; returns @ref AwsRestClient::AwsRestClient objects
/** supports the following options:
- \c "aws_keyid": (required) AWS key ID
- \c "aws_region": (required) the AWS region to use (ex: \c "us-east-1")
- \c "aws_s3": (optional) set to True to flag this object for use with AWS S3, which requires special message
encoding
- \c "aws_secret": (required) the AWS secret access key value
- \c "aws_service": (required) the AWS service to use (ex: \c "iam")
- \c "aws_token": (optional) a temporary session token from AWS Security Token Service for this HTTP session
- \c "connect_timeout": connection timeout to use in milliseconds
- \c "content_encoding": this sets the send encoding (if the \c "send_encoding" option is not set) and the
requested response encoding; for possible values, see
@ref RestClient::RestClient::EncodingSupport "EncodingSupport"
- \c "error_passthru": if @ref True "True" then HTTP status codes indicating errors will not cause a
\c REST-RESPONSE-ERROR exception to be raised, rather such responses will be passed through to the caller
like any other response
- \c "http_version": HTTP version to use (\c "1.0" or \c "1.1", defaults to \c "1.1")
- \c "max_redirects": maximum redirects to support
- \c "proxy": proxy URL to use
- \c "redirect_passthru": if @ref True "True" then redirect responses will be passed to the caller
instead of processed
- \c "send_encoding": a @ref RestClient::RestClient::EncodingSupport "send data encoding option" or the value
\c "auto" which means to use automatic encoding; if not present defaults to no content-encoding on sent
message bodies
- \c "timeout": transfer timeout to use in milliseconds
@note the \c data option is always set to \c "json"
@see @ref AwsRestClient::AwsRestClient::constructor() "AwsRestClient::constructor()" for more information on
the above options
*/
public class AwsRestConnection inherits RestClient::RestConnection {
public {
#! Connection entry info
const ConnectionScheme = <ConnectionSchemeInfo>{
"cls": Class::forName("AwsRestConnection"),
"options": RestConnection::ConnectionScheme.options + {
"data": <ConnectionOptionInfo>{
"type": "string",
"desc": "data serialization options are limited to `json` with this object",
"allowed_values": (
<AllowedValueInfo>{
"value": "json",
"desc": "use JSON serialization",
},
),
"default_value": "json",
},
"aws_keyid": <ConnectionOptionInfo>{
"type": "string",
"desc": "AWS key ID",
},
"aws_secret": <ConnectionOptionInfo>{
"type": "string",
"desc": "the AWS secret access key value",
"sensitive": True,
},
"aws_region": <ConnectionOptionInfo>{
"type": "string",
"desc": "the AWS region to use (ex: `us-east-1`)",
},
"aws_service": <ConnectionOptionInfo>{
"type": "string",
"desc": "the AWS service to use (ex: `iam`)",
},
"aws_s3": <ConnectionOptionInfo>{
"type": "bool",
"desc": "set to `True` to flag this object for use with AWS S3, which requires special "
"message encoding",
"default_value": False,
},
"aws_token": <ConnectionOptionInfo>{
"type": "string",
"desc": "a temporary session token from AWS Security Token Service for this HTTP session",
},
},
"required_options": foldl $1 + "," + $2, AwsRestClient::RequiredOptions,
};
}
#! creates the AwsRestConnection object
/** @param name the name of the connection
@param description connection description
@param url connection URL (potentially with password info)
@param attributes various attributes. See below
@param options connection options
See @ref AbstractConnection::constructor() for \c attributes and \c options reference.
@throw CONNECTION-OPTION-ERROR missing or invalid connection option
*/
constructor(string name, string description, string url, hash<auto> attributes = {}, hash<auto> options = {})
: RestConnection(name, description, url, attributes, options) {
real_opts = {"url": real_url} + urlh.("username", "password") + self.opts;
}
#! returns \c "awsrest"
string getType() {
return "awsrest";
}
#! returns a data provider object for this connection
/** @return a data provider object for this connection; the data provider is:
- \c SwaggerDataProvider: if an appropriate schema is configured
- \c RestClientDataProvider: if there is no schema configured
@throw DATA-PROVIDER-ERROR this object does not support the data provider API
*/
DataProvider::AbstractDataProvider getDataProvider() {
if (opts.validator || opts.swagger) {
# get a REST client object without connecting
AwsRestClient rest = get(False);
# get any validator
*AbstractRestSchemaValidator validator = rest.getValidator();
if (validator) {
# if there's a validator, return the provider
return validator.getDataProvider(rest);
}
}
# to avoid circular dependencies, this object loads the RestClientDataProvider and creates the data provider
# object dynamically
load_module("AwsRestClientDataProvider");
return create_object("AwsRestClientDataProvider", get());
}
#! returns @ref True, as this connection always returns a data provider with the @ref getDataProvider() method
/** @return @ref True, as this connection always returns a data provider with the @ref getDataProvider() method
@see @ref getDataProvider()
*/
bool hasDataProvider() {
return True;
}
#! returns a @ref AwsRestClient::AwsRestClient object
/** @param connect if @ref True "True", then the connection is returned already connected
@param rtopts this connection type does not accept any runtime options, so this parameter is ignored
@return a @ref AwsRestClient::AwsRestClient "AwsRestClient" object
*/
private AwsRestClient getImpl(bool connect = True, *hash<auto> rtopts) {
return new AwsRestClient(real_opts, !connect);
}
#! Returns the ConnectionSchemeInfo hash for this object
private hash<ConnectionSchemeInfo> getConnectionSchemeInfoImpl() {
return ConnectionScheme;
}
}
}