feat: nginx-lambda-gateway framework

Author: shawnhankim

GNUmakefile renamed to GNUmakefile.old

@@ -18,8 +18,8 @@ submodule:
 	git submodule foreach 'git fetch origin; git checkout $$(git rev-parse --abbrev-ref HEAD); git reset --hard origin/$$(git rev-parse --abbrev-ref HEAD); git submodule update --recursive; git clean -dfx'
 
 start-plus:
-	docker build --file Dockerfile.plus --tag nginx-plus-s3-test --tag nginx-plus-s3-test:plus .
-	docker run --env-file ./settings.test --publish 81:80 --name nginx-plus-s3-test nginx-plus-s3-test:plus
+	# docker build --file Dockerfile.plus --tag nginx-plus-s3-test --tag nginx-plus-s3-test:plus .
+	# docker run --env-file ./settings.test --publish 81:80 --name nginx-plus-s3-test nginx-plus-s3-test:plus
 
 start:
 	docker-compose up -d

Makefile

@@ -48,7 +48,7 @@ const DEFAULT_SIGNED_HEADERS = 'host;x-amz-content-sha256;x-amz-date';
 function signatureV4(r, timestamp, region, service, uri, queryParams, host, credentials) {
     const eightDigitDate = utils.getEightDigitDate(timestamp);
     const amzDatetime = utils.getAmzDatetime(timestamp, eightDigitDate);
-    const canonicalRequest = _buildCanonicalRequest(
+    const canonicalRequest = _buildCanonicalRequest(r,
         r.method, uri, queryParams, host, amzDatetime, credentials.sessionToken);
     const signature = _buildSignatureV4(r, amzDatetime, eightDigitDate,
         credentials, region, service, canonicalRequest);
@@ -73,7 +73,16 @@ function signatureV4(r, timestamp, region, service, uri, queryParams, host, cred
  * @returns {string} string with concatenated request parameters
  * @private
  */
-function _buildCanonicalRequest(method, uri, queryParams, host, amzDatetime, sessionToken) {
+function _buildCanonicalRequest(r,
+    method, uri, queryParams, host, amzDatetime, sessionToken) {
+    r.log('##### ---------------------------- #####')
+    r.log('     _buildCanonicalRequest(): ')
+    r.log('       - uri        : ' + uri)
+    r.log('       - method     : ' + method)
+    r.log('       - queryParams: ' + queryParams)
+    r.log('       - host       : ' + host)
+    r.log('       - amzDatetime: ' + amzDatetime)
+
     let canonicalHeaders = 'host:' + host + '\n' +
         'x-amz-content-sha256:' + EMPTY_PAYLOAD_HASH + '\n' +
         'x-amz-date:' + amzDatetime + '\n';

common/etc/nginx/include/awssig4.js

@@ -0,0 +1,236 @@
+/*
+ *  Copyright 2023 F5, Inc.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+import awscred from "./awscredentials.js";
+import awssig4 from "./awssig4.js";
+import utils from "./utils.js";
+
+/**
+ * Constant defining the service requests are being signed for.
+ * @type {string}
+ */
+const SERVICE = 'lambda';
+
+utils.requireEnvVar('LAMBDA_SERVER');
+utils.requireEnvVar('LAMBDA_SERVER_PROTO');
+utils.requireEnvVar('LAMBDA_SERVER_PORT');
+utils.requireEnvVar('LAMBDA_REGION');
+
+
+/**
+ * Creates an AWS authentication signature based on the global settings and
+ * the passed request parameter.
+ *
+ * @param r {Request} HTTP request object
+ * @returns {string} AWS authentication signature
+ */
+function lambdaAuth(r) {
+    const host = process.env['LAMBDA_SERVER'];
+    const region = process.env['LAMBDA_REGION'];
+    // const uri = '/2015-03-31/' + r.variables.request_uri + '/invocations';
+    r.log('#### URI for lambdaAuth(): ' + r.variables.request_uri)
+    const queryParams = '';
+    const credentials = awscred.readCredentials(r);
+
+    let signature = awssig4.signatureV4(
+        r, awscred.getNow(), region, SERVICE, 
+        r.variables.request_uri, queryParams, host, credentials
+    );
+    return signature;
+}
+
+/**
+ * Redirects the request to the appropriate location. 
+ *
+ * @param r {Request} HTTP request object
+ */
+function redirectToLambda(r) {
+    r.internalRedirect("@lambda");
+}
+
+/**
+ * Returns the Lambda path given the incoming request
+ *
+ * @param r HTTP request
+ * @returns {string} uri for Lambda request
+ */
+function lambdaURI(r) {
+    let uriPath = r.variables.uri_path;
+    let path = _escapeURIPath(uriPath);
+    utils.debug_log(r, 'AWS Lambda Request URI: ' + path);
+    return path;
+}
+
+/**
+ * Flag indicating debug mode operation. If true, additional information
+ * about signature generation will be logged.
+ * @type {boolean}
+ */
+
+const ADDITIONAL_HEADER_PREFIXES_TO_STRIP = utils.parseArray(process.env['HEADER_PREFIXES_TO_STRIP']);
+
+/**
+ * Default filename for index pages to be read off of the backing object store.
+ * @type {string}
+ */
+const INDEX_PAGE = "index.html";
+
+/**
+ * Transform the headers returned from Lambda such that there isn't information
+ * leakage about Lambda and do other tasks needed for appropriate gateway output.
+ * @param r HTTP request
+ */
+function editHeaders(r) {
+    /* Strips all x-amz- headers from the output HTTP headers so that the
+     * requesters to the gateway will not know you are proxying Lambda. */
+    if ('headersOut' in r) {
+        for (const key in r.headersOut) {
+            if (_isHeaderToBeStripped(
+                key.toLowerCase(), ADDITIONAL_HEADER_PREFIXES_TO_STRIP)) {
+                delete r.headersOut[key];
+            }
+        }
+    }
+}
+
+/**
+ * Determines if a given HTTP header should be removed before being
+ * sent on to the requesting client.
+ * @param headerName {string} Lowercase HTTP header name
+ * @param additionalHeadersToStrip {Array[string]} array of additional headers to remove
+ * @returns {boolean} true if header should be removed
+ */
+function _isHeaderToBeStripped(headerName, additionalHeadersToStrip) {
+    if (headerName.indexOf('x-amz-', 0) >= 0) {
+        return true;
+    }
+
+    for (let i = 0; i < additionalHeadersToStrip.length; i++) {
+        const headerToStrip = additionalHeadersToStrip[i];
+        if (headerName.indexOf(headerToStrip, 0) >= 0) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+/**
+ * Outputs the timestamp used to sign the request, so that it can be added to
+ * the 'Date' header and sent by NGINX.
+ *
+ * @param r {Request} HTTP request object (not used, but required for NGINX configuration)
+ * @returns {string} RFC2616 timestamp
+ */
+function lambdaDate(r) {
+    return awscred.getNow().toUTCString();
+}
+
+/**
+ * Outputs the timestamp used to sign the request, so that it can be added to
+ * the 'x-amz-date' header and sent by NGINX. The output format is
+ * ISO 8601: YYYYMMDD'T'HHMMSS'Z'.
+ * @see {@link https://docs.aws.amazon.com/general/latest/gr/sigv4-date-handling.html | Handling dates in Signature Version 4}
+ *
+ * @param r {Request} HTTP request object (not used, but required for NGINX configuration)
+ * @returns {string} ISO 8601 timestamp
+ */
+function awsHeaderDate(r) {
+    return utils.getAmzDatetime(
+        awscred.getNow(), 
+        utils.getEightDigitDate(awscred.getNow())
+    );
+}
+
+function trailslashControl(r) {
+    if (APPEND_SLASH) {
+        const hasExtension = /\/[^.\/]+\.[^.]+$/;
+        if (!hasExtension.test(r.variables.uri_path)  && !_isDirectory(r.variables.uri_path)){
+            return r.internalRedirect("@trailslash");
+        }
+    }
+    r.internalRedirect("@error404");
+}
+
+/**
+ * Adds additional encoding to a URI component
+ *
+ * @param string {string} string to encode
+ * @returns {string} an encoded string
+ * @private
+ */
+function _encodeURIComponent(string) {
+    return encodeURIComponent(string)
+        .replace(/[!*'()]/g, (c) =>
+            `%${c.charCodeAt(0).toString(16).toUpperCase()}`);
+}
+
+/**
+ * Escapes the path portion of a URI without escaping the path separator
+ * characters (/).
+ *
+ * @param uri {string} unescaped URI
+ * @returns {string} URI with each path component separately escaped
+ * @private
+ */
+function _escapeURIPath(uri) {
+    // Check to see if the URI path was already encoded. If so, we decode it.
+    let decodedUri = (uri.indexOf('%') >= 0) ? decodeURIComponent(uri) : uri;
+    let components = [];
+
+    decodedUri.split('/').forEach(function (item, i) {
+        components[i] = _encodeURIComponent(item);
+    });
+
+    return components.join('/');
+}
+
+/**
+ * Determines if a given path is a directory based on whether or not the last
+ * character in the path is a forward slash (/).
+ *
+ * @param path {string} path to parse
+ * @returns {boolean} true if path is a directory
+ * @private
+ */
+function _isDirectory(path) {
+    if (path === undefined) {
+        return false;
+    }
+    const len = path.length;
+
+    if (len < 1) {
+        return false;
+    }
+
+    return path.charAt(len - 1) === '/';
+}
+
+
+export default {
+    awsHeaderDate,
+    editHeaders,
+    lambdaAuth,
+    lambdaDate,
+    lambdaURI,
+    redirectToLambda,
+    trailslashControl,
+    // These functions do not need to be exposed, but they are exposed so that
+    // unit tests can run against them.
+    _encodeURIComponent,
+    _escapeURIPath,
+    _isHeaderToBeStripped
+};

common/etc/nginx/include/lambdagateway.js

@@ -127,11 +127,27 @@ function getEightDigitDate(timestamp) {
         padWithLeadingZeros(day,2));
 }
 
+
+/**
+ * Checks to see if the given environment variable is present. If not, an error
+ * is thrown.
+ * @param envVarName {string} environment variable to check for
+ * @private
+ */
+function requireEnvVar(envVarName) {
+    const isSet = envVarName in process.env;
+
+    if (!isSet) {
+        throw('Required environment variable ' + envVarName + ' is missing');
+    }
+}
+
 export default {
     debug_log,
     getAmzDatetime,
     getEightDigitDate,
     padWithLeadingZeros,
     parseArray,
-    parseBoolean
+    parseBoolean,
+    requireEnvVar
 }

common/etc/nginx/include/utils.js

@@ -1,5 +1,6 @@
 js_import /etc/nginx/include/awscredentials.js;
 js_import /etc/nginx/include/s3gateway.js;
+js_import /etc/nginx/include/lambdagateway.js;
 
 # We include only the variables needed for the authentication signatures that
 # we plan to use.
@@ -18,12 +19,20 @@ map $S3_STYLE $s3_host_hdr {
     default "${S3_BUCKET_NAME}.${S3_SERVER}";
 }
 
+map $host $lambda_host {
+    default "https://lambda.us-east-2.amazonaws.com";
+}
+
 js_var $indexIsEmpty true;
+
 # This creates the HTTP authentication header to be sent to S3
 js_set $s3auth s3gateway.s3auth;
 js_set $awsSessionToken awscredentials.sessionToken;
 js_set $s3uri s3gateway.s3uri;
 
+js_set $lambdaAuth lambdagateway.lambdaAuth;
+js_set $lambdaURI  lambdagateway.lambdaURI;
+
 server {
     include /etc/nginx/conf.d/gateway/server_variables.conf;
 
@@ -83,7 +92,8 @@ server {
         # Redirect to the proper location based on the client request - either
         # @s3, @s3Listing or @error405.
 
-        js_content s3gateway.redirectToS3;
+        #js_content s3gateway.redirectToS3;
+        js_content lambdagateway.redirectToLambda;
     }
 
     location /aws/credentials/retrieve {
@@ -93,6 +103,57 @@ server {
         include /etc/nginx/conf.d/gateway/js_fetch_trusted_certificate.conf;
     }
 
+    location @lambda {
+        # We include only the headers needed for the authentication signatures that
+        # we plan to use.
+        include /etc/nginx/conf.d/gateway/v${AWS_SIGS_VERSION}_headers.conf;
+
+        # The CORS configuration needs to be imported in several places in order for
+        # it to be applied within different contexts.
+        # include /etc/nginx/conf.d/gateway/cors.conf;
+
+        # Don't allow any headers from the client - we don't want them messing
+        # with Lambda at all.
+        proxy_pass_request_headers off;
+
+        # Enable passing of the server name through TLS Server Name Indication extension.
+        proxy_ssl_server_name on;
+        #proxy_ssl_name ${LAMBDA_SERVER};
+
+        # Set the Authorization header to the AWS Signatures credentials
+        proxy_set_header Authorization $lambdaAuth;
+        proxy_set_header X-Amz-Security-Token $awsSessionToken;
+
+        # We set the host as the bucket name to inform the S3 API of the bucket
+        #proxy_set_header Host $s3_host_hdr;
+
+        # Use keep alive connections in order to improve performance
+        proxy_http_version 1.1;
+        proxy_set_header Connection '';
+        proxy_method POST;
+
+        # We strip off all of the AWS specific headers from the server so that
+        # there is nothing identifying the object as having originated in an
+        # object store.
+        #js_header_filter s3gateway.editHeaders;
+
+        # Catch all errors from S3 and sanitize them so that the user can't
+        # gain intelligence about the S3 bucket being proxied.
+        proxy_intercept_errors on;
+
+        # Comment out this line to receive the error messages returned by Lambda
+        #error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 =404 @error404;
+
+        #error_page 404 @trailslashControl;
+
+        #proxy_pass ${S3_SERVER_PROTO}://storage_urls$s3uri;
+        #proxy_pass ${LAMBDA_SERVER_PROTO}://lambda_urls$lambdaURI;
+        proxy_pass $lambda_host$lambdaURI;
+        #proxy_pass https://lambda.us-east-2.amazonaws.com/2015-03-31/functions/nginx-serverless/invocations;
+
+        #include /etc/nginx/conf.d/gateway/s3_location.conf;
+    }
+
     location @s3 {
         # We include only the headers needed for the authentication signatures that
         # we plan to use.