Add IoT cert/key authentication method
Pavlo Kolomiiets
committed
Mar 16, 2021
1 parent
ad90140
commit 635c0e3
Showing
5 changed files
with
215 additions
and
5 deletions.
20 changes: 20 additions & 0 deletions
20
kinesis_video_streamer/config/node_sample_configuration.yaml
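--- a/kinesis_video_streamer/include/kinesis_video_streamer/credentials.h
+++ b/kinesis_video_streamer/include/kinesis_video_streamer/credentials.h
@@ -0,0 +1,49 @@
+#pragma once
+
+#include <aws/core/auth/AWSCredentialsProviderChain.h>
+#include <aws_common/sdk_utils/auth/service_credentials_provider.h>
+#include <kinesis-video-producer/Auth.h>
+
+namespace Aws
+{
+namespace Auth
+{
+/**
+* Creates an AWSCredentialsProviderChain which uses in order IotRoleCredentialsProvider and EnvironmentAWSCredentialsProvider.
+*/
+class CustomAWSCredentialsProviderChain : public AWSCredentialsProviderChain
+{
+public:
+CustomAWSCredentialsProviderChain() = default;
+
+/**
+* Initializes the provider chain with IotRoleCredentialsProvider and EnvironmentAWSCredentialsProvider in that order.
+*
+* @param config Configuration for available credential providers
+*/
+CustomAWSCredentialsProviderChain(const ServiceAuthConfig &config);
+};
+
+} // namespace Auth
+} // namespace Aws
+
+
+namespace Aws {
+namespace Kinesis {
+/**
+* Credentials provider which uses the AWS SDK's default credential provider chain.
+* @note You need to have called Aws::InitAPI before using this provider.
+*/
+class CustomProducerSdkAWSCredentialsProvider : public com::amazonaws::kinesis::video::CredentialProvider
+{
+public:
+CustomProducerSdkAWSCredentialsProvider(std::shared_ptr<Aws::Auth::AWSCredentialsProvider>
+aws_credentials_provider = nullptr);
+private:
+std::shared_ptr<Aws::Auth::AWSCredentialsProvider> aws_credentials_provider_;
+
+void updateCredentials(com::amazonaws::kinesis::video::Credentials & producer_sdk_credentials) override;
+};
+
+} // namespace Kinesis
+} // namespace Aws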
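Review bot: The class comment and the constructor comment on CustomAWSCredentialsProviderChain both state the chain consists of IotRoleCredentialsProvider followed by EnvironmentAWSCredentialsProvider, but the constructor body added in this same commit also appends ProfileConfigFileAWSCredentialsProvider and then either an ECS task-role or an EC2 instance-profile provider, so a reader of the header would misjudge which credential sources a node can silently fall back to. Suggest replacing the class comment with `* Creates an AWSCredentialsProviderChain which tries, in order: IotRoleCredentialsProvider (only when the IoT cert/key config is complete), EnvironmentAWSCredentialsProvider, ProfileConfigFileAWSCredentialsProvider, then the ECS task-role provider or, unless AWS_EC2_METADATA_DISABLED=true, the EC2 instance-profile provider.` and aligning the constructor comment with it. The single-argument constructor `CustomAWSCredentialsProviderChain(const ServiceAuthConfig &config);` could also be marked `explicit` so a ServiceAuthConfig is never implicitly converted into a provider chain. The same stale "uses the AWS SDK's default credential provider chain" comment appears on CustomProducerSdkAWSCredentialsProvider, which is only true when the constructor argument is left null.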
@@ -0,0 +1,121 @@ | ||
#include <aws/core/platform/Environment.h> | ||
#include <aws/core/utils/logging/LogMacros.h> | ||
|
||
#include <kinesis_video_streamer/credentials.h> | ||
|
||
using namespace Aws::Auth; | ||
|
||
/// Logging tag used for all messages emitting from this module | ||
static const char AWS_LOG_TAG[] = "CustomAWSCredentialsProviderChain"; | ||
static const char AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI[] = "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"; | ||
static const char AWS_ECS_CONTAINER_CREDENTIALS_FULL_URI[] = "AWS_CONTAINER_CREDENTIALS_FULL_URI"; | ||
static const char AWS_ECS_CONTAINER_AUTHORIZATION_TOKEN[] = "AWS_CONTAINER_AUTHORIZATION_TOKEN"; | ||
static const char AWS_EC2_METADATA_DISABLED[] = "AWS_EC2_METADATA_DISABLED"; | ||
|
||
namespace Aws | ||
{ | ||
namespace Auth | ||
{ | ||
|
||
/** | ||
* \brief Validates an instance of an IotRoleConfig struct | ||
* @param config The struct to validate | ||
* @return True if the struct is valid, meaning all the config needed to connect is there | ||
*/ | ||
static bool IsIotConfigValid(const IotRoleConfig & config) | ||
{ | ||
return config.cafile.length() > 0 && config.certfile.length() > 0 && | ||
config.keyfile.length() > 0 && config.host.length() > 0 && config.role.length() > 0 && | ||
config.name.length() > 0 && config.connect_timeout_ms > 0 && config.total_timeout_ms > 0; | ||
} | ||
|
||
CustomAWSCredentialsProviderChain::CustomAWSCredentialsProviderChain(const ServiceAuthConfig &config): | ||
AWSCredentialsProviderChain() | ||
{ | ||
// Add IoT credentials provider if valid | ||
if (IsIotConfigValid(config.iot)) { | ||
AWS_LOG_INFO(AWS_LOG_TAG, "Found valid IoT auth config, adding IotRoleCredentialsProvider"); | ||
auto provider = Aws::MakeShared<IotRoleCredentialsProvider>(__func__, config.iot); | ||
AddProvider(provider); | ||
} else { | ||
AWS_LOG_INFO(AWS_LOG_TAG, "No valid IoT auth config, skipping IotRoleCredentialsProvider"); | ||
} | ||
|
||
// Add environment credentials provider | ||
AddProvider(Aws::MakeShared<EnvironmentAWSCredentialsProvider>(AWS_LOG_TAG)); | ||
AddProvider(Aws::MakeShared<ProfileConfigFileAWSCredentialsProvider>(AWS_LOG_TAG)); | ||
|
||
//ECS TaskRole Credentials only available when ENVIRONMENT VARIABLE is set | ||
const auto relativeUri = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI); | ||
AWS_LOGSTREAM_DEBUG(AWS_LOG_TAG, "The environment variable value " << AWS_ECS_CONTAINER_CREDENTIALS_RELATIVE_URI | ||
<< " is " << relativeUri); | ||
|
||
const auto absoluteUri = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_CREDENTIALS_FULL_URI); | ||
AWS_LOGSTREAM_DEBUG(AWS_LOG_TAG, "The environment variable value " << AWS_ECS_CONTAINER_CREDENTIALS_FULL_URI | ||
<< " is " << absoluteUri); | ||
|
||
const auto ec2MetadataDisabled = Aws::Environment::GetEnv(AWS_EC2_METADATA_DISABLED); | ||
AWS_LOGSTREAM_DEBUG(AWS_LOG_TAG, "The environment variable value " << AWS_EC2_METADATA_DISABLED | ||
<< " is " << ec2MetadataDisabled); | ||
|
||
if (!relativeUri.empty()) | ||
{ | ||
AddProvider(Aws::MakeShared<TaskRoleCredentialsProvider>(AWS_LOG_TAG, relativeUri.c_str())); | ||
AWS_LOGSTREAM_INFO(AWS_LOG_TAG, "Added ECS metadata service credentials provider with relative path: [" | ||
<< relativeUri << "] to the provider chain."); | ||
} | ||
else if (!absoluteUri.empty()) | ||
{ | ||
const auto token = Aws::Environment::GetEnv(AWS_ECS_CONTAINER_AUTHORIZATION_TOKEN); | ||
AddProvider(Aws::MakeShared<TaskRoleCredentialsProvider>(AWS_LOG_TAG, | ||
absoluteUri.c_str(), token.c_str())); | ||
|
||
//DO NOT log the value of the authorization token for security purposes. | ||
AWS_LOGSTREAM_INFO(AWS_LOG_TAG, "Added ECS credentials provider with URI: [" | ||
<< absoluteUri << "] to the provider chain with a" << (token.empty() ? "n empty " : " non-empty ") | ||
<< "authorization token."); | ||
} | ||
else if (Aws::Utils::StringUtils::ToLower(ec2MetadataDisabled.c_str()) != "true") | ||
{ | ||
AddProvider(Aws::MakeShared<InstanceProfileCredentialsProvider>(AWS_LOG_TAG)); | ||
AWS_LOGSTREAM_INFO(AWS_LOG_TAG, "Added EC2 metadata service credentials provider to the provider chain."); | ||
} | ||
} | ||
|
||
} // namespace Auth | ||
} // namespace Aws | ||
|
||
namespace Aws { | ||
namespace Kinesis { | ||
/** | ||
* Credentials provider which uses the AWS SDK's default credential provider chain. | ||
* @note You need to have called Aws::InitAPI before using this provider. | ||
*/ | ||
CustomProducerSdkAWSCredentialsProvider::CustomProducerSdkAWSCredentialsProvider( | ||
std::shared_ptr<Aws::Auth::AWSCredentialsProvider> aws_credentials_provider) | ||
{ | ||
if (aws_credentials_provider) { | ||
aws_credentials_provider_ = aws_credentials_provider; | ||
} else { | ||
aws_credentials_provider_ = | ||
Aws::MakeShared<Aws::Auth::DefaultAWSCredentialsProviderChain>(__func__); | ||
} | ||
} | ||
|
||
void CustomProducerSdkAWSCredentialsProvider::updateCredentials( | ||
com::amazonaws::kinesis::video::Credentials & producer_sdk_credentials) | ||
{ | ||
Aws::Auth::AWSCredentials aws_sdk_credentials = | ||
aws_credentials_provider_->GetAWSCredentials(); | ||
producer_sdk_credentials.setAccessKey(aws_sdk_credentials.GetAWSAccessKeyId().c_str()); | ||
producer_sdk_credentials.setSecretKey(aws_sdk_credentials.GetAWSSecretKey().c_str()); | ||
producer_sdk_credentials.setSessionToken(aws_sdk_credentials.GetSessionToken().c_str()); | ||
auto now = std::chrono::duration_cast<std::chrono::seconds>( | ||
std::chrono::system_clock::now().time_since_epoch()); | ||
auto refresh_interval = std::chrono::duration_cast<std::chrono::seconds>( | ||
std::chrono::milliseconds(Aws::Auth::REFRESH_THRESHOLD)); | ||
producer_sdk_credentials.setExpiration(now + refresh_interval); | ||
} | ||
|
||
} // namespace Kinesis | ||
} // namespace Aws |
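Review bot: updateCredentials stamps every credential set with `now + REFRESH_THRESHOLD` and never consults the expiry the underlying provider reported, so when IotRoleCredentialsProvider (short-lived role credentials obtained with the cert/key) is the active provider the producer SDK may keep signing with credentials past their real expiry until its own refresh fires, or refresh more often than needed. If the aws-sdk-cpp version in use exposes `aws_sdk_credentials.GetExpiration()`, clamp the value passed to setExpiration to the earlier of that expiry (converted to seconds since the epoch) and `now + refresh_interval`. `GetAWSCredentials()` also returns an empty AWSCredentials rather than failing when no provider in the chain succeeds, so an `if (aws_sdk_credentials.IsEmpty()) { AWS_LOG_ERROR(...); }` before the three setters would turn a silent authentication failure into an actionable log line instead of sending empty keys to Kinesis. The class comment at the top of the second namespace block still claims the provider uses the SDK's default chain, which only holds on the null-argument path of the constructor.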