aws: Implementation of IAM Roles anywhere support in aws request signing - part 2#39025
aws: Implementation of IAM Roles anywhere support in aws request signing - part 2#39025adisuissa merged 105 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
|
@adisuissa have addressed all feedback previously provided. |
|
/retest |
|
/retest |
| namespace Aws { | ||
|
|
||
| // Example certificates generated for test cases | ||
| std::string server_root_cert_rsa_pem = R"EOF( |
There was a problem hiding this comment.
I'm not an expert, but just want to make sure these certificates won't expire in the future, and some tests will fail.
If that's possible, I suggest decoupling the certificates from the test (please see other places where certificates testing is being done).
Please also consider future maintenance of this - say one wants to change the certificate, how can that be done in a safe way so it doesn't break the current tests?
There was a problem hiding this comment.
These tests are just validating signature generation. Whilst the certificates have to be valid enough to pass through our certificate loading algorithms, the expiration of the certificate is only taken into account during the credential refresh process and not during signature generation.
We should not need to rotate these certificates at all, as the only output that we care about are the raw signature bytes.
Certificate expiration is validated server side, however we don't currently validate that in this code apart from using it to determine when to refresh the certificates. I will add some extra code to reject already expired certificates on envoy side - thank you for pointing this out.
There was a problem hiding this comment.
Regarding the certificates expiring in the future, because the tests are dependent on the system time to generate a repeatable signature, we hardwire the systemtime in each test case. The certificates will not expire in our test scenarios, because the system time is always set to a fixed (earlier) value.
test/extensions/common/aws/credential_providers/iam_roles_anywhere_credentials_provider_test.cc
Show resolved
Hide resolved
| << TestUtility::addLeftAndRightPadding("") // line full of padding | ||
| << "\n"; | ||
| } | ||
| } |
There was a problem hiding this comment.
Just to validate: no need to compare trailers in this case, correct?
There was a problem hiding this comment.
correct - this is just checking headers and body for the correct iam roles anywhere payload
| Http::RequestMessageImpl message(std::move(headers)); | ||
| message.headers().setCopy( | ||
| Http::LowerCaseString("authorization"), | ||
| "AWS4-X509-RSA-SHA256 " |
There was a problem hiding this comment.
IMHO this somewhat fragile, and it may cause an issue if one wants to change the certificates in the future.
I suggest at least an explanation of how these were created so one can change it in the future.
There was a problem hiding this comment.
This is actually by design - it's validating that given a known input that our output signatures are accurate.
I generated the test signatures with a tool based on https://github.com/awslabs/iam-roles-anywhere-session
I have included this tool as test/extensions/common/aws/credential_providers/iam_roles_anywhere_test_generator.py now and added a comment to refer to using this tool.
There was a problem hiding this comment.
Can you add the comments at the beginning of this file?
IMHO there should be a way to map which of the things generated by the python file need to be copied to each of these fields.
If this was a core Envoy code I would probably suggest to make this more maintainable-friendly (just for the sake of the future person that will need to adjust these tests), but as this is an AWS only extension, I'll let you decide how to maintain that.
...e/extensions/common/aws/credential_providers/iam_roles_anywhere_x509_credentials_provider.cc
Outdated
Show resolved
Hide resolved
source/common/tls/utility.cc
Outdated
| }(); | ||
| return *e; | ||
| const ASN1_TIME& Utility::epochASN1Time() { | ||
| static thread_local CSmartPtr<ASN1_TIME, ASN1_TIME_free> epoch([]() -> ASN1_TIME* { |
There was a problem hiding this comment.
As far as I understand it, originally this was a static object that was initialized once and used by all threads until the entire process goes out of context. The idea behind this internal function is probably to follow the CONSTRUCT_ON_FIRST_USE pattern.
I guess it can "leak" only if the program (and the main thread) exists, but the question is whether duplicating it to all worker threads makes sense or not. If there's a case for per-thread duplication, I think we may need to address it in many places in Envoy (or maybe introduce CONSTRUCT_THREAD_LOCAL_ON_FIRST_USE. cc @agrawroh to see if this should be followed up.
Taking a step back, I don't think this function should be exposed as part of the API. I've added a comment in the place of usage, describing an alternative.
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
|
@adisuissa please note I changed |
...e/extensions/common/aws/credential_providers/iam_roles_anywhere_x509_credentials_provider.cc
Show resolved
Hide resolved
| Http::RequestMessageImpl message(std::move(headers)); | ||
| message.headers().setCopy( | ||
| Http::LowerCaseString("authorization"), | ||
| "AWS4-X509-RSA-SHA256 " |
There was a problem hiding this comment.
Can you add the comments at the beginning of this file?
IMHO there should be a way to map which of the things generated by the python file need to be copied to each of these fields.
If this was a core Envoy code I would probably suggest to make this more maintainable-friendly (just for the sake of the future person that will need to adjust these tests), but as this is an AWS only extension, I'll let you decide how to maintain that.
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
| boto3.set_stream_logger('', logging.DEBUG) | ||
|
|
||
| if sys.argv[1] == "1": | ||
| # used for StandardRSASigning test |
There was a problem hiding this comment.
Comments added here to indicate which test case the generator is for
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
Signed-off-by: Nigel Brittain <nbaws@amazon.com>
adisuissa
left a comment
There was a problem hiding this comment.
LGTM thanks!
/lgtm api
|
extension-only code changes by code-owner, merging. |
…ing - part 2 (envoyproxy#39025) Signed-off-by: Nigel Brittain <nbaws@amazon.com> Signed-off-by: Peter Leng <yleng@pinterest.com>
|
@niax @agrawroh @adisuissa thank you for all the time and attention to this PR, it is greatly appreciated! |
…ing - part 2 (envoyproxy#39025) Signed-off-by: Nigel Brittain <nbaws@amazon.com> Signed-off-by: Ting Pan <panting@google.com>
…ing - part 3 (#39521) Commit Message: aws: Implementation of IAM Roles anywhere support in aws request signing - part 3 Additional Description: Part 3 of 3 patches to implement IAM Roles anywhere capability. Integrates the previously added components with the credential chain and unhides the IAM Roles Anywhere credential provider definition in the API. Also reverts the coverage limit created in #39138 back to default coverage requirements. Design brief: #37440 Part 2 of this patch: #39025 (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) Risk Level: Low - extension only changes Testing: Unit Docs Changes: N/A Release Notes: N/A Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain <nbaws@amazon.com>
…ing - part 3 (#39521) Commit Message: aws: Implementation of IAM Roles anywhere support in aws request signing - part 3 Additional Description: Part 3 of 3 patches to implement IAM Roles anywhere capability. Integrates the previously added components with the credential chain and unhides the IAM Roles Anywhere credential provider definition in the API. Also reverts the coverage limit created in envoyproxy/envoy#39138 back to default coverage requirements. Design brief: envoyproxy/envoy#37440 Part 2 of this patch: envoyproxy/envoy#39025 (https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) Risk Level: Low - extension only changes Testing: Unit Docs Changes: N/A Release Notes: N/A Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: Nigel Brittain <nbaws@amazon.com> Mirrored from https://github.com/envoyproxy/envoy @ 1ed3da6fe3c72d15008d8abb110573db3b3e5091
Commit Message: aws: Implementation of IAM Roles anywhere support in aws request signing - part 2
Additional Description:
Part 2 of 3 patches to implement IAM Roles anywhere capability. Adds IAM Roles Anywhere credential provider, x509 credential provider and the IAM Roles Anywhere Signer.
Design brief: #37440
Previous PR: #37193
Part 1 of this patch: #38786
(https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)
Risk Level: Negligible - code currently unlinked
Testing: Unit
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]