1 //
2 // Copyright 2020 gRPC authors.
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //     http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_AWS_REQUEST_SIGNER_H
18 #define GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_AWS_REQUEST_SIGNER_H
19 
20 #include <grpc/support/port_platform.h>
21 
22 #include <map>
23 #include <string>
24 
25 #include "src/core/lib/iomgr/error.h"
26 #include "src/core/lib/uri/uri_parser.h"
27 
28 namespace grpc_core {
29 
30 // Implements an AWS API request signer based on the AWS Signature Version 4
31 // signing process.
32 // https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
33 // To retrieve the subject token in AwsExternalAccountCredentials, we need to
34 // sign a request to an AWS server and use the signed request as the subject
35 // token. This class is a utility to sign an AWS request.
36 class AwsRequestSigner {
37  public:
38   // Constructs a signer with the information needed to sign a request.
39   // `access_key_id`, `secret_access_key` and `token` are the AWS credentials
40   // required for signing. `method` and `url` are the HTTP method and URL of
41   // the request. `region` is the region of the AWS environment.
42   // `request_payload` is the payload of the HTTP request. `additional_headers`
43   // are additional headers to be injected into the request.
44   AwsRequestSigner(std::string access_key_id, std::string secret_access_key,
45                    std::string token, std::string method, std::string url,
46                    std::string region, std::string request_payload,
47                    std::map<std::string, std::string> additional_headers,
48                    grpc_error** error);  // out-param; presumably set on failure (verify)
49 
50   // Triggers the signing process and returns the headers of the signed
51   // request as a map; an empty map is returned if there is an error.
52   // NOTE(review): this method takes no `error` argument; the only `error`
53   // visible here is the constructor's; confirm where failures are reported.
54   std::map<std::string, std::string> GetSignedRequestHeaders();
55 
56  private:  // NOTE(review): no destructor declared; credentials below are not wiped.
57   std::string access_key_id_;
58   std::string secret_access_key_;  // Secret credential: keep out of logs.
59   std::string token_;              // Credential: keep out of logs.
60   std::string method_;
61   URI url_;  // `url` arrives as a string; presumably parsed in the constructor.
62   std::string region_;
63   std::string request_payload_;
64   std::map<std::string, std::string> additional_headers_;
65 
66   std::string static_request_date_;
67   std::map<std::string, std::string> request_headers_;
68 };
69 
70 }  // namespace grpc_core
71 
72 #endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_EXTERNAL_AWS_REQUEST_SIGNER_H
73