AWS sigv4 support for subgraph requests #134 #3365

Merged: 58 commits, Aug 7, 2023
Changes from 50 commits
f20a7d8
wip
o0Ignition0o Jul 4, 2023
7cb2b59
add subgraph_authentication plugin to the list of apollo optional plu…
o0Ignition0o Jul 4, 2023
4b5109d
typo...
o0Ignition0o Jul 4, 2023
8ae25fd
add placeholder comments to see how ci behaves
o0Ignition0o Jul 4, 2023
8d4f74a
add snap
o0Ignition0o Jul 4, 2023
d8b328f
wip
o0Ignition0o Jul 5, 2023
c433d65
wip
o0Ignition0o Jul 5, 2023
b8b5d7f
wip
o0Ignition0o Jul 5, 2023
ce00838
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Jul 7, 2023
b9cab88
early wip, but getting there
o0Ignition0o Jul 7, 2023
1ce3581
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Jul 10, 2023
dbd0fc2
wip
o0Ignition0o Jul 10, 2023
95de342
wip
o0Ignition0o Jul 10, 2023
d253dc7
wip
o0Ignition0o Jul 11, 2023
c8fc74e
wip
o0Ignition0o Jul 11, 2023
cba2268
wip
o0Ignition0o Jul 11, 2023
3852cd9
wip
o0Ignition0o Jul 11, 2023
baedc8e
wip
o0Ignition0o Jul 11, 2023
32c3b69
wip
o0Ignition0o Jul 11, 2023
d53f635
tests, wipi
o0Ignition0o Jul 11, 2023
96821e9
wip
o0Ignition0o Jul 11, 2023
2b656ea
first working test \o/
o0Ignition0o Jul 11, 2023
243dce6
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Jul 11, 2023
f3ed5e8
session -> session_name, role -> role_arn, service -> service_name
o0Ignition0o Jul 12, 2023
6ef1fac
move assumerole to respective configurations
o0Ignition0o Jul 12, 2023
7da2b86
refactor make signing params
o0Ignition0o Jul 12, 2023
f8234c1
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Jul 13, 2023
ac8400b
start documenting configuration
o0Ignition0o Jul 13, 2023
e62a035
update documentation
o0Ignition0o Jul 13, 2023
4ed37d1
changeset
o0Ignition0o Jul 13, 2023
8dda1a7
update remaining documentation + remove an unwrap
o0Ignition0o Jul 13, 2023
550b003
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Jul 24, 2023
9a6795e
mention that aws-* dependency versions should remain the same
o0Ignition0o Jul 24, 2023
e467769
update comments
o0Ignition0o Jul 24, 2023
7509a06
more docs update
o0Ignition0o Jul 24, 2023
5771292
refactor credentials chain
o0Ignition0o Jul 24, 2023
3b1e524
if we don't have credentials to work with, warn and fail plugin startup
o0Ignition0o Jul 25, 2023
20763ec
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Jul 27, 2023
dc15f32
move the plugin to auth
o0Ignition0o Jul 27, 2023
a5a1f9e
update docs and config path
o0Ignition0o Jul 27, 2023
972f604
nope, authorization doesnt have a router key
o0Ignition0o Jul 27, 2023
6b665d9
update snapshots
o0Ignition0o Jul 28, 2023
20011a4
add a couple of unit tests around payload signing and settings
o0Ignition0o Jul 31, 2023
e3c362c
Add documentation and refactor configuration. Add deny_unknown_fields…
o0Ignition0o Jul 31, 2023
757a58a
rework docs a bit more
o0Ignition0o Jul 31, 2023
f27d5e8
more deny_unknown_fields
o0Ignition0o Jul 31, 2023
170b091
log as error instead of warning if request signing failed
o0Ignition0o Jul 31, 2023
5c3ee56
add counters, and a test
o0Ignition0o Jul 31, 2023
f0214b6
rename subgraph service key
o0Ignition0o Jul 31, 2023
f1322c9
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Jul 31, 2023
704de54
update changelog
o0Ignition0o Jul 31, 2023
89e0d0a
return an error if signing failed
o0Ignition0o Jul 31, 2023
ba41128
hmm cargo xtask dev doesnt run example tests for some reason
o0Ignition0o Aug 1, 2023
c50cbe8
wip
o0Ignition0o Aug 1, 2023
607c9f9
Apply suggestions from code review
o0Ignition0o Aug 4, 2023
d6b6aa0
use a table for default chain auth methods
o0Ignition0o Aug 4, 2023
f4f323e
Merge branch 'dev' into igni/subgraph_auth
o0Ignition0o Aug 7, 2023
d01ab75
docs polish
o0Ignition0o Aug 7, 2023
7 changes: 7 additions & 0 deletions .changesets/feat_igni_subgraph_auth.md
@@ -0,0 +1,7 @@
### Configure AWS sigv4 authentication for subgraph requests ([PR #3365](https://github.com/apollographql/router/pull/3365))

Secure your router to subgraph communication on AWS by using Sigv4!
This changeset provides you with a way to set up Hardcoded credentials, as well as a Default provider chain.
We recommend using the DefaultChain configuration.

By [@o0Ignition0o](https://github.com/o0Ignition0o) and [@BlenderDude](https://github.com/BlenderDude) in https://github.com/apollographql/router/pull/3365
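Review bot: The line "We recommend using the DefaultChain configuration." gives no reason, and the entry never says what choosing the other option costs. Hardcoded credentials mean an access key and secret sit in the router configuration itself, so state that here and say which situation each option is meant for. Two wording nits in the same lines: the heading writes "sigv4" and the body "Sigv4" (AWS spells it SigV4), and the body calls the same option both "Default provider chain" and "DefaultChain".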
300 changes: 300 additions & 0 deletions Cargo.lock
Expand Up @@ -283,6 +283,10 @@ dependencies = [
"async-compression",
"async-trait",
"atty",
"aws-config",
"aws-credential-types",
"aws-sigv4",
"aws-types",
"axum",
"base64 0.20.0",
"brotli",
Expand Down Expand Up @@ -638,6 +642,296 @@ version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"

[[package]]
name = "aws-config"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bcdcf0d683fe9c23d32cf5b53c9918ea0a500375a9fb20109802552658e576c9"
dependencies = [
"aws-credential-types",
"aws-http",
"aws-sdk-sso",
"aws-sdk-sts",
"aws-smithy-async",
"aws-smithy-client",
"aws-smithy-http",
"aws-smithy-http-tower",
"aws-smithy-json",
"aws-smithy-types",
"aws-types",
"bytes",
"fastrand",
"hex",
"http",
"hyper",
"ring",
"time",
"tokio",
"tower",
"tracing",
"zeroize",
]

[[package]]
name = "aws-credential-types"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1fcdb2f7acbc076ff5ad05e7864bdb191ca70a6fd07668dc3a1a8bcd051de5ae"
dependencies = [
"aws-smithy-async",
"aws-smithy-types",
"fastrand",
"tokio",
"tracing",
"zeroize",
]

[[package]]
name = "aws-endpoint"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8cce1c41a6cfaa726adee9ebb9a56fcd2bbfd8be49fd8a04c5e20fd968330b04"
dependencies = [
"aws-smithy-http",
"aws-smithy-types",
"aws-types",
"http",
"regex",
"tracing",
]

[[package]]
name = "aws-http"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aadbc44e7a8f3e71c8b374e03ecd972869eb91dd2bc89ed018954a52ba84bc44"
dependencies = [
"aws-credential-types",
"aws-smithy-http",
"aws-smithy-types",
"aws-types",
"bytes",
"http",
"http-body",
"lazy_static",
"percent-encoding",
"pin-project-lite",
"tracing",
]

[[package]]
name = "aws-sdk-sso"
version = "0.28.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8b812340d86d4a766b2ca73f740dfd47a97c2dff0c06c8517a16d88241957e4"
dependencies = [
"aws-credential-types",
"aws-endpoint",
"aws-http",
"aws-sig-auth",
"aws-smithy-async",
"aws-smithy-client",
"aws-smithy-http",
"aws-smithy-http-tower",
"aws-smithy-json",
"aws-smithy-types",
"aws-types",
"bytes",
"http",
"regex",
"tokio-stream",
"tower",
"tracing",
]

[[package]]
name = "aws-sdk-sts"
version = "0.28.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "265fac131fbfc188e5c3d96652ea90ecc676a934e3174eaaee523c6cec040b3b"
dependencies = [
"aws-credential-types",
"aws-endpoint",
"aws-http",
"aws-sig-auth",
"aws-smithy-async",
"aws-smithy-client",
"aws-smithy-http",
"aws-smithy-http-tower",
"aws-smithy-json",
"aws-smithy-query",
"aws-smithy-types",
"aws-smithy-xml",
"aws-types",
"bytes",
"http",
"regex",
"tower",
"tracing",
]

[[package]]
name = "aws-sig-auth"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3b94acb10af0c879ecd5c7bdf51cda6679a0a4f4643ce630905a77673bfa3c61"
dependencies = [
"aws-credential-types",
"aws-sigv4",
"aws-smithy-http",
"aws-types",
"http",
"tracing",
]

[[package]]
name = "aws-sigv4"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d2ce6f507be68e968a33485ced670111d1cbad161ddbbab1e313c03d37d8f4c"
dependencies = [
"aws-smithy-http",
"form_urlencoded",
"hex",
"hmac",
"http",
"once_cell",
"percent-encoding",
"regex",
"sha2",
"time",
"tracing",
]

[[package]]
name = "aws-smithy-async"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "13bda3996044c202d75b91afeb11a9afae9db9a721c6a7a427410018e286b880"
dependencies = [
"futures-util",
"pin-project-lite",
"tokio",
"tokio-stream",
]

[[package]]
name = "aws-smithy-client"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0a86aa6e21e86c4252ad6a0e3e74da9617295d8d6e374d552be7d3059c41cedd"
dependencies = [
"aws-smithy-async",
"aws-smithy-http",
"aws-smithy-http-tower",
"aws-smithy-types",
"bytes",
"fastrand",
"http",
"http-body",
"hyper",
"hyper-rustls 0.23.2",
"lazy_static",
"pin-project-lite",
"rustls 0.20.8",
"tokio",
"tower",
"tracing",
]

[[package]]
name = "aws-smithy-http"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2b3b693869133551f135e1f2c77cb0b8277d9e3e17feaf2213f735857c4f0d28"
dependencies = [
"aws-smithy-types",
"bytes",
"bytes-utils",
"futures-core",
"http",
"http-body",
"hyper",
"once_cell",
"percent-encoding",
"pin-project-lite",
"pin-utils",
"tracing",
]

[[package]]
name = "aws-smithy-http-tower"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3ae4f6c5798a247fac98a867698197d9ac22643596dc3777f0c76b91917616b9"
dependencies = [
"aws-smithy-http",
"aws-smithy-types",
"bytes",
"http",
"http-body",
"pin-project-lite",
"tower",
"tracing",
]

[[package]]
name = "aws-smithy-json"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "23f9f42fbfa96d095194a632fbac19f60077748eba536eb0b9fecc28659807f8"
dependencies = [
"aws-smithy-types",
]

[[package]]
name = "aws-smithy-query"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "98819eb0b04020a1c791903533b638534ae6c12e2aceda3e6e6fba015608d51d"
dependencies = [
"aws-smithy-types",
"urlencoding",
]

[[package]]
name = "aws-smithy-types"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "16a3d0bf4f324f4ef9793b86a1701d9700fbcdbd12a846da45eed104c634c6e8"
dependencies = [
"base64-simd",
"itoa",
"num-integer",
"ryu",
"time",
]

[[package]]
name = "aws-smithy-xml"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1b9d12875731bd07e767be7baad95700c3137b56730ec9ddeedb52a5e5ca63b"
dependencies = [
"xmlparser",
]

[[package]]
name = "aws-types"
version = "0.55.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6dd209616cc8d7bfb82f87811a5c655dc97537f592689b18743bddf5dc5c4829"
dependencies = [
"aws-credential-types",
"aws-smithy-async",
"aws-smithy-client",
"aws-smithy-http",
"aws-smithy-types",
"http",
"rustc_version 0.4.0",
"tracing",
]

[[package]]
name = "axum"
version = "0.6.19"
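Review bot: In the aws-smithy-client entry, "hyper-rustls 0.23.2" and "rustls 0.20.8" carry version suffixes, which Cargo.lock only writes when more than one version of that crate is resolved, so the lockfile holds more than one version of the TLS stack and the AWS client is tied to these ones. Please confirm that is intended, check whether the AWS crates can share the rustls version the router already uses or have their default features trimmed, and make sure both versions are covered by the dependency audit. Also note that aws-config pulls in aws-sdk-sso and aws-sdk-sts at 0.28.0, a different version line from the 0.55.3 crates, so whoever bumps the AWS crates later has to move those two in step as well.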
Expand Down Expand Up @@ -7267,6 +7561,12 @@ dependencies = [
"zeroize",
]

[[package]]
name = "xmlparser"
version = "0.13.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4d25c75bf9ea12c4040a97f829154768bbbce366287e2dc044af160cd79a13fd"

[[package]]
name = "yaml-rust"
version = "0.4.5"
5 changes: 5 additions & 0 deletions apollo-router/Cargo.toml
Expand Up @@ -226,6 +226,11 @@ brotli = "3.3.4"
zstd = "0.12.3"
zstd-safe = "6.0.5"
rand_core = "0.6.4"
# note: AWS dependencies should always use the same version
aws-sigv4 = "0.55.3"
aws-credential-types = "0.55.3"
aws-config = "0.55.3"
aws-types = "0.55.3"

[target.'cfg(macos)'.dependencies]
uname = "0.1.1"
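Review bot: The comment "AWS dependencies should always use the same version" is not enforced by the four requirements under it: "0.55.3" is a caret requirement, so each crate can move on its own to any later 0.55.x when someone runs a targeted cargo update. If a mismatch actually breaks the build or the signing behaviour, pin them exactly (aws-sigv4 = "=0.55.3" and likewise for the other three), and extend the comment to say why they must match so the next person bumping one knows to bump all four.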
@@ -0,0 +1,5 @@
description: Move jwt configuration to authentication.router
actions:
- type: move
from: authentication.jwt
to: authentication.router.jwt
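Review bot: This migration changes where existing users configure JWT (from: authentication.jwt, to: authentication.router.jwt), but the changeset entry in this PR only talks about sigv4 and never mentions the move. Add a sentence to the changeset, or a separate entry, telling users that the JWT settings now live under authentication.router and that this migration rewrites the old path, so the new key does not come as a surprise when they read the updated docs or diff their configuration.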