Skip to content

Commit

Permalink
out_http: add SigV4 authentication options
Browse files Browse the repository at this point in the history
Signed-off-by: Matthew Fala <[email protected]>
  • Loading branch information
matthewfala committed Mar 23, 2022
1 parent e8432c2 commit 9045ca6
Show file tree
Hide file tree
Showing 3 changed files with 101 additions and 1 deletion.
48 changes: 48 additions & 0 deletions plugins/out_http/http.c
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,13 @@
#include <fluent-bit/flb_gzip.h>
#include <msgpack.h>

#ifdef FLB_HAVE_SIGNV4
#ifdef FLB_HAVE_AWS
#include <fluent-bit/flb_aws_credentials.h>
#include <fluent-bit/flb_signv4.h>
#endif
#endif

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
Expand Down Expand Up @@ -79,6 +86,7 @@ static int http_post(struct flb_out_http *ctx,
struct flb_config_map_val *mv;
struct flb_slist_entry *key = NULL;
struct flb_slist_entry *val = NULL;
flb_sds_t signature = NULL;

/* Get upstream context and connection */
u = ctx->u;
Expand Down Expand Up @@ -174,6 +182,30 @@ static int http_post(struct flb_out_http *ctx,
val->str, flb_sds_len(val->str));
}

#ifdef FLB_HAVE_SIGNV4
#ifdef FLB_HAVE_AWS
/* AWS SigV4 headers */
if (ctx->has_aws_auth == FLB_TRUE) {
flb_plg_debug(ctx->ins, "signing request with AWS Sigv4");
signature = flb_signv4_do(c,
FLB_TRUE, /* normalize URI ? */
FLB_TRUE, /* add x-amz-date header ? */
time(NULL),
(char *) ctx->aws_region,
(char *) ctx->aws_service,
0,
ctx->aws_provider);

if (!signature) {
flb_plg_error(ctx->ins, "could not sign request with sigv4");
out_ret = FLB_RETRY;
goto cleanup;
}
flb_sds_destroy(signature);
}
#endif
#endif

ret = flb_http_do(c, &b_sent);
if (ret == 0) {
/*
Expand Down Expand Up @@ -220,6 +252,7 @@ static int http_post(struct flb_out_http *ctx,
out_ret = FLB_RETRY;
}

cleanup:
/*
* If the payload buffer is different than incoming records in body, means
* we generated a different payload and must be freed.
Expand Down Expand Up @@ -377,6 +410,21 @@ static struct flb_config_map config_map[] = {
0, FLB_TRUE, offsetof(struct flb_out_http, http_passwd),
"Set HTTP auth password"
},
#ifdef FLB_HAVE_SIGNV4
#ifdef FLB_HAVE_AWS
{
FLB_CONFIG_MAP_BOOL, "aws_auth", "false",
0, FLB_TRUE, offsetof(struct flb_out_http, has_aws_auth),
"Enable AWS Sigv4 authentication"
},
{
FLB_CONFIG_MAP_STR, "aws_service", "",
0, FLB_TRUE, offsetof(struct flb_out_http, aws_service),
"AWS destination service code, used by SigV4 authentication"
},
FLB_AWS_CREDENTIAL_BASE_CONFIG_MAP("aws_"),
#endif
#endif
{
FLB_CONFIG_MAP_STR, "header_tag", NULL,
0, FLB_TRUE, offsetof(struct flb_out_http, header_tag),
Expand Down
10 changes: 10 additions & 0 deletions plugins/out_http/http.h
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,16 @@ struct flb_out_http {
char *http_user;
char *http_passwd;

/* AWS Auth */
#ifdef FLB_HAVE_SIGNV4
#ifdef FLB_HAVE_AWS
int has_aws_auth;
struct flb_aws_provider *aws_provider;
const char *aws_region;
const char *aws_service;
#endif
#endif

/* Proxy */
const char *proxy;
char *proxy_host;
Expand Down
44 changes: 43 additions & 1 deletion plugins/out_http/http_conf.c
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,11 @@
#include <fluent-bit/flb_pack.h>
#include <fluent-bit/flb_sds.h>
#include <fluent-bit/flb_kv.h>

#ifdef FLB_HAVE_SIGNV4
#ifdef FLB_HAVE_AWS
#include <fluent-bit/flb_aws_credentials.h>
#endif
#endif
#include "http.h"
#include "http_conf.h"

Expand Down Expand Up @@ -81,6 +85,36 @@ struct flb_out_http *flb_http_conf_create(struct flb_output_instance *ins,
flb_output_net_default("127.0.0.1", 80, ins);
}

/* Check if AWS SigV4 authentication is enabled */
#ifdef FLB_HAVE_SIGNV4
#ifdef FLB_HAVE_AWS
if (ctx->has_aws_auth) {
ctx->aws_service = flb_output_get_property("aws_service", ctx->ins);
if (!ctx->aws_service) {
flb_plg_error(ins, "aws_auth option requires aws_service to be set");
flb_free(ctx);
return NULL;
}

ctx->aws_provider = flb_managed_chain_provider_create(
ins,
config,
"aws_",
NULL,
flb_aws_client_generator()
);
if (!ctx->aws_provider) {
flb_plg_error(ins, "failed to create aws credential provider for sigV4 auth");
flb_free(ctx);
return NULL;
}

/* If managed provider creation succeeds, then region key is present */
ctx->aws_region = flb_output_get_property("aws_region", ctx->ins);
}
#endif /* !FLB_HAVE_AWS */
#endif /* !FLB_HAVE_SIGNV4 */

/* Check if SSL/TLS is enabled */
#ifdef FLB_HAVE_TLS
if (ins->use_tls == FLB_TRUE) {
Expand Down Expand Up @@ -213,6 +247,14 @@ void flb_http_conf_destroy(struct flb_out_http *ctx)
flb_upstream_destroy(ctx->u);
}

#ifdef FLB_HAVE_SIGNV4
#ifdef FLB_HAVE_AWS
if (ctx->aws_provider) {
flb_aws_provider_destroy(ctx->aws_provider);
}
#endif
#endif

flb_free(ctx->proxy_host);
flb_free(ctx->uri);
flb_free(ctx);
Expand Down

0 comments on commit 9045ca6

Please sign in to comment.