out_http: add SigV4 authentication options

Signed-off-by: Matthew Fala <[email protected]>
fluent · Mar 23, 2022 · d5bd233 · d5bd233
1 parent e8432c2
commit d5bd233
Show file tree

Hide file tree

Showing 3 changed files with 101 additions and 1 deletion.
diff --git a/plugins/out_http/http.c b/plugins/out_http/http.c
@@ -29,6 +29,13 @@
 #include <fluent-bit/flb_gzip.h>
 #include <msgpack.h>
 
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+#include <fluent-bit/flb_aws_credentials.h>
+#include <fluent-bit/flb_signv4.h>
+#endif
+#endif
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <assert.h>
@@ -79,6 +86,7 @@ static int http_post(struct flb_out_http *ctx,
     struct flb_config_map_val *mv;
     struct flb_slist_entry *key = NULL;
     struct flb_slist_entry *val = NULL;
+    flb_sds_t signature = NULL;
 
     /* Get upstream context and connection */
     u = ctx->u;
@@ -174,6 +182,30 @@ static int http_post(struct flb_out_http *ctx,
                             val->str, flb_sds_len(val->str));
     }
 
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    /* AWS SigV4 headers */
+    if (ctx->has_aws_auth == FLB_TRUE) {
+        flb_plg_debug(ctx->ins, "signing request with AWS Sigv4");        
+        signature = flb_signv4_do(c,
+                                  FLB_TRUE,  /* normalize URI ? */
+                                  FLB_TRUE,  /* add x-amz-date header ? */
+                                  time(NULL),
+                                  (char *) ctx->aws_region,
+                                  (char *) ctx->aws_service,
+                                  0,
+                                  ctx->aws_provider);
+
+        if (!signature) {
+            flb_plg_error(ctx->ins, "could not sign request with sigv4");
+            out_ret = FLB_RETRY;
+            goto cleanup;
+        }
+        flb_sds_destroy(signature);
+    }
+#endif
+#endif
+
     ret = flb_http_do(c, &b_sent);
     if (ret == 0) {
         /*
@@ -220,6 +252,7 @@ static int http_post(struct flb_out_http *ctx,
         out_ret = FLB_RETRY;
     }
 
+cleanup:
     /*
      * If the payload buffer is different than incoming records in body, means
      * we generated a different payload and must be freed.
@@ -377,6 +410,21 @@ static struct flb_config_map config_map[] = {
      0, FLB_TRUE, offsetof(struct flb_out_http, http_passwd),
      "Set HTTP auth password"
     },
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS 
+    {
+     FLB_CONFIG_MAP_BOOL, "aws_auth", "false",
+     0, FLB_TRUE, offsetof(struct flb_out_http, has_aws_auth),
+     "Enable AWS SigV4 authentication"
+    },
+    {
+     FLB_CONFIG_MAP_STR, "aws_service", NULL,
+     0, FLB_TRUE, offsetof(struct flb_out_http, aws_service),
+     "AWS destination service code, used by SigV4 authentication"
+    },
+    FLB_AWS_CREDENTIAL_BASE_CONFIG_MAP("aws_"),
+#endif
+#endif
     {
      FLB_CONFIG_MAP_STR, "header_tag", NULL,
      0, FLB_TRUE, offsetof(struct flb_out_http, header_tag),

diff --git a/plugins/out_http/http.h b/plugins/out_http/http.h
@@ -32,6 +32,16 @@ struct flb_out_http {
     char *http_user;
     char *http_passwd;
 
+    /* AWS Auth */
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    int has_aws_auth;
+    struct flb_aws_provider *aws_provider;
+    const char *aws_region;
+    const char *aws_service;
+#endif
+#endif
+
     /* Proxy */
     const char *proxy;
     char *proxy_host;

diff --git a/plugins/out_http/http_conf.c b/plugins/out_http/http_conf.c
@@ -22,7 +22,11 @@
 #include <fluent-bit/flb_pack.h>
 #include <fluent-bit/flb_sds.h>
 #include <fluent-bit/flb_kv.h>
-
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+#include <fluent-bit/flb_aws_credentials.h>
+#endif
+#endif
 #include "http.h"
 #include "http_conf.h"
 
@@ -81,6 +85,36 @@ struct flb_out_http *flb_http_conf_create(struct flb_output_instance *ins,
         flb_output_net_default("127.0.0.1", 80, ins);
     }
 
+    /* Check if AWS SigV4 authentication is enabled */
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    if (ctx->has_aws_auth) {
+        ctx->aws_service = flb_output_get_property("aws_service", ctx->ins);
+        if (!ctx->aws_service) {
+            flb_plg_error(ins, "aws_auth option requires aws_service to be set");
+            flb_free(ctx);
+            return NULL;
+        }
+
+        ctx->aws_provider = flb_managed_chain_provider_create(
+            ins,
+            config,
+            "aws_",
+            NULL,
+            flb_aws_client_generator()
+        );
+        if (!ctx->aws_provider) {
+            flb_plg_error(ins, "failed to create aws credential provider for sigV4 auth");
+            flb_free(ctx);
+            return NULL;
+        }
+
+        /* If managed provider creation succeeds, then region key is present */
+        ctx->aws_region = flb_output_get_property("aws_region", ctx->ins);
+    }
+#endif /* !FLB_HAVE_AWS */
+#endif /* !FLB_HAVE_SIGNV4 */
+
     /* Check if SSL/TLS is enabled */
 #ifdef FLB_HAVE_TLS
     if (ins->use_tls == FLB_TRUE) {
@@ -213,6 +247,14 @@ void flb_http_conf_destroy(struct flb_out_http *ctx)
         flb_upstream_destroy(ctx->u);
     }
 
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    if (ctx->aws_provider) {
+        flb_aws_provider_destroy(ctx->aws_provider);
+    }
+#endif
+#endif
+
     flb_free(ctx->proxy_host);
     flb_free(ctx->uri);
     flb_free(ctx);