Add new configuration option to allow setting the AWS region when tra…

…cking a bundle from an S3 bucket. Originally was hard-coded to `us-east-1`. For backwards compatibility, if the new option is not provided, we will default back to `us-east-1`.
permitio · Nov 28, 2023 · 1117010 · 1117010
1 parent 469b115
commit 1117010
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 6 deletions.
diff --git a/documentation/docs/tutorials/track_an_api_bundle_server.mdx b/documentation/docs/tutorials/track_an_api_bundle_server.mdx
@@ -37,9 +37,11 @@ You can configure how the OPAL-server will authenticate itself with the bundle s
 
 | Variables                     | Description                                                                                                                                                                     | Example                                  |
 | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |
-| POLICY_BUNDLE_SERVER_TYPE     | `HTTP` (authenticated with bearer token,or nothing), `AWS-S3`(Authenticated with [AWS REST Auth](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html) | AWS-S3                                   |
-| POLICY_BUNDLE_SERVER_TOKEN_ID | The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server.                                                                                                | AKIAIOSFODNN7EXAMPLE                     |
-| POLICY_BUNDLE_SERVER_TOKEN    | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server.                                                                                                  | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_TYPE      | `HTTP` (authenticated with bearer token,or nothing), `AWS-S3`(Authenticated with [AWS REST Auth](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html) | AWS-S3                                   |
+| POLICY_BUNDLE_SERVER_TOKEN_ID  | The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server.                                                                                                | AKIAIOSFODNN7EXAMPLE                     |
+| POLICY_BUNDLE_SERVER_TOKEN     | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server.                                                                                                  | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_TOKEN     | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server.                                                                                                  | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_AWS_REGION| The AWS Region if using `AWS-S3`  Defaults to `us-east-1`                                                                                                                       | us-east-1                                |
 
 ## <a name="compose-example"></a>Docker compose example
 

diff --git a/packages/opal-common/opal_common/sources/api_policy_source.py b/packages/opal-common/opal_common/sources/api_policy_source.py
@@ -50,6 +50,7 @@ def __init__(
         polling_interval: int = 0,
         token: Optional[str] = None,
         token_id: Optional[str] = None,
+        region: Optional[str] = None,
         bundle_server_type: Optional[PolicyBundleServerType] = None,
         policy_bundle_path=".",
         policy_bundle_git_add_pattern="*",
@@ -62,6 +63,7 @@ def __init__(
         self.token = token
         self.token_id = token_id
         self.server_type = bundle_server_type
+        self.region = region
         self.bundle_hash = None
         self.etag = None
         self.tmp_bundle_path = Path(policy_bundle_path)
@@ -136,7 +138,7 @@ def build_auth_headers(self, token=None, path=None):
             host = split_url.netloc
             path = split_url.path + "/" + path
 
-            return build_aws_rest_auth_headers(self.token_id, token, host, path)
+            return build_aws_rest_auth_headers(self.token_id, token, host, path, self.region)
         else:
             return {}
 

diff --git a/packages/opal-common/opal_common/utils.py b/packages/opal-common/opal_common/utils.py
@@ -56,7 +56,7 @@ def get_authorization_header(token: str) -> Tuple[str, str]:
     return "Authorization", f"Bearer {token}"
 
 
-def build_aws_rest_auth_headers(key_id: str, secret_key: str, host: str, path: str):
+def build_aws_rest_auth_headers(key_id: str, secret_key: str, host: str, path: str, region: str):
     """Use the AWS signature algorithm (https://docs.aws.amazon.com/AmazonS3/la
     test/userguide/RESTAuthentication.html) to generate the hTTP headers.
 
@@ -101,7 +101,9 @@ def getSignatureKey(key, dateStamp, regionName, serviceName):
         + payload_hash
     )
 
-    region = "us-east-1"
+    if not region:
+        region = "us-east-1"
+
     algorithm = "AWS4-HMAC-SHA256"
     credential_scope = datestamp + "/" + region + "/" + "s3" + "/" + "aws4_request"
 

diff --git a/packages/opal-server/opal_server/config.py b/packages/opal-server/opal_server/config.py
@@ -128,6 +128,11 @@ class OpalServerConfig(Confi):
         None,
         description="The id of the secret token to be sent to API bundle server",
     )
+    POLICY_BUNDLE_SERVER_AWS_REGION = confi.str(
+        "POLICY_BUNDLE_SERVER_AWS_REGION",
+        None,
+        description="The AWS region of the S3 bucket",
+    )
     POLICY_BUNDLE_TMP_PATH = confi.str(
         "POLICY_BUNDLE_TMP_PATH",
         "/tmp/bundle.tar.gz",

diff --git a/packages/opal-server/opal_server/policy/watcher/factory.py b/packages/opal-server/opal_server/policy/watcher/factory.py
@@ -27,6 +27,7 @@ def setup_watcher_task(
     policy_bundle_token: str = None,
     policy_bundle_token_id: str = None,
     policy_bundle_server_type: str = None,
+    policy_bundle_aws_region: str = None,
     extensions: Optional[List[str]] = None,
     bundle_ignore: Optional[List[str]] = None,
 ) -> BasePolicyWatcherTask:
@@ -115,6 +116,9 @@ def setup_watcher_task(
         policy_bundle_server_type = load_conf_if_none(
             policy_bundle_server_type, opal_server_config.POLICY_BUNDLE_SERVER_TYPE
         )
+        policy_bundle_aws_region = load_conf_if_none(
+            policy_bundle_aws_region, opal_server_config.POLICY_BUNDLE_SERVER_AWS_REGION
+        )
         watcher = ApiPolicySource(
             remote_source_url=remote_source_url,
             local_clone_path=clone_path,
@@ -124,6 +128,7 @@ def setup_watcher_task(
             bundle_server_type=policy_bundle_server_type,
             policy_bundle_path=opal_server_config.POLICY_BUNDLE_TMP_PATH,
             policy_bundle_git_add_pattern=opal_server_config.POLICY_BUNDLE_GIT_ADD_PATTERN,
+            region=policy_bundle_aws_region
         )
     else:
         raise ValueError("Unknown value for OPAL_POLICY_SOURCE_TYPE")