diff --git a/documentation/docs/tutorials/track_an_api_bundle_server.mdx b/documentation/docs/tutorials/track_an_api_bundle_server.mdx
index 918ebde6..184df814 100644
--- a/documentation/docs/tutorials/track_an_api_bundle_server.mdx
+++ b/documentation/docs/tutorials/track_an_api_bundle_server.mdx
@@ -37,9 +37,11 @@ You can configure how the OPAL-server will authenticate itself with the bundle s
 | Variables | Description | Example |
 | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |
-| POLICY_BUNDLE_SERVER_TYPE | `HTTP` (authenticated with bearer token,or nothing), `AWS-S3`(Authenticated with [AWS REST Auth](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html) | AWS-S3 |
-| POLICY_BUNDLE_SERVER_TOKEN_ID | The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server. | AKIAIOSFODNN7EXAMPLE |
-| POLICY_BUNDLE_SERVER_TOKEN | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server. | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_TYPE | `HTTP` (authenticated with bearer token,or nothing), `AWS-S3`(Authenticated with [AWS REST Auth](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html) | AWS-S3 |
+| POLICY_BUNDLE_SERVER_TOKEN_ID | The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server. | AKIAIOSFODNN7EXAMPLE |
+| POLICY_BUNDLE_SERVER_TOKEN | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server. | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_TOKEN | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server. | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_AWS_REGION| The AWS Region if using `AWS-S3` Defaults to `us-east-1` | us-east-1 |
 ## Docker compose example
diff --git a/packages/opal-common/opal_common/sources/api_policy_source.py b/packages/opal-common/opal_common/sources/api_policy_source.py
index 6b04054d..5ab5d34f 100644
--- a/packages/opal-common/opal_common/sources/api_policy_source.py
+++ b/packages/opal-common/opal_common/sources/api_policy_source.py
@@ -50,6 +50,7 @@ def __init__(
 polling_interval: int = 0,
 token: Optional[str] = None,
 token_id: Optional[str] = None,
+ region: Optional[str] = None,
 bundle_server_type: Optional[PolicyBundleServerType] = None,
 policy_bundle_path=".",
 policy_bundle_git_add_pattern="*",
@@ -62,6 +63,7 @@ def __init__(
 self.token = token
 self.token_id = token_id
 self.server_type = bundle_server_type
+ self.region = region
 self.bundle_hash = None
 self.etag = None
 self.tmp_bundle_path = Path(policy_bundle_path)
@@ -136,7 +138,7 @@ def build_auth_headers(self, token=None, path=None):
 host = split_url.netloc
 path = split_url.path + "/" + path
- return build_aws_rest_auth_headers(self.token_id, token, host, path)
+ return build_aws_rest_auth_headers(self.token_id, token, host, path, self.region)
 else:
 return {}
diff --git a/packages/opal-common/opal_common/utils.py b/packages/opal-common/opal_common/utils.py
index 79924559..4da85533 100644
--- a/packages/opal-common/opal_common/utils.py
+++ b/packages/opal-common/opal_common/utils.py
@@ -56,7 +56,7 @@ def get_authorization_header(token: str) -> Tuple[str, str]:
 return "Authorization", f"Bearer {token}"
-def build_aws_rest_auth_headers(key_id: str, secret_key: str, host: str, path: str):
+def build_aws_rest_auth_headers(key_id: str, secret_key: str, host: str, path: str, region: str):
 """Use the AWS signature algorithm (https://docs.aws.amazon.com/AmazonS3/la
 test/userguide/RESTAuthentication.html) to generate the hTTP headers.
@@ -101,7 +101,9 @@ def getSignatureKey(key, dateStamp, regionName, serviceName):
 + payload_hash
 )
- region = "us-east-1"
+ if not region:
+ region = "us-east-1"
+
 algorithm = "AWS4-HMAC-SHA256"
 credential_scope = datestamp + "/" + region + "/" + "s3" + "/" + "aws4_request"
diff --git a/packages/opal-server/opal_server/config.py b/packages/opal-server/opal_server/config.py
index 0f2a05a0..20d7be78 100644
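Review bot: The new `region` parameter is placed in the middle of `__init__`'s signature, ahead of `bundle_server_type`, `policy_bundle_path` and `policy_bundle_git_add_pattern`, so any caller that passes those positionally now silently binds its server type to `region`; the factory hunk in this commit uses keyword arguments, but other callers are not visible from here. Appending the parameter after the existing ones avoids that shift. The third hunk forwards `self.region` positionally while this side declares it `Optional[str]` and `build_aws_rest_auth_headers` annotates it as plain `str`; a docstring entry such as `region: AWS region of the S3 bucket, used in the SigV4 credential scope; None falls back to us-east-1` would make that contract explicit. `__init__` starts before the first hunk and its body continues past the second.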
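Review bot: Adding `region` as a required positional parameter to `build_aws_rest_auth_headers` breaks every existing four-argument caller with a TypeError, even though the body already falls back to `us-east-1` when the value is falsy; a default such as `region: Optional[str] = None` (or `region: str = "us-east-1"`, which would let the `if not region` block in the second hunk go) keeps old callers working and matches the `Optional[str]` the policy source passes in. `Optional` is not visible among this file's imports, so a `typing` import may be needed. The docstring, context here, still describes only the original inputs; it should say that `region` must be the bucket's own region because it is embedded in the SigV4 credential scope and S3 rejects a signature scoped to the wrong region. The function body continues outside both hunks.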
--- a/packages/opal-server/opal_server/config.py
+++ b/packages/opal-server/opal_server/config.py
@@ -128,6 +128,11 @@ class OpalServerConfig(Confi):
 None,
 description="The id of the secret token to be sent to API bundle server",
 )
+ POLICY_BUNDLE_SERVER_AWS_REGION = confi.str(
+ "POLICY_BUNDLE_SERVER_AWS_REGION",
+ None,
+ description="The AWS region of the S3 bucket",
+ )
 POLICY_BUNDLE_TMP_PATH = confi.str(
 "POLICY_BUNDLE_TMP_PATH",
 "/tmp/bundle.tar.gz",
diff --git a/packages/opal-server/opal_server/policy/watcher/factory.py b/packages/opal-server/opal_server/policy/watcher/factory.py
index dabf8cf7..97c2de77 100644
--- a/packages/opal-server/opal_server/policy/watcher/factory.py
+++ b/packages/opal-server/opal_server/policy/watcher/factory.py
@@ -27,6 +27,7 @@ def setup_watcher_task(
 policy_bundle_token: str = None,
 policy_bundle_token_id: str = None,
 policy_bundle_server_type: str = None,
+ policy_bundle_aws_region: str = None,
 extensions: Optional[List[str]] = None,
 bundle_ignore: Optional[List[str]] = None,
 ) -> BasePolicyWatcherTask:
@@ -115,6 +116,9 @@ def setup_watcher_task(
 policy_bundle_server_type = load_conf_if_none(
 policy_bundle_server_type, opal_server_config.POLICY_BUNDLE_SERVER_TYPE
 )
+ policy_bundle_aws_region = load_conf_if_none(
+ policy_bundle_aws_region, opal_server_config.POLICY_BUNDLE_SERVER_AWS_REGION
+ )
 watcher = ApiPolicySource(
 remote_source_url=remote_source_url,
 local_clone_path=clone_path,
@@ -124,6 +128,7 @@ def setup_watcher_task(
 bundle_server_type=policy_bundle_server_type,
 policy_bundle_path=opal_server_config.POLICY_BUNDLE_TMP_PATH,
 policy_bundle_git_add_pattern=opal_server_config.POLICY_BUNDLE_GIT_ADD_PATTERN,
+ region=policy_bundle_aws_region
 )
 else:
 raise ValueError("Unknown value for OPAL_POLICY_SOURCE_TYPE")
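Review bot: The description for `POLICY_BUNDLE_SERVER_AWS_REGION` omits the two facts an operator needs: that it is only consulted when `POLICY_BUNDLE_SERVER_TYPE` is `AWS-S3`, and that an unset value falls back to `us-east-1` (the fallback this commit adds to `build_aws_rest_auth_headers`). Suggested text: `description="AWS region of the S3 bucket, used to build the SigV4 credential scope when POLICY_BUNDLE_SERVER_TYPE is AWS-S3; defaults to us-east-1"`. The tutorial table in this commit also lists the `POLICY_BUNDLE_SERVER_TOKEN` row twice, which looks like an accidental duplicate. The `OpalServerConfig` class starts before this hunk and continues after it.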
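Review bot: The new `region=policy_bundle_aws_region` argument in the last hunk has no trailing comma, unlike every other argument in the `ApiPolicySource(...)` call, so the next addition touches this line again and an auto-formatter would rewrite it; use `region=policy_bundle_aws_region,`. In the first hunk `policy_bundle_aws_region: str = None` follows its neighbours' style, but `Optional[str]`, already imported in this file, is the accurate annotation. If `setup_watcher_task` has a parameter docstring (not visible in these hunks), it should gain an entry for the new region argument. `setup_watcher_task` begins before the first hunk and the `else:` branch shown at the end may not be the end of the function.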