Merge pull request #519 from kbalthaser/kb-518-main

Add missing `x-amz-content-sha256` header when generating headers for…
permitio · Mar 21, 2024 · ae4765d · ae4765d
2 parents 4cceee8 + c175db2
commit ae4765d
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 6 deletions.
diff --git a/documentation/docs/tutorials/track_an_api_bundle_server.mdx b/documentation/docs/tutorials/track_an_api_bundle_server.mdx
@@ -39,9 +39,10 @@ You can configure how the OPAL-server will authenticate itself with the bundle s
 
 | Variables                     | Description                                                                                                                                                                     | Example                                  |
 | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- |
-| POLICY_BUNDLE_SERVER_TYPE     | `HTTP` (authenticated with bearer token,or nothing), `AWS-S3`(Authenticated with [AWS REST Auth](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html) | AWS-S3                                   |
-| POLICY_BUNDLE_SERVER_TOKEN_ID | The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server.                                                                                                | AKIAIOSFODNN7EXAMPLE                     |
-| POLICY_BUNDLE_SERVER_TOKEN    | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server.                                                                                                  | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_TYPE      | `HTTP` (authenticated with bearer token,or nothing), `AWS-S3`(Authenticated with [AWS REST Auth](https://docs.aws.amazon.com/AmazonS3/latest/userguide/RESTAuthentication.html) | AWS-S3                                   |
+| POLICY_BUNDLE_SERVER_TOKEN_ID  | The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server.                                                                                                | AKIAIOSFODNN7EXAMPLE                     |
+| POLICY_BUNDLE_SERVER_TOKEN     | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server.                                                                                                  | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
+| POLICY_BUNDLE_SERVER_AWS_REGION| The AWS Region if using `AWS-S3`  Defaults to `us-east-1`                                                                                                                       | us-east-1                                |
 
 ## <a name="compose-example"></a>Docker compose example
 

diff --git a/packages/opal-common/opal_common/sources/api_policy_source.py b/packages/opal-common/opal_common/sources/api_policy_source.py
@@ -50,6 +50,7 @@ def __init__(
         polling_interval: int = 0,
         token: Optional[str] = None,
         token_id: Optional[str] = None,
+        region: Optional[str] = None,
         bundle_server_type: Optional[PolicyBundleServerType] = None,
         policy_bundle_path=".",
         policy_bundle_git_add_pattern="*",
@@ -62,6 +63,7 @@ def __init__(
         self.token = token
         self.token_id = token_id
         self.server_type = bundle_server_type
+        self.region = region
         self.bundle_hash = None
         self.etag = None
         self.tmp_bundle_path = Path(policy_bundle_path)
@@ -136,7 +138,9 @@ def build_auth_headers(self, token=None, path=None):
             host = split_url.netloc
             path = split_url.path + "/" + path
 
-            return build_aws_rest_auth_headers(self.token_id, token, host, path)
+            return build_aws_rest_auth_headers(
+                self.token_id, token, host, path, self.region
+            )
         else:
             return {}
 

diff --git a/packages/opal-common/opal_common/utils.py b/packages/opal-common/opal_common/utils.py
@@ -56,7 +56,9 @@ def get_authorization_header(token: str) -> Tuple[str, str]:
     return "Authorization", f"Bearer {token}"
 
 
-def build_aws_rest_auth_headers(key_id: str, secret_key: str, host: str, path: str):
+def build_aws_rest_auth_headers(
+    key_id: str, secret_key: str, host: str, path: str, region: str
+):
     """Use the AWS signature algorithm (https://docs.aws.amazon.com/AmazonS3/la
     test/userguide/RESTAuthentication.html) to generate the hTTP headers.
 
@@ -79,6 +81,9 @@ def getSignatureKey(key, dateStamp, regionName, serviceName):
         kSigning = sign(kService, "aws4_request")
         return kSigning
 
+    # SHA256 of empty string.  This is needed when S3 request payload is empty.
+    SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+
     t = datetime.utcnow()
     amzdate = t.strftime("%Y%m%dT%H%M%SZ")
     datestamp = t.strftime("%Y%m%d")
@@ -101,7 +106,6 @@ def getSignatureKey(key, dateStamp, regionName, serviceName):
         + payload_hash
     )
 
-    region = "us-east-1"
     algorithm = "AWS4-HMAC-SHA256"
     credential_scope = datestamp + "/" + region + "/" + "s3" + "/" + "aws4_request"
 
@@ -136,6 +140,7 @@ def getSignatureKey(key, dateStamp, regionName, serviceName):
 
     return {
         "x-amz-date": amzdate,
+        "x-amz-content-sha256": SHA256_EMPTY,
         "Authorization": authorization_header,
     }
 

diff --git a/packages/opal-server/opal_server/config.py b/packages/opal-server/opal_server/config.py
@@ -128,6 +128,11 @@ class OpalServerConfig(Confi):
         None,
         description="The id of the secret token to be sent to API bundle server",
     )
+    POLICY_BUNDLE_SERVER_AWS_REGION = confi.str(
+        "POLICY_BUNDLE_SERVER_AWS_REGION",
+        "us-east-1",
+        description="The AWS region of the S3 bucket",
+    )
     POLICY_BUNDLE_TMP_PATH = confi.str(
         "POLICY_BUNDLE_TMP_PATH",
         "/tmp/bundle.tar.gz",

diff --git a/packages/opal-server/opal_server/policy/watcher/factory.py b/packages/opal-server/opal_server/policy/watcher/factory.py
@@ -27,6 +27,7 @@ def setup_watcher_task(
     policy_bundle_token: str = None,
     policy_bundle_token_id: str = None,
     policy_bundle_server_type: str = None,
+    policy_bundle_aws_region: str = None,
     extensions: Optional[List[str]] = None,
     bundle_ignore: Optional[List[str]] = None,
 ) -> BasePolicyWatcherTask:
@@ -115,6 +116,9 @@ def setup_watcher_task(
         policy_bundle_server_type = load_conf_if_none(
             policy_bundle_server_type, opal_server_config.POLICY_BUNDLE_SERVER_TYPE
         )
+        policy_bundle_aws_region = load_conf_if_none(
+            policy_bundle_aws_region, opal_server_config.POLICY_BUNDLE_SERVER_AWS_REGION
+        )
         watcher = ApiPolicySource(
             remote_source_url=remote_source_url,
             local_clone_path=clone_path,
@@ -124,6 +128,7 @@ def setup_watcher_task(
             bundle_server_type=policy_bundle_server_type,
             policy_bundle_path=opal_server_config.POLICY_BUNDLE_TMP_PATH,
             policy_bundle_git_add_pattern=opal_server_config.POLICY_BUNDLE_GIT_ADD_PATTERN,
+            region=policy_bundle_aws_region,
         )
     else:
         raise ValueError("Unknown value for OPAL_POLICY_SOURCE_TYPE")