File Explorer

1/**2 * Module for AWS Authentication logic - signing http requests, events, chunks, etc...3 *4 * @packageDocumentation5 * @module auth6 * @mergeTarget7 */8import * as auth from '../common/auth';9import crt_native from './binding';10import { HttpRequest, HttpProxyOptions } from './http';11import { ClientBootstrap, ClientTlsContext } from './io';12export { AwsSigningConfigBase } from "../common/auth";13/**14 * A pair defining an identity provider and a valid login token sourced from it.15 *16 * @category Auth17 */18export interface CognitoLoginTokenPair {19    /**20     * Name of an identity provider21     */22    identityProviderName: string;23    /**24     * Valid login token source from the identity provider25     */26    identityProviderToken: string;27}28/**29 * Definition for the configuration needed to create a Cognito-based Credentials Provider30 *31 * @category Auth32 */33export interface CognitoCredentialsProviderConfig {34    /**35     * Cognito service regional endpoint to source credentials from.36     */37    endpoint: string;38    /**39     * Cognito identity to fetch credentials relative to.40     */41    identity: string;42    /**43     * Optional set of identity provider token pairs to allow for authenticated identity access.44     */45    logins?: Array<CognitoLoginTokenPair>;46    /**47     * Optional ARN of the role to be assumed when multiple roles were received in the token from the identity provider.48     */49    customRoleArn?: string;50    /**51     * TLS context for secure socket connections.52     * If undefined, then a default tls context will be created and used.53     */54    tlsContext?: ClientTlsContext;55    /**56     * Client bootstrap to use.  In almost all cases, this can be left undefined.57     */58    bootstrap?: ClientBootstrap;59    /**60     * Proxy configuration if connecting through an HTTP proxy is desired61     */62    httpProxyOptions?: HttpProxyOptions;63}64/**65 * Definition for the configuration needed to create a X509-based Credentials Provider66 *67 * @category Auth68 */69export interface X509CredentialsConfig {70    /**71     * X509 service regional endpoint to source credentials from.72     * This is a per-account value that can be determined via the CLI:73     * `aws iot describe-endpoint --endpoint-type iot:CredentialProvider`74     */75    endpoint: string;76    /**77     * The name of the IoT thing to use to fetch credentials.78     */79    thingName: string;80    /**81     * The name of the role alias to fetch credentials through.82     */83    roleAlias: string;84    /**85     * TLS context for secure socket connections.86     */87    tlsContext: ClientTlsContext;88    /**89     * Proxy configuration if connecting through an HTTP proxy is desired90     */91    httpProxyOptions?: HttpProxyOptions;92}93/**94 * Credentials providers source the AwsCredentials needed to sign an authenticated AWS request.95 *96 * We don't currently expose an interface for fetching credentials from Javascript.97 *98 * @category Auth99 */100export declare class AwsCredentialsProvider extends crt_native.AwsCredentialsProvider {101    /**102     * Creates a new default credentials provider to be used internally for AWS credentials resolution:103     *104     *   The CRT's default provider chain currently sources in this order:105     *106     *     1. Environment107     *     2. Profile108     *     3. (conditional, off by default) ECS109     *     4. (conditional, on by default) EC2 Instance Metadata110     *111     * @param bootstrap (optional) client bootstrap to be used to establish any required network connections112     *113     * @returns a new credentials provider using default credentials resolution rules114     */115    static newDefault(bootstrap?: ClientBootstrap | undefined): AwsCredentialsProvider;116    /**117     * Creates a new credentials provider that returns a fixed set of credentials.118     *119     * @param access_key access key to use in the static credentials120     * @param secret_key secret key to use in the static credentials121     * @param session_token (optional) session token to use in the static credentials122     *123     * @returns a new credentials provider that will return a fixed set of AWS credentials124     */125    static newStatic(access_key: crt_native.StringLike, secret_key: crt_native.StringLike, session_token?: crt_native.StringLike): AwsCredentialsProvider;126    /**127     * Creates a new credentials provider that sources credentials from the AWS Cognito Identity service via the128     * GetCredentialsForIdentity http API.129     *130     * @param config provider configuration necessary to make GetCredentialsForIdentity web requests131     *132     * @returns a new credentials provider that returns credentials sourced from the AWS Cognito Identity service133     */134    static newCognito(config: CognitoCredentialsProviderConfig): AwsCredentialsProvider;135    /**136     * Creates a new credentials provider that sources credentials from the the X509 service on AWS IoT Core.137     *138     * @param config provider configuration necessary to source credentials via X509139     *140     * @returns a new credentials provider that returns credentials sourced from the AWS X509 service141     */142    static newX509(config: X509CredentialsConfig): AwsCredentialsProvider;143}144/**145 * AWS signing algorithm enumeration.146 *147 * @category Auth148 */149export declare enum AwsSigningAlgorithm {150    /** Use the Aws signature version 4 signing process to sign the request */151    SigV4 = 0,152    /** Use the Aws signature version 4 Asymmetric signing process to sign the request */153    SigV4Asymmetric = 1154}155/**156 * AWS signature type enumeration.157 *158 * @category Auth159 */160export declare enum AwsSignatureType {161    /** Sign an http request and apply the signing results as headers */162    HttpRequestViaHeaders = 0,163    /** Sign an http request and apply the signing results as query params */164    HttpRequestViaQueryParams = 1,165    /** Sign an http request payload chunk */166    HttpRequestChunk = 2,167    /** Sign an event stream event */168    HttpRequestEvent = 3169}170/**171 * Values for use with {@link AwsSigningConfig.signed_body_value}.172 *173 * Some services use special values (e.g. 'UNSIGNED-PAYLOAD') when the body174 * is not being signed in the usual way.175 *176 * @category Auth177 */178export declare enum AwsSignedBodyValue {179    /** Use the SHA-256 of the empty string as the canonical request payload value */180    EmptySha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",181    /** Use the literal string 'UNSIGNED-PAYLOAD' as the canonical request payload value  */182    UnsignedPayload = "UNSIGNED-PAYLOAD",183    /** Use the literal string 'STREAMING-AWS4-HMAC-SHA256-PAYLOAD' as the canonical request payload value  */184    StreamingAws4HmacSha256Payload = "STREAMING-AWS4-HMAC-SHA256-PAYLOAD",185    /** Use the literal string 'STREAMING-AWS4-HMAC-SHA256-EVENTS' as the canonical request payload value  */186    StreamingAws4HmacSha256Events = "STREAMING-AWS4-HMAC-SHA256-EVENTS"187}188/**189 * AWS signed body header enumeration.190 *191 * @category Auth192 */193export declare enum AwsSignedBodyHeaderType {194    /** Do not add a header containing the canonical request payload value */195    None = 0,196    /** Add the X-Amz-Content-Sha256 header with the canonical request payload value */197    XAmzContentSha256 = 1198}199/**200 * Configuration for use in AWS-related signing.201 * AwsSigningConfig is immutable.202 * It is good practice to use a new config for each signature, or the date might get too old.203 *204 * @category Auth205 */206export interface AwsSigningConfig extends auth.AwsSigningConfigBase {207    /** Which signing process to invoke */208    algorithm: AwsSigningAlgorithm;209    /** What kind of signature to compute */210    signature_type: AwsSignatureType;211    /** Credentials provider to fetch signing credentials with */212    provider: AwsCredentialsProvider;213    /**214     * Headers to skip when signing.215     *216     * Skipping auth-required headers will result in an unusable signature.217     * Headers injected by the signing process are not skippable.218     * This function does not override the internal check function219     * (x-amzn-trace-id, user-agent), but rather supplements it.220     * In particular, a header will get signed if and only if it returns221     * true to both the internal check (skips x-amzn-trace-id, user-agent)222     * and is found in this list (if defined)223     */224    header_blacklist?: string[];225    /**226     * Set true to double-encode the resource path when constructing the227     * canonical request. By default, all services except S3 use double encoding.228     */229    use_double_uri_encode?: boolean;230    /**231     * Whether the resource paths are normalized when building the canonical request.232     */233    should_normalize_uri_path?: boolean;234    /**235     * Should the session token be omitted from the signing process?  This should only be236     * true when making a websocket handshake with IoT Core.237     */238    omit_session_token?: boolean;239    /**240     * Value to use as the canonical request's body value.241     *242     * Typically, this is the SHA-256 of the payload, written as lowercase hex.243     * If this has been precalculated, it can be set here.244     * Special values used by certain services can also be set (see {@link AwsSignedBodyValue}).245     * If undefined (the default), the typical value will be calculated from the payload during signing.246     */247    signed_body_value?: string;248    /** Controls what header, if any, should be added to the request, containing the body value */249    signed_body_header?: AwsSignedBodyHeaderType;250    /** Query param signing only: how long the pre-signed URL is valid for */251    expiration_in_seconds?: number;252}253/**254 * Perform AWS HTTP request signing.255 *256 * The {@link HttpRequest} is transformed asynchronously,257 * according to the {@link AwsSigningConfig}.258 *259 * When signing:260 *  1.  It is good practice to use a new config for each signature,261 *      or the date might get too old.262 *263 *  2.  Do not add the following headers to requests before signing, they may be added by the signer:264 *      x-amz-content-sha256,265 *      X-Amz-Date,266 *      Authorization267 *268 *  3.  Do not add the following query params to requests before signing, they may be added by the signer:269 *      X-Amz-Signature,270 *      X-Amz-Date,271 *      X-Amz-Credential,272 *      X-Amz-Algorithm,273 *      X-Amz-SignedHeaders274 * @param request The HTTP request to sign.275 * @param config Configuration for signing.276 * @returns A promise whose result will be the signed277 *       {@link HttpRequest}. The future will contain an exception278 *       if the signing process fails.279 *280 * @category Auth281 */282export declare function aws_sign_request(request: HttpRequest, config: AwsSigningConfig): Promise<HttpRequest>;283/**284 *285 * @internal286 *287 * Test only.288 * Verifies:289 *  (1) The canonical request generated during sigv4a signing of the request matches what is passed in290 *  (2) The signature passed in is a valid ECDSA signature of the hashed string-to-sign derived from the291 *  canonical request292 *293 * @param request The HTTP request to sign.294 * @param config Configuration for signing.295 * @param expected_canonical_request String type of expected canonical request. Refer to XXX(link to doc?)296 * @param signature The generated signature string from {@link aws_sign_request}, which is verified here.297 * @param ecc_key_pub_x the x coordinate of the public part of the ecc key to verify the signature.298 * @param ecc_key_pub_y the y coordinate of the public part of the ecc key to verify the signature299 * @returns True, if the verification succeed. Otherwise, false.300 */301export declare function aws_verify_sigv4a_signing(request: HttpRequest, config: AwsSigningConfig, expected_canonical_request: crt_native.StringLike, signature: crt_native.StringLike, ecc_key_pub_x: crt_native.StringLike, ecc_key_pub_y: crt_native.StringLike): boolean;302