File Explorer

/proc/self/root/var/runtime/node_modules/@aws-sdk/node_modules/aws-crt/source
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
1 dir
34 files
auth.c42.7 KB · 1149 lines
1/**2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.3 * SPDX-License-Identifier: Apache-2.0.4 */5 6#include "auth.h"7 8#include "class_binder.h"9#include "http_connection.h"10#include "http_message.h"11#include "io.h"12 13#include <aws/auth/credentials.h>14#include <aws/auth/signable.h>15#include <aws/auth/signing.h>16#include <aws/auth/signing_config.h>17#include <aws/auth/signing_result.h>18 19#include <aws/common/condition_variable.h>20#include <aws/common/mutex.h>21 22#include <aws/io/tls_channel_handler.h>23 24static const char *AWS_NAPI_KEY_ENDPOINT = "endpoint";25static const char *AWS_NAPI_KEY_IDENTITY = "identity";26static const char *AWS_NAPI_KEY_LOGINS = "logins";27static const char *AWS_NAPI_KEY_CUSTOM_ROLE_ARN = "customRoleArn";28static const char *AWS_NAPI_KEY_IDENTITY_PROVIDER_NAME = "identityProviderName";29static const char *AWS_NAPI_KEY_IDENTITY_PROVIDER_TOKEN = "identityProviderToken";30static const char *AWS_NAPI_KEY_THING_NAME = "thingName";31static const char *AWS_NAPI_KEY_ROLE_ALIAS = "roleAlias";32 33static struct aws_napi_class_info s_creds_provider_class_info;34static aws_napi_method_fn s_creds_provider_constructor;35static aws_napi_method_fn s_creds_provider_new_default;36static aws_napi_method_fn s_creds_provider_new_static;37static aws_napi_method_fn s_creds_provider_new_cognito;38static aws_napi_method_fn s_creds_provider_new_x509;39 40static aws_napi_method_fn s_aws_sign_request;41static aws_napi_method_fn s_aws_verify_sigv4a_signing;42 43napi_status aws_napi_auth_bind(napi_env env, napi_value exports) {44    static const struct aws_napi_method_info s_creds_provider_constructor_info = {45        .name = "AwsCredentialsProvider",46        .method = s_creds_provider_constructor,47        .num_arguments = 1,48        .arg_types = {napi_external},49    };50 51    static const struct aws_napi_method_info s_creds_provider_methods[] = {52        {53            .name = "newDefault",54            .method = s_creds_provider_new_default,55            .num_arguments = 1,56            .arg_types = {napi_undefined},57            .attributes = napi_static,58        },59        {60            .name = "newStatic",61            .method = s_creds_provider_new_static,62            .num_arguments = 2,63            .arg_types = {napi_string, napi_string, napi_string},64            .attributes = napi_static,65        },66        {67            .name = "newCognito",68            .method = s_creds_provider_new_cognito,69            .num_arguments = 4,70            .arg_types = {napi_undefined, napi_undefined, napi_undefined, napi_undefined},71            .attributes = napi_static,72        },73        {74            .name = "newX509",75            .method = s_creds_provider_new_x509,76            .num_arguments = 3,77            .arg_types = {napi_undefined, napi_undefined, napi_undefined},78            .attributes = napi_static,79        }};80 81    AWS_NAPI_CALL(82        env,83        aws_napi_define_class(84            env,85            exports,86            &s_creds_provider_constructor_info,87            NULL,88            0,89            s_creds_provider_methods,90            AWS_ARRAY_SIZE(s_creds_provider_methods),91            &s_creds_provider_class_info),92        { return status; });93 94    static struct aws_napi_method_info s_signer_request_method = {95        .name = "aws_sign_request",96        .method = s_aws_sign_request,97        .num_arguments = 3,98        .arg_types = {napi_object, napi_object, napi_function},99    };100 101    AWS_NAPI_CALL(env, aws_napi_define_function(env, exports, &s_signer_request_method), { return status; });102 103    static struct aws_napi_method_info s_verify_sigv4a_signing_method = {104        .name = "aws_verify_sigv4a_signing",105        .method = s_aws_verify_sigv4a_signing,106        .num_arguments = 6,107        .arg_types = {napi_object, napi_object, napi_string, napi_string, napi_string, napi_string},108    };109 110    AWS_NAPI_CALL(env, aws_napi_define_function(env, exports, &s_verify_sigv4a_signing_method), { return status; });111 112    return napi_ok;113}114 115/***********************************************************************************************************************116 * Credentials Provider117 **********************************************************************************************************************/118 119static void s_napi_creds_provider_finalize(napi_env env, void *finalize_data, void *finalize_hint) {120    (void)env;121    (void)finalize_hint;122    aws_credentials_provider_release(finalize_data);123}124 125napi_status aws_napi_credentials_provider_wrap(126    napi_env env,127    struct aws_credentials_provider *creds_provider,128    napi_value *result) {129 130    aws_credentials_provider_acquire(creds_provider);131 132    return aws_napi_wrap(env, &s_creds_provider_class_info, creds_provider, s_napi_creds_provider_finalize, result);133}134 135struct aws_credentials_provider *aws_napi_credentials_provider_unwrap(napi_env env, napi_value js_object) {136    struct aws_credentials_provider *creds_provider = NULL;137    AWS_NAPI_CALL(env, napi_unwrap(env, js_object, (void **)&creds_provider), { return NULL; });138 139    aws_credentials_provider_acquire(creds_provider);140 141    return creds_provider;142}143 144static napi_value s_creds_provider_constructor(napi_env env, const struct aws_napi_callback_info *cb_info) {145 146    (void)env;147 148    /* Don't do any construction, object should be empty except prototype and wrapped value */149    return cb_info->native_this;150}151 152static napi_value s_creds_provider_new_default(napi_env env, const struct aws_napi_callback_info *cb_info) {153 154    AWS_FATAL_ASSERT(cb_info->num_args == 1);155 156    struct aws_allocator *allocator = aws_napi_get_allocator();157    const struct aws_napi_argument *arg = NULL;158 159    aws_napi_method_next_argument(napi_external, cb_info, &arg);160    struct aws_credentials_provider_chain_default_options options;161    AWS_ZERO_STRUCT(options);162 163    if (arg->native.external != NULL) {164        options.bootstrap = aws_napi_get_client_bootstrap(arg->native.external);165    } else {166        options.bootstrap = aws_napi_get_default_client_bootstrap();167    }168 169    struct aws_credentials_provider *provider = aws_credentials_provider_new_chain_default(allocator, &options);170 171    napi_value node_this = NULL;172    AWS_NAPI_CALL(env, aws_napi_credentials_provider_wrap(env, provider, &node_this), {173        napi_throw_error(env, NULL, "Failed to wrap CredentialsProvider");174        return NULL;175    });176 177    /* Reference is now held by the node object */178    aws_credentials_provider_release(provider);179 180    return node_this;181}182 183static napi_value s_creds_provider_new_static(napi_env env, const struct aws_napi_callback_info *cb_info) {184 185    AWS_FATAL_ASSERT(cb_info->num_args >= 2);186 187    struct aws_allocator *allocator = aws_napi_get_allocator();188    const struct aws_napi_argument *arg = NULL;189 190    struct aws_credentials_provider_static_options options;191    AWS_ZERO_STRUCT(options);192 193    aws_napi_method_next_argument(napi_string, cb_info, &arg);194    options.access_key_id = aws_byte_cursor_from_buf(&arg->native.string);195 196    aws_napi_method_next_argument(napi_string, cb_info, &arg);197    options.secret_access_key = aws_byte_cursor_from_buf(&arg->native.string);198 199    if (aws_napi_method_next_argument(napi_string, cb_info, &arg)) {200        options.session_token = aws_byte_cursor_from_buf(&arg->native.string);201    }202 203    struct aws_credentials_provider *provider = aws_credentials_provider_new_static(allocator, &options);204 205    napi_value node_this = NULL;206    AWS_NAPI_CALL(env, aws_napi_credentials_provider_wrap(env, provider, &node_this), {207        napi_throw_error(env, NULL, "Failed to wrap CredentialsProvider");208        return NULL;209    });210 211    /* Reference is now held by the node object */212    aws_credentials_provider_release(provider);213 214    return node_this;215}216 217struct aws_cognito_credentials_provider_config {218    struct aws_byte_buf endpoint;219    struct aws_byte_buf identity;220 221    struct aws_array_list logins;222    struct aws_array_list login_buffers;223 224    struct aws_byte_buf custom_role_arn;225};226 227static void s_aws_cognito_credentials_provider_config_clean_up(struct aws_cognito_credentials_provider_config *config) {228    aws_byte_buf_clean_up(&config->endpoint);229    aws_byte_buf_clean_up(&config->identity);230 231    aws_array_list_clean_up(&config->logins);232 233    for (size_t i = 0; i < aws_array_list_length(&config->login_buffers); ++i) {234        struct aws_byte_buf buffer;235        AWS_ZERO_STRUCT(buffer);236 237        aws_array_list_get_at(&config->login_buffers, &buffer, i);238 239        aws_byte_buf_clean_up(&buffer);240    }241    aws_array_list_clean_up(&config->login_buffers);242 243    aws_byte_buf_clean_up(&config->custom_role_arn);244}245 246static int s_aws_cognito_credentials_provider_config_init(247    struct aws_cognito_credentials_provider_config *config,248    napi_env env,249    napi_value node_config) {250 251    if (env == NULL) {252        return aws_raise_error(AWS_CRT_NODEJS_ERROR_THREADSAFE_FUNCTION_NULL_NAPI_ENV);253    }254 255    int result = AWS_OP_ERR;256    struct aws_byte_buf identity_provider_name_buf;257    AWS_ZERO_STRUCT(identity_provider_name_buf);258    struct aws_byte_buf identity_provider_token_buf;259    AWS_ZERO_STRUCT(identity_provider_token_buf);260 261    struct aws_allocator *allocator = aws_napi_get_allocator();262    if (aws_array_list_init_dynamic(263            &config->logins, allocator, 0, sizeof(struct aws_cognito_identity_provider_token_pair)) ||264        aws_array_list_init_dynamic(&config->login_buffers, allocator, 0, sizeof(struct aws_byte_buf))) {265        return AWS_OP_ERR;266    }267 268    if (AWS_NGNPR_VALID_VALUE != aws_napi_get_named_property_as_bytebuf(269                                     env, node_config, AWS_NAPI_KEY_ENDPOINT, napi_string, &config->endpoint)) {270        AWS_LOGF_ERROR(271            AWS_LS_NODEJS_CRT_GENERAL,272            "s_aws_cognito_credentials_provider_config_init - required property 'endpoint' could not be extracted from "273            "config");274        return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);275    }276 277    if (AWS_NGNPR_VALID_VALUE != aws_napi_get_named_property_as_bytebuf(278                                     env, node_config, AWS_NAPI_KEY_IDENTITY, napi_string, &config->identity)) {279        AWS_LOGF_ERROR(280            AWS_LS_NODEJS_CRT_GENERAL,281            "s_aws_cognito_credentials_provider_config_init - required property 'identity' could not be extracted from "282            "config");283        return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);284    }285 286    napi_value napi_logins = NULL;287    if (AWS_NGNPR_VALID_VALUE ==288        aws_napi_get_named_property(env, node_config, AWS_NAPI_KEY_LOGINS, napi_object, &napi_logins)) {289 290        /* how many login entries */291        uint32_t login_count = 0;292        AWS_NAPI_CALL(env, napi_get_array_length(env, napi_logins, &login_count), {293            AWS_LOGF_ERROR(294                AWS_LS_NODEJS_CRT_GENERAL,295                "s_aws_cognito_credentials_provider_config_init - property 'logins' must be an array");296            return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);297        });298 299        for (size_t i = 0; i < login_count; ++i) {300 301            napi_value napi_token_pair = NULL;302            AWS_NAPI_CALL(env, napi_get_element(env, napi_logins, (uint32_t)i, &napi_token_pair), {303                AWS_LOGF_ERROR(304                    AWS_LS_NODEJS_CRT_GENERAL,305                    "s_aws_cognito_credentials_provider_config_init - could not access property 'logins' array "306                    "element");307                aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);308                goto done;309            });310 311            if (AWS_NGNPR_VALID_VALUE != aws_napi_get_named_property_as_bytebuf(312                                             env,313                                             napi_token_pair,314                                             AWS_NAPI_KEY_IDENTITY_PROVIDER_NAME,315                                             napi_string,316                                             &identity_provider_name_buf)) {317                AWS_LOGF_ERROR(318                    AWS_LS_NODEJS_CRT_GENERAL,319                    "s_aws_cognito_credentials_provider_config_init - required property 'identityProviderName' missing "320                    "from login token pair");321                aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);322                goto done;323            }324 325            if (AWS_NGNPR_VALID_VALUE != aws_napi_get_named_property_as_bytebuf(326                                             env,327                                             napi_token_pair,328                                             AWS_NAPI_KEY_IDENTITY_PROVIDER_TOKEN,329                                             napi_string,330                                             &identity_provider_token_buf)) {331                AWS_LOGF_ERROR(332                    AWS_LS_NODEJS_CRT_GENERAL,333                    "s_aws_cognito_credentials_provider_config_init - required property 'identityProviderToken' "334                    "missing from login token pair");335                aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);336                goto done;337            }338 339            struct aws_byte_cursor identity_provider_name_cursor =340                aws_byte_cursor_from_buf(&identity_provider_name_buf);341            if (aws_array_list_push_back(&config->login_buffers, &identity_provider_name_buf)) {342                goto done;343            }344 345            AWS_ZERO_STRUCT(identity_provider_name_buf);346 347            struct aws_byte_cursor identity_provider_token_cursor =348                aws_byte_cursor_from_buf(&identity_provider_token_buf);349            if (aws_array_list_push_back(&config->login_buffers, &identity_provider_token_buf)) {350                goto done;351            }352 353            AWS_ZERO_STRUCT(identity_provider_token_buf);354 355            struct aws_cognito_identity_provider_token_pair config_token_pair = {356                .identity_provider_name = identity_provider_name_cursor,357                .identity_provider_token = identity_provider_token_cursor,358            };359 360            if (aws_array_list_push_back(&config->logins, &config_token_pair)) {361                goto done;362            }363        }364    }365 366    if (AWS_NGNPR_INVALID_VALUE ==367        aws_napi_get_named_property_as_bytebuf(368            env, node_config, AWS_NAPI_KEY_CUSTOM_ROLE_ARN, napi_string, &config->custom_role_arn)) {369        AWS_LOGF_ERROR(370            AWS_LS_NODEJS_CRT_GENERAL,371            "s_aws_cognito_credentials_provider_config_init - optional property 'customRoleArn' could not be extracted "372            "from "373            "config");374        aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);375        goto done;376    }377 378    result = AWS_OP_SUCCESS;379 380done:381 382    /* we carefully ensure that we only hit here with buffers that failed to be added to the login_buffers array */383    aws_byte_buf_clean_up(&identity_provider_name_buf);384    aws_byte_buf_clean_up(&identity_provider_token_buf);385 386    return result;387}388 389static napi_value s_creds_provider_new_cognito(napi_env env, const struct aws_napi_callback_info *cb_info) {390 391    AWS_FATAL_ASSERT(cb_info->num_args == 4);392 393    napi_value node_provider = NULL;394    struct aws_allocator *allocator = aws_napi_get_allocator();395    struct aws_credentials_provider *provider = NULL;396    struct aws_cognito_credentials_provider_config provider_config;397    AWS_ZERO_STRUCT(provider_config);398 399    struct aws_credentials_provider_cognito_options options;400    AWS_ZERO_STRUCT(options);401 402    const struct aws_napi_argument *arg = NULL;403 404    aws_napi_method_next_argument(napi_undefined, cb_info, &arg);405    napi_value first_argument = arg->node;406 407    if (s_aws_cognito_credentials_provider_config_init(&provider_config, env, first_argument)) {408        napi_throw_error(env, NULL, "Failed to initialize cognito provider configuration from node config");409        goto done;410    }411 412    options.endpoint = aws_byte_cursor_from_buf(&provider_config.endpoint);413    options.identity = aws_byte_cursor_from_buf(&provider_config.identity);414    options.login_count = aws_array_list_length(&provider_config.logins);415    options.logins = provider_config.logins.data;416 417    struct aws_byte_cursor custom_role_arn_cursor;418    AWS_ZERO_STRUCT(custom_role_arn_cursor);419    if (provider_config.custom_role_arn.len > 0) {420        custom_role_arn_cursor = aws_byte_cursor_from_buf(&provider_config.custom_role_arn);421        options.custom_role_arn = &custom_role_arn_cursor;422    }423 424    aws_napi_method_next_argument(napi_external, cb_info, &arg);425    AWS_NAPI_CALL(env, napi_get_value_external(env, arg->node, (void **)&options.tls_ctx), {426        napi_throw_error(env, NULL, "Failed to extract tls_ctx from external");427        goto done;428    });429 430    aws_napi_method_next_argument(napi_external, cb_info, &arg);431    if (arg->native.external != NULL) {432        options.bootstrap = aws_napi_get_client_bootstrap(arg->native.external);433    } else {434        options.bootstrap = aws_napi_get_default_client_bootstrap();435    }436 437    aws_napi_method_next_argument(napi_external, cb_info, &arg);438    if (arg->native.external != NULL) {439        options.http_proxy_options = aws_napi_get_http_proxy_options(arg->native.external);440    }441 442    provider = aws_credentials_provider_new_cognito_caching(allocator, &options);443    if (provider == NULL) {444        napi_throw_error(env, NULL, "Failed to create native Cognito Credentials Provider");445        goto done;446    }447 448    AWS_NAPI_CALL(env, aws_napi_credentials_provider_wrap(env, provider, &node_provider), {449        napi_throw_error(env, NULL, "Failed to wrap CognitoCredentialsProvider");450        goto done;451    });452 453done:454 455    s_aws_cognito_credentials_provider_config_clean_up(&provider_config);456 457    aws_credentials_provider_release(provider);458 459    return node_provider;460}461 462struct aws_x509_credentials_provider_config {463    struct aws_byte_buf endpoint;464    struct aws_byte_buf thing_name;465    struct aws_byte_buf role_alias;466};467 468static void s_aws_x509_credentials_provider_config_clean_up(struct aws_x509_credentials_provider_config *config) {469    aws_byte_buf_clean_up(&config->endpoint);470    aws_byte_buf_clean_up(&config->thing_name);471    aws_byte_buf_clean_up(&config->role_alias);472}473 474static int s_aws_x509_credentials_provider_config_init(475    struct aws_x509_credentials_provider_config *config,476    napi_env env,477    napi_value node_config) {478 479    if (env == NULL) {480        return aws_raise_error(AWS_CRT_NODEJS_ERROR_THREADSAFE_FUNCTION_NULL_NAPI_ENV);481    }482 483    if (AWS_NGNPR_VALID_VALUE != aws_napi_get_named_property_as_bytebuf(484                                     env, node_config, AWS_NAPI_KEY_ENDPOINT, napi_string, &config->endpoint)) {485        AWS_LOGF_ERROR(486            AWS_LS_NODEJS_CRT_GENERAL,487            "s_aws_x509_credentials_provider_config_init - required property 'endpoint' could not be extracted from "488            "config");489        return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);490    }491 492    if (AWS_NGNPR_VALID_VALUE != aws_napi_get_named_property_as_bytebuf(493                                     env, node_config, AWS_NAPI_KEY_THING_NAME, napi_string, &config->thing_name)) {494        AWS_LOGF_ERROR(495            AWS_LS_NODEJS_CRT_GENERAL,496            "s_aws_x509_credentials_provider_config_init - required property 'thing_name' could not be extracted from "497            "config");498        return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);499    }500 501    if (AWS_NGNPR_VALID_VALUE != aws_napi_get_named_property_as_bytebuf(502                                     env, node_config, AWS_NAPI_KEY_ROLE_ALIAS, napi_string, &config->role_alias)) {503        AWS_LOGF_ERROR(504            AWS_LS_NODEJS_CRT_GENERAL,505            "s_aws_x509_credentials_provider_config_init - required property 'role_alias' could not be extracted from "506            "config");507        return aws_raise_error(AWS_ERROR_INVALID_ARGUMENT);508    }509 510    return AWS_OP_SUCCESS;511}512 513static napi_value s_creds_provider_new_x509(napi_env env, const struct aws_napi_callback_info *cb_info) {514 515    AWS_FATAL_ASSERT(cb_info->num_args == 3);516 517    napi_value node_provider = NULL;518    struct aws_allocator *allocator = aws_napi_get_allocator();519    struct aws_credentials_provider *provider = NULL;520    struct aws_x509_credentials_provider_config provider_config;521    AWS_ZERO_STRUCT(provider_config);522    struct aws_tls_connection_options tls_connection_options;523    AWS_ZERO_STRUCT(tls_connection_options);524 525    struct aws_credentials_provider_x509_options options;526    AWS_ZERO_STRUCT(options);527 528    const struct aws_napi_argument *arg = NULL;529 530    aws_napi_method_next_argument(napi_undefined, cb_info, &arg);531    napi_value first_argument = arg->node;532 533    if (s_aws_x509_credentials_provider_config_init(&provider_config, env, first_argument)) {534        napi_throw_error(env, NULL, "Failed to initialize x509 provider configuration from node config");535        goto done;536    }537 538    options.endpoint = aws_byte_cursor_from_buf(&provider_config.endpoint);539    options.thing_name = aws_byte_cursor_from_buf(&provider_config.thing_name);540    options.role_alias = aws_byte_cursor_from_buf(&provider_config.role_alias);541 542    struct aws_tls_ctx *tls_context = NULL;543    aws_napi_method_next_argument(napi_external, cb_info, &arg);544    AWS_NAPI_CALL(env, napi_get_value_external(env, arg->node, (void **)&tls_context), {545        napi_throw_error(env, NULL, "Failed to extract tls_ctx from external");546        goto done;547    });548    if (tls_context != NULL) {549        aws_tls_connection_options_init_from_ctx(&tls_connection_options, tls_context);550        options.tls_connection_options = &tls_connection_options;551    } else {552        napi_throw_error(env, NULL, "Failed to extract and set tls_ctx from external");553        goto done;554    }555 556    /* Always use the default bootstrap */557    options.bootstrap = aws_napi_get_default_client_bootstrap();558 559    aws_napi_method_next_argument(napi_external, cb_info, &arg);560    if (arg->native.external != NULL) {561        options.proxy_options = aws_napi_get_http_proxy_options(arg->native.external);562    }563 564    provider = aws_credentials_provider_new_x509(allocator, &options);565    if (provider == NULL) {566        napi_throw_error(env, NULL, "Failed to create native X509 Credentials Provider");567        goto done;568    }569 570    AWS_NAPI_CALL(env, aws_napi_credentials_provider_wrap(env, provider, &node_provider), {571        napi_throw_error(env, NULL, "Failed to wrap X509CredentialsProvider");572        goto done;573    });574 575done:576    aws_tls_connection_options_clean_up(&tls_connection_options);577    s_aws_x509_credentials_provider_config_clean_up(&provider_config);578    aws_credentials_provider_release(provider);579    return node_provider;580}581 582/***********************************************************************************************************************583 * Signing584 **********************************************************************************************************************/585 586struct signer_sign_request_state {587    napi_ref node_request;588    struct aws_http_message *request;589    struct aws_signable *signable;590 591    /**592     * aws_string *593     * this exists so that when should_sign_param is called from off thread, we don't have to hit Node every single594     * time595     */596    struct aws_array_list header_blacklist;597 598    napi_threadsafe_function on_complete;599 600    int error_code;601};602 603static bool s_should_sign_header(const struct aws_byte_cursor *name, void *userdata) {604    struct signer_sign_request_state *state = userdata;605 606    /* If there are params in the black_list, check them all */607    if (state->header_blacklist.length) {608        const size_t num_blacklisted = aws_array_list_length(&state->header_blacklist);609        for (size_t i = 0; i < num_blacklisted; ++i) {610            struct aws_string *blacklisted = NULL;611            aws_array_list_get_at(&state->header_blacklist, &blacklisted, i);612            AWS_ASSUME(blacklisted);613 614            if (aws_string_eq_byte_cursor_ignore_case(blacklisted, name)) {615                return false;616            }617        }618    }619 620    return true;621}622 623static void s_destroy_signing_binding(624    napi_env env,625    struct aws_allocator *allocator,626    struct signer_sign_request_state *binding) {627    if (binding == NULL) {628        return;629    }630 631    /* Release references */632    napi_delete_reference(env, binding->node_request);633 634    const size_t num_blacklisted = binding->header_blacklist.length;635    for (size_t i = 0; i < num_blacklisted; ++i) {636        struct aws_string *blacklisted = NULL;637        aws_array_list_get_at(&binding->header_blacklist, &blacklisted, i);638        aws_string_destroy(blacklisted);639    }640    aws_array_list_clean_up(&binding->header_blacklist);641 642    aws_signable_destroy(binding->signable);643 644    AWS_NAPI_ENSURE(env, aws_napi_release_threadsafe_function(binding->on_complete, napi_tsfn_abort));645    aws_mem_release(allocator, binding);646}647 648static void s_aws_sign_request_complete_call(napi_env env, napi_value on_complete, void *context, void *user_data) {649 650    struct signer_sign_request_state *state = context;651    struct aws_allocator *allocator = user_data;652 653    napi_value args[1];654    AWS_NAPI_ENSURE(env, napi_create_int32(env, state->error_code, &args[0]));655 656    AWS_NAPI_ENSURE(657        env,658        aws_napi_dispatch_threadsafe_function(env, state->on_complete, NULL, on_complete, AWS_ARRAY_SIZE(args), args));659 660    s_destroy_signing_binding(env, allocator, state);661}662 663static void s_aws_sign_request_complete(struct aws_signing_result *result, int error_code, void *userdata) {664 665    struct signer_sign_request_state *state = userdata;666    struct aws_allocator *allocator = aws_napi_get_allocator();667 668    state->error_code = error_code;669    if (error_code == AWS_ERROR_SUCCESS) {670        aws_apply_signing_result_to_http_request(state->request, allocator, result);671    }672 673    AWS_NAPI_ENSURE(NULL, aws_napi_queue_threadsafe_function(state->on_complete, allocator));674}675 676static int s_get_config_from_js_config(677    napi_env env,678    struct aws_signing_config_aws *config,679    napi_value js_config,680    struct aws_byte_buf *region_buf,681    struct aws_byte_buf *service_buf,682    struct aws_byte_buf *signed_body_value_buf,683    struct signer_sign_request_state *state,684    struct aws_allocator *allocator) {685 686    config->config_type = AWS_SIGNING_CONFIG_AWS;687    int result = AWS_OP_SUCCESS;688 689    napi_value current_value = NULL;690    /* Get algorithm */691    if (aws_napi_get_named_property(env, js_config, "algorithm", napi_number, &current_value) ==692        AWS_NGNPR_VALID_VALUE) {693        int32_t algorithm_int = 0;694        napi_get_value_int32(env, current_value, &algorithm_int);695        if (algorithm_int < 0) {696            napi_throw_error(env, NULL, "Signing algorithm value out of acceptable range");697            result = AWS_OP_ERR;698            goto done;699        }700 701        config->algorithm = (enum aws_signing_algorithm)algorithm_int;702    }703 704    /* Get signature type */705    if (aws_napi_get_named_property(env, js_config, "signature_type", napi_number, &current_value) ==706        AWS_NGNPR_VALID_VALUE) {707        int32_t signature_type_int = 0;708        napi_get_value_int32(env, current_value, &signature_type_int);709        if (signature_type_int < 0) {710            napi_throw_error(env, NULL, "Signing signature type value out of acceptable range");711            result = AWS_OP_ERR;712            goto done;713        }714 715        config->signature_type = (enum aws_signature_type)signature_type_int;716    }717 718    /* Get provider */719    if (aws_napi_get_named_property(env, js_config, "provider", napi_object, &current_value) != AWS_NGNPR_VALID_VALUE ||720        NULL == (config->credentials_provider = aws_napi_credentials_provider_unwrap(env, current_value))) {721 722        napi_throw_type_error(env, NULL, "Credentials Provider is required");723        result = AWS_OP_ERR;724        goto done;725    }726 727    /* Get region */728    if (aws_napi_get_named_property(env, js_config, "region", napi_string, &current_value) != AWS_NGNPR_VALID_VALUE) {729        napi_throw_type_error(env, NULL, "Region string is required");730        result = AWS_OP_ERR;731        goto done;732    }733    if (aws_byte_buf_init_from_napi(region_buf, env, current_value)) {734        napi_throw_error(env, NULL, "Failed to build region buffer");735        result = AWS_OP_ERR;736        goto done;737    }738    config->region = aws_byte_cursor_from_buf(region_buf);739 740    /* Get service */741    if (aws_napi_get_named_property(env, js_config, "service", napi_string, &current_value) == AWS_NGNPR_VALID_VALUE) {742        if (aws_byte_buf_init_from_napi(service_buf, env, current_value)) {743            napi_throw_error(env, NULL, "Failed to build service buffer");744            result = AWS_OP_ERR;745            goto done;746        }747 748        config->service = aws_byte_cursor_from_buf(service_buf);749    }750 751    /* Get date */752    /* #TODO eventually check for napi_date type (node v11) */753    if (aws_napi_get_named_property(env, js_config, "date", napi_object, &current_value) == AWS_NGNPR_VALID_VALUE) {754        napi_value prototype = NULL;755        AWS_NAPI_CALL(env, napi_get_prototype(env, current_value, &prototype), {756            napi_throw_type_error(env, NULL, "Date param must be a Date object");757            result = AWS_OP_ERR;758            goto done;759        });760 761        napi_value valueOfFn = NULL;762        AWS_NAPI_CALL(env, napi_get_named_property(env, prototype, "getTime", &valueOfFn), {763            napi_throw_type_error(env, NULL, "Date param must be a Date object");764            result = AWS_OP_ERR;765            goto done;766        });767 768        napi_value node_result = NULL;769        AWS_NAPI_CALL(env, napi_call_function(env, current_value, valueOfFn, 0, NULL, &node_result), {770            napi_throw_type_error(env, NULL, "Date param must be a Date object");771            result = AWS_OP_ERR;772            goto done;773        });774 775        int64_t ms_since_epoch = 0;776        AWS_NAPI_CALL(env, napi_get_value_int64(env, node_result, &ms_since_epoch), {777            napi_throw_type_error(env, NULL, "Date param must be a Date object");778            result = AWS_OP_ERR;779            goto done;780        });781 782        aws_date_time_init_epoch_millis(&config->date, (uint64_t)ms_since_epoch);783    } else {784        aws_date_time_init_now(&config->date);785    }786 787    /* Get param blacklist */788    if (aws_napi_get_named_property(env, js_config, "header_blacklist", napi_object, &current_value) ==789        AWS_NGNPR_VALID_VALUE) {790        bool is_array = false;791        AWS_NAPI_CALL(env, napi_is_array(env, current_value, &is_array), {792            napi_throw_error(env, NULL, "Failed to check if header blacklist is an array");793            result = AWS_OP_ERR;794            goto done;795        });796 797        if (!is_array) {798            napi_throw_type_error(env, NULL, "header blacklist must be an array of strings");799            result = AWS_OP_ERR;800            goto done;801        }802 803        uint32_t blacklist_length = 0;804        AWS_NAPI_CALL(env, napi_get_array_length(env, current_value, &blacklist_length), {805            napi_throw_error(env, NULL, "Failed to get the length of node_header_blacklist");806            result = AWS_OP_ERR;807            goto done;808        });809 810        /* Initialize the string array */811        int err = aws_array_list_init_dynamic(812            &state->header_blacklist, allocator, blacklist_length, sizeof(struct aws_string *));813        if (err == AWS_OP_ERR) {814            aws_napi_throw_last_error(env);815            result = AWS_OP_ERR;816            goto done;817        }818 819        /* Start copying the strings */820        for (uint32_t i = 0; i < blacklist_length; ++i) {821            napi_value header = NULL;822            AWS_NAPI_CALL(env, napi_get_element(env, current_value, i, &header), {823                napi_throw_error(env, NULL, "Failed to get element from param blacklist");824                result = AWS_OP_ERR;825                goto done;826            });827 828            struct aws_string *header_name = aws_string_new_from_napi(env, header);829            if (!header_name) {830                napi_throw_error(env, NULL, "header blacklist must be array of strings");831                result = AWS_OP_ERR;832                goto done;833            }834 835            if (aws_array_list_push_back(&state->header_blacklist, &header_name)) {836                aws_string_destroy(header_name);837                aws_napi_throw_last_error(env);838                result = AWS_OP_ERR;839                goto done;840            }841        }842 843        config->should_sign_header = s_should_sign_header;844        config->should_sign_header_ud = state;845    }846 847    /* Get bools */848    if (aws_napi_get_named_property(env, js_config, "use_double_uri_encode", napi_boolean, &current_value) ==849        AWS_NGNPR_VALID_VALUE) {850        bool property_value = true;851        napi_get_value_bool(env, current_value, &property_value);852        config->flags.use_double_uri_encode = property_value;853    } else {854        config->flags.use_double_uri_encode = true;855    }856 857    if (aws_napi_get_named_property(env, js_config, "should_normalize_uri_path", napi_boolean, &current_value) ==858        AWS_NGNPR_VALID_VALUE) {859        bool property_value = true;860        napi_get_value_bool(env, current_value, &property_value);861        config->flags.should_normalize_uri_path = property_value;862    } else {863        config->flags.should_normalize_uri_path = true;864    }865 866    if (aws_napi_get_named_property(env, js_config, "omit_session_token", napi_boolean, &current_value) ==867        AWS_NGNPR_VALID_VALUE) {868        bool property_value = true;869        napi_get_value_bool(env, current_value, &property_value);870        config->flags.omit_session_token = property_value;871    } else {872        config->flags.omit_session_token = false;873    }874 875    /* Get signed body value */876    if (aws_napi_get_named_property(env, js_config, "signed_body_value", napi_string, &current_value) ==877        AWS_NGNPR_VALID_VALUE) {878        if (aws_byte_buf_init_from_napi(signed_body_value_buf, env, current_value)) {879            napi_throw_error(env, NULL, "Failed to build signed_body_value buffer");880            result = AWS_OP_ERR;881            goto done;882        }883        config->signed_body_value = aws_byte_cursor_from_buf(signed_body_value_buf);884    }885 886    /* Get signed body header */887    if (aws_napi_get_named_property(env, js_config, "signed_body_header", napi_number, &current_value) ==888        AWS_NGNPR_VALID_VALUE) {889        int32_t signed_body_header = 0;890        napi_get_value_int32(env, current_value, &signed_body_header);891        config->signed_body_header = (enum aws_signed_body_header_type)signed_body_header;892    } else {893        config->signed_body_header = AWS_SBHT_NONE;894    }895 896    /* Get expiration time */897    if (aws_napi_get_named_property(env, js_config, "expiration_in_seconds", napi_number, &current_value) ==898        AWS_NGNPR_VALID_VALUE) {899        int64_t expiration_in_seconds = 0;900        napi_get_value_int64(env, current_value, &expiration_in_seconds);901        if (expiration_in_seconds < 0) {902            napi_throw_error(env, NULL, "Signing expiration time in seconds must be non-negative");903            result = AWS_OP_ERR;904            goto done;905        }906        config->expiration_in_seconds = (uint64_t)expiration_in_seconds;907    }908 909done:910    return result;911}912 913static napi_value s_aws_sign_request(napi_env env, const struct aws_napi_callback_info *cb_info) {914 915    struct aws_allocator *allocator = aws_napi_get_allocator();916    const struct aws_napi_argument *arg = NULL;917 918    struct signer_sign_request_state *state = aws_mem_calloc(allocator, 1, sizeof(struct signer_sign_request_state));919    if (!state) {920        return NULL;921    }922 923    /* Temp buffers */924    struct aws_byte_buf region_buf;925    AWS_ZERO_STRUCT(region_buf);926    struct aws_byte_buf service_buf;927    AWS_ZERO_STRUCT(service_buf);928    struct aws_byte_buf signed_body_value_buf;929    AWS_ZERO_STRUCT(signed_body_value_buf);930 931    /* Get request */932    aws_napi_method_next_argument(napi_object, cb_info, &arg);933    napi_create_reference(env, arg->node, 1, &state->node_request);934    state->request = aws_napi_http_message_unwrap(env, arg->node);935    state->signable = aws_signable_new_http_request(allocator, state->request);936 937    /* Populate config */938    struct aws_signing_config_aws config;939    AWS_ZERO_STRUCT(config);940 941    aws_napi_method_next_argument(napi_object, cb_info, &arg);942    napi_value js_config = arg->node;943 944    if (s_get_config_from_js_config(945            env, &config, js_config, &region_buf, &service_buf, &signed_body_value_buf, state, allocator)) {946        /* error already raised */947        goto error;948    }949    aws_napi_method_next_argument(napi_function, cb_info, &arg);950    AWS_NAPI_CALL(951        env,952        aws_napi_create_threadsafe_function(953            env,954            arg->node,955            "aws_signer_on_signing_complete",956            s_aws_sign_request_complete_call,957            state,958            &state->on_complete),959        {960            napi_throw_type_error(env, NULL, "on_shutdown must be a valid callback or undefined");961            goto error;962        });963 964    if (aws_sign_request_aws(965            allocator,966            state->signable,967            (struct aws_signing_config_base *)&config,968            s_aws_sign_request_complete,969            state)) {970        aws_napi_throw_last_error(env);971        AWS_NAPI_ENSURE(env, aws_napi_release_threadsafe_function(state->on_complete, napi_tsfn_abort));972    }973 974    goto done;975 976error:977    // Additional cleanup needed when we didn't successfully bind the on_complete function978    s_destroy_signing_binding(env, allocator, state);979 980done:981    // Shared cleanup982    aws_credentials_provider_release(config.credentials_provider);983 984    aws_byte_buf_clean_up(&region_buf);985    aws_byte_buf_clean_up(&service_buf);986    aws_byte_buf_clean_up(&signed_body_value_buf);987 988    return NULL;989}990 991struct sigv4a_credentail_getter_state {992    struct aws_allocator *allocator;993    struct aws_condition_variable cvar;994    struct aws_mutex lock;995    bool completed;996 997    struct aws_signing_config_aws *config;998};999 1000static void s_aws_signv4a_on_get_credentials(struct aws_credentials *credentials, int error_code, void *user_data) {1001    (void)error_code;1002    struct sigv4a_credentail_getter_state *state = user_data;1003 1004    aws_mutex_lock(&state->lock);1005    state->completed = true;1006    if (credentials) {1007        state->config->credentials = credentials;1008    }1009    aws_mutex_unlock(&state->lock);1010    aws_condition_variable_notify_one(&state->cvar);1011}1012 1013static bool s_get_credential_completed(void *arg) {1014    struct sigv4a_credentail_getter_state *state = arg;1015    return state->completed;1016}1017 1018static void s_wait_for_get_credential_to_complete(struct sigv4a_credentail_getter_state *state) {1019    aws_mutex_lock(&state->lock);1020    aws_condition_variable_wait_pred(&state->cvar, &state->lock, s_get_credential_completed, state);1021    aws_mutex_unlock(&state->lock);1022}1023 1024/* wrap of the signing verification tests */1025static napi_value s_aws_verify_sigv4a_signing(napi_env env, const struct aws_napi_callback_info *cb_info) {1026 1027    napi_value result = NULL;1028 1029    AWS_NAPI_ENSURE(env, napi_get_boolean(env, false, &result));1030 1031    struct aws_allocator *allocator = aws_napi_get_allocator();1032    const struct aws_napi_argument *arg = NULL;1033 1034    struct signer_sign_request_state *state = aws_mem_calloc(allocator, 1, sizeof(struct signer_sign_request_state));1035    if (!state) {1036        return result;1037    }1038 1039    /* Temp buffers */1040    struct aws_byte_buf region_buf;1041    AWS_ZERO_STRUCT(region_buf);1042    struct aws_byte_buf service_buf;1043    AWS_ZERO_STRUCT(service_buf);1044    struct aws_byte_buf signed_body_value_buf;1045    AWS_ZERO_STRUCT(signed_body_value_buf);1046    struct aws_byte_buf expected_canonical_request_buf;1047    AWS_ZERO_STRUCT(expected_canonical_request_buf);1048    struct aws_byte_buf signature_buf;1049    AWS_ZERO_STRUCT(signature_buf);1050    struct aws_byte_buf ecc_key_pub_x_buf;1051    AWS_ZERO_STRUCT(ecc_key_pub_x_buf);1052    struct aws_byte_buf ecc_key_pub_y_buf;1053    AWS_ZERO_STRUCT(ecc_key_pub_y_buf);1054 1055    /* Get request */1056    aws_napi_method_next_argument(napi_object, cb_info, &arg);1057    state->request = aws_napi_http_message_unwrap(env, arg->node);1058    state->signable = aws_signable_new_http_request(allocator, state->request);1059 1060    /* Populate config */1061    struct aws_signing_config_aws config;1062    AWS_ZERO_STRUCT(config);1063 1064    aws_napi_method_next_argument(napi_object, cb_info, &arg);1065    napi_value js_config = arg->node;1066 1067    if (s_get_config_from_js_config(1068            env, &config, js_config, &region_buf, &service_buf, &signed_body_value_buf, state, allocator)) {1069        /* error already raised */1070        goto done;1071    }1072 1073    aws_napi_method_next_argument(napi_string, cb_info, &arg);1074    napi_value node_expected_canonical_request = arg->node;1075    if (aws_byte_buf_init_from_napi(&expected_canonical_request_buf, env, node_expected_canonical_request)) {1076        napi_throw_type_error(env, NULL, "The expected canonical request must be a string");1077        goto done;1078    }1079 1080    aws_napi_method_next_argument(napi_string, cb_info, &arg);1081    napi_value node_signature = arg->node;1082    if (aws_byte_buf_init_from_napi(&signature_buf, env, node_signature)) {1083        napi_throw_type_error(env, NULL, "The signature must be a string");1084        goto done;1085    }1086 1087    aws_napi_method_next_argument(napi_string, cb_info, &arg);1088    napi_value node_ecc_key_pub_x = arg->node;1089    if (aws_byte_buf_init_from_napi(&ecc_key_pub_x_buf, env, node_ecc_key_pub_x)) {1090        napi_throw_type_error(env, NULL, "The public ecc key must be a string");1091        goto done;1092    }1093 1094    aws_napi_method_next_argument(napi_string, cb_info, &arg);1095    napi_value node_ecc_key_pub_y = arg->node;1096    if (aws_byte_buf_init_from_napi(&ecc_key_pub_y_buf, env, node_ecc_key_pub_y)) {1097        napi_throw_type_error(env, NULL, "The public ecc key must be a string");1098        goto done;1099    }1100 1101    struct sigv4a_credentail_getter_state credential_state;1102    AWS_ZERO_STRUCT(credential_state);1103    credential_state.allocator = allocator;1104    credential_state.config = &config;1105    aws_condition_variable_init(&credential_state.cvar);1106    aws_mutex_init(&credential_state.lock);1107    /* get credential from provider for the verification */1108    if (aws_credentials_provider_get_credentials(1109            config.credentials_provider, s_aws_signv4a_on_get_credentials, &credential_state)) {1110        goto done;1111    }1112    /* wait for credential provider getting the credential */1113    s_wait_for_get_credential_to_complete(&credential_state);1114    if (!config.credentials) {1115        napi_throw_type_error(env, NULL, "Failed to get credentials from credential provider");1116        goto done;1117    }1118 1119    if (aws_verify_sigv4a_signing(1120            allocator,1121            state->signable,1122            (struct aws_signing_config_base *)&config,1123            aws_byte_cursor_from_buf(&expected_canonical_request_buf),1124            aws_byte_cursor_from_buf(&signature_buf),1125            aws_byte_cursor_from_buf(&ecc_key_pub_x_buf),1126            aws_byte_cursor_from_buf(&ecc_key_pub_y_buf))) {1127        /* Verification failed, the signature result is wrong. */1128        aws_napi_throw_last_error(env);1129        goto done;1130    }1131 1132    /* verification succeed */1133    AWS_NAPI_ENSURE(env, napi_get_boolean(env, true, &result));1134 1135done:1136    s_destroy_signing_binding(env, allocator, state);1137 1138    aws_credentials_provider_release(config.credentials_provider);1139    aws_byte_buf_clean_up(&region_buf);1140    aws_byte_buf_clean_up(&service_buf);1141    aws_byte_buf_clean_up(&signed_body_value_buf);1142    aws_byte_buf_clean_up(&expected_canonical_request_buf);1143    aws_byte_buf_clean_up(&signature_buf);1144    aws_byte_buf_clean_up(&ecc_key_pub_x_buf);1145    aws_byte_buf_clean_up(&ecc_key_pub_y_buf);1146 1147    return result;1148}1149