File Explorer

/var/runtime/node_modules/@aws-sdk/node_modules/aws-crt/lib/native
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
0 dirs
33 files
aws_iot.ts19.5 KB · 522 lines
1/*2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.3 * SPDX-License-Identifier: Apache-2.0.4 */5 6/**7 * Module for AWS IoT configuration and connection establishment8 *9 * @packageDocumentation10 */11 12import { MqttClientConnection, MqttConnectionConfig, MqttWill} from "./mqtt";13import { DEFAULT_RECONNECT_MIN_SEC, DEFAULT_RECONNECT_MAX_SEC} from "../common/mqtt"14import * as io from "./io";15import { TlsContextOptions } from "./io";16import * as platform from '../common/platform';17import { HttpProxyOptions } from "./http";18import { WebsocketOptionsBase } from "../common/auth";19import { CrtError } from "./error";20 21import {22    aws_sign_request,23    AwsCredentialsProvider,24    AwsSignatureType,25    AwsSignedBodyValue,26    AwsSigningAlgorithm,27    AwsSigningConfig28} from "./auth";29import * as iot_shared from "../common/aws_iot_shared"30 31/**32 * Websocket-specific mqtt connection configuration options33 *34 * @category IoT35 */36export interface WebsocketConfig extends WebsocketOptionsBase{37    /** Sources the AWS Credentials used to sign the websocket connection handshake */38    credentials_provider: AwsCredentialsProvider;39 40    /** (Optional) http proxy configuration */41    proxy_options?: HttpProxyOptions;42 43    /** AWS region the websocket connection is being established in.  Must match the region embedded in the44     * endpoint.45     */46    region: string;47 48    /** (Optional)  TLS configuration to use when establishing the connection */49    tls_ctx_options?: TlsContextOptions;50}51 52/**53 * Builder functions to create a {@link MqttConnectionConfig} which can then be used to create54 * a {@link MqttClientConnection}, configured for use with AWS IoT.55 *56 * @category IoT57 */58export class AwsIotMqttConnectionConfigBuilder {59    private params: MqttConnectionConfig60    private is_using_custom_authorizer: boolean61 62    private constructor(private tls_ctx_options: TlsContextOptions) {63        this.params = {64            client_id: '',65            host_name: '',66            socket_options: new io.SocketOptions(),67            port: 8883,68            use_websocket: false,69            clean_session: false,70            keep_alive: undefined,71            will: undefined,72            username: "",73            password: undefined,74            tls_ctx: undefined,75            reconnect_min_sec: DEFAULT_RECONNECT_MIN_SEC,76            reconnect_max_sec: DEFAULT_RECONNECT_MAX_SEC77        };78        this.is_using_custom_authorizer = false79    }80 81    /**82     * Create a new builder with mTLS file paths83     * @param cert_path - Path to certificate, in PEM format84     * @param key_path - Path to private key, in PEM format85     */86    static new_mtls_builder_from_path(cert_path: string, key_path: string) {87        let builder = new AwsIotMqttConnectionConfigBuilder(TlsContextOptions.create_client_with_mtls_from_path(cert_path, key_path));88        builder.params.port = 8883;89 90        if (io.is_alpn_available()) {91            builder.tls_ctx_options.alpn_list.unshift('x-amzn-mqtt-ca');92        }93 94        return builder;95    }96 97    /**98     * Create a new builder with mTLS cert pair in memory99     * @param cert - Certificate, in PEM format100     * @param private_key - Private key, in PEM format101     */102    static new_mtls_builder(cert: string, private_key: string) {103        let builder = new AwsIotMqttConnectionConfigBuilder(TlsContextOptions.create_client_with_mtls(cert, private_key));104        builder.params.port = 8883;105 106        if (io.is_alpn_available()) {107            builder.tls_ctx_options.alpn_list.unshift('x-amzn-mqtt-ca');108        }109 110        return builder;111    }112 113    /**114     * Create a new builder with mTLS using a PKCS#11 library for private key operations.115     *116     * NOTE: This configuration only works on Unix devices.117     * @param pkcs11_options - PKCS#11 options.118     */119    static new_mtls_pkcs11_builder(pkcs11_options: TlsContextOptions.Pkcs11Options) {120        let builder = new AwsIotMqttConnectionConfigBuilder(TlsContextOptions.create_client_with_mtls_pkcs11(pkcs11_options));121        builder.params.port = 8883;122 123        if (io.is_alpn_available()) {124            builder.tls_ctx_options.alpn_list.unshift('x-amzn-mqtt-ca');125        }126 127        return builder;128    }129 130    /**131     * Create a new builder with mTLS using a PKCS#12 file for private key operations.132     *133     * Note: This configuration only works on MacOS devices.134     *135     * @param pkcs12_options - The PKCS#12 options to use in the builder.136     */137    static new_mtls_pkcs12_builder(pkcs12_options: io.Pkcs12Options) {138        let builder = new AwsIotMqttConnectionConfigBuilder(TlsContextOptions.create_client_with_mtls_pkcs12_from_path(139            pkcs12_options.pkcs12_file, pkcs12_options.pkcs12_password));140        builder.params.port = 8883;141 142        if (io.is_alpn_available()) {143            builder.tls_ctx_options.alpn_list.unshift('x-amzn-mqtt-ca');144        }145 146        return builder;147    }148 149    /**150     * Create a new builder with mTLS using a certificate in a Windows certificate store.151     *152     * NOTE: This configuration only works on Windows devices.153     * @param certificate_path - Path to certificate in a Windows certificate store.154     *      The path must use backslashes and end with the certificate's thumbprint.155     *      Example: `CurrentUser\MY\A11F8A9B5DF5B98BA3508FBCA575D09570E0D2C6`156     */157     static new_mtls_windows_cert_store_path_builder(certificate_path: string) {158        let builder = new AwsIotMqttConnectionConfigBuilder(TlsContextOptions.create_client_with_mtls_windows_cert_store_path(certificate_path));159        builder.params.port = 8883;160 161        if (io.is_alpn_available()) {162            builder.tls_ctx_options.alpn_list.unshift('x-amzn-mqtt-ca');163        }164 165        return builder;166    }167 168    /**169     * Creates a new builder with default Tls options. This requires setting the connection details manually.170     */171    static new_default_builder() {172        let ctx_options = new io.TlsContextOptions();173        let builder = new AwsIotMqttConnectionConfigBuilder(ctx_options);174        return builder;175    }176 177    static new_websocket_builder(...args: any[]) {178        return this.new_with_websockets(...args);179    }180 181    private static configure_websocket_handshake(builder: AwsIotMqttConnectionConfigBuilder, options?: WebsocketConfig) {182        if (options) {183            if (builder == null || builder == undefined) {184                throw new CrtError("AwsIotMqttConnectionConfigBuilder configure_websocket_handshake: builder not defined");185            }186 187            builder.params.websocket_handshake_transform = async (request, done) => {188                const signing_config = options.create_signing_config?.()189                    ?? {190                    algorithm: AwsSigningAlgorithm.SigV4,191                    signature_type: AwsSignatureType.HttpRequestViaQueryParams,192                    provider: options.credentials_provider,193                    region: options.region,194                    service: options.service ?? "iotdevicegateway",195                    signed_body_value: AwsSignedBodyValue.EmptySha256,196                    omit_session_token: true,197                };198 199                try {200                    await aws_sign_request(request, signing_config as AwsSigningConfig);201                    done();202                } catch (error) {203                    if (error instanceof CrtError) {204                        done(error.error_code);205                    } else {206                        done(3); /* TODO: AWS_ERROR_UNKNOWN */207                    }208                }209            };210        }211 212        return builder;213    }214 215    /**216     * Configures the connection to use MQTT over websockets. Forces the port to 443.217     */218    static new_with_websockets(options?: WebsocketConfig) {219        let tls_ctx_options = options?.tls_ctx_options;220 221        if (!tls_ctx_options) {222            tls_ctx_options = new TlsContextOptions();223            tls_ctx_options.alpn_list = [];224        }225 226        let builder = new AwsIotMqttConnectionConfigBuilder(tls_ctx_options);227 228        builder.params.use_websocket = true;229        builder.params.proxy_options = options?.proxy_options;230 231        if (builder.tls_ctx_options) {232            builder.params.port = 443;233        }234 235        this.configure_websocket_handshake(builder, options);236 237        return builder;238    }239 240    /**241     * For API compatibility with the browser version. Alias for {@link new_with_websockets}.242     *243     * @returns a new websocket connection builder object with default TLS configuration244     */245    static new_builder_for_websocket() {246        return this.new_with_websockets();247    }248 249    /**250     * Overrides the default system trust store.251     * @param ca_dirpath - Only used on Unix-style systems where all trust anchors are252     * stored in a directory (e.g. /etc/ssl/certs).253     * @param ca_filepath - Single file containing all trust CAs, in PEM format254     */255    with_certificate_authority_from_path(ca_dirpath?: string, ca_filepath?: string) {256        this.tls_ctx_options.override_default_trust_store_from_path(ca_dirpath, ca_filepath);257        return this;258    }259 260    /**261     * Overrides the default system trust store.262     * @param ca - Buffer containing all trust CAs, in PEM format263     */264    with_certificate_authority(ca: string) {265        this.tls_ctx_options.override_default_trust_store(ca);266        return this;267    }268 269    /**270     * Configures which TLS cipher preference should be used when establishing connections271     *272     * @param tls_cipher_preference cipher preference to use273     */274    with_tls_cipher_preference(tls_cipher_preference: io.TlsCipherPreference) : AwsIotMqttConnectionConfigBuilder {275        this.tls_ctx_options.tls_cipher_preference = tls_cipher_preference;276        return this;277    }278 279    /**280     * Configures the IoT endpoint for this connection281     * @param endpoint The IoT endpoint to connect to282     */283    with_endpoint(endpoint: string) {284        this.params.host_name = endpoint;285        return this;286    }287 288    /**289     * The port to connect to on the IoT endpoint290     * @param port The port to connect to on the IoT endpoint. Usually 8883 for MQTT, or 443 for websockets291     */292    with_port(port: number) {293        this.params.port = port;294        return this;295    }296 297    /**298     * Configures the client_id to use to connect to the IoT Core service299     * @param client_id The client id for this connection. Needs to be unique across all devices/clients.300     */301    with_client_id(client_id: string) {302        this.params.client_id = client_id;303        return this;304    }305 306    /**307     * Determines whether or not the service should try to resume prior subscriptions, if it has any308     * @param clean_session true if the session should drop prior subscriptions when this client connects, false to resume the session309     */310    with_clean_session(clean_session: boolean) {311        this.params.clean_session = clean_session;312        return this;313    }314 315    /**316     * Configures MQTT keep-alive via PING messages. Note that this is not TCP keepalive.317     * @param keep_alive How often in seconds to send an MQTT PING message to the service to keep the connection alive318     */319    with_keep_alive_seconds(keep_alive: number) {320        this.params.keep_alive = keep_alive;321        return this;322    }323 324    /**325     * Configures the TCP socket timeout (in milliseconds)326     * @param timeout_ms TCP socket timeout327     * @deprecated328     */329    with_timeout_ms(timeout_ms: number) {330        this.with_ping_timeout_ms(timeout_ms);331        return this;332    }333 334    /**335     * Configures the PINGREQ response timeout (in milliseconds)336     * @param ping_timeout PINGREQ response timeout337     */338    with_ping_timeout_ms(ping_timeout: number) {339        this.params.ping_timeout = ping_timeout;340        return this;341    }342 343    /**344     * Configures the protocol operation timeout (in milliseconds)345     * @param protocol_operation_timeout protocol operation timeout346     */347    with_protocol_operation_timeout_ms(protocol_operation_timeout: number) {348        this.params.protocol_operation_timeout = protocol_operation_timeout;349        return this;350    }351 352    /**353     * Configures the will message to be sent when this client disconnects354     * @param will The will topic, qos, and message355     */356    with_will(will: MqttWill) {357        this.params.will = will;358        return this;359    }360 361    /**362     * Configures the common settings for the socket to use when opening a connection to the server363     * @param socket_options The socket settings364     */365    with_socket_options(socket_options: io.SocketOptions) {366        this.params.socket_options = socket_options;367        return this;368    }369 370    /**371     * Configures AWS credentials (usually from Cognito) for this connection372     * @param aws_region The service region to connect to373     * @param aws_access_id IAM Access ID374     * @param aws_secret_key IAM Secret Key375     * @param aws_sts_token STS token from Cognito (optional)376     */377    with_credentials(aws_region: string, aws_access_id: string, aws_secret_key: string, aws_sts_token?: string) {378        return AwsIotMqttConnectionConfigBuilder.configure_websocket_handshake(this, {379            credentials_provider: AwsCredentialsProvider.newStatic(aws_access_id, aws_secret_key, aws_sts_token),380            region: aws_region,381            service: "iotdevicegateway",382        });383    }384 385    /**386     * Configure the http proxy options to use to establish the connection387     * @param proxy_options proxy options to use to establish the mqtt connection388     */389    with_http_proxy_options(proxy_options: HttpProxyOptions) {390        this.params.proxy_options = proxy_options;391        return this;392    }393 394    /**395     * Sets the custom authorizer settings. This function will modify the username, port, and TLS options.396     *397     * @param username The username to use with the custom authorizer. If an empty string is passed, it will398     *                 check to see if a username has already been set (via WithUsername function). If no399     *                 username is set then no username will be passed with the MQTT connection.400     * @param authorizer_name The name of the custom authorizer. If an empty string is passed, then401     *                       'x-amz-customauthorizer-name' will not be added with the MQTT connection.  It is strongly402     *                       recommended to URL-encode this value; the SDK will not do so for you.403     * @param authorizer_signature The signature of the custom authorizer. If an empty string is passed, then404     *                            'x-amz-customauthorizer-signature' will not be added with the MQTT connection.405     *                            The signature must be based on the private key associated with the custom authorizer.406     *                            The signature must be base64 encoded.407     *                            Required if the custom authorizer has signing enabled.408     * @param password The password to use with the custom authorizer. If null is passed, then no password will409     *                 be set.410     * @param token_key_name Key used to extract the custom authorizer token from MQTT username query-string properties.411     *                       Required if the custom authorizer has signing enabled.  It is strongly suggested to URL-encode412     *                       this value; the SDK will not do so for you.413     * @param token_value An opaque token value.414     *                    Required if the custom authorizer has signing enabled. This value must be signed by the private415     *                    key associated with the custom authorizer and the result placed in the token_signature argument.416     */417    with_custom_authorizer(username : string, authorizer_name : string, authorizer_signature : string, password : string, token_key_name? : string, token_value? : string) {418        this.is_using_custom_authorizer = true;419        let uri_encoded_signature = iot_shared.canonicalizeCustomAuthTokenSignature(authorizer_signature);420        let username_string = iot_shared.populate_username_string_with_custom_authorizer(421            "", username, authorizer_name, uri_encoded_signature, this.params.username, token_key_name, token_value);422        this.params.username = username_string;423        this.params.password = password;424        if (!this.params.use_websocket) {425            this.tls_ctx_options.alpn_list = ["mqtt"];426        }427        this.params.port = 443;428        return this;429    }430 431    /**432     * Sets username for the connection433     *434     * @param username the username that will be passed with the MQTT connection435     */436    with_username(username : string) {437        this.params.username = username;438        return this;439    }440 441    /**442     * Sets password for the connection443     *444     * @param password the password that will be passed with the MQTT connection445     */446    with_password(password : string) {447        this.params.password = password;448        return this;449    }450 451    /**452     * Configure the max reconnection period (in second). The reonnection period will453     * be set in range of [reconnect_min_sec,reconnect_max_sec].454     * @param max_sec max reconnection period455     */456    with_reconnect_max_sec(max_sec: number) {457        this.params.reconnect_max_sec = max_sec;458        return this;459    }460 461    /**462     * Configure the min reconnection period (in second). The reonnection period will463     * be set in range of [reconnect_min_sec,reconnect_max_sec].464     * @param min_sec min reconnection period465     */466    with_reconnect_min_sec(min_sec: number) {467        this.params.reconnect_min_sec = min_sec;468        return this;469    }470 471    /**472     * Returns the configured MqttConnectionConfig.  On the first invocation of this function, the TLS context is cached473     * and re-used on all subsequent calls to build().474     * @returns The configured MqttConnectionConfig475     */476    build() {477        if (this.params.client_id === undefined || this.params.host_name === undefined) {478            throw 'client_id and endpoint are required';479        }480 481        // Check to see if a custom authorizer is being used but not through the builder482        if (this.is_using_custom_authorizer == false) {483            if (iot_shared.is_string_and_not_empty(this.params.username)) {484                if (this.params.username?.indexOf("x-amz-customauthorizer-name=") != -1 || this.params.username?.indexOf("x-amz-customauthorizer-signature=") != -1) {485                    this.is_using_custom_authorizer = true;486                }487            }488        }489 490        // Is the user trying to connect using a custom authorizer?491        if (this.is_using_custom_authorizer == true) {492            if (this.params.port != 443) {493                console.log("Warning: Attempting to connect to authorizer with unsupported port. Port is not 443...");494            }495        }496 497        /*498         * By caching and reusing the TLS context we get an enormous memory savings on a per-connection basis.499         * The tradeoff is that you can't modify TLS options in between calls to build.500         * Previously we were making a new one with every single connection which had a huge negative impact on large501         * scale tests.502         */503        if (this.params.tls_ctx === undefined) {504            this.params.tls_ctx = new io.ClientTlsContext(this.tls_ctx_options);505        }506 507        // Add the metrics string508        if (iot_shared.is_string_and_not_empty(this.params.username) == false) {509            this.params.username = "?SDK=NodeJSv2&Version="510        } else {511            if (this.params.username?.indexOf("?") != -1) {512                this.params.username += "&SDK=NodeJSv2&Version="513            } else {514                this.params.username += "?SDK=NodeJSv2&Version="515            }516        }517        this.params.username += platform.crt_version()518 519        return this.params;520    }521}522