adobe-apiplatform
diff --git a/Diff for: ‎README.md
+124-16 b/Diff for: ‎README.md
+124-16
diff --git a/Diff for: ‎src/lua/api-gateway/aws/AWSBasicCredentials.lua
+42 b/Diff for: ‎src/lua/api-gateway/aws/AWSBasicCredentials.lua
+42
diff --git a/Diff for: ‎src/lua/api-gateway/aws/AWSIAMCredentials.lua
+1-2 b/Diff for: ‎src/lua/api-gateway/aws/AWSIAMCredentials.lua
+1-2
diff --git a/Diff for: ‎src/lua/api-gateway/aws/AWSSTSCredentials.lua
+176 b/Diff for: ‎src/lua/api-gateway/aws/AWSSTSCredentials.lua
+176
@@ -29,24 +29,77 @@ the [ngx_lua module](http://wiki.nginx.org/HttpLuaModule), [LuaJIT 2.0](http://l
 [api-gateway-hmac](https://github.com/adobe-apiplatform/api-gateway-hmac) module, and
 [lua-resty-http](https://github.com/pintsized/lua-resty-http) module.
 
-### AWS V4 Signature
-This library supports the latest AWS V4 signature which means you can use any of the latest AWS APIs without any problem.
+### AWS Credentials Provider
+Requests to AWS Services must supply valid credentials and this library provides a few credentials providers for signing AWS Requests.
+`aws_credentials` config option specifies which provider to use. 
+
+If no `aws_credentials` is provided then the library will try to find one using the following order:
+ 
+1. if `aws_access_key` and `aws_secret_key` are provided then Basic Credentials Provider is used. 
+2. Otherwise the IAM Credentials Provider is used. 
+   
+>INFO: This library supports the latest AWS V4 signature which means you can use any of the latest AWS APIs without any problem.
+
+
+
+#### Basic Credentials
+Basic credentials work with `secret_key` and `access_key`.
+```lua
+aws_credentials = {
+    provider = "api-gateway.aws.AWSBasicCredentials",
+    access_key = "replace-me",
+    secret_key = "replace-me"
+}
+```
+>INFO: For better security inside the AWS environment use IAM or STS credentials.
+
+#### IAM Credentials
+This is probably the most popular credentials provider to be used inside the AWS environment. 
+To learn more about IAM Credentials see [IAM Roles for Amazon EC2](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).
+
+This credentials provider discovers automatically the `IAM Role` associated to the EC2 instance retrieving its credentials and caching them.
+  This is a more secure method for signing AWS requests as credentials are short lived and the NGINX configuration doesn't need to maintain any `access_key` or `secret_key` nor worry about rotating the keys. 
+
+```lua
+aws_credentials = {
+    provider = "api-gateway.aws.AWSIAMCredentials",
+    shared_cache_dict = "my_dict"    -- the name of a shared dictionary used for caching IAM Credentials
+}
+```
+
+#### STS Credentials
+AWS Security Token Service(STS) provides a great way to get limited-privilege credentials for accessing AWS Services.
+ To learn more about STS Credentials see [Getting Temporary Credentials with STS](http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/prog-services-sts.html) and the [STS](#sts) section bellow.
+```lua
+aws_credentials = {
+    provider = "api-gateway.aws.AWSSTSCredentials",
+    role_ARN = "arn:aws:iam::111111:role/assumed_role_kinesis", -- ARN of the role to assume
+    role_session_name = "kinesis-session",                      -- a name for this session
+    shared_cache_dict = "shared_cache"                          -- shared dict for caching the credentials
+}    
+```
+Unlike IAM Credentials that exposes a single IAM Role for each EC2 instance, STS Credentials allows an EC2 instance to assume multiple roles each with its own access policy.
+
+This credentials provider uses [SecurityTokenService](src/lua/api-gateway/aws/sts/SecurityTokenService.lua) for making requests to STS and SecurityTokenService uses the IAM Credentials provider for making the call.
+ It is strongly recommended to provide the `shared_cache_dict` in order to improve performance. The temporary credentials obtained from STS are stored in the `shared_cache_dict` for up to 60 minutes.
 
 ### AwsService wrapper
-`AwsService` is a generic Lua class to interact with any AWS API. All the actual implementations extend form this class.
- It's very straight forward to configure it:
-
- ```lua
- local service = AwsService:new({
-         aws_service = "sns",
-         aws_region = "us-east-1",
-         aws_secret_key = "--replace--me",
-         aws_access_key = "--replace--me",
-         aws_debug = true,              -- print warn level messages on the nginx logs. useful for debugging
-         aws_conn_keepalive = 60000,    -- how long to keep the sockets used for AWS open
-         aws_conn_pool = 100            -- the connection pool size for sockets used to connect to AWS
-     })
- ```
+[AwsService](src/lua/api-gateway/aws/AwsService.lua) is a generic Lua class to interact with any AWS API. The actual implementations extend this class.
+ Its configuration is straight forward:
+ 
+```lua
+local service = AwsService:new({
+     aws_service = "sns",
+     aws_region = "us-east-1",
+     aws_credentials = {
+        provider = "api-gateway.aws.AWSIAMCredentials",
+        shared_cache_dict = "my_dict" -- the name of a shared dictionary used for caching IAM Credentials
+     }
+     aws_debug = true,              -- print warn level messages on the nginx logs. useful for debugging
+     aws_conn_keepalive = 60000,    -- how long to keep the sockets used for AWS open
+     aws_conn_pool = 100            -- the connection pool size for sockets used to connect to AWS
+})
+```
 
 
 Synopsis
@@ -215,6 +268,61 @@ aws lambda get-policy --function-name hello-world-lambda-fn --region=us-east-1
 
 ```
 
+### STS
+
+The AWS Security Token Service (STS) provides access to temporary, limited-privilege credentials for AWS Identity and IAM users. 
+This can be useful for communicating with a a third party AWS account, without having access to some long-term credentials. (ex. IAM user's access key).
+
+The [SecurityTokenService](src/lua/api-gateway/aws/sts/SecurityTokenService.lua) is a AWS STS API wrapper and it provides support for the `AssumeRole` requests. It can be used as follows:
+
+```lua
+
+       local SecuriyTokenService = require "api-gateway.aws.sts.SecuriyTokenService"
+
+       local service = SecuriyTokenService:new({
+           aws_region = ngx.var.aws_region,
+           aws_secret_key = ngx.var.aws_secret_key,
+           aws_access_key = ngx.var.aws_access_key
+       })
+       
+       local response, code, headers, status, body = sts:assumeRole(role_ARN,
+                role_session_name,
+                policy,
+                security_credentials_timeout,
+                external_id)       
+```
+
+These are the steps that need to be followed in order to be able to generate temporary credentials:
+ 
+Let's say that the AWS account `A` needs to send records to a Kinesis stream in account `B`.
+
+* Create a role in account `B` that grants permission to write to Kinesis and update the `Trust Relationship` as follows:
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::{A-account-number}:root"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}    
+```
+* The role from account `A` should be allowed to perform `sts:AssumeRole` actions. 
+* Call AWS STS AssumeRole API to obtain temporary credentials.
+```lua 
+       local response, code, headers, status, body = sts:assumeRole(role_ARN,
+                role_session_name,
+                policy,
+                security_credentials_timeout,
+                external_id)       
+```
+
+>INFO: For more information on how to configure the accounts see [How to Use an External ID When Granting Access to Your AWS Resources to a Third Party](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html).
+
 [Back to TOC](#table-of-contents)
 
 Developer guide
 
@@ -0,0 +1,42 @@
+--[[
+  Copyright 2016 Adobe Systems Incorporated. All rights reserved.
+
+  This file is licensed to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR RESPRESENTATIONS OF ANY KIND, either express or implied.  See the License for the specific language governing permissions and limitations under the License.
+  ]]
+
+--
+-- Basic Credentials provider using access_key and secret.
+-- User: ddascal
+-- Date: 4/10/16
+-- Time: 21:26
+--
+
+local _M = {}
+
+---
+-- @param o Init object
+-- o.access_key                       -- required. AWS Access Key Id
+-- o.secret_key                       -- required. AWS Secret Access Key
+--
+function _M:new(o)
+    o = o or {}
+    setmetatable(o, self)
+    self.__index = self
+    if (o ~= nil) then
+        self.aws_secret_key = o.secret_key
+        self.aws_access_key = o.access_key
+    end
+    return o
+end
+
+function _M:getSecurityCredentials()
+    return self.aws_access_key, self.aws_secret_key
+end
+
+return _M
+
@@ -18,7 +18,7 @@ local DEFAULT_SECURITY_CREDENTIALS_URL = "/latest/meta-data/iam/security-credent
 -- use GET /latest/meta-data/iam/security-credentials/ to auto-discover the IAM Role
 local DEFAULT_TOKEN_EXPIRATION = 60*60*24 -- in seconds
 
--- configur cache Manager for IAM crendentials
+-- configure cache Manager for IAM crendentials
 local iamCache = cacheCls:new()
 
 -- per nginx process cache to store IAM credentials
@@ -45,7 +45,6 @@ local function initIamCache(shared_cache_dict)
         dict = shared_cache_dict,
         ttl = function (value)
             local value_o = cjson.decode(value)
-            ngx.log(ngx.DEBUG, "ExpireAt=", tostring(value_o.ExpireAt))
             local expiryTimeUTC = value.ExpireAtTimestamp or awsDate.convertDateStringToTimestamp(value_o.ExpireAt, true)
             local expiryTimeInSeconds = expiryTimeUTC - os.time()
             return math.min(DEFAULT_TOKEN_EXPIRATION, expiryTimeInSeconds)
 
@@ -0,0 +1,176 @@
+--[[
+  Copyright 2016 Adobe Systems Incorporated. All rights reserved.
+
+  This file is licensed to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance with the License.  You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR RESPRESENTATIONS OF ANY KIND, either express or implied.  See the License for the specific language governing permissions and limitations under the License.
+  ]]
+
+--
+-- STS Credentials provider
+-- User: ddascal
+-- Date: 19/03/16
+-- Time: 21:26
+--
+local cjson = require "cjson"
+local SecurityTokenService = require "api-gateway.aws.sts.SecurityTokenService"
+local awsDate = require "api-gateway.aws.AwsDateConverter"
+local cacheCls = require "api-gateway.cache.cache"
+
+local _M = {}
+
+
+local IAM_DEFAULT_SECURITY_CREDENTIALS_HOST = "169.254.169.254" -- used by IAM
+local IAM_DEFAULT_SECURITY_CREDENTIALS_PORT = "80" -- used by IAM
+local IAM_DEFAULT_SECURITY_CREDENTIALS_URL = "/latest/meta-data/iam/security-credentials/" -- used by IAM
+
+---
+-- default expiration for the STS token
+local DEFAULT_TOKEN_EXPIRATION = 60 * 60 * 1 -- in seconds
+
+-- configure cache Manager for IAM crendentials
+local stsCache = cacheCls:new()
+
+local function initStsCache(shared_cache_dict)
+    local localCache = require "api-gateway.cache.store.localCache":new({
+        dict = shared_cache_dict,
+        ttl = function (value)
+            local value_o = cjson.decode(value)
+            local expiryTimeUTC = value.ExpireAtTimestamp or value_o.ExpireAt -- ExpireAt is already an epoch time awsDate.convertDateStringToTimestamp(value_o.ExpireAt, true)
+            local expiryTimeInSeconds = expiryTimeUTC - os.time()
+            return math.min(DEFAULT_TOKEN_EXPIRATION, expiryTimeInSeconds)
+        end
+    })
+
+    stsCache:addStore(localCache)
+end
+
+---
+-- @param o Init object
+-- o.role_ARN                       -- required. The Amazon Resource Name (ARN) of the role to assume.
+-- o.role_session_name              -- required. An identifier for the assumed role session.
+-- o.policy                         -- optional. An IAM policy in JSON format.
+-- o.security_credentials_timeout   -- optional. specifies when the token should expire. Defaults to 1 hour.
+-- o.external_id                    -- optional. A unique identifier used by third parties
+-- o.iam_user                       -- optional. iam_user. if not defined it'll be auto-discovered
+-- o.security_credentials_host      -- optional. AWS Host to read IAM credentials from. Defaults to "169.254.169.254"
+-- o.security_credentials_port      -- optional. AWS Port to read IAM credentials. Defaults to 80.
+-- o.security_credentials_url       -- optional. AWS URI to read IAM credentials. Defaults to "/latest/meta-data/iam/security-credentials/"
+-- o.shared_cache_dict              -- optional. For performance improvements the credentials may be stored in a share dict.
+--
+function _M:new(o)
+    o = o or {}
+    setmetatable(o, self)
+    self.__index = self
+    if (o ~= nil) then
+        -- config options specific to STS
+        self.security_credentials_timeout = o.security_credentials_timeout or DEFAULT_TOKEN_EXPIRATION
+        self.role_ARN = o.role_ARN
+        self.role_session_name = o.role_session_name
+        self.policy = o.policy
+        self.external_id = o.external_id
+
+        -- config options specific to IAM User
+        self.iam_user = o.iam_user
+        self.iam_security_credentials_host = o.iam_security_credentials_host or IAM_DEFAULT_SECURITY_CREDENTIALS_HOST
+        self.iam_security_credentials_port = o.iam_security_credentials_port or IAM_DEFAULT_SECURITY_CREDENTIALS_PORT
+        self.iam_security_credentials_url = o.iam_security_credentials_url or IAM_DEFAULT_SECURITY_CREDENTIALS_URL
+
+        -- config options for static AWS Credetials
+        self.aws_region = o.aws_region or "us-east-1" -- TBD: when aws_region is not provided should it go to sts.amazonaws.com ?
+        self.aws_secret_key = o.aws_secret_key
+        self.aws_access_key = o.aws_access_key
+
+        -- shared dict used to cache STS and IAM credentials
+        self.shared_cache_dict = o.shared_cache_dict
+        if (self.shared_cache_dict) then
+            initStsCache(self.shared_cache_dict)
+        end
+    end
+    return o
+end
+
+---
+-- Return credentials from AWS' Security Token Service
+-- Sample response from STS :
+
+--    {
+--        "AssumeRoleResponse": {
+--            "AssumeRoleResult": {
+--                    "AssumedRoleUser": {
+--                        "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example",
+--                        "AssumedRoleId": "AROAJEMMODNR6NAEO0000:s3-access-example"
+--                     },
+--                     "Credentials": {
+--                           "AccessKeyId": "access-key",
+--                           "Expiration": 1460355675,
+--                           "SecretAccessKey": "some-secret",
+--                           "SessionToken": "session-token"
+--                    },
+--                    "PackedPolicySize": null
+--            },
+--            "ResponseMetadata": {
+--                    "RequestId": "91609a0a-ffa2-11e5-97e6-bbbbbbbbb"
+--            }
+--       }
+--}
+
+function _M:getCredentialsFromSTS()
+    local sts = SecurityTokenService:new({
+        shared_cache_dict = self.shared_cache_dict,
+        security_credentials_host = self.iam_security_credentials_host,
+        security_credentials_port = self.iam_security_credentials_port,
+        aws_debug = self.aws_debug,
+        aws_region = self.aws_region,
+        aws_conn_keepalive = 60000, -- how long to keep the sockets used for AWS alive
+        aws_conn_pool = 10 -- the connection pool size for sockets used to connect to AWS
+    })
+    local response, code, headers, status, body = sts:assumeRole(self.role_ARN,
+        self.role_session_name,
+        self.policy,
+        self.security_credentials_timeout,
+        self.external_id)
+
+    if (code ~= ngx.HTTP_OK) then
+        ngx.log(ngx.WARN, "Could not get STS credentials. Response Code=", tostring(code), ", response body=", tostring(body))
+        return nil
+    end
+
+    local stsCreds = response.AssumeRoleResponse.AssumeRoleResult.Credentials
+    stsCreds.ExpireAt = tostring(stsCreds["Expiration"])
+    stsCreds.ExpireAtTimestamp = stsCreds["Expiration"]
+    -- stsCreds.Expiration is already an epoch time
+--    stsCreds.ExpireAtTimestamp = awsDate.convertDateStringToTimestamp(stsCreds.ExpireAt, true)
+
+    -- store it in cache
+    stsCache:put("sts_" .. tostring(self.role_ARN) .. "_" .. tostring(self.role_session_name), cjson.encode(stsCreds))
+    return stsCreds
+end
+
+function _M:getSecurityCredentials()
+    --1. try to read it from the local cache
+    local stsCreds = stsCache:get("sts_" .. tostring(self.role_ARN) .. "_" .. tostring(self.role_session_name))
+    if (stsCreds ~= nil) then
+        local sts = cjson.decode(stsCreds)
+        -- check to see if the cached credentials are still valid
+        local now_in_secs = ngx.time()
+        local expireAtTimestamp = sts.ExpireAtTimestamp or now_in_secs
+        if (now_in_secs >= expireAtTimestamp) then
+            ngx.log(ngx.WARN, "Current STS token expired " .. tostring(expireAtTimestamp - now_in_secs) .. " seconds ago. Obtaining a new token.")
+        else
+            return sts.AccessKeyId, sts.SecretAccessKey, sts.SessionToken, sts.ExpireAt, sts.ExpireAtTimestamp
+        end
+    end
+    --2. get credentials from SecurityTokenService
+    stsCreds = self:getCredentialsFromSTS()
+    if (stsCreds == nil) then
+        return "",""
+    end
+    return stsCreds.AccessKeyId, stsCreds.SecretAccessKey, stsCreds.SessionToken, stsCreds.ExpireAt, stsCreds.ExpireAtTimestamp
+end
+
+return _M
+