feat: support sigv4 signing #169
Conversation
- Added Tripper to enable signing requests - Added Signer to implement the aws sigv4 signing standard Signed-off-by: obanby <obanby@gmail.com>
obanby
requested review from
olegbespalov and
joanlopez
and removed request for
a team
|
|
|
This is great, enables easy export to Amazon Managed Prometheus. 👍 |
|
Can I buy someone a coffee / beer / etc to get this reviewed and merged? |
|
Hey @mike-sol ! The pull request is on our radar, but the team is busy with the upcoming K6 release. We'll return to it once we finish. Sorry for the delay! |
There was a problem hiding this comment.
Hi @obanby!
Thanks for the PR, and sorry for the delay in reviewing!
First of all, I'd like to say that, like you, I don't have a deep knowledge of sigv4. That's why I checked the AWS Go SDK to familiarize myself with it and made some of my comments based on the logic that I found implemented there.
Another question is, have you tested these changes if they work?
Thanks @olegbespalov, yes I have tested with our aws managed prometheus. |
- Ported code from aws-sdk-go for proper query string handling - Refactored code to reduce methods - Added validations for tripper
obanby
force-pushed
the
feateure-sigv4
branch
from
f3e0598 to
4ac35b2
Compare
obanby
force-pushed
the
feateure-sigv4
branch
2 times, most recently
from
16523ee to
f36001e
Compare
obanby
force-pushed
the
feateure-sigv4
branch
from
f36001e to
5db2ad7
Compare
- Added config validations for tripper - Added comment for aps - Removed noEscape to signer internal state
obanby
force-pushed
the
feateure-sigv4
branch
from
5db2ad7 to
7e10b47
Compare
There was a problem hiding this comment.
Hey @obanby, thanks for your contribution! 🙌🏻
I have reviewed this PR as well, and I don't have any other comments beyond what @olegbespalov has already mentioned. So, feel free to try to address them all and I'll be happy to give my 👍🏻 once ready!
|
Thanks @olegbespalov @joanlopez, I addressed all the comments. One thing I noticed, but didn't know how to go about it is: erroring out if only partial config is passed in. Say a user sets the the SIGV4_REGION without setting the access key. Any ideas how to fail with an informative message? |
|
Hey @obanby Thanks for the update; I'll go through it at the beginning of next week!
You could try collecting the validation errors in the slice, something like: errs := make([]string, 0)
if len(strings.TrimSpace(config.Region)) == 0 {
errs = append(errs, "sigV4 config `Region` must be set")
}
if len(strings.TrimSpace(config.AwsSecretAccessKey)) == 0 {
errs = append(errs, "sigV4 config `AwsSecretAccessKey` must be set")
}
if len(strings.TrimSpace(config.AwsAccessKeyID)) == 0 {
errs = append(errs, "sigV4 config `AwsAccessKeyID` must be set")
}
if len(errs) > 0 {
return nil, errors.New("can't initialize a sigv4 round tripper:" + strings.Join(errs, ", "))
} |
|
Thanks @olegbespalov, but to clarify. The current error handling should have caught that |
|
Right, then I believe we should add validation somewhere around sigvcfg := &sigv4.Config{
Region: conf.SigV4Region.String,
AwsAccessKeyID: conf.SigV4AccessKey.String,
AwsSecretAccessKey: conf.SigV4SecretKey.String,
}
err := sigvcfg.Validate()
if err != nil {
return nil, err
}
hc.SigV4 = sigvcfg |
|
Sounds good, I will try that. I will leave it till your review next week and address it then with any other comments you have :) |
|
Hey @obanby ! Just in case, I've reviewed the rest of the changes, and it looks good; maybe the only missing part is the validation that we discussed before to advise customers faster about misconfiguration. So, thanks for implementing that! |
|
Thanks @olegbespalov was just taking sometime to see how to go about it. My last commit I addressed the partial config issue, that's kinda what I was pointing out, see if you like that and we can go from there :) |
There was a problem hiding this comment.
Looks good to me! 🚀 Thanks for the contribution! 🙇
Let's wait till @joanlopez will give a final look/feedback!
|
I addressed some of the issues flagged by the CI lint job. @olegbespalov @joanlopez please have a look. I hope we can get this in soon :) |
|
@olegbespalov @joanlopez, when will we be able to merge this please? |
|
Hey @obanby, you have my approval, but we still need the review from @joanlopez for merging. In the meantime, could you please address comments from the linter? Most of them look like auto-fixes, so it's just a matter of running |
|
Thanks all, I have address the changes flagged by There are two missing, one is not related to my changes, and the other will require adding another function to breeak down the method, but doesn't seem like the approach to take. |
|
@obanby, no worries. We will take care of these linter issues. We'll merge this PR soon. Thanks again for your contribution! 🙇 🎉 |
|
Thank you @obanby for your contribution! 🙇🏻 |
I based my PR on this comment #161 (comment) and https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
Note: I don't have deep knowledge about the sigv4, so please provide as much feedback as possible, and I will be happy to address it :)
Addresses: #93