use of com.amplifyframework.api.aws.sigv4.AppSyncV4Signer in project aws-mobile-appsync-sdk-android by awslabs.
the class SubscriptionAuthorizer method getAuthorizationDetailsForIAM.
private JSONObject getAuthorizationDetailsForIAM(boolean connectionFlag, Subscription subscription) throws JSONException {
DefaultRequest canonicalRequest = new DefaultRequest("appsync");
URI apiUrl;
try {
final String baseUrl = mServerUrl;
final String connectionUrl = connectionFlag ? baseUrl + "/connect" : baseUrl;
apiUrl = new URI(connectionUrl);
} catch (URISyntaxException e) {
throw new RuntimeException("Error constructing canonical URI for IAM request signature", e);
}
canonicalRequest.setEndpoint(apiUrl);
canonicalRequest.addHeader("accept", "application/json, text/javascript");
canonicalRequest.addHeader("content-encoding", "amz-1.0");
canonicalRequest.addHeader("content-type", "application/json; charset=UTF-8");
canonicalRequest.setHttpMethod(HttpMethodName.valueOf("POST"));
if (connectionFlag) {
canonicalRequest.setContent(new ByteArrayInputStream("{}".getBytes()));
} else {
canonicalRequest.setContent(new ByteArrayInputStream(getDataJson(subscription).getBytes()));
}
String apiRegion = apiUrl.getAuthority().split("\\.")[2];
DomainType domainType = DomainType.from(mServerUrl);
if (DomainType.CUSTOM == domainType) {
apiRegion = getApiRegion();
}
if (connectionFlag) {
new AppSyncV4Signer(apiRegion, AppSyncV4Signer.ResourcePath.IAM_CONNECTION_RESOURCE_PATH).sign(canonicalRequest, getCredentialsProvider().getCredentials());
} else {
new AppSyncV4Signer(apiRegion).sign(canonicalRequest, getCredentialsProvider().getCredentials());
}
JSONObject authorizationMessage = new JSONObject();
Map<String, String> signedHeaders = canonicalRequest.getHeaders();
try {
for (Map.Entry headerEntry : signedHeaders.entrySet()) {
if (!headerEntry.getKey().equals("host")) {
authorizationMessage.put((String) headerEntry.getKey(), headerEntry.getValue());
} else {
authorizationMessage.put("host", getHost(mServerUrl));
}
}
} catch (JSONException | MalformedURLException e) {
throw new RuntimeException("Error constructing authorization message json", e);
}
return authorizationMessage;
}
use of com.amplifyframework.api.aws.sigv4.AppSyncV4Signer in project amplify-android by aws-amplify.
the class ApiRequestDecoratorFactory method forAuthType.
/**
* Given a authorization type, it returns the appropriate request decorator.
* @param authorizationType the authorization type to be used for the request.
* @return the appropriate request decorator for the given authorization type.
* @throws ApiAuthException if unable to get a request decorator.
*/
public RequestDecorator forAuthType(@NonNull AuthorizationType authorizationType) throws ApiAuthException {
switch(authorizationType) {
case AMAZON_COGNITO_USER_POOLS:
// Note that if there was no user-provided cognito provider passed in to initialize
// the API plugin, we will try to default to using the DefaultCognitoUserPoolsAuthProvider.
// If that fails, we then have no choice but to bubble up the error.
CognitoUserPoolsAuthProvider cognitoUserPoolsAuthProvider = apiAuthProviders.getCognitoUserPoolsAuthProvider() != null ? apiAuthProviders.getCognitoUserPoolsAuthProvider() : new DefaultCognitoUserPoolsAuthProvider();
// By calling getLatestAuthToken() here instead of inside the lambda block, makes the exception
// handling a little bit cleaner. If getLatestAuthToken() is called from inside the lambda expression
// below, we'd have to surround it with a try catch. By doing it this way, if there's a problem,
// the ApiException will just be bubbled up. Same for OPENID_CONNECT.
final String token;
try {
token = cognitoUserPoolsAuthProvider.getLatestAuthToken();
} catch (ApiException exception) {
throw new ApiAuthException("Failed to retrieve auth token from Cognito provider.", exception, "Check the application logs for details.");
}
return new TokenRequestDecorator(() -> token);
case OPENID_CONNECT:
if (apiAuthProviders.getOidcAuthProvider() == null) {
throw new ApiAuthException("Attempting to use OPENID_CONNECT authorization " + "without an OIDC provider.", "Configure an OidcAuthProvider when initializing " + "the API plugin.");
}
final String oidcToken;
try {
oidcToken = apiAuthProviders.getOidcAuthProvider().getLatestAuthToken();
} catch (ApiException exception) {
throw new ApiAuthException("Failed to retrieve auth token from OIDC provider.", exception, "Check the application logs for details.");
}
return new TokenRequestDecorator(() -> oidcToken);
case AWS_LAMBDA:
if (apiAuthProviders.getFunctionAuthProvider() == null) {
throw new ApiAuthException("Attempting to use AWS_LAMBDA authorization " + "without a provider implemented.", "Configure a FunctionAuthProvider when initializing the API plugin.");
}
final String functionToken;
try {
functionToken = apiAuthProviders.getFunctionAuthProvider().getLatestAuthToken();
} catch (ApiException exception) {
throw new ApiAuthException("Failed to retrieve auth token from function auth provider.", exception, "Check the application logs for details.");
}
return new TokenRequestDecorator(() -> functionToken);
case API_KEY:
if (apiAuthProviders.getApiKeyAuthProvider() != null) {
return new ApiKeyRequestDecorator(apiAuthProviders.getApiKeyAuthProvider());
} else if (apiKey != null) {
return new ApiKeyRequestDecorator(() -> apiKey);
} else {
throw new ApiAuthException("Attempting to use API_KEY authorization without " + "an API key provider or an API key in the config file", "Verify that an API key is in the config file or an " + "ApiKeyAuthProvider is setup during the API " + "plugin initialization.");
}
case AWS_IAM:
AWSCredentialsProvider credentialsProvider = apiAuthProviders.getAWSCredentialsProvider() != null ? apiAuthProviders.getAWSCredentialsProvider() : getDefaultCredentialsProvider();
final AWS4Signer signer;
final String serviceName;
if (endpointType == EndpointType.GRAPHQL) {
signer = new AppSyncV4Signer(region);
serviceName = APP_SYNC_SERVICE_NAME;
} else {
signer = new ApiGatewayIamSigner(region);
serviceName = API_GATEWAY_SERVICE_NAME;
}
return new IamRequestDecorator(signer, credentialsProvider, serviceName);
case NONE:
default:
return NO_OP_REQUEST_DECORATOR;
}
}
use of com.amplifyframework.api.aws.sigv4.AppSyncV4Signer in project amplify-android by aws-amplify.
the class SubscriptionAuthorizer method forIam.
private JSONObject forIam(AWSCredentialsProvider credentialsProvider, GraphQLRequest<?> request, boolean connectionFlag) throws ApiException {
final URI apiUrl = getRequestEndpoint(connectionFlag);
final String apiRegion = configuration.getRegion();
final String requestContent = request != null ? request.getContent() : "{}";
// Construct a request to be signed
DefaultRequest<?> canonicalRequest = new DefaultRequest<>("appsync");
canonicalRequest.setEndpoint(apiUrl);
canonicalRequest.addHeader("accept", "application/json, text/javascript");
canonicalRequest.addHeader("content-encoding", "amz-1.0");
canonicalRequest.addHeader("content-type", "application/json; charset=UTF-8");
canonicalRequest.setHttpMethod(HttpMethodName.valueOf("POST"));
canonicalRequest.setContent(new ByteArrayInputStream(requestContent.getBytes()));
// Sign with AppSync's SigV4 signer that also considers connection resource path
new AppSyncV4Signer(apiRegion, connectionFlag).sign(canonicalRequest, credentialsProvider.getCredentials());
// Extract header from signed request and return
Map<String, String> signedHeaders = canonicalRequest.getHeaders();
return new JSONObject(signedHeaders);
}
Aggregations