Add a signed websocket url generator

2025-02-22 09:40:49 +00:00 · 2021-02-01 16:08:59 +10:00 · 2021-02-01 16:08:59 +10:00 · f4c92f6599
commit f4c92f6599
parent 5ad39c38cd
3 changed files with 548 additions and 311 deletions
--- a/main.tf
+++ b/main.tf
@ -17,6 +17,7 @@ locals {
 }
 data "aws_caller_identity" "current" {}
 data "aws_iot_endpoint" "endpoint" {}
 resource "aws_iam_role" "IAMRole" {
  path                 = "/"
@ -74,7 +75,7 @@ resource "aws_iam_role" "IAMRole3" {
  path                 = "/service-role/"
  name                 = "CognitoAccessForAmazonES"
  assume_role_policy   = <<EOF
-    {
+{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
@ -92,7 +93,7 @@ resource "aws_iam_role" "IAMRole4" {
  path                 = "/service-role/"
  name                 = "iot-es"
  assume_role_policy   = <<EOF
-    {
+{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
@ -110,7 +111,24 @@ resource "aws_iam_role" "IAMRole5" {
  path                 = "/service-role/"
  name                 = "sonde-api-to-iot-core-role-z9zes3f5"
  assume_role_policy   = <<EOF
-    {
+{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }]
 }
 EOF
  max_session_duration = 3600
 }
 resource "aws_iam_role" "sign_socket" {
  name                 = "sign_socket"
  assume_role_policy   = <<EOF
 {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
@ -205,12 +223,12 @@ resource "aws_iam_role_policy" "IAMPolicy" {
               {
            "Effect": "Allow",
            "Action": "es:*",
-            "Resource": "arn:aws:es:us-east-1:143841941773:domain/sondes-v2"
+            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2"
        },
        {
            "Effect": "Allow",
            "Action": "es:*",
-            "Resource": "arn:aws:es:us-east-1:143841941773:domain/sondes-v2/*"
+            "Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2/*"
        }
    ]
 }
@ -278,6 +296,32 @@ EOF
  role   = aws_iam_role.IAMRole5.name
 }
 resource "aws_iam_role_policy" "sign_socket" {
  policy = <<EOF
 {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iot:Connect",
            "Resource": "*"
        },
                {
            "Effect": "Allow",
            "Action": "iot:Subscribe",
            "Resource": "arn:aws:iot:us-east-1:${data.aws_caller_identity.current.account_id}:topicfilter/sondes/*"
        },
                {
            "Effect": "Allow",
            "Action": "iot:Receive",
            "Resource": "arn:aws:iot:us-east-1:${data.aws_caller_identity.current.account_id}:topic/sondes/*"
        }
    ]
 }
 EOF
  role   = aws_iam_role.sign_socket.name
 }
 resource "aws_route53_zone" "Route53HostedZone" {
  name = "${local.domain_name}."
 }
@ -356,6 +400,12 @@ data "archive_file" "api_to_iot" {
  output_path = "${path.module}/build/sonde-api-to-iot-core.zip"
 }
 data "archive_file" "sign_socket" {
  type        = "zip"
  source_file = "sign-websocket/lambda_function.py"
  output_path = "${path.module}/build/sign_socket.zip"
 }
 resource "aws_lambda_function" "LambdaFunction" {
  function_name    = "sonde-api-to-iot-core"
  handler          = "lambda_function.lambda_handler"
@ -369,12 +419,48 @@ resource "aws_lambda_function" "LambdaFunction" {
  tracing_config {
    mode = "Active"
  }
  environment {
    variables = {
      "IOT_ENDPOINT" = data.aws_iot_endpoint.endpoint.endpoint_address
    }
  }
  layers = [
    "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
    "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
  ]
 }
 resource "aws_lambda_function" "sign_socket" {
  function_name    = "sign-websocket"
  handler          = "lambda_function.lambda_handler"
  filename         = "${path.module}/build/sign_socket.zip"
  source_code_hash = data.archive_file.sign_socket.output_base64sha256
  publish          = true
  memory_size      = 128
  role             = aws_iam_role.sign_socket.arn
  runtime          = "python3.7"
  timeout          = 10
  tracing_config {
    mode = "Active"
  }
  environment {
    variables = {
      "IOT_ENDPOINT" = data.aws_iot_endpoint.endpoint.endpoint_address
    }
  }
  layers = [
    "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
    "arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
  ]
 }
 resource "aws_lambda_permission" "sign_socket" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.sign_socket.arn
  principal     = "apigateway.amazonaws.com"
  source_arn    = "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:r03szwwq41/*/*/sondes/websocket"
 }
 resource "aws_lambda_permission" "LambdaPermission2" {
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.LambdaFunction.arn
@ -422,11 +508,13 @@ resource "aws_apigatewayv2_api" "ApiGatewayV2Api" {
 resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage" {
  name          = "$default"
  api_id        = aws_apigatewayv2_api.ApiGatewayV2Api.id
    deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment3.id
  default_route_settings {
    detailed_metrics_enabled = false
  }
  auto_deploy = true
  lifecycle {
    ignore_changes = ["deployment_id"]
  }
 }
 resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage2" {
@ -454,6 +542,24 @@ resource "aws_apigatewayv2_route" "ApiGatewayV2Route" {
  target             = "integrations/${aws_apigatewayv2_integration.ApiGatewayV2Integration.id}"
 }
 resource "aws_apigatewayv2_route" "sign_socket" {
  api_id             = aws_apigatewayv2_api.ApiGatewayV2Api.id
  api_key_required   = false
  authorization_type = "NONE"
  route_key          = "GET /sondes/websocket"
  target             = "integrations/${aws_apigatewayv2_integration.sign_socket.id}"
 }
 resource "aws_apigatewayv2_integration" "sign_socket" {
  api_id                 = aws_apigatewayv2_api.ApiGatewayV2Api.id
  connection_type        = "INTERNET"
  integration_method     = "POST"
  integration_type       = "AWS_PROXY"
  integration_uri        = aws_lambda_function.sign_socket.arn
  timeout_milliseconds   = 30000
  payload_format_version = "2.0"
 }
 resource "aws_apigatewayv2_integration" "ApiGatewayV2Integration" {
  api_id                 = aws_apigatewayv2_api.ApiGatewayV2Api.id
  connection_type        = "INTERNET"
@ -632,7 +738,7 @@ resource "aws_cognito_user_pool_client" "CognitoUserPoolClient" {
  user_pool_id                         = aws_cognito_user_pool.CognitoUserPool.id
  name                                 = "AWSElasticsearch-sondes-v2-us-east-1-hiwdpmnjbuckpbwfhhx65mweee"
  refresh_token_validity               = 30
-    allowed_oauth_flows                  = [ "code" ]
+  allowed_oauth_flows                  = ["code"]
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_scopes                 = ["email", "openid", "phone", "profile"]
  callback_urls                        = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]
--- a/sign-websocket/lambda_function.py
+++ b/sign-websocket/lambda_function.py
@ -0,0 +1,118 @@
 import boto3
 import time
 import uuid
 import urllib.parse
 import hmac, datetime, hashlib
 import os
 #todo this will need an iam role that has iot connection privs
 def aws_sign(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
 def aws_getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = aws_sign(("AWS4" + key).encode("utf-8"), dateStamp)
    kRegion = aws_sign(kDate, regionName)
    kService = aws_sign(kRegion, serviceName)
    kSigning = aws_sign(kService, "aws4_request")
    return kSigning
 def aws_presign(
    access_key=None,
    secret_key=None,
    session_token=None,
    host=None,
    region=None,
    method=None,
    protocol=None,
    uri=None,
    service=None,
    expires=3600,
    payload_hash=None,
 ):
    # method=GET, protocol=wss, uri=/mqtt service=iotdevicegateway
    assert 604800 >= expires >= 1, "Invalid expire time 604800 >= %s >= 1" % expires
    # Date stuff, first is datetime, second is just date.
    t = datetime.datetime.utcnow()
    date_time = t.strftime("%Y%m%dT%H%M%SZ")
    date = t.strftime("%Y%m%d")
    # Signing algorithm used
    algorithm = "AWS4-HMAC-SHA256"
    # Scope of credentials, date + region (eu-west-1) + service (iot gateway hostname) + signature version
    credential_scope = date + "/" + region + "/" + service + "/" + "aws4_request"
    # Start building the query-string
    canonical_querystring = "X-Amz-Algorithm=" + algorithm
    canonical_querystring += "&X-Amz-Credential=" + urllib.parse.quote_plus(
        access_key + "/" + credential_scope
    )
    canonical_querystring += "&X-Amz-Date=" + date_time
    canonical_querystring += "&X-Amz-Expires=" + str(expires)
    canonical_querystring += "&X-Amz-SignedHeaders=host"
    if payload_hash is None:
        if service == "iotdevicegateway":
            payload_hash = hashlib.sha256(b"").hexdigest()
        else:
            payload_hash = "UNSIGNED-PAYLOAD"
    canonical_headers = "host:" + host + "\n"
    canonical_request = (
        method
        + "\n"
        + uri
        + "\n"
        + canonical_querystring
        + "\n"
        + canonical_headers
        + "\nhost\n"
        + payload_hash
    )
    string_to_sign = (
        algorithm
        + "\n"
        + date_time
        + "\n"
        + credential_scope
        + "\n"
        + hashlib.sha256(canonical_request.encode()).hexdigest()
    )
    signing_key = aws_getSignatureKey(secret_key, date, region, service)
    signature = hmac.new(
        signing_key, string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    canonical_querystring += "&X-Amz-Signature=" + signature
    if session_token:
        canonical_querystring += "&X-Amz-Security-Token=" + urllib.parse.quote(
            session_token
        )
    return protocol + "://" + host + uri + "?" + canonical_querystring
 def lambda_handler(event, context):
    #get aws creds
    session = boto3.Session()
    credentials = session.get_credentials()
    current_credentials = credentials.get_frozen_credentials()
    url = aws_presign(
        access_key=current_credentials.access_key,
        secret_key=current_credentials.secret_key,
        session_token=current_credentials.token,
        method="GET",
        protocol="wss",
        uri="/mqtt",
        service="iotdevicegateway",
        host=os.getenv("IOT_ENDPOINT"),
        region=session.region_name,
    )
    return {"statusCode": 200, "body": url}
 if __name__ == "__main__":
    print(lambda_handler({}, {}))
--- a/sonde-api-to-iot-core/lambda_function.py
+++ b/sonde-api-to-iot-core/lambda_function.py
@ -12,6 +12,7 @@ from awsiot import mqtt_connection_builder
 import uuid
 import threading
 from email.utils import parsedate
 import os
 # this needs a bunch of refactor but the general approach is
 # connect to mqtt via websockets during init
@ -38,29 +39,33 @@ event_loop_group = io.EventLoopGroup(1)
 host_resolver = io.DefaultHostResolver(event_loop_group)
-io.init_logging(io.LogLevel.Error, 'stderr')
+io.init_logging(io.LogLevel.Error, "stderr")
 def connect():
    global connect_future, mqtt_connection
    session = boto3.session.Session()
    client_bootstrap = io.ClientBootstrap(event_loop_group, host_resolver)
-    credentials_provider = auth.AwsCredentialsProvider.new_default_chain(client_bootstrap)
+    credentials_provider = auth.AwsCredentialsProvider.new_default_chain(
        client_bootstrap
    )
    mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
-    endpoint="a2sgq5szfqum7p-ats.iot.us-east-1.amazonaws.com",
+        endpoint=os.getenv("IOT_ENDPOINT"),
        client_bootstrap=client_bootstrap,
        region="us-east-1",
        credentials_provider=credentials_provider,
        client_id=str(uuid.uuid4()),
        clean_session=False,
-    keep_alive_secs=6)
+        keep_alive_secs=6,
    )
    connect_future = mqtt_connection.connect()
    connect_future.result()
 connect()
 def lambda_handler(event, context):
 def lambda_handler(event, context):
    # Future.result() waits until a result is available
    try:
@ -71,13 +76,19 @@ def lambda_handler(event, context):
    print(json.dumps(event))
    if "isBase64Encoded" in event and event["isBase64Encoded"] == True:
        event["body"] = base64.b64decode(event["body"])
-    if "content-encoding" in event["headers"] and event["headers"]["content-encoding"] == "gzip":
+    if (
-        event["body"] = zlib.decompress(event["body"], 16+zlib.MAX_WBITS)
+        "content-encoding" in event["headers"]
        and event["headers"]["content-encoding"] == "gzip"
    ):
        event["body"] = zlib.decompress(event["body"], 16 + zlib.MAX_WBITS)
    time_delta = None
    if "date" in event["headers"]:
        try:
            time_delta_header = event["headers"]["date"]
-            time_delta = (datetime.datetime(*parsedate(time_delta_header)[:7]) - datetime.datetime.utcnow()).total_seconds()
+            time_delta = (
                datetime.datetime(*parsedate(time_delta_header)[:7])
                - datetime.datetime.utcnow()
            ).total_seconds()
        except:
            pass
    payloads = json.loads(event["body"])
@ -95,11 +106,15 @@ def lambda_handler(event, context):
            if not payload["uploader_position"]:
                payload.pop("uploader_position")
            else:
-                (payload["uploader_alt"], payload["uploader_position"]) = payload["uploader_position"][2], f"{payload['uploader_position'][0]},{payload['uploader_position'][1]}"
+                (payload["uploader_alt"], payload["uploader_position"]) = (
                    payload["uploader_position"][2],
                    f"{payload['uploader_position'][0]},{payload['uploader_position'][1]}",
                )
        (msg, x) = mqtt_connection.publish(
            topic=f'sondes/{payload["serial"]}',
            payload=json.dumps(payload),
-            qos=mqtt.QoS.AT_MOST_ONCE)
+            qos=mqtt.QoS.AT_MOST_ONCE,
        )
        try:
            msg.result()
        except (RuntimeError, AwsCrtError):
@ -107,14 +122,12 @@ def lambda_handler(event, context):
            (msg, x) = mqtt_connection.publish(
                topic=f'sondes/{payload["serial"]}',
                payload=json.dumps(payload),
-            qos=mqtt.QoS.AT_MOST_ONCE)
+                qos=mqtt.QoS.AT_MOST_ONCE,
            )
            msg.result()
    return {"statusCode": 200, "body": "^v^ telm logged"}
    return {
        'statusCode': 200,
        'body': "^v^ telm logged"
    }
 if __name__ == "__main__":
    payload = {
@ -134,7 +147,7 @@ if __name__ == "__main__":
            "x-forwarded-for": "103.107.130.22",
            "x-forwarded-port": "443",
            "x-forwarded-proto": "https",
-            "date": "Sun, 31 Jan 2021 00:21:45 GMT"
+            "date": "Sun, 31 Jan 2021 00:21:45 GMT",
        },
        "requestContext": {
            "accountId": "143841941773",
@ -146,15 +159,15 @@ if __name__ == "__main__":
                "path": "/sondes/telemetry",
                "protocol": "HTTP/1.1",
                "sourceIp": "103.107.130.22",
-                "userAgent": "autorx-1.4.1-beta4"
+                "userAgent": "autorx-1.4.1-beta4",
            },
            "requestId": "Z_NJvh0RoAMEJaw=",
            "routeKey": "PUT /sondes/telemetry",
            "stage": "$default",
            "time": "31/Jan/2021:00:10:25 +0000",
-            "timeEpoch": 1612051825409
+            "timeEpoch": 1612051825409,
        },
        "body": "H4sIAHD1FWAC/8WbX2/byBXFv0rg5/Vg7v87eduHYh8LJNui2KIwlFjZGHDsVJbTLop+996hszVHXpECKI7hJ1GURiR/vnPOmTt//8/Fw+OH/W9ftxdv31y8e89w+f6nix/eXOy3X77GoUvDVOLll83d46fNx/3jbrurZ/51c/Owud3UMx+2u5vNbT34HpAyKNSjt5t9/ThxMs/OceTTbvOljsLKVj92V78IOEG8+La9vfpW30uGkOvZ15v9dn8zfOACM8JlhkuCn3N+C/lt5pQz5Jx/qUN92OzrWJiGr73/tP/XZre9unsa7WK3ub65f7i/u95ebR7391e7f18MP2b7z8ft3cff6qAZkuT6Mz5v4+S7X+OYSyoqWr/x8+OXm+ubfT3Tk8aBzW0dDoyLpWwu/v0CPtejORURpTj0+PX2fnO93V193NzePtz8eld/zY/v/vTT1Y9/+fnPV+/+Nty8zf4hjtdxbu/rGUAlgZfSXMu37e7hZnj7AlLcscsP2/2Gh2t/3D3sr+qNqndTRUjqwxs9z+FhxvtXu+3H7c237fXLO5rLW/YU912h/HLx3x/e9IGCWij8GBSe4lYjzUIhq0OhiXPJ5RAKG0EhmVKxLDSGAhI+XcACJkoeBu7JRIwKQCKvx0R5ZsIbJiiRGJRZJvQPmfCzMuGifIiENEiU5BnxsE4UEF3KBEJfJiQHE04Mr8aE5GNMlFQgyvEsE7Z2nSg5sRr4JBQQaAoUaKFwRFgMBVFnKKK+ocSTOhUKOzsU8AwFDpP071BgEmHzWSi8AxQU8/oLKHgMBWIoipg9DiaPbAWXQsHSGQpMQKgsrwcFHlMUFrzSvMosqzMR0xiY6SET1DBR65UXbpmIp4plKRPSWWUK1d+tjKcyoWdngsZMeKMoOP79ZlVm1Oj1oWBGmYaCIGRHztbOHiI2TCiLoNDOMlPiW9lyplOhkHP7UeFnKKSBIlwgC8/KzPh/XFlmFklmBodMQMNESFF4AmesKNSGB7OICe+MhCQQRuSOSEiLhDwjYYlGSGgq7jw7eYQMWR8JRi0vIgocM8FRccPClXbyIAspspSJQZL0hEJTPDgi6AiFtlDoMSh4SE9wFgpaffIIaUMmk3WCPVm2gzIhmGFpQvGU3PVEwgIJx9ONxxmQ8BaJUZQZhq5JrbyIzk8dq0eZpcY4eRDDx5moFRcdxqlVSTEx0lI5AdDbd8SVGZeipzLBy5koLRM+ZmLsO6BO4jTPxOpJZgm7W1ym64TmhOrSMmEU9WUpE6idmQgn52Deceo4QKIcQ8KTepbZ0Ap0bSQgjqH44IAmmAgdKiZj3xGFjtmWhlZAPZmo7j4ncA+c+9WJQTE9Q6F5bDu08aI59O+8xrS1NSbkkLEiRSdFpoX9CbVeGiiIoggvhaJraFWhgBhVXE42HrQcijagUBhXCm6MB0fN1lkofP1KkWveizpZKSy8s/FBpYjJAxdXCuHOUGCKY+X0NY8zQNG6UcVjUIQADmDnK8X6UWZMayAEk6mVx5AAhg0TJX4WL2VCqTMT4atzMT959sjLmWjNqDZJprZNFApoc0xg7mBGTc18sk547TxQ54YJycSLJw/DzkzEt4LF32lMwBlWPA6ZOBpkhsOnImU2oUBYHYowNwh0sGJuw0Lx/6GIk0ifnNJIZpaSly6DgfeGYjDWRfVUKHA5FNZCIcegqKtPJc8qCsQOTDDyYaGwpttK43PsTZJZEokPfUOLkCi9kYipkjTu/KlIwHIk2tRKdYwEtamVUpnVE0irp9tcF7helokWiZA/XA4SiuIOS5nA3JuJeiXop/bf5TP01ZQ2otBRkknJ2haKKGHzZWL9JJMTm2WbZAJiyLCs2qZWhrqYCeitMb3Szcqvx4SP60RpzGgIt+HxTDMhHZhwwMPU6pAJC+/s1K540BmSTMTeXjRGFYWOTEBLxHOQGf5Bm6XyzEizjVaoHZwomTEcEjHu0tU6gRk5tkjE1crSBQ+kzplV/O6wv9mlHxK5hcLycSiETWebatA6lImiXnAaijCe8tT0P4Iii+JS24HcOd2uHWKWKXesE7lNtw2OLXmEbOenNbNpKHx1jQmpEM9AQcGwFm71BIdxWqwnunbfPbWkQAihUxut1mACjzFBdY8HzxeK9XPMuPmWdVpPMIToKGgNE8IkSzsoUHszEfNg+KxTV8vXYOJoR2ZJITfybGRFq+eYbuGKRWGaCU+Y2ds6kUNRL22+Q/POTISRK3El8npMNDmmNF7098bnaSagwwZBA+LpyEpqwiYibYyZwRYz4b3rhATdYJxPZcLPLjLl2NxhQ2Y1iwR2QCKTwAs5IQ0SlgpIaZc7yCkvXRbF0hsJDSQcvfRDogVCjwGBCUV4tqeGqMPmwO+txMeB0BjRm7gqSgQuXxJ9IqonD3UtmuPjp/JgZ+bBjvEQr7DML4gSr85DlKqC05m2Wt035QdLX7WRcikQ0BsIj/sO+fWA8GObAuu/peNsok3SQVkWIPBJB2pUUxRop4zamLnUgRL2jqpiVDSR0o2Iw0TbyniVg5uuCTHKs/klaQcHGhdSaJqJUnMpxdZt+FOn3iImeseXmKPexaj8SlXC89h/SuM/UVFn1zjIOiTaHFcCUy0TUQ/CWZC0mYTL8u3k1LsJE7/vbj3Zf+q5vYbDMSbqLlHP89LSO+wSrcvUNslEwbpaxN7mVLp4PyBJZymBcSGs2TtKiUMkms3kuSkTwjq/m5xKhzUOLPzSbrRIeG21Odjno8ulhPYmIvgXLIAdi0QbUjkdKxKYxGG+KZdzByKgiL3Y0pFHRFhtW6TcJBIlFV7uN6xzIIHxrSGA2AKJf/wPWvB/4NlMAAA=",
-        "isBase64Encoded": True
+        "isBase64Encoded": True,
    }
    lambda_handler(payload, {})