ExternalVendorCode/sondehub-infra
1
0
Fork 0
mirror of https://github.com/projecthorus/sondehub-infra.git synced 2025-02-21 17:26:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add a signed websocket url generator

Browse Source
This commit is contained in:
Michaela 2021-02-01 16:08:59 +10:00
parent 5ad39c38cd
commit f4c92f6599
3 changed files with 548 additions and 311 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
main.tf
View File

@ -17,6 +17,7 @@ locals {
}
data "aws_caller_identity" "current" {}
data "aws_iot_endpoint" "endpoint" {}
resource "aws_iam_role" "IAMRole" {
path = "/"
@ -74,7 +75,7 @@ resource "aws_iam_role" "IAMRole3" {
path = "/service-role/"
name = "CognitoAccessForAmazonES"
assume_role_policy = <<EOF
{
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
@ -92,7 +93,7 @@ resource "aws_iam_role" "IAMRole4" {
path = "/service-role/"
name = "iot-es"
assume_role_policy = <<EOF
{
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
@ -110,7 +111,24 @@ resource "aws_iam_role" "IAMRole5" {
path = "/service-role/"
name = "sonde-api-to-iot-core-role-z9zes3f5"
assume_role_policy = <<EOF
{
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
EOF
max_session_duration = 3600
}
resource "aws_iam_role" "sign_socket" {
name = "sign_socket"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
@ -205,12 +223,12 @@ resource "aws_iam_role_policy" "IAMPolicy" {
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:143841941773:domain/sondes-v2"
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2"
},
{
"Effect": "Allow",
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:143841941773:domain/sondes-v2/*"
"Resource": "arn:aws:es:us-east-1:${data.aws_caller_identity.current.account_id}:domain/sondes-v2/*"
}
]
}
@ -278,6 +296,32 @@ EOF
role = aws_iam_role.IAMRole5.name
}
resource "aws_iam_role_policy" "sign_socket" {
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iot:Connect",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iot:Subscribe",
"Resource": "arn:aws:iot:us-east-1:${data.aws_caller_identity.current.account_id}:topicfilter/sondes/*"
},
{
"Effect": "Allow",
"Action": "iot:Receive",
"Resource": "arn:aws:iot:us-east-1:${data.aws_caller_identity.current.account_id}:topic/sondes/*"
}
]
}
EOF
role = aws_iam_role.sign_socket.name
}
resource "aws_route53_zone" "Route53HostedZone" {
name = "${local.domain_name}."
}
@ -356,6 +400,12 @@ data "archive_file" "api_to_iot" {
output_path = "${path.module}/build/sonde-api-to-iot-core.zip"
}
data "archive_file" "sign_socket" {
type = "zip"
source_file = "sign-websocket/lambda_function.py"
output_path = "${path.module}/build/sign_socket.zip"
}
resource "aws_lambda_function" "LambdaFunction" {
function_name = "sonde-api-to-iot-core"
handler = "lambda_function.lambda_handler"
@ -369,12 +419,48 @@ resource "aws_lambda_function" "LambdaFunction" {
tracing_config {
mode = "Active"
}
environment {
variables = {
"IOT_ENDPOINT" = data.aws_iot_endpoint.endpoint.endpoint_address
}
}
layers = [
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
]
}
resource "aws_lambda_function" "sign_socket" {
function_name = "sign-websocket"
handler = "lambda_function.lambda_handler"
filename = "${path.module}/build/sign_socket.zip"
source_code_hash = data.archive_file.sign_socket.output_base64sha256
publish = true
memory_size = 128
role = aws_iam_role.sign_socket.arn
runtime = "python3.7"
timeout = 10
tracing_config {
mode = "Active"
}
environment {
variables = {
"IOT_ENDPOINT" = data.aws_iot_endpoint.endpoint.endpoint_address
}
}
layers = [
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:xray-python:1",
"arn:aws:lambda:us-east-1:${data.aws_caller_identity.current.account_id}:layer:iot:3"
]
}
resource "aws_lambda_permission" "sign_socket" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.sign_socket.arn
principal = "apigateway.amazonaws.com"
source_arn = "arn:aws:execute-api:us-east-1:${data.aws_caller_identity.current.account_id}:r03szwwq41/*/*/sondes/websocket"
}
resource "aws_lambda_permission" "LambdaPermission2" {
action = "lambda:InvokeFunction"
function_name = aws_lambda_function.LambdaFunction.arn
@ -422,11 +508,13 @@ resource "aws_apigatewayv2_api" "ApiGatewayV2Api" {
resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage" {
name = "$default"
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
deployment_id = aws_apigatewayv2_deployment.ApiGatewayV2Deployment3.id
default_route_settings {
detailed_metrics_enabled = false
}
auto_deploy = true
lifecycle {
ignore_changes = ["deployment_id"]
}
}
resource "aws_apigatewayv2_stage" "ApiGatewayV2Stage2" {
@ -454,6 +542,24 @@ resource "aws_apigatewayv2_route" "ApiGatewayV2Route" {
target = "integrations/${aws_apigatewayv2_integration.ApiGatewayV2Integration.id}"
}
resource "aws_apigatewayv2_route" "sign_socket" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
api_key_required = false
authorization_type = "NONE"
route_key = "GET /sondes/websocket"
target = "integrations/${aws_apigatewayv2_integration.sign_socket.id}"
}
resource "aws_apigatewayv2_integration" "sign_socket" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
connection_type = "INTERNET"
integration_method = "POST"
integration_type = "AWS_PROXY"
integration_uri = aws_lambda_function.sign_socket.arn
timeout_milliseconds = 30000
payload_format_version = "2.0"
}
resource "aws_apigatewayv2_integration" "ApiGatewayV2Integration" {
api_id = aws_apigatewayv2_api.ApiGatewayV2Api.id
connection_type = "INTERNET"
@ -632,7 +738,7 @@ resource "aws_cognito_user_pool_client" "CognitoUserPoolClient" {
user_pool_id = aws_cognito_user_pool.CognitoUserPool.id
name = "AWSElasticsearch-sondes-v2-us-east-1-hiwdpmnjbuckpbwfhhx65mweee"
refresh_token_validity = 30
allowed_oauth_flows = [ "code" ]
allowed_oauth_flows = ["code"]
allowed_oauth_flows_user_pool_client = true
allowed_oauth_scopes = ["email", "openid", "phone", "profile"]
callback_urls = ["https://es.${local.domain_name}/_plugin/kibana/app/kibana"]

118
sign-websocket/lambda_function.py Normal file
View File

@ -0,0 +1,118 @@
import boto3
import time
import uuid
import urllib.parse
import hmac, datetime, hashlib
import os
#todo this will need an iam role that has iot connection privs
def aws_sign(key, msg):
return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
def aws_getSignatureKey(key, dateStamp, regionName, serviceName):
kDate = aws_sign(("AWS4" + key).encode("utf-8"), dateStamp)
kRegion = aws_sign(kDate, regionName)
kService = aws_sign(kRegion, serviceName)
kSigning = aws_sign(kService, "aws4_request")
return kSigning
def aws_presign(
access_key=None,
secret_key=None,
session_token=None,
host=None,
region=None,
method=None,
protocol=None,
uri=None,
service=None,
expires=3600,
payload_hash=None,
):
# method=GET, protocol=wss, uri=/mqtt service=iotdevicegateway
assert 604800 >= expires >= 1, "Invalid expire time 604800 >= %s >= 1" % expires
# Date stuff, first is datetime, second is just date.
t = datetime.datetime.utcnow()
date_time = t.strftime("%Y%m%dT%H%M%SZ")
date = t.strftime("%Y%m%d")
# Signing algorithm used
algorithm = "AWS4-HMAC-SHA256"
# Scope of credentials, date + region (eu-west-1) + service (iot gateway hostname) + signature version
credential_scope = date + "/" + region + "/" + service + "/" + "aws4_request"
# Start building the query-string
canonical_querystring = "X-Amz-Algorithm=" + algorithm
canonical_querystring += "&X-Amz-Credential=" + urllib.parse.quote_plus(
access_key + "/" + credential_scope
)
canonical_querystring += "&X-Amz-Date=" + date_time
canonical_querystring += "&X-Amz-Expires=" + str(expires)
canonical_querystring += "&X-Amz-SignedHeaders=host"
if payload_hash is None:
if service == "iotdevicegateway":
payload_hash = hashlib.sha256(b"").hexdigest()
else:
payload_hash = "UNSIGNED-PAYLOAD"
canonical_headers = "host:" + host + "\n"
canonical_request = (
method
+ "\n"
+ uri
+ "\n"
+ canonical_querystring
+ "\n"
+ canonical_headers
+ "\nhost\n"
+ payload_hash
)
string_to_sign = (
algorithm
+ "\n"
+ date_time
+ "\n"
+ credential_scope
+ "\n"
+ hashlib.sha256(canonical_request.encode()).hexdigest()
)
signing_key = aws_getSignatureKey(secret_key, date, region, service)
signature = hmac.new(
signing_key, string_to_sign.encode("utf-8"), hashlib.sha256
).hexdigest()
canonical_querystring += "&X-Amz-Signature=" + signature
if session_token:
canonical_querystring += "&X-Amz-Security-Token=" + urllib.parse.quote(
session_token
)
return protocol + "://" + host + uri + "?" + canonical_querystring
def lambda_handler(event, context):
#get aws creds
session = boto3.Session()
credentials = session.get_credentials()
current_credentials = credentials.get_frozen_credentials()
url = aws_presign(
access_key=current_credentials.access_key,
secret_key=current_credentials.secret_key,
session_token=current_credentials.token,
method="GET",
protocol="wss",
uri="/mqtt",
service="iotdevicegateway",
host=os.getenv("IOT_ENDPOINT"),
region=session.region_name,
)
return {"statusCode": 200, "body": url}
if __name__ == "__main__":
print(lambda_handler({}, {}))

51
sonde-api-to-iot-core/lambda_function.py
View File

@ -12,6 +12,7 @@ from awsiot import mqtt_connection_builder
import uuid
import threading
from email.utils import parsedate
import os
# this needs a bunch of refactor but the general approach is
# connect to mqtt via websockets during init
@ -38,29 +39,33 @@ event_loop_group = io.EventLoopGroup(1)
host_resolver = io.DefaultHostResolver(event_loop_group)
io.init_logging(io.LogLevel.Error, 'stderr')
io.init_logging(io.LogLevel.Error, "stderr")
def connect():
global connect_future, mqtt_connection
session = boto3.session.Session()
client_bootstrap = io.ClientBootstrap(event_loop_group, host_resolver)
credentials_provider = auth.AwsCredentialsProvider.new_default_chain(client_bootstrap)
credentials_provider = auth.AwsCredentialsProvider.new_default_chain(
client_bootstrap
)
mqtt_connection = mqtt_connection_builder.websockets_with_default_aws_signing(
endpoint="a2sgq5szfqum7p-ats.iot.us-east-1.amazonaws.com",
endpoint=os.getenv("IOT_ENDPOINT"),
client_bootstrap=client_bootstrap,
region="us-east-1",
credentials_provider=credentials_provider,
client_id=str(uuid.uuid4()),
clean_session=False,
keep_alive_secs=6)
keep_alive_secs=6,
)
connect_future = mqtt_connection.connect()
connect_future.result()
connect()
def lambda_handler(event, context):
def lambda_handler(event, context):
# Future.result() waits until a result is available
try:
@ -71,13 +76,19 @@ def lambda_handler(event, context):
print(json.dumps(event))
if "isBase64Encoded" in event and event["isBase64Encoded"] == True:
event["body"] = base64.b64decode(event["body"])
if "content-encoding" in event["headers"] and event["headers"]["content-encoding"] == "gzip":
event["body"] = zlib.decompress(event["body"], 16+zlib.MAX_WBITS)
if (
"content-encoding" in event["headers"]
and event["headers"]["content-encoding"] == "gzip"
):
event["body"] = zlib.decompress(event["body"], 16 + zlib.MAX_WBITS)
time_delta = None
if "date" in event["headers"]:
try:
time_delta_header = event["headers"]["date"]
time_delta = (datetime.datetime(*parsedate(time_delta_header)[:7]) - datetime.datetime.utcnow()).total_seconds()
time_delta = (
datetime.datetime(*parsedate(time_delta_header)[:7])
- datetime.datetime.utcnow()
).total_seconds()
except:
pass
payloads = json.loads(event["body"])
@ -95,11 +106,15 @@ def lambda_handler(event, context):
if not payload["uploader_position"]:
payload.pop("uploader_position")
else:
(payload["uploader_alt"], payload["uploader_position"]) = payload["uploader_position"][2], f"{payload['uploader_position'][0]},{payload['uploader_position'][1]}"
(payload["uploader_alt"], payload["uploader_position"]) = (
payload["uploader_position"][2],
f"{payload['uploader_position'][0]},{payload['uploader_position'][1]}",
)
(msg, x) = mqtt_connection.publish(
topic=f'sondes/{payload["serial"]}',
payload=json.dumps(payload),
qos=mqtt.QoS.AT_MOST_ONCE)
qos=mqtt.QoS.AT_MOST_ONCE,
)
try:
msg.result()
except (RuntimeError, AwsCrtError):
@ -107,14 +122,12 @@ def lambda_handler(event, context):
(msg, x) = mqtt_connection.publish(
topic=f'sondes/{payload["serial"]}',
payload=json.dumps(payload),
qos=mqtt.QoS.AT_MOST_ONCE)
qos=mqtt.QoS.AT_MOST_ONCE,
)
msg.result()
return {"statusCode": 200, "body": "^v^ telm logged"}
return {
'statusCode': 200,
'body': "^v^ telm logged"
}
if __name__ == "__main__":
payload = {
@ -134,7 +147,7 @@ if __name__ == "__main__":
"x-forwarded-for": "103.107.130.22",
"x-forwarded-port": "443",
"x-forwarded-proto": "https",
"date": "Sun, 31 Jan 2021 00:21:45 GMT"
"date": "Sun, 31 Jan 2021 00:21:45 GMT",
},
"requestContext": {
"accountId": "143841941773",
@ -146,15 +159,15 @@ if __name__ == "__main__":
"path": "/sondes/telemetry",
"protocol": "HTTP/1.1",
"sourceIp": "103.107.130.22",
"userAgent": "autorx-1.4.1-beta4"
"userAgent": "autorx-1.4.1-beta4",
},
"requestId": "Z_NJvh0RoAMEJaw=",
"routeKey": "PUT /sondes/telemetry",
"stage": "$default",
"time": "31/Jan/2021:00:10:25 +0000",
"timeEpoch": 1612051825409
"timeEpoch": 1612051825409,
},
"body": "H4sIAHD1FWAC/8WbX2/byBXFv0rg5/Vg7v87eduHYh8LJNui2KIwlFjZGHDsVJbTLop+996hszVHXpECKI7hJ1GURiR/vnPOmTt//8/Fw+OH/W9ftxdv31y8e89w+f6nix/eXOy3X77GoUvDVOLll83d46fNx/3jbrurZ/51c/Owud3UMx+2u5vNbT34HpAyKNSjt5t9/ThxMs/OceTTbvOljsLKVj92V78IOEG8+La9vfpW30uGkOvZ15v9dn8zfOACM8JlhkuCn3N+C/lt5pQz5Jx/qUN92OzrWJiGr73/tP/XZre9unsa7WK3ub65f7i/u95ebR7391e7f18MP2b7z8ft3cff6qAZkuT6Mz5v4+S7X+OYSyoqWr/x8+OXm+ubfT3Tk8aBzW0dDoyLpWwu/v0CPtejORURpTj0+PX2fnO93V193NzePtz8eld/zY/v/vTT1Y9/+fnPV+/+Nty8zf4hjtdxbu/rGUAlgZfSXMu37e7hZnj7AlLcscsP2/2Gh2t/3D3sr+qNqndTRUjqwxs9z+FhxvtXu+3H7c237fXLO5rLW/YU912h/HLx3x/e9IGCWij8GBSe4lYjzUIhq0OhiXPJ5RAKG0EhmVKxLDSGAhI+XcACJkoeBu7JRIwKQCKvx0R5ZsIbJiiRGJRZJvQPmfCzMuGifIiENEiU5BnxsE4UEF3KBEJfJiQHE04Mr8aE5GNMlFQgyvEsE7Z2nSg5sRr4JBQQaAoUaKFwRFgMBVFnKKK+ocSTOhUKOzsU8AwFDpP071BgEmHzWSi8AxQU8/oLKHgMBWIoipg9DiaPbAWXQsHSGQpMQKgsrwcFHlMUFrzSvMosqzMR0xiY6SET1DBR65UXbpmIp4plKRPSWWUK1d+tjKcyoWdngsZMeKMoOP79ZlVm1Oj1oWBGmYaCIGRHztbOHiI2TCiLoNDOMlPiW9lyplOhkHP7UeFnKKSBIlwgC8/KzPh/XFlmFklmBodMQMNESFF4AmesKNSGB7OICe+MhCQQRuSOSEiLhDwjYYlGSGgq7jw7eYQMWR8JRi0vIgocM8FRccPClXbyIAspspSJQZL0hEJTPDgi6AiFtlDoMSh4SE9wFgpaffIIaUMmk3WCPVm2gzIhmGFpQvGU3PVEwgIJx9ONxxmQ8BaJUZQZhq5JrbyIzk8dq0eZpcY4eRDDx5moFRcdxqlVSTEx0lI5AdDbd8SVGZeipzLBy5koLRM+ZmLsO6BO4jTPxOpJZgm7W1ym64TmhOrSMmEU9WUpE6idmQgn52Deceo4QKIcQ8KTepbZ0Ap0bSQgjqH44IAmmAgdKiZj3xGFjtmWhlZAPZmo7j4ncA+c+9WJQTE9Q6F5bDu08aI59O+8xrS1NSbkkLEiRSdFpoX9CbVeGiiIoggvhaJraFWhgBhVXE42HrQcijagUBhXCm6MB0fN1lkofP1KkWveizpZKSy8s/FBpYjJAxdXCuHOUGCKY+X0NY8zQNG6UcVjUIQADmDnK8X6UWZMayAEk6mVx5AAhg0TJX4WL2VCqTMT4atzMT959sjLmWjNqDZJprZNFApoc0xg7mBGTc18sk547TxQ54YJycSLJw/DzkzEt4LF32lMwBlWPA6ZOBpkhsOnImU2oUBYHYowNwh0sGJuw0Lx/6GIk0ifnNJIZpaSly6DgfeGYjDWRfVUKHA5FNZCIcegqKtPJc8qCsQOTDDyYaGwpttK43PsTZJZEokPfUOLkCi9kYipkjTu/KlIwHIk2tRKdYwEtamVUpnVE0irp9tcF7helokWiZA/XA4SiuIOS5nA3JuJeiXop/bf5TP01ZQ2otBRkknJ2haKKGHzZWL9JJMTm2WbZAJiyLCs2qZWhrqYCeitMb3Szcqvx4SP60RpzGgIt+HxTDMhHZhwwMPU6pAJC+/s1K540BmSTMTeXjRGFYWOTEBLxHOQGf5Bm6XyzEizjVaoHZwomTEcEjHu0tU6gRk5tkjE1crSBQ+kzplV/O6wv9mlHxK5hcLycSiETWebatA6lImiXnAaijCe8tT0P4Iii+JS24HcOd2uHWKWKXesE7lNtw2OLXmEbOenNbNpKHx1jQmpEM9AQcGwFm71BIdxWqwnunbfPbWkQAihUxut1mACjzFBdY8HzxeK9XPMuPmWdVpPMIToKGgNE8IkSzsoUHszEfNg+KxTV8vXYOJoR2ZJITfybGRFq+eYbuGKRWGaCU+Y2ds6kUNRL22+Q/POTISRK3El8npMNDmmNF7098bnaSagwwZBA+LpyEpqwiYibYyZwRYz4b3rhATdYJxPZcLPLjLl2NxhQ2Y1iwR2QCKTwAs5IQ0SlgpIaZc7yCkvXRbF0hsJDSQcvfRDogVCjwGBCUV4tqeGqMPmwO+txMeB0BjRm7gqSgQuXxJ9IqonD3UtmuPjp/JgZ+bBjvEQr7DML4gSr85DlKqC05m2Wt035QdLX7WRcikQ0BsIj/sO+fWA8GObAuu/peNsok3SQVkWIPBJB2pUUxRop4zamLnUgRL2jqpiVDSR0o2Iw0TbyniVg5uuCTHKs/klaQcHGhdSaJqJUnMpxdZt+FOn3iImeseXmKPexaj8SlXC89h/SuM/UVFn1zjIOiTaHFcCUy0TUQ/CWZC0mYTL8u3k1LsJE7/vbj3Zf+q5vYbDMSbqLlHP89LSO+wSrcvUNslEwbpaxN7mVLp4PyBJZymBcSGs2TtKiUMkms3kuSkTwjq/m5xKhzUOLPzSbrRIeG21Odjno8ulhPYmIvgXLIAdi0QbUjkdKxKYxGG+KZdzByKgiL3Y0pFHRFhtW6TcJBIlFV7uN6xzIIHxrSGA2AKJf/wPWvB/4NlMAAA=",
"isBase64Encoded": True
"isBase64Encoded": True,
}
lambda_handler(payload, {})