pact-foundation/pact-provider-verifier

Add Amazon Signature Version 4 Support

dhreines opened this issue · 4 comments

We're looking to run pact-provider-verifier against the AWS API Gateway using Amazon's Signature Version 4 signing process for authentication. The current custom Authentication header support does not support this mechanism.

Faraday middleware for AWS Signature Version 4 may be an option for adding this type of support.

Configuration options may include:

  • --aws-access-key-id
  • --aws-secret-access-key
  • --aws-session-token
  • --aws-service-name
  • --aws-region

There are a couple of options here. Firstly, we could allow some custom Rack middleware to be configured to do this. Or secondly, we could change the request-making framework from rack-reverse-proxy to Faraday, which I'm actually ok with.

How do we ensure that the consumer is correctly signing the request though?

I'd imagine creating a class like this one, which takes a Rack request, turns it into a Faraday request, then turns the response back into a Rack response. https://github.com/waterlink/rack-reverse-proxy/blob/master/lib/rack_reverse_proxy/roundtrip.rb

> How do we ensure that the consumer is correctly signing the request though?

In our case, this wouldn't be necessary. We can modify the consumer library to send unsigned http requests during pact test execution.

The feature we were requesting was to modify the provider verifier to send AWS Sigv4 requests during all provider verification interactions including the provider state setup and teardown requests.

For now, we're working around the issue by deploying an AWS API Gateway Custom Authorizer. The custom authorizer allows us to deploy a custom authentication and authorization scheme during pact verification testing that allows unsigned https requests.

Given we have a workaround in place, this isn't a huge priority for us any longer. But, I imagine it may come up for others at some point.

Thanks for your response and I apologize for the delay in my reply to your questions.

I'm glad you came up with a workaround. Dropping the auth is what I would have suggested in a local setup, but I didn't know if it was an option for testing against an API Gateway app. I'll close the issue for now, but we can re-open it if necessary in the future.
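An added example, not code from pact-provider-verifier or from the participants in this thread: computing the Signature Version 4 headers from the five inputs proposed in the issue, using only Ruby's standard library. The function name `sigv4_headers` and the sample values are assumptions; it assumes the default port and a path and query string that are already URI-encoded.

```ruby
require "openssl"
require "uri"

# Hypothetical helper (not part of pact-provider-verifier): returns the headers
# that sign one request with AWS Signature Version 4.
def sigv4_headers(method:, url:, access_key_id:, secret_access_key:, service:,
                  region:, body: "", session_token: nil, time: Time.now.utc)
  uri = URI(url)
  amz_date = time.strftime("%Y%m%dT%H%M%SZ")
  date = amz_date[0, 8]
  sha256 = ->(data) { OpenSSL::Digest.new("SHA256").hexdigest(data) }
  hmac = ->(key, data) { OpenSSL::HMAC.digest("SHA256", key, data) }

  # Headers covered by the signature; the session token is signed when present.
  headers = { "host" => uri.host, "x-amz-date" => amz_date }
  headers["x-amz-security-token"] = session_token if session_token
  signed = headers.keys.sort
  canonical_headers = signed.map { |k| "#{k}:#{headers[k].strip}\n" }.join

  # Assumption: path and query are already URI-encoded; parameters are sorted.
  query = (uri.query || "").split("&").sort.join("&")
  path = uri.path.empty? ? "/" : uri.path

  canonical_request = [method.upcase, path, query, canonical_headers,
                       signed.join(";"), sha256.(body)].join("\n")
  scope = "#{date}/#{region}/#{service}/aws4_request"
  string_to_sign = ["AWS4-HMAC-SHA256", amz_date, scope,
                    sha256.(canonical_request)].join("\n")

  # Derive the signing key: date -> region -> service -> "aws4_request".
  key = [date, region, service, "aws4_request"]
        .reduce("AWS4#{secret_access_key}") { |k, part| hmac.(k, part) }
  signature = OpenSSL::HMAC.hexdigest("SHA256", key, string_to_sign)

  headers.merge("authorization" =>
    "AWS4-HMAC-SHA256 Credential=#{access_key_id}/#{scope}, " \
    "SignedHeaders=#{signed.join(';')}, Signature=#{signature}")
end

# Constructed sample call; the credentials are non-functional example values.
if __FILE__ == $PROGRAM_NAME
  puts sigv4_headers(method: "GET", url: "https://example.amazonaws.com/",
                     access_key_id: "AKIDEXAMPLE",
                     secret_access_key: "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                     service: "service", region: "us-east-1")
end
```

In a verifier run, the secret key and session token are better read from environment variables than passed as flags, since command-line arguments are visible in process listings and shell history.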