Add AWS IAM authorization support (mghoneimy#64)

viktor-zinchenko · web-flow · commit caadeba3e8af · 2021-08-10T08:39:57.000-04:00
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -37,3 +37,7 @@ jobs:
 
     - name: Run test suite
       run: composer run test
+      env:
+        AWS_ACCESS_KEY_ID: key
+        AWS_SECRET_ACCESS_KEY: secret
+        AWS_SESSION_TOKEN: token
diff --git a/composer.json b/composer.json
@@ -36,8 +36,9 @@
         "guzzlehttp/guzzle": "^6.3|^7.0.1"
     },
     "require-dev": {
-        "phpunit/phpunit": "^7.5|^8.0",
-        "codacy/coverage": "^1.4"
+        "phpunit/phpunit": "^7.5|^8.0|^9.0",
+        "codacy/coverage": "^1.4",
+        "aws/aws-sdk-php": "^3.186"
     },
     "conflict": {
         "guzzlehttp/psr7": "< 1.7.0"
@@ -46,6 +47,7 @@
         "test": "phpunit tests/ --whitelist src/ --coverage-clover build/coverage/xml"
     },
     "suggest": {
+        "aws/aws-sdk-php": "Move this package to require section to use AWS IAM authorization",
         "gmostafa/php-graphql-oqm": "To have object-to-query mapping support"
     }
 }
diff --git a/src/Auth/AuthInterface.php b/src/Auth/AuthInterface.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace GraphQL\Auth;
+
+use GuzzleHttp\Psr7\Request;
+
+interface AuthInterface
+{
+    /**
+     * @param Request $request
+     * @param array $options
+     * @return Request
+     */
+    public function run(Request $request, array $options = []): Request;
+}
diff --git a/src/Auth/AwsIamAuth.php b/src/Auth/AwsIamAuth.php
@@ -0,0 +1,62 @@
+<?php
+
+namespace GraphQL\Auth;
+
+use Aws\Credentials\Credentials;
+use Aws\Credentials\CredentialProvider;
+use Aws\Signature\SignatureV4;
+use GraphQL\Exception\AwsRegionNotSetException;
+use GraphQL\Exception\MissingAwsSdkPackageException;
+use GuzzleHttp\Psr7\Request;
+
+class AwsIamAuth implements AuthInterface
+{
+    protected const SERVICE_NAME = 'appsync';
+
+    /**
+     * @codeCoverageIgnore
+     *
+     * AwsIamAuth constructor.
+     */
+    public function __construct()
+    {
+        if (!class_exists('\Aws\Signature\SignatureV4')) {
+            throw new MissingAwsSdkPackageException();
+        }
+    }
+
+    /**
+     * @param Request $request
+     * @param array $options
+     * @return Request
+     */
+    public function run(Request $request, array $options = []): Request
+    {
+        $region = $options['aws_region'] ?? null;
+        if ($region === null) {
+            throw new AwsRegionNotSetException();
+        }
+        return $this->getSignature($region)->signRequest(
+            $request, $this->getCredentials(),
+            self::SERVICE_NAME
+        );
+    }
+
+    /**
+     * @param string $region
+     * @return SignatureV4
+     */
+    protected function getSignature(string $region): SignatureV4
+    {
+        return new SignatureV4(self::SERVICE_NAME, $region);
+    }
+
+    /**
+     * @return Credentials
+     */
+    protected function getCredentials(): Credentials
+    {
+        $provider = CredentialProvider::defaultProvider();
+        return $provider()->wait();
+    }
+}
diff --git a/src/Client.php b/src/Client.php
@@ -2,6 +2,8 @@
 
 namespace GraphQL;
 
+use GraphQL\Auth\AuthInterface;
+use GraphQL\Auth\HeaderAuth;
 use GraphQL\Exception\QueryError;
 use GraphQL\Exception\MethodNotSupportedException;
 use GraphQL\QueryBuilder\QueryBuilderInterface;
@@ -34,39 +36,54 @@ class Client
      */
     protected $httpHeaders;
 
+    /**
+     * @var array
+     */
+    protected $options;
+
     /**
      * @var string
      */
     protected $requestMethod;
 
+    /**
+     * @var AuthInterface
+     */
+    protected $auth;
+
     /**
      * Client constructor.
      *
      * @param string $endpointUrl
      * @param array $authorizationHeaders
      * @param array $httpOptions
-     * @param ClientInterface $httpClient
+     * @param ClientInterface|null $httpClient
      * @param string $requestMethod
+     * @param AuthInterface|null $auth
      */
     public function __construct(
         string $endpointUrl,
         array $authorizationHeaders = [],
         array $httpOptions = [],
         ClientInterface $httpClient = null,
-        string $requestMethod = 'POST'
+        string $requestMethod = 'POST',
+        AuthInterface $auth = null
     ) {
         $headers = array_merge(
             $authorizationHeaders,
             $httpOptions['headers'] ?? [],
             ['Content-Type' => 'application/json']
         );
-
         /**
          * All headers will be set on the request objects explicitly,
          * Guzzle doesn't have to care about them at this point, so to avoid any conflicts
          * we are removing the headers from the options
          */
         unset($httpOptions['headers']);
+        $this->options = $httpOptions;
+        if ($auth) {
+            $this->auth = $auth;
+        }
 
         $this->endpointUrl          = $endpointUrl;
         $this->httpClient           = $httpClient ?? new GuzzleAdapter(new \GuzzleHttp\Client($httpOptions));
@@ -121,6 +138,10 @@ public function runRawQuery(string $queryString, $resultsAsArray = false, array
         $bodyArray = ['query' => (string) $queryString, 'variables' => $variables];
         $request = $request->withBody(Utils::streamFor(json_encode($bodyArray)));
 
+        if ($this->auth) {
+            $request = $this->auth->run($request, $this->options);
+        }
+
         // Send api request and get response
         try {
             $response = $this->httpClient->sendRequest($request);
diff --git a/src/Exception/AwsRegionNotSetException.php b/src/Exception/AwsRegionNotSetException.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace GraphQL\Exception;
+
+use RunTimeException;
+
+/**
+ * Class AwsRegionNotSetException
+ *
+ * @package GraphQL\Exception
+ */
+class AwsRegionNotSetException extends RunTimeException
+{
+    public function __construct()
+    {
+        parent::__construct("AWS region not set.");
+    }
+}
diff --git a/src/Exception/MissingAwsSdkPackageException.php b/src/Exception/MissingAwsSdkPackageException.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace GraphQL\Exception;
+
+use RunTimeException;
+
+/**
+ * Class MissingAwsSdkPackageException
+ *
+ * @package GraphQL\Exception
+ */
+class MissingAwsSdkPackageException extends RunTimeException
+{
+    /**
+     * @codeCoverageIgnore
+     *
+     * MissingAwsSdkPackageException constructor.
+     */
+    public function __construct()
+    {
+        parent::__construct(
+            'To be able to use AWS IAM authorization you should 
+            install "aws/aws-sdk-php" as a project dependency.'
+        );
+    }
+}
diff --git a/tests/Auth/AwsIamAuthTest.php b/tests/Auth/AwsIamAuthTest.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace GraphQL\Tests\Auth;
+
+use GraphQL\Auth\AwsIamAuth;
+use GraphQL\Exception\AwsRegionNotSetException;
+use GuzzleHttp\Psr7\Request;
+use PHPUnit\Framework\TestCase;
+
+class AwsIamAuthTest extends TestCase
+{
+    /**
+     * @var AwsIamAuth
+     */
+    protected $auth;
+
+    protected function setUp(): void
+    {
+        $this->auth = new AwsIamAuth();
+    }
+
+    /**
+     * @covers \GraphQL\Auth\AwsIamAuth::run
+     * @covers \GraphQL\Exception\AwsRegionNotSetException::__construct
+     */
+    public function testRunMissingRegion()
+    {
+        $this->expectException(AwsRegionNotSetException::class);
+        $request = new Request('POST', '');
+        $this->auth->run($request, []);
+    }
+
+    /**
+     * @covers \GraphQL\Auth\AwsIamAuth::run
+     * @covers \GraphQL\Auth\AwsIamAuth::getSignature
+     * @covers \GraphQL\Auth\AwsIamAuth::getCredentials
+     */
+    public function testRunSuccess()
+    {
+        $request = $this->auth->run(
+            new Request('POST', ''),
+            ['aws_region' => 'us-east-1']
+        );
+        $headers = $request->getHeaders();
+        $this->assertArrayHasKey('X-Amz-Date', $headers);
+        $this->assertArrayHasKey('X-Amz-Security-Token', $headers);
+        $this->assertArrayHasKey('Authorization', $headers);
+    }
+}
