Add AwsSigV4 signing functionality

README.md

@@ -152,6 +152,94 @@ async function search() {
 search().catch(console.log);
 ```
 
+### With AWS SigV4 signing
+```javascript
+const endpoint = ""; // OpenSearch domain URL e.g. https://search-xxx.region.es.amazonaws.com
+const { Client } = require('@opensearch-project/opensearch');
+const AwsV4Signer = require('@opensearch-project/opensearch/AwsV4Signer');
+const { defaultProvider } = require("@aws-sdk/credential-provider-node");
+
+async function getClient() {
+  const credentials = await defaultProvider()();
+  var client = new Client({
+    ...AwsV4Signer({
+      credentials: credentials,
+      region: "us-west-2",
+    }),
+    node: endpoint,
+  });
+  return client;
+}
+
+async function search() {
+
+  var client = await getClient();
+
+  var index_name = "books-test-1";
+  var settings = {
+    settings: {
+      index: {
+        number_of_shards: 4,
+        number_of_replicas: 3,
+      },
+    },
+  };
+
+  var response = await client.indices.create({
+    index: index_name,
+    body: settings,
+  });
+
+  console.log("Creating index:");
+  console.log(response.body);
+
+  // Add a document to the index.
+  var document = {
+    title: "The Outsider",
+    author: "Stephen King",
+    year: "2018",
+    genre: "Crime fiction",
+  };
+
+  var id = "1";
+
+  var response = await client.index({
+    id: id,
+    index: index_name,
+    body: document,
+    refresh: true,
+  });
+
+  console.log("Adding document:");
+  console.log(response.body);
+
+  var response = await client.bulk({ body: bulk_documents });
+  console.log(response.body);
+
+  // Search for the document.
+  var query = {
+    query: {
+      match: {
+        title: {
+          query: "The Outsider",
+        },
+      },
+    },
+  };
+
+  var response = await client.search({
+    index: index_name,
+    body: query,
+  });
+
+  console.log("Search results:");
+  console.log(response.body.hits);
+}
+
+search().catch(console.log);
+```
+
+
 ## Project Resources
 
 - [Project Website](https://opensearch.org/)

lib/aws/AwsV4Signer.d.ts

@@ -0,0 +1,28 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+import { Credentials } from '@aws-sdk/types';
+import Connection from '../Connection';
+import * as http from 'http';
+
+interface AwsV4SignerOptions {
+  credentials: Credentials;
+  region: string;
+}
+
+export interface AwsV4SignerResponse {
+  Connection: Connection;
+  buildSignedRequestObject(request: any): http.ClientRequestArgs;
+}
+
+export default function AwsV4Signer(opts: AwsV4SignerOptions): AwsV4SignerResponse;
+
+export {};

lib/aws/AwsV4Signer.js

@@ -0,0 +1,43 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+'use strict';
+const Connection = require('../Connection');
+const aws4 = require('aws4');
+const { AwsV4SignerError } = require('./errors');
+
+function AwsV4Signer(opts) {
+  if (opts && (!opts.region || opts.region === null || opts.region === '')) {
+    throw new AwsV4SignerError('Region cannot be empty');
+  }
+  if (opts && (!opts.credentials || opts.credentials === null || opts.credentials === '')) {
+    throw new AwsV4SignerError('Credentials cannot be empty');
+  }
+
+  function buildSignedRequestObject(request = {}) {
+    request.service = 'es';
+    request.region = opts.region;
+    request.headers = request.headers || {};
+    request.headers['host'] = request.hostname;
+    return aws4.sign(request, opts.credentials);
+  }
+  class AwsV4SignedConnection extends Connection {
+    buildRequestObject(params) {
+      const request = super.buildRequestObject(params);
+      return buildSignedRequestObject(request);
+    }
+  }
+  return {
+    Connection: AwsV4SignedConnection,
+    buildSignedRequestObject,
+  };
+}
+module.exports = AwsV4Signer;

lib/aws/errors.d.ts

@@ -0,0 +1,18 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+import { OpenSearchClientError } from '../errors';
+
+export declare class AwsV4SignerError extends OpenSearchClientError {
+  name: string;
+  message: string;
+  data: any;
+  constructor(message: string, data: any);
+}

lib/aws/errors.js

@@ -0,0 +1,27 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+'use strict';
+const { OpenSearchClientError } = require('../errors');
+
+class AwsV4SignerError extends OpenSearchClientError {
+  constructor(message, data) {
+    super(message, data);
+    Error.captureStackTrace(this, AwsV4SignerError);
+    this.name = 'AwsV4SignerError';
+    this.message = message || 'AwsV4Signer Error';
+    this.data = data;
+  }
+}
+
+module.exports = {
+  AwsV4SignerError,
+};

package.json

@@ -8,6 +8,7 @@
       "require": "./index.js",
       "import": "./index.mjs"
     },
+    "./awsV4Signer": "./lib/aws/AwsV4Signer.js",
     "./": "./"
   },
   "homepage": "https://www.opensearch.org/",
@@ -77,6 +78,8 @@
     "xmlbuilder2": "^2.4.1"
   },
   "dependencies": {
+    "@aws-sdk/credential-provider-node": "^3.154.0",
+    "aws4": "^1.11.0",
     "debug": "^4.3.1",
     "hpagent": "^0.1.1",
     "ms": "^2.1.3",

test/types/awsv4signer.test-d.ts

@@ -0,0 +1,48 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { expectType } from 'tsd';
+const { v4: uuidv4 } = require('uuid');
+import AwsV4Signer, { AwsV4SignerResponse } from '../../lib/aws/AwsV4Signer';
+
+const mockCreds = {
+  accessKeyId: uuidv4(),
+  secretAccessKey: uuidv4(),
+};
+
+const mockRegion = 'us-west-2';
+
+{
+  const AwsV4SignerOptions = { credentials: mockCreds, region: mockRegion };
+
+  const auth = AwsV4Signer(AwsV4SignerOptions);
+
+  expectType<AwsV4SignerResponse>(auth);
+}

test/types/connection.test-d.ts

@@ -42,8 +42,8 @@ import { ConnectionOptions } from '../../lib/Connection';
     agent: { keepAlive: false },
     status: 'alive',
     roles: {},
-    auth: { username: 'username', password: 'password' }
-  })
+    auth: { username: 'username', password: 'password' },
+  });
 
   expectType<Connection>(conn);
   expectType<URL>(conn.url);

test/unit/awsv4.test.js

@@ -0,0 +1,81 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ *
+ * Modifications Copyright OpenSearch Contributors. See
+ * GitHub history for details.
+ */
+const { test } = require('tap');
+const { URL } = require('url');
+const { v4: uuidv4 } = require('uuid');
+const AwsV4Signer = require('../../lib/aws/AwsV4Signer');
+const { AwsV4SignerError } = require('../../lib/aws/errors');
+const { Connection } = require('../../index');
+
+test('Sign with SigV4', (t) => {
+  t.plan(2);
+
+  const mockCreds = {
+    accessKeyId: uuidv4(),
+    secretAccessKey: uuidv4(),
+  };
+
+  const mockRegion = 'us-west-2';
+
+  const AwsV4SignerOptions = { credentials: mockCreds, region: mockRegion };
+
+  const auth = AwsV4Signer(AwsV4SignerOptions);
+
+  const connection = new Connection({
+    url: new URL('https://localhost:9200'),
+  });
+
+  const request = connection.buildRequestObject({
+    path: '/hello',
+    method: 'GET',
+    headers: {
+      'X-Custom-Test': true,
+    },
+  });
+  const signedRequest = auth.buildSignedRequestObject(request);
+  t.hasProp(signedRequest.headers, 'X-Amz-Date');
+  t.hasProp(signedRequest.headers, 'Authorization');
+});
+
+test('Sign with SigV4 failure (with empty region)', (t) => {
+  t.plan(2);
+
+  const mockCreds = {
+    accessKeyId: uuidv4(),
+    secretAccessKey: uuidv4(),
+  };
+
+  const AwsV4SignerOptions = { credentials: mockCreds };
+
+  try {
+    AwsV4Signer(AwsV4SignerOptions);
+    t.fail('Should fail');
+  } catch (err) {
+    t.ok(err instanceof AwsV4SignerError);
+    t.equal(err.message, 'Region cannot be empty');
+  }
+});
+
+test('Sign with SigV4 failure (with empty credentials)', (t) => {
+  t.plan(2);
+
+  const mockRegion = 'us-west-2';
+
+  const AwsV4SignerOptions = { region: mockRegion };
+
+  try {
+    AwsV4Signer(AwsV4SignerOptions);
+    t.fail('Should fail');
+  } catch (err) {
+    t.ok(err instanceof AwsV4SignerError);
+    t.equal(err.message, 'Credentials cannot be empty');
+  }
+});