tmp

Author: Water-Melon

a.lua

@@ -0,0 +1,46 @@
+setmetatable(_G, nil)
+local AWS = require("resty.aws")
+local AWS_global_config = require("resty.aws.config").global
+local aws = AWS { region = AWS_global_config.region }
+local cache = aws:ElastiCache()
+local redis = require "resty.redis"
+
+local hostname = "test-cache-ppl9c2.serverless.apne1.cache.amazonaws.com"
+local cachename = "test-cache"
+local port = 6379
+local name = "nik-test"
+
+local signer = cache:Signer {  -- create a signer instance
+  hostname = cachename,
+  port = port,
+  username = name,
+  is_serverless = true,
+  region = nil,              -- will be inherited from `aws`
+  credentials = nil,         -- will be inherited from `aws`
+}
+
+-- use the 'signer' to generate the token, whilst overriding some options
+local auth_token, err = signer:getAuthToken()
+
+if err then
+  ngx.log(ngx.ERR, "Failed to build auth token: ", err)
+  return
+end
+print(auth_token)
+
+local red = redis:new()
+--red:set_timeouts(1000, 1000, 1000)
+
+local ok, err = red:connect(hostname, port, { ssl = true })
+if not ok then
+  print("failed to connect: ", err)
+  return 
+end
+
+local res, err = red:auth(name, auth_token)
+if not res then
+  print("failed to authenticate: ", err)
+  return
+end
+
+print("OK")

lua-resty-aws-dev-1.rockspec.template

@@ -44,7 +44,8 @@ build = {
     ["resty.aws.request.signatures.v4"]                       = "src/resty/aws/request/signatures/v4.lua",
     ["resty.aws.request.signatures.presign"]                  = "src/resty/aws/request/signatures/presign.lua",
     ["resty.aws.request.signatures.none"]                     = "src/resty/aws/request/signatures/none.lua",
-    ["resty.aws.service.rds.signer"]                           = "src/resty/aws/service/rds/signer.lua",
+    ["resty.aws.service.rds.signer"]                          = "src/resty/aws/service/rds/signer.lua",
+    ["resty.aws.service.elasticache.signer"]                  = "src/resty/aws/service/elasticache/signer.lua",
     ["resty.aws.credentials.Credentials"]                     = "src/resty/aws/credentials/Credentials.lua",
     ["resty.aws.credentials.ChainableTemporaryCredentials"]   = "src/resty/aws/credentials/ChainableTemporaryCredentials.lua",
     ["resty.aws.credentials.CredentialProviderChain"]         = "src/resty/aws/credentials/CredentialProviderChain.lua",

src/resty/aws/init.lua

@@ -498,12 +498,19 @@ function AWS:new(config)
         service_config[k] = service_config[k] or v
       end
 
+      local signer
+      if service_id == "RDS" then
+        signer = require("resty.aws.service.rds.signer")
+      elseif service_id == "ElastiCache" then
+        signer = require("resty.aws.service.elasticache.signer")
+      end
+
       local service_instance = {
         aws = aws_instance,
         config = service_config,
         api = api,
         -- Add service specific methods:
-        Signer = (service_id == "RDS") and require("resty.aws.service.rds.signer") or nil
+        Signer = signer
       }
 
       AWS.configureEndpoint(service_instance)

src/resty/aws/service/elasticache/signer.lua

@@ -0,0 +1,77 @@
+--- Signer class for Elasticache tokens for Valkey and Redis OSS access.
+
+-- Elasticache services created will get a `Signer` method to create an instance.
+-- The `Signer` will inherit its configuration from the `AWS` instance.
+
+local httpc = require("resty.luasocket.http")
+local presign_awsv4_request = require("resty.aws.request.signatures.presign")
+
+local ELASTICACHE_IAM_AUTH_EXPIRE_TIME = 15 * 60
+
+local function getAuthToken(self, opts) --endpoint, region, username, is_serverless)
+  opts = setmetatable(opts or {}, { __index = self.config }) -- lookup missing params in inherited config
+
+  local region = assert(opts.region, "parameter 'region' not set")
+  local hostname = assert(opts.hostname, "parameter 'hostname' not set")
+  local port = assert(opts.port, "parameter 'port' not set")
+  local username = assert(opts.username, "parameter 'username' not set")
+
+  local endpoint = hostname
+  if endpoint:sub(1,7) ~= "http://" then
+    endpoint = "http://" .. endpoint
+  end
+
+  local query_args = "Action=connect"
+  if opts.is_serverless then
+    query_args = query_args .. "&ResourceType=ServerlessCache"
+  end
+
+  local query_args = query_args .. "&User=" .. username
+
+  local canonical_request_url = endpoint .. "/?" .. query_args
+  local scheme, host, port, path, query = unpack(httpc:parse_uri(canonical_request_url, false))
+  local req_data = {
+    method = "GET",
+    scheme = scheme,
+    tls = scheme == "https",
+    host = host,
+    port = port,
+    path = path,
+    query = query,
+    headers = {
+      ["Host"] = host,
+    },
+  }
+
+  local presigned_request, err = presign_awsv4_request(self.config, req_data, opts.signingName, region, ELASTICACHE_IAM_AUTH_EXPIRE_TIME)
+  if err then
+    return nil, err
+  end
+
+  return presigned_request.host .. presigned_request.path .. "?" .. presigned_request.query
+end
+
+
+-- signature: intended to be a method on the Elasticache service object, cache_instance == self in that case
+return function(cache_instance, config)
+  local token_instance = {
+    config = {},
+    getAuthToken = getAuthToken,  -- injected method for token generation
+  }
+
+  -- first copy the inherited config elements NOTE: inherits from AWS, not the cache_instance!!!
+  for k,v in pairs(cache_instance.aws.config) do
+    token_instance.config[k] = v
+  end
+
+  -- service specifics
+  token_instance.config.signatureVersion = "v4"
+  token_instance.config.signingName = "elasticache"
+
+  -- then add/overwrite with provided config
+  for k,v in pairs(config or {}) do
+    token_instance.config[k] = v
+  end
+
+  return token_instance
+end