Adds AWS signing to the client factories (#314)

Signed-off-by: Kim Pepper <kim@pepper.id.au>

Author: kimpepper

CHANGELOG.md

@@ -5,6 +5,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 ## [Unreleased]
 
 ### Added
+- Added `auth_aws` option to GuzzleClientFactory and SymfonyClientFactory ([#314](https://github.com/opensearch-project/opensearch-php/pull/314))
 ### Changed
 - Updated Client constructor to make EndpointFactory and optional parameter.
 ### Deprecated

guides/auth.md

@@ -13,7 +13,7 @@ OpenSearch allows you to use different methods for the authentication.
 ## Basic Auth
 
 ```php
-$endpoint = "https://localhost:9200"
+$endpoint = "http://localhost:9200"
 $username = "admin"
 $password = "..."
 ```
@@ -30,15 +30,21 @@ $client = (new \OpenSearch\ClientBuilder())
 
 ### Using a Psr Client
 
+Using Symfony HTTP Client:
+
 ```php
-$symfonyPsr18Client = (new \Symfony\Component\HttpClient\Psr18Client())->withOptions([
+$client = (new SymfonyClientFactory())->create([
     'base_uri' => $endpoint,
     'auth_basic' => [$username, $password],
-    'verify_peer' => false, // for testing only
-    'headers' => [
-        'Accept' => 'application/json',
-        'Content-Type' => 'application/json',
-    ],
+]);
+```
+
+Using Guzzle:
+
+```php
+$client = (new GuzzleClientFactory())->create([
+    'base_uri' => $endpoint,
+    'auth' => [$username, $password],
 ]);
 ```
 
@@ -72,53 +78,27 @@ $client = (new \OpenSearch\ClientBuilder())
 
 ### Using a Psr Client
 
+We can use the `AwsSigningHttpClientFactory` to create an HTTP Client to sign the requests using the AWS SDK for PHP.
+
+Require a PSR-18 client (e.g. Symfony) and the AWS SDK for PHP:
+
+```bash
+composer require symfony/http-client aws/aws-sdk-php
+```
+
+Create an OpenSearch Client using the Symfony HTTP Client and the AWS SDK for PHP:
+
 ```php
-$symfonyPsr18Client = (new \Symfony\Component\HttpClient\Psr18Client())->withOptions([
+$client = (new SymfonyClientFactory())->create([
     'base_uri' => $endpoint,
-    'headers' => [
-        'Accept' => 'application/json',
-        'Content-Type' => 'application/json',
+    'auth_aws' => [
+        'region' => $region,
+        'service' => 'es',
+        'credentials' => [
+            'access_key' => $aws_access_key_id,
+            'secret_key' => $aws_secret_access_key,
+            'session_token' => $aws_session_token,
+        ],
     ],
 ]);
-
-$serializer = new \OpenSearch\Serializers\SmartSerializer();
-$endpointFactory = new \OpenSearch\EndpointFactory();
-
-$signer = new Aws\Signature\SignatureV4(
-    $service,
-    $region
-);
-
-$credentials = new Aws\Credentials\Credentials(
-    $aws_access_key_id,
-    $aws_secret_access_key,
-    $aws_session_token
-);
-
-$signingClient = new \OpenSearch\Aws\SigningClientDecorator(
-    $symfonyPsr18Client,
-    $credentials,
-    $signer, 
-    [
-        'Host' => parse_url(getenv("ENDPOINT"))['host']
-    ]
-);
-
-$requestFactory = new \OpenSearch\RequestFactory(
-    $symfonyPsr18Client,
-    $symfonyPsr18Client,
-    $symfonyPsr18Client,
-    $serializer,
-);
-
-$transport = (new \OpenSearch\TransportFactory())
-    ->setHttpClient($signingClient)
-    ->setRequestFactory($requestFactory)
-    ->create();
-
-$client = new \OpenSearch\Client(
-    $transport,
-    $endpointFactory,
-    []
-);
-```
+```

src/OpenSearch/Aws/SigningClientFactory.php

@@ -0,0 +1,115 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OpenSearch\Aws;
+
+use Aws\Credentials\CredentialProvider;
+use Aws\Credentials\Credentials;
+use Aws\Exception\CredentialsException;
+use Aws\Signature\SignatureInterface;
+use Aws\Signature\SignatureV4;
+use Psr\Http\Client\ClientInterface;
+use Psr\Log\LoggerInterface;
+
+/**
+ * A factory for creating an HTTP Client that signs requests using AWS credentials.
+ */
+class SigningClientFactory
+{
+    /**
+     * The allowed AWS services.
+     */
+    public const ALLOWED_SERVICES = ['es', 'aoss'];
+
+    public function __construct(
+        protected ?SignatureInterface $signer = null,
+        protected ?CredentialProvider $provider = null,
+        protected ?LoggerInterface $logger = null,
+    ) {
+    }
+
+    /**
+     * Creates a new signing client.
+     *
+     * @param ClientInterface $innerClient
+     *   The decorated inner HTTP client.
+     * @param array<string,string> $options
+     *   The AWS auth options.
+     */
+    public function create(ClientInterface $innerClient, array $options): ClientInterface
+    {
+        if (!isset($options['host'])) {
+            throw new \InvalidArgumentException('The host option is required.');
+        }
+
+        // Get the credentials.
+        $provider = $this->getCredentialProvider($options);
+        $promise = $provider();
+        try {
+            $credentials = $promise->wait();
+        } catch (CredentialsException $e) {
+            $this->logger?->error('Failed to get AWS credentials: @message', ['@message' => $e->getMessage()]);
+            $credentials = new Credentials('', '');
+        }
+
+        // Get the signer.
+        $signer = $this->getSigner($options);
+
+        return new SigningClientDecorator($innerClient, $credentials, $signer, ['host' => $options['host']]);
+    }
+
+    /**
+     * Gets the credential provider.
+     *
+     * @param array<string,mixed> $options
+     *   The options array.
+     */
+    protected function getCredentialProvider(array $options): CredentialProvider|\Closure|null|callable
+    {
+        // Check for a provided credential provider.
+        if ($this->provider) {
+            return $this->provider;
+        }
+
+        // Check for provided access key and secret.
+        if (isset($options['credentials'])) {
+            return CredentialProvider::fromCredentials(
+                new Credentials(
+                    $options['credentials']['access_key'] ?? '',
+                    $options['credentials']['secret_key'] ?? '',
+                    $options['credentials']['session_token'] ?? null,
+                )
+            );
+        }
+
+        // Fallback to the default provider.
+        return CredentialProvider::defaultProvider();
+    }
+
+    /**
+     * Gets the request signer.
+     *
+     * @param array<string,string> $options
+     *   The options.
+     */
+    protected function getSigner(array $options): SignatureInterface
+    {
+        if ($this->signer) {
+            return $this->signer;
+        }
+
+        if (!isset($options['region'])) {
+            throw new \InvalidArgumentException('The region option is required.');
+        }
+
+        $service = $options['service'] ?? 'es';
+
+        if (!in_array($service, self::ALLOWED_SERVICES, true)) {
+            throw new \InvalidArgumentException('The service option must be either "es" or "aoss".');
+        }
+
+        return new SignatureV4($service, $options['region'], $options);
+    }
+
+}

src/OpenSearch/GuzzleClientFactory.php

@@ -4,6 +4,7 @@
 
 namespace OpenSearch;
 
+use OpenSearch\Aws\SigningClientFactory;
 use OpenSearch\HttpClient\GuzzleHttpClientFactory;
 use Psr\Log\LoggerInterface;
 use GuzzleHttp\Psr7\HttpFactory;
@@ -17,6 +18,7 @@ class GuzzleClientFactory implements ClientFactoryInterface
     public function __construct(
         protected int $maxRetries = 0,
         protected ?LoggerInterface $logger = null,
+        protected ?SigningClientFactory $awsSigningHttpClientFactory = null,
     ) {
     }
 
@@ -26,7 +28,22 @@ public function __construct(
      */
     public function create(array $options): Client
     {
+        // Clean up the options array for the Guzzle HTTP Client.
+        if (isset($options['auth_aws'])) {
+            $awsAuth = $options['auth_aws'];
+            unset($options['auth_aws']);
+        }
+
         $httpClient = (new GuzzleHttpClientFactory($this->maxRetries, $this->logger))->create($options);
+
+        if (isset($awsAuth)) {
+            if (!isset($awsAuth['host'])) {
+                // Get the host from the base URI.
+                $awsAuth['host'] = parse_url($options['base_uri'], PHP_URL_HOST);
+            }
+            $httpClient = $this->getSigningClientFactory()->create($httpClient, $awsAuth);
+        }
+
         $httpFactory = new HttpFactory();
 
         $serializer = new SmartSerializer();
@@ -45,4 +62,16 @@ public function create(array $options): Client
 
         return new Client($transport, new EndpointFactory($serializer), []);
     }
+
+    /**
+     * Gets the AWS signing client factory.
+     */
+    protected function getSigningClientFactory(): SigningClientFactory
+    {
+        if ($this->awsSigningHttpClientFactory === null) {
+            $this->awsSigningHttpClientFactory = new SigningClientFactory();
+        }
+        return $this->awsSigningHttpClientFactory;
+    }
+
 }

src/OpenSearch/SymfonyClientFactory.php

@@ -2,6 +2,7 @@
 
 namespace OpenSearch;
 
+use OpenSearch\Aws\SigningClientFactory;
 use OpenSearch\HttpClient\SymfonyHttpClientFactory;
 use OpenSearch\Serializers\SmartSerializer;
 use Psr\Log\LoggerInterface;
@@ -14,6 +15,7 @@ class SymfonyClientFactory implements ClientFactoryInterface
     public function __construct(
         protected int $maxRetries = 0,
         protected ?LoggerInterface $logger = null,
+        protected ?SigningClientFactory $awsSigningHttpClientFactory = null,
     ) {
     }
 
@@ -25,8 +27,13 @@ public function __construct(
      */
     public function create(array $options): Client
     {
-        $httpClient = (new SymfonyHttpClientFactory($this->maxRetries, $this->logger))->create($options);
+        // Clean up the options array for the Symfony HTTP Client.
+        if (isset($options['auth_aws'])) {
+            $awsAuth = $options['auth_aws'];
+            unset($options['auth_aws']);
+        }
 
+        $httpClient = (new SymfonyHttpClientFactory($this->maxRetries, $this->logger))->create($options);
         $serializer = new SmartSerializer();
 
         $requestFactory = new RequestFactory(
@@ -36,12 +43,30 @@ public function create(array $options): Client
             $serializer,
         );
 
-        $transport = (new TransportFactory())
-            ->setHttpClient($httpClient)
-            ->setRequestFactory($requestFactory)
-            ->create();
+        $transportFactory = (new TransportFactory())
+            ->setRequestFactory($requestFactory);
+
+        if (isset($awsAuth)) {
+            if (!isset($awsAuth['host'])) {
+                $awsAuth['host'] = parse_url($options['base_uri'], PHP_URL_HOST);
+            }
+            $signingClient = $this->getSigningClientFactory()->create($httpClient, $awsAuth);
+            $transportFactory->setHttpClient($signingClient);
+        } else {
+            $transportFactory->setHttpClient($httpClient);
+        }
+
+        return new Client($transportFactory->create(), new EndpointFactory($serializer));
+    }
 
-        $endpointFactory = new EndpointFactory();
-        return new Client($transport, $endpointFactory, []);
+    /**
+     * Gets the AWS signing client factory.
+     */
+    protected function getSigningClientFactory(): SigningClientFactory
+    {
+        if ($this->awsSigningHttpClientFactory === null) {
+            $this->awsSigningHttpClientFactory = new SigningClientFactory();
+        }
+        return $this->awsSigningHttpClientFactory;
     }
 }