out_opentelemetry: add AWS authentication support

plugins/out_opentelemetry/opentelemetry.c

@@ -41,6 +41,11 @@
 #include <cprofiles/cprofiles.h>
 #include <cprofiles/cprof_decode_msgpack.h>
 #include <cprofiles/cprof_encode_opentelemetry.h>
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+#include <fluent-bit/flb_signv4.h>
+#endif
+#endif
 
 extern cfl_sds_t cmt_encode_opentelemetry_create(struct cmt *cmt);
 extern void cmt_encode_opentelemetry_destroy(cfl_sds_t text);
@@ -87,6 +92,7 @@ int opentelemetry_legacy_post(struct opentelemetry_context *ctx,
     struct flb_slist_entry    *val;
     struct flb_config_map_val *mv;
     struct flb_http_client    *c;
+    flb_sds_t                 signature = NULL;
 
     compressed = FLB_FALSE;
 
@@ -183,6 +189,30 @@ int opentelemetry_legacy_post(struct opentelemetry_context *ctx,
                             val->str, flb_sds_len(val->str));
     }
 
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    if (ctx->has_aws_auth == FLB_TRUE) {
+        flb_plg_debug(ctx->ins, "signing request with AWS SigV4");
+        signature = flb_signv4_do(c,
+                                  FLB_TRUE,
+                                  FLB_TRUE,
+                                  time(NULL),
+                                  (char *) ctx->aws_region,
+                                  (char *) ctx->aws_service,
+                                  0, NULL,
+                                  ctx->aws_provider);
+
+        if (!signature) {
+            flb_plg_error(ctx->ins, "could not sign request with sigv4");
+            out_ret = FLB_RETRY;
+            goto cleanup;
+        }
+        flb_sds_destroy(signature);
+        signature = NULL;
+    }
+#endif
+#endif
+
     if (compressed) {
         if (ctx->compress_gzip) {
             flb_http_set_content_encoding_gzip(c);
@@ -256,6 +286,7 @@ int opentelemetry_legacy_post(struct opentelemetry_context *ctx,
         out_ret = FLB_RETRY;
     }
 
+cleanup:
     if (compressed) {
         flb_free(final_body);
     }
@@ -411,6 +442,22 @@ int opentelemetry_post(struct opentelemetry_context *ctx,
                                            ctx->http_passwd);
     }
 
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    if (ctx->has_aws_auth == FLB_TRUE) {
+        result = flb_http_request_perform_signv4_signature(request,
+                                                          ctx->aws_region,
+                                                          ctx->aws_service,
+                                                          ctx->aws_provider);
+        if (result != 0) {
+            flb_plg_error(ctx->ins, "could not sign request with sigv4");
+            flb_http_client_request_destroy(request, FLB_TRUE);
+            return FLB_RETRY;
+        }
+    }
+#endif
+#endif
+
     response = flb_http_client_request_execute(request);
     if (response == NULL) {
         flb_plg_warn(ctx->ins, "error performing HTTP request, remote host=%s:%i connection error",
@@ -876,6 +923,21 @@ static struct flb_config_map config_map[] = {
      0, FLB_TRUE, offsetof(struct opentelemetry_context, http_passwd),
      "Set HTTP auth password"
     },
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    {
+     FLB_CONFIG_MAP_BOOL, "aws_auth", "false",
+     0, FLB_TRUE, offsetof(struct opentelemetry_context, has_aws_auth),
+     "Enable AWS SigV4 authentication",
+    },
+    {
+     FLB_CONFIG_MAP_STR, "aws_service", "logs",
+     0, FLB_TRUE, offsetof(struct opentelemetry_context, aws_service),
+     "AWS destination service code, used by SigV4 authentication",
+    },
+    FLB_AWS_CREDENTIAL_BASE_CONFIG_MAP(FLB_OPENTELEMETRY_AWS_CREDENTIAL_PREFIX),
+#endif
+#endif
     {
      FLB_CONFIG_MAP_SLIST_1, "header", NULL,
      FLB_CONFIG_MAP_MULT, FLB_TRUE, offsetof(struct opentelemetry_context, headers),

plugins/out_opentelemetry/opentelemetry.h

@@ -24,6 +24,12 @@
 #include <fluent-bit/flb_record_accessor.h>
 #include <fluent-bit/flb_ra_key.h>
 #include <fluent-bit/flb_http_client.h>
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+#include <fluent-bit/flb_aws_credentials.h>
+#define FLB_OPENTELEMETRY_AWS_CREDENTIAL_PREFIX "aws_"
+#endif
+#endif
 
 #define FLB_OPENTELEMETRY_CONTENT_TYPE_HEADER_NAME "Content-Type"
 #define FLB_OPENTELEMETRY_MIME_PROTOBUF_LITERAL    "application/x-protobuf"
@@ -52,6 +58,16 @@ struct opentelemetry_context {
     char *http_user;
     char *http_passwd;
 
+    /* AWS Auth */
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    int has_aws_auth;
+    struct flb_aws_provider *aws_provider;
+    const char *aws_region;
+    const char *aws_service;
+#endif
+#endif
+
     /* Proxy */
     const char *proxy;
     char *proxy_host;

plugins/out_opentelemetry/opentelemetry_conf.c

@@ -23,6 +23,11 @@
 #include <fluent-bit/flb_sds.h>
 #include <fluent-bit/flb_kv.h>
 #include <fluent-bit/flb_record_accessor.h>
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+#include <fluent-bit/flb_aws_credentials.h>
+#endif
+#endif
 
 #include "opentelemetry.h"
 #include "opentelemetry_conf.h"
@@ -299,6 +304,34 @@ struct opentelemetry_context *flb_opentelemetry_context_create(struct flb_output
         return NULL;
     }
 
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    if (ctx->has_aws_auth) {
+        if (!ctx->aws_service) {
+            flb_plg_error(ins, "aws_auth option requires " FLB_OPENTELEMETRY_AWS_CREDENTIAL_PREFIX "service to be set");
+            flb_opentelemetry_context_destroy(ctx);
+            return NULL;
+        }
+
+        ctx->aws_provider = flb_managed_chain_provider_create(
+            ins,
+            config,
+            FLB_OPENTELEMETRY_AWS_CREDENTIAL_PREFIX,
+            NULL,
+            flb_aws_client_generator()
+        );
+        if (!ctx->aws_provider) {
+            flb_plg_error(ins, "failed to create aws credential provider for sigv4 auth");
+            flb_opentelemetry_context_destroy(ctx);
+            return NULL;
+        }
+
+        ctx->aws_region = flb_output_get_property(FLB_OPENTELEMETRY_AWS_CREDENTIAL_PREFIX
+                                                  "region", ctx->ins);
+    }
+#endif
+#endif
+
     /* Check if SSL/TLS is enabled */
 #ifdef FLB_HAVE_TLS
     if (ins->use_tls == FLB_TRUE) {
@@ -762,6 +795,14 @@ void flb_opentelemetry_context_destroy(struct opentelemetry_context *ctx)
         flb_ra_destroy(ctx->ra_log_meta_otlp_trace_flags);
     }
 
+#ifdef FLB_HAVE_SIGNV4
+#ifdef FLB_HAVE_AWS
+    if (ctx->aws_provider) {
+        flb_aws_provider_destroy(ctx->aws_provider);
+    }
+#endif
+#endif
+
     flb_free(ctx->proxy_host);
     flb_free(ctx);
 }