├── NOTICE.txt ├── go.mod ├── CHANGELOG.md ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── sigv4 ├── sigv4_test.go ├── internal │ ├── crypt_test.go │ └── crypt.go └── sigv4.go ├── README.md ├── go.sum └── LICENSE /NOTICE.txt: -------------------------------------------------------------------------------- 1 | AWS SIG4V Plugin for Cassandra Go Driver 2 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin 2 | 3 | go 1.14 4 | 5 | require ( 6 | github.com/aws/aws-sdk-go v1.49.12 7 | github.com/gocql/gocql v0.0.0-20200624222514-34081eda590e 8 | github.com/stretchr/testify v1.6.1 9 | ) 10 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # CHANGELOG 2 | 3 | ## 1.1.0 4 | * Updated sourcing of credentials from AWS SDK's default credential provider chain 5 | * Added new function to accept region as an argument 6 | * Added support for credentials callback 7 | 8 | ## 1.0.0 9 | * Created support for SIGV4 plugin and gocql 10 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *master* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](./LICENSE.txt) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | 61 | We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes. 62 | -------------------------------------------------------------------------------- /sigv4/sigv4_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | package sigv4 18 | 19 | import ( 20 | "fmt" 21 | "os" 22 | "testing" 23 | "time" 24 | 25 | "github.com/stretchr/testify/assert" 26 | ) 27 | 28 | var stdNonce = []byte("nonce=91703fdc2ef562e19fbdab0f58e42fe5") 29 | 30 | // We should switch to sigv4 when initially challenged 31 | func TestShouldReturnSigV4iInitially(t *testing.T) { 32 | target := AwsAuthenticator{} 33 | resp, _, _ := target.Challenge(nil) 34 | 35 | assert.Equal(t, "SigV4\000\000", string(resp)) 36 | } 37 | 38 | func TestShouldTranslate(t *testing.T) { 39 | target := buildStdTarget() 40 | _, challenger, _ := target.Challenge(nil) 41 | 42 | resp, _, _ := challenger.Challenge(stdNonce) 43 | expected := "signature=7f3691c18a81b8ce7457699effbfae5b09b4e0714ab38c1292dbdf082c9ddd87,access_key=UserID-1,amzdate=2020-06-09T22:41:51.000Z" 44 | assert.Equal(t, expected, string(resp)) 45 | } 46 | 47 | func TestAssignFallbackRegionEnvironmentVariable(t *testing.T) { 48 | os.Setenv("AWS_DEFAULT_REGION", "us-west-2") 49 | os.Setenv("AWS_REGION", "us-east-2") 50 | 51 | defaultRegionTarget := NewAwsAuthenticator() 52 | 53 | assert.Equal(t, "us-west-2", defaultRegionTarget.Region) 54 | 55 | os.Unsetenv("AWS_DEFAULT_REGION") 56 | 57 | regionTarget := NewAwsAuthenticator() 58 | 59 | assert.Equal(t, "us-east-2", regionTarget.Region) 60 | 61 | os.Unsetenv("AWS_REGION") 62 | } 63 | 64 | func TestNewAwsAuthenticatorWithRegion(t *testing.T) { 65 | region := "us-east-2" 66 | 67 | authenticator := NewAwsAuthenticatorWithRegion(region) 68 | 69 | assert.Equal(t, region, authenticator.Region) 70 | } 71 | 72 | func buildStdTarget() *AwsAuthenticator { 73 | target := AwsAuthenticator{ 74 | Region: "us-west-2", 75 | AccessKeyId: "UserID-1", 76 | SecretAccessKey: "UserSecretKey-1"} 77 | target.currentTime, _ = time.Parse(time.RFC3339, "2020-06-09T22:41:51Z") 78 | return &target 79 | } 80 | 81 | func TestCallback(t *testing.T) { 82 | callback := func() (SigV4Credentials, error) { 83 | return SigV4Credentials{ 84 | AccessKeyId: "UserID-1", 85 | SecretAccessKey: "UserSecretKey-1", 86 | }, nil 87 | } 88 | target := NewAwsAuthenticatorWithCredentialCallback("us-west-2", callback) 89 | target.currentTime, _ = time.Parse(time.RFC3339, "2020-06-09T22:41:51Z") 90 | 91 | _, challenger, _ := target.Challenge(nil) 92 | 93 | resp, _, _ := challenger.Challenge(stdNonce) 94 | expected := "signature=7f3691c18a81b8ce7457699effbfae5b09b4e0714ab38c1292dbdf082c9ddd87,access_key=UserID-1,amzdate=2020-06-09T22:41:51.000Z" 95 | assert.Equal(t, expected, string(resp)) 96 | } 97 | 98 | func TestCallbackError(t *testing.T) { 99 | callback := func() (SigV4Credentials, error) { 100 | return SigV4Credentials{}, fmt.Errorf("bad error") 101 | } 102 | target := NewAwsAuthenticatorWithCredentialCallback("us-west-2", callback) 103 | target.currentTime, _ = time.Parse(time.RFC3339, "2020-06-09T22:41:51Z") 104 | 105 | _, challenger, _ := target.Challenge(nil) 106 | _, _, err := challenger.Challenge(stdNonce) 107 | assert.Error(t, err, "failed to retrieve AWS credentials: bad error") 108 | } 109 | -------------------------------------------------------------------------------- /sigv4/internal/crypt_test.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | package internal 18 | 19 | import ( 20 | "encoding/hex" 21 | "github.com/stretchr/testify/assert" 22 | "testing" 23 | "time" 24 | ) 25 | 26 | const nonce string = "91703fdc2ef562e19fbdab0f58e42fe5" 27 | const region = "us-west-2" 28 | const accessKeyId = "UserID-1" 29 | const secret = "UserSecretKey-1" 30 | 31 | // produce arbitrary time 2020-06-09T22:41:51Z 32 | func buildStdInstant() time.Time { 33 | result, _ := time.Parse(time.RFC3339, "2020-06-09T22:41:51Z") 34 | return result 35 | } 36 | 37 | // We should switch to sigv4 when initially challenged 38 | func TestExtractNonceSuccess(t *testing.T) { 39 | challenge := []byte("nonce=1256") 40 | actualNonce, _ := ExtractNonce(challenge) 41 | assert.Equal(t, actualNonce, "1256") 42 | } 43 | 44 | func TestExtractNonceMissing(t *testing.T) { 45 | challenge := []byte("n1256") 46 | _, err := ExtractNonce(challenge) 47 | assert.Error(t, err) 48 | } 49 | 50 | func TestComputeScope(t *testing.T) { 51 | scope := computeScope(buildStdInstant(), "us-west-2") 52 | assert.Equal(t, "20200609/us-west-2/cassandra/aws4_request", scope) 53 | } 54 | 55 | func TestFormCanonicalRequest(t *testing.T) { 56 | scope := "20200609/us-west-2/cassandra/aws4_request" 57 | canonicalRequest := "PUT\n" + 58 | "/authenticate\n" + 59 | "X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UserID-1%2F20200609%2Fus-west-2%2Fcassandra%2Faws4_request&X-Amz-Date=2020-06-09T22%3A41%3A51.000Z&X-Amz-Expires=900\n" + 60 | "host:cassandra\n\n" + 61 | "host\n" + 62 | "ddf250111597b3f35e51e649f59e3f8b30ff5b247166d709dc1b1e60bd927070" 63 | 64 | actual := formCanonicalRequest("UserID-1", scope, buildStdInstant(), nonce) 65 | assert.Equal(t, canonicalRequest, actual) 66 | } 67 | 68 | func TestDeriveSigningKey(t *testing.T) { 69 | expected := "7fb139473f153aec1b05747b0cd5cd77a1186d22ae895a3a0128e699d72e1aba" 70 | 71 | actual := deriveSigningKey(secret, buildStdInstant(), region) 72 | assert.Equal(t, expected, hex.EncodeToString(actual)) 73 | } 74 | 75 | func TestCreateSignature(t *testing.T) { 76 | signingKey, _ := hex.DecodeString("7fb139473f153aec1b05747b0cd5cd77a1186d22ae895a3a0128e699d72e1aba") 77 | scope := "20200609/us-west-2/cassandra/aws4_request" 78 | canonicalRequest := "PUT\n" + 79 | "/authenticate\n" + 80 | "X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=UserID-1%2F20200609%2Fus-west-2%2Fcassandra%2Faws4_request&X-Amz-Date=2020-06-09T22%3A41%3A51.000Z&X-Amz-Expires=900\n" + 81 | "host:cassandra\n\n" + 82 | "host\n" + 83 | "ddf250111597b3f35e51e649f59e3f8b30ff5b247166d709dc1b1e60bd927070" 84 | 85 | actual := createSignature(canonicalRequest, buildStdInstant(), scope, signingKey) 86 | expected := "7f3691c18a81b8ce7457699effbfae5b09b4e0714ab38c1292dbdf082c9ddd87" 87 | assert.Equal(t, expected, hex.EncodeToString(actual)) 88 | } 89 | 90 | func TestBuildSignedResponse(t *testing.T) { 91 | actual := BuildSignedResponse(region, nonce, accessKeyId, secret, "", buildStdInstant()) 92 | expected := "signature=7f3691c18a81b8ce7457699effbfae5b09b4e0714ab38c1292dbdf082c9ddd87,access_key=UserID-1,amzdate=2020-06-09T22:41:51.000Z" 93 | assert.Equal(t, expected, actual) 94 | 95 | } 96 | 97 | func TestBuildSignedResponseWithSessionToken(t *testing.T) { 98 | sessionToken := "sess-token-1" 99 | actual := BuildSignedResponse(region, nonce, accessKeyId, secret, sessionToken, buildStdInstant()) 100 | expected := "signature=7f3691c18a81b8ce7457699effbfae5b09b4e0714ab38c1292dbdf082c9ddd87,access_key=UserID-1,amzdate=2020-06-09T22:41:51.000Z,session_token=sess-token-1" 101 | assert.Equal(t, expected, actual) 102 | } 103 | -------------------------------------------------------------------------------- /sigv4/internal/crypt.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | package internal 18 | 19 | import ( 20 | "crypto/hmac" 21 | "crypto/sha256" 22 | "encoding/hex" 23 | "errors" 24 | "fmt" 25 | "net/url" 26 | "sort" 27 | "strings" 28 | "time" 29 | ) 30 | 31 | // extract the nonce from a request payload 32 | // needed for calls from payload returned by Amazon Keyspaces. 33 | func ExtractNonce(req []byte) (string, error) { 34 | text := string(req) 35 | if !strings.HasPrefix(text, "nonce=") { 36 | return "", errors.New("request does not contain nonce property") 37 | } 38 | nonce := strings.Split(text, "nonce=")[1] 39 | 40 | return nonce, nil 41 | } 42 | 43 | // Convert time to an aws credential timestamp 44 | // such as 2020-06-09T22:41:51.000Z -> '20200609' 45 | func toCredDateStamp(t time.Time) string { 46 | return fmt.Sprintf("%d%02d%02d", t.Year(), t.Month(), t.Day()) 47 | } 48 | 49 | // compute the scope to be used in the request 50 | func computeScope(t time.Time, region string) string { 51 | a := []string{ 52 | toCredDateStamp(t), 53 | region, 54 | "cassandra", 55 | "aws4_request"} 56 | return strings.Join(a, "/") 57 | } 58 | 59 | func formCanonicalRequest(accessKeyId string, scope string, t time.Time, nonce string) string { 60 | nonceHash := sha256.Sum256([]byte(nonce)) 61 | headers := []string{ 62 | "X-Amz-Algorithm=AWS4-HMAC-SHA256", 63 | fmt.Sprintf("X-Amz-Credential=%s%%2F%s", accessKeyId, url.QueryEscape(scope)), 64 | fmt.Sprintf("X-Amz-Date=%s", url.QueryEscape(t.Format("2006-01-02T15:04:05.000Z"))), 65 | "X-Amz-Expires=900"} 66 | sort.Strings(headers) 67 | queryString := strings.Join(headers, "&") 68 | 69 | return fmt.Sprintf("PUT\n/authenticate\n%s\nhost:cassandra\n\nhost\n%s", queryString, hex.EncodeToString(nonceHash[:])) 70 | } 71 | 72 | // applies hmac with given string 73 | // useful as our protocol requires lots of iterative hmacs 74 | func applyHmac(data string, hashSecret []byte) []byte { 75 | h := hmac.New(sha256.New, hashSecret) 76 | h.Write([]byte(data)) 77 | return h.Sum(nil) 78 | } 79 | 80 | func deriveSigningKey(secret string, t time.Time, region string) []byte { 81 | // we successively apply the hmac secret in multiple iterations rather then simply 82 | // write it once (as per the Amazon Keyspaces protocol) 83 | s := "AWS4" + secret 84 | h := applyHmac(toCredDateStamp(t), []byte(s)) 85 | h = applyHmac(region, h) 86 | h = applyHmac("cassandra", h) 87 | h = applyHmac("aws4_request", h) 88 | return h 89 | } 90 | 91 | func createSignature(canonicalRequest string, t time.Time, signingScope string, signingKey []byte) []byte { 92 | digest := sha256.Sum256([]byte(canonicalRequest)) 93 | s := fmt.Sprintf("AWS4-HMAC-SHA256\n%s\n%s\n%s", t.Format("2006-01-02T15:04:05.000Z"), signingScope, hex.EncodeToString(digest[:])) 94 | 95 | return applyHmac(s, []byte(signingKey)) 96 | } 97 | 98 | // creates response that can be sent for a SigV4 challenge 99 | // this includes both the signature and the metadata supporting signature. 100 | func BuildSignedResponse(region string, nonce string, accessKeyId string, secret string, sessionToken string, t time.Time) string { 101 | scope := computeScope(t, region) 102 | canonicalRequest := formCanonicalRequest(accessKeyId, scope, t, nonce) 103 | signingKey := deriveSigningKey(secret, t, region) 104 | 105 | signature := createSignature(canonicalRequest, t, scope, signingKey) 106 | 107 | result := fmt.Sprintf("signature=%s,access_key=%s,amzdate=%s", hex.EncodeToString(signature), accessKeyId, t.Format("2006-01-02T15:04:05.000Z")) 108 | 109 | if sessionToken != "" { 110 | result += fmt.Sprintf(",session_token=%s", sessionToken) 111 | } 112 | return result 113 | } 114 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # IMPORTANT: Latest Version 2 | 3 | The current version is 1.0.0. Please see the [changelog](./CHANGELOG.md) for details on version history. 4 | 5 | # What 6 | 7 | This package implements an authentication plugin for the open-source [Gocql Driver](https://github.com/gocql/gocql) for Apache Cassandra. The driver enables you to add authentication information to your API requests using the AWS Signature Version 4 Process (SigV4). Using the plugin, you can provide users and applications short-term credentials to access Amazon Keyspaces (for Apache Cassandra) using AWS Identity and Access Management (IAM) users and roles. 8 | 9 | The plugin depends on the AWS SDK for Go. It uses the default credential provider chain to obtain credentials. 10 | 11 | You must specify the service endpoint to use for the connection. You can provide the region as a function argument programmatically or via the `AWS_DEFAULT_REGION` environment variable. 12 | 13 | The full documentation for the plugin is available at AWS Docs: 14 | [Creating Credentials to Access Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.credentials.html#programmatic.credentials.SigV4_KEYSPACES) 15 | 16 | # Using the Plugin 17 | The following sections describe how to use the authentication plugin for the open-source gocql Driver for Cassandra to access Amazon Keyspaces. 18 | 19 | To install the plugin: 20 | ```bash 21 | $ go get github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin 22 | ``` 23 | 24 | ## SSL Configuration 25 | 26 | Amazon Keyspaces requires the use of Transport Layer Security (TLS) to help secure connections with clients. To connect to Amazon Keyspaces using TLS, you need to download an Amazon digital certificate and configure the Go driver to use TLS. 27 | 28 | Download the Starfield digital certificate using the following command and save sf-class2-root.crt locally or in your home directory. 29 | 30 | ``` 31 | curl https://certs.secureserver.net/repository/sf-class2-root.crt -O 32 | ``` 33 | 34 | ## Region Configuration 35 | 36 | Before you can start using the plugin, you must configure the AWS Region that the plugin will use when authenticating. This is required because SigV4 signatures are Region-specific. For example, if you are connecting to the `cassandra.us-east-2.amazonaws.com` endpoint, the Region must be `us-east-2`. For a list of available AWS Regions and endpoints, see [Service Endpoints for Amazon Keyspaces](https://docs.aws.amazon.com/keyspaces/latest/devguide/programmatic.endpoints.html). 37 | 38 | You can specify the Region using one of the following four methods: 39 | 40 | * Environment Variable 41 | * Configuration 42 | * Function Argument 43 | 44 | ### Environment Variable 45 | You can use the `AWS_DEFAULT_REGION` environment variable to match the endpoint that you are communicating with by setting it as part of your application start-up. 46 | If `AWS_DEFAULT_REGION` environment variable is not set, falls back to the `AWS_REGION` environment variable. 47 | ``` 48 | $ export AWS_DEFAULT_REGION=us-east-1 49 | ``` 50 | 51 | ### Function Argument 52 | 53 | One of the functions takes a String representing the Region as an argument, that will be used for that instance. 54 | 55 | ```go 56 | func NewAwsAuthenticatorWithRegion(region string) AwsAuthenticator { 57 | 58 | } 59 | ``` 60 | 61 | ## How to use the Authentication Plugin 62 | 63 | When using the open-source gocql driver, the connection to your Amazon Keyspaces endpoint is represented by the `Cluster` class. 64 | Simply use AwsAuthenticator for the authenticator property of the cluster. 65 | 66 | Here is a simple example of use: 67 | 68 | ```go 69 | package main 70 | 71 | import ( 72 | "fmt" 73 | "github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin/sigv4" 74 | "github.com/gocql/gocql" 75 | "log" 76 | ) 77 | 78 | func main() { 79 | // configuring the cluster options 80 | cluster := gocql.NewCluster("cassandra.us-west-2.amazonaws.com:9142") 81 | var auth sigv4.AwsAuthenticator = sigv4.NewAwsAuthenticator() 82 | auth.Region = "us-west-2" 83 | auth.AccessKeyId = "AKIAIOSFODNN7EXAMPLE" 84 | auth.SecretAccessKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" 85 | 86 | cluster.Authenticator = auth 87 | 88 | cluster.SslOpts = &gocql.SslOptions{ 89 | CaPath: "/Users/user1/.cassandra/AmazonRootCA1.pem", 90 | } 91 | cluster.Consistency = gocql.LocalQuorum 92 | cluster.DisableInitialHostLookup = true 93 | 94 | session, err := cluster.CreateSession() 95 | if err != nil { 96 | fmt.Println("err>", err) 97 | return 98 | } 99 | defer session.Close() 100 | 101 | // doing the query 102 | var text string 103 | iter := session.Query("SELECT keyspace_name FROM system_schema.tables;").Iter() 104 | for iter.Scan(&text) { 105 | fmt.Println("keyspace_name:", text) 106 | } 107 | if err := iter.Close(); err != nil { 108 | log.Fatal(err) 109 | } 110 | } 111 | ``` 112 | 113 | When using AwsAuthenticator from an AWS Lambda function, the Lambda runtimes will initialize all the needed environment variables. 114 | All you need to do is assign the authenticator. 115 | 116 | ```go 117 | cluster.Authenticator = sigv4.NewAwsAuthenticator() 118 | ``` 119 | -------------------------------------------------------------------------------- /sigv4/sigv4.go: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | * 4 | * Licensed under the Apache License, Version 2.0 (the "License"). 5 | * You may not use this file except in compliance with the License. 6 | * You may obtain a copy of the License at 7 | * 8 | * http://www.apache.org/licenses/LICENSE-2.0 9 | * 10 | * Unless required by applicable law or agreed to in writing, software 11 | * distributed under the License is distributed on an "AS IS" BASIS, 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | * See the License for the specific language governing permissions and 14 | * limitations under the License. 15 | */ 16 | 17 | // provides sigv4 extensions to connect to Amazon Keyspaces 18 | package sigv4 19 | 20 | import ( 21 | "fmt" 22 | "os" 23 | "time" 24 | 25 | "github.com/aws/aws-sdk-go/aws/session" 26 | "github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin/sigv4/internal" 27 | "github.com/gocql/gocql" 28 | ) 29 | 30 | type SigV4Credentials struct { 31 | AccessKeyId string 32 | SecretAccessKey string 33 | SessionToken string 34 | } 35 | 36 | // Callback used to retrieve V4 credentials, can be used with refreshable credentials 37 | type SigV4CredentialsCallback func() (SigV4Credentials, error) 38 | 39 | // Authenticator for AWS Integration 40 | // these are exposed publicly to allow for easy initialization and go standard changing after the fact. 41 | type AwsAuthenticator struct { 42 | Region string 43 | AccessKeyId string 44 | SecretAccessKey string 45 | SessionToken string 46 | CredentialsCallback SigV4CredentialsCallback 47 | currentTime time.Time // this is mainly used for testing and not exposed 48 | } 49 | 50 | // looks up AWS_DEFAULT_REGION, and falls back to AWS_REGION for Lambda compatibility 51 | func getRegionEnvironment() string { 52 | region := os.Getenv("AWS_DEFAULT_REGION") 53 | 54 | if len(region) == 0 { 55 | region = os.Getenv("AWS_REGION") 56 | } 57 | 58 | return region 59 | } 60 | 61 | // initializes authenticator with credentials loaded from AWS SDK's default credential provider chain. 62 | // region can be specified though environment variable or configuration. 63 | func NewAwsAuthenticator() AwsAuthenticator { 64 | sess := session.Must(session.NewSession()) 65 | creds, _ := sess.Config.Credentials.Get() 66 | 67 | return AwsAuthenticator{ 68 | Region: getRegionEnvironment(), 69 | AccessKeyId: creds.AccessKeyID, 70 | SecretAccessKey: creds.SecretAccessKey, 71 | SessionToken: creds.SessionToken} 72 | } 73 | 74 | // initializes authenticator with credentials loaded from AWS SDK's default credential provider chain. 75 | // region is accepted as an argument. 76 | func NewAwsAuthenticatorWithRegion(region string) AwsAuthenticator { 77 | sess := session.Must(session.NewSession()) 78 | creds, _ := sess.Config.Credentials.Get() 79 | 80 | return AwsAuthenticator{ 81 | Region: region, 82 | AccessKeyId: creds.AccessKeyID, 83 | SecretAccessKey: creds.SecretAccessKey, 84 | SessionToken: creds.SessionToken} 85 | } 86 | 87 | // initializes authenticator with the provided region and credentials callback 88 | func NewAwsAuthenticatorWithCredentialCallback(region string, callback SigV4CredentialsCallback) AwsAuthenticator { 89 | return AwsAuthenticator{ 90 | Region: region, 91 | CredentialsCallback: callback} 92 | } 93 | 94 | func (p AwsAuthenticator) Challenge(req []byte) ([]byte, gocql.Authenticator, error) { 95 | var resp []byte = []byte("SigV4\000\000") 96 | 97 | // copy these rather than use a reference due to how gocql creates connections (it's just 98 | // safer if everything is a fresh copy). 99 | auth := signingAuthenticator{region: p.Region, 100 | accessKeyId: p.AccessKeyId, 101 | secretAccessKey: p.SecretAccessKey, 102 | sessionToken: p.SessionToken, 103 | credentialsCallback: p.CredentialsCallback, 104 | currentTime: p.currentTime} 105 | return resp, auth, nil 106 | } 107 | 108 | func (p AwsAuthenticator) Success(data []byte) error { 109 | return nil 110 | } 111 | 112 | // this is the internal private authenticator we actually use 113 | type signingAuthenticator struct { 114 | region string 115 | accessKeyId string 116 | secretAccessKey string 117 | sessionToken string 118 | credentialsCallback SigV4CredentialsCallback 119 | currentTime time.Time 120 | } 121 | 122 | func (p signingAuthenticator) Challenge(req []byte) ([]byte, gocql.Authenticator, error) { 123 | nonce, err := internal.ExtractNonce(req) 124 | if err != nil { 125 | return nil, nil, err 126 | } 127 | 128 | // init the time if not provided. 129 | var t time.Time = p.currentTime 130 | if t.IsZero() { 131 | t = time.Now().UTC() 132 | } 133 | 134 | accessKeyId := p.accessKeyId 135 | secretAccessKey := p.secretAccessKey 136 | sessionToken := p.sessionToken 137 | if p.credentialsCallback != nil { 138 | credentials, err := p.credentialsCallback() 139 | if err != nil { 140 | return nil, nil, fmt.Errorf("failed to retrieve AWS credentials: %w", err) 141 | } 142 | accessKeyId = credentials.AccessKeyId 143 | secretAccessKey = credentials.SecretAccessKey 144 | sessionToken = credentials.SessionToken 145 | } 146 | 147 | signedResponse := internal.BuildSignedResponse(p.region, nonce, accessKeyId, 148 | secretAccessKey, sessionToken, t) 149 | 150 | // copy this to a sepearte byte array to prevent some slicing corruption with how the framer object works 151 | resp := make([]byte, len(signedResponse)) 152 | copy(resp, []byte(signedResponse)) 153 | 154 | return resp, nil, nil 155 | } 156 | 157 | func (p signingAuthenticator) Success(data []byte) error { 158 | return nil 159 | } 160 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | github.com/aws/aws-sdk-go v1.49.12 h1:SbGHDdMjtuTL8zpRXKjvIvQHLt9cCqcxcHoJps23WxI= 2 | github.com/aws/aws-sdk-go v1.49.12/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= 3 | github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932 h1:mXoPYz/Ul5HYEDvkta6I8/rnYM5gSdSV2tJ6XbZuEtY= 4 | github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932/go.mod h1:NOuUCSz6Q9T7+igc/hlvDOUdtWKryOrtFyIVABv/p7k= 5 | github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 h1:DDGfHa7BWjL4YnC6+E63dPcxHo2sUxDIu8g3QgEJdRY= 6 | github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= 7 | github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= 8 | github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 9 | github.com/gocql/gocql v0.0.0-20200624222514-34081eda590e h1:SroDcndcOU9BVAduPf/PXihXoR2ZYTQYLXbupbqxAyQ= 10 | github.com/gocql/gocql v0.0.0-20200624222514-34081eda590e/go.mod h1:DL0ekTmBSTdlNF25Orwt/JMzqIq3EJ4MVa/J/uK64OY= 11 | github.com/golang/snappy v0.0.0-20170215233205-553a64147049 h1:K9KHZbXKpGydfDN0aZrsoHpLJlZsBrGMFWbgLDGnPZk= 12 | github.com/golang/snappy v0.0.0-20170215233205-553a64147049/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= 13 | github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8= 14 | github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4= 15 | github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= 16 | github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= 17 | github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= 18 | github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= 19 | github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= 20 | github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= 21 | github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 22 | github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= 23 | github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 24 | github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= 25 | github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 26 | github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 27 | github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 28 | github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= 29 | github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= 30 | github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= 31 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 32 | golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= 33 | golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= 34 | golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= 35 | golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= 36 | golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 37 | golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= 38 | golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 39 | golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= 40 | golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= 41 | golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= 42 | golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= 43 | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 44 | golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 45 | golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 46 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 47 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 48 | golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 49 | golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 50 | golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 51 | golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 52 | golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 53 | golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 54 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 55 | golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= 56 | golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= 57 | golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= 58 | golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= 59 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 60 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 61 | golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 62 | golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 63 | golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= 64 | golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= 65 | golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= 66 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 67 | golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 68 | golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= 69 | golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= 70 | golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 71 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= 72 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 73 | gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= 74 | gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= 75 | gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= 76 | gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 77 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo= 78 | gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= 79 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | --------------------------------------------------------------------------------