Skip to content

feat(sandbox): proxy-side AWS SigV4 credential signing for CONNECT tunnels #1638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
jhjaggars wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

feat(sandbox): proxy-side AWS SigV4 credential signing for CONNECT tunnels #1638

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f9180ee
feat(sandbox): proxy-side AWS SigV4 credential signing (POC)
jhjaggars May 28, 2026
1477f21
refactor(sandbox): replace hand-rolled SigV4 with aws-sigv4 crate
jhjaggars May 28, 2026
32b2b36
feat(sandbox): add signing_service policy field, remove signing name …
jhjaggars May 28, 2026
181af80
fix(sandbox): sign only minimal headers and include payload checksum
jhjaggars May 29, 2026
37f0499
feat(sandbox): support AWS session tokens in SigV4 signing
jhjaggars May 29, 2026
95ef1f8
test(sandbox): add SigV4 integration test against real Bedrock
jhjaggars May 29, 2026
bec3afc
style(sandbox): fix clippy and rustfmt warnings in SigV4 code
jhjaggars May 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
259 changes: 220 additions & 39 deletions Cargo.lock
View file
Open in desktop

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions crates/openshell-policy/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,10 @@ struct NetworkEndpointDef {
graphql_persisted_queries: BTreeMap<String, GraphqlOperationDef>,
#[serde(default, skip_serializing_if = "is_zero_u32")]
graphql_max_body_bytes: u32,
#[serde(default, skip_serializing_if = "String::is_empty")]
credential_signing: String,
#[serde(default, skip_serializing_if = "String::is_empty")]
signing_service: String,
}

// Signature dictated by serde's `skip_serializing_if`, which requires `&T`.
Expand Down Expand Up @@ -344,6 +348,8 @@ fn to_proto(raw: PolicyFile) -> SandboxPolicy {
})
.collect(),
graphql_max_body_bytes: e.graphql_max_body_bytes,
credential_signing: e.credential_signing,
signing_service: e.signing_service,
}
})
.collect(),
Expand Down Expand Up @@ -509,6 +515,8 @@ fn from_proto(policy: &SandboxPolicy) -> PolicyFile {
})
.collect(),
graphql_max_body_bytes: e.graphql_max_body_bytes,
credential_signing: e.credential_signing.clone(),
signing_service: e.signing_service.clone(),
}
})
.collect(),
Expand Down
2 changes: 2 additions & 0 deletions crates/openshell-providers/src/profiles.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -595,6 +595,8 @@ fn endpoint_to_proto(endpoint: &EndpointProfile) -> NetworkEndpoint {
.collect(),
graphql_max_body_bytes: endpoint.graphql_max_body_bytes,
path: endpoint.path.clone(),
credential_signing: String::new(),
signing_service: String::new(),
}
}

Expand Down
11 changes: 10 additions & 1 deletion crates/openshell-sandbox/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,14 @@ clap = { workspace = true }
miette = { workspace = true }
thiserror = { workspace = true }
anyhow = { workspace = true }
hmac = "0.12"
sha2 = { workspace = true }
hex = "0.4"
http = { workspace = true }

# AWS SigV4 request signing
aws-sigv4 = { version = "1", features = ["sign-http", "http1"] }
aws-credential-types = { version = "1", features = ["hardcoded-credentials"] }
aws-smithy-runtime-api = { version = "1", features = ["client"] }
russh = "0.57"
rand_core = "0.6"

Expand Down Expand Up @@ -89,6 +94,10 @@ seccompiler = "0.5"
tempfile = "3"
uuid = { version = "1", features = ["v4"] }

[[test]]
name = "sigv4_signing"
path = "tests/sigv4_signing.rs"

[dev-dependencies]
tempfile = "3"
temp-env = "0.3"
Expand Down
22 changes: 22 additions & 0 deletions crates/openshell-sandbox/src/l7/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,14 @@ pub enum TlsMode {
Skip,
}

/// Credential signing mode for proxy-side request signing.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub enum CredentialSigning {
#[default]
None,
SigV4,
}

/// Enforcement mode for L7 policy decisions.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub enum EnforcementMode {
Expand Down Expand Up @@ -88,6 +96,11 @@ pub struct L7EndpointConfig {
/// When true, client-to-server GraphQL-over-WebSocket operation messages
/// are classified with the same operation policy used by GraphQL-over-HTTP.
pub websocket_graphql_policy: bool,
/// Proxy-side credential signing mode for this endpoint.
pub credential_signing: CredentialSigning,
/// AWS signing service name (e.g. `"bedrock"`). Required when
/// `credential_signing` is `SigV4`.
pub signing_service: String,
}

/// Result of an L7 policy decision for a single request.
Expand Down Expand Up @@ -165,6 +178,13 @@ pub fn parse_l7_config(val: &regorus::Value) -> Option<L7EndpointConfig> {
.filter(|v| *v > 0)
.unwrap_or(graphql::DEFAULT_MAX_BODY_BYTES);

let credential_signing = match get_object_str(val, "credential_signing").as_deref() {
Some("sigv4") => CredentialSigning::SigV4,
_ => CredentialSigning::None,
};

let signing_service = get_object_str(val, "signing_service").unwrap_or_default();

Some(L7EndpointConfig {
protocol,
path: get_object_str(val, "path").unwrap_or_default(),
Expand All @@ -175,6 +195,8 @@ pub fn parse_l7_config(val: &regorus::Value) -> Option<L7EndpointConfig> {
websocket_credential_rewrite,
request_body_credential_rewrite,
websocket_graphql_policy,
credential_signing,
signing_service,
})
}

Expand Down
12 changes: 12 additions & 0 deletions crates/openshell-sandbox/src/l7/relay.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -351,6 +351,9 @@ where
websocket_extensions: websocket_extension_mode(config),
request_body_credential_rewrite: config.protocol == L7Protocol::Rest
&& config.request_body_credential_rewrite,
credential_signing: config.credential_signing,
signing_service: config.signing_service.clone(),
host: ctx.host.clone(),
},
)
.await?;
Expand Down Expand Up @@ -769,6 +772,9 @@ where
websocket_extensions: websocket_extension_mode(config),
request_body_credential_rewrite: config.protocol == L7Protocol::Rest
&& config.request_body_credential_rewrite,
credential_signing: config.credential_signing,
signing_service: config.signing_service.clone(),
host: ctx.host.clone(),
},
)
.await?;
Expand Down Expand Up @@ -1417,6 +1423,8 @@ network_policies:
websocket_credential_rewrite: true,
request_body_credential_rewrite: false,
websocket_graphql_policy: false,
credential_signing: crate::l7::CredentialSigning::None,
signing_service: String::new(),
}];
let ctx = L7EvalContext {
host: "gateway.example.test".into(),
Expand Down Expand Up @@ -1517,6 +1525,8 @@ network_policies:
websocket_credential_rewrite: true,
request_body_credential_rewrite: false,
websocket_graphql_policy: false,
credential_signing: crate::l7::CredentialSigning::None,
signing_service: String::new(),
}];
let (child_env, resolver) = SecretResolver::from_provider_env(
std::iter::once(("DISCORD_BOT_TOKEN".to_string(), "real-token".to_string())).collect(),
Expand Down Expand Up @@ -1634,6 +1644,8 @@ network_policies:
websocket_credential_rewrite: true,
request_body_credential_rewrite: false,
websocket_graphql_policy: true,
credential_signing: crate::l7::CredentialSigning::None,
signing_service: String::new(),
}];
let (child_env, resolver) = SecretResolver::from_provider_env(
std::iter::once(("T".to_string(), "real-token".to_string())).collect(),
Expand Down
93 changes: 90 additions & 3 deletions crates/openshell-sandbox/src/l7/rest.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -377,6 +377,9 @@ where
generation_guard,
websocket_extensions: WebSocketExtensionMode::Preserve,
request_body_credential_rewrite: false,
credential_signing: crate::l7::CredentialSigning::None,
signing_service: String::new(),
host: String::new(),
},
)
.await
Expand All @@ -389,12 +392,15 @@ pub(crate) enum WebSocketExtensionMode {
PermessageDeflate,
}

#[derive(Clone, Copy, Default)]
#[derive(Clone, Default)]
pub(crate) struct RelayRequestOptions<'a> {
pub(crate) resolver: Option<&'a SecretResolver>,
pub(crate) generation_guard: Option<&'a PolicyGenerationGuard>,
pub(crate) websocket_extensions: WebSocketExtensionMode,
pub(crate) request_body_credential_rewrite: bool,
pub(crate) credential_signing: crate::l7::CredentialSigning,
pub(crate) signing_service: String,
pub(crate) host: String,
}

pub(crate) async fn relay_http_request_with_options_guarded<C, U>(
Expand All @@ -421,8 +427,19 @@ where
parse_websocket_upgrade_request(&req.raw_header[..header_end])?
};

// When SigV4 signing is configured, strip AWS auth headers before credential
// rewriting so the fail-closed placeholder scan doesn't reject the SigV4
// Authorization header (which embeds placeholder strings).
let raw_for_rewrite;
let header_source = if options.credential_signing == crate::l7::CredentialSigning::SigV4 {
raw_for_rewrite = crate::sigv4::strip_aws_headers(&req.raw_header[..header_end]);
&raw_for_rewrite[..]
} else {
&req.raw_header[..header_end]
};

let (header_bytes, expected_websocket_extension) = rewrite_websocket_extensions_for_mode(
&req.raw_header[..header_end],
header_source,
options.websocket_extensions,
websocket_request.is_some(),
)?;
Expand All @@ -442,7 +459,77 @@ where
guard.ensure_current()?;
}

if options.request_body_credential_rewrite {
// Apply SigV4 signing if configured. We need the full request (headers + body)
// to compute the signature, so for SigV4 we always buffer the body first.
if options.credential_signing == crate::l7::CredentialSigning::SigV4 {
if let Some(resolver) = options.resolver {
let access_key_placeholder =
crate::secrets::placeholder_for_env_key("AWS_ACCESS_KEY_ID");
let secret_key_placeholder =
crate::secrets::placeholder_for_env_key("AWS_SECRET_ACCESS_KEY");
let session_token_placeholder =
crate::secrets::placeholder_for_env_key("AWS_SESSION_TOKEN");

match (
resolver.resolve_placeholder(&access_key_placeholder),
resolver.resolve_placeholder(&secret_key_placeholder),
) {
(Some(access_key), Some(secret_key)) => {
let session_token = resolver.resolve_placeholder(&session_token_placeholder);
let region = crate::sigv4::extract_aws_region(&options.host)
.unwrap_or_else(|| "us-east-1".to_string());
let service = &options.signing_service;
if service.is_empty() {
return Err(miette!(
"SigV4 signing configured but signing_service not set in policy"
));
}
tracing::warn!(
host = %options.host,
region = %region,
service = %service,
"applying SigV4 signing to CONNECT tunnel request"
);

// Collect body from overflow + stream
let overflow = &req.raw_header[header_end..];
let mut full_request = rewrite_result.rewritten.clone();
full_request.extend_from_slice(overflow);
// Read remaining body based on content-length
if let BodyLength::ContentLength(body_len) = parse_body_length(header_str)? {
let already_have = overflow.len() as u64;
if body_len > already_have {
let remaining =
usize::try_from(body_len - already_have).unwrap_or(usize::MAX);
let mut body_buf = vec![0u8; remaining];
client.read_exact(&mut body_buf).await.into_diagnostic()?;
full_request.extend_from_slice(&body_buf);
}
}

let signed = crate::sigv4::apply_sigv4_to_request(
&full_request,
&options.host,
&region,
service,
access_key,
secret_key,
session_token,
);
upstream.write_all(&signed).await.into_diagnostic()?;
}
_ => {
return Err(miette!(
"SigV4 signing configured but AWS credentials not found in provider"
));
}
}
} else {
return Err(miette!(
"SigV4 signing configured but no secret resolver available"
));
}
} else if options.request_body_credential_rewrite {
let body = collect_and_rewrite_request_body(
req,
client,
Expand Down
1 change: 1 addition & 0 deletions crates/openshell-sandbox/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ mod provider_credentials;
pub mod proxy;
mod sandbox;
mod secrets;
pub mod sigv4;
mod skills;
mod ssh;
mod supervisor_session;
Expand Down
65 changes: 65 additions & 0 deletions crates/openshell-sandbox/src/opa.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1067,6 +1067,12 @@ fn proto_to_opa_data_json(proto: &ProtoSandboxPolicy, entrypoint_pid: u32) -> St
if e.request_body_credential_rewrite {
ep["request_body_credential_rewrite"] = true.into();
}
if !e.credential_signing.is_empty() {
ep["credential_signing"] = e.credential_signing.clone().into();
}
if !e.signing_service.is_empty() {
ep["signing_service"] = e.signing_service.clone().into();
}
if !e.persisted_queries.is_empty() {
ep["persisted_queries"] = e.persisted_queries.clone().into();
}
Expand Down Expand Up @@ -2658,6 +2664,65 @@ network_policies:
assert!(l7.websocket_credential_rewrite);
}

#[test]
fn l7_endpoint_config_preserves_proto_credential_signing() {
let mut network_policies = std::collections::HashMap::new();
network_policies.insert(
"bedrock".to_string(),
NetworkPolicyRule {
name: "bedrock".to_string(),
endpoints: vec![NetworkEndpoint {
host: "bedrock-runtime.us-east-2.amazonaws.com".to_string(),
port: 443,
protocol: "rest".to_string(),
enforcement: "enforce".to_string(),
access: "read-write".to_string(),
credential_signing: "sigv4".to_string(),
signing_service: "bedrock".to_string(),
..Default::default()
}],
binaries: vec![NetworkBinary {
path: "/usr/local/bin/claude".to_string(),
..Default::default()
}],
},
);
let proto = ProtoSandboxPolicy {
version: 1,
filesystem: Some(ProtoFs {
include_workdir: true,
read_only: vec![],
read_write: vec![],
}),
landlock: Some(openshell_core::proto::LandlockPolicy {
compatibility: "best_effort".to_string(),
}),
process: Some(ProtoProc {
run_as_user: "sandbox".to_string(),
run_as_group: "sandbox".to_string(),
}),
network_policies,
};

let engine = OpaEngine::from_proto(&proto).expect("engine from proto");
let input = NetworkInput {
host: "bedrock-runtime.us-east-2.amazonaws.com".into(),
port: 443,
binary_path: PathBuf::from("/usr/local/bin/claude"),
binary_sha256: "unused".into(),
ancestors: vec![],
cmdline_paths: vec![],
};

let config = engine
.query_endpoint_config(&input)
.unwrap()
.expect("endpoint config");
let l7 = crate::l7::parse_l7_config(&config).unwrap();
assert_eq!(l7.credential_signing, crate::l7::CredentialSigning::SigV4);
assert_eq!(l7.signing_service, "bedrock");
}

#[test]
fn l7_endpoint_config_preserves_proto_request_body_credential_rewrite() {
let mut network_policies = std::collections::HashMap::new();
Expand Down
2 changes: 2 additions & 0 deletions crates/openshell-sandbox/src/policy_local.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1097,6 +1097,8 @@ fn network_endpoint_from_json(
graphql_persisted_queries: HashMap::new(),
graphql_max_body_bytes: 0,
path: String::new(),
credential_signing: String::new(),
signing_service: String::new(),
})
}

Expand Down
Loading
Loading