oauth2/google/internal/externalaccount/aws.go

// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package externalaccount

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"path"
	"sort"
	"strings"
	"time"
)

// RequestSigner is a utility class to sign http requests using a AWS V4 signature.
type awsRequestSigner struct {
	RegionName             string
	AwsSecurityCredentials map[string]string
}

const (
// AWS Signature Version 4 signing algorithm identifier.
	awsAlgorithm = "AWS4-HMAC-SHA256"

// The termination string for the AWS credential scope value as defined in
// https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
	awsRequestType = "aws4_request"

// The AWS authorization header name for the security session token if available.
	awsSecurityTokenHeader = "x-amz-security-token"

// The AWS authorization header name for the auto-generated date.
	awsDateHeader = "x-amz-date"

	awsTimeFormatLong = "20060102T150405Z"
	awsTimeFormatShort = "20060102"
)

func getSha256(input []byte) (string, error) {
	hash := sha256.New()
	if _, err := hash.Write(input); err != nil {
		return "", err
	}
	return hex.EncodeToString(hash.Sum(nil)), nil
}

func getHmacSha256(key, input []byte) ([]byte, error) {
	hash := hmac.New(sha256.New, key)
	if _, err := hash.Write(input); err != nil {
		return nil, err
	}
	return hash.Sum(nil), nil
}

func cloneRequest(r *http.Request) *http.Request {
	r2 := new(http.Request)
	*r2 = *r
	if r.Header != nil {
		r2.Header = make(http.Header, len(r.Header))

		// Find total number of values.
		headerCount := 0
		for _, headerValues := range r.Header {
			headerCount += len(headerValues)
		}
		copiedHeaders := make([]string, headerCount) // shared backing array for headers' values

		for headerKey, headerValues := range r.Header {
			headerCount = copy(copiedHeaders, headerValues)
			r2.Header[headerKey] = copiedHeaders[:headerCount:headerCount]
			copiedHeaders = copiedHeaders[headerCount:]
		}
	}
	return r2
}

func canonicalPath(req *http.Request) string {
	result := req.URL.EscapedPath()
	if result == "" {
		return "/"
	}
	return path.Clean(result)
}

func canonicalQuery(req *http.Request) string {
	queryValues := req.URL.Query()
	for queryKey := range queryValues {
		sort.Strings(queryValues[queryKey])
	}
	return queryValues.Encode()
}

func canonicalHeaders(req *http.Request) (string, string) {
	// Header keys need to be sorted alphabetically.
	var headers []string
	lowerCaseHeaders := make(http.Header)
	for k, v := range req.Header {
		k := strings.ToLower(k)
		if _, ok := lowerCaseHeaders[k]; ok {
			// include additional values
			lowerCaseHeaders[k] = append(lowerCaseHeaders[k], v...)
		} else {
			headers = append(headers, k)
			lowerCaseHeaders[k] = v
		}
	}
	sort.Strings(headers)

	var fullHeaders strings.Builder
	for _, header := range headers {
		headerValue := strings.Join(lowerCaseHeaders[header], ",")
		fullHeaders.WriteString(header)
		fullHeaders.WriteRune(':')
		fullHeaders.WriteString(headerValue)
		fullHeaders.WriteRune('\n')
	}

	return strings.Join(headers, ";"), fullHeaders.String()
}

func requestDataHash(req *http.Request) (string, error) {
	var requestData []byte
	if req.Body != nil {
		requestBody, err := req.GetBody()
		if err != nil {
			return "", err
		}
		defer requestBody.Close()

		requestData, err = ioutil.ReadAll(io.LimitReader(requestBody, 1<<20))
		if err != nil {
			return "", err
		}
	}

	return getSha256(requestData)
}

func requestHost(req *http.Request) string {
	if req.Host != "" {
		return req.Host
	}
	return req.URL.Host
}

func canonicalRequest(req *http.Request, canonicalHeaderColumns, canonicalHeaderData string) (string, error) {
	dataHash, err := requestDataHash(req)
	if err != nil {
		return "", err
	}

	return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", req.Method, canonicalPath(req), canonicalQuery(req), canonicalHeaderData, canonicalHeaderColumns, dataHash), nil
}

// SignRequest adds the appropriate headers to an http.Request
// or returns an error if something prevented this.
func (rs *awsRequestSigner) SignRequest(req *http.Request) error {
	signedRequest := cloneRequest(req)
	timestamp := now()

	signedRequest.Header.Add("host", requestHost(req))

	if securityToken, ok := rs.AwsSecurityCredentials["security_token"]; ok {
		signedRequest.Header.Add(awsSecurityTokenHeader, securityToken)
	}

	if signedRequest.Header.Get("date") == "" {
		signedRequest.Header.Add(awsDateHeader, timestamp.Format(awsTimeFormatLong))
	}

	authorizationCode, err := rs.generateAuthentication(signedRequest, timestamp)
	if err != nil {
		return err
	}
	signedRequest.Header.Set("Authorization", authorizationCode)

	req.Header = signedRequest.Header
	return nil
}

func (rs *awsRequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) {
	secretAccessKey, ok := rs.AwsSecurityCredentials["secret_access_key"]
	if !ok {
		return "", errors.New("oauth2/google: missing secret_access_key header")
	}
	accessKeyId, ok := rs.AwsSecurityCredentials["access_key_id"]
	if !ok {
		return "", errors.New("oauth2/google: missing access_key_id header")
	}

	canonicalHeaderColumns, canonicalHeaderData := canonicalHeaders(req)

	dateStamp := timestamp.Format(awsTimeFormatShort)
	serviceName := ""
	if splitHost := strings.Split(requestHost(req), "."); len(splitHost) > 0 {
		serviceName = splitHost[0]
	}

	credentialScope := fmt.Sprintf("%s/%s/%s/%s",dateStamp, rs.RegionName, serviceName, awsRequestType)

	requestString, err := canonicalRequest(req, canonicalHeaderColumns, canonicalHeaderData)
	if err != nil {
		return "", err
	}
	requestHash, err := getSha256([]byte(requestString))
	if err != nil{
		return "", err
	}

	stringToSign := fmt.Sprintf("%s\n%s\n%s\n%s", awsAlgorithm, timestamp.Format(awsTimeFormatLong), credentialScope, requestHash)

	signingKey := []byte("AWS4" + secretAccessKey)
	for _, signingInput := range []string{
		dateStamp, rs.RegionName, serviceName, awsRequestType, stringToSign,
	} {
		signingKey, err = getHmacSha256(signingKey, []byte(signingInput))
		if err != nil{
			return "", err
		}
	}

	return fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s", awsAlgorithm, accessKeyId, credentialScope, canonicalHeaderColumns, hex.EncodeToString(signingKey)), nil
}
google: Create AWS V4 Signing Utility Change-Id: I59b4a13ed0433de7dfaa064a0f7dc1f3dd724518 GitHub-Last-Rev: 8cdc6a9ad02da61234e7d18db77294cef31367da GitHub-Pull-Request: golang/oauth2#467 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/284632 Run-TryBot: Cody Oss <codyoss@google.com> TryBot-Result: Go Bot <gobot@golang.org> Trust: Cody Oss <codyoss@google.com> Trust: Tyler Bui-Palsulich <tbp@google.com> Reviewed-by: Cody Oss <codyoss@google.com> 2021-01-25 15:07:25 -05:00			`// Copyright 2021 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`package externalaccount`

			`import (`
			`"crypto/hmac"`
			`"crypto/sha256"`
			`"encoding/hex"`
			`"errors"`
			`"fmt"`
			`"io"`
			`"io/ioutil"`
			`"net/http"`
			`"path"`
			`"sort"`
			`"strings"`
			`"time"`
			`)`

			`// RequestSigner is a utility class to sign http requests using a AWS V4 signature.`
			`type awsRequestSigner struct {`
			`RegionName string`
			`AwsSecurityCredentials map[string]string`
			`}`

			`const (`
			`// AWS Signature Version 4 signing algorithm identifier.`
			`awsAlgorithm = "AWS4-HMAC-SHA256"`

			`// The termination string for the AWS credential scope value as defined in`
			`// https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html`
			`awsRequestType = "aws4_request"`

			`// The AWS authorization header name for the security session token if available.`
			`awsSecurityTokenHeader = "x-amz-security-token"`

			`// The AWS authorization header name for the auto-generated date.`
			`awsDateHeader = "x-amz-date"`

			`awsTimeFormatLong = "20060102T150405Z"`
			`awsTimeFormatShort = "20060102"`
			`)`

			`func getSha256(input []byte) (string, error) {`
			`hash := sha256.New()`
			`if _, err := hash.Write(input); err != nil {`
			`return "", err`
			`}`
			`return hex.EncodeToString(hash.Sum(nil)), nil`
			`}`

			`func getHmacSha256(key, input []byte) ([]byte, error) {`
			`hash := hmac.New(sha256.New, key)`
			`if _, err := hash.Write(input); err != nil {`
			`return nil, err`
			`}`
			`return hash.Sum(nil), nil`
			`}`

			`func cloneRequest(r http.Request) http.Request {`
			`r2 := new(http.Request)`
			`r2 = r`
			`if r.Header != nil {`
			`r2.Header = make(http.Header, len(r.Header))`

			`// Find total number of values.`
			`headerCount := 0`
			`for _, headerValues := range r.Header {`
			`headerCount += len(headerValues)`
			`}`
			`copiedHeaders := make([]string, headerCount) // shared backing array for headers' values`

			`for headerKey, headerValues := range r.Header {`
			`headerCount = copy(copiedHeaders, headerValues)`
			`r2.Header[headerKey] = copiedHeaders[:headerCount:headerCount]`
			`copiedHeaders = copiedHeaders[headerCount:]`
			`}`
			`}`
			`return r2`
			`}`

			`func canonicalPath(req *http.Request) string {`
			`result := req.URL.EscapedPath()`
			`if result == "" {`
			`return "/"`
			`}`
			`return path.Clean(result)`
			`}`

			`func canonicalQuery(req *http.Request) string {`
			`queryValues := req.URL.Query()`
			`for queryKey := range queryValues {`
			`sort.Strings(queryValues[queryKey])`
			`}`
			`return queryValues.Encode()`
			`}`

			`func canonicalHeaders(req *http.Request) (string, string) {`
			`// Header keys need to be sorted alphabetically.`
			`var headers []string`
			`lowerCaseHeaders := make(http.Header)`
			`for k, v := range req.Header {`
			`k := strings.ToLower(k)`
			`if _, ok := lowerCaseHeaders[k]; ok {`
			`// include additional values`
			`lowerCaseHeaders[k] = append(lowerCaseHeaders[k], v...)`
			`} else {`
			`headers = append(headers, k)`
			`lowerCaseHeaders[k] = v`
			`}`
			`}`
			`sort.Strings(headers)`

			`var fullHeaders strings.Builder`
			`for _, header := range headers {`
			`headerValue := strings.Join(lowerCaseHeaders[header], ",")`
			`fullHeaders.WriteString(header)`
			`fullHeaders.WriteRune(':')`
			`fullHeaders.WriteString(headerValue)`
			`fullHeaders.WriteRune('\n')`
			`}`

			`return strings.Join(headers, ";"), fullHeaders.String()`
			`}`

			`func requestDataHash(req *http.Request) (string, error) {`
			`var requestData []byte`
			`if req.Body != nil {`
			`requestBody, err := req.GetBody()`
			`if err != nil {`
			`return "", err`
			`}`
			`defer requestBody.Close()`

			`requestData, err = ioutil.ReadAll(io.LimitReader(requestBody, 1<<20))`
			`if err != nil {`
			`return "", err`
			`}`
			`}`

			`return getSha256(requestData)`
			`}`

			`func requestHost(req *http.Request) string {`
			`if req.Host != "" {`
			`return req.Host`
			`}`
			`return req.URL.Host`
			`}`

			`func canonicalRequest(req *http.Request, canonicalHeaderColumns, canonicalHeaderData string) (string, error) {`
			`dataHash, err := requestDataHash(req)`
			`if err != nil {`
			`return "", err`
			`}`

			`return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", req.Method, canonicalPath(req), canonicalQuery(req), canonicalHeaderData, canonicalHeaderColumns, dataHash), nil`
			`}`

			`// SignRequest adds the appropriate headers to an http.Request`
			`// or returns an error if something prevented this.`
			`func (rs awsRequestSigner) SignRequest(req http.Request) error {`
			`signedRequest := cloneRequest(req)`
			`timestamp := now()`

			`signedRequest.Header.Add("host", requestHost(req))`

			`if securityToken, ok := rs.AwsSecurityCredentials["security_token"]; ok {`
			`signedRequest.Header.Add(awsSecurityTokenHeader, securityToken)`
			`}`

			`if signedRequest.Header.Get("date") == "" {`
			`signedRequest.Header.Add(awsDateHeader, timestamp.Format(awsTimeFormatLong))`
			`}`

			`authorizationCode, err := rs.generateAuthentication(signedRequest, timestamp)`
			`if err != nil {`
			`return err`
			`}`
			`signedRequest.Header.Set("Authorization", authorizationCode)`

			`req.Header = signedRequest.Header`
			`return nil`
			`}`

			`func (rs awsRequestSigner) generateAuthentication(req http.Request, timestamp time.Time) (string, error) {`
			`secretAccessKey, ok := rs.AwsSecurityCredentials["secret_access_key"]`
			`if !ok {`
			`return "", errors.New("oauth2/google: missing secret_access_key header")`
			`}`
			`accessKeyId, ok := rs.AwsSecurityCredentials["access_key_id"]`
			`if !ok {`
			`return "", errors.New("oauth2/google: missing access_key_id header")`
			`}`

			`canonicalHeaderColumns, canonicalHeaderData := canonicalHeaders(req)`

			`dateStamp := timestamp.Format(awsTimeFormatShort)`
			`serviceName := ""`
			`if splitHost := strings.Split(requestHost(req), "."); len(splitHost) > 0 {`
			`serviceName = splitHost[0]`
			`}`

			`credentialScope := fmt.Sprintf("%s/%s/%s/%s",dateStamp, rs.RegionName, serviceName, awsRequestType)`

			`requestString, err := canonicalRequest(req, canonicalHeaderColumns, canonicalHeaderData)`
			`if err != nil {`
			`return "", err`
			`}`
			`requestHash, err := getSha256([]byte(requestString))`
			`if err != nil{`
			`return "", err`
			`}`

			`stringToSign := fmt.Sprintf("%s\n%s\n%s\n%s", awsAlgorithm, timestamp.Format(awsTimeFormatLong), credentialScope, requestHash)`

			`signingKey := []byte("AWS4" + secretAccessKey)`
			`for _, signingInput := range []string{`
			`dateStamp, rs.RegionName, serviceName, awsRequestType, stringToSign,`
			`} {`
			`signingKey, err = getHmacSha256(signingKey, []byte(signingInput))`
			`if err != nil{`
			`return "", err`
			`}`
			`}`

			`return fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s", awsAlgorithm, accessKeyId, credentialScope, canonicalHeaderColumns, hex.EncodeToString(signingKey)), nil`
			`}`