sigv4/sigv4.go - external/github.com/prometheus/common - Git at Google

 // Copyright 2021 The Prometheus Authors
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 // http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package sigv4

 import (
 	"bytes"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"net/textproto"
 	"sync"
 	"time"

 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
 	"github.com/aws/aws-sdk-go/aws/session"
 	signer "github.com/aws/aws-sdk-go/aws/signer/v4"
 )

 var sigv4HeaderDenylist = []string{
 	"uber-trace-id",
 }

 type sigV4RoundTripper struct {
 	region string
 	next   http.RoundTripper
 	pool   sync.Pool

 	signer *signer.Signer
 }

 // NewSigV4RoundTripper returns a new http.RoundTripper that will sign requests
 // using Amazon's Signature Verification V4 signing procedure. The request will
 // then be handed off to the next RoundTripper provided by next. If next is nil,
 // http.DefaultTransport will be used.
 //
 // Credentials for signing are retrieved using the the default AWS credential
 // chain. If credentials cannot be found, an error will be returned.
 func NewSigV4RoundTripper(cfg *SigV4Config, next http.RoundTripper) (http.RoundTripper, error) {
 	if next == nil {
 		next = http.DefaultTransport
 	}

 	creds := credentials.NewStaticCredentials(cfg.AccessKey, string(cfg.SecretKey), "")
 	if cfg.AccessKey == "" && cfg.SecretKey == "" {
 		creds = nil
 	}

 	sess, err := session.NewSessionWithOptions(session.Options{
 		Config: aws.Config{
 			Region:      aws.String(cfg.Region),
 			Credentials: creds,
 		},
 		Profile: cfg.Profile,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("could not create new AWS session: %w", err)
 	}
 	if _, err := sess.Config.Credentials.Get(); err != nil {
 		return nil, fmt.Errorf("could not get SigV4 credentials: %w", err)
 	}
 	if aws.StringValue(sess.Config.Region) == "" {
 		return nil, fmt.Errorf("region not configured in sigv4 or in default credentials chain")
 	}

 	signerCreds := sess.Config.Credentials
 	if cfg.RoleARN != "" {
 		signerCreds = stscreds.NewCredentials(sess, cfg.RoleARN)
 	}

 	rt := &sigV4RoundTripper{
 		region: cfg.Region,
 		next:   next,
 		signer: signer.NewSigner(signerCreds),
 	}
 	rt.pool.New = rt.newBuf
 	return rt, nil
 }

 func (rt *sigV4RoundTripper) newBuf() interface{} {
 	return bytes.NewBuffer(make([]byte, 0, 1024))
 }

 func (rt *sigV4RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	// rt.signer.Sign needs a seekable body, so we replace the body with a
 	// buffered reader filled with the contents of original body.
 	buf := rt.pool.Get().(*bytes.Buffer)
 	defer func() {
 		buf.Reset()
 		rt.pool.Put(buf)
 	}()
 	if _, err := io.Copy(buf, req.Body); err != nil {
 		return nil, err
 	}
 	// Close the original body since we don't need it anymore.
 	_ = req.Body.Close()

 	// Ensure our seeker is back at the start of the buffer once we return.
 	var seeker io.ReadSeeker = bytes.NewReader(buf.Bytes())
 	defer func() {
 		_, _ = seeker.Seek(0, io.SeekStart)
 	}()
 	req.Body = ioutil.NopCloser(seeker)

 	// Clone the request and trim out headers that we don't want to sign.
 	signReq := req.Clone(req.Context())
 	for _, header := range sigv4HeaderDenylist {
 		signReq.Header.Del(header)
 	}

 	headers, err := rt.signer.Sign(signReq, seeker, "aps", rt.region, time.Now().UTC())
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign request: %w", err)
 	}

 	// Copy over signed headers. Authorization header is not returned by
 	// rt.signer.Sign and needs to be copied separately.
 	for k, v := range headers {
 		req.Header[textproto.CanonicalMIMEHeaderKey(k)] = v
 	}
 	req.Header.Set("Authorization", signReq.Header.Get("Authorization"))

 	return rt.next.RoundTrip(req)
 }
	// Copyright 2021 The Prometheus Authors
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package sigv4

	import (
	"bytes"
	"fmt"
	"io"
	"io/ioutil"
	"net/http"
	"net/textproto"
	"sync"
	"time"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
	"github.com/aws/aws-sdk-go/aws/session"
	signer "github.com/aws/aws-sdk-go/aws/signer/v4"
	)

	var sigv4HeaderDenylist = []string{
	"uber-trace-id",
	}

	type sigV4RoundTripper struct {
	region string
	next http.RoundTripper
	pool sync.Pool

	signer *signer.Signer
	}

	// NewSigV4RoundTripper returns a new http.RoundTripper that will sign requests
	// using Amazon's Signature Verification V4 signing procedure. The request will
	// then be handed off to the next RoundTripper provided by next. If next is nil,
	// http.DefaultTransport will be used.
	//
	// Credentials for signing are retrieved using the the default AWS credential
	// chain. If credentials cannot be found, an error will be returned.
	func NewSigV4RoundTripper(cfg *SigV4Config, next http.RoundTripper) (http.RoundTripper, error) {
	if next == nil {
	next = http.DefaultTransport
	}

	creds := credentials.NewStaticCredentials(cfg.AccessKey, string(cfg.SecretKey), "")
	if cfg.AccessKey == "" && cfg.SecretKey == "" {
	creds = nil
	}

	sess, err := session.NewSessionWithOptions(session.Options{
	Config: aws.Config{
	Region: aws.String(cfg.Region),
	Credentials: creds,
	},
	Profile: cfg.Profile,
	})
	if err != nil {
	return nil, fmt.Errorf("could not create new AWS session: %w", err)
	}
	if _, err := sess.Config.Credentials.Get(); err != nil {
	return nil, fmt.Errorf("could not get SigV4 credentials: %w", err)
	}
	if aws.StringValue(sess.Config.Region) == "" {
	return nil, fmt.Errorf("region not configured in sigv4 or in default credentials chain")
	}

	signerCreds := sess.Config.Credentials
	if cfg.RoleARN != "" {
	signerCreds = stscreds.NewCredentials(sess, cfg.RoleARN)
	}

	rt := &sigV4RoundTripper{
	region: cfg.Region,
	next: next,
	signer: signer.NewSigner(signerCreds),
	}
	rt.pool.New = rt.newBuf
	return rt, nil
	}

	func (rt *sigV4RoundTripper) newBuf() interface{} {
	return bytes.NewBuffer(make([]byte, 0, 1024))
	}

	func (rt sigV4RoundTripper) RoundTrip(req http.Request) (*http.Response, error) {
	// rt.signer.Sign needs a seekable body, so we replace the body with a
	// buffered reader filled with the contents of original body.
	buf := rt.pool.Get().(*bytes.Buffer)
	defer func() {
	buf.Reset()
	rt.pool.Put(buf)
	}()
	if _, err := io.Copy(buf, req.Body); err != nil {
	return nil, err
	}
	// Close the original body since we don't need it anymore.
	_ = req.Body.Close()

	// Ensure our seeker is back at the start of the buffer once we return.
	var seeker io.ReadSeeker = bytes.NewReader(buf.Bytes())
	defer func() {
	_, _ = seeker.Seek(0, io.SeekStart)
	}()
	req.Body = ioutil.NopCloser(seeker)

	// Clone the request and trim out headers that we don't want to sign.
	signReq := req.Clone(req.Context())
	for _, header := range sigv4HeaderDenylist {
	signReq.Header.Del(header)
	}

	headers, err := rt.signer.Sign(signReq, seeker, "aps", rt.region, time.Now().UTC())
	if err != nil {
	return nil, fmt.Errorf("failed to sign request: %w", err)
	}

	// Copy over signed headers. Authorization header is not returned by
	// rt.signer.Sign and needs to be copied separately.
	for k, v := range headers {
	req.Header[textproto.CanonicalMIMEHeaderKey(k)] = v
	}
	req.Header.Set("Authorization", signReq.Header.Get("Authorization"))

	return rt.next.RoundTrip(req)
	}