// Copyright 2021 The Prometheus Authors // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package sigv4 import ( "bytes" "fmt" "io" "io/ioutil" "net/http" "net/textproto" "sync" "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/credentials/stscreds" "github.com/aws/aws-sdk-go/aws/session" signer "github.com/aws/aws-sdk-go/aws/signer/v4" ) var sigv4HeaderDenylist = []string{ "uber-trace-id", } type sigV4RoundTripper struct { region string next http.RoundTripper pool sync.Pool signer *signer.Signer } // NewSigV4RoundTripper returns a new http.RoundTripper that will sign requests // using Amazon's Signature Verification V4 signing procedure. The request will // then be handed off to the next RoundTripper provided by next. If next is nil, // http.DefaultTransport will be used. // // Credentials for signing are retrieved using the the default AWS credential // chain. If credentials cannot be found, an error will be returned. func NewSigV4RoundTripper(cfg *SigV4Config, next http.RoundTripper) (http.RoundTripper, error) { if next == nil { next = http.DefaultTransport } creds := credentials.NewStaticCredentials(cfg.AccessKey, string(cfg.SecretKey), "") if cfg.AccessKey == "" && cfg.SecretKey == "" { creds = nil } sess, err := session.NewSessionWithOptions(session.Options{ Config: aws.Config{ Region: aws.String(cfg.Region), Credentials: creds, }, Profile: cfg.Profile, }) if err != nil { return nil, fmt.Errorf("could not create new AWS session: %w", err) } if _, err := sess.Config.Credentials.Get(); err != nil { return nil, fmt.Errorf("could not get SigV4 credentials: %w", err) } if aws.StringValue(sess.Config.Region) == "" { return nil, fmt.Errorf("region not configured in sigv4 or in default credentials chain") } signerCreds := sess.Config.Credentials if cfg.RoleARN != "" { signerCreds = stscreds.NewCredentials(sess, cfg.RoleARN) } rt := &sigV4RoundTripper{ region: cfg.Region, next: next, signer: signer.NewSigner(signerCreds), } rt.pool.New = rt.newBuf return rt, nil } func (rt *sigV4RoundTripper) newBuf() interface{} { return bytes.NewBuffer(make([]byte, 0, 1024)) } func (rt *sigV4RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { // rt.signer.Sign needs a seekable body, so we replace the body with a // buffered reader filled with the contents of original body. buf := rt.pool.Get().(*bytes.Buffer) defer func() { buf.Reset() rt.pool.Put(buf) }() if _, err := io.Copy(buf, req.Body); err != nil { return nil, err } // Close the original body since we don't need it anymore. _ = req.Body.Close() // Ensure our seeker is back at the start of the buffer once we return. var seeker io.ReadSeeker = bytes.NewReader(buf.Bytes()) defer func() { _, _ = seeker.Seek(0, io.SeekStart) }() req.Body = ioutil.NopCloser(seeker) // Clone the request and trim out headers that we don't want to sign. signReq := req.Clone(req.Context()) for _, header := range sigv4HeaderDenylist { signReq.Header.Del(header) } headers, err := rt.signer.Sign(signReq, seeker, "aps", rt.region, time.Now().UTC()) if err != nil { return nil, fmt.Errorf("failed to sign request: %w", err) } // Copy over signed headers. Authorization header is not returned by // rt.signer.Sign and needs to be copied separately. for k, v := range headers { req.Header[textproto.CanonicalMIMEHeaderKey(k)] = v } req.Header.Set("Authorization", signReq.Header.Get("Authorization")) return rt.next.RoundTrip(req) }