-
Notifications
You must be signed in to change notification settings - Fork 341
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: added sigv4 filter #3070
base: master
Are you sure you want to change the base?
feat: added sigv4 filter #3070
Conversation
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
filters/sigv4/signer/httpsigner.go
Outdated
signedURLMsg = fmt.Sprintf(logSignedURLMsg, request.Request.URL.String()) | ||
} | ||
logger := log.WithContext(ctx.Request().Context()) | ||
logger.Logf(log.DebugLevel, logSignInfoMsg, request.CanonicalString, request.StringToSign, signedURLMsg) |
Check failure
Code scanning / CodeQL
Clear-text logging of sensitive information High
Sensitive data returned by HTTP request headers
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only for debugging and only logs when options.LogSigning
is true. This is also taken directly from SDK code here
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is quite a lot of new code and I am concerned about supporting this.
@szuecs should we also consider
- adding AWS sdk as a dependency
- copy-paste AWS signer code (vendor-in)
- use AWS sdk with a build tag to exclude for lib users by default
filters/signer/internal/cache.go
Outdated
return cred | ||
} | ||
|
||
func deriveKey(secret, service, region string, t SigningTime) []byte { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need all this caching complexity from the start?
Maybe we may have a benchmark to see how long does it take to calculate these four hmacs ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need all this caching complexity from the start? Maybe we may have a benchmark to see how long does it take to calculate these four hmacs ?
Thanks for the review. I copied this entirely from sdk. My approach was to introduce very little over what is available from sdk, just enough to independently carve out signing functionality . I would be open to do as you suggested of course.
filters/signer/internal/cache.go
Outdated
|
||
func lookupKey(service, region string) string { | ||
var s strings.Builder | ||
s.Grow(len(region) + len(service) + 3) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why +3?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
copied this from here.
A quick test reveals that /
takes up 3 bytes . I suspect that there is some char escaping taking place . I can confirm after checking the source for Marshal
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not entirely sure. A rune typically occupies 1 to 4 bytes, but looking at code here , there is an optimization to check if it fits lesser number of bytes. For '/' rune, uint32 value comes out to be 47 which is < rune1Max
and may only need one byte.
filters/signer/internal/cache.go
Outdated
} | ||
|
||
// SigningKeyDeriver derives a signing key from a set of credentials | ||
type SigningKeyDeriver struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why some types/functions are exported and some not?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made Get
un-exported. So now only SigningKeyDeriver
type and its function DeriveKey
is exported , since they are used in httpsigner.go
Good question, I thought it makes sense to not put AWS SDK into dependency because this is really huge. Adding an AWS build tag would be something we can do to have this feature as a more "experimental" implementation. |
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
Signed-off-by: Anurag252 <Anuragsgsits@gmail.com>
Added review comments except the unresolved open discussions.
will add changes for these once I have more information |
#2911
Example 1 with default body {}
actual sdk code
see https://go.dev/play/p/nPiTzwAl6Ut for a signed sample request with sdk.
response : -
skipper
./bin/skipper -inline-routes='r: * -> status(200) -> sigv4( "us-east-1","dynamodb", "false", "false", "false") -> "http://httpbin.org"'
curl -
Response from curl -
Example 2 with non-default body
skipper
curl
actual sdk code
https://go.dev/play/p/Ixx-ozxeWfv
Response