mirror of
https://github.com/golang/oauth2.git
synced 2025-07-21 00:00:09 +08:00
510acbce1f
Adds check for aws values in environment variables before the metadata server is called to prevent unnecessary off box calls. See https://github.com/googleapis/google-auth-library-java/pull/1100 for same change in java library. Change-Id: Ie86a899be88c38d3fcbbe377f9bf30a7a66530c0 GitHub-Last-Rev: bcab69572cb0dca4c7c6426203d4232e6e89d8db GitHub-Pull-Request: golang/oauth2#612 Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/453715 Reviewed-by: Leo Siracusa <leosiracusa@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Cody Oss <codyoss@google.com> Auto-Submit: Cody Oss <codyoss@google.com> Reviewed-by: Cody Oss <codyoss@google.com>
596 lines
16 KiB
Go
596 lines
16 KiB
Go
// Copyright 2021 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package externalaccount
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"sort"
|
|
"strings"
|
|
"time"
|
|
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
type awsSecurityCredentials struct {
|
|
AccessKeyID string `json:"AccessKeyID"`
|
|
SecretAccessKey string `json:"SecretAccessKey"`
|
|
SecurityToken string `json:"Token"`
|
|
}
|
|
|
|
// awsRequestSigner is a utility class to sign http requests using a AWS V4 signature.
|
|
type awsRequestSigner struct {
|
|
RegionName string
|
|
AwsSecurityCredentials awsSecurityCredentials
|
|
}
|
|
|
|
// getenv aliases os.Getenv for testing
|
|
var getenv = os.Getenv
|
|
|
|
const (
|
|
// AWS Signature Version 4 signing algorithm identifier.
|
|
awsAlgorithm = "AWS4-HMAC-SHA256"
|
|
|
|
// The termination string for the AWS credential scope value as defined in
|
|
// https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
|
|
awsRequestType = "aws4_request"
|
|
|
|
// The AWS authorization header name for the security session token if available.
|
|
awsSecurityTokenHeader = "x-amz-security-token"
|
|
|
|
// The name of the header containing the session token for metadata endpoint calls
|
|
awsIMDSv2SessionTokenHeader = "X-aws-ec2-metadata-token"
|
|
|
|
awsIMDSv2SessionTtlHeader = "X-aws-ec2-metadata-token-ttl-seconds"
|
|
|
|
awsIMDSv2SessionTtl = "300"
|
|
|
|
// The AWS authorization header name for the auto-generated date.
|
|
awsDateHeader = "x-amz-date"
|
|
|
|
// Supported AWS configuration environment variables.
|
|
awsAccessKeyId = "AWS_ACCESS_KEY_ID"
|
|
awsDefaultRegion = "AWS_DEFAULT_REGION"
|
|
awsRegion = "AWS_REGION"
|
|
awsSecretAccessKey = "AWS_SECRET_ACCESS_KEY"
|
|
awsSessionToken = "AWS_SESSION_TOKEN"
|
|
|
|
awsTimeFormatLong = "20060102T150405Z"
|
|
awsTimeFormatShort = "20060102"
|
|
)
|
|
|
|
func getSha256(input []byte) (string, error) {
|
|
hash := sha256.New()
|
|
if _, err := hash.Write(input); err != nil {
|
|
return "", err
|
|
}
|
|
return hex.EncodeToString(hash.Sum(nil)), nil
|
|
}
|
|
|
|
func getHmacSha256(key, input []byte) ([]byte, error) {
|
|
hash := hmac.New(sha256.New, key)
|
|
if _, err := hash.Write(input); err != nil {
|
|
return nil, err
|
|
}
|
|
return hash.Sum(nil), nil
|
|
}
|
|
|
|
func cloneRequest(r *http.Request) *http.Request {
|
|
r2 := new(http.Request)
|
|
*r2 = *r
|
|
if r.Header != nil {
|
|
r2.Header = make(http.Header, len(r.Header))
|
|
|
|
// Find total number of values.
|
|
headerCount := 0
|
|
for _, headerValues := range r.Header {
|
|
headerCount += len(headerValues)
|
|
}
|
|
copiedHeaders := make([]string, headerCount) // shared backing array for headers' values
|
|
|
|
for headerKey, headerValues := range r.Header {
|
|
headerCount = copy(copiedHeaders, headerValues)
|
|
r2.Header[headerKey] = copiedHeaders[:headerCount:headerCount]
|
|
copiedHeaders = copiedHeaders[headerCount:]
|
|
}
|
|
}
|
|
return r2
|
|
}
|
|
|
|
func canonicalPath(req *http.Request) string {
|
|
result := req.URL.EscapedPath()
|
|
if result == "" {
|
|
return "/"
|
|
}
|
|
return path.Clean(result)
|
|
}
|
|
|
|
func canonicalQuery(req *http.Request) string {
|
|
queryValues := req.URL.Query()
|
|
for queryKey := range queryValues {
|
|
sort.Strings(queryValues[queryKey])
|
|
}
|
|
return queryValues.Encode()
|
|
}
|
|
|
|
func canonicalHeaders(req *http.Request) (string, string) {
|
|
// Header keys need to be sorted alphabetically.
|
|
var headers []string
|
|
lowerCaseHeaders := make(http.Header)
|
|
for k, v := range req.Header {
|
|
k := strings.ToLower(k)
|
|
if _, ok := lowerCaseHeaders[k]; ok {
|
|
// include additional values
|
|
lowerCaseHeaders[k] = append(lowerCaseHeaders[k], v...)
|
|
} else {
|
|
headers = append(headers, k)
|
|
lowerCaseHeaders[k] = v
|
|
}
|
|
}
|
|
sort.Strings(headers)
|
|
|
|
var fullHeaders bytes.Buffer
|
|
for _, header := range headers {
|
|
headerValue := strings.Join(lowerCaseHeaders[header], ",")
|
|
fullHeaders.WriteString(header)
|
|
fullHeaders.WriteRune(':')
|
|
fullHeaders.WriteString(headerValue)
|
|
fullHeaders.WriteRune('\n')
|
|
}
|
|
|
|
return strings.Join(headers, ";"), fullHeaders.String()
|
|
}
|
|
|
|
func requestDataHash(req *http.Request) (string, error) {
|
|
var requestData []byte
|
|
if req.Body != nil {
|
|
requestBody, err := req.GetBody()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer requestBody.Close()
|
|
|
|
requestData, err = ioutil.ReadAll(io.LimitReader(requestBody, 1<<20))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
return getSha256(requestData)
|
|
}
|
|
|
|
func requestHost(req *http.Request) string {
|
|
if req.Host != "" {
|
|
return req.Host
|
|
}
|
|
return req.URL.Host
|
|
}
|
|
|
|
func canonicalRequest(req *http.Request, canonicalHeaderColumns, canonicalHeaderData string) (string, error) {
|
|
dataHash, err := requestDataHash(req)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return fmt.Sprintf("%s\n%s\n%s\n%s\n%s\n%s", req.Method, canonicalPath(req), canonicalQuery(req), canonicalHeaderData, canonicalHeaderColumns, dataHash), nil
|
|
}
|
|
|
|
// SignRequest adds the appropriate headers to an http.Request
|
|
// or returns an error if something prevented this.
|
|
func (rs *awsRequestSigner) SignRequest(req *http.Request) error {
|
|
signedRequest := cloneRequest(req)
|
|
timestamp := now()
|
|
|
|
signedRequest.Header.Add("host", requestHost(req))
|
|
|
|
if rs.AwsSecurityCredentials.SecurityToken != "" {
|
|
signedRequest.Header.Add(awsSecurityTokenHeader, rs.AwsSecurityCredentials.SecurityToken)
|
|
}
|
|
|
|
if signedRequest.Header.Get("date") == "" {
|
|
signedRequest.Header.Add(awsDateHeader, timestamp.Format(awsTimeFormatLong))
|
|
}
|
|
|
|
authorizationCode, err := rs.generateAuthentication(signedRequest, timestamp)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
signedRequest.Header.Set("Authorization", authorizationCode)
|
|
|
|
req.Header = signedRequest.Header
|
|
return nil
|
|
}
|
|
|
|
func (rs *awsRequestSigner) generateAuthentication(req *http.Request, timestamp time.Time) (string, error) {
|
|
canonicalHeaderColumns, canonicalHeaderData := canonicalHeaders(req)
|
|
|
|
dateStamp := timestamp.Format(awsTimeFormatShort)
|
|
serviceName := ""
|
|
if splitHost := strings.Split(requestHost(req), "."); len(splitHost) > 0 {
|
|
serviceName = splitHost[0]
|
|
}
|
|
|
|
credentialScope := fmt.Sprintf("%s/%s/%s/%s", dateStamp, rs.RegionName, serviceName, awsRequestType)
|
|
|
|
requestString, err := canonicalRequest(req, canonicalHeaderColumns, canonicalHeaderData)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
requestHash, err := getSha256([]byte(requestString))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
stringToSign := fmt.Sprintf("%s\n%s\n%s\n%s", awsAlgorithm, timestamp.Format(awsTimeFormatLong), credentialScope, requestHash)
|
|
|
|
signingKey := []byte("AWS4" + rs.AwsSecurityCredentials.SecretAccessKey)
|
|
for _, signingInput := range []string{
|
|
dateStamp, rs.RegionName, serviceName, awsRequestType, stringToSign,
|
|
} {
|
|
signingKey, err = getHmacSha256(signingKey, []byte(signingInput))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
}
|
|
|
|
return fmt.Sprintf("%s Credential=%s/%s, SignedHeaders=%s, Signature=%s", awsAlgorithm, rs.AwsSecurityCredentials.AccessKeyID, credentialScope, canonicalHeaderColumns, hex.EncodeToString(signingKey)), nil
|
|
}
|
|
|
|
type awsCredentialSource struct {
|
|
EnvironmentID string
|
|
RegionURL string
|
|
RegionalCredVerificationURL string
|
|
CredVerificationURL string
|
|
IMDSv2SessionTokenURL string
|
|
TargetResource string
|
|
requestSigner *awsRequestSigner
|
|
region string
|
|
ctx context.Context
|
|
client *http.Client
|
|
}
|
|
|
|
type awsRequestHeader struct {
|
|
Key string `json:"key"`
|
|
Value string `json:"value"`
|
|
}
|
|
|
|
type awsRequest struct {
|
|
URL string `json:"url"`
|
|
Method string `json:"method"`
|
|
Headers []awsRequestHeader `json:"headers"`
|
|
}
|
|
|
|
func (cs awsCredentialSource) validateMetadataServers() error {
|
|
if err := cs.validateMetadataServer(cs.RegionURL, "region_url"); err != nil {
|
|
return err
|
|
}
|
|
if err := cs.validateMetadataServer(cs.CredVerificationURL, "url"); err != nil {
|
|
return err
|
|
}
|
|
return cs.validateMetadataServer(cs.IMDSv2SessionTokenURL, "imdsv2_session_token_url")
|
|
}
|
|
|
|
var validHostnames []string = []string{"169.254.169.254", "fd00:ec2::254"}
|
|
|
|
func (cs awsCredentialSource) isValidMetadataServer(metadataUrl string) bool {
|
|
if metadataUrl == "" {
|
|
// Zero value means use default, which is valid.
|
|
return true
|
|
}
|
|
|
|
u, err := url.Parse(metadataUrl)
|
|
if err != nil {
|
|
// Unparseable URL means invalid
|
|
return false
|
|
}
|
|
|
|
for _, validHostname := range validHostnames {
|
|
if u.Hostname() == validHostname {
|
|
// If it's one of the valid hostnames, everything is good
|
|
return true
|
|
}
|
|
}
|
|
|
|
// hostname not found in our allowlist, so not valid
|
|
return false
|
|
}
|
|
|
|
func (cs awsCredentialSource) validateMetadataServer(metadataUrl, urlName string) error {
|
|
if !cs.isValidMetadataServer(metadataUrl) {
|
|
return fmt.Errorf("oauth2/google: invalid hostname %s for %s", metadataUrl, urlName)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (cs awsCredentialSource) doRequest(req *http.Request) (*http.Response, error) {
|
|
if cs.client == nil {
|
|
cs.client = oauth2.NewClient(cs.ctx, nil)
|
|
}
|
|
return cs.client.Do(req.WithContext(cs.ctx))
|
|
}
|
|
|
|
func canRetrieveRegionFromEnvironment() bool {
|
|
// The AWS region can be provided through AWS_REGION or AWS_DEFAULT_REGION. Only one is
|
|
// required.
|
|
return getenv(awsRegion) != "" || getenv(awsDefaultRegion) != ""
|
|
}
|
|
|
|
func canRetrieveSecurityCredentialFromEnvironment() bool {
|
|
// Check if both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are available.
|
|
return getenv(awsAccessKeyId) != "" && getenv(awsSecretAccessKey) != ""
|
|
}
|
|
|
|
func shouldUseMetadataServer() bool {
|
|
return !canRetrieveRegionFromEnvironment() || !canRetrieveSecurityCredentialFromEnvironment()
|
|
}
|
|
|
|
func (cs awsCredentialSource) subjectToken() (string, error) {
|
|
if cs.requestSigner == nil {
|
|
headers := make(map[string]string)
|
|
if shouldUseMetadataServer() {
|
|
awsSessionToken, err := cs.getAWSSessionToken()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if awsSessionToken != "" {
|
|
headers[awsIMDSv2SessionTokenHeader] = awsSessionToken
|
|
}
|
|
}
|
|
|
|
awsSecurityCredentials, err := cs.getSecurityCredentials(headers)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if cs.region, err = cs.getRegion(headers); err != nil {
|
|
return "", err
|
|
}
|
|
|
|
cs.requestSigner = &awsRequestSigner{
|
|
RegionName: cs.region,
|
|
AwsSecurityCredentials: awsSecurityCredentials,
|
|
}
|
|
}
|
|
|
|
// Generate the signed request to AWS STS GetCallerIdentity API.
|
|
// Use the required regional endpoint. Otherwise, the request will fail.
|
|
req, err := http.NewRequest("POST", strings.Replace(cs.RegionalCredVerificationURL, "{region}", cs.region, 1), nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
// The full, canonical resource name of the workload identity pool
|
|
// provider, with or without the HTTPS prefix.
|
|
// Including this header as part of the signature is recommended to
|
|
// ensure data integrity.
|
|
if cs.TargetResource != "" {
|
|
req.Header.Add("x-goog-cloud-target-resource", cs.TargetResource)
|
|
}
|
|
cs.requestSigner.SignRequest(req)
|
|
|
|
/*
|
|
The GCP STS endpoint expects the headers to be formatted as:
|
|
# [
|
|
# {key: 'x-amz-date', value: '...'},
|
|
# {key: 'Authorization', value: '...'},
|
|
# ...
|
|
# ]
|
|
# And then serialized as:
|
|
# quote(json.dumps({
|
|
# url: '...',
|
|
# method: 'POST',
|
|
# headers: [{key: 'x-amz-date', value: '...'}, ...]
|
|
# }))
|
|
*/
|
|
|
|
awsSignedReq := awsRequest{
|
|
URL: req.URL.String(),
|
|
Method: "POST",
|
|
}
|
|
for headerKey, headerList := range req.Header {
|
|
for _, headerValue := range headerList {
|
|
awsSignedReq.Headers = append(awsSignedReq.Headers, awsRequestHeader{
|
|
Key: headerKey,
|
|
Value: headerValue,
|
|
})
|
|
}
|
|
}
|
|
sort.Slice(awsSignedReq.Headers, func(i, j int) bool {
|
|
headerCompare := strings.Compare(awsSignedReq.Headers[i].Key, awsSignedReq.Headers[j].Key)
|
|
if headerCompare == 0 {
|
|
return strings.Compare(awsSignedReq.Headers[i].Value, awsSignedReq.Headers[j].Value) < 0
|
|
}
|
|
return headerCompare < 0
|
|
})
|
|
|
|
result, err := json.Marshal(awsSignedReq)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return url.QueryEscape(string(result)), nil
|
|
}
|
|
|
|
func (cs *awsCredentialSource) getAWSSessionToken() (string, error) {
|
|
if cs.IMDSv2SessionTokenURL == "" {
|
|
return "", nil
|
|
}
|
|
|
|
req, err := http.NewRequest("PUT", cs.IMDSv2SessionTokenURL, nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
req.Header.Add(awsIMDSv2SessionTtlHeader, awsIMDSv2SessionTtl)
|
|
|
|
resp, err := cs.doRequest(req)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
respBody, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if resp.StatusCode != 200 {
|
|
return "", fmt.Errorf("oauth2/google: unable to retrieve AWS session token - %s", string(respBody))
|
|
}
|
|
|
|
return string(respBody), nil
|
|
}
|
|
|
|
func (cs *awsCredentialSource) getRegion(headers map[string]string) (string, error) {
|
|
if canRetrieveRegionFromEnvironment() {
|
|
if envAwsRegion := getenv(awsRegion); envAwsRegion != "" {
|
|
return envAwsRegion, nil
|
|
}
|
|
return getenv("AWS_DEFAULT_REGION"), nil
|
|
}
|
|
|
|
if cs.RegionURL == "" {
|
|
return "", errors.New("oauth2/google: unable to determine AWS region")
|
|
}
|
|
|
|
req, err := http.NewRequest("GET", cs.RegionURL, nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
for name, value := range headers {
|
|
req.Header.Add(name, value)
|
|
}
|
|
|
|
resp, err := cs.doRequest(req)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
respBody, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if resp.StatusCode != 200 {
|
|
return "", fmt.Errorf("oauth2/google: unable to retrieve AWS region - %s", string(respBody))
|
|
}
|
|
|
|
// This endpoint will return the region in format: us-east-2b.
|
|
// Only the us-east-2 part should be used.
|
|
respBodyEnd := 0
|
|
if len(respBody) > 1 {
|
|
respBodyEnd = len(respBody) - 1
|
|
}
|
|
return string(respBody[:respBodyEnd]), nil
|
|
}
|
|
|
|
func (cs *awsCredentialSource) getSecurityCredentials(headers map[string]string) (result awsSecurityCredentials, err error) {
|
|
if canRetrieveSecurityCredentialFromEnvironment() {
|
|
return awsSecurityCredentials{
|
|
AccessKeyID: getenv(awsAccessKeyId),
|
|
SecretAccessKey: getenv(awsSecretAccessKey),
|
|
SecurityToken: getenv(awsSessionToken),
|
|
}, nil
|
|
}
|
|
|
|
roleName, err := cs.getMetadataRoleName(headers)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
credentials, err := cs.getMetadataSecurityCredentials(roleName, headers)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if credentials.AccessKeyID == "" {
|
|
return result, errors.New("oauth2/google: missing AccessKeyId credential")
|
|
}
|
|
|
|
if credentials.SecretAccessKey == "" {
|
|
return result, errors.New("oauth2/google: missing SecretAccessKey credential")
|
|
}
|
|
|
|
return credentials, nil
|
|
}
|
|
|
|
func (cs *awsCredentialSource) getMetadataSecurityCredentials(roleName string, headers map[string]string) (awsSecurityCredentials, error) {
|
|
var result awsSecurityCredentials
|
|
|
|
req, err := http.NewRequest("GET", fmt.Sprintf("%s/%s", cs.CredVerificationURL, roleName), nil)
|
|
if err != nil {
|
|
return result, err
|
|
}
|
|
req.Header.Add("Content-Type", "application/json")
|
|
|
|
for name, value := range headers {
|
|
req.Header.Add(name, value)
|
|
}
|
|
|
|
resp, err := cs.doRequest(req)
|
|
if err != nil {
|
|
return result, err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
respBody, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
|
if err != nil {
|
|
return result, err
|
|
}
|
|
|
|
if resp.StatusCode != 200 {
|
|
return result, fmt.Errorf("oauth2/google: unable to retrieve AWS security credentials - %s", string(respBody))
|
|
}
|
|
|
|
err = json.Unmarshal(respBody, &result)
|
|
return result, err
|
|
}
|
|
|
|
func (cs *awsCredentialSource) getMetadataRoleName(headers map[string]string) (string, error) {
|
|
if cs.CredVerificationURL == "" {
|
|
return "", errors.New("oauth2/google: unable to determine the AWS metadata server security credentials endpoint")
|
|
}
|
|
|
|
req, err := http.NewRequest("GET", cs.CredVerificationURL, nil)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
for name, value := range headers {
|
|
req.Header.Add(name, value)
|
|
}
|
|
|
|
resp, err := cs.doRequest(req)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
respBody, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
if resp.StatusCode != 200 {
|
|
return "", fmt.Errorf("oauth2/google: unable to retrieve AWS role name - %s", string(respBody))
|
|
}
|
|
|
|
return string(respBody), nil
|
|
}
|