envoyproxy · htuch · Jan 23, 2019 · Jan 12, 2019 · Jan 15, 2019 · Jan 17, 2019
diff --git a/source/common/crypto/BUILD b/source/common/crypto/BUILD
@@ -0,0 +1,23 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "utility_lib",
+    srcs = ["utility.cc"],
+    hdrs = ["utility.h"],
+    external_deps = [
+        "ssl",
+    ],
+    deps = [
+        "//include/envoy/buffer:buffer_interface",
+        "//source/common/common:assert_lib",
+        "//source/common/common:stack_array",
+    ],
+)
diff --git a/source/common/crypto/utility.cc b/source/common/crypto/utility.cc
@@ -0,0 +1,45 @@
+#include "common/crypto/utility.h"
+
+#include "common/common/assert.h"
+#include "common/common/stack_array.h"
+
+#include "openssl/evp.h"
+#include "openssl/hmac.h"
+#include "openssl/sha.h"
+
+namespace Envoy {
+namespace Common {
+namespace Crypto {
+
+std::vector<uint8_t> Utility::getSha256Digest(const Buffer::Instance& buffer) {
+  std::vector<uint8_t> digest(SHA256_DIGEST_LENGTH);
+  EVP_MD_CTX ctx;
+  auto rc = EVP_DigestInit(&ctx, EVP_sha256());
+  RELEASE_ASSERT(rc == 1, "Failed to init digest context");
+  const auto num_slices = buffer.getRawSlices(nullptr, 0);
+  STACK_ARRAY(slices, Buffer::RawSlice, num_slices);
+  buffer.getRawSlices(slices.begin(), num_slices);
+  for (const auto& slice : slices) {
+    rc = EVP_DigestUpdate(&ctx, slice.mem_, slice.len_);
+    RELEASE_ASSERT(rc == 1, "Failed to update digest");
+  }
+  unsigned int len;
+  rc = EVP_DigestFinal(&ctx, digest.data(), &len);
+  RELEASE_ASSERT(rc == 1, "Failed to finalize digest");
+  return digest;
+}
+
+std::vector<uint8_t> Utility::getSha256Hmac(const std::vector<uint8_t>& key,
+                                            absl::string_view message) {
+  std::vector<uint8_t> hmac(SHA256_DIGEST_LENGTH);
+  unsigned int len;
+  const auto ret =
+      HMAC(EVP_sha256(), key.data(), key.size(), reinterpret_cast<const uint8_t*>(message.data()),
+           message.size(), hmac.data(), &len);
+  RELEASE_ASSERT(ret != nullptr, "Failed to create HMAC");
+  return hmac;
+}
+
+} // namespace Crypto
+} // namespace Common
+} // namespace Envoy
diff --git a/source/common/crypto/utility.h b/source/common/crypto/utility.h
@@ -0,0 +1,30 @@
+#pragma once
+
+#include "envoy/buffer/buffer.h"
+
+namespace Envoy {
+namespace Common {
+namespace Crypto {
+
+class Utility {
+public:
+  /**
+   * Computes the SHA-256 digest of a buffer.
+   * @param buffer the buffer.
+   * @return a vector of bytes for the computed digest.
+   */
+  static std::vector<uint8_t> getSha256Digest(const Buffer::Instance& buffer);
+
+  /**
+   * Computes the SHA-256 HMAC for a given key and message.
+   * @param key the HMAC function key.
+   * @param message message data for the HMAC function.
+   * @return a vector of bytes for the computed HMAC.
+   */
+  static std::vector<uint8_t> getSha256Hmac(const std::vector<uint8_t>& key,
+                                            absl::string_view message);
+};
+
+} // namespace Crypto
+} // namespace Common
+} // namespace Envoy
diff --git a/source/extensions/filters/http/common/aws/BUILD b/source/extensions/filters/http/common/aws/BUILD
@@ -0,0 +1,51 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "signer_interface",
+    hdrs = ["signer.h"],
+    deps = [
+        "//include/envoy/http:message_interface",
+    ],
+)
+
+envoy_cc_library(
+    name = "signer_impl_lib",
+    srcs = ["signer_impl.cc"],
+    hdrs = ["signer_impl.h"],
+    deps = [
+        ":credentials_provider_interface",
+        ":signer_interface",
+        ":utility_lib",
+        "//source/common/buffer:buffer_lib",
+        "//source/common/common:hex_lib",
+        "//source/common/common:logger_lib",
+        "//source/common/common:utility_lib",
+        "//source/common/crypto:utility_lib",
+        "//source/common/http:headers_lib",
+        "//source/common/singleton:const_singleton",
+    ],
+)
+
+envoy_cc_library(
+    name = "credentials_provider_interface",
+    hdrs = ["credentials_provider.h"],
+    external_deps = ["abseil_optional"],
+)
+
+envoy_cc_library(
+    name = "utility_lib",
+    srcs = ["utility.cc"],
+    hdrs = ["utility.h"],
+    deps = [
+        "//source/common/common:utility_lib",
+        "//source/common/http:headers_lib",
+    ],
+)
diff --git a/source/extensions/filters/http/common/aws/credentials_provider.h b/source/extensions/filters/http/common/aws/credentials_provider.h
@@ -0,0 +1,53 @@
+#pragma once
+
+#include <string>
+
+#include "envoy/common/pure.h"
+
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace Common {
+namespace Aws {
+
+class Credentials {
+public:
+  Credentials() = default;
+
+  Credentials(absl::string_view access_key_id, absl::string_view secret_access_key)
+      : access_key_id_(access_key_id), secret_access_key_(secret_access_key) {}
+
+  Credentials(absl::string_view access_key_id, absl::string_view secret_access_key,
+              absl::string_view session_token)
+      : access_key_id_(access_key_id), secret_access_key_(secret_access_key),
+        session_token_(session_token) {}
+
+  const absl::optional<std::string>& accessKeyId() const { return access_key_id_; }
+
+  const absl::optional<std::string>& secretAccessKey() const { return secret_access_key_; }
+
+  const absl::optional<std::string>& sessionToken() const { return session_token_; }
+
+private:
+  absl::optional<std::string> access_key_id_;
+  absl::optional<std::string> secret_access_key_;
+  absl::optional<std::string> session_token_;
+};
+
+class CredentialsProvider {
+public:
+  virtual ~CredentialsProvider() = default;
+
+  virtual Credentials getCredentials() PURE;
+};
+
+typedef std::shared_ptr<CredentialsProvider> CredentialsProviderSharedPtr;
+
+} // namespace Aws
+} // namespace Common
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/extensions/filters/http/common/aws/signer.h b/source/extensions/filters/http/common/aws/signer.h
@@ -0,0 +1,32 @@
+#pragma once
+
+#include "envoy/common/pure.h"
+#include "envoy/http/message.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace Common {
+namespace Aws {
+
+// TODO(lavignes): Move this interface to include/envoy if this is needed elsewhere
+class Signer {
+public:
+  virtual ~Signer() = default;
+
+  /**
+   * Sign an AWS request.
+   * @param message an AWS API request message.
+   * @param sign_body include the message body in the signature. The body must be fully buffered.
+   * @throws EnvoyException if the request cannot be signed.
+   */
+  virtual void sign(Http::Message& message, bool sign_body) PURE;
+};
+
+typedef std::unique_ptr<Signer> SignerPtr;
+
+} // namespace Aws
+} // namespace Common
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/extensions/filters/http/common/aws/signer_impl.cc b/source/extensions/filters/http/common/aws/signer_impl.cc
@@ -0,0 +1,116 @@
+#include "extensions/filters/http/common/aws/signer_impl.h"
+
+#include "envoy/common/exception.h"
+
+#include "common/buffer/buffer_impl.h"
+#include "common/common/fmt.h"
+#include "common/common/hex.h"
+#include "common/crypto/utility.h"
+#include "common/http/headers.h"
+
+#include "extensions/filters/http/common/aws/utility.h"
+
+#include "absl/strings/str_join.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace Common {
+namespace Aws {
+
+void SignerImpl::sign(Http::Message& message, bool sign_body) {
+  const auto& credentials = credentials_provider_->getCredentials();
+  if (!credentials.accessKeyId() || !credentials.secretAccessKey()) {
+    // Empty or "anonymous" credentials are a valid use-case for non-production environments.
+    // This behavior matches what the AWS SDK would do.
+    return;
+  }
+  auto& headers = message.headers();
+  const auto* method_header = headers.Method();
+  if (method_header == nullptr) {
+    throw EnvoyException("Message is missing :method header");
+  }
+  const auto* path_header = headers.Path();
+  if (path_header == nullptr) {
+    throw EnvoyException("Message is missing :path header");
+  }
+  if (credentials.sessionToken()) {
+    headers.addCopy(SignatureHeaders::get().SecurityToken, credentials.sessionToken().value());
+  }
+  const auto long_date = long_date_formatter_.now(time_source_);
+  const auto short_date = short_date_formatter_.now(time_source_);
+  headers.addCopy(SignatureHeaders::get().Date, long_date);
+  const auto content_hash = createContentHash(message, sign_body);
+  // Phase 1: Create a canonical request
+  const auto canonical_headers = Utility::canonicalizeHeaders(headers);
+  const auto canonical_request = Utility::createCanonicalRequest(
+      method_header->value().getStringView(), path_header->value().getStringView(),
+      canonical_headers, content_hash);
+  ENVOY_LOG(debug, "Canonical request:\n{}", canonical_request);
+  // Phase 2: Create a string to sign
+  const auto credential_scope = createCredentialScope(short_date);
+  const auto string_to_sign = createStringToSign(canonical_request, long_date, credential_scope);
+  ENVOY_LOG(debug, "String to sign:\n{}", string_to_sign);
+  // Phase 3: Create a signature
+  const auto signature =
+      createSignature(credentials.secretAccessKey().value(), short_date, string_to_sign);
+  // Phase 4: Sign request
+  const auto authorization_header = createAuthorizationHeader(
+      credentials.accessKeyId().value(), credential_scope, canonical_headers, signature);
+  ENVOY_LOG(debug, "Signing request with: {}", authorization_header);
+  headers.addCopy(Http::Headers::get().Authorization, authorization_header);
+}
+
+std::string SignerImpl::createContentHash(Http::Message& message, bool sign_body) const {
+  if (!sign_body) {
+    return SignatureConstants::get().HashedEmptyString;
+  }
+  const auto content_hash =
+      message.body() ? Hex::encode(Envoy::Common::Crypto::Utility::getSha256Digest(*message.body()))
+                     : SignatureConstants::get().HashedEmptyString;
+  message.headers().addCopy(SignatureHeaders::get().ContentSha256, content_hash);
+  return content_hash;
+}
+
+std::string SignerImpl::createCredentialScope(absl::string_view short_date) const {
+  return fmt::format(SignatureConstants::get().CredentialScopeFormat, short_date, region_,
+                     service_name_);
+}
+
+std::string SignerImpl::createStringToSign(absl::string_view canonical_request,
+                                           absl::string_view long_date,
+                                           absl::string_view credential_scope) const {
+  return fmt::format(SignatureConstants::get().StringToSignFormat, long_date, credential_scope,
+                     Hex::encode(Envoy::Common::Crypto::Utility::getSha256Digest(
+                         Buffer::OwnedImpl(canonical_request))));
+}
+
+std::string SignerImpl::createSignature(absl::string_view secret_access_key,
+                                        absl::string_view short_date,
+                                        absl::string_view string_to_sign) const {
+  const auto secret_key =
+      absl::StrCat(SignatureConstants::get().SignatureVersion, secret_access_key);
+  const auto date_key = Envoy::Common::Crypto::Utility::getSha256Hmac(
+      std::vector<uint8_t>(secret_key.begin(), secret_key.end()), short_date);
+  const auto region_key = Envoy::Common::Crypto::Utility::getSha256Hmac(date_key, region_);
+  const auto service_key = Envoy::Common::Crypto::Utility::getSha256Hmac(region_key, service_name_);
+  const auto signing_key = Envoy::Common::Crypto::Utility::getSha256Hmac(
+      service_key, SignatureConstants::get().Aws4Request);
+  return Hex::encode(Envoy::Common::Crypto::Utility::getSha256Hmac(signing_key, string_to_sign));
+}
+
+std::string
+SignerImpl::createAuthorizationHeader(absl::string_view access_key_id,
+                                      absl::string_view credential_scope,
+                                      const std::map<std::string, std::string>& canonical_headers,
+                                      absl::string_view signature) const {
+  const auto signed_headers = Utility::joinCanonicalHeaderNames(canonical_headers);
+  return fmt::format(SignatureConstants::get().AuthorizationHeaderFormat, access_key_id,
+                     credential_scope, signed_headers, signature);
+}
+
+} // namespace Aws
+} // namespace Common
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy