Auth: Guarantee consistency of signed SigV4 headers (#45054)

* use latest sigv4 changes * update configuration docs * lint * reformat lint ignore * specific version for docs
2025-02-25 18:55:37 -06:00 · 2022-02-08 14:48:17 +01:00 · 2022-02-08 14:48:17 +01:00 · fc42dfe396
commit fc42dfe396
parent 4e5b1ca141
9 changed files with 78 additions and 22 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -403,6 +403,9 @@ api_key_max_seconds_to_live = -1
 # Set to true to enable SigV4 authentication option for HTTP-based datasources
 sigv4_auth_enabled = false

+# Set to true to enable verbose logging of SigV4 request signing
+sigv4_verbose_logging = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -397,6 +397,9 @@
 # Set to true to enable SigV4 authentication option for HTTP-based datasources.
 ;sigv4_auth_enabled = false

+# Set to true to enable verbose logging of SigV4 request signing
+;sigv4_verbose_logging = false
+
 #################################### Anonymous Auth ######################
 [auth.anonymous]
 # enable anonymous access
--- a/docs/sources/administration/configuration.md
+++ b/docs/sources/administration/configuration.md
@ -757,6 +757,12 @@ Limit of API key seconds to live before expiration. Default is -1 (unlimited).

 Set to `true` to enable the AWS Signature Version 4 Authentication option for HTTP-based datasources. Default is `false`.

+### sigv4_verbose_logging
+
+> Only available in Grafana 8.3.6+.
+
+Set to `true` to enable verbose request signature logging when AWS Signature Version 4 Authentication is enabled. Default is `false`.
+
 <hr />

 ## [auth.anonymous]
--- a/go.mod
+++ b/go.mod
@ -53,7 +53,7 @@ require (
 	github.com/gorilla/websocket v1.4.2
 	github.com/gosimple/slug v1.9.0
 	github.com/grafana/cuetsy v0.0.0-20211119211437-8c25464cc9bf
-	github.com/grafana/grafana-aws-sdk v0.9.1
+	github.com/grafana/grafana-aws-sdk v0.10.0
 	github.com/grafana/grafana-plugin-sdk-go v0.125.0
 	github.com/grafana/loki v1.6.2-0.20211015002020-7832783b1caa
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
--- a/go.sum
+++ b/go.sum
@ -1242,6 +1242,8 @@ github.com/grafana/go-mssqldb v0.0.0-20210326084033-d0ce3c521036 h1:GplhUk6Xes5J
 github.com/grafana/go-mssqldb v0.0.0-20210326084033-d0ce3c521036/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/grafana/grafana-aws-sdk v0.9.1 h1:jMZlsLsWnqOwLt2UNcLUsJ2z6289hLYlscK35QgS158=
 github.com/grafana/grafana-aws-sdk v0.9.1/go.mod h1:6KaQ8uUD4KpXr/b7bAC7zbfSXTVOiTk4XhIrwkGWn4w=
+github.com/grafana/grafana-aws-sdk v0.10.0 h1:q7+mJtT/vsU5InDN57yM+BJ2z1kJDf1W4WwWPEZ0Cxw=
+github.com/grafana/grafana-aws-sdk v0.10.0/go.mod h1:vFIOHEnY1u5nY0/tge1IHQjPuG6DRKr2ISf/HikUdjE=
 github.com/grafana/grafana-google-sdk-go v0.0.0-20211104130251-b190293eaf58 h1:2ud7NNM7LrGPO4x0NFR8qLq68CqI4SmB7I2yRN2w9oE=
 github.com/grafana/grafana-google-sdk-go v0.0.0-20211104130251-b190293eaf58/go.mod h1:Vo2TKWfDVmNTELBUM+3lkrZvFtBws0qSZdXhQxRdJrE=
 github.com/grafana/grafana-plugin-sdk-go v0.94.0/go.mod h1:3VXz4nCv6wH5SfgB3mlW39s+c+LetqSCjFj7xxPC5+M=
--- a/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
+++ b/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
@ -31,7 +31,7 @@ func New(cfg *setting.Cfg, tracer tracing.Tracer, features featuremgmt.FeatureTo
 	}

 	if cfg.SigV4AuthEnabled {
-		middlewares = append(middlewares, SigV4Middleware())
+		middlewares = append(middlewares, SigV4Middleware(cfg.SigV4VerboseLogging))
 	}

 	setDefaultTimeoutOptions(cfg)
--- a/pkg/infra/httpclient/httpclientprovider/sigv4_middleware.go
+++ b/pkg/infra/httpclient/httpclientprovider/sigv4_middleware.go
@ -1,6 +1,7 @@
 package httpclientprovider

 import (
+	"fmt"
 	"net/http"

 	"github.com/grafana/grafana-aws-sdk/pkg/sigv4"
@ -13,24 +14,34 @@ const SigV4MiddlewareName = "sigv4"
 var newSigV4Func = sigv4.New

 // SigV4Middleware applies AWS Signature Version 4 request signing for the outgoing request.
-func SigV4Middleware() httpclient.Middleware {
+func SigV4Middleware(verboseLogging bool) httpclient.Middleware {
 	return httpclient.NamedMiddlewareFunc(SigV4MiddlewareName, func(opts httpclient.Options, next http.RoundTripper) http.RoundTripper {
 		if opts.SigV4 == nil {
 			return next
 		}

-		return newSigV4Func(
-			&sigv4.Config{
-				Service:       opts.SigV4.Service,
-				AccessKey:     opts.SigV4.AccessKey,
-				SecretKey:     opts.SigV4.SecretKey,
-				Region:        opts.SigV4.Region,
-				AssumeRoleARN: opts.SigV4.AssumeRoleARN,
-				AuthType:      opts.SigV4.AuthType,
-				ExternalID:    opts.SigV4.ExternalID,
-				Profile:       opts.SigV4.Profile,
-			},
-			next,
-		)
+		conf := &sigv4.Config{
+			Service:       opts.SigV4.Service,
+			AccessKey:     opts.SigV4.AccessKey,
+			SecretKey:     opts.SigV4.SecretKey,
+			Region:        opts.SigV4.Region,
+			AssumeRoleARN: opts.SigV4.AssumeRoleARN,
+			AuthType:      opts.SigV4.AuthType,
+			ExternalID:    opts.SigV4.ExternalID,
+			Profile:       opts.SigV4.Profile,
+		}
+
+		rt, err := newSigV4Func(conf, next, sigv4.Opts{VerboseMode: verboseLogging})
+		if err != nil {
+			return invalidSigV4Config(err)
+		}
+
+		return rt
+	})
+}
+
+func invalidSigV4Config(err error) http.RoundTripper {
+	return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+		return nil, fmt.Errorf("invalid SigV4 configuration: %w", err)
 	})
 }
--- a/pkg/infra/httpclient/httpclientprovider/sigv4_middleware_test.go
+++ b/pkg/infra/httpclient/httpclientprovider/sigv4_middleware_test.go
@ -1,6 +1,7 @@
 package httpclientprovider

 import (
+	"fmt"
 	"net/http"
 	"testing"

@ -14,12 +15,12 @@ func TestSigV4Middleware(t *testing.T) {
 		origSigV4Func := newSigV4Func
 		newSigV4Called := false
 		middlewareCalled := false
-		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper) http.RoundTripper {
+		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper, opts ...sigv4.Opts) (http.RoundTripper, error) {
 			newSigV4Called = true
 			return httpclient.RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
 				middlewareCalled = true
 				return next.RoundTrip(r)
-			})
+			}), nil
 		}
 		t.Cleanup(func() {
 			newSigV4Func = origSigV4Func
@ -27,7 +28,7 @@ func TestSigV4Middleware(t *testing.T) {

 		ctx := &testContext{}
 		finalRoundTripper := ctx.createRoundTripper("finalrt")
-		mw := SigV4Middleware()
+		mw := SigV4Middleware(false)
 		rt := mw.CreateMiddleware(httpclient.Options{}, finalRoundTripper)
 		require.NotNil(t, rt)
 		middlewareName, ok := mw.(httpclient.MiddlewareName)
@ -52,12 +53,12 @@ func TestSigV4Middleware(t *testing.T) {
 		origSigV4Func := newSigV4Func
 		newSigV4Called := false
 		middlewareCalled := false
-		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper) http.RoundTripper {
+		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper, opts ...sigv4.Opts) (http.RoundTripper, error) {
 			newSigV4Called = true
 			return httpclient.RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
 				middlewareCalled = true
 				return next.RoundTrip(r)
-			})
+			}), nil
 		}
 		t.Cleanup(func() {
 			newSigV4Func = origSigV4Func
@ -65,7 +66,7 @@ func TestSigV4Middleware(t *testing.T) {

 		ctx := &testContext{}
 		finalRoundTripper := ctx.createRoundTripper("final")
-		mw := SigV4Middleware()
+		mw := SigV4Middleware(false)
 		rt := mw.CreateMiddleware(httpclient.Options{SigV4: &httpclient.SigV4Config{}}, finalRoundTripper)
 		require.NotNil(t, rt)
 		middlewareName, ok := mw.(httpclient.MiddlewareName)
@ -86,4 +87,32 @@ func TestSigV4Middleware(t *testing.T) {
 		require.True(t, newSigV4Called)
 		require.True(t, middlewareCalled)
 	})
+
+	t.Run("With sigv4 error returned", func(t *testing.T) {
+		origSigV4Func := newSigV4Func
+		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper, opts ...sigv4.Opts) (http.RoundTripper, error) {
+			return nil, fmt.Errorf("problem")
+		}
+		t.Cleanup(func() {
+			newSigV4Func = origSigV4Func
+		})
+
+		ctx := &testContext{}
+		finalRoundTripper := ctx.createRoundTripper("final")
+		mw := SigV4Middleware(false)
+		rt := mw.CreateMiddleware(httpclient.Options{SigV4: &httpclient.SigV4Config{}}, finalRoundTripper)
+		require.NotNil(t, rt)
+		middlewareName, ok := mw.(httpclient.MiddlewareName)
+		require.True(t, ok)
+		require.Equal(t, SigV4MiddlewareName, middlewareName.MiddlewareName())
+
+		req, err := http.NewRequest(http.MethodGet, "http://", nil)
+		require.NoError(t, err)
+		// response is nil
+		// nolint:bodyclose
+		res, err := rt.RoundTrip(req)
+		require.Error(t, err)
+		require.Nil(t, res)
+		require.Empty(t, ctx.callChain)
+	})
 }
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -284,6 +284,7 @@ type Cfg struct {
 	LoginMaxLifetime             time.Duration
 	TokenRotationIntervalMinutes int
 	SigV4AuthEnabled             bool
+	SigV4VerboseLogging          bool
 	BasicAuthEnabled             bool
 	AdminUser                    string
 	AdminPassword                string
@ -1259,6 +1260,7 @@ func readAuthSettings(iniFile *ini.File, cfg *Cfg) (err error) {
 	// SigV4
 	SigV4AuthEnabled = auth.Key("sigv4_auth_enabled").MustBool(false)
 	cfg.SigV4AuthEnabled = SigV4AuthEnabled
+	cfg.SigV4VerboseLogging = auth.Key("sigv4_verbose_logging").MustBool(false)

 	// anonymous access
 	AnonymousEnabled = iniFile.Section("auth.anonymous").Key("enabled").MustBool(false)