Auth: Guarantee consistency of signed SigV4 headers (#45054)

* use latest sigv4 changes * update configuration docs * lint * reformat lint ignore * specific version for docs
2025-02-25 18:55:37 -06:00 · 2022-02-08 14:48:17 +01:00
parent 4e5b1ca141
commit fc42dfe396
9 changed files with 78 additions and 22 deletions
--- a/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
+++ b/pkg/infra/httpclient/httpclientprovider/http_client_provider.go
@@ -31,7 +31,7 @@ func New(cfg *setting.Cfg, tracer tracing.Tracer, features featuremgmt.FeatureTo
 	}

 	if cfg.SigV4AuthEnabled {
-		middlewares = append(middlewares, SigV4Middleware())
+		middlewares = append(middlewares, SigV4Middleware(cfg.SigV4VerboseLogging))
 	}

 	setDefaultTimeoutOptions(cfg)
--- a/pkg/infra/httpclient/httpclientprovider/sigv4_middleware.go
+++ b/pkg/infra/httpclient/httpclientprovider/sigv4_middleware.go
@@ -1,6 +1,7 @@
 package httpclientprovider

 import (
+	"fmt"
 	"net/http"

 	"github.com/grafana/grafana-aws-sdk/pkg/sigv4"
@@ -13,24 +14,34 @@ const SigV4MiddlewareName = "sigv4"
 var newSigV4Func = sigv4.New

 // SigV4Middleware applies AWS Signature Version 4 request signing for the outgoing request.
-func SigV4Middleware() httpclient.Middleware {
+func SigV4Middleware(verboseLogging bool) httpclient.Middleware {
 	return httpclient.NamedMiddlewareFunc(SigV4MiddlewareName, func(opts httpclient.Options, next http.RoundTripper) http.RoundTripper {
 		if opts.SigV4 == nil {
 			return next
 		}

-		return newSigV4Func(
-			&sigv4.Config{
-				Service:       opts.SigV4.Service,
-				AccessKey:     opts.SigV4.AccessKey,
-				SecretKey:     opts.SigV4.SecretKey,
-				Region:        opts.SigV4.Region,
-				AssumeRoleARN: opts.SigV4.AssumeRoleARN,
-				AuthType:      opts.SigV4.AuthType,
-				ExternalID:    opts.SigV4.ExternalID,
-				Profile:       opts.SigV4.Profile,
-			},
-			next,
-		)
+		conf := &sigv4.Config{
+			Service:       opts.SigV4.Service,
+			AccessKey:     opts.SigV4.AccessKey,
+			SecretKey:     opts.SigV4.SecretKey,
+			Region:        opts.SigV4.Region,
+			AssumeRoleARN: opts.SigV4.AssumeRoleARN,
+			AuthType:      opts.SigV4.AuthType,
+			ExternalID:    opts.SigV4.ExternalID,
+			Profile:       opts.SigV4.Profile,
+		}
+
+		rt, err := newSigV4Func(conf, next, sigv4.Opts{VerboseMode: verboseLogging})
+		if err != nil {
+			return invalidSigV4Config(err)
+		}
+
+		return rt
+	})
+}
+
+func invalidSigV4Config(err error) http.RoundTripper {
+	return httpclient.RoundTripperFunc(func(req *http.Request) (*http.Response, error) {
+		return nil, fmt.Errorf("invalid SigV4 configuration: %w", err)
 	})
 }
--- a/pkg/infra/httpclient/httpclientprovider/sigv4_middleware_test.go
+++ b/pkg/infra/httpclient/httpclientprovider/sigv4_middleware_test.go
@@ -1,6 +1,7 @@
 package httpclientprovider

 import (
+	"fmt"
 	"net/http"
 	"testing"

@@ -14,12 +15,12 @@ func TestSigV4Middleware(t *testing.T) {
 		origSigV4Func := newSigV4Func
 		newSigV4Called := false
 		middlewareCalled := false
-		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper) http.RoundTripper {
+		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper, opts ...sigv4.Opts) (http.RoundTripper, error) {
 			newSigV4Called = true
 			return httpclient.RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
 				middlewareCalled = true
 				return next.RoundTrip(r)
-			})
+			}), nil
 		}
 		t.Cleanup(func() {
 			newSigV4Func = origSigV4Func
@@ -27,7 +28,7 @@ func TestSigV4Middleware(t *testing.T) {

 		ctx := &testContext{}
 		finalRoundTripper := ctx.createRoundTripper("finalrt")
-		mw := SigV4Middleware()
+		mw := SigV4Middleware(false)
 		rt := mw.CreateMiddleware(httpclient.Options{}, finalRoundTripper)
 		require.NotNil(t, rt)
 		middlewareName, ok := mw.(httpclient.MiddlewareName)
@@ -52,12 +53,12 @@ func TestSigV4Middleware(t *testing.T) {
 		origSigV4Func := newSigV4Func
 		newSigV4Called := false
 		middlewareCalled := false
-		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper) http.RoundTripper {
+		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper, opts ...sigv4.Opts) (http.RoundTripper, error) {
 			newSigV4Called = true
 			return httpclient.RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
 				middlewareCalled = true
 				return next.RoundTrip(r)
-			})
+			}), nil
 		}
 		t.Cleanup(func() {
 			newSigV4Func = origSigV4Func
@@ -65,7 +66,7 @@ func TestSigV4Middleware(t *testing.T) {

 		ctx := &testContext{}
 		finalRoundTripper := ctx.createRoundTripper("final")
-		mw := SigV4Middleware()
+		mw := SigV4Middleware(false)
 		rt := mw.CreateMiddleware(httpclient.Options{SigV4: &httpclient.SigV4Config{}}, finalRoundTripper)
 		require.NotNil(t, rt)
 		middlewareName, ok := mw.(httpclient.MiddlewareName)
@@ -86,4 +87,32 @@ func TestSigV4Middleware(t *testing.T) {
 		require.True(t, newSigV4Called)
 		require.True(t, middlewareCalled)
 	})
+
+	t.Run("With sigv4 error returned", func(t *testing.T) {
+		origSigV4Func := newSigV4Func
+		newSigV4Func = func(config *sigv4.Config, next http.RoundTripper, opts ...sigv4.Opts) (http.RoundTripper, error) {
+			return nil, fmt.Errorf("problem")
+		}
+		t.Cleanup(func() {
+			newSigV4Func = origSigV4Func
+		})
+
+		ctx := &testContext{}
+		finalRoundTripper := ctx.createRoundTripper("final")
+		mw := SigV4Middleware(false)
+		rt := mw.CreateMiddleware(httpclient.Options{SigV4: &httpclient.SigV4Config{}}, finalRoundTripper)
+		require.NotNil(t, rt)
+		middlewareName, ok := mw.(httpclient.MiddlewareName)
+		require.True(t, ok)
+		require.Equal(t, SigV4MiddlewareName, middlewareName.MiddlewareName())
+
+		req, err := http.NewRequest(http.MethodGet, "http://", nil)
+		require.NoError(t, err)
+		// response is nil
+		// nolint:bodyclose
+		res, err := rt.RoundTrip(req)
+		require.Error(t, err)
+		require.Nil(t, res)
+		require.Empty(t, ctx.callChain)
+	})
 }