1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
package oci
import (
"bytes"
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/sha256"
"encoding/base64"
"fmt"
"io"
"net/http"
"strconv"
"strings"
"time"
)
type nopCloser struct {
io.Reader
}
func (nopCloser) Close() error {
return nil
}
// Transport adds OCI signature authentication to each outgoing request.
type Transport struct {
transport http.RoundTripper
config *Config
}
// NewTransport creates a new Transport to add OCI signature authentication
// to each outgoing request.
func NewTransport(transport http.RoundTripper, config *Config) *Transport {
return &Transport{
transport: transport,
config: config,
}
}
func (t *Transport) RoundTrip(req *http.Request) (*http.Response, error) {
var buf *bytes.Buffer
if req.Body != nil {
buf = new(bytes.Buffer)
buf.ReadFrom(req.Body)
req.Body = nopCloser{buf}
}
if req.Header.Get("date") == "" {
req.Header.Set("date", time.Now().UTC().Format(http.TimeFormat))
}
if req.Header.Get("content-type") == "" {
req.Header.Set("content-type", "application/json")
}
if req.Header.Get("accept") == "" {
req.Header.Set("accept", "application/json")
}
if req.Header.Get("host") == "" {
req.Header.Set("host", req.URL.Host)
}
var signheaders []string
if (req.Method == "PUT" || req.Method == "POST") && buf != nil {
signheaders = []string{"(request-target)", "host", "date",
"content-length", "content-type", "x-content-sha256"}
if req.Header.Get("content-length") == "" {
req.Header.Set("content-length", strconv.Itoa(buf.Len()))
}
hasher := sha256.New()
hasher.Write(buf.Bytes())
hash := hasher.Sum(nil)
req.Header.Set("x-content-sha256", base64.StdEncoding.EncodeToString(hash))
} else {
signheaders = []string{"date", "host", "(request-target)"}
}
var signbuffer bytes.Buffer
for idx, header := range signheaders {
signbuffer.WriteString(header)
signbuffer.WriteString(": ")
if header == "(request-target)" {
signbuffer.WriteString(strings.ToLower(req.Method))
signbuffer.WriteString(" ")
signbuffer.WriteString(req.URL.RequestURI())
} else {
signbuffer.WriteString(req.Header.Get(header))
}
if idx < len(signheaders)-1 {
signbuffer.WriteString("\n")
}
}
h := sha256.New()
h.Write(signbuffer.Bytes())
digest := h.Sum(nil)
signature, err := rsa.SignPKCS1v15(rand.Reader, t.config.Key, crypto.SHA256, digest)
if err != nil {
return nil, err
}
authHeader := fmt.Sprintf("Signature headers=\"%s\","+
"keyId=\"%s/%s/%s\","+
"algorithm=\"rsa-sha256\","+
"signature=\"%s\","+
"version=\"1\"",
strings.Join(signheaders, " "),
t.config.Tenancy, t.config.User, t.config.Fingerprint,
base64.StdEncoding.EncodeToString(signature))
req.Header.Add("Authorization", authHeader)
return t.transport.RoundTrip(req)
}
|