Fill in all the missing headers.

No-Issue Signed-off-by: James Tanner <[email protected]>
ansible · May 28, 2024 · 0c6fc99 · 0c6fc99
1 parent f52ac6b
commit 0c6fc99
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 3 deletions.
diff --git a/profiles/dab_jwt/proxy/go.mod b/profiles/dab_jwt/proxy/go.mod
@@ -2,4 +2,7 @@ module mockproxy
 
 go 1.16
 
-require github.com/golang-jwt/jwt/v4 v4.4.1
+require (
+	github.com/golang-jwt/jwt/v4 v4.4.1
+	github.com/google/uuid v1.6.0 // indirect
+)
diff --git a/profiles/dab_jwt/proxy/go.sum b/profiles/dab_jwt/proxy/go.sum
@@ -1,2 +1,4 @@
 github.com/golang-jwt/jwt/v4 v4.4.1 h1:pC5DB52sCeK48Wlb9oPcdhnjkz1TKt1D/P7WKJ0kUcQ=
 github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
diff --git a/profiles/dab_jwt/proxy/proxy.go b/profiles/dab_jwt/proxy/proxy.go
@@ -38,7 +38,13 @@ import (
 	"strings"
 	"time"
 
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/json"
+	"errors"
+
 	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/uuid"
 )
 
 // User represents a user's information
@@ -100,6 +106,39 @@ func pathHasPrefix(path string, prefixes []string) bool {
 	return false
 }
 
+func generateHmacSha256SharedSecret(nonce *string) (string, error) {
+
+	const ANSIBLE_BASE_SHARED_SECRET = "redhat1234"
+	var SharedSecretNotFound = errors.New("The setting ANSIBLE_BASE_SHARED_SECRET was not set, some functionality may be disabled")
+
+	if ANSIBLE_BASE_SHARED_SECRET == "" {
+		log.Println("The setting ANSIBLE_BASE_SHARED_SECRET was not set, some functionality may be disabled.")
+		return "", SharedSecretNotFound
+	}
+
+	if nonce == nil {
+		currentNonce := fmt.Sprintf("%d", time.Now().Unix())
+		nonce = &currentNonce
+	}
+
+	message := map[string]string{
+		"nonce":         *nonce,
+		"shared_secret": ANSIBLE_BASE_SHARED_SECRET,
+	}
+
+	messageBytes, err := json.Marshal(message)
+	if err != nil {
+		return "", err
+	}
+
+	mac := hmac.New(sha256.New, []byte(ANSIBLE_BASE_SHARED_SECRET))
+	mac.Write(messageBytes)
+	signature := fmt.Sprintf("%x", mac.Sum(nil))
+
+	secret := fmt.Sprintf("%s:%s", *nonce, signature)
+	return secret, nil
+}
+
 // BasicAuth middleware
 func BasicAuth(next http.Handler, users map[string]User) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -157,6 +196,9 @@ func BasicAuth(next http.Handler, users map[string]User) http.Handler {
 
 			// Set the X-DAB-JW-TOKEN header
 			r.Header.Set("X-DAB-JW-TOKEN", token)
+
+			// Remove the Authorization header
+			r.Header.Del("Authorization")
 		}
 
 		next.ServeHTTP(w, r)
@@ -268,8 +310,20 @@ func main() {
 		// log every reqest
 		log.Printf("Request: %s %s", req.Method, req.URL.String())
 
-		// TODO: add any relevant headers to the downstream request
-		// req.Header.Add("X-Proxy-Header", "Header-Value")
+		// just assume this proxy is http ...
+		req.Header.Add("X-Forwarded-Proto", "https")
+
+		// https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-envoy-internal
+		req.Header.Add("X-Envoy-Internal", "true")
+
+		// each request has a unique ID
+		newUUID := uuid.New()
+		req.Header.Add("X-Request-Id", newUUID.String())
+
+		// make the x-trusted-proxy header
+		newSecret, _ := generateHmacSha256SharedSecret(nil)
+		req.Header.Add("X-Trusted-Proxy", newSecret)
+
 		originalDirector(req)
 	}