diff --git a/profiles/dab_jwt/proxy/go.mod b/profiles/dab_jwt/proxy/go.mod
index fa2045b154..8dd8987e1a 100644
--- a/profiles/dab_jwt/proxy/go.mod
+++ b/profiles/dab_jwt/proxy/go.mod
@@ -2,4 +2,7 @@ module mockproxy
 go 1.16
-require github.com/golang-jwt/jwt/v4 v4.4.1
+require (
+ github.com/golang-jwt/jwt/v4 v4.4.1
+ github.com/google/uuid v1.6.0 // indirect
+)
diff --git a/profiles/dab_jwt/proxy/go.sum b/profiles/dab_jwt/proxy/go.sum
index e2a8f55b2c..e3808450d0 100644
--- a/profiles/dab_jwt/proxy/go.sum
+++ b/profiles/dab_jwt/proxy/go.sum
@@ -1,2 +1,4 @@
 github.com/golang-jwt/jwt/v4 v4.4.1 h1:pC5DB52sCeK48Wlb9oPcdhnjkz1TKt1D/P7WKJ0kUcQ=
 github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
diff --git a/profiles/dab_jwt/proxy/proxy.go b/profiles/dab_jwt/proxy/proxy.go
index e065eacf6d..992b45159c 100644
--- a/profiles/dab_jwt/proxy/proxy.go
+++ b/profiles/dab_jwt/proxy/proxy.go
@@ -38,7 +38,13 @@ import (
 "strings"
 "time"
+ "crypto/hmac"
+ "crypto/sha256"
+ "encoding/json"
+ "errors"
+
 "github.com/golang-jwt/jwt/v4"
+ "github.com/google/uuid"
 )
 // User represents a user's information
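Review bot: `github.com/google/uuid v1.6.0 // indirect` in the new go.mod `require` block is marked indirect, but the proxy.go hunk in this same commit imports `github.com/google/uuid` directly, so the marker is stale and `go mod tidy` would rewrite the line as `github.com/google/uuid v1.6.0`. Dropping the comment now keeps the module file from churning on the next tidy run.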
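Review bot: The new standard-library imports `crypto/hmac`, `crypto/sha256`, `encoding/json` and `errors` are added as a second group after `"time"` instead of being merged into the existing standard-library group, which is not how `goimports` lays out an import block and will be reshuffled by the next formatter run. Fold them into the first group in sorted order and keep the third-party `jwt` and `uuid` imports together in the group below. The import block opens on the hunk header line, so its earlier entries are outside the hunk.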
@@ -100,6 +106,39 @@ func pathHasPrefix(path string, prefixes []string) bool {
 return false
 }
+func generateHmacSha256SharedSecret(nonce *string) (string, error) {
+
+ const ANSIBLE_BASE_SHARED_SECRET = "redhat1234"
+ var SharedSecretNotFound = errors.New("The setting ANSIBLE_BASE_SHARED_SECRET was not set, some functionality may be disabled")
+
+ if ANSIBLE_BASE_SHARED_SECRET == "" {
+ log.Println("The setting ANSIBLE_BASE_SHARED_SECRET was not set, some functionality may be disabled.")
+ return "", SharedSecretNotFound
+ }
+
+ if nonce == nil {
+ currentNonce := fmt.Sprintf("%d", time.Now().Unix())
+ nonce = ¤tNonce
+ }
+
+ message := map[string]string{
+ "nonce": *nonce,
+ "shared_secret": ANSIBLE_BASE_SHARED_SECRET,
+ }
+
+ messageBytes, err := json.Marshal(message)
+ if err != nil {
+ return "", err
+ }
+
+ mac := hmac.New(sha256.New, []byte(ANSIBLE_BASE_SHARED_SECRET))
+ mac.Write(messageBytes)
+ signature := fmt.Sprintf("%x", mac.Sum(nil))
+
+ secret := fmt.Sprintf("%s:%s", *nonce, signature)
+ return secret, nil
+}
+
 // BasicAuth middleware
 func BasicAuth(next http.Handler, users map[string]User) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -157,6 +196,9 @@ func BasicAuth(next http.Handler, users map[string]User) http.Handler {
 // Set the X-DAB-JW-TOKEN header
 r.Header.Set("X-DAB-JW-TOKEN", token)
+
+ // Remove the Authorization header
+ r.Header.Del("Authorization")
 }
 next.ServeHTTP(w, r)
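Review bot: The `if ANSIBLE_BASE_SHARED_SECRET == ""` guard in generateHmacSha256SharedSecret can never fire, because the secret is a `const` initialised from the literal `"redhat1234"` two lines above, so the "not set" branch and its error are dead code and the credential itself is baked into the binary. If this setting is meant to mirror a deployment value rather than be a fixed test fixture, read it at call time, e.g. `sharedSecret := os.Getenv("ANSIBLE_BASE_SHARED_SECRET")` (adding `"os"` to the imports if it is not already there), which makes the empty check meaningful and keeps the value out of source control. The error is also re-created on every call; a package-level `var ErrSharedSecretNotFound = errors.New("ANSIBLE_BASE_SHARED_SECRET is not set")` lets callers compare with `errors.Is` and follows the lowercase, no-trailing-punctuation convention. The line `nonce = ¤tNonce` reads as a rendering artifact of `&currentNonce`; worth confirming against the committed file.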
@@ -268,8 +310,20 @@ func main() {
 // log every reqest
 log.Printf("Request: %s %s", req.Method, req.URL.String())
- // TODO: add any relevant headers to the downstream request
- // req.Header.Add("X-Proxy-Header", "Header-Value")
+ // just assume this proxy is http ...
+ req.Header.Add("X-Forwarded-Proto", "https")
+
+ // https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-envoy-internal
+ req.Header.Add("X-Envoy-Internal", "true")
+
+ // each request has a unique ID
+ newUUID := uuid.New()
+ req.Header.Add("X-Request-Id", newUUID.String())
+
+ // make the x-trusted-proxy header
+ newSecret, _ := generateHmacSha256SharedSecret(nil)
+ req.Header.Add("X-Trusted-Proxy", newSecret)
+
 originalDirector(req)
 }
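Review bot: The four headers written in the Director use `req.Header.Add`, which appends to whatever the inbound request already carried, so a client-supplied `X-Envoy-Internal`, `X-Forwarded-Proto`, `X-Request-Id` or `X-Trusted-Proxy` value would be forwarded downstream alongside the proxy's own; these are proxy-asserted headers and should be written with `req.Header.Set` so any client value is replaced. The error from `generateHmacSha256SharedSecret(nil)` is discarded with `_`, which on failure forwards an empty `X-Trusted-Proxy` value instead of omitting the header; handle it and log it. The comment `// just assume this proxy is http ...` contradicts the `"https"` value set on the next line and should state the actual intent. The Director closure this hunk edits begins outside the hunk.

```go
		// … unchanged: request logging …

		// Set rather than Add so values the client may have sent for these
		// proxy-asserted headers are replaced, not forwarded alongside ours.
		req.Header.Set("X-Forwarded-Proto", "https")
		req.Header.Set("X-Envoy-Internal", "true")
		req.Header.Set("X-Request-Id", uuid.New().String())

		newSecret, err := generateHmacSha256SharedSecret(nil)
		if err != nil {
			log.Printf("X-Trusted-Proxy not set: %v", err)
			req.Header.Del("X-Trusted-Proxy")
		} else {
			req.Header.Set("X-Trusted-Proxy", newSecret)
		}

		originalDirector(req)
```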