From 32e2a8b85f7650d4e60b9baa60e981306e9e0406 Mon Sep 17 00:00:00 2001
From: Sheetal Joshi
Date: Thu, 2 Mar 2023 21:38:00 -0500
Subject: [PATCH 1/5] Added support for unsigned_payload. New services such as Lattice doesn't support signed payload yet.
---
 cmd/aws-sigv4-proxy/main.go | 15 +++++++++++----
 handler/proxy_client.go | 1 +
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/cmd/aws-sigv4-proxy/main.go b/cmd/aws-sigv4-proxy/main.go
index f4e2978..1d199f4 100644
--- a/cmd/aws-sigv4-proxy/main.go
+++ b/cmd/aws-sigv4-proxy/main.go
@@ -21,6 +21,7 @@ import (
 "os"
 "strconv"
 "time"
+ "fmt"
 "aws-sigv4-proxy/handler"
@@ -47,6 +48,8 @@ var (
 regionOverride = kingpin.Flag("region", "AWS region to sign for").String()
 disableSSLVerification = kingpin.Flag("no-verify-ssl", "Disable peer SSL certificate validation").Bool()
 idleConnTimeout = kingpin.Flag("transport.idle-conn-timeout", "Idle timeout to the upstream service").Default("40s").Duration()
+ unsignedPayload = kingpin.Flag("unsigned-payload", "Prevent signing of the payload").Default("false").Bool()
+
 )
 type awsLoggerAdapter struct {
@@ -61,9 +64,6 @@ func main() {
 kingpin.Parse()
 log.SetLevel(log.InfoLevel)
- if *debug {
- log.SetLevel(log.DebugLevel)
- }
 sessionConfig := aws.Config{}
 if v := os.Getenv("AWS_STS_REGIONAL_ENDPOINTS"); len(v) == 0 {
@@ -102,12 +102,14 @@ func main() {
 } else {
 credentials = session.Config.Credentials
 }
-
+
+ fmt.Printf("%t", useUnsignedPayload())
 signer := v4.NewSigner(credentials, func(s *v4.Signer) {
 if shouldLogSigning() {
 s.Logger = awsLoggerAdapter{}
 s.Debug = aws.LogDebugWithSigning
 }
+ s.UnsignedPayload = useUnsignedPayload()
 })
 client := &http.Client{
 CheckRedirect: func(req *http.Request, via []*http.Request) error {
@@ -129,6 +131,7 @@ func main() {
 HostOverride: *hostOverride,
 RegionOverride: *regionOverride,
 LogFailedRequest: *logFailedResponse,
+ UnsignedPayload: *unsignedPayload,
 },
 }),
 )
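Review bot: The help text on the new `unsigned-payload` flag (hunk `@@ -47,6 +48,8 @@ var (`) does not tell operators what they give up: once `s.UnsignedPayload` is set in the `@@ -102,12 +102,14 @@` hunk, the request body is no longer covered by the SigV4 signature, so its integrity in transit rests on TLS alone. That matters most next to `no-verify-ssl`, declared two lines above, because enabling both leaves the body neither signed nor sent over a verified channel. I would say so in the flag description, e.g. `"Do not sign the request body (it is then protected only by TLS); use only for services that cannot accept signed payloads"`. As a matter of style, `.Default("false")` is redundant on a `Bool()` flag (the neighbouring `no-verify-ssl` omits it), and the added blank line before `)` can go.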
@@ -138,6 +141,10 @@ func shouldLogSigning() bool {
 return *logSinging || *debug
 }
+func useUnsignedPayload() bool {
+ return *unsignedPayload || false
+}
+
 func roleSessionName() string {
 suffix, err := os.Hostname()
diff --git a/handler/proxy_client.go b/handler/proxy_client.go
index 6e52853..9629995 100644
--- a/handler/proxy_client.go
+++ b/handler/proxy_client.go
@@ -43,6 +43,7 @@ type ProxyClient struct {
 HostOverride string
 RegionOverride string
 LogFailedRequest bool
+ UnsignedPayload bool
 }
 func (p *ProxyClient) sign(req *http.Request, service *endpoints.ResolvedEndpoint) error {
From b33f234aaa91fa9914e8f7c49aff8b46c12b0f38 Mon Sep 17 00:00:00 2001
From: Sheetal Joshi
Date: Fri, 3 Mar 2023 12:35:49 -0500
Subject: [PATCH 2/5] removed the debug print
---
 cmd/aws-sigv4-proxy/main.go | 2 --
 1 file changed, 2 deletions(-)
diff --git a/cmd/aws-sigv4-proxy/main.go b/cmd/aws-sigv4-proxy/main.go
index 1d199f4..5cbd21e 100644
--- a/cmd/aws-sigv4-proxy/main.go
+++ b/cmd/aws-sigv4-proxy/main.go
@@ -21,7 +21,6 @@ import (
 "os"
 "strconv"
 "time"
- "fmt"
 "aws-sigv4-proxy/handler"
@@ -103,7 +102,6 @@ func main() {
 credentials = session.Config.Credentials
 }
- fmt.Printf("%t", useUnsignedPayload())
 signer := v4.NewSigner(credentials, func(s *v4.Signer) {
 if shouldLogSigning() {
 s.Logger = awsLoggerAdapter{}
From 79e89f91dddb6d8c28996ae2a33676dd8ffb9af6 Mon Sep 17 00:00:00 2001
From: Sheetal Joshi
Date: Fri, 3 Mar 2023 12:37:16 -0500
Subject: [PATCH 3/5] Added the log level debug if loop back
---
 cmd/aws-sigv4-proxy/main.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/cmd/aws-sigv4-proxy/main.go b/cmd/aws-sigv4-proxy/main.go
index 5cbd21e..df7bca0 100644
--- a/cmd/aws-sigv4-proxy/main.go
+++ b/cmd/aws-sigv4-proxy/main.go
@@ -63,6 +63,9 @@ func main() {
 kingpin.Parse()
 log.SetLevel(log.InfoLevel)
+ if *debug {
+ log.SetLevel(log.DebugLevel)
+ }
 sessionConfig := aws.Config{}
 if v := os.Getenv("AWS_STS_REGIONAL_ENDPOINTS"); len(v) == 0 {
From e56515028dfb1fd5f7c0d4fd19fa858a72e68728 Mon Sep 17 00:00:00 2001
From: Sheetal Joshi
Date: Fri, 3 Mar 2023 12:41:43 -0500
Subject: [PATCH 4/5] Removed the unnecessary function
---
 cmd/aws-sigv4-proxy/main.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/cmd/aws-sigv4-proxy/main.go b/cmd/aws-sigv4-proxy/main.go
index df7bca0..d5b3d28 100644
--- a/cmd/aws-sigv4-proxy/main.go
+++ b/cmd/aws-sigv4-proxy/main.go
@@ -110,7 +110,7 @@ func main() {
 s.Logger = awsLoggerAdapter{}
 s.Debug = aws.LogDebugWithSigning
 }
- s.UnsignedPayload = useUnsignedPayload()
+ s.UnsignedPayload = *unsignedPayload
 })
 client := &http.Client{
 CheckRedirect: func(req *http.Request, via []*http.Request) error {
@@ -142,10 +142,6 @@ func shouldLogSigning() bool {
 return *logSinging || *debug
 }
-func useUnsignedPayload() bool {
- return *unsignedPayload || false
-}
-
 func roleSessionName() string {
 suffix, err := os.Hostname()
From d47db9fed561da7285672ef91b51e0257a617375 Mon Sep 17 00:00:00 2001
From: Sheetal Joshi
Date: Fri, 10 Mar 2023 11:27:37 -0500
Subject: [PATCH 5/5] Removed unused struct variable called UnsignedPayload
---
 cmd/aws-sigv4-proxy/main.go | 1 -
 handler/proxy_client.go | 1 -
 2 files changed, 2 deletions(-)
diff --git a/cmd/aws-sigv4-proxy/main.go b/cmd/aws-sigv4-proxy/main.go
index d5b3d28..c50e583 100644
--- a/cmd/aws-sigv4-proxy/main.go
+++ b/cmd/aws-sigv4-proxy/main.go
@@ -132,7 +132,6 @@ func main() {
 HostOverride: *hostOverride,
 RegionOverride: *regionOverride,
 LogFailedRequest: *logFailedResponse,
- UnsignedPayload: *unsignedPayload,
 },
 }),
 )
diff --git a/handler/proxy_client.go b/handler/proxy_client.go
index 9629995..6e52853 100644
--- a/handler/proxy_client.go
+++ b/handler/proxy_client.go
@@ -43,7 +43,6 @@ type ProxyClient struct {
 HostOverride string
 RegionOverride string
 LogFailedRequest bool
- UnsignedPayload bool
 }
 func (p *ProxyClient) sign(req *http.Request, service *endpoints.ResolvedEndpoint) error {
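Review bot: Nothing in the `@@ -110,7 +110,7 @@ func main()` hunk records that payload signing was turned off, so once `s.UnsignedPayload = *unsignedPayload` takes effect the weaker signing mode is invisible in the proxy's logs. A one-line startup warning beside this assignment, e.g. `if *unsignedPayload { log.Warn("payload signing disabled: request bodies are not covered by the SigV4 signature") }`, would let an operator or an audit spot it. This assumes the file's `log` package offers `Warn`, which the `log.SetLevel` calls elsewhere in this series suggest but do not confirm. The closure passed to `v4.NewSigner` and the rest of `main` extend beyond the hunk.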