diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..cdbe2b3 --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,24 @@ +on: + release: + types: [published] + +name: Publish + +jobs: + release: + name: Release + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions-rs/toolchain@v1 + with: + profile: minimal + toolchain: stable + override: true + - uses: actions-rs/cargo@v1 + with: + command: login + args: -- ${{secrets.CARGO_TOKEN}} + - uses: actions-rs/cargo@v1 + with: + command: publish diff --git a/.github/workflows/toolchain.yml b/.github/workflows/toolchain.yml new file mode 100644 index 0000000..1f7e80b --- /dev/null +++ b/.github/workflows/toolchain.yml @@ -0,0 +1,81 @@ +on: [push] + +name: CI + +jobs: + check: + name: Check + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions-rs/toolchain@v1 + with: + profile: minimal + toolchain: stable + override: true + - uses: actions-rs/cargo@v1 + with: + command: check + args: --all-features + + fmt: + name: Rustfmt + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions-rs/toolchain@v1 + with: + profile: minimal + toolchain: stable + override: true + - run: rustup component add rustfmt + - uses: actions-rs/cargo@v1 + with: + command: fmt + args: --all -- --check + + clippy: + name: Clippy + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: actions-rs/toolchain@v1 + with: + profile: minimal + toolchain: stable + override: true + - run: rustup component add clippy + - uses: actions-rs/cargo@v1 + with: + command: clippy + args: --all --all-features -- -D warnings + + test: + name: Test + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Install stable toolchain + uses: actions-rs/toolchain@v1 + with: + toolchain: stable + override: true + + - name: Run cargo-tarpaulin + uses: actions-rs/tarpaulin@v0.1 + with: + version: latest + args: --all --all-features + + - name: Upload to codecov.io + uses: codecov/codecov-action@v1.0.2 + with: + token: ${{secrets.CODECOV_TOKEN}} + + - name: Archive code coverage results + uses: actions/upload-artifact@v1 + with: + name: code-coverage-report + path: cobertura.xml diff --git a/Cargo.toml b/Cargo.toml index 792424f..55da734 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,10 +1,16 @@ [package] name = "http-sig" +description = "Implementation of the IETF draft 'Signing HTTP Messages'" version = "0.1.0" -authors = ["Jack Cargill "] +authors = ["Jack Cargill ", "Diggory Blake"] edition = "2018" +license = "MIT/Apache-2.0" +documentation = "https://docs.rs/crate/http-sig" +repository = "https://github.com/PassFort/http-signatures" +homepage = "https://github.com/PassFort/http-signatures" -# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html +[package.metadata.docs.rs] +all-features = true [dependencies] chrono = "0.4.10" @@ -12,8 +18,4 @@ hmac = "0.7.1" http = "0.2.0" sha2 = "0.8.1" base64 = "0.11.0" -reqwest = {version = "0.10.1", optional = true} - - -[features] -reqwest_client = ["reqwest"] \ No newline at end of file +reqwest = {version = "0.10.1", features = ["blocking"], optional = true} diff --git a/LICENSE-APACHE b/LICENSE-APACHE new file mode 100644 index 0000000..0b26a67 --- /dev/null +++ b/LICENSE-APACHE @@ -0,0 +1,208 @@ +Copyright 2020 PassFort Limited + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. + +A copy of the license is reproduced below. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/LICENSE-MIT b/LICENSE-MIT new file mode 100644 index 0000000..3c8e2e3 --- /dev/null +++ b/LICENSE-MIT @@ -0,0 +1,25 @@ +Copyright (c) 2020 PassFort Limited + +Permission is hereby granted, free of charge, to any +person obtaining a copy of this software and associated +documentation files (the "Software"), to deal in the +Software without restriction, including without +limitation the rights to use, copy, modify, merge, +publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software +is furnished to do so, subject to the following +conditions: + +The above copyright notice and this permission notice +shall be included in all copies or substantial portions +of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF +ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED +TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A +PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT +SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR +IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER +DEALINGS IN THE SOFTWARE. diff --git a/src/algorithm.rs b/src/algorithm.rs new file mode 100644 index 0000000..8091194 --- /dev/null +++ b/src/algorithm.rs @@ -0,0 +1,30 @@ +use hmac::{Hmac, Mac}; +use sha2::{Digest, Sha256}; + +pub trait HttpSignatureAlgorithm { + const NAME: &'static str; + fn http_sign(&self, bytes_to_sign: &[u8]) -> String; +} + +pub trait HttpDigestAlgorithm { + const NAME: &'static str; + fn http_digest(bytes_to_digest: &[u8]) -> String; +} + +pub struct InvalidKey; + +impl HttpSignatureAlgorithm for Hmac { + const NAME: &'static str = "hmac-sha256"; + fn http_sign(&self, bytes_to_sign: &[u8]) -> String { + let mut mac = self.clone(); + mac.input(bytes_to_sign); + base64::encode(&mac.result().code()) + } +} + +impl HttpDigestAlgorithm for Sha256 { + const NAME: &'static str = "SHA-256"; + fn http_digest(bytes_to_digest: &[u8]) -> String { + base64::encode(&Sha256::digest(bytes_to_digest)) + } +} diff --git a/src/header.rs b/src/header.rs new file mode 100644 index 0000000..b25950a --- /dev/null +++ b/src/header.rs @@ -0,0 +1,56 @@ +use std::cmp::Ordering; + +use http::header::HeaderName; + +#[derive(Debug, Copy, Clone, PartialOrd, Ord, PartialEq, Eq)] +#[non_exhaustive] +pub enum PseudoHeader { + RequestTarget, +} + +impl PseudoHeader { + pub fn as_str(&self) -> &str { + match self { + PseudoHeader::RequestTarget => "(request-target)", + } + } +} + +#[derive(Debug, Clone, PartialEq, Eq)] +pub enum Header { + Pseudo(PseudoHeader), + Normal(HeaderName), +} + +impl Header { + pub fn as_str(&self) -> &str { + match self { + Header::Pseudo(h) => h.as_str(), + Header::Normal(h) => h.as_str(), + } + } +} + +impl Ord for Header { + fn cmp(&self, other: &Header) -> Ordering { + self.as_str().cmp(other.as_str()) + } +} + +impl PartialOrd for Header { + fn partial_cmp(&self, other: &Header) -> Option { + Some(self.cmp(other)) + } +} + +impl From for Header { + fn from(other: HeaderName) -> Self { + Header::Normal(other) + } +} + +impl From for Header { + fn from(other: PseudoHeader) -> Self { + Header::Pseudo(other) + } +} diff --git a/src/lib.rs b/src/lib.rs index 34024fa..8f3ca3b 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -1,197 +1,277 @@ -use chrono::{DateTime, Utc}; -use http::header::{HeaderName, HeaderValue}; +use std::collections::BTreeSet; +use std::convert::TryInto; +use std::error; +use std::fmt; +use std::marker::PhantomData; + +use chrono::Utc; +use http::header::{HeaderName, HeaderValue, AUTHORIZATION, DATE, HOST}; use hmac::{Hmac, Mac}; -use sha2::{Digest, Sha256}; +use sha2::Sha256; -// Create alias for HMAC-SHA256 -type HmacSha256 = Hmac; +type DefaultSignatureAlgorithm = Hmac; +type DefaultDigestAlgorithm = Sha256; -pub fn body_digest(body: &[u8]) -> String { - let mut hasher = Sha256::default(); - hasher.input(body); - base64::encode(&hasher.result()) -} +mod algorithm; +pub use algorithm::*; -pub fn signature( - // base64 encoded integration key - key: &str, - bytes_to_sign: &[u8], -) -> Result { - let key = base64::decode(key)?; - // Create HMAC-SHA256 instance which implements `Mac` trait - let mut mac = HmacSha256::new_varkey(&key).expect("HMAC can take key of any size"); - mac.input(bytes_to_sign); - Ok(base64::encode(&mac.result().code())) -} +mod header; +pub use header::*; -pub const KEY_ID_LEN: usize = 8; +#[cfg(feature = "reqwest")] +mod reqwest_impls; +#[cfg(feature = "reqwest")] +pub use reqwest_impls::*; -pub trait HttpSigExt: Sized { - type Error; - fn with_sig( - self, - key: &str, - date: DateTime, - headers: Vec<(HeaderName, Option)>, - ) -> Result; +#[derive(Debug)] +pub struct HttpSignatureConfig { + algorithm: SigAlg, + key_id: Option, + headers: BTreeSet
, + compute_digest: bool, + add_date: bool, + add_host: bool, + phantom: PhantomData DigestAlg>, } -#[cfg(feature = "reqwest_client")] -mod reqwest { - pub use super::*; - - #[derive(Debug)] - pub enum ReqwestSignatureError { - KeyTooShort, - KeyNotBase64(base64::DecodeError), - UrlHostMissing, - MissingHeaderValue(http::header::HeaderName), - } - - fn get_header_value<'a>( - req: &'a ::reqwest::Request, - name: &HeaderName, - ) -> Option { - let from_headers = req.headers().get(name).cloned(); - match name { - HOST => from_headers.or_else(|| { - req.url() - .host_str() - .map(HeaderValue::from_str) - .and_then(Result::ok) - - }), - header => from_headers, - } - } - - - - impl HttpSigExt for ::reqwest::Request { - type Error = ReqwestSignatureError; - - fn with_sig( - mut self, - key: &str, - date: DateTime, - headers: Vec<(HeaderName, Option)>, - ) -> Result { - if key.len() < KEY_ID_LEN { - return Err(ReqwestSignatureError::KeyTooShort); - } - let date = date.format("%a, %d %b %Y %T GMT").to_string(); - - let digest = self.body().map(|body| { - body_digest( - body.as_bytes() - .expect("cannot compute digest for stream body"), - ) - }); - - let host = self - .url() - .host_str() - .ok_or(ReqwestSignatureError::UrlHostMissing)?; - let path = self.url().path(); - - let mut bytes_to_sign = format!( - "(request-target): {} {}\ndate: {}", - self.method().as_str().to_lowercase(), - path, - date - ); - - for (header, value) in &headers { - let from_req = get_header_value(&self, &header); - - let value: Option<&HeaderValue> = value.as_ref().or_else(|| from_req.as_ref()); - - //TODO: special casing for date, digest, etc. - bytes_to_sign.push_str(&format!( - "\n{}: {}", - header.as_str().to_lowercase(), - value - .ok_or_else(|| ReqwestSignatureError::MissingHeaderValue(header.clone()))? - .to_str() - .expect("Binary header value") - )); - } +impl HttpSignatureConfig { + // Use the default signature algorithm + pub fn new_default(key: &[u8]) -> Self { + Self::new( + DefaultSignatureAlgorithm::new_varkey(key).expect("HMAC can take key of any size"), + ) + } +} - self.headers_mut().insert( - DATE, - HeaderValue::from_str(&date) - .expect("HTTP formatted date should always be a valid header value"), - ); +impl HttpSignatureConfig { + pub fn new(algorithm: SigAlg) -> Self { + HttpSignatureConfig { + algorithm, + key_id: None, + headers: [ + Header::Pseudo(PseudoHeader::RequestTarget), + Header::Normal(HOST), + Header::Normal(DATE), + Header::Normal(HeaderName::from_static("digest")), + ] + .iter() + .cloned() + .collect(), + compute_digest: true, + add_date: true, + add_host: true, + phantom: PhantomData, + } + } +} - if let Some(digest) = digest { - let digest_string = format!("SHA-256={}", digest); +impl HttpSignatureConfig { + pub fn key_id(&self) -> Option<&str> { + self.key_id.as_ref().map(AsRef::as_ref) + } + pub fn set_key_id(&mut self, key_id: Option<&str>) -> &mut Self { + self.key_id = key_id.map(Into::into); + self + } + pub fn with_key_id(mut self, key_id: Option<&str>) -> Self { + self.set_key_id(key_id); + self + } + pub fn with_digest(self) -> HttpSignatureConfig { + HttpSignatureConfig { + algorithm: self.algorithm, + key_id: self.key_id, + headers: self.headers, + compute_digest: self.compute_digest, + add_date: self.add_date, + add_host: self.add_host, + phantom: PhantomData, + } + } + pub fn compute_digest(&self) -> bool { + self.compute_digest + } + pub fn set_compute_digest(&mut self, compute_digest: bool) -> &mut Self { + self.compute_digest = compute_digest; + self + } + pub fn with_compute_digest(mut self, compute_digest: bool) -> Self { + self.set_compute_digest(compute_digest); + self + } + pub fn add_date(&self) -> bool { + self.add_date + } + pub fn set_add_date(&mut self, add_date: bool) -> &mut Self { + self.add_date = add_date; + self + } + pub fn with_add_date(mut self, add_date: bool) -> Self { + self.set_add_date(add_date); + self + } + pub fn add_host(&self) -> bool { + self.add_host + } + pub fn set_add_host(&mut self, add_host: bool) -> &mut Self { + self.add_host = add_host; + self + } + pub fn with_add_host(mut self, add_host: bool) -> Self { + self.set_add_host(add_host); + self + } + pub fn headers(&self) -> impl IntoIterator { + &self.headers + } + pub fn set_headers(&mut self, headers: &[Header]) -> &mut Self { + self.headers = headers.iter().cloned().collect(); + self + } + pub fn with_headers(mut self, headers: &[Header]) -> Self { + self.set_headers(headers); + self + } +} - bytes_to_sign.push_str("\ndigest: "); - bytes_to_sign.push_str(&digest_string); - self.headers_mut().insert( - HeaderName::from_static("digest"), - HeaderValue::from_str(&digest_string) - .expect("Base64 encoded digest should always be a valid header value"), - ); - } +pub trait HttpSignatureExt: Sized { + fn signed( + mut self, + config: &HttpSignatureConfig, + ) -> Result + where + SigAlg: HttpSignatureAlgorithm, + DigestAlg: HttpDigestAlgorithm, + { + self.sign(config)?; + Ok(self) + } - let header_names = format!("(request-target) date {} digest", headers.iter().map(|(name, _)| name.as_str()).collect::>().join(" ")); - - let signature = signature(key, dbg!(bytes_to_sign).as_bytes()) - .map_err(ReqwestSignatureError::KeyNotBase64)?; - - let auth_header = format!( - r#"Signature keyId="{}",algorithm="hmac-sha256",signature="{}",headers="{}"#, - &key[..KEY_ID_LEN], - signature, - header_names - ); + fn sign( + &mut self, + config: &HttpSignatureConfig, + ) -> Result<(), Error> + where + SigAlg: HttpSignatureAlgorithm, + DigestAlg: HttpDigestAlgorithm; +} - self.headers_mut().insert( - AUTHORIZATION, - HeaderValue::from_str(&auth_header) - .expect("Auth signature should always be a valid header value"), - ); +#[derive(Debug)] +#[non_exhaustive] +pub enum Error { + Unknown, +} - Ok(self) +impl fmt::Display for Error { + fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { + match self { + Error::Unknown => f.write_str("Unknown error"), } } +} - #[cfg(test)] - mod tests { - use chrono::{offset::TimeZone, Utc}; - use http::header::{HeaderName, AUTHORIZATION, CONTENT_TYPE, DATE, HOST}; - - use super::HttpSigExt; - - #[test] - fn it_works() { - let client = reqwest::Client::new(); - - let without_sig = client - .post("http://test.com/foo/bar") - .header(CONTENT_TYPE, "application/json") - .body(&br#"{ "x": 1, "y": 2}"#[..]) - .build() - .unwrap(); - - let with_sig = without_sig - .with_sig( - "abcdefgh", - Utc.ymd(2014, 7, 8).and_hms(9, 10, 11), - vec![(HOST, None)], - ) - .unwrap(); - - assert_eq!(with_sig.headers().get(AUTHORIZATION).unwrap(), "Signature keyId=\"abcdefgh\",algorithm=\"hmac-sha256\",signature=\"2fZGHoEIscD9Kak7lxSmKgwk6KZEYiE+rm3s1qMtj8w=\",headers=\"(request-target) host date digest"); - assert_eq!( - with_sig - .headers() - .get(HeaderName::from_static("digest")) - .unwrap(), - "SHA-256=2vgEVkfe4d6VW+tSWAziO7BUx7uT/rA9hn1EoxUJi2o=" +impl error::Error for Error {} + +pub trait ClientRequestLike { + fn host(&self) -> Option; + fn header(&self, header_name: &Header) -> Option; + fn compute_digest(&mut self) -> Option; + fn set_header(&mut self, header: HeaderName, value: HeaderValue); +} + +impl HttpSignatureExt for R { + fn sign( + &mut self, + config: &HttpSignatureConfig, + ) -> Result<(), Error> + where + SigAlg: HttpSignatureAlgorithm, + DigestAlg: HttpDigestAlgorithm, + { + let digest_header = HeaderName::from_static("digest"); + + // Add missing date header + if config.add_date && self.header(&DATE.into()).is_none() { + let date = Utc::now().format("%a, %d %b %Y %T GMT").to_string(); + self.set_header( + DATE, + date.try_into() + .expect("Dates should always be valid header values"), ); } + // Add missing host header + if config.add_host && self.header(&HOST.into()).is_none() { + if let Some(host) = self.host() { + self.set_header( + HOST, + host.try_into() + .expect("Host should be valid in a HTTP header"), + ); + } + } + // Add missing digest header + if config.compute_digest && self.header(&digest_header.clone().into()).is_none() { + if let Some(digest_str) = self.compute_digest::() { + let digest = format!("{}={}", DigestAlg::NAME, digest_str); + self.set_header( + digest_header, + digest + .try_into() + .expect("Digest should be valid in a HTTP header"), + ); + } + } + + // Build the content block + let (header_vec, content_vec): (Vec<_>, Vec<_>) = config + .headers + .iter() + .filter_map(|header| { + // Lookup header values, and filter out any headers that are missing + self.header(&header) + .as_ref() + .and_then(|value| value.to_str().ok()) + .map(|value| (header.as_str(), value.to_owned())) + }) + .map(|(header, value)| { + // Construct the content to be signed + (header, format!("{}: {}", header, value)) + }) + .unzip(); + + let headers = header_vec.join(" "); + let content = content_vec.join("\n"); + + // Sign the content + let signature = config.algorithm.http_sign(content.as_bytes()); + + // Construct the authorization header + let auth_header = if let Some(key_id) = config.key_id.as_ref() { + format!( + r#"Signature keyId="{}",algorithm="{}",signature="{}",headers="{}"#, + key_id, + SigAlg::NAME, + signature, + headers + ) + } else { + format!( + r#"Signature algorithm="{}",signature="{}",headers="{}"#, + SigAlg::NAME, + signature, + headers + ) + }; + + // Attach the authorization header to the request + self.set_header( + AUTHORIZATION, + auth_header + .try_into() + .expect("Signature scheme should generate a valid header"), + ); + + Ok(()) } } diff --git a/src/reqwest_impls.rs b/src/reqwest_impls.rs new file mode 100644 index 0000000..2277e59 --- /dev/null +++ b/src/reqwest_impls.rs @@ -0,0 +1,105 @@ +use super::*; + +impl ClientRequestLike for reqwest::Request { + fn host(&self) -> Option { + self.url().host_str().map(Into::into) + } + fn header(&self, header: &Header) -> Option { + match header { + Header::Normal(header_name) => self.headers().get(header_name).cloned(), + Header::Pseudo(PseudoHeader::RequestTarget) => { + let method = self.method().as_str().to_ascii_lowercase(); + let path = self.url().path(); + format!("{} {}", method, path).try_into().ok() + } + } + } + fn compute_digest(&mut self) -> Option { + self.body()?.as_bytes().map(D::http_digest) + } + fn set_header(&mut self, header: HeaderName, value: HeaderValue) { + self.headers_mut().insert(header, value); + } +} + +impl ClientRequestLike for reqwest::blocking::Request { + fn host(&self) -> Option { + self.url().host_str().map(Into::into) + } + fn header(&self, header: &Header) -> Option { + match header { + Header::Normal(header_name) => self.headers().get(header_name).cloned(), + Header::Pseudo(PseudoHeader::RequestTarget) => { + let method = self.method().as_str().to_ascii_lowercase(); + let path = self.url().path(); + format!("{} {}", method, path).try_into().ok() + } + } + } + fn compute_digest(&mut self) -> Option { + None + } + fn set_header(&mut self, header: HeaderName, value: HeaderValue) { + self.headers_mut().insert(header, value); + } +} + +#[cfg(test)] +mod tests { + use chrono::{offset::TimeZone, Utc}; + use http::header::CONTENT_TYPE; + + use super::*; + + #[test] + fn it_works() { + let config = HttpSignatureConfig::new_default("abcdefgh".as_bytes()); + + let client = reqwest::Client::new(); + + let without_sig = client + .post("http://test.com/foo/bar") + .header(CONTENT_TYPE, "application/json") + .header( + DATE, + Utc.ymd(2014, 7, 8) + .and_hms(9, 10, 11) + .format("%a, %d %b %Y %T GMT") + .to_string(), + ) + .body(&br#"{ "x": 1, "y": 2}"#[..]) + .build() + .unwrap(); + + let with_sig = without_sig.signed(&config).unwrap(); + + assert_eq!(with_sig.headers().get(AUTHORIZATION).unwrap(), "Signature algorithm=\"hmac-sha256\",signature=\"uH2I9FSuCGUrIEygs7hR29oz0Afkz0bZyHpz6cW/mLQ=\",headers=\"(request-target) date digest host"); + assert_eq!( + with_sig + .headers() + .get(HeaderName::from_static("digest")) + .unwrap(), + "SHA-256=2vgEVkfe4d6VW+tSWAziO7BUx7uT/rA9hn1EoxUJi2o=" + ); + } + + #[test] + #[ignore] + fn it_can_talk_to_reference_integration() { + let config = HttpSignatureConfig::new_default(&base64::decode("dummykey").unwrap()) + .with_key_id(Some("dummykey")); + + let client = reqwest::blocking::Client::new(); + + let req = client + .get("http://localhost:8080/config") + .build() + .unwrap() + .signed(&config) + .unwrap(); + + let result = client.execute(req).unwrap(); + println!("{:?}", result.text().unwrap()); + assert!(false); + } +}