func (rs *RouteServiceConfig) ValidateSignature(headers *http.Header, requestUrl string) error {
metadataHeader := headers.Get(RouteServiceMetadata)
signatureHeader := headers.Get(RouteServiceSignature)
signature, err := header.SignatureFromHeaders(signatureHeader, metadataHeader, rs.crypto)
if err != nil {
rs.logger.Info("proxy.route-service.current_key", lager.Data{"error": err.Error()})
// Decrypt the head again trying to use the old key.
if rs.cryptoPrev != nil {
rs.logger.Info("proxy.route-service.current_key", lager.Data{"error": err.Error()})
signature, err = header.SignatureFromHeaders(signatureHeader, metadataHeader, rs.cryptoPrev)
if err != nil {
rs.logger.Info("proxy.route-service.previous_key", lager.Data{"error": err.Error()})
}
}
return err
}
err = rs.validateSignatureTimeout(signature)
if err != nil {
return err
}
return rs.validateForwardedUrl(signature, requestUrl)
}
func ReadSignature(c *cli.Context) {
sigEncoded := c.String("signature")
metaEncoded := c.String("metadata")
if sigEncoded == "" || metaEncoded == "" {
cli.ShowCommandHelp(c, "read")
os.Exit(1)
}
crypto, err := common.CreateCrypto(c)
if err != nil {
os.Exit(1)
}
signature, err := header.SignatureFromHeaders(sigEncoded, metaEncoded, crypto)
if err != nil {
fmt.Printf("Failed to read signature: %s\n", err.Error())
os.Exit(1)
}
printSignature(signature)
}
crypto.EncryptReturns([]byte{}, []byte{}, errors.New("No entropy"))
})
It("returns an error", func() {
_, _, err := header.BuildSignatureAndMetadata(crypto, signature)
Expect(err).To(HaveOccurred())
})
})
})
Describe("Parse signature from headers", func() {
var (
signatureHeader string
metadataHeader string
)
BeforeEach(func() {
var err error
signatureHeader, metadataHeader, err = header.BuildSignatureAndMetadata(crypto, signature)
Expect(err).ToNot(HaveOccurred())
})
It("parses signature from signature and metadata headers", func() {
decryptedSignature, err := header.SignatureFromHeaders(signatureHeader, metadataHeader, crypto)
Expect(err).ToNot(HaveOccurred())
Expect(signature.RequestedTime.Sub(decryptedSignature.RequestedTime)).To(Equal(time.Duration(0)))
})
})
})
Expect(err).ToNot(HaveOccurred())
}()
})
BeforeEach(func() {
conf.RouteServiceEnabled = true
recommendHttps = true
forwardedUrl = "https://my_host.com/resource+9-9_9?query=123&query$2=345#page1..5"
routeServiceHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
metadataHeader := r.Header.Get(route_service.RouteServiceMetadata)
signatureHeader := r.Header.Get(route_service.RouteServiceSignature)
crypto, err := secure.NewAesGCM([]byte(cryptoKey))
Expect(err).ToNot(HaveOccurred())
_, err = header.SignatureFromHeaders(signatureHeader, metadataHeader, crypto)
Expect(err).ToNot(HaveOccurred())
Expect(r.Header.Get("X-CF-ApplicationID")).To(Equal(""))
// validate client request header
Expect(r.Header.Get("X-CF-Forwarded-Url")).To(Equal(forwardedUrl))
w.Write([]byte("My Special Snowflake Route Service\n"))
})
crypto, err := secure.NewAesGCM([]byte(cryptoKey))
Expect(err).ToNot(HaveOccurred())
signature := &header.Signature{
RequestedTime: time.Now(),