func (rs *RouteServiceConfig) ValidateSignature(headers *http.Header, requestUrl string) error { metadataHeader := headers.Get(RouteServiceMetadata) signatureHeader := headers.Get(RouteServiceSignature) signature, err := header.SignatureFromHeaders(signatureHeader, metadataHeader, rs.crypto) if err != nil { rs.logger.Info("proxy.route-service.current_key", lager.Data{"error": err.Error()}) // Decrypt the head again trying to use the old key. if rs.cryptoPrev != nil { rs.logger.Info("proxy.route-service.current_key", lager.Data{"error": err.Error()}) signature, err = header.SignatureFromHeaders(signatureHeader, metadataHeader, rs.cryptoPrev) if err != nil { rs.logger.Info("proxy.route-service.previous_key", lager.Data{"error": err.Error()}) } } return err } err = rs.validateSignatureTimeout(signature) if err != nil { return err } return rs.validateForwardedUrl(signature, requestUrl) }
func ReadSignature(c *cli.Context) { sigEncoded := c.String("signature") metaEncoded := c.String("metadata") if sigEncoded == "" || metaEncoded == "" { cli.ShowCommandHelp(c, "read") os.Exit(1) } crypto, err := common.CreateCrypto(c) if err != nil { os.Exit(1) } signature, err := header.SignatureFromHeaders(sigEncoded, metaEncoded, crypto) if err != nil { fmt.Printf("Failed to read signature: %s\n", err.Error()) os.Exit(1) } printSignature(signature) }
crypto.EncryptReturns([]byte{}, []byte{}, errors.New("No entropy")) }) It("returns an error", func() { _, _, err := header.BuildSignatureAndMetadata(crypto, signature) Expect(err).To(HaveOccurred()) }) }) }) Describe("Parse signature from headers", func() { var ( signatureHeader string metadataHeader string ) BeforeEach(func() { var err error signatureHeader, metadataHeader, err = header.BuildSignatureAndMetadata(crypto, signature) Expect(err).ToNot(HaveOccurred()) }) It("parses signature from signature and metadata headers", func() { decryptedSignature, err := header.SignatureFromHeaders(signatureHeader, metadataHeader, crypto) Expect(err).ToNot(HaveOccurred()) Expect(signature.RequestedTime.Sub(decryptedSignature.RequestedTime)).To(Equal(time.Duration(0))) }) }) })
Expect(err).ToNot(HaveOccurred()) }() }) BeforeEach(func() { conf.RouteServiceEnabled = true recommendHttps = true forwardedUrl = "https://my_host.com/resource+9-9_9?query=123&query$2=345#page1..5" routeServiceHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { metadataHeader := r.Header.Get(route_service.RouteServiceMetadata) signatureHeader := r.Header.Get(route_service.RouteServiceSignature) crypto, err := secure.NewAesGCM([]byte(cryptoKey)) Expect(err).ToNot(HaveOccurred()) _, err = header.SignatureFromHeaders(signatureHeader, metadataHeader, crypto) Expect(err).ToNot(HaveOccurred()) Expect(r.Header.Get("X-CF-ApplicationID")).To(Equal("")) // validate client request header Expect(r.Header.Get("X-CF-Forwarded-Url")).To(Equal(forwardedUrl)) w.Write([]byte("My Special Snowflake Route Service\n")) }) crypto, err := secure.NewAesGCM([]byte(cryptoKey)) Expect(err).ToNot(HaveOccurred()) signature := &header.Signature{ RequestedTime: time.Now(),