Add traffic-mesh signature decoder. (#173)

Author: mrdg

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/bugsnag/bugsnag-go v1.5.3
 	github.com/bugsnag/panicwrap v1.2.0 // indirect
 	github.com/confluentinc/confluent-kafka-go v1.4.2
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/go-chi/chi v4.0.2+incompatible
 	github.com/gofrs/uuid v3.2.0+incompatible // indirect
 	github.com/google/go-cmp v0.4.1 // indirect

go.sum

@@ -69,6 +69,7 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=

trafficmesh/signature.go

@@ -0,0 +1,71 @@
+package trafficmesh
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/dgrijalva/jwt-go"
+)
+
+const signatureHeader = "X-NF-Mesh-Signature"
+
+// SignatureDecoder decodes a signed traffic-mesh header.
+type SignatureDecoder struct {
+	secret string
+}
+
+// SignaturePayload represents the fields in a traffic-mesh signature.
+type SignaturePayload struct {
+	jwt.StandardClaims
+	SiteID    string `json:"sid,omitempty"`
+	DeployID  string `json:"did,omitempty"`
+	AccountID string `json:"aid,omitempty"`
+	URL       string `json:"url,omitempty"`
+	Remapped  bool   `json:"remapped,omitempty"`
+}
+
+// NewSignatureDecoder constructs a new SignatureDecoder. When secret is an empty string,
+// DecodeSignature is a no-op.
+func NewSignatureDecoder(secret string) *SignatureDecoder {
+	return &SignatureDecoder{
+		secret: secret,
+	}
+}
+
+// DecodeSignature decodes a traffic-mesh signature. When either the secret or the header is an
+// empty string, this method returns a nil payload and nil error.
+func (d *SignatureDecoder) DecodeSignature(req *http.Request) (*SignaturePayload, error) {
+	if d.secret == "" || req.Header.Get(signatureHeader) == "" {
+		return nil, nil
+	}
+
+	payload := new(SignaturePayload)
+	token, err := jwt.ParseWithClaims(req.Header.Get(signatureHeader), payload, func(token *jwt.Token) (interface{}, error) {
+		alg, ok := token.Method.(*jwt.SigningMethodHMAC)
+		if !ok || alg != jwt.SigningMethodHS256 {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return []byte(d.secret), nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode traffic mesh signature: %w", err)
+	}
+	if !token.Valid {
+		return nil, errors.New("invalid token")
+	}
+
+	payloadURL, err := url.Parse(payload.URL)
+	if err != nil {
+		return nil, err
+	}
+	if payloadURL.Host != req.Host {
+		return nil, fmt.Errorf("token host %s doesn't match request host: %s", payloadURL.Host, req.Host)
+	}
+	if payloadURI, reqURI := payloadURL.RequestURI(), req.URL.RequestURI(); payloadURI != reqURI {
+		return nil, fmt.Errorf("token uri %s doesn't match request uri: %s", payloadURI, reqURI)
+	}
+
+	return payload, nil
+}

trafficmesh/signature_test.go

@@ -0,0 +1,82 @@
+package trafficmesh
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/dgrijalva/jwt-go"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSignatureDecoder(t *testing.T) {
+	const url = "https://example.org/index.html"
+
+	var makeReq = func() *http.Request {
+		req := httptest.NewRequest(http.MethodGet, "https://192.0.2.1/index.html", nil)
+		req.Host = "example.org"
+		return req
+	}
+
+	var addToken = func(req *http.Request, secret, url string) {
+		token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+			"sid":      "1",
+			"did":      "2",
+			"url":      url,
+			"remapped": true,
+		})
+		sig, err := token.SignedString([]byte(secret))
+		require.NoError(t, err)
+		req.Header.Set(signatureHeader, sig)
+	}
+
+	dec := NewSignatureDecoder("secret")
+
+	t.Run("no token", func(t *testing.T) {
+		req := makeReq()
+		payload, err := dec.DecodeSignature(req)
+		require.NoError(t, err)
+		require.Nil(t, payload)
+	})
+
+	t.Run("valid token", func(t *testing.T) {
+		req := makeReq()
+		addToken(req, "secret", url)
+
+		payload, err := dec.DecodeSignature(req)
+		require.NoError(t, err)
+
+		require.Equal(t, payload.SiteID, "1")
+		require.Equal(t, payload.DeployID, "2")
+	})
+
+	t.Run("wrong secret", func(t *testing.T) {
+		req := makeReq()
+		addToken(req, "wrong-secret", url)
+
+		_, err := dec.DecodeSignature(req)
+		require.Error(t, err)
+	})
+
+	t.Run("wrong path", func(t *testing.T) {
+		req := makeReq()
+		addToken(req, "secret", "http://example.org/stuff")
+		_, err := dec.DecodeSignature(req)
+		require.Error(t, err)
+	})
+
+	t.Run("wrong host", func(t *testing.T) {
+		req := makeReq()
+		addToken(req, "secret", "http://example.net/index.html")
+		_, err := dec.DecodeSignature(req)
+		require.Error(t, err)
+	})
+
+	t.Run("remapped flag", func(t *testing.T) {
+		req := makeReq()
+		addToken(req, "secret", url)
+		payload, err := dec.DecodeSignature(req)
+		require.NoError(t, err)
+		require.True(t, payload.Remapped)
+	})
+}