forked from kopeio/aws-es-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
signing_transport.go
136 lines (114 loc) · 3.04 KB
/
signing_transport.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
package main
import (
"bytes"
"io/ioutil"
"net/http"
"strings"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/private/signer/v4"
"github.com/golang/glog"
)
const SERVICE_NAME = "es"
type SigningRoundTripper struct {
region string
inner http.RoundTripper
credentials *credentials.Credentials
}
var _ http.RoundTripper = &SigningRoundTripper{}
func NewSigningRoundTripper(inner http.RoundTripper, region string, credentials *credentials.Credentials) *SigningRoundTripper {
if inner == nil {
inner = http.DefaultTransport
}
p := &SigningRoundTripper{inner: inner, region: region, credentials: credentials}
return p
}
func (p *SigningRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
glog.V(2).Infof("Got request: %s %s", req.Method, req.URL)
// Fix the host header in case broken by proxy-rewrite
if req.URL.Host != "" {
req.Host = req.URL.Host
}
// I think the AWS authentication proxy does not like forwarded headers
for k := range req.Header {
lk := strings.ToLower(k)
if lk == "x-forwarded-host" {
delete(req.Header, k)
}
if lk == "x-forwarded-port" {
delete(req.Header, k)
}
if lk == "x-forwarded-for" {
delete(req.Header, k)
}
if lk == "x-forwarded-proto" {
delete(req.Header, k)
}
if lk == "x-forwarded-uri" {
delete(req.Header, k)
}
if lk == "x-forward-for" {
delete(req.Header, k)
}
if lk == "x-forward-proto" {
delete(req.Header, k)
}
if lk == "x-forward-port" {
delete(req.Header, k)
}
}
// We're going to put our own auth headers on here
delete(req.Header, "Authorization")
var body []byte
var err error
if req.Body != nil {
body, err = ioutil.ReadAll(req.Body)
if err != nil {
glog.Infof("error reading request body: %v", err)
return nil, err
}
}
if req.Method == "GET" || req.Method == "HEAD" {
delete(req.Header, "Content-Length")
}
oldPath := req.URL.Path
if oldPath != "" {
// Escape the path before signing so that the path in the signature and
// the path in the request match.
req.URL.Path = req.URL.EscapedPath()
glog.V(4).Infof("Path -> %q", req.URL.Path)
}
awsReq := &request.Request{}
awsReq.Config.Credentials = p.credentials
awsReq.Config.Region = aws.String(p.region)
awsReq.ClientInfo.ServiceName = SERVICE_NAME
awsReq.HTTPRequest = req
awsReq.Time = time.Now()
awsReq.ExpireTime = 0
if body != nil {
awsReq.Body = bytes.NewReader(body)
}
if glog.V(4) {
awsReq.Config.LogLevel = aws.LogLevel(aws.LogDebugWithSigning)
awsReq.Config.Logger = aws.NewDefaultLogger()
}
v4.Sign(awsReq)
if awsReq.Error != nil {
glog.Warningf("error signing request: %v", awsReq.Error)
return nil, awsReq.Error
}
req.URL.Path = oldPath
if body != nil {
req.Body = ioutil.NopCloser(bytes.NewReader(body))
}
response, err := p.inner.RoundTrip(req)
if err != nil {
glog.Warning("Request error: ", err)
return nil, err
} else {
glog.V(2).Infof("response %s", response.Status)
return response, err
}
}