feat: New endpoint auth type to create http message signatures for outbound requests according to RFC 9421

go.mod

@@ -39,6 +39,7 @@ require (
 	github.com/knadh/koanf/providers/rawbytes v0.1.0
 	github.com/knadh/koanf/providers/structs v0.1.0
 	github.com/knadh/koanf/v2 v2.1.1
+	github.com/offblocks/httpsig v0.8.1
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/cachecontrol v0.2.0
 	github.com/prometheus/client_golang v1.19.1
@@ -129,6 +130,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dunglas/httpsfv v1.0.2 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
 	github.com/fatih/structs v1.1.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect

go.sum

@@ -104,6 +104,8 @@ github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 h1:7QPwrLT79GlD5sizHf27aoY2RTvw62mO6x7mxkScNk0=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46/go.mod h1:esf2rsHFNlZlxsqsZDojNBcnNs5REqIvRrWRHqX0vEU=
+github.com/dunglas/httpsfv v1.0.2 h1:iERDp/YAfnojSDJ7PW3dj1AReJz4MrwbECSSE59JWL0=
+github.com/dunglas/httpsfv v1.0.2/go.mod h1:zID2mqw9mFsnt7YC3vYQ9/cjq30q41W+1AnDwH8TiMg=
 github.com/elnormous/contenttype v1.0.4 h1:FjmVNkvQOGqSX70yvocph7keC8DtmJaLzTTq6ZOQCI8=
 github.com/elnormous/contenttype v1.0.4/go.mod h1:5KTOW8m1kdX1dLMiUJeN9szzR2xkngiv2K+RVZwWBbI=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
@@ -306,6 +308,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/offblocks/httpsig v0.8.1 h1:yhPNaIS0W8f7Rr6Wjg76i4psgJEqvv8oJG3LiUQWnFM=
+github.com/offblocks/httpsig v0.8.1/go.mod h1:0+40VSLg4GX71fnwqQ17tKcmsXXDBFA0Gqg/y/EuVi8=
 github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
 github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
 github.com/openzipkin/zipkin-go v0.4.2 h1:zjqfqHjUpPmB3c1GlCvvgsM1G4LkvqQbBDueDOCg/jA=

internal/rules/endpoint/authstrategy/http_message_signatures.go

@@ -0,0 +1,93 @@
+package authstrategy
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/binary"
+	"net/http"
+	"time"
+
+	"github.com/offblocks/httpsig"
+	"github.com/rs/zerolog"
+
+	"github.com/dadrus/heimdall/internal/heimdall"
+	"github.com/dadrus/heimdall/internal/x/errorchain"
+	"github.com/dadrus/heimdall/internal/x/stringx"
+)
+
+type SignatureConfig struct {
+	TTL   *time.Duration `mapstructure:"ttl"`
+	KeyID string         `mapstructure:"key_id" validate:"required"`
+}
+
+type HTTPMessageSignatures struct {
+	Components []string        `mapstructure:"components" validate:"required"`
+	Signature  SignatureConfig `mapstructure:"signature"  validate:"required"`
+}
+
+func (c *HTTPMessageSignatures) Apply(ctx context.Context, req *http.Request) error {
+	logger := zerolog.Ctx(ctx)
+	logger.Debug().Msg("Applying http_message_signatures strategy to authenticate request")
+
+	// TODO: there is a need to have access to the Signer impl here
+
+	now := time.Now()
+	// TODO: tag is the same as iss for jwt and corresponds to signer.name in heimdall's configuration
+	tag := "foo"
+
+	var expires time.Time
+
+	if c.Signature.TTL != nil {
+		expires = now.Add(*c.Signature.TTL)
+	}
+
+	signer := httpsig.NewSigner(
+		httpsig.WithSignParams(
+			httpsig.ParamKeyID,
+			httpsig.ParamAlg,
+			httpsig.ParamCreated,
+			httpsig.ParamExpires,
+			httpsig.ParamNonce,
+			httpsig.ParamTag,
+		),
+		httpsig.WithSignParamValues(&httpsig.SignatureParameters{
+			Created: &now,
+			Expires: &expires,
+			Tag:     &tag,
+		}),
+		httpsig.WithSignFields(c.Components...),
+		// TODO: the below should be resolved via signer (see other todos above)
+		//httpsig.WithSignEcdsaP256Sha256("key1", privKey),
+	)
+
+	header, err := signer.Sign(httpsig.MessageFromRequest(req))
+	if err != nil {
+		return errorchain.NewWithMessage(heimdall.ErrInternal, "failed to sign request").CausedBy(err)
+	}
+
+	// set the updated headers
+	req.Header = header
+
+	return nil
+}
+
+func (c *HTTPMessageSignatures) Hash() []byte {
+	const int64BytesCount = 8
+
+	hash := sha256.New()
+
+	for _, component := range c.Components {
+		hash.Write(stringx.ToBytes(component))
+	}
+
+	if c.Signature.TTL != nil {
+		ttlBytes := make([]byte, int64BytesCount)
+		binary.LittleEndian.PutUint64(ttlBytes, uint64(*c.Signature.TTL))
+
+		hash.Write(ttlBytes)
+	}
+
+	hash.Write(stringx.ToBytes(c.Signature.KeyID))
+
+	return hash.Sum(nil)
+}