prometheus/storage/remote/sigv4.go

139 lines
4.1 KiB
Go

// Copyright 2021 The Prometheus Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package remote
import (
"bytes"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/textproto"
"sync"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
signer "github.com/aws/aws-sdk-go/aws/signer/v4"
"github.com/prometheus/prometheus/config"
)
var sigv4HeaderDenylist = []string{
"uber-trace-id",
}
type sigV4RoundTripper struct {
region string
next http.RoundTripper
pool sync.Pool
signer *signer.Signer
}
// newSigV4RoundTripper returns a new http.RoundTripper that will sign requests
// using Amazon's Signature Verification V4 signing procedure. The request will
// then be handed off to the next RoundTripper provided by next. If next is nil,
// http.DefaultTransport will be used.
//
// Credentials for signing are retrieved using the the default AWS credential
// chain. If credentials cannot be found, an error will be returned.
func newSigV4RoundTripper(cfg *config.SigV4Config, next http.RoundTripper) (http.RoundTripper, error) {
if next == nil {
next = http.DefaultTransport
}
creds := credentials.NewStaticCredentials(cfg.AccessKey, string(cfg.SecretKey), "")
if cfg.AccessKey == "" && cfg.SecretKey == "" {
creds = nil
}
sess, err := session.NewSessionWithOptions(session.Options{
Config: aws.Config{
Region: aws.String(cfg.Region),
Credentials: creds,
},
Profile: cfg.Profile,
})
if err != nil {
return nil, fmt.Errorf("could not create new AWS session: %w", err)
}
if _, err := sess.Config.Credentials.Get(); err != nil {
return nil, fmt.Errorf("could not get SigV4 credentials: %w", err)
}
if aws.StringValue(sess.Config.Region) == "" {
return nil, fmt.Errorf("region not configured in sigv4 or in default credentials chain")
}
signerCreds := sess.Config.Credentials
if cfg.RoleARN != "" {
signerCreds = stscreds.NewCredentials(sess, cfg.RoleARN)
}
rt := &sigV4RoundTripper{
region: cfg.Region,
next: next,
signer: signer.NewSigner(signerCreds),
}
rt.pool.New = rt.newBuf
return rt, nil
}
func (rt *sigV4RoundTripper) newBuf() interface{} {
return bytes.NewBuffer(make([]byte, 0, 1024))
}
func (rt *sigV4RoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
// rt.signer.Sign needs a seekable body, so we replace the body with a
// buffered reader filled with the contents of original body.
buf := rt.pool.Get().(*bytes.Buffer)
defer func() {
buf.Reset()
rt.pool.Put(buf)
}()
if _, err := io.Copy(buf, req.Body); err != nil {
return nil, err
}
// Close the original body since we don't need it anymore.
_ = req.Body.Close()
// Ensure our seeker is back at the start of the buffer once we return.
var seeker io.ReadSeeker = bytes.NewReader(buf.Bytes())
defer func() {
_, _ = seeker.Seek(0, io.SeekStart)
}()
req.Body = ioutil.NopCloser(seeker)
// Clone the request and trim out headers that we don't want to sign.
signReq := req.Clone(req.Context())
for _, header := range sigv4HeaderDenylist {
signReq.Header.Del(header)
}
headers, err := rt.signer.Sign(signReq, seeker, "aps", rt.region, time.Now().UTC())
if err != nil {
return nil, fmt.Errorf("failed to sign request: %w", err)
}
// Copy over signed headers. Authorization header is not returned by
// rt.signer.Sign and needs to be copied separately.
for k, v := range headers {
req.Header[textproto.CanonicalMIMEHeaderKey(k)] = v
}
req.Header.Set("Authorization", signReq.Header.Get("Authorization"))
return rt.next.RoundTrip(req)
}