Fix @request-uri on the server side

Author: yaronf

go.mod

@@ -3,6 +3,7 @@ module github.com/yaronf/httpsign
 go 1.17
 
 require (
+	github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883
 	github.com/dunglas/httpsfv v0.1.1
 	github.com/lestrrat-go/jwx v1.2.18
 )
@@ -16,5 +17,6 @@ require (
 	github.com/lestrrat-go/iter v1.0.1 // indirect
 	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/sergi/go-diff v1.2.0 // indirect
 	golang.org/x/crypto v0.0.0-20201217014255-9d1352758620 // indirect
 )

go.sum

@@ -1,12 +1,18 @@
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
+github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d h1:1iy2qD6JEhHKKhUOA9IWs7mjco7lnw2qx8FsRI2wirE=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
 github.com/dunglas/httpsfv v0.1.1 h1:iV2PWNlj9Qbk+5I3fxPDJPTh9eM0rskrI1qdUVUNK1E=
 github.com/dunglas/httpsfv v0.1.1/go.mod h1:zID2mqw9mFsnt7YC3vYQ9/cjq30q41W+1AnDwH8TiMg=
 github.com/goccy/go-json v0.9.4 h1:L8MLKG2mvVXiQu07qB6hmfqeSYQdOnqPot2GhsIwIaI=
 github.com/goccy/go-json v0.9.4/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
 github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
 github.com/lestrrat-go/blackmagic v1.0.0 h1:XzdxDbuQTz0RZZEmdU7cnQxUtFUzgCSPq8RCz4BxIi4=
@@ -23,7 +29,10 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
@@ -37,6 +46,8 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

http2_test.go

@@ -0,0 +1,99 @@
+package httpsign
+
+import (
+	"bufio"
+	"bytes"
+	"github.com/andreyvit/diff"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+	"text/template"
+)
+
+var httpreq5 = ``
+
+var wantFields = `"kuku": my awesome header
+"@query": ?k1=v1&k2
+"@method": GET
+"@target-uri": http://127.0.0.1:{{.Port}}/?k1=v1&k2
+"@signature-params": ("kuku" "@query" "@method" "@target-uri");alg="hmac-sha256";keyid="key1"`
+
+func execTemplate(t template.Template, name string, data interface{}) (string, error) {
+	buf := &bytes.Buffer{}
+	err := t.ExecuteTemplate(buf, name, data)
+	return buf.String(), err
+}
+
+func newClientRequest(t *testing.T, method, url, body string) *http.Request {
+	in := strings.NewReader(body)
+	req, err := http.NewRequest(method, url, bufio.NewReader(in))
+	if err != nil {
+		t.Errorf("could not read request")
+	}
+	return req
+}
+
+var ts *httptest.Server // global, so can be used *inside* the server, too
+
+func TestHTTP11(t *testing.T) {
+	simpleHandler := func(w http.ResponseWriter, r *http.Request) {
+		proto := r.Proto
+		if proto != "HTTP/1.1" {
+			t.Errorf("expected HTTP/1.1, got %s", proto)
+		}
+		sp := bytes.Split([]byte(ts.URL), []byte(":"))
+		portval, err := strconv.Atoi(string(sp[2]))
+		if err != nil {
+			t.Errorf("cannot parse server port number")
+		}
+		tpl, err := template.New("fields").Parse(wantFields)
+		if err != nil {
+			t.Errorf("could not parse template")
+		}
+		type inputs struct{ Port int }
+		wf, err := execTemplate(*tpl, "fields", inputs{Port: portval})
+		verifier, err := NewHMACSHA256Verifier("key1", bytes.Repeat([]byte{0x03}, 64),
+			NewVerifyConfig().SetVerifyCreated(false),
+			Headers("@query"))
+		if err != nil {
+			t.Errorf("could not create verifier")
+		}
+		sigInput, err := verifyRequestDebug("sig1", *verifier, r)
+		if err != nil {
+			t.Errorf("failed to verify request: sig input: %s\nerr: %v", sigInput, err)
+		}
+
+		if sigInput != wf {
+			// t.Errorf("expected: %s\ngot: %s\n", wantFields, sigInput)
+			t.Errorf("unexpected fields: %s\n", diff.CharacterDiff(sigInput, wantFields))
+		} // TODO: copy Host from request/response to URL if empty in URL
+		w.WriteHeader(200)
+	}
+	ts = httptest.NewServer(http.HandlerFunc(simpleHandler))
+	defer ts.Close()
+
+	signer, err := NewHMACSHA256Signer("key1", bytes.Repeat([]byte{0x03}, 64),
+		NewSignConfig().SignCreated(false),
+		Headers("kuku", "@query", "@method", "@target-uri"))
+	client := NewDefaultClient("sig1", signer, nil, nil)
+	req := newClientRequest(t, "GET", ts.URL+"/"+"?k1=v1&k2", httpreq5)
+	req.Header.Set("Kuku", "my awesome header")
+	res, err := client.Do(req)
+	if err != nil {
+		t.Errorf("%v", err)
+	}
+	if res != nil {
+		_, err = io.ReadAll(res.Body)
+		_ = res.Body.Close()
+		if err != nil {
+			t.Errorf("%v", err)
+		}
+
+		if res.Status != "200 OK" {
+			t.Errorf("Bad status returned")
+		}
+	}
+}

httpparse.go

@@ -27,7 +27,18 @@ func parseRequest(req *http.Request) (*parsedMessage, error) {
 	if err != nil {
 		return nil, fmt.Errorf("cannot parse query: %s", req.URL.RawQuery)
 	}
-	return &parsedMessage{derived: generateReqDerivedComponents(req), url: req.URL, headers: normalizeHeaderNames(req.Header), qParams: values}, nil
+	url := req.URL
+	if url.Host == "" {
+		url.Host = req.Host
+	}
+	if url.Scheme == "" {
+		if req.TLS == nil {
+			url.Scheme = "http"
+		} else {
+			url.Scheme = "https"
+		}
+	}
+	return &parsedMessage{derived: generateReqDerivedComponents(req), url: url, headers: normalizeHeaderNames(req.Header), qParams: values}, nil
 }
 
 func normalizeHeaderNames(header http.Header) http.Header {

signatures.go

@@ -171,7 +171,8 @@ func generateSigParams(config *SignConfig, keyID, alg string, foreignSigner inte
 // SignRequest signs an HTTP request. Returns the Signature-Input and the Signature header values.
 //
 func SignRequest(signatureName string, signer Signer, req *http.Request) (signatureInputHeader, signature string, err error) {
-	signatureInputHeader, signature, _, err = signRequestDebug(signatureName, signer, req)
+	signatureInputHeader, signature, signatureInput, err := signRequestDebug(signatureName, signer, req)
+	_ = signatureInput
 	return
 }
 
@@ -230,20 +231,24 @@ func addPseudoHeaders(message *parsedMessage, rr *requestResponse, fields Fields
 
 //
 // VerifyRequest verifies a signed HTTP request. Returns an error if verification failed for any reason, otherwise nil.
-//
-func VerifyRequest(signatureName string, verifier Verifier, req *http.Request) (err error) {
+func VerifyRequest(signatureName string, verifier Verifier, req *http.Request) error {
+	_, err := verifyRequestDebug(signatureName, verifier, req)
+	return err
+}
+
+func verifyRequestDebug(signatureName string, verifier Verifier, req *http.Request) (signatureInput string, err error) {
 	if req == nil {
-		return fmt.Errorf("nil request")
+		return "", fmt.Errorf("nil request")
 	}
 	if signatureName == "" {
-		return fmt.Errorf("empty signature name")
+		return "", fmt.Errorf("empty signature name")
 	}
 	if verifier.config.requestResponse != nil {
-		return fmt.Errorf("use request-response only to verify responses")
+		return "", fmt.Errorf("use request-response only to verify responses")
 	}
 	parsedMessage, err := parseRequest(req)
 	if err != nil {
-		return err
+		return "", err
 	}
 	return verifyMessage(*verifier.config, signatureName, verifier, *parsedMessage, verifier.fields)
 }
@@ -352,48 +357,47 @@ func VerifyResponse(signatureName string, verifier Verifier, res *http.Response)
 		return err
 	}
 	extendedFields := addPseudoHeaders(parsedMessage, verifier.config.requestResponse, verifier.fields)
-	return verifyMessage(*verifier.config, signatureName, verifier, *parsedMessage, extendedFields)
+	_, err = verifyMessage(*verifier.config, signatureName, verifier, *parsedMessage, extendedFields)
+	return err
 }
 
-func verifyMessage(config VerifyConfig, name string, verifier Verifier, message parsedMessage, fields Fields) error {
+func verifyMessage(config VerifyConfig, name string, verifier Verifier, message parsedMessage, fields Fields) (string, error) {
 	wsi, err := message.getDictHeader("signature-input", name)
 	if err != nil {
-		return fmt.Errorf("missing \"signature-input\" header, or cannot find signature \"%s\": %w", name, err)
+		return "", fmt.Errorf("missing \"signature-input\" header, or cannot find signature \"%s\": %w", name, err)
 	}
 	if len(wsi) > 1 {
-		return fmt.Errorf("multiple \"signature-header\" values for %s", name)
+		return "", fmt.Errorf("multiple \"signature-header\" values for %s", name)
 	}
 	wantSignatureInput := wsi[0]
 	ws, err := message.getDictHeader("signature", name)
 	if err != nil {
-		return fmt.Errorf("missing \"signature\" header")
+		return "", fmt.Errorf("missing \"signature\" header")
 	}
 	if len(ws) > 1 {
-		return fmt.Errorf("multiple \"signature\" values for %s", name)
+		return "", fmt.Errorf("multiple \"signature\" values for %s", name)
 	}
 	wantSignature := ws[0]
-	//delete(message.components, *fromDictHeader("signature-input", name))
-	//delete(message.components, *fromDictHeader("signature", name))
 	wantSigRaw, err := parseWantSignature(wantSignature)
 	if err != nil {
-		return err
+		return "", err
 	}
 	psiSig, err := parseSignatureInput(wantSignatureInput, name)
 	if err != nil {
-		return err
+		return "", err
 	}
 	if !(psiSig.fields.contains(&fields)) {
-		return fmt.Errorf("actual signature does not cover all required fields")
+		return "", fmt.Errorf("actual signature does not cover all required fields")
 	}
 	err = applyVerificationPolicy(verifier, psiSig, config)
 	if err != nil {
-		return err
+		return "", err
 	}
 	signatureInput, err := generateSignatureInput(message, psiSig.fields, psiSig.origSigParams)
 	if err != nil {
-		return err
+		return "", err
 	}
-	return verifySignature(verifier, signatureInput, wantSigRaw)
+	return signatureInput, verifySignature(verifier, signatureInput, wantSigRaw)
 }
 
 func applyVerificationPolicy(verifier Verifier, psi *psiSignature, config VerifyConfig) error {