Refactored, most tests are passing

Author: yaronf

fields.go

@@ -25,7 +25,7 @@ func (f *field) String() string {
 // HeaderList is a simple way to generate a Fields list, where only simple header names and specialty headers
 // are needed.
 func HeaderList(hs []string) Fields {
-	f := []field{}
+	var f []field
 	for _, h := range hs {
 		hd := strings.ToLower(h) // loop variable scope pitfall!
 		f = append(f, field{hd, "", ""})
@@ -85,8 +85,9 @@ func fromDictHeader(hdr, key string) *field {
 
 // AddDictHeader indicates that out of a header structured as a dictionary, a specific key value is signed/verified
 func (fs *Fields) AddDictHeader(hdr, key string) *Fields {
-	k := strings.ToLower(key)
-	return fs.addHeaderAndFlag(hdr, "key", k)
+	f := fromDictHeader(hdr, key)
+	*fs = append(*fs, *f)
+	return fs
 }
 
 func (f field) asSignatureInput() (string, error) {

httpparse.go

@@ -2,77 +2,49 @@ package httpsign
 
 import (
 	"fmt"
-	"github.com/dunglas/httpsfv"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 )
 
 // some fields (specifically, query params) may appear more than once, and those occurrences are ordered.
-type components map[field][]string
+type components map[string]string
 
 type parsedMessage struct {
-	components components
-}
-
-type fvPair struct {
-	f field
-	v []string
-}
-
-func matchFields(comps components, fields Fields) ([]fvPair, error) {
-	// Components for signature are ordered, thus an array of pairs and not a map
-	matched := make([]fvPair, 0)
-	for _, f := range fields {
-		if v, found := comps[f]; found {
-			matched = append(matched, fvPair{f, v})
-		} else {
-			return nil, fmt.Errorf("missing component \"%s\"", f.name)
-		}
-	}
-	return matched, nil
+	derived components
+	url     *url.URL
+	headers http.Header
+	qParams url.Values
 }
 
 func parseRequest(req *http.Request) (*parsedMessage, error) {
 	err := validateMessageHeaders(req.Header)
 	if err != nil {
 		return nil, err
 	}
-	components := components{}
-	generateReqSpecialtyComponents(req, components)
-	err = generateHeaderComponents(req.Header, components)
-	if err != nil {
-		return nil, err
-	}
 	values, err := url.ParseQuery(req.URL.RawQuery)
 	if err != nil {
 		return nil, fmt.Errorf("cannot parse query: %s", req.URL.RawQuery)
 	}
-	generateQueryParams(values, components)
-
-	return &parsedMessage{components}, nil
+	return &parsedMessage{derived: generateReqDerivedComponents(req), url: req.URL, headers: normalizeHeaderNames(req.Header), qParams: values}, nil
 }
 
-func generateQueryParams(v map[string][]string, components components) {
-	for name, values := range v {
-		components[*fromQueryParam(name)] = values
+func normalizeHeaderNames(header http.Header) http.Header {
+	var t http.Header = http.Header{}
+	for k, v := range header {
+		t[strings.ToLower(k)] = v
 	}
+	return t
 }
 
 func parseResponse(res *http.Response) (*parsedMessage, error) {
 	err := validateMessageHeaders(res.Header)
 	if err != nil {
 		return nil, err
 	}
-	components := components{}
-	generateResSpecialtyComponents(res, components)
-	err = generateHeaderComponents(res.Header, components)
-	if err != nil {
-		return nil, err
-	}
 
-	return &parsedMessage{components}, nil
+	return &parsedMessage{derived: generateResDerivedComponents(res), url: nil, headers: normalizeHeaderNames(res.Header)}, nil
 }
 
 func validateMessageHeaders(header http.Header) error {
@@ -85,37 +57,6 @@ func validateMessageHeaders(header http.Header) error {
 	return nil
 }
 
-func generateHeaderComponents(headers http.Header, components components) error {
-	for hdrName, val := range headers {
-		lower := strings.ToLower(hdrName)
-		dict, err := httpsfv.UnmarshalDictionary(val)
-		if err == nil { // dictionary
-			for _, name := range dict.Names() {
-				v, _ := dict.Get(name)
-				switch v.(type) {
-				case httpsfv.Item:
-					vv, err := httpsfv.Marshal(v.(httpsfv.Item))
-					if err != nil {
-						return fmt.Errorf("malformed dictionry member %s: %v", name, err)
-					}
-					components[*fromDictHeader(lower, name)] = []string{vv}
-				case httpsfv.InnerList:
-					vv, err := httpsfv.Marshal(v.(httpsfv.InnerList))
-					if err != nil {
-						return fmt.Errorf("malformed dictionry member %s: %v", name, err)
-					}
-					components[*fromDictHeader(lower, name)] = []string{vv}
-				default:
-					return fmt.Errorf("unexpected dictionary value")
-				}
-			}
-		} else {
-			components[*fromHeaderName(lower)] = []string{foldFields(val)}
-		}
-	}
-	return nil
-}
-
 func foldFields(fields []string) string {
 	ff := strings.TrimSpace(fields[0])
 	for i := 1; i < len(fields); i++ {
@@ -125,10 +66,11 @@ func foldFields(fields []string) string {
 }
 
 func specialtyComponent(name, v string, components components) {
-	components[*fromHeaderName(name)] = []string{v}
+	components[name] = v
 }
 
-func generateReqSpecialtyComponents(req *http.Request, components components) {
+func generateReqDerivedComponents(req *http.Request) components {
+	components := components{}
 	specialtyComponent("@method", scMethod(req), components)
 	theURL := req.URL
 	specialtyComponent("@target-uri", scTargetURI(theURL), components)
@@ -138,6 +80,7 @@ func generateReqSpecialtyComponents(req *http.Request, components components) {
 	specialtyComponent("@request-target", scRequestTarget(theURL), components)
 	specialtyComponent("@query", scQuery(theURL), components)
 	// @request-response does not belong here
+	return components
 }
 
 func scPath(theURL *url.URL) string {
@@ -171,8 +114,10 @@ func scMethod(req *http.Request) string {
 	return req.Method
 }
 
-func generateResSpecialtyComponents(res *http.Response, components components) {
+func generateResDerivedComponents(res *http.Response) components {
+	components := components{}
 	specialtyComponent("@status", scStatus(res), components)
+	return components
 }
 
 func scStatus(res *http.Response) string {

signatures.go

@@ -11,7 +11,9 @@ import (
 	"encoding/base64"
 	"fmt"
 	"github.com/dunglas/httpsfv"
+	"log"
 	"net/http"
+	"strings"
 	"time"
 )
 
@@ -46,25 +48,80 @@ func encodeBytes(raw []byte) string {
 }
 
 func generateSignatureInput(message parsedMessage, fields Fields, params string) (string, error) {
-	mf, err := matchFields(message.components, fields)
-	if err != nil {
-		return "", err
-	}
 	inp := ""
-	for _, c := range mf {
-		f, err := c.f.asSignatureInput()
+	for _, c := range fields {
+		f, err := c.asSignatureInput()
+		if err != nil {
+			return "", fmt.Errorf("could not marshal %v", f)
+		}
+		fieldValues, err := generateFieldValues(c, message)
 		if err != nil {
-			return "", fmt.Errorf("could not marshal %v", c.f)
+			return "", err
 		}
-		for _, v := range c.v {
+		for _, v := range fieldValues {
 			inp += fmt.Sprintf("%s: %s\n", f, v)
 		}
 	}
 	inp += fmt.Sprintf("\"%s\": %s", "@signature-params", params)
-	// log.Println("inp:", "\n"+inp)
+	log.Println("inp:", "\n"+inp) // TODO!
 	return inp, nil
 }
 
+func generateFieldValues(f field, message parsedMessage) ([]string, error) {
+	if f.flagName == "" {
+		if strings.HasPrefix(f.name, "@") { // derived component
+			return []string{message.derived[f.name]}, nil
+		}
+		vv, found := message.headers[f.name] // normal header, cannot use "Values" on lowercased header name
+		if !found {
+			return nil, fmt.Errorf("header %s not found", f.name)
+		}
+		return []string{foldFields(vv)}, nil
+	}
+	if f.name == "@query-params" && f.flagName == "name" {
+		vals, found := message.qParams[f.flagValue]
+		if !found {
+			return nil, fmt.Errorf("query parameter %s not found", f.flagValue)
+		}
+		return vals, nil
+	}
+	if f.flagName == "key" { // dictionary header
+		return message.getDictHeader(f.name, f.flagValue)
+	}
+	return nil, fmt.Errorf("unrecognized field %s", f)
+}
+
+func (message *parsedMessage) getDictHeader(hdr, member string) ([]string, error) {
+	vals, found := message.headers[hdr]
+	if !found {
+		return nil, fmt.Errorf("dictionary header %s not found", hdr)
+	}
+	dict, err := httpsfv.UnmarshalDictionary(vals)
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse dictionary for %s", hdr)
+	}
+	v, found := dict.Get(member)
+	if !found {
+		return nil, fmt.Errorf("cannot find member %s of dictionary %s", member, hdr)
+	}
+	switch v.(type) {
+	case httpsfv.Item:
+		vv, err := httpsfv.Marshal(v.(httpsfv.Item))
+		if err != nil {
+			return nil, fmt.Errorf("malformed dictionry member %s: %v", hdr, err)
+		}
+		return []string{vv}, nil
+	case httpsfv.InnerList:
+		vv, err := httpsfv.Marshal(v.(httpsfv.InnerList))
+		if err != nil {
+			return nil, fmt.Errorf("malformed dictionry member %s: %v", hdr, err)
+		}
+		return []string{vv}, nil
+	default:
+		return nil, fmt.Errorf("unexpected dictionary value")
+	}
+}
+
 func generateSigParams(config *SignConfig, keyID, alg string, foreignSigner interface{}, fields Fields) (string, error) {
 	p := httpsfv.NewParams()
 	var createdTime int64
@@ -126,23 +183,23 @@ func SignResponse(signatureName string, signer Signer, res *http.Response) (sign
 	if err != nil {
 		return "", "", err
 	}
-	extendedFields := addPseudoHeaders(parsedMessage, signer.config.requestResponse, signer.fields)
-	return signMessage(*signer.config, signatureName, signer, *parsedMessage, extendedFields)
+	//	extendedFields := addPseudoHeaders(parsedMessage, signer.config.requestResponse, signer.fields)
+	return signMessage(*signer.config, signatureName, signer, *parsedMessage, signer.fields)
 }
 
 // Handle the special header-like @request-response
-func addPseudoHeaders(message *parsedMessage, rr *requestResponse, fields Fields) Fields {
-	if rr != nil {
-		rrfield := field{
-			name:      "@request-response",
-			flagName:  "key",
-			flagValue: rr.name,
-		}
-		message.components[rrfield] = []string{rr.signature}
-		return append(fields, rrfield)
-	}
-	return fields
-}
+//func addPseudoHeaders(message *parsedMessage, rr *requestResponse, fields Fields) Fields {
+//	if rr != nil {
+//		rrfield := field{
+//			name:      "@request-response",
+//			flagName:  "key",
+//			flagValue: rr.name,
+//		}
+//		message.components[rrfield] = []string{rr.signature}
+//		return append(fields, rrfield)
+//	}
+//	return fields
+//}
 
 //
 // VerifyRequest verifies a signed HTTP request. Returns an error if verification failed for any reason, otherwise nil.
@@ -207,8 +264,8 @@ func GetRequestSignature(req *http.Request, signatureName string) (string, error
 	if err != nil {
 		return "", err
 	}
-	ws, found := parsedMessage.components[*fromDictHeader("signature", signatureName)]
-	if !found {
+	ws, err := parsedMessage.getDictHeader("signature", signatureName)
+	if err != nil {
 		return "", fmt.Errorf("missing \"signature\" header for \"%s\"", signatureName)
 	}
 	if len(ws) > 1 {
@@ -223,8 +280,8 @@ func GetRequestSignature(req *http.Request, signatureName string) (string, error
 }
 
 func messageKeyID(signatureName string, parsedMessage parsedMessage) (keyID, alg string, err error) {
-	si, found := parsedMessage.components[*fromDictHeader("signature-input", signatureName)]
-	if !found {
+	si, err := parsedMessage.getDictHeader("signature-input", signatureName)
+	if err != nil {
 		return "", "", fmt.Errorf("missing \"signature-input\" header, or cannot find \"%s\"", signatureName)
 	}
 	if len(si) > 1 {
@@ -267,29 +324,29 @@ func VerifyResponse(signatureName string, verifier Verifier, res *http.Response)
 	if err != nil {
 		return err
 	}
-	extendedFields := addPseudoHeaders(parsedMessage, verifier.config.requestResponse, verifier.fields)
-	return verifyMessage(*verifier.config, signatureName, verifier, *parsedMessage, extendedFields)
+	// extendedFields := addPseudoHeaders(parsedMessage, verifier.config.requestResponse, verifier.fields)
+	return verifyMessage(*verifier.config, signatureName, verifier, *parsedMessage, verifier.fields)
 }
 
 func verifyMessage(config VerifyConfig, name string, verifier Verifier, message parsedMessage, fields Fields) error {
-	wsi, found := message.components[*fromDictHeader("signature-input", name)]
-	if !found {
+	wsi, err := message.getDictHeader("signature-input", name)
+	if err != nil {
 		return fmt.Errorf("missing \"signature-input\" header, or cannot find signature \"%s\"", name)
 	}
 	if len(wsi) > 1 {
 		return fmt.Errorf("multiple \"signature-header\" values for %s", name)
 	}
 	wantSignatureInput := wsi[0]
-	ws, found := message.components[*fromDictHeader("signature", name)]
-	if !found {
+	ws, err := message.getDictHeader("signature", name)
+	if err != nil {
 		return fmt.Errorf("missing \"signature\" header")
 	}
 	if len(ws) > 1 {
 		return fmt.Errorf("multiple \"signature\" values for %s", name)
 	}
 	wantSignature := ws[0]
-	delete(message.components, *fromDictHeader("signature-input", name))
-	delete(message.components, *fromDictHeader("signature", name))
+	//delete(message.components, *fromDictHeader("signature-input", name))
+	//delete(message.components, *fromDictHeader("signature", name))
 	wantSigRaw, err := parseWantSignature(wantSignature)
 	if err != nil {
 		return err

signatures_test.go

@@ -1052,7 +1052,15 @@ func TestRequestResponse(t *testing.T) {
 	res.Header.Add("Signature", sig2)
 
 	// Client verifies response
-	verifier2, err := NewP256Verifier("key10", pub2, NewVerifyConfig().SetRequestResponse("sig1", sig1Value).SetVerifyCreated(false), HeaderList([]string{"@status"}))
+	verifier2, err := NewP256Verifier("key10", pub2, NewVerifyConfig().SetRequestResponse("sigxx", sig1Value).SetVerifyCreated(false), HeaderList([]string{"@status"}))
+	if err != nil {
+		t.Errorf("Could not create second verifier: %v", err)
+	}
+	err = VerifyResponse("sig2", *verifier2, res)
+	if err == nil {
+		t.Errorf("Verification should have failed, wrong sig name in SetRequestResponse")
+	}
+	verifier2, err = NewP256Verifier("key10", pub2, NewVerifyConfig().SetRequestResponse("sig1", sig1Value).SetVerifyCreated(false), HeaderList([]string{"@status"}))
 	if err != nil {
 		t.Errorf("Could not create second verifier: %v", err)
 	}