github.com/google/osv-scalibr@v0.4.1/veles/secrets/gcshmackey/validator.go (about) 1 // Copyright 2025 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package gcshmackey 16 17 import ( 18 "context" 19 "encoding/xml" 20 "fmt" 21 "net/http" 22 23 "github.com/google/osv-scalibr/veles" 24 "github.com/google/osv-scalibr/veles/secrets/common/awssignerv4" 25 ) 26 27 const ( 28 // CodeSignatureDoesNotMatch is returned by GCS if a request and the signature don't match 29 CodeSignatureDoesNotMatch = "SignatureDoesNotMatch" 30 // CodeAccessDenied is returned by GCS if the user doesn't have access to a resource 31 CodeAccessDenied = "AccessDenied" 32 ) 33 34 // HTTPAwsSignerV4 defines the interface for signing HTTP requests using 35 // the AWS Signature Version 4 signing process. 36 type HTTPAwsSignerV4 interface { 37 Sign(req *http.Request, accessKey, secretKey string) error 38 } 39 40 // Validator is a Veles Validator for Google Cloud Storage HMAC keys 41 type Validator struct { 42 client *http.Client 43 signer HTTPAwsSignerV4 44 } 45 46 // SetHTTPClient configures the http.Client that the Validator uses. 47 func (v *Validator) SetHTTPClient(cli *http.Client) { 48 v.client = cli 49 } 50 51 // SetSigner configures HTTPSignerV4 that the Validator uses. 52 func (v *Validator) SetSigner(signer HTTPAwsSignerV4) { 53 v.signer = signer 54 } 55 56 // NewValidator creates a new Validator with the given ValidatorOptions. 57 func NewValidator() *Validator { 58 return &Validator{ 59 client: http.DefaultClient, 60 signer: awssignerv4.New(awssignerv4.Config{ 61 Service: "s3", Region: "auto", 62 SignedHeaders: []string{ 63 "amz-sdk-invocation-id", "amz-sdk-request", "host", "x-amz-content-sha256", "x-amz-date", 64 }, 65 }), 66 } 67 } 68 69 // Validate checks whether the given Google Cloud Storage HMAC key is valid 70 // using the ListBuckets api call 71 func (v *Validator) Validate(ctx context.Context, key HMACKey) (veles.ValidationStatus, error) { 72 req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://storage.googleapis.com/", nil) 73 if err != nil { 74 return veles.ValidationFailed, fmt.Errorf("building failed: %w", err) 75 } 76 req.Header.Set("User-Agent", "osv-scalibr") 77 req.Header.Set("Accept-Encoding", "gzip") 78 79 if err := v.signer.Sign(req, key.AccessID, key.Secret); err != nil { 80 return veles.ValidationFailed, fmt.Errorf("signing failed: %w", err) 81 } 82 83 rsp, err := v.client.Do(req) 84 if err != nil { 85 return veles.ValidationFailed, fmt.Errorf("GET failed: %w", err) 86 } 87 defer rsp.Body.Close() 88 89 // the credentials are valid and the resource is accessible 90 if rsp.StatusCode == http.StatusOK { 91 return veles.ValidationValid, nil 92 } 93 94 type errorResponse struct { 95 Code string `xml:"Code"` 96 } 97 98 errResp := errorResponse{} 99 if err := xml.NewDecoder(rsp.Body).Decode(&errResp); err != nil { 100 return veles.ValidationFailed, fmt.Errorf("failed to parse the response body: %w", err) 101 } 102 103 switch errResp.Code { 104 case CodeSignatureDoesNotMatch: 105 // Signature mismatch => credentials invalid 106 return veles.ValidationInvalid, nil 107 case CodeAccessDenied: 108 // Signature valid, but account lacks access 109 return veles.ValidationValid, nil 110 default: 111 // Unexpected error response 112 return veles.ValidationFailed, fmt.Errorf("unknown error code: %q", errResp.Code) 113 } 114 }