initial commit

Author: Pavel

.gitignore

@@ -0,0 +1,2 @@
+proxy
+.idea

Dockerfile

@@ -0,0 +1,31 @@
+# syntax=docker/dockerfile:1
+
+##
+## Build
+##
+FROM golang:1.18-buster AS build
+
+WORKDIR /app
+
+COPY go.mod ./
+COPY go.sum ./
+RUN go mod download
+
+COPY *.go ./
+
+RUN go build -o /proxy
+
+##
+## Deploy
+##
+FROM gcr.io/distroless/base-debian10
+
+WORKDIR /
+
+COPY --from=build /proxy /proxy
+
+EXPOSE 8080
+
+USER nonroot:nonroot
+
+ENTRYPOINT ["/proxy"]

GcloudKeyLoader.go

@@ -0,0 +1,33 @@
+package main
+
+import (
+	secretmanager "cloud.google.com/go/secretmanager/apiv1"
+	"context"
+	secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
+	"log"
+)
+
+type GcloudKeyLoader struct {
+}
+
+func (g GcloudKeyLoader) LoadKey(key string) ([]byte, error) {
+	ctx := context.Background()
+	client, err := secretmanager.NewClient(ctx)
+	if err != nil {
+		return []byte{}, err
+	}
+	defer func(client *secretmanager.Client) {
+		err := client.Close()
+		if err != nil {
+			log.Fatal(err)
+		}
+	}(client)
+	accessRequest := &secretmanagerpb.AccessSecretVersionRequest{
+		Name: key,
+	}
+	result, err := client.AccessSecretVersion(ctx, accessRequest)
+	if err != nil {
+		return []byte{}, err
+	}
+	return result.Payload.Data, nil
+}

KeyLoader.go

@@ -0,0 +1,5 @@
+package main
+
+type KeyLoader interface {
+	LoadKey(key string) ([]byte, error)
+}

README.md

@@ -0,0 +1,21 @@
+# TLS and eIDAS proxy server
+
+Simple proxy server meant to be run in secure Google Cloud environment.
+
+Server support two use-cases:
+1. TLS connection to any server using TLS certificates from Google Cloud Secret Manager
+
+TLS connection is implemented using regular proxy server.
+You need to specify name of a public certificate and a private key in the following headers:
+`X-Cert`
+`X-Key`
+Those headers are removed from actual request
+You can also specify `X-Follow-Redirects` header to follow redirects
+
+
+2. Signing data with eIDAS private key
+In order to do that just send a request to `/sign` endpoint with your data in the body and `X-Key` header
+
+Proxy is meant to be run in the secured environment, that is why no authentication is implemented.
+
+This project is just an experiment and the way for me to learn Go. Some (all?) of the things might be done in a better way.

consts.go

@@ -0,0 +1,5 @@
+package main
+
+const CertHeader = "X-Cert"
+const KeyHeader = "X-Key"
+const FollowRedirectsHeader = "X-Follow-Redirects"

go.mod

@@ -0,0 +1,24 @@
+module proxy
+
+go 1.17
+
+require (
+	cloud.google.com/go v0.100.2 // indirect
+	cloud.google.com/go/compute v1.3.0 // indirect
+	cloud.google.com/go/iam v0.1.0 // indirect
+	cloud.google.com/go/secretmanager v1.3.0 // indirect
+	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sys v0.0.0-20220209214540-3681064d5158 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	google.golang.org/api v0.70.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6 // indirect
+	google.golang.org/grpc v1.44.0 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+)

go.sum

@@ -0,0 +1,11 @@
+package main
+
+func main() {
+	proxy := Proxy{
+		GcloudKeyLoader{},
+	}
+	err := proxy.ListenAndServe()
+	if err != nil {
+		panic(err)
+	}
+}

main.go

@@ -0,0 +1,132 @@
+package main
+
+import (
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"strconv"
+)
+
+type Proxy struct {
+	KeyLoader KeyLoader
+}
+
+func (p *Proxy) GetTLSConfig(certPath string, keyPath string) (*tls.Config, error) {
+	if certPath == "" && keyPath == "" {
+		return nil, nil
+	}
+	tlsConfig := &tls.Config{}
+	cert, err := p.KeyLoader.LoadKey(certPath)
+	if err != nil {
+		return nil, err
+	}
+	key, err := p.KeyLoader.LoadKey(keyPath)
+	if err != nil {
+		return nil, err
+	}
+	certificate, err := tls.X509KeyPair(cert, key)
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig.Certificates = []tls.Certificate{certificate}
+	return tlsConfig, nil
+}
+
+func (p *Proxy) ListenAndServe() error {
+	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Scheme == "" {
+			// This handler is expected to handle proxy requests.
+			// It should not be used for the regular request.
+			// Perhaps there is a better way to handle this.
+			http.Error(w, "Bad request", http.StatusBadRequest)
+			return
+		}
+		transport := http.Transport{}
+		tlsConfig, err := p.GetTLSConfig(r.Header.Get(CertHeader), r.Header.Get(KeyHeader))
+		if err != nil {
+			http.Error(w, "Bad request", http.StatusBadRequest)
+			return
+		}
+		r.Header.Del(CertHeader)
+		r.Header.Del(KeyHeader)
+		outReq := &http.Request{
+			Method: r.Method,
+			URL:    r.URL,
+			Header: r.Header,
+			Body:   r.Body,
+		}
+
+		if tlsConfig != nil {
+			transport.TLSClientConfig = tlsConfig
+		}
+		followRedirectsHeader := r.Header.Get(FollowRedirectsHeader)
+		r.Header.Del(FollowRedirectsHeader)
+		followRedirects, err := strconv.ParseBool(followRedirectsHeader)
+		if err != nil {
+			followRedirects = true
+		}
+		client := &http.Client{
+			Transport: &transport,
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				if followRedirects {
+					return nil
+				}
+				return http.ErrUseLastResponse
+			},
+		}
+		resp, err := client.Do(outReq)
+
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadGateway)
+			return
+		}
+		defer func(Body io.ReadCloser) {
+			err := Body.Close()
+			if err != nil {
+				fmt.Println(err)
+			}
+		}(resp.Body)
+		for k, v := range resp.Header {
+			for _, vv := range v {
+				w.Header().Add(k, vv)
+			}
+		}
+		w.WriteHeader(resp.StatusCode)
+		_, err = io.Copy(w, resp.Body)
+		if err != nil {
+			fmt.Println("Error:", err)
+		}
+	})
+
+	http.HandleFunc("/sign", func(w http.ResponseWriter, r *http.Request) {
+		privateKey, err := loadPrivateKey(r.Header.Get(KeyHeader))
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		r.Header.Del(KeyHeader)
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		signature, err := sign(privateKey, body)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		_, err = w.Write([]byte(signature))
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+	})
+
+	port := os.Getenv("PORT")
+	if port == "" {
+		port = "8080"
+	}
+	return http.ListenAndServe(":"+port, nil)
+}

proxy.go

@@ -0,0 +1,62 @@
+package main
+
+import (
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"io/ioutil"
+)
+
+func readKey(path string) ([]byte, error) {
+	file, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return file, nil
+}
+
+func loadPrivateKey(path string) (*rsa.PrivateKey, error) {
+	keyContent, err := readKey(path)
+	if err != nil {
+		return nil, err
+	}
+	block, _ := pem.Decode(keyContent)
+	if block == nil {
+		return nil, errors.New("failed to parse PEM private key")
+	}
+	switch block.Type {
+	case "RSA PRIVATE KEY":
+		privateKey, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		return privateKey, nil
+	case "PRIVATE KEY":
+		privateKey, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		return privateKey.(*rsa.PrivateKey), nil
+	default:
+		fmt.Println("Unsupported key type:", block.Type)
+		return nil, errors.New("failed to parse PEM private key")
+	}
+}
+
+func sign(privateKey *rsa.PrivateKey, data []byte) (string, error) {
+	hash := sha256.New()
+	hash.Write(data)
+	hashed := hash.Sum(nil)
+	signature, err := rsa.SignPKCS1v15(rand.Reader, privateKey, crypto.SHA256, hashed)
+	if err != nil {
+		return "", err
+	}
+	encodedSignature := base64.RawURLEncoding.EncodeToString(signature)
+	return encodedSignature, nil
+}