From 59bf378e216e5c5e05f0848128c6e13eac846577 Mon Sep 17 00:00:00 2001
From: Nick Meves
Date: Sun, 14 Mar 2021 09:47:44 -0700
Subject: [PATCH] Deprecate GAP-Signature and add a warning on usage (#1103)

---
 CHANGELOG.md | 5 +++++
 docs/docs/features/request_signatures.md | 20 --------------------
 docs/sidebars.js | 2 +-
 pkg/validation/options.go | 13 ++++++-------
 4 files changed, 12 insertions(+), 28 deletions(-)
 delete mode 100644 docs/docs/features/request_signatures.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4abe5e82de..7226857806 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,11 +4,16 @@
 ## Important Notes
+
+- [#1103](https://github.com/oauth2-proxy/oauth2-proxy/pull/1103) Upstream request signatures via `--signature-key` is
+  deprecated. Support will be removed completely in v8.0.0.
+
 ## Breaking Changes
 ## Changes since v7.0.1
 - [#1045](https://github.com/oauth2-proxy/oauth2-proxy/pull/1045) Ensure redirect URI always has a scheme (@JoelSpeed)
+- [#1103](https://github.com/oauth2-proxy/oauth2-proxy/pull/1103) Deprecate upstream request signatures (@NickMeves)
 - [#914](https://github.com/oauth2-proxy/oauth2-proxy/pull/914) Extract email from id_token for azure provider when oidc is configured
 - [#1047](https://github.com/oauth2-proxy/oauth2-proxy/pull/1047) Refactor HTTP Server and add ServerGroup to handle graceful shutdown of multiple servers (@JoelSpeed)
 - [#1070](https://github.com/oauth2-proxy/oauth2-proxy/pull/1070) Refactor logging middleware to middleware package (@NickMeves)
diff --git a/docs/docs/features/request_signatures.md b/docs/docs/features/request_signatures.md
deleted file mode 100644
index 44dee21805..0000000000
--- a/docs/docs/features/request_signatures.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-id: request_signatures
-title: Request Signatures
----
-
-If `signature_key` is defined, proxied requests will be signed with the
-`GAP-Signature` header, which is a [Hash-based Message Authentication Code
-(HMAC)](https://en.wikipedia.org/wiki/Hash-based_message_authentication_code)
-of selected request information and the request body [see `SIGNATURE_HEADERS`
-in `oauthproxy.go`](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/oauthproxy.go).
-
-`signature_key` must be of the form `algorithm:secretkey`, (ie: `signature_key = "sha1:secret0"`)
-
-For more information about HMAC request signature validation, read the
-following:
-
-- [Amazon Web Services: Signing and Authenticating REST
- Requests](https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html)
-- [rc3.org: Using HMAC to authenticate Web service
- requests](http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/)
diff --git a/docs/sidebars.js b/docs/sidebars.js
index f96b74f6b6..f74b9da6f1 100644
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -18,7 +18,7 @@ module.exports = {
 type: 'category',
 label: 'Features',
 collapsed: false,
- items: ['features/endpoints', 'features/request_signatures'],
+ items: ['features/endpoints'],
 },
 {
 type: 'category',
diff --git a/pkg/validation/options.go b/pkg/validation/options.go
index 220438edfa..e541e15902 100644
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -2,7 +2,6 @@ package validation
 import (
 "context"
- "crypto"
 "crypto/tls"
 "fmt"
 "io/ioutil"
@@ -30,8 +29,8 @@ func Validate(o *options.Options) error {
 msgs = append(msgs, validateRedisSessionStore(o)...)
 msgs = append(msgs, prefixValues("injectRequestHeaders: ", validateHeaders(o.InjectRequestHeaders)...)...)
 msgs = append(msgs, prefixValues("injectResponseHeaders: ", validateHeaders(o.InjectResponseHeaders)...)...)
- msgs = parseSignatureKey(o, msgs)
 msgs = configureLogger(o.Logging, msgs)
+ msgs = parseSignatureKey(o, msgs)
 if o.SSLInsecureSkipVerify {
 // InsecureSkipVerify is a configurable option we allow
@@ -355,6 +354,8 @@ func parseSignatureKey(o *options.Options, msgs []string) []string {
 return msgs
 }
+ logger.Print("WARNING: `--signature-key` is deprecated. It will be removed in a future release")
+
 components := strings.Split(o.SignatureKey, ":")
 if len(components) != 2 {
 return append(msgs, "invalid signature hash:key spec: "+
@@ -362,11 +363,9 @@ func parseSignatureKey(o *options.Options, msgs []string) []string {
 }
 algorithm, secretKey := components[0], components[1]
- var hash crypto.Hash
- var err error
- if hash, err = hmacauth.DigestNameToCryptoHash(algorithm); err != nil {
- return append(msgs, "unsupported signature hash algorithm: "+
- o.SignatureKey)
+ hash, err := hmacauth.DigestNameToCryptoHash(algorithm)
+ if err != nil {
+ return append(msgs, "unsupported signature hash algorithm: "+o.SignatureKey)
 }
 o.SetSignatureData(&options.SignatureData{Hash: hash, Key: secretKey})
 return msgs
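Review bot: The new position of `msgs = parseSignatureKey(o, msgs)` directly after `configureLogger` is order-dependent but nothing in the code says so; parseSignatureKey now writes through `logger` (the `logger.Print` added in the following hunk), so it presumably has to run once logging is configured, and a later tidy-up that regroups the validators could silently move the warning back in front of logger setup. A one-line comment would pin the dependency, e.g. `// parseSignatureKey logs a deprecation warning, so it must run after configureLogger.` Validate's body continues outside the hunk.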
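Review bot: The deprecation message says "a future release" while the CHANGELOG entry in this same commit commits to removal in v8.0.0; operators planning migrations read the log line, not the changelog, so the version belongs in the message: `logger.Print("WARNING: `--signature-key` is deprecated and will be removed in v8.0.0")`. The message also gives no hint of what to migrate to, which is fine if nothing replaces it, but then saying so explicitly ("no replacement is planned") saves every reader a search. From the `return msgs` / `}` context at the top of the hunk the warning appears to fire only when a key is configured, but that guard is outside the visible lines.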
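Review bot: The rewritten error line `return append(msgs, "unsupported signature hash algorithm: "+o.SignatureKey)` still concatenates the whole `algorithm:secretkey` value, so a typo in the algorithm name puts the HMAC secret into a validation message that Validate presumably surfaces in startup output or logs. Only the first component is relevant to this error, and it is already split out two lines above: `return append(msgs, "unsupported signature hash algorithm: "+algorithm)`. The `invalid signature hash:key spec` branch in the preceding hunk looks like it does the same (its continuation line is outside the visible lines) and deserves the same treatment, e.g. reporting only the expected `algorithm:secretkey` shape. This is pre-existing behaviour, but the commit is already rewriting the line, so it is the moment to stop logging the secret. parseSignatureKey's closing brace is outside the hunk.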