support signing for upload endpoints (#2376)

Author: motatoes

taco/internal/api/routes.go

@@ -271,8 +271,10 @@ func RegisterRoutes(e *echo.Echo, deps Dependencies) {
 	// Upload endpoints exempt from auth middleware (Terraform doesn't send auth headers)
 	// Security: These validate lock ownership and have RBAC checks in handlers
 	// Upload URLs can only be obtained from authenticated CreateStateVersion calls
-	e.PUT("/tfe/api/v2/state-versions/:id/upload", tfeHandler.UploadStateVersion)
-	e.PUT("/tfe/api/v2/state-versions/:id/json-upload", tfeHandler.UploadJSONStateOutputs)
+	tfeSignedUrlsGroup := e.Group("/tfe/api/v2")
+	tfeSignedUrlsGroup.Use(middleware.VerifySignedURL)
+	tfeSignedUrlsGroup.PUT("/state-versions/:id/upload", tfeHandler.UploadStateVersion)
+	tfeSignedUrlsGroup.PUT("/state-versions/:id/json-upload", tfeHandler.UploadJSONStateOutputs)
 
 	// Keep discovery endpoints unprotected (needed for terraform login)
 	e.GET("/.well-known/terraform.json", tfeHandler.GetWellKnownJson)

taco/internal/auth/signed_url.go

@@ -0,0 +1,68 @@
+package auth
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/diggerhq/digger/opentaco/internal/config"
+)
+
+
+// SignURL creates a signed URL valid until expiry
+func SignURL(baseURL, path string, expiry time.Time) (string, error) {
+	secret, err := config.GetConfig().GetSecretKey()
+	if err != nil {
+		return "", fmt.Errorf("signing secret key error: %w", err)
+	}
+	u, _ := url.Parse(baseURL)
+	u.Path = path
+	q := u.Query()
+	q.Set("exp", fmt.Sprint(expiry.Unix()))
+
+	// Compute HMAC
+	mac := hmac.New(sha256.New, []byte(secret))
+	mac.Write([]byte(path + q.Get("exp")))
+	sig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
+	q.Set("sig", sig)
+	u.RawQuery = q.Encode()
+
+	return u.String(), nil
+}
+
+
+func VerifySignedUrl(signedUrl string) error {
+	secret, err := config.GetConfig().GetSecretKey()
+	if err != nil {
+		return fmt.Errorf("signing secret key error: %w", err)
+	}
+
+	u, _ := url.Parse(signedUrl)
+	path := u.Path
+	query := u.Query()
+	exp := query.Get("exp")
+	sig := query.Get("sig")
+
+	// Parse expiry timestamp
+	unix, err := strconv.ParseInt(exp, 10, 64)
+	if err != nil {
+		return fmt.Errorf("signing expired url error: %w", err)
+	}
+	if time.Now().Unix() > unix {
+		return fmt.Errorf("the signed url is expired")
+	}
+
+	// Compute expected signature
+	mac := hmac.New(sha256.New, []byte(secret))
+	mac.Write([]byte(path + exp))
+	expectedSig := base64.URLEncoding.EncodeToString(mac.Sum(nil))
+
+	if !hmac.Equal([]byte(sig), []byte(expectedSig)) {
+		return fmt.Errorf("the signed url is invalid")
+	}
+	return nil
+}

taco/internal/auth/signed_url_test.go

@@ -0,0 +1,139 @@
+package auth
+
+import (
+	"errors"
+	"net/url"
+	"testing"
+	"time"
+
+	"github.com/diggerhq/digger/opentaco/internal/config"
+)
+
+// helper: set mock config for each test
+func withMockConfig(t *testing.T, secret string, err error, fn func()) {
+	orig := config.GetConfig() // capture current provider
+
+	config.SetConfig(&config.MockConfig{
+		Secret: secret,
+		Err:    err,
+	})
+
+	t.Cleanup(func() {
+		config.SetConfig(orig)
+	})
+
+	fn()
+}
+
+func TestSignAndVerify_Success(t *testing.T) {
+	withMockConfig(t, "test-secret", nil, func() {
+		exp := time.Now().Add(1 * time.Hour)
+
+		signed, err := SignURL("https://example.com", "/files/123", exp)
+		if err != nil {
+			t.Fatalf("SignURL() unexpected error: %v", err)
+		}
+
+		if err := VerifySignedUrl(signed); err != nil {
+			t.Fatalf("VerifySignedUrl() unexpected error: %v", err)
+		}
+	})
+}
+
+func TestVerifySignedUrl_Expired(t *testing.T) {
+	withMockConfig(t, "test-secret", nil, func() {
+		expired := time.Now().Add(-2 * time.Minute)
+
+		signed, err := SignURL("https://example.com", "/files/123", expired)
+		if err != nil {
+			t.Fatalf("SignURL() unexpected error: %v", err)
+		}
+
+		if err := VerifySignedUrl(signed); err == nil {
+			t.Fatalf("expected error for expired URL, got nil")
+		}
+	})
+}
+
+func TestVerifySignedUrl_TamperedPath(t *testing.T) {
+	withMockConfig(t, "test-secret", nil, func() {
+		exp := time.Now().Add(1 * time.Hour)
+
+		signed, err := SignURL("https://example.com", "/files/123", exp)
+		if err != nil {
+			t.Fatalf("SignURL() unexpected error: %v", err)
+		}
+
+		// parse and change the path AFTER signing
+		u, _ := url.Parse(signed)
+		u.Path = "/files/999" // attacker changes resource
+		tampered := u.String()
+
+		if err := VerifySignedUrl(tampered); err == nil {
+			t.Fatalf("expected invalid signature error for tampered path, got nil")
+		}
+	})
+}
+
+func TestVerifySignedUrl_TamperedSignature(t *testing.T) {
+	withMockConfig(t, "test-secret", nil, func() {
+		exp := time.Now().Add(1 * time.Hour)
+
+		signed, err := SignURL("https://example.com", "/files/123", exp)
+		if err != nil {
+			t.Fatalf("SignURL() unexpected error: %v", err)
+		}
+
+		u, _ := url.Parse(signed)
+		q := u.Query()
+		q.Set("sig", "definitely-wrong-signature")
+		u.RawQuery = q.Encode()
+		tampered := u.String()
+
+		if err := VerifySignedUrl(tampered); err == nil {
+			t.Fatalf("expected invalid signature error for tampered signature, got nil")
+		}
+	})
+}
+
+func TestVerifySignedUrl_BadExpiryFormat(t *testing.T) {
+	withMockConfig(t, "test-secret", nil, func() {
+		exp := time.Now().Add(1 * time.Hour)
+
+		signed, err := SignURL("https://example.com", "/files/123", exp)
+		if err != nil {
+			t.Fatalf("SignURL() unexpected error: %v", err)
+		}
+
+		u, _ := url.Parse(signed)
+		q := u.Query()
+		q.Set("exp", "not-a-timestamp") // break exp
+		u.RawQuery = q.Encode()
+		bad := u.String()
+
+		if err := VerifySignedUrl(bad); err == nil {
+			t.Fatalf("expected error for bad exp format, got nil")
+		}
+	})
+}
+
+func TestSignURL_SecretError(t *testing.T) {
+	withMockConfig(t, "", errors.New("nope"), func() {
+		_, err := SignURL("https://example.com", "/files/123", time.Now().Add(time.Hour))
+		if err == nil {
+			t.Fatalf("expected error because secret retrieval failed in SignURL, got nil")
+		}
+	})
+}
+
+func TestVerifySignedUrl_SecretError(t *testing.T) {
+	withMockConfig(t, "", errors.New("nope"), func() {
+		// doesn't matter if URL shape is valid, config will fail first
+		testURL := "https://example.com/files/123?exp=123&sig=abc"
+
+		if err := VerifySignedUrl(testURL); err == nil {
+			t.Fatalf("expected error because secret retrieval failed in VerifySignedUrl, got nil")
+		}
+	})
+}
+

taco/internal/config/config.go

@@ -0,0 +1,52 @@
+package config
+
+import (
+	"errors"
+	"os"
+)
+
+// ConfigProvider is what the rest of the code depends on.
+// Both Config and MockConfig will satisfy this.
+type ConfigProvider interface {
+	GetSecretKey() (string, error)
+}
+
+// Config is the real implementation that reads from env.
+type Config struct{}
+
+func (c *Config) GetSecretKey() (string, error) {
+	secret := os.Getenv("OPENTACO_SECRET_KEY")
+	if secret == "" {
+		return "", errors.New("OPENTACO_SECRET_KEY environment variable not set")
+	}
+	return secret, nil
+}
+
+// MockConfig is a test double you can inject in tests.
+type MockConfig struct {
+	Secret string
+	Err    error
+}
+
+func (m *MockConfig) GetSecretKey() (string, error) {
+	if m.Err != nil {
+		return "", m.Err
+	}
+	return m.Secret, nil
+}
+
+// active is the "current" config provider used by prod code.
+// default is the real env-based config.
+var active ConfigProvider = &Config{}
+
+// GetConfig returns whichever provider is currently active.
+func GetConfig() ConfigProvider {
+	return active
+}
+
+// SetConfig lets tests (or special code) replace the active provider.
+// You call this in tests to inject MockConfig.
+// DO NOT call this in normal runtime code unless you really mean to override.
+func SetConfig(p ConfigProvider) {
+	active = p
+}

taco/internal/middleware/auth.go

@@ -198,7 +198,8 @@ func OpaqueOnlyVerifier(apiTokenMgr *auth.APITokenManager) AccessTokenVerifier {
         if apiTokenMgr == nil {
             return echo.NewHTTPError(http.StatusInternalServerError, "API token manager not configured")
         }
-        
+
+
         // Default to "default" org (no context available in this verifier)
         if _, err := apiTokenMgr.Verify(context.Background(), "default", token); err != nil {
             return echo.ErrUnauthorized

taco/internal/middleware/signed_url.go

@@ -0,0 +1,22 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+
+	"github.com/diggerhq/digger/opentaco/internal/auth"
+	"github.com/labstack/echo/v4"
+)
+
+
+// VerifySignedURL middleware
+func VerifySignedURL(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		err := auth.VerifySignedUrl(c.Request().URL.String())
+		if err != nil {
+			slog.Error("could not verify signature", "error", err.Error())
+			return c.NoContent(http.StatusUnauthorized)
+		}
+		return next(c)
+	}
+}

taco/internal/tfe/workspaces.go

@@ -5,7 +5,10 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+
+	"github.com/diggerhq/digger/opentaco/internal/auth"
 	"github.com/diggerhq/digger/opentaco/internal/domain/tfe"
+
 	"io"
 	"net/http"
 	"strings"
@@ -679,9 +682,20 @@ func (h *TfeHandler) CreateStateVersion(c echo.Context) error {
 
 	// Build URLs
 	baseURL := getBaseURL(c)
-	uploadURL := fmt.Sprintf("%s/tfe/api/v2/state-versions/%s/upload", baseURL, stateVersionID)
+
+	signedUploadUrl, err := auth.SignURL(baseURL, fmt.Sprintf("/tfe/api/v2/state-versions/%s/upload", stateVersionID), time.Now().Add(2*time.Minute))
+	if err != nil {
+		fmt.Printf("CreateStateVersion: ERROR - Failed to sign URL: %v\n", err)
+		return c.JSON(500, map[string]string{"error": "Failed to sign URL"})
+	}
+
+	signedJsonUploadUrl, err := auth.SignURL(baseURL, fmt.Sprintf("/tfe/api/v2/state-versions/%s/json-upload", stateVersionID), time.Now().Add(2*time.Minute))
+	if err != nil {
+		fmt.Printf("CreateStateVersion: ERROR - Failed to sign URL: %v\n", err)
+		return c.JSON(500, map[string]string{"error": "Failed to sign URL"})
+	}
+
 	downloadURL := fmt.Sprintf("%s/tfe/api/v2/state-versions/%s/download", baseURL, stateVersionID)
-	jsonUploadURL := fmt.Sprintf("%s/tfe/api/v2/state-versions/%s/json-upload", baseURL, stateVersionID)
 
 	// Derive serial and lineage from existing state (if any)
 	serial := 0
@@ -699,7 +713,6 @@ func (h *TfeHandler) CreateStateVersion(c echo.Context) error {
 	}
 
 	fmt.Printf("CreateStateVersion: baseURL='%s'\n", baseURL)
-	fmt.Printf("CreateStateVersion: uploadURL='%s'\n", uploadURL)
 
 	// Build the response
 	response := map[string]interface{}{
@@ -710,10 +723,10 @@ func (h *TfeHandler) CreateStateVersion(c echo.Context) error {
 				"created-at":                   time.Now().UTC().Format(time.RFC3339),
 				"updated-at":                   time.Now().UTC().Format(time.RFC3339),
 				"size":                         0,
-				"upload-url":                   uploadURL,
-				"hosted-state-upload-url":      uploadURL,
+				"upload-url":                   signedUploadUrl,
+				"hosted-state-upload-url":      signedUploadUrl,
 				"hosted-state-download-url":    downloadURL,
-				"hosted-json-state-upload-url": jsonUploadURL,
+				"hosted-json-state-upload-url": signedJsonUploadUrl,
 				"serial":                       serial,
 				"lineage":                      lineage,
 			},