Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error calling HMAC plugin create_hash #2143

Closed
joshbeckman opened this issue Feb 28, 2017 · 5 comments
Closed

Error calling HMAC plugin create_hash #2143

joshbeckman opened this issue Feb 28, 2017 · 5 comments
Labels

Comments

@joshbeckman
Copy link

joshbeckman commented Feb 28, 2017

Summary

I have recently configured HMAC auth via the bundled plugin with only default settings on a new API. The only other plugin running on this API is the CORS bundled plugin. Upon receiving the signed request, kong returns a 500 error, with the logs:

2017-02-28T17:55:11.285701+00:00 heroku[router]: at=info method=POST path="/mockbin/post" host=api.<ourcompany>.com request_id=b78ce346-fd44-4252-a845-b1288eff5123 fwd="96.65.75.149,162.158.74.140" dyno=web.1 connect=1ms service=115ms status=500 bytes=255
2017-02-28T17:55:11.277516+00:00 app[web.1]: 2017/02/28 17:55:11 [error] 96#0: *4061 lua entry thread aborted: runtime error: .../.heroku/share/lua/5.1/kong/plugins/hmac-auth/access.lua:99: bad argument #1 to 'create_hash' (string expected, got nil)
2017-02-28T17:55:11.277528+00:00 app[web.1]: stack traceback:
2017-02-28T17:55:11.277529+00:00 app[web.1]: coroutine 0:
2017-02-28T17:55:11.277529+00:00 app[web.1]: 	[C]: in function 'create_hash'
2017-02-28T17:55:11.277530+00:00 app[web.1]: 	.../.heroku/share/lua/5.1/kong/plugins/hmac-auth/access.lua:99: in function 'validate_signature'
2017-02-28T17:55:11.277531+00:00 app[web.1]: 	.../.heroku/share/lua/5.1/kong/plugins/hmac-auth/access.lua:168: in function 'execute'
2017-02-28T17:55:11.277532+00:00 app[web.1]: 	....heroku/share/lua/5.1/kong/plugins/hmac-auth/handler.lua:14: in function 'access'
2017-02-28T17:55:11.277534+00:00 app[web.1]: 	/app/.heroku/share/lua/5.1/kong.lua:193: in function 'access'
2017-02-28T17:55:11.277535+00:00 app[web.1]: 	access_by_lua(nginx.conf:87):2: in function <access_by_lua(nginx.conf:87):1>, client: 96.65.75.149, server: _, request: "POST /mockbin/post HTTP/1.1", host: "api.<ourcompany>.com", referrer: "http://localhost:3000/"

I don't see what the nil value stems from. By line 168 (https://github.com/Mashape/kong/blame/0.7.0/kong/plugins/hmac-auth/access.lua#L168) the hmac_params have been collected and validated, headers are present, and ngx.req is present. What's the issue?

Steps To Reproduce

curl https://api.<ourcompany>.com/mockbin/post --data 'foobar' -X POST --header 'content-md5: 3858f62230ac3c915f300c664312c63f' --header 'content-type: text/plain' --header 'date: Tue, 28 Feb 2017 19:42:34 GMT' --header 'authorization: hmac username="customercontact-381", algorithm="hmac-sha1", headers="date content-md5", signature="MTRjMTVkYzI4ODUwNjllMjRlMDhkY2ViNmQ4NWQxODVmYzFjMDA5MQ=="' -i

Additional Details & Logs

Here is the line in question: https://github.com/Mashape/kong/blame/0.7.0/kong/plugins/hmac-auth/access.lua#L58
The API in question is configured at the mockbin path.

@joshbeckman joshbeckman changed the title Issues with HMAC plugin create_hash Error calling HMAC plugin create_hash Feb 28, 2017
@Tieske
Copy link
Member

Tieske commented Mar 2, 2017

@joshbeckman
Copy link
Author

This was due to the consumer/hmac-auth lacking a proper secret value. The only suggestion I would make is to require the secret value upon creation of an hmac-auth record. As it stands, it is an optional value, but obviously is required to actually use the HMAC scheme.

@Tieske Tieske reopened this Mar 2, 2017
@Tieske
Copy link
Member

Tieske commented Mar 2, 2017

@andjosh thx for the investigation, reopening this as to proper fix it in current versions as well.

@Tieske Tieske added the task/bug label Mar 2, 2017
p0pr0ck5 added a commit that referenced this issue Mar 3, 2017
Since the credential secret is required to compute the signature,
create a random secret which will be displayed back to the user
as part of the response body.

This fixes issue #2143.
p0pr0ck5 added a commit that referenced this issue Mar 3, 2017
Since the credential secret is required to compute the signature,
create a random secret which will be displayed back to the user
as part of the response body.

This fixes issue #2143.
@p0pr0ck5
Copy link
Contributor

p0pr0ck5 commented Mar 7, 2017

BTW, the fix in #2158 solves the issue of allowing a null secret; since this isn't a majorly pressing issue, I'd like to wait to merge until 0.10 is released, so as to avoid complicating the release any further. We'll also need to update the plugin docs to note this behavior change.

p0pr0ck5 added a commit that referenced this issue Mar 8, 2017
Since the credential secret is required to compute the signature,
create a random secret which will be displayed back to the user
as part of the response body.

This fixes issue #2143.
p0pr0ck5 added a commit that referenced this issue Mar 13, 2017
Since the credential secret is required to compute the signature,
create a random secret which will be displayed back to the user
as part of the response body.

This fixes issue #2143.
@p0pr0ck5
Copy link
Contributor

Closing this, since it's fixed on the next branch. Thanks @andjosh for the report!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants