feat(hmac) multiple HMAC algorithms support and enforce_headers option #2644
92492ab to 8d55afa
kong/plugins/hmac-auth/access.lua (Outdated)
local matched = false | ||
for _, algo in ipairs(conf.algorithms) do | ||
if algo == params.algorithm then | ||
matched = true |
Let's just return true, no need to keep running through this loop once we have a match? Also means we don't need matched:
for _, algo in ipairs(conf.algorithms) do
if algo == params.algorithm then
return true
end
end
return nil, fmt("algorithm %s not supported", params.algorithm)
kong/plugins/hmac-auth/access.lua (Outdated)
end | ||
|
||
-- check enforced headers are present | ||
local enfoprced_header_set = list_as_set(conf.enforce_headers) |
Typo, 'enfoprced_header_set'.
Also, how hard would it be to cache the enforce_headers table, so we don't have to constantly call list_as_set?
kong/plugins/hmac-auth/access.lua (Outdated)
local function list_as_set(list) | ||
local set = {} | ||
for _, v in ipairs(list) do | ||
set[v] = true; |
semicolon?
Java memory :)
for _, row in ipairs(rows) do | ||
row.config.validate_request_body = false | ||
row.config.enforce_headers = {} | ||
row.config.algorithms = {"hmac-sha1"} |
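Review bot: the defaults written for migrated rows (enforce_headers = {}, algorithms = {"hmac-sha1"}) differ from the schema default, which allows all four algorithms, so the reason (preserving pre-upgrade behaviour, where only hmac-sha1 existed) should be stated in a comment beside these assignments or in the changelog; otherwise an operator reading a migrated config cannot tell whether the restriction to hmac-sha1 is intentional.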
Not quite sure I agree with this default assignment, as the schema default is to support all 4 algorithms.
This is intentional: the older version only has support for hmac-sha1, so after migration I defaulted it to {"hmac-sha1"}. If a user wants to support all 4, he would need to patch the plugin.
kong/plugins/hmac-auth/access.lua (Outdated)
} | ||
|
||
local function list_as_set(list) | ||
local set = {} |
Since we know the size of this table, a minor optimization here would be to use table.new to create the appropriately-sized table.
8d55afa to cbf0cfe
Thanks! A couple of minor things, then I think it looks good!
kong/plugins/hmac-auth/access.lua (Outdated)
local resty_sha256 = require "resty.sha256" | ||
local new_table = require "table.new" |
We typically wrap this in pcall. See https://github.com/Mashape/kong/blob/master/kong/plugins/ip-restriction/handler.lua#L5 as an example.
kong/plugins/hmac-auth/access.lua (Outdated)
end | ||
|
||
-- check supported alorithm used | ||
local matched = false |
Don't need this matched var, and after this for loop we can just return nil, fmt(...)
cbf0cfe to e52b7d5
@p0pr0ck5 makes sense, thanks. Updated the code as you advised.
A few minor things to clean up, but LGTM overall.
for _, row in ipairs(rows) do | ||
row.config.validate_request_body = false | ||
row.config.enforce_headers = {} | ||
row.config.algorithms = {"hmac-sha1"} |
Space in between brackets and quotes.
it("errors with wrong algorithm", function() | ||
local ok, err = validate_entity({algorithms = {"sha1024"}}, hmac_auth_schema) | ||
assert.equal('"sha1024" is not allowed. Allowed values are: "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512"', err.algorithms) | ||
assert.False(ok) |
Prefer lowercase is_false to False, I believe.
e52b7d5 to 046bd3e
kong/plugins/hmac-auth/access.lua (Outdated)
} | ||
|
||
local function list_as_set(list) | ||
local set = new_tab(#list, 0) |
new_tab(narr, nrec), this should be: new_tab(0, #list)
Are you sure @thibaultcha? Because in the following code, the 1st argument is the length:
https://github.com/Mashape/kong/blob/master/kong/plugins/ip-restriction/handler.lua#L26
Yes, because the code you pointed to is using the array part of the table, but your use-case concerns the hash part.
kong/plugins/hmac-auth/access.lua (Outdated)
|
||
local function validate_params(params, conf) | ||
-- check username and signature are present | ||
if not (params.username and params.signature) then |
No parentheses is the preferred style and also reads better: if not params.username or not params.signature
kong/plugins/hmac-auth/access.lua (Outdated)
for _, header in ipairs(params.hmac_headers) do | ||
enforced_header_set[header] = nil | ||
end | ||
|
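Review bot: `enforced_header_set[header] = nil` deletes entries from the set, so if that set is later cached as suggested earlier in this thread, one request's deletions would carry over into the next and enforced headers would silently stop being required. Either build a fresh set for every request, or keep the cached set read-only and instead iterate conf.enforce_headers, testing each against a set built from params.hmac_headers.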
One too many blank lines, it seems?
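As an added example that is not code from this PR or from Kong, the following Lua folds the review points of this thread into one validate_params(): the algorithm check returns early, table.new is loaded through pcall, the set lives in the hash part (new_tab(0, n)), and the set built from conf is cached so list_as_set is not rerun per request while the enforced-header check reads it without mutation. The names conf.algorithms, conf.enforce_headers, params.algorithm and params.hmac_headers come from the hunks above; algo_set_cache and allowed_algorithms are hypothetical helpers.

```lua
-- Added example (not the PR's code). Assumes conf.algorithms,
-- conf.enforce_headers, params.algorithm and params.hmac_headers as in the hunks.
local fmt = string.format

-- table.new is a LuaJIT extension: load it with pcall, as suggested above.
local ok, new_tab = pcall(require, "table.new")
if not ok then
  new_tab = function() return {} end
end

-- Lookup set from a list. Keys live in the hash part, so the record count
-- is the second argument: new_tab(0, #list).
local function list_as_set(list)
  local set = new_tab(0, #list)
  for _, v in ipairs(list) do
    set[v] = true
  end
  return set
end

-- Cache per conf table (weak keys) so the set is not rebuilt on every request.
local algo_set_cache = setmetatable({}, { __mode = "k" })

local function allowed_algorithms(conf)
  local set = algo_set_cache[conf]
  if not set then
    set = list_as_set(conf.algorithms)
    algo_set_cache[conf] = set
  end
  return set
end

local function validate_params(params, conf)
  -- only an admin-enabled algorithm passes; the set lookup replaces the
  -- loop and the `matched` flag discussed above
  if not allowed_algorithms(conf)[params.algorithm] then
    return nil, fmt("algorithm %s not supported", tostring(params.algorithm))
  end

  -- every enforced header must be among the signed headers; a membership
  -- test never mutates a shared table, so the cached set stays intact
  local signed = list_as_set(params.hmac_headers)
  for _, header in ipairs(conf.enforce_headers) do
    if not signed[header] then
      return nil, fmt("enforced header %s not used for signature creation", header)
    end
  end

  return true
end
```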
kong/plugins/hmac-auth/access.lua (Outdated)
return true | ||
end | ||
end | ||
return nil, fmt("algorithm %s not supported", params.algorithm) |
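Review bot: the fmt call on the last line assumes params.algorithm is a string; if a client omits the algorithm parameter from the Authorization header, make sure its presence has been checked before this point, or pass tostring(params.algorithm), so the missing parameter surfaces as the intended validation error rather than as a format error on runtimes where %s rejects nil.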
We should jump a line before the return statement.
kong/plugins/hmac-auth/access.lua (Outdated)
local _M = {} | ||
|
||
local hmac = { | ||
["hmac-sha1"] = function(secret, data) | ||
return crypto.hmac.digest("sha1", data, secret, true) |
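Review bot: this dispatch table is keyed by the client-supplied algorithm name, so the conf.algorithms check earlier in the file must remain the only gate into it, and the digest lookup should use the same string that check validated; otherwise a consumer could select an algorithm the admin disabled.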
Maybe we should keep using ngx.sha1 when possible? This way we reduce the risk and we take advantage of using the FFI over the crypto lib?
kong/plugins/hmac-auth/access.lua (Outdated)
@@ -183,6 +248,7 @@ local function set_consumer(consumer, credential) | |||
end | |||
|
|||
local function do_authentication(conf) | |||
|
Seems this is an undesired change too?
kong/plugins/hmac-auth/access.lua (Outdated)
return false, {status = 403, message = SIGNATURE_NOT_VALID} | ||
end | ||
|
||
-- validate signature | ||
local credential = load_credential(hmac_params.username) | ||
if not credential then | ||
ngx_log(ngx.DEBUG, "failed to retrieve credential for " .. hmac_params.username) |
We should avoid string concatenation operators and use variadic arguments when possible. Here:
ngx_log(ngx.DEBUG, "failed to retrieve credential for ", hmac_params.username)
- Support for HMAC-SHA256, HMAC-SHA384, HMAC-SHA512.
- User can enforce which headers must at least be used for http signature creation using `config.enforce_headers`.
046bd3e to 4b18109
@thibaultcha updated the PR as you suggested.
Summary
http signature creation using `config.enforce_headers`.
Full changelog
`config.algorithms` and `config.enforce_headers` added to schema