feat(hmac) multiple HMAC algorithms support and enforce_headers option
#2644
Conversation
shashiranjan84
force-pushed
the
feat/hmac-header-algo
branch
from
92492ab to
8d55afa
Compare
kong/plugins/hmac-auth/access.lua
Outdated
| local matched = false | ||
| for _, algo in ipairs(conf.algorithms) do | ||
| if algo == params.algorithm then | ||
| matched = true |
There was a problem hiding this comment.
lets just return true, no need to keep running through this loop once we have a match? also means we dont need matched:
for _, algo in ipairs(conf.algorithms) do
if algo == params.algorithm then
return true
end
end
return nil, fmt("algorithm %s not supported", params.algorithm)
kong/plugins/hmac-auth/access.lua
Outdated
| end | ||
|
|
||
| -- check enforced headers are present | ||
| local enfoprced_header_set = list_as_set(conf.enforce_headers) |
There was a problem hiding this comment.
typo, 'enfoprced_header_set'.
also, how hard would it be to cache the enforce_headers table, so we dont have to constantly call list_as_set?
kong/plugins/hmac-auth/access.lua
Outdated
| local function list_as_set(list) | ||
| local set = {} | ||
| for _, v in ipairs(list) do | ||
| set[v] = true; |
There was a problem hiding this comment.
Java memory :)
| for _, row in ipairs(rows) do | ||
| row.config.validate_request_body = false | ||
| row.config.enforce_headers = {} | ||
| row.config.algorithms = {"hmac-sha1"} |
There was a problem hiding this comment.
not quite sure i agree with this default assignment, as the schema default is to support all 4 algorithms.
There was a problem hiding this comment.
This is intentional, older version only has support for hmac-sha1, so after migration I defaulted it to {"hmac-sha1"}. If user want to support all 4, he would need to patch the plugin.
kong/plugins/hmac-auth/access.lua
Outdated
| } | ||
|
|
||
| local function list_as_set(list) | ||
| local set = {} |
There was a problem hiding this comment.
since we know the size of this table, a minor optimization here would be to use table.new to create the appropriately-sized table.
p0pr0ck5
added
pr/changes requested
shashiranjan84
force-pushed
the
feat/hmac-header-algo
branch
from
8d55afa to
cbf0cfe
Compare
shashiranjan84
added
pr/status/please review
and removed
pr/changes requested
kong/plugins/hmac-auth/access.lua
Outdated
| local resty_sha256 = require "resty.sha256" | ||
| local new_table = require "table.new" |
There was a problem hiding this comment.
we typically wrap this in pcall. see https://github.com/Mashape/kong/blob/master/kong/plugins/ip-restriction/handler.lua#L5 as an example
kong/plugins/hmac-auth/access.lua
Outdated
| end | ||
|
|
||
| -- check supported alorithm used | ||
| local matched = false |
There was a problem hiding this comment.
dont need this matched var. and after this for loop we can just return nil, fmt(...)
p0pr0ck5
added
pr/changes requested
shashiranjan84
force-pushed
the
feat/hmac-header-algo
branch
from
cbf0cfe to
e52b7d5
Compare
shashiranjan84
added
pr/status/please review
and removed
pr/changes requested
|
@p0pr0ck5 makes sense, thanks. Updated code as you advised. |
| for _, row in ipairs(rows) do | ||
| row.config.validate_request_body = false | ||
| row.config.enforce_headers = {} | ||
| row.config.algorithms = {"hmac-sha1"} |
There was a problem hiding this comment.
space in between brackets and quotes
| it("errors with wrong algorithm", function() | ||
| local ok, err = validate_entity({algorithms = {"sha1024"}}, hmac_auth_schema) | ||
| assert.equal('"sha1024" is not allowed. Allowed values are: "hmac-sha1", "hmac-sha256", "hmac-sha384", "hmac-sha512"', err.algorithms) | ||
| assert.False(ok) |
There was a problem hiding this comment.
prefer lowercase is_false to False, i believe
shashiranjan84
force-pushed
the
feat/hmac-header-algo
branch
from
e52b7d5 to
046bd3e
Compare
p0pr0ck5
added
the
pr/ready
kong/plugins/hmac-auth/access.lua
Outdated
| } | ||
|
|
||
| local function list_as_set(list) | ||
| local set = new_tab(#list, 0) |
There was a problem hiding this comment.
new_tab(narr, nrec), this should be: new_tab(0, #list)
There was a problem hiding this comment.
Are you sure @thibaultcha, because in following code, 1st argument is length?
https://github.com/Mashape/kong/blob/master/kong/plugins/ip-restriction/handler.lua#L26
There was a problem hiding this comment.
Yes, because this code you pointed is using the array part of the table, but your use-case concerns the hash part.
kong/plugins/hmac-auth/access.lua
Outdated
|
|
||
| local function validate_params(params, conf) | ||
| -- check username and signature are present | ||
| if not (params.username and params.signature) then |
There was a problem hiding this comment.
No parenthesis is the preferred style and also reads better: if not params.username or not params.signature
kong/plugins/hmac-auth/access.lua
Outdated
| for _, header in ipairs(params.hmac_headers) do | ||
| enforced_header_set[header] = nil | ||
| end | ||
|
|
There was a problem hiding this comment.
one too many blank line it seems?
kong/plugins/hmac-auth/access.lua
Outdated
| return true | ||
| end | ||
| end | ||
| return nil, fmt("algorithm %s not supported", params.algorithm) |
There was a problem hiding this comment.
We should jump a line before the return statement
kong/plugins/hmac-auth/access.lua
Outdated
| local _M = {} | ||
|
|
||
| local hmac = { | ||
| ["hmac-sha1"] = function(secret, data) | ||
| return crypto.hmac.digest("sha1", data, secret, true) |
There was a problem hiding this comment.
Maybe we should keep using ngx.sha1 when possible? This way we reduce the risk and we take advantage of using the FFI over the crypto lib?
kong/plugins/hmac-auth/access.lua
Outdated
| @@ -183,6 +248,7 @@ local function set_consumer(consumer, credential) | |||
| end | |||
|
|
|||
| local function do_authentication(conf) | |||
|
|
|||
There was a problem hiding this comment.
Seems this is an undesired change too?
kong/plugins/hmac-auth/access.lua
Outdated
| return false, {status = 403, message = SIGNATURE_NOT_VALID} | ||
| end | ||
|
|
||
| -- validate signature | ||
| local credential = load_credential(hmac_params.username) | ||
| if not credential then | ||
| ngx_log(ngx.DEBUG, "failed to retrieve credential for " .. hmac_params.username) |
There was a problem hiding this comment.
We should avoid string concatenation operators and use variadic arguments when possible. Here:
ngx_log(ngx.DEBUG, "failed to retrieve credential for ", hmac_params.username)
thibaultcha
added
pr/changes requested
- Support for HMAC-SHA256, HMAC-SHA384, HMAC-SHA512. - User can enforce which headers must at least be used for http signature creation using `config.enforce_headers`.
shashiranjan84
force-pushed
the
feat/hmac-header-algo
branch
from
046bd3e to
4b18109
Compare
shashiranjan84
added
pr/status/please review
and removed
pr/changes requested
|
@thibaultcha update PR as you suggested. |
SUMMARY
http signature creation using
config.enforce_headers.Full changelog
config.alogorithmsandconfig.enforce_headersadded to schema