Posted to notifications@apisix.apache.org by sp...@apache.org on 2022/05/29 12:56:36 UTC
[apisix] 11/12: fix(hmac-auth): don't let client know why it is rejected (#6853)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch release/2.13
in repository https://gitbox.apache.org/repos/asf/apisix.git
commit b3d6e5a58bf12045e5eb36d74b4f30b194184d80
Author: 罗泽轩 <sp...@gmail.com>
AuthorDate: Sun Apr 17 19:36:35 2022 +0800
fix(hmac-auth): don't let client know why it is rejected (#6853)
Signed-off-by: spacewander <sp...@gmail.com>
---
apisix/plugins/hmac-auth.lua | 33 +++----
t/APISIX.pm | 14 ---
.../{custom_hmac_auth.t => hmac-auth-custom.t} | 103 +++++++++++----------
t/plugin/hmac-auth.t | 66 ++++++++++---
t/plugin/hmac-auth2.t | 12 ++-
t/plugin/hmac-auth3.t | 24 ++++-
6 files changed, 154 insertions(+), 98 deletions(-)
diff --git a/apisix/plugins/hmac-auth.lua b/apisix/plugins/hmac-auth.lua
index 9a63db977..6195644c0 100644
--- a/apisix/plugins/hmac-auth.lua
+++ b/apisix/plugins/hmac-auth.lua
@@ -171,12 +171,12 @@ end
local function get_consumer(access_key)
if not access_key then
- return nil, {message = "missing access key"}
+ return nil, "missing access key"
end
local consumer_conf = consumer.plugin(plugin_name)
if not consumer_conf then
- return nil, {message = "Missing related consumer"}
+ return nil, "Missing related consumer"
end
local consumers = lrucache("consumers_key", consumer_conf.conf_version,
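Review bot: get_consumer now hands back a bare string as its second value, but nothing in the hunk records that this string is a log-only diagnostic; rewrite() at the end of the file writes it to the error log and answers the client with a fixed message, so a future caller that returns it in the response would quietly reintroduce the leak this commit closes. Add above the function: `-- Returns the consumer for access_key, or nil plus a reason string. The reason is written to the error log only and must never be sent to the client.` The same comment belongs on validate (hunk at L44), which follows the same convention. get_consumer continues beyond this hunk.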
@@ -184,7 +184,7 @@ local function get_consumer(access_key)
local consumer = consumers[access_key]
if not consumer then
- return nil, {message = "Invalid access key"}
+ return nil, "Invalid access key"
end
core.log.info("consumer: ", core.json.delay_encode(consumer))
@@ -297,11 +297,11 @@ end
local function validate(ctx, params)
if not params.access_key or not params.signature then
- return nil, {message = "access key or signature missing"}
+ return nil, "access key or signature missing"
end
if not params.algorithm then
- return nil, {message = "algorithm missing"}
+ return nil, "algorithm missing"
end
local consumer, err = get_consumer(params.access_key)
@@ -311,7 +311,7 @@ local function validate(ctx, params)
local conf = consumer.auth_conf
if conf.algorithm ~= params.algorithm then
- return nil, {message = "algorithm " .. params.algorithm .. " not supported"}
+ return nil, "algorithm " .. params.algorithm .. " not supported"
end
core.log.info("clock_skew: ", conf.clock_skew)
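Review bot: The reason string on the added line embeds params.algorithm, which the tests in this commit show comes from a client-controlled request header (e.g. `X-APISIX-HMAC-ALGORITHM: ljlj`), and rewrite() now writes that string verbatim to the error log with core.log.warn. A header value carrying newlines or control bytes could therefore split or forge log lines, which matters more now that the grep_error_log expectations make this log the place operators look for the real rejection reason. Consider neutralising control characters and bounding the length before interpolating, e.g. `return nil, "algorithm " .. (params.algorithm:sub(1, 64):gsub("%c", "?")) .. " not supported"`; the header name interpolated at the hunk at L80 has the same exposure. Whether core.log already escapes control characters I can't tell from here; if it does, a one-line comment saying so would be enough. validate continues on both sides of this hunk.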
@@ -319,13 +319,13 @@ local function validate(ctx, params)
local time = ngx.parse_http_time(params.date)
core.log.info("params.date: ", params.date, " time: ", time)
if not time then
- return nil, {message = "Invalid GMT format time"}
+ return nil, "Invalid GMT format time"
end
local diff = abs(ngx_time() - time)
core.log.info("gmt diff: ", diff)
if diff > conf.clock_skew then
- return nil, {message = "Clock skew exceeded"}
+ return nil, "Clock skew exceeded"
end
end
@@ -335,7 +335,7 @@ local function validate(ctx, params)
if params.signed_headers then
for _, header in ipairs(params.signed_headers) do
if not headers_map[header] then
- return nil, {message = "Invalid signed header " .. header}
+ return nil, "Invalid signed header " .. header
end
end
end
@@ -349,27 +349,27 @@ local function validate(ctx, params)
" generated_signature: ", generated_signature)
if request_signature ~= generated_signature then
- return nil, {message = "Invalid signature"}
+ return nil, "Invalid signature"
end
local validate_request_body = get_conf_field(params.access_key, "validate_request_body")
if validate_request_body then
local digest_header = params.body_digest
if not digest_header then
- return nil, {message = "Invalid digest"}
+ return nil, "Invalid digest"
end
local max_req_body = get_conf_field(params.access_key, "max_req_body")
local req_body, err = core.request.get_body(max_req_body, ctx)
if err then
- return nil, {message = "Exceed body limit size"}
+ return nil, "Exceed body limit size"
end
req_body = req_body or ""
local request_body_hash = ngx_encode_base64(
hmac_funcs[params.algorithm](secret_key, req_body))
if request_body_hash ~= digest_header then
- return nil, {message = "Invalid digest"}
+ return nil, "Invalid digest"
end
end
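Review bot: Both the missing-digest branch and the mismatch branch return the identical reason `"Invalid digest"`, so now that the reason surfaces only in the error log, an operator cannot tell a client that omitted the body digest from one that sent a wrong one. Since the string is no longer part of the client contract, the first occurrence can be made distinct at no cost to callers, e.g. `return nil, "Missing body digest"`; the matching grep_error_log_out expectations in t/plugin/hmac-auth3.t would need the same wording. validate continues before and after this hunk.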
@@ -449,12 +449,9 @@ end
function _M.rewrite(conf, ctx)
local params = get_params(ctx)
local validated_consumer, err = validate(ctx, params)
- if err then
- return 401, err
- end
-
if not validated_consumer then
- return 401, {message = "Invalid signature"}
+ core.log.warn("client request can't be validated: ", err or "Invalid signature")
+ return 401, {message = "client request can't be validated"}
end
local consumer_conf = consumer.plugin(plugin_name)
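Review bot: The deliberate downgrade of the client-facing message deserves a comment, otherwise the next person to touch this branch will see a perfectly good `err` being discarded and "fix" it. Suggest above the warn: `-- Log the real reason but answer with a fixed message, so a client cannot use the response to learn which access keys exist or which check failed.` The `or "Invalid signature"` fallback only fires if validate returns nil without a reason; if that cannot happen, say so in the same comment so the fallback is not mistaken for a real code path. rewrite continues past the hunk.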
diff --git a/t/APISIX.pm b/t/APISIX.pm
index b9f708925..859ae21da 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -110,20 +110,6 @@ etcd:
_EOC_
}
-my $custom_hmac_auth = $ENV{"CUSTOM_HMAC_AUTH"} || "false";
-if ($custom_hmac_auth eq "true") {
- $user_yaml_config .= <<_EOC_;
-plugin_attr:
- hmac-auth:
- signature_key: X-APISIX-HMAC-SIGNATURE
- algorithm_key: X-APISIX-HMAC-ALGORITHM
- date_key: X-APISIX-DATE
- access_key: X-APISIX-HMAC-ACCESS-KEY
- signed_headers_key: X-APISIX-HMAC-SIGNED-HEADERS
-_EOC_
-}
-
-
my $profile = $ENV{"APISIX_PROFILE"};
diff --git a/t/plugin/custom_hmac_auth.t b/t/plugin/hmac-auth-custom.t
similarity index 83%
rename from t/plugin/custom_hmac_auth.t
rename to t/plugin/hmac-auth-custom.t
index 48066e2bc..f7608f0d8 100644
--- a/t/plugin/custom_hmac_auth.t
+++ b/t/plugin/hmac-auth-custom.t
@@ -14,16 +14,37 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
-BEGIN {
- $ENV{"CUSTOM_HMAC_AUTH"} = "true"
-}
-
use t::APISIX 'no_plan';
repeat_each(2);
no_long_string();
no_root_location();
no_shuffle();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!$block->request) {
+ $block->set_value("request", "GET /t");
+ }
+
+ if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+ $block->set_value("no_error_log", "[error]");
+ }
+
+ my $extra_yaml_config = <<_EOC_;
+plugin_attr:
+ hmac-auth:
+ signature_key: X-APISIX-HMAC-SIGNATURE
+ algorithm_key: X-APISIX-HMAC-ALGORITHM
+ date_key: X-APISIX-DATE
+ access_key: X-APISIX-HMAC-ACCESS-KEY
+ signed_headers_key: X-APISIX-HMAC-SIGNED-HEADERS
+_EOC_
+
+ $block->set_value("extra_yaml_config", $extra_yaml_config);
+});
+
run_tests;
__DATA__
@@ -53,12 +74,8 @@ __DATA__
ngx.say(body)
}
}
---- request
-GET /t
--- response_body
passed
---- no_error_log
-[error]
@@ -82,11 +99,7 @@ passed
ngx.say(body)
}
}
---- request
-GET /t
--- error_code: 400
---- no_error_log
-[error]
@@ -110,11 +123,7 @@ GET /t
ngx.say(body)
}
}
---- request
-GET /t
--- error_code: 400
---- no_error_log
-[error]
@@ -145,12 +154,8 @@ GET /t
ngx.say(body)
}
}
---- request
-GET /t
--- response_body
passed
---- no_error_log
-[error]
@@ -158,10 +163,12 @@ passed
--- request
GET /hello
--- error_code: 401
---- response_body
-{"message":"access key or signature missing"}
---- no_error_log
-[error]
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: access key or signature missing
+--- response_body eval
+qr/\{"message":"client request can't be validated"\}/
@@ -174,10 +181,12 @@ X-APISIX-HMAC-ALGORITHM: hmac-sha256
X-APISIX-Date: Thu, 24 Sep 2020 06:39:52 GMT
X-APISIX-HMAC-ACCESS-KEY: sdf
--- error_code: 401
---- response_body
-{"message":"Invalid access key"}
---- no_error_log
-[error]
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid access key
+--- response_body eval
+qr/\{"message":"client request can't be validated"\}/
@@ -190,10 +199,12 @@ X-APISIX-HMAC-ALGORITHM: ljlj
X-APISIX-Date: Thu, 24 Sep 2020 06:39:52 GMT
X-APISIX-HMAC-ACCESS-KEY: sdf
--- error_code: 401
---- response_body
-{"message":"Invalid access key"}
---- no_error_log
-[error]
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid access key
+--- response_body eval
+qr/\{"message":"client request can't be validated"\}/
@@ -206,10 +217,12 @@ X-APISIX-HMAC-ALGORITHM: hmac-sha256
X-APISIX-Date: adfa
X-APISIX-HMAC-ACCESS-KEY: my-access-key
--- error_code: 401
---- response_body
-{"message":"Invalid GMT format time"}
---- no_error_log
-[error]
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid GMT format time
+--- response_body eval
+qr/\{"message":"client request can't be validated"\}/
@@ -264,12 +277,8 @@ location /t {
ngx.say(body)
}
}
---- request
-GET /t
--- response_body
passed
---- no_error_log
-[error]
@@ -297,12 +306,8 @@ passed
ngx.say(body)
}
}
---- request
-GET /t
--- response_body
passed
---- no_error_log
-[error]
@@ -347,10 +352,10 @@ location /t {
ngx.say(body)
}
}
---- request
-GET /t
--- error_code: 401
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Clock skew exceeded
--- response_body eval
-qr/\{"message":"Clock skew exceeded"\}/
---- no_error_log
-[error]
+qr/\{"message":"client request can't be validated"\}/
diff --git a/t/plugin/hmac-auth.t b/t/plugin/hmac-auth.t
index 1895a8417..bc530eb2b 100644
--- a/t/plugin/hmac-auth.t
+++ b/t/plugin/hmac-auth.t
@@ -221,7 +221,11 @@ passed
GET /hello
--- error_code: 401
--- response_body
-{"message":"access key or signature missing"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: access key or signature missing
--- no_error_log
[error]
@@ -236,7 +240,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT
X-HMAC-ACCESS-KEY: my-access-key
--- error_code: 401
--- response_body
-{"message":"algorithm missing"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: algorithm missing
--- no_error_log
[error]
@@ -252,7 +260,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT
X-HMAC-ACCESS-KEY: sdf
--- error_code: 401
--- response_body
-{"message":"Invalid access key"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid access key
--- no_error_log
[error]
@@ -268,7 +280,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT
X-HMAC-ACCESS-KEY: my-access-key
--- error_code: 401
--- response_body
-{"message":"algorithm ljlj not supported"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: algorithm ljlj not supported
--- no_error_log
[error]
@@ -284,7 +300,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT
X-HMAC-ACCESS-KEY: my-access-key
--- error_code: 401
--- response_body
-{"message":"Clock skew exceeded"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Clock skew exceeded
--- no_error_log
[error]
@@ -299,7 +319,11 @@ X-HMAC-ALGORITHM: hmac-sha256
X-HMAC-ACCESS-KEY: my-access-key
--- error_code: 401
--- response_body
-{"message":"Invalid GMT format time"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid GMT format time
--- no_error_log
[error]
@@ -315,7 +339,11 @@ Date: adfsdf
X-HMAC-ACCESS-KEY: my-access-key
--- error_code: 401
--- response_body
-{"message":"Invalid GMT format time"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid GMT format time
--- no_error_log
[error]
@@ -425,7 +453,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT
X-HMAC-ACCESS-KEY: my-access-key3
--- error_code: 401
--- response_body
-{"message":"Invalid signature"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid signature
--- no_error_log
[error]
@@ -514,7 +546,11 @@ location /t {
GET /t
--- error_code: 401
--- response_body eval
-qr/\{"message":"Clock skew exceeded"\}/
+qr/{"message":"client request can't be validated"}/
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Clock skew exceeded
--- no_error_log
[error]
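Review bot: The new response_body pattern `qr/{"message":"client request can't be validated"}/` leaves the braces unescaped, while the line it replaces and every other occurrence in this commit (t/plugin/hmac-auth-custom.t, hmac-auth2.t, hmac-auth3.t) write `\{ ... \}`. Perl tolerates a literal `{` in this position today, but it has been tightening that rule over recent releases, and the inconsistency makes the suite harder to grep. Use `qr/\{"message":"client request can't be validated"\}/` here and in the hunk at L448.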
@@ -654,7 +690,11 @@ passed
GET /hello
--- error_code: 401
--- response_body
-{"message":"access key or signature missing"}
+{"message":"client request can't be validated"}
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: access key or signature missing
--- no_error_log
[error]
@@ -741,7 +781,11 @@ location /t {
GET /t
--- error_code: 401
--- response_body eval
-qr/\{"message":"Invalid signed header x-custom-header-c"\}/
+qr/{"message":"client request can't be validated"}/
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid signed header x-custom-header-c
--- no_error_log
[error]
diff --git a/t/plugin/hmac-auth2.t b/t/plugin/hmac-auth2.t
index e0a3bfdff..4358ef0f8 100644
--- a/t/plugin/hmac-auth2.t
+++ b/t/plugin/hmac-auth2.t
@@ -559,8 +559,12 @@ location /t {
}
}
--- error_code: 401
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid signature
--- response_body eval
-qr/\{"message":"Invalid signature"\}/
+qr/\{"message":"client request can't be validated"\}/
--- error_log eval
qr/name=LeBron\%2Cjames\&name2=\%2C\%3E/
@@ -707,8 +711,12 @@ location /t {
}
}
--- error_code: 401
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid signature
--- response_body eval
-qr/\{"message":"Invalid signature"\}/
+qr/\{"message":"client request can't be validated"\}/
diff --git a/t/plugin/hmac-auth3.t b/t/plugin/hmac-auth3.t
index 3a60cf718..9157f8916 100644
--- a/t/plugin/hmac-auth3.t
+++ b/t/plugin/hmac-auth3.t
@@ -154,8 +154,12 @@ passed
}
}
--- error_code: 401
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid digest
--- response_body eval
-qr/\{"message":"Invalid digest"\}/
+qr/\{"message":"client request can't be validated"\}/
@@ -215,8 +219,12 @@ qr/\{"message":"Invalid digest"\}/
}
}
--- error_code: 401
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid digest
--- response_body eval
-qr/\{"message":"Invalid digest"\}/
+qr/\{"message":"client request can't be validated"\}/
@@ -367,8 +375,12 @@ passed
}
}
--- error_code: 401
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Exceed body limit size
--- response_body eval
-qr/\{"message":"Exceed body limit size"}/
+qr/\{"message":"client request can't be validated"}/
@@ -433,8 +445,12 @@ plugin_attr:
}
}
--- error_code: 401
+--- grep_error_log eval
+qr/client request can't be validated: [^,]+/
+--- grep_error_log_out
+client request can't be validated: Invalid digest
--- response_body eval
-qr/\{"message":"Invalid digest"\}/
+qr/\{"message":"client request can't be validated"\}/