Feat/syslog

kong/plugins/hmac-auth/access.lua

@@ -18,6 +18,7 @@ local split = stringy.split
 local AUTHORIZATION = "authorization"
 local PROXY_AUTHORIZATION = "proxy-authorization"
 local DATE = "date"
+local X_DATE = "x-date"
 local SIGNATURE_NOT_VALID = "HMAC signature cannot be verified"
 
 local _M = {}
@@ -77,7 +78,6 @@ local function create_hash(request, hmac_params, headers)
       signing_string = signing_string.."\n"
     end       
   end
-
   return ngx_sha1(hmac_params.secret, signing_string)
 end
 
@@ -109,14 +109,14 @@ local function load_credential(username)
   return credential
 end
 
-local function validate_clock_skew(headers, allowed_clock_skew)
-  local date = headers[DATE]
+local function validate_clock_skew(headers, date_header_name, allowed_clock_skew)  
+  local date = headers[date_header_name]
   if not date then
     return false
   end
 
-  local requestTime, err = ngx_parse_time(date)
-  if err then
+  local requestTime = ngx_parse_time(date)
+  if not requestTime then
     return false
   end
 
@@ -136,8 +136,8 @@ function _M.execute(conf)
   end
 
   -- validate clock skew
-  if not validate_clock_skew(headers, conf.clock_skew) then
-    responses.send_HTTP_FORBIDDEN("HMAC signature cannot be verified, a valid date field is required for HMAC Authentication")
+  if not (validate_clock_skew(headers, X_DATE, conf.clock_skew) or validate_clock_skew(headers, DATE, conf.clock_skew)) then
+      responses.send_HTTP_FORBIDDEN("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication")
   end
 
   -- retrieve hmac parameter from Proxy-Authorization header
@@ -174,7 +174,7 @@ function _M.execute(conf)
   ngx_set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
   ngx_set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
   ngx.req.set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
-  ngx.ctx.authenticated_entity = secret
+  ngx.ctx.authenticated_entity = credential
 end
 
 return _M

spec/plugins/hmac-auth/access_spec.lua

@@ -46,9 +46,9 @@ describe("Authentication Plugin", function()
     it("should not be authorized when the hmac credentials are missing", function()
       local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
       local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", date = date})
-      local body = cjson.decode(response)
+      local parsed_response = cjson.decode(response)
       assert.equal(401, status)
-      assert.equal("Unauthorized", body.message)
+      assert.equal("Unauthorized", parsed_response.message)
     end)
 
     it("should not be authorized when the HMAC signature is wrong", function()
@@ -63,7 +63,7 @@ describe("Authentication Plugin", function()
       local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["proxy-authorization"] = "asd"})
       local body = cjson.decode(response)
       assert.equal(403, status)
-      assert.equal("HMAC signature cannot be verified, a valid date field is required for HMAC Authentication", body.message)
+      assert.equal("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication", body.message)
     end)
 
     it("should not be authorized when the HMAC signature is wrong in proxy-authorization", function()
@@ -285,6 +285,75 @@ describe("Authentication Plugin", function()
       assert.truthy(parsed_response.headers["X-Consumer-Username"])
       assert.truthy(parsed_response.headers["X-Credential-Username"])
       assert.equal("bob", parsed_response.headers["X-Credential-Username"])
+    end) 
+
+    it("should pass with GET with x-date header", function()
+      local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
+      local encodedSignature = base64.encode(hmac_sha1_binary("secret", "x-date: "..date.."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
+      local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1",  headers="x-date content-md5 request-line",signature="]]..encodedSignature..[["]]
+      local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com",  ["x-date"] = date, authorization = hmacAuth, ["content-md5"] = "md5"})
+      assert.equal(200, status)
+      local parsed_response = cjson.decode(response)
+      assert.equal(hmacAuth, parsed_response.headers["authorization"])
+    end)
+
+    it("should not pass with GET with both date and x-date missing", function()
+      local encodedSignature = base64.encode(hmac_sha1_binary("secret", "content-md5: md5".."\nGET /request? HTTP/1.1"))
+      local hmacAuth = [["hmac username="bob",  algorithm="hmac-sha1" headers="content-md5 request-line",signature="]]..encodedSignature..[["]]
+      local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["proxy-authorization"] = hmacAuth, authorization = "hello", ["content-md5"] = "md5"})
+      local body = cjson.decode(response)
+      assert.equal(403, status)
+      assert.equal("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication", body.message)
+    end)
+
+    it("should not pass with GET with x-date malformed", function()
+      local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
+      local encodedSignature = base64.encode(hmac_sha1_binary("secret", "x-date: "..date.."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
+      local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1",  headers="x-date content-md5 request-line",signature="]]..encodedSignature..[["]]
+      local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com",  ["x-date"] = "wrong date", authorization = hmacAuth, ["content-md5"] = "md5"})
+      local body = cjson.decode(response)
+      assert.equal(403, status)
+      assert.equal("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication", body.message)
+    end)
+
+    it("should pass with GET with x-date malformed but date correct", function()
+      local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
+      local encodedSignature = base64.encode(hmac_sha1_binary("secret", "content-md5: md5".."\nGET /request? HTTP/1.1"))
+      local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1",  headers="content-md5 request-line",signature="]]..encodedSignature..[["]]
+      local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com",  ["x-date"] = "wrong date", date = date, authorization = hmacAuth, ["content-md5"] = "md5"})
+      assert.equal(200, status)
+      local parsed_response = cjson.decode(response)
+      assert.equal(hmacAuth, parsed_response.headers["authorization"])
+    end)
+
+    it("should pass with GET with x-date malformed but date correct and used for signature", function()
+      local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
+      local encodedSignature = base64.encode(hmac_sha1_binary("secret", "date: "..date.."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
+      local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1",  headers="date content-md5 request-line",signature="]]..encodedSignature..[["]]
+      local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com",  ["x-date"] = "wrong date", date = date, authorization = hmacAuth, ["content-md5"] = "md5"})
+      assert.equal(200, status)
+      local parsed_response = cjson.decode(response)
+      assert.equal(hmacAuth, parsed_response.headers["authorization"])
+    end)
+
+    it("should pass with GET with x-date malformed and used for signature but skew test pass", function()
+      local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
+      local encodedSignature = base64.encode(hmac_sha1_binary("secret", "x-date: ".."wrong date".."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
+      local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1",  headers="x-date content-md5 request-line",signature="]]..encodedSignature..[["]]
+      local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com",  ["x-date"] = "wrong date", date = date, authorization = hmacAuth, ["content-md5"] = "md5"})
+      assert.equal(200, status)
+      local parsed_response = cjson.decode(response)
+      assert.equal(hmacAuth, parsed_response.headers["authorization"])
+    end)
+
+    it("should pass with GET with date malformed and used for signature but skew test pass", function()
+      local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
+      local encodedSignature = base64.encode(hmac_sha1_binary("secret", "date: ".."wrong date".."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
+      local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1",  headers="date content-md5 request-line",signature="]]..encodedSignature..[["]]
+      local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com",  ["x-date"] = date, date = "wrong date", authorization = hmacAuth, ["content-md5"] = "md5"})
+      assert.equal(200, status)
+      local parsed_response = cjson.decode(response)
+      assert.equal(hmacAuth, parsed_response.headers["authorization"])
     end)
 
   end)