Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix/hmac nonconstant digest compare #703

Closed
wants to merge 45 commits into from
Closed
Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
8954a1e
Adding a function to count the entities in a table
subnetmarco Oct 13, 2015
806ae78
Disabling access log for status endpoint
subnetmarco Oct 14, 2015
787b99e
Merge pull request #623 from Mashape/fix/status-logs
subnetmarco Oct 14, 2015
d26c761
Customizable DNS settings
subnetmarco Oct 15, 2015
3114ef7
Merge pull request #625 from Mashape/feat/custom-dns
subnetmarco Oct 15, 2015
731e203
fix(alf_serializer) always ensure mimeType is a string
thibaultcha Oct 15, 2015
956f94d
perf(alf_serializer) globals optimizations
thibaultcha Oct 15, 2015
eef305a
Merge pull request #626 from Mashape/fix/alf-serializer
thibaultcha Oct 15, 2015
c0ab86d
OAuth 2.0 tests to check for upstream headers
subnetmarco Oct 15, 2015
a0fc23f
Merge pull request #627 from Mashape/tests/oauth2
subnetmarco Oct 15, 2015
aa54b58
Updating dependencies
subnetmarco Oct 15, 2015
709f4b9
Merge pull request #628 from Mashape/enhancement/updating-dependencies
subnetmarco Oct 15, 2015
b912125
Merge pull request #632 from Mashape/dao/count
subnetmarco Oct 15, 2015
57b9e30
feat(cli) config validation and defaults utility
thibaultcha Oct 7, 2015
d26e179
feat(cli) use new config and dao loaders
thibaultcha Oct 7, 2015
92a37c8
Adding "total" field in API responses
subnetmarco Oct 15, 2015
21d77a5
Adding database stats into status endpoint
subnetmarco Oct 16, 2015
9f2e83a
Merge pull request #635 from Mashape/chore/api-totals
subnetmarco Oct 16, 2015
94747d8
Updating changelog for 0.6.x
subnetmarco Oct 16, 2015
15addbf
Refactoring the count function in DAO and API
subnetmarco Oct 16, 2015
d0edd94
Merge pull request #636 from Mashape/refactor/count
thibaultcha Oct 16, 2015
370f124
feat(config) commented configuration file
thibaultcha Oct 8, 2015
121a949
feat(config) add options for keyspace replication strategy
thibaultcha Sep 30, 2015
ccac50b
refactor(config) remove unnecessary dao config nesting
thibaultcha Oct 5, 2015
15e6205
feat(config) implement `enum` check for properties
thibaultcha Oct 16, 2015
303e235
feat(config) update `kong config` to new config file format
thibaultcha Oct 16, 2015
12d8171
Merge pull request #633 from Mashape/feat/commented-config
thibaultcha Oct 16, 2015
b97eef2
fix(readme): update community resources
Oct 16, 2015
fcfdc4d
Merge pull request #637 from Mashape/readme-patch
Oct 16, 2015
daa8632
Merge branch 'sinzone-patch-1' into next
thibaultcha Oct 19, 2015
99d584d
docs(readme)
sonicaghi Oct 19, 2015
50382d4
fix(config/rockspec) add missing files and remove dnsmasq_port property
thibaultcha Oct 20, 2015
f2f84fd
Merge pull request #645 from Mashape/fix/config
thibaultcha Oct 20, 2015
34fd7d8
Merge branch 'sinzone-patch-1' into next
thibaultcha Oct 20, 2015
00e5e2b
Merge branch 'master' into next
thibaultcha Oct 21, 2015
fb22f93
chore(ci) bump Cassandra version
thibaultcha Oct 21, 2015
77fd7e1
Merge pull request #649 from Mashape/chore/bump-cassandra
thibaultcha Oct 21, 2015
5163571
Merge remote-tracking branch 'mybuilder/fix-oauth2-https-check' into …
thibaultcha Oct 21, 2015
635daf0
Merge branch 'hotfix/hmac-date' into next
thibaultcha Oct 21, 2015
2bf4def
Merge branch 'release/0.5.2' into next
thibaultcha Oct 22, 2015
7595850
Merge branch 'hotfix/path-search' into next
thibaultcha Oct 22, 2015
6df7bbd
docs(ldoc) better documentation for public Lua API
thibaultcha Oct 27, 2015
e029020
Merge pull request #657 from Mashape/docs/comments
thibaultcha Oct 27, 2015
7d5420d
fix: remove erroneous inspect statement
thibaultcha Oct 27, 2015
cccee8d
non constant digest comparision, wip
Oct 28, 2015
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 8 additions & 8 deletions kong/plugins/hmac-auth/access.lua
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ local split = stringy.split
local AUTHORIZATION = "authorization"
local PROXY_AUTHORIZATION = "proxy-authorization"
local DATE = "date"
local X_DATE = "x-date"
local SIGNATURE_NOT_VALID = "HMAC signature cannot be verified"

local _M = {}
Expand Down Expand Up @@ -77,7 +78,6 @@ local function create_hash(request, hmac_params, headers)
signing_string = signing_string.."\n"
end
end

return ngx_sha1(hmac_params.secret, signing_string)
end

Expand Down Expand Up @@ -109,14 +109,14 @@ local function load_credential(username)
return credential
end

local function validate_clock_skew(headers, allowed_clock_skew)
local date = headers[DATE]
local function validate_clock_skew(headers, date_header_name, allowed_clock_skew)
local date = headers[date_header_name]
if not date then
return false
end

local requestTime, err = ngx_parse_time(date)
if err then
local requestTime = ngx_parse_time(date)
if not requestTime then
return false
end

Expand All @@ -136,8 +136,8 @@ function _M.execute(conf)
end

-- validate clock skew
if not validate_clock_skew(headers, conf.clock_skew) then
responses.send_HTTP_FORBIDDEN("HMAC signature cannot be verified, a valid date field is required for HMAC Authentication")
if not (validate_clock_skew(headers, X_DATE, conf.clock_skew) or validate_clock_skew(headers, DATE, conf.clock_skew)) then
responses.send_HTTP_FORBIDDEN("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication")
end

-- retrieve hmac parameter from Proxy-Authorization header
Expand Down Expand Up @@ -174,7 +174,7 @@ function _M.execute(conf)
ngx_set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
ngx_set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
ngx.req.set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
ngx.ctx.authenticated_entity = secret
ngx.ctx.authenticated_entity = credential
end

return _M
75 changes: 72 additions & 3 deletions spec/plugins/hmac-auth/access_spec.lua
Original file line number Diff line number Diff line change
Expand Up @@ -46,9 +46,9 @@ describe("Authentication Plugin", function()
it("should not be authorized when the hmac credentials are missing", function()
local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", date = date})
local body = cjson.decode(response)
local parsed_response = cjson.decode(response)
assert.equal(401, status)
assert.equal("Unauthorized", body.message)
assert.equal("Unauthorized", parsed_response.message)
end)

it("should not be authorized when the HMAC signature is wrong", function()
Expand All @@ -63,7 +63,7 @@ describe("Authentication Plugin", function()
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["proxy-authorization"] = "asd"})
local body = cjson.decode(response)
assert.equal(403, status)
assert.equal("HMAC signature cannot be verified, a valid date field is required for HMAC Authentication", body.message)
assert.equal("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication", body.message)
end)

it("should not be authorized when the HMAC signature is wrong in proxy-authorization", function()
Expand Down Expand Up @@ -285,6 +285,75 @@ describe("Authentication Plugin", function()
assert.truthy(parsed_response.headers["X-Consumer-Username"])
assert.truthy(parsed_response.headers["X-Credential-Username"])
assert.equal("bob", parsed_response.headers["X-Credential-Username"])
end)

it("should pass with GET with x-date header", function()
local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
local encodedSignature = base64.encode(hmac_sha1_binary("secret", "x-date: "..date.."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1", headers="x-date content-md5 request-line",signature="]]..encodedSignature..[["]]
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["x-date"] = date, authorization = hmacAuth, ["content-md5"] = "md5"})
assert.equal(200, status)
local parsed_response = cjson.decode(response)
assert.equal(hmacAuth, parsed_response.headers["authorization"])
end)

it("should not pass with GET with both date and x-date missing", function()
local encodedSignature = base64.encode(hmac_sha1_binary("secret", "content-md5: md5".."\nGET /request? HTTP/1.1"))
local hmacAuth = [["hmac username="bob", algorithm="hmac-sha1" headers="content-md5 request-line",signature="]]..encodedSignature..[["]]
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["proxy-authorization"] = hmacAuth, authorization = "hello", ["content-md5"] = "md5"})
local body = cjson.decode(response)
assert.equal(403, status)
assert.equal("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication", body.message)
end)

it("should not pass with GET with x-date malformed", function()
local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
local encodedSignature = base64.encode(hmac_sha1_binary("secret", "x-date: "..date.."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1", headers="x-date content-md5 request-line",signature="]]..encodedSignature..[["]]
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["x-date"] = "wrong date", authorization = hmacAuth, ["content-md5"] = "md5"})
local body = cjson.decode(response)
assert.equal(403, status)
assert.equal("HMAC signature cannot be verified, a valid date or x-date header is required for HMAC Authentication", body.message)
end)

it("should pass with GET with x-date malformed but date correct", function()
local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
local encodedSignature = base64.encode(hmac_sha1_binary("secret", "content-md5: md5".."\nGET /request? HTTP/1.1"))
local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1", headers="content-md5 request-line",signature="]]..encodedSignature..[["]]
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["x-date"] = "wrong date", date = date, authorization = hmacAuth, ["content-md5"] = "md5"})
assert.equal(200, status)
local parsed_response = cjson.decode(response)
assert.equal(hmacAuth, parsed_response.headers["authorization"])
end)

it("should pass with GET with x-date malformed but date correct and used for signature", function()
local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
local encodedSignature = base64.encode(hmac_sha1_binary("secret", "date: "..date.."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1", headers="date content-md5 request-line",signature="]]..encodedSignature..[["]]
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["x-date"] = "wrong date", date = date, authorization = hmacAuth, ["content-md5"] = "md5"})
assert.equal(200, status)
local parsed_response = cjson.decode(response)
assert.equal(hmacAuth, parsed_response.headers["authorization"])
end)

it("should pass with GET with x-date malformed and used for signature but skew test pass", function()
local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
local encodedSignature = base64.encode(hmac_sha1_binary("secret", "x-date: ".."wrong date".."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1", headers="x-date content-md5 request-line",signature="]]..encodedSignature..[["]]
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["x-date"] = "wrong date", date = date, authorization = hmacAuth, ["content-md5"] = "md5"})
assert.equal(200, status)
local parsed_response = cjson.decode(response)
assert.equal(hmacAuth, parsed_response.headers["authorization"])
end)

it("should pass with GET with date malformed and used for signature but skew test pass", function()
local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
local encodedSignature = base64.encode(hmac_sha1_binary("secret", "date: ".."wrong date".."\n".."content-md5: md5".."\nGET /request? HTTP/1.1"))
local hmacAuth = [["hmac username="bob",algorithm="hmac-sha1", headers="date content-md5 request-line",signature="]]..encodedSignature..[["]]
local response, status = http_client.get(STUB_GET_URL, {}, {host = "hmacauth.com", ["x-date"] = date, date = "wrong date", authorization = hmacAuth, ["content-md5"] = "md5"})
assert.equal(200, status)
local parsed_response = cjson.decode(response)
assert.equal(hmacAuth, parsed_response.headers["authorization"])
end)

end)
Expand Down