nic-chen commented on a change in pull request #2301:
URL: https://github.com/apache/apisix/pull/2301#discussion_r494154952



##########
File path: apisix/plugins/hmac-auth.lua
##########
@@ -246,10 +246,13 @@ local function validate(ctx, params)
 
     core.log.info("clock_skew: ", conf.clock_skew)
     if conf.clock_skew and conf.clock_skew > 0 then
-        local diff = abs(ngx_time() - params.timestamp)
-        core.log.info("timestamp diff: ", diff)
-        if diff > conf.clock_skew then
-          return nil, {message = "Invalid timestamp"}
+        local time = ngx.parse_http_time(params.date)

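Review bot: `ngx.parse_http_time` returns nil, with no second error value, when `params.date` is empty or not a valid HTTP-date, so the skew check that replaces the removed `abs(ngx_time() - params.timestamp)` comparison needs an explicit `if not time then` branch before any arithmetic on `time`; otherwise a malformed Date header triggers a Lua runtime error (an HTTP 500) instead of the intended `return nil, {message = "Invalid timestamp"}` rejection.
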
Review comment:
       It doesn't return an err here. If params.date is an empty string or another invalid string, it will return nil.

##########
File path: apisix/plugins/hmac-auth.lua
##########
@@ -246,10 +246,13 @@ local function validate(ctx, params)
 
     core.log.info("clock_skew: ", conf.clock_skew)
     if conf.clock_skew and conf.clock_skew > 0 then
-        local diff = abs(ngx_time() - params.timestamp)
-        core.log.info("timestamp diff: ", diff)
-        if diff > conf.clock_skew then
-          return nil, {message = "Invalid timestamp"}
+        local time = ngx.parse_http_time(params.date)

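Review bot: if an empty `params.date` is accepted inside the `if conf.clock_skew and conf.clock_skew > 0 then` branch, a request that simply omits the Date header skips the replay window the operator configured; either reject a missing Date whenever clock_skew is set, or state in the plugin doc that the skew check only applies when Date is present, and add a test that pins down whichever behaviour is chosen.
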
Review comment:
       We allow it to be empty here.

##########
File path: t/plugin/custom_hmac_auth.t
##########
@@ -210,17 +211,17 @@ X-APISIX-HMAC-ACCESS-KEY: sdf
 
 
 
-=== TEST 8: verify: invalid timestamp
+=== TEST 8: verify: Invalid GMT format time
 --- request
 GET /hello
 --- more_headers
 X-APISIX-HMAC-SIGNATURE: asdf
 X-APISIX-HMAC-ALGORITHM: hmac-sha256
-X-APISIX-HMAC-TIMESTAMP: 112
+Date: Thu, 24 Sep 2020 06:39:52 GMT

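Review bot: the new title `TEST 8: verify: Invalid GMT format time` does not match the fixture, which sends a well-formed `Date: Thu, 24 Sep 2020 06:39:52 GMT`; as written this case exercises the clock-skew rejection of a stale date, not the parser's handling of a malformed value. Either send a malformed Date here and keep a separate case for a stale one, or rename the test to say what it actually checks.
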
Review comment:
       Not sensitive.

##########
File path: doc/plugins/hmac-auth.md
##########
@@ -83,12 +83,13 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 
'X-API-KEY: edd1c9f034335f13
 ## Test Plugin
 
 ### generate signature:
-The calculation formula of the signature is `signature = 
HMAC-SHAx-HEX(secret_key, signing_string)`. From the formula, it can be seen 
that in order to obtain the signature, two parameters, `SECRET_KEY` and 
`signing_STRING`, are required. Where secret_key is configured by the 
corresponding consumer, the calculation formula of `signing_STRING` is 
`signing_string = HTTP Method + HTTP URI + canonical_query_string + access_key 
+ timestamp + signed_headers_string`
+The calculation formula of the signature is `signature = 
HMAC-SHAx-HEX(secret_key, signing_string)`. From the formula, it can be seen 
that in order to obtain the signature, two parameters, `SECRET_KEY` and 
`signing_STRING`, are required. Where secret_key is configured by the 
corresponding consumer, the calculation formula of `signing_STRING` is 
`signing_string = HTTP Method + HTTP URI + canonical_query_string + access_key 
+ HTTP Date + signed_headers_string`
 
 1. **HTTP Method** : Refers to the GET, PUT, POST and other request methods 
defined in the HTTP protocol, and must be in all uppercase.
 2. **HTTP URI** : `HTTP URI` requirements must start with "/", those that do 
not start with "/" need to be added, and the empty path is "/".
-3. **canonical_query_string** :`canonical_query_string` is the result of 
encoding the `query` in the URL (`query` is the string "key1 = valve1 & key2 = 
valve2" after the "?" in the URL).
-4. **signed_headers_string** :`signed_headers_string` is the result of 
obtaining the fields specified by the client from the request header and 
concatenating the strings in order.
+3. **HTTP Date** : Date and time string in GMT format.

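Review bot: the updated formula still lists `canonical_query_string` and `signed_headers_string` as components of `signing_string`, but the hunk deletes both of their list entries and only adds `3. **HTTP Date** : Date and time string in GMT format.`; re-add the two entries after the Date item with consistent numbering so the documented list matches the formula, and while touching the line, the `signing_STRING` / `SECRET_KEY` capitalisation in the `+` line still differs from the `signing_string` / `secret_key` names used in the formula itself.
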
Review comment:
       Fixed.

##########
File path: apisix/plugins/hmac-auth.lua
##########
@@ -246,10 +246,13 @@ local function validate(ctx, params)
 
     core.log.info("clock_skew: ", conf.clock_skew)
     if conf.clock_skew and conf.clock_skew > 0 then
-        local diff = abs(ngx_time() - params.timestamp)
-        core.log.info("timestamp diff: ", diff)
-        if diff > conf.clock_skew then
-          return nil, {message = "Invalid timestamp"}
+        local time = ngx.parse_http_time(params.date)

Review comment:
       OK.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
