tghfly opened a new issue #3334: URL: https://github.com/apache/apisix/issues/3334
### Issue description 在测试 hmac-auth插件时一直提示Invalid signature ### Environment * apisix version:2.2 * OS: Linux apisix01 3.10.0-327.4.5.el7.x86_64 #1 SMP Mon Jan 25 22:07:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux * OpenResty / Nginx version: nginx version: openresty/1.19.3.1 具体操作步骤是参照:https://github.com/apache/apisix/blob/master/doc/zh-cn/plugins/hmac-auth.md 1、创建 consumer 对象,并设置插件 hmac-auth 的值 curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "username": "tgh", "plugins": { "hmac-auth": { "access_key": "test-key", "secret_key": "test-secret-key", "clock_skew": 0, "signed_headers": ["x-custom-a"] } } }' 2、创建 Route 或 Service 对象,并开启 hmac-auth 插件。 curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' { "uri": "/index.html", "plugins": { "hmac-auth": {} }, "upstream": { "type": "roundrobin", "nodes": { "172.20.11.172:8080": 1 } } }' 3、按照 文档【hmac-auth.md】中【签名生成公式】和【签名生成示例】生成签名 secret_key=test-secret-key signing_string="GET / test-key Mon, 18 Jan 2021 09:35:39 GMT x-custom-a:test " shell 脚本生成 #!/bin/bash SECRET="test-secret-key" MESSAGE="GET /index.html test-key Mon, 18 Jan 2021 09:35:39 GMT x-custom-a:test " # to lowercase hexits echo -n $MESSAGE | openssl dgst -sha256 -hmac $SECRET # to base64 echo -n $MESSAGE | openssl dgst -sha256 -hmac $SECRET -binary | base64 按shell代码生成的签名(base64)为:vycNuRE4In8s9DyREidj7hPUuhcKsZA3NsRSdboRZI8= 4、在shell终端使用curl请求 ACCESS_KEY=test-key SIGNATURE=vycNuRE4In8s9DyREidj7hPUuhcKsZA3NsRSdboRZI8= ALGORITHM=hmac-sha256 DATE="Mon, 18 Jan 2021 09:35:39 GMT" SIGNED_HEADERS="x-custom-a" curl -i -vv http://172.20.11.161/index.html \ -H "x-custom-a:test" \ -H "X-HMAC-SIGNATURE: $SIGNATURE" \ -H "X-HMAC-ALGORITHM: $ALGORITHM" \ -H "X-HMAC-ACCESS-KEY: $ACCESS_KEY" \ -H "X-HMAC-SIGNED-HEADERS: $SIGNED_HEADERS" 返回结果是:【HTTP/1.1 401 Unauthorized】【{"message":"Invalid signature"}】 返回内容如下: * About to connect() to 172.20.11.161 port 80 (#0) * Trying 172.20.11.161... * Connected to 172.20.11.161 (172.20.11.161) port 80 (#0) > GET /index.html HTTP/1.1 > User-Agent: curl/7.29.0 > Host: 172.20.11.161 > Accept: */* > x-custom-a:test > X-HMAC-SIGNATURE: vycNuRE4In8s9DyREidj7hPUuhcKsZA3NsRSdboRZI8= > X-HMAC-ALGORITHM: hmac-sha256 > Date: Mon, 18 Jan 2021 09:35:39 GMT > X-HMAC-ACCESS-KEY: test-key > X-HMAC-SIGNED-HEADERS: x-custom-a > < HTTP/1.1 401 Unauthorized HTTP/1.1 401 Unauthorized < Date: Tue, 19 Jan 2021 00:51:51 GMT Date: Tue, 19 Jan 2021 00:51:51 GMT < Content-Type: text/html; charset=utf-8 Content-Type: text/html; charset=utf-8 < Transfer-Encoding: chunked Transfer-Encoding: chunked < Connection: keep-alive Connection: keep-alive < Server: APISIX/2.2 Server: APISIX/2.2 < {"message":"Invalid signature"} * Connection #0 to host 172.20.11.161 left intact 诉求:在文档描述生成签名那能否再详细一点,最好是提供一个可测试的用例,谢谢。 ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
