spacewander commented on a change in pull request #5038:
URL: https://github.com/apache/apisix/pull/5038#discussion_r707946396



##########
File path: docs/en/latest/plugins/hmac-auth.md
##########
@@ -192,6 +194,16 @@ print(base64.b64encode(hash.digest()))
 | --------- | -------------------------------------------- |
 | SIGNATURE | 8XV1GB7Tq23OJcoz6wjqTs4ZLxr9DiLoY4PxzScWGYg= |
 
+### Request body checking
+
+When `validate_request_body` is assigned to `true`, the plugin will check the 
request body. The plugin will calculate the hmac-sha value of the request 
body,and check against the `X-HMAC-DIGEST` header.
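Review bot: "body,and" at the end of this hunk is missing a space after the comma, and "hmac-sha value" leaves the key and algorithm unspecified; the test hunk in t/plugin/hmac-auth3.t below computes the digest with the consumer's secret key and the algorithm named in `X-HMAC-ALGORITHM`, so the doc should say that explicitly, e.g. "The plugin computes an HMAC of the request body with the consumer's secret key and the algorithm given in `X-HMAC-ALGORITHM`, and compares it with the `X-HMAC-DIGEST` header."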

Review comment:
       Better to mention the max_req_body limitation

##########
File path: t/plugin/hmac-auth3.t
##########
@@ -521,3 +520,134 @@ passed
 --- error_code: 401
 --- response_body eval
 qr/\{"message":"Exceed body limit size"}/
+
+
+
+=== TEST 10: Test custom request body digest header name with mismatched 
header.
+--- yaml_config
+plugin_attr:
+    hmac-auth:
+        body_digest_key: "X-Digest-Custom"
+--- config
+    location /t {
+        content_by_lua_block {
+            local ngx_time = ngx.time
+            local ngx_http_time = ngx.http_time
+            local core = require("apisix.core")
+            local t = require("lib.test_admin")
+            local hmac = require("resty.hmac")
+            local ngx_encode_base64 = ngx.encode_base64
+
+            local secret_key = "my-secret-key"
+            local timestamp = ngx_time()
+            local gmt = ngx_http_time(timestamp)
+            local access_key = "my-access-key"
+            local custom_header_a = "asld$%dfasf"
+            local custom_header_b = "23879fmsldfk"
+            local body = "{\"name\": \"world\"}"
+
+            local signing_string = {
+                "POST",
+                "/hello",
+                "",
+                access_key,
+                gmt,
+                "x-custom-header-a:" .. custom_header_a,
+                "x-custom-header-b:" .. custom_header_b
+            }
+            signing_string = core.table.concat(signing_string, "\n") .. "\n"
+            core.log.info("signing_string:", signing_string)
+
+            local signature = hmac:new(secret_key, 
hmac.ALGOS.SHA256):final(signing_string)
+            local body_digest = hmac:new(secret_key, 
hmac.ALGOS.SHA256):final(body)
+
+            core.log.info("signature:", ngx_encode_base64(signature))
+            local headers = {}
+            headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+            headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+            headers["Date"] = gmt
+            headers["X-Digest"] = ngx_encode_base64(body_digest)
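Review bot: the intent of `headers["X-Digest"]` is ambiguous: the test title says the custom header is "mismatched" and `plugin_attr` sets `body_digest_key` to "X-Digest-Custom", so sending `X-Digest` looks deliberate, but nothing in the test says so. A one-line comment such as `-- intentionally not "X-Digest-Custom": the digest header must not be found` next to that assignment would document the expected failure path and settle whether the name should instead be `X-HMAC-DIGEST`.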

Review comment:
       Should be `X-HMAC-DIGEST`?

##########
File path: docs/en/latest/plugins/hmac-auth.md
##########
@@ -192,6 +194,16 @@ print(base64.b64encode(hash.digest()))
 | --------- | -------------------------------------------- |
 | SIGNATURE | 8XV1GB7Tq23OJcoz6wjqTs4ZLxr9DiLoY4PxzScWGYg= |
 
+### Request body checking
+
+When `validate_request_body` is assigned to `true`, the plugin will check the 
request body. The plugin will calculate the hmac-sha value of the request 
body,and check against the `X-HMAC-DIGEST` header.
+
+```
+X-HMAC-DIGEST: base64(hmac-sha(<body>))
+```
+
+When there is no request body, the `X-HMAC-DIGEST` header can be omitted. If 
you want to send request with this header whether the body is empty or not, you 
can set `X-HMAC-DIGEST` value to the hmac-sha of empty string.
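Review bot: the last paragraph only covers the empty-body case and never states what happens when the body is non-empty and `X-HMAC-DIGEST` is absent; since `validate_request_body` exists to detect body tampering, the doc should say that such a request is rejected, otherwise a reader may assume a client can skip the check by leaving the header out. Suggested addition after the existing sentence: "If the request has a body and the header is missing, or the digest does not match, the request is rejected." The fence at `X-HMAC-DIGEST: base64(hmac-sha(<body>))` also lacks a language tag; `text` would keep it from being syntax-highlighted as code.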

Review comment:
       ```suggestion
   When there is no request body, the `X-HMAC-DIGEST` header can be omitted. If 
you want to send a request with this header when the body is missing, you can 
set `X-HMAC-DIGEST` value to the hmac-sha of empty string.
   ```




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]