This is an automated email from the ASF dual-hosted git repository. spacewander pushed a commit to branch release/2.13 in repository https://gitbox.apache.org/repos/asf/apisix.git
commit b3d6e5a58bf12045e5eb36d74b4f30b194184d80 Author: 罗泽轩 <[email protected]> AuthorDate: Sun Apr 17 19:36:35 2022 +0800 fix(hmac-auth): don't let client know why it is rejected (#6853) Signed-off-by: spacewander <[email protected]> --- apisix/plugins/hmac-auth.lua | 33 +++---- t/APISIX.pm | 14 --- .../{custom_hmac_auth.t => hmac-auth-custom.t} | 103 +++++++++++---------- t/plugin/hmac-auth.t | 66 ++++++++++--- t/plugin/hmac-auth2.t | 12 ++- t/plugin/hmac-auth3.t | 24 ++++- 6 files changed, 154 insertions(+), 98 deletions(-) diff --git a/apisix/plugins/hmac-auth.lua b/apisix/plugins/hmac-auth.lua index 9a63db977..6195644c0 100644 --- a/apisix/plugins/hmac-auth.lua +++ b/apisix/plugins/hmac-auth.lua @@ -171,12 +171,12 @@ end local function get_consumer(access_key) if not access_key then - return nil, {message = "missing access key"} + return nil, "missing access key" end local consumer_conf = consumer.plugin(plugin_name) if not consumer_conf then - return nil, {message = "Missing related consumer"} + return nil, "Missing related consumer" end local consumers = lrucache("consumers_key", consumer_conf.conf_version, @@ -184,7 +184,7 @@ local function get_consumer(access_key) local consumer = consumers[access_key] if not consumer then - return nil, {message = "Invalid access key"} + return nil, "Invalid access key" end core.log.info("consumer: ", core.json.delay_encode(consumer)) @@ -297,11 +297,11 @@ end local function validate(ctx, params) if not params.access_key or not params.signature then - return nil, {message = "access key or signature missing"} + return nil, "access key or signature missing" end if not params.algorithm then - return nil, {message = "algorithm missing"} + return nil, "algorithm missing" end local consumer, err = get_consumer(params.access_key) 
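Review bot: Nothing at `local function validate(ctx, params)` or at `local function get_consumer(access_key)` records that the reason string now returned as the second value is meant for the server log only, so the next caller added to this file can easily forward it to the client again and undo the point of this commit. A one-line comment above each definition would pin the contract, e.g. `-- returns the consumer, or nil plus a reason string; the reason is only logged by _M.rewrite and must never be sent to the client`. Both functions continue outside these hunks.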
@@ -311,7 +311,7 @@ local function validate(ctx, params) local conf = consumer.auth_conf if conf.algorithm ~= params.algorithm then - return nil, {message = "algorithm " .. params.algorithm .. " not supported"} + return nil, "algorithm " .. params.algorithm .. " not supported" end core.log.info("clock_skew: ", conf.clock_skew) @@ -319,13 +319,13 @@ local function validate(ctx, params) local time = ngx.parse_http_time(params.date) core.log.info("params.date: ", params.date, " time: ", time) if not time then - return nil, {message = "Invalid GMT format time"} + return nil, "Invalid GMT format time" end local diff = abs(ngx_time() - time) core.log.info("gmt diff: ", diff) if diff > conf.clock_skew then - return nil, {message = "Clock skew exceeded"} + return nil, "Clock skew exceeded" end end @@ -335,7 +335,7 @@ local function validate(ctx, params) if params.signed_headers then for _, header in ipairs(params.signed_headers) do if not headers_map[header] then - return nil, {message = "Invalid signed header " .. header} + return nil, "Invalid signed header " .. header end end end 
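Review bot: The new lines `return nil, "algorithm " .. params.algorithm .. " not supported"` and, in the `@@ -335` hunk, `return nil, "Invalid signed header " .. header` embed request-supplied values in the reason string, and after this commit that string is written to the error log at warn level by `_M.rewrite`, so a client controls text of unbounded length in the log. Since the reason is no longer shown to the client, either log a fixed message or bound the value before concatenating, e.g. `return nil, "algorithm " .. string.sub(tostring(params.algorithm), 1, 64) .. " not supported"`, which still satisfies the `algorithm ljlj not supported` expectation in t/plugin/hmac-auth.t. Where `params.algorithm` and `header` come from depends on `get_params`, which is outside this hunk; the plain concatenation would also raise if either were not a string. `validate` begins and ends outside this hunk.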
@@ -349,27 +349,27 @@ local function validate(ctx, params) " generated_signature: ", generated_signature) if request_signature ~= generated_signature then - return nil, {message = "Invalid signature"} + return nil, "Invalid signature" end local validate_request_body = get_conf_field(params.access_key, "validate_request_body") if validate_request_body then local digest_header = params.body_digest if not digest_header then - return nil, {message = "Invalid digest"} + return nil, "Invalid digest" end local max_req_body = get_conf_field(params.access_key, "max_req_body") local req_body, err = core.request.get_body(max_req_body, ctx) if err then - return nil, {message = "Exceed body limit size"} + return nil, "Exceed body limit size" end req_body = req_body or "" local request_body_hash = ngx_encode_base64( hmac_funcs[params.algorithm](secret_key, req_body)) if request_body_hash ~= digest_header then - return nil, {message = "Invalid digest"} + return nil, "Invalid digest" end end @@ -449,12 +449,9 @@ end function _M.rewrite(conf, ctx) local params = get_params(ctx) local validated_consumer, err = validate(ctx, params) - if err then - return 401, err - end - if not validated_consumer then - return 401, {message = "Invalid signature"} + core.log.warn("client request can't be validated: ", err or "Invalid signature") + return 401, {message = "client request can't be validated"} end local consumer_conf = consumer.plugin(plugin_name) diff --git a/t/APISIX.pm b/t/APISIX.pm index b9f708925..859ae21da 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm @@ -110,20 +110,6 @@ etcd: _EOC_ } -my $custom_hmac_auth = $ENV{"CUSTOM_HMAC_AUTH"} || "false"; -if ($custom_hmac_auth eq "true") { - $user_yaml_config .= <<_EOC_; -plugin_attr: - hmac-auth: - signature_key: X-APISIX-HMAC-SIGNATURE - algorithm_key: X-APISIX-HMAC-ALGORITHM - date_key: X-APISIX-DATE - access_key: X-APISIX-HMAC-ACCESS-KEY - signed_headers_key: X-APISIX-HMAC-SIGNED-HEADERS -_EOC_ -} - - my $profile = $ENV{"APISIX_PROFILE"}; 
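Review bot: On the `local req_body, err = core.request.get_body(max_req_body, ctx)` path the returned `err` is discarded and replaced by the fixed `"Exceed body limit size"`, which presumes the size limit is the only way get_body can fail; whether it has other failure modes is not visible here. Now that reasons go to the server log rather than the response, keeping the original error costs nothing: add `core.log.info("failed to read request body: ", err)` before the return, which leaves the returned string and the t/plugin/hmac-auth3.t expectations unchanged. `validate` continues outside this hunk.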
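Review bot: Collapsing the two checks into `if not validated_consumer then` changes the guard from "reject when err is set" to "reject when no consumer is returned", so a `validate` result carrying both a consumer and a non-nil `err` would now be accepted. Every error return visible in `validate` yields `nil` first, but its success path and the branch after `local consumer, err = get_consumer(params.access_key)` are outside these hunks, so this is worth confirming; keeping the original semantics is a one-line change, `if err or not validated_consumer then`. Note also that every rejected request now emits a warn-level line containing the client-influenced reason; if that volume matters in production, `core.log.info` would keep the diagnostics under a lower level.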
diff --git a/t/plugin/custom_hmac_auth.t b/t/plugin/hmac-auth-custom.t similarity index 83% rename from t/plugin/custom_hmac_auth.t rename to t/plugin/hmac-auth-custom.t index 48066e2bc..f7608f0d8 100644 --- a/t/plugin/custom_hmac_auth.t +++ b/t/plugin/hmac-auth-custom.t @@ -14,16 +14,37 @@ # See the License for the specific language governing permissions and # limitations under the License. # -BEGIN { - $ENV{"CUSTOM_HMAC_AUTH"} = "true" -} - use t::APISIX 'no_plan'; repeat_each(2); no_long_string(); no_root_location(); no_shuffle(); + +add_block_preprocessor(sub { + my ($block) = @_; + + if (!$block->request) { + $block->set_value("request", "GET /t"); + } + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + my $extra_yaml_config = <<_EOC_; +plugin_attr: + hmac-auth: + signature_key: X-APISIX-HMAC-SIGNATURE + algorithm_key: X-APISIX-HMAC-ALGORITHM + date_key: X-APISIX-DATE + access_key: X-APISIX-HMAC-ACCESS-KEY + signed_headers_key: X-APISIX-HMAC-SIGNED-HEADERS +_EOC_ + + $block->set_value("extra_yaml_config", $extra_yaml_config); +}); + run_tests; __DATA__ @@ -53,12 +74,8 @@ __DATA__ ngx.say(body) } } ---- request -GET /t --- response_body passed ---- no_error_log -[error] @@ -82,11 +99,7 @@ passed ngx.say(body) } } ---- request -GET /t --- error_code: 400 ---- no_error_log -[error] @@ -110,11 +123,7 @@ GET /t ngx.say(body) } } ---- request -GET /t --- error_code: 400 ---- no_error_log -[error] @@ -145,12 +154,8 @@ GET /t ngx.say(body) } } ---- request -GET /t --- response_body passed ---- no_error_log -[error] 
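Review bot: The new preprocessor calls `$block->set_value("extra_yaml_config", $extra_yaml_config)` unconditionally, while the `request` and `no_error_log` defaults a few lines above are applied only when the block has not set its own value; a test block in this file that declares its own `--- extra_yaml_config` would be silently overwritten. Guarding it the same way keeps a per-block override possible: `if (!defined $block->extra_yaml_config) { $block->set_value("extra_yaml_config", $extra_yaml_config); }`. Whether any block in the file currently relies on such an override is not visible in this hunk.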
@@ -158,10 +163,12 @@ passed --- request GET /hello --- error_code: 401 ---- response_body -{"message":"access key or signature missing"} ---- no_error_log -[error] +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: access key or signature missing +--- response_body eval +qr/\{"message":"client request can't be validated"\}/ @@ -174,10 +181,12 @@ X-APISIX-HMAC-ALGORITHM: hmac-sha256 X-APISIX-Date: Thu, 24 Sep 2020 06:39:52 GMT X-APISIX-HMAC-ACCESS-KEY: sdf --- error_code: 401 ---- response_body -{"message":"Invalid access key"} ---- no_error_log -[error] +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid access key +--- response_body eval +qr/\{"message":"client request can't be validated"\}/ @@ -190,10 +199,12 @@ X-APISIX-HMAC-ALGORITHM: ljlj X-APISIX-Date: Thu, 24 Sep 2020 06:39:52 GMT X-APISIX-HMAC-ACCESS-KEY: sdf --- error_code: 401 ---- response_body -{"message":"Invalid access key"} ---- no_error_log -[error] +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid access key +--- response_body eval +qr/\{"message":"client request can't be validated"\}/ @@ -206,10 +217,12 @@ X-APISIX-HMAC-ALGORITHM: hmac-sha256 X-APISIX-Date: adfa X-APISIX-HMAC-ACCESS-KEY: my-access-key --- error_code: 401 ---- response_body -{"message":"Invalid GMT format time"} ---- no_error_log -[error] +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid GMT format time +--- response_body eval +qr/\{"message":"client request can't be validated"\}/ @@ -264,12 +277,8 @@ location /t { ngx.say(body) } } ---- request -GET /t --- response_body passed ---- no_error_log -[error] 
@@ -297,12 +306,8 @@ passed ngx.say(body) } } ---- request -GET /t --- response_body passed ---- no_error_log -[error] @@ -347,10 +352,10 @@ location /t { ngx.say(body) } } ---- request -GET /t --- error_code: 401 +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Clock skew exceeded --- response_body eval -qr/\{"message":"Clock skew exceeded"\}/ ---- no_error_log -[error] +qr/\{"message":"client request can't be validated"\}/ diff --git a/t/plugin/hmac-auth.t b/t/plugin/hmac-auth.t index 1895a8417..bc530eb2b 100644 --- a/t/plugin/hmac-auth.t +++ b/t/plugin/hmac-auth.t @@ -221,7 +221,11 @@ passed GET /hello --- error_code: 401 --- response_body -{"message":"access key or signature missing"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: access key or signature missing --- no_error_log [error] @@ -236,7 +240,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT X-HMAC-ACCESS-KEY: my-access-key --- error_code: 401 --- response_body -{"message":"algorithm missing"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: algorithm missing --- no_error_log [error] @@ -252,7 +260,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT X-HMAC-ACCESS-KEY: sdf --- error_code: 401 --- response_body -{"message":"Invalid access key"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid access key --- no_error_log [error] 
@@ -268,7 +280,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT X-HMAC-ACCESS-KEY: my-access-key --- error_code: 401 --- response_body -{"message":"algorithm ljlj not supported"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: algorithm ljlj not supported --- no_error_log [error] @@ -284,7 +300,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT X-HMAC-ACCESS-KEY: my-access-key --- error_code: 401 --- response_body -{"message":"Clock skew exceeded"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Clock skew exceeded --- no_error_log [error] @@ -299,7 +319,11 @@ X-HMAC-ALGORITHM: hmac-sha256 X-HMAC-ACCESS-KEY: my-access-key --- error_code: 401 --- response_body -{"message":"Invalid GMT format time"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid GMT format time --- no_error_log [error] @@ -315,7 +339,11 @@ Date: adfsdf X-HMAC-ACCESS-KEY: my-access-key --- error_code: 401 --- response_body -{"message":"Invalid GMT format time"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid GMT format time --- no_error_log [error] @@ -425,7 +453,11 @@ Date: Thu, 24 Sep 2020 06:39:52 GMT X-HMAC-ACCESS-KEY: my-access-key3 --- error_code: 401 --- response_body -{"message":"Invalid signature"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid signature --- no_error_log [error] 
@@ -514,7 +546,11 @@ location /t { GET /t --- error_code: 401 --- response_body eval -qr/\{"message":"Clock skew exceeded"\}/ +qr/{"message":"client request can't be validated"}/ +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Clock skew exceeded --- no_error_log [error] @@ -654,7 +690,11 @@ passed GET /hello --- error_code: 401 --- response_body -{"message":"access key or signature missing"} +{"message":"client request can't be validated"} +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: access key or signature missing --- no_error_log [error] @@ -741,7 +781,11 @@ location /t { GET /t --- error_code: 401 --- response_body eval -qr/\{"message":"Invalid signed header x-custom-header-c"\}/ +qr/{"message":"client request can't be validated"}/ +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid signed header x-custom-header-c --- no_error_log [error] diff --git a/t/plugin/hmac-auth2.t b/t/plugin/hmac-auth2.t index e0a3bfdff..4358ef0f8 100644 --- a/t/plugin/hmac-auth2.t +++ b/t/plugin/hmac-auth2.t @@ -559,8 +559,12 @@ location /t { } } --- error_code: 401 +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid signature --- response_body eval -qr/\{"message":"Invalid signature"\}/ +qr/\{"message":"client request can't be validated"\}/ --- error_log eval qr/name=LeBron\%2Cjames\&name2=\%2C\%3E/ @@ -707,8 +711,12 @@ location /t { } } --- error_code: 401 +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid signature --- response_body eval -qr/\{"message":"Invalid signature"\}/ +qr/\{"message":"client request can't be validated"\}/ 
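Review bot: The new `qr/{"message":"client request can't be validated"}/` drops the `\{`…`\}` escapes that the replaced line had and that the parallel hunks in t/plugin/hmac-auth2.t, t/plugin/hmac-auth3.t and t/plugin/hmac-auth-custom.t keep; the `@@ -741,7 +781,11 @@` hunk below does the same. A `{` at the very start of a pattern is taken as a literal, but escaping it keeps the files consistent and avoids depending on Perl's position-dependent treatment of unescaped braces: `qr/\{"message":"client request can't be validated"\}/`.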
diff --git a/t/plugin/hmac-auth3.t b/t/plugin/hmac-auth3.t index 3a60cf718..9157f8916 100644 --- a/t/plugin/hmac-auth3.t +++ b/t/plugin/hmac-auth3.t @@ -154,8 +154,12 @@ passed } } --- error_code: 401 +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid digest --- response_body eval -qr/\{"message":"Invalid digest"\}/ +qr/\{"message":"client request can't be validated"\}/ @@ -215,8 +219,12 @@ qr/\{"message":"Invalid digest"\}/ } } --- error_code: 401 +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid digest --- response_body eval -qr/\{"message":"Invalid digest"\}/ +qr/\{"message":"client request can't be validated"\}/ @@ -367,8 +375,12 @@ passed } } --- error_code: 401 +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Exceed body limit size --- response_body eval -qr/\{"message":"Exceed body limit size"}/ +qr/\{"message":"client request can't be validated"}/ @@ -433,8 +445,12 @@ plugin_attr: } } --- error_code: 401 +--- grep_error_log eval +qr/client request can't be validated: [^,]+/ +--- grep_error_log_out +client request can't be validated: Invalid digest --- response_body eval -qr/\{"message":"Invalid digest"\}/ +qr/\{"message":"client request can't be validated"\}/
