-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(hmac-auth): add support for RSA signatures #11133
Conversation
f404e20
to
46ae28a
Compare
46ae28a
to
ab0a2bc
Compare
@bungle please give this a review |
This comment was marked as resolved.
This comment was marked as resolved.
@@ -97,7 +125,7 @@ local function retrieve_hmac_fields(authorization_header) | |||
-- parse the header to retrieve hamc parameters | |||
if authorization_header then | |||
local iterator, iter_err = re_gmatch(authorization_header, | |||
"\\s*[Hh]mac\\s*username=\"(.+)\"," .. | |||
"(\\s*[Hh]mac)?\\s*username=\"(.+)\"," .. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to specify rsa
here when using rsa signature for consistency?
@@ -31,18 +32,45 @@ local SIGNATURE_NOT_VALID = "HMAC signature cannot be verified" | |||
local SIGNATURE_NOT_SAME = "HMAC signature does not match" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
error message needs to be changed accordingly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The specific string format for the "Authorization" header that includes the method (e.g., "Hmac" or "Rsa") and the various components (e.g., "username," "algorithm," "headers," and "signature") may not be standardized in the HTTP Signatures draft (draft-cavage-http-signatures). The draft defines the concept of HTTP signatures and how they can be generated and verified, but it doesn't prescribe a specific format for the "Authorization" header.
The format you are using, which includes "Hmac" or "Rsa" as the method prefix, is a common convention used in some implementations for clarity and to distinguish between different authentication methods (HMAC and RSA, in this case). However, this specific format might not be explicitly detailed in the draft itself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree. need to output the right error message
Strictly speaking, rsa doesn't belong to hmac. The scope of the plugin name feels a little small now. Maybe something like "sign-auth" would have been better |
ab0a2bc
to
e048cfa
Compare
hi @locao I'm helping to resolve this conflict, recently I have also reviewed original community PRs. Hans and me will be helping to move the progress of this communit PR into our master. |
18ca824
to
f5ac767
Compare
@@ -17,6 +17,7 @@ return { | |||
{ consumer = { type = "foreign", reference = "consumers", required = true, on_delete = "cascade", }, }, | |||
{ username = { type = "string", required = true, unique = true }, }, | |||
{ secret = { type = "string", auto = true }, }, | |||
{ public_key = { type = "string" }, }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about typedefs.key { required = false, referenceable = true, encrypted = true }, },
?
{ public_key = { type = "string" }, }, | |
{ public_key = typedefs.key { | |
description = "The RSA public key used to validate signature.", | |
type = "string", | |
encrypted = true, -- Kong Enterprise-exclusive feature, does nothing in Kong CE | |
referenceable = true, | |
}, }, |
An additional validator to validate it's a RSA key (not EC or ECX keys) would be good.
The hmac-auth plugin allow authentication with HMAC signatures based on the draft-cavage-http-signatures draft. This commit aims to add support for RSA signatures as described in the draft, providing a stronger layer of security via asymmetric encryption. This implementation has been made with backward compatibility in mind and only one new field has been added to the DAOs to store the RSA public key. Depending on the algorithm used during the request, the plugin will use either the HMAC secret or the RSA public key to verify the signature.
8f737a8
to
f52df68
Compare
@@ -6,6 +6,8 @@ local ALGORITHMS = { | |||
"hmac-sha256", | |||
"hmac-sha384", | |||
"hmac-sha512", | |||
"rsa-sha256", | |||
"rsa-sha512", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add these new options in the description of the algorithms
field? (line 30)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one concern regarding the if statement. Other than that it looks good 👍
@@ -113,10 +141,10 @@ local function retrieve_hmac_fields(authorization_header) | |||
end | |||
|
|||
if m and #m >= 4 then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we increment the check in the if as well?
if m and #m >= 4 then | |
if m and #m >= 5 then |
["proxy-authorization"] = hmacAuth, | ||
}, | ||
}) | ||
assert.res_status(401, res) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Depending on which PR goes it first - we need to either change it here or there (#11791) but in the end we need to make sure we return proper WWW-Authenticate
header on 401 response
Looks like this is the latest draft: So in theory at least I would rather move this plugin in direction of this: That lists there:
And perhaps later: |
3.8 FF is done, so I don't think we will ship this feature in 3.8. Removing it from the 3.8.0 milestone. cc: @locao |
We don't have a decision whether we want to include this change or not yet, so I'm closing it for now. Please chime in this PR or create a new issue if you think this change is relevant. |
Summary
The hmac-auth plugin allow authentication with HMAC signatures based on the draft-cavage-http-signatures draft.
This commit aims to add support for RSA signatures as described in the draft, providing a stronger layer
of security via asymmetric encryption.
Co-authored-by: Jérémy Quilleré [email protected]
Note: the feature was coded by @mideuger in #8530, this PR adds cluster compatibility support.
Checklist
Full changelog
algorithms
(rsa-sha256
andrsa-sha512
)public_key
)rsa
algorithmsHow to test
First, create a RSA key pair :
Then, enable the plugin, create a consumer and a corresponding credential with the public key :
Finally, make a signed request :
Possible improvements
Here are some improvements that we might want to implement after this one :
HTTP Signature
Signature
header to provide the signature (or let it be configurable)keyId
from the draftIssue reference
KAG-1934
Closes: #8530