Apply HMAC signatures to upstream requests #147
Conversation
mbland
force-pushed
the
hmac-signatures
branch
6 times, most recently
from
50ab403 to
e44dfad
Compare
mbland
changed the title
mbland
force-pushed
the
hmac-signatures
branch
3 times, most recently
from
16832c7 to
71931f2
Compare
|
OK @jehiah, this is ready for a look-see. I haven't squashed down the commits yet, just in case I end up wanting/needing to tweak something. Also, the last commit is a broader change to allow for more algorithms besides sha1; all the commits before that hardcode sha1. Note that |
|
I've gotten the jump on the Ruby and Node implementations; as expected, they were more or less straight ports of https://rubygems.org/gems/oauth2_proxy_authentication I'll get on the Python version soon. Of course, I stand ready to update these and share maintainership based on the outcome of this PR. |
|
So I went on a tear, and figured out how generic this HMAC signature logic could be. I've extracted the former https://rubygems.org/gems/hmac_authentication So now the headers could even be configurable between instances. |
|
@mbland I'm excited for this PR. It certainly adds a few new configuration options for oauth2proxy. Some general feedback on a first read:
|
|
Hey @jehiah:
As a government employee, I can't solicit effort, but I'll copy you on the 18F/hmacauth PR(s). 😉 |
|
oops, no i wasn't implying to sort all headers, i was implying we sort the order of the headers we are hashing. english-- |
|
Ah, got it. I'll keep the header config bit, then. |
Per @jehiah's suggestion in bitly/oauth2_proxy#147. Also adds a test to ensure that the query string of the URL is factored in.
|
FYI, I managed to get a generic proxy server together based on the 18F/hmacauth package. Check it out: /~https://github.com/18F/hmacproxy/ However, I don't know why the build is breaking; it somehow can't find 18F/hmacauth, even though it's public and specified in the |
|
What d'ya know, it's passing again. :-) @jehiah So long as you're comfortable with the implementation of github.com/18F/hmacauth, this may be ready for another look. But to pick up two points from before:
|
|
I just pushed a commit to simulate a request body buffer consumed by Read(), which is why the test is currently failing. Using fakeNetConn in the test exposes a bug in 18F/hmacauth when handling POST requests, addressed by 18F/hmacauth#4. The bug was that the strings.Reader does not consume its buffer contents the same way that a net.Conn does. So the test would pass because its request body would still be intact after signing, but during live testing, the request body would be consumed by HmacAuth.requestSignature(). It also happened to expose a subsequent 18F/hmacauth bug addressed in 18F/hmacauth#5. It turns out that checking Request.ContentLength is an unreliable way of detecting that a body is present, and checking body != nil is sufficient. 18F/hmacauth#4 is already merged; when 18F/hmacauth#5 is in, I'll tag 18F/hmacauth v1.0.1 and update the Godeps to use that version, at which point the test should pass. cc: @dlapiduz @jcscottiii |
|
OK, hmacauth bumped to v1.0.1 and the test is passing again. |
|
@mbland 😄 I think this is in good shape now! Sorry i've been silent here over the past week. I should be able to help wrap this up today |
|
No worries, and no rush! 😄 |
mbland
force-pushed
the
hmac-signatures
branch
from
69c4bc4 to
116a68e
Compare
Using fakeNetConn in the test exposes a bug in 18F/hmacauth when handling POST requests, addressed by 18F/hmacauth#4. The bug was that the strings.Reader does not consume its buffer contents the same way that a net.Conn does. So the test would pass because its request body would still be intact after signing, but during live testing, the request body would be consumed by HmacAuth.requestSignature(). It also happened to expose a subsequent 18F/hmacauth bug addressed in 18F/hmacauth#5. It turns out that checking Request.ContentLength is an unreliable way of detecting that a body is present, and checking body != nil is sufficient. 18F/hmacauth#4 is already merged; when 18F/hmacauth#5 is in, I'll tag 18F/hmacauth v1.0.1 and update the Godeps to use that version, at which point the test should pass.
v1.0.1 contains 18F/hmacauth#4 and 18F/hmacauth#5, needed to make TestRequestSignaturePostRequest pass again.
mbland
force-pushed
the
hmac-signatures
branch
from
116a68e to
47696e0
Compare
|
...and after #153. 😄 |
|
merged with some slight readme changes as e4626c1 |
|
Ah, thanks, @jehiah! |
Updates readme and help Adds azure to the providers. Fixes race condition Sometimes, during tests, a race condition occurs. Using `break` instead of `return` fixes this for me. Tries to read mail address Tries to read mail address from the Graph API. Currently this has not been tested properly. Adds resource parameter Uses to gain access to protected resources when redeeming the token. Gets the mail address from the graph *: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. oauthproxy: rename Uri to URI Be consistent with Go coding style for acroynyms. *: rename Oauth to OAuth Be consistent with Go capitalization styling and use a single way of spelling this across the tree. Add /auth endpoint to support Nginx's auth_request Closes bitly#152. Extract Authenticate for Proxy, AuthenticateOnly Add nginx auth_request config to README Sign Upstream requests with HMAC. closes bitly#147 Renames var ending on Url to URL Simplifies configuration for brevity
Closes #146.
This still a work-in-progress, as I need to add tests to verify that the actual signing of requests by the proxy is implemented properly. I will remove the "[WIP]" from the title and ping when that's done.
However, the
signaturepackage itself and the updating ofoptionsto include the newsignature_keyandupstream_keysconfiguration values is tested and complete.