From 57d5184eb00d3469f1eb88b82e2dc47e8c9293f7 Mon Sep 17 00:00:00 2001
From: Mark van Holsteijn
Date: Mon, 30 Oct 2017 10:34:36 +0000
Subject: [PATCH] fixed internal error with invalid hmac-auth authorization header fixes #2951
---
 kong/plugins/hmac-auth/access.lua | 6 ++++--
 spec/03-plugins/20-hmac-auth/03-access_spec.lua | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/kong/plugins/hmac-auth/access.lua b/kong/plugins/hmac-auth/access.lua
index 26ddd30222c7..1a0481ee9e8b 100644
--- a/kong/plugins/hmac-auth/access.lua
+++ b/kong/plugins/hmac-auth/access.lua
@@ -73,8 +73,10 @@ local function validate_params(params, conf)
 -- check enforced headers are present
 if conf.enforce_headers and #conf.enforce_headers >= 1 then
 local enforced_header_set = list_as_set(conf.enforce_headers)
- for _, header in ipairs(params.hmac_headers) do
- enforced_header_set[header] = nil
+ if params.hmac_headers then
+ for _, header in ipairs(params.hmac_headers) do
+ enforced_header_set[header] = nil
+ end
 end
 for _, header in ipairs(conf.enforce_headers) do
 if enforced_header_set[header] then
diff --git a/spec/03-plugins/20-hmac-auth/03-access_spec.lua b/spec/03-plugins/20-hmac-auth/03-access_spec.lua
index 2d17c071d622..211da320cb48 100644
--- a/spec/03-plugins/20-hmac-auth/03-access_spec.lua
+++ b/spec/03-plugins/20-hmac-auth/03-access_spec.lua
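Review bot: The new `if params.hmac_headers then` guard in `validate_params` stops the crash, but it lets a nil `hmac_headers` flow on through the rest of validation instead of treating an unparseable authorization header as a rejection in its own right. With `enforce_headers` configured the request still fails closed, because nothing is cleared from `enforced_header_set`; what happens when `enforce_headers` is empty depends on code outside this hunk, and any other loop over `params.hmac_headers` would raise on the same unauthenticated input. At minimum the intent deserves a comment above the guard, for example `-- hmac_headers is nil when the authorization header could not be parsed; keep the set intact so the request fails closed`. The function begins and ends outside the hunk, so the later checks could not be reviewed here.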
@@ -1160,6 +1160,21 @@ describe("Plugin: hmac-auth (access)", function()
 assert.res_status(403, res)
 end)
+ it("should return a 403 with an invalid authorization header", function()
+ local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
+ local res = assert(client:send {
+ method = "GET",
+ path = "/request",
+ body = {},
+ headers = {
+ ["HOST"] = "hmacauth6.com",
+ date = date,
+ ["proxy-authorization"] = "this is no hmac token at all is it?",
+ },
+ })
+ assert.res_status(403, res)
+ end)
+
 it("should pass with hmac-sha1", function()
 local date = os.date("!%a, %d %b %Y %H:%M:%S GMT")
 local encodedSignature = ngx.encode_base64(
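Review bot: The regression test sends the malformed value only through `proxy-authorization` and only to `hmacauth6.com`, so it pins just one of the paths by which a bad header can reach `validate_params`. The guard added in access.lua lives inside the `enforce_headers` branch, and whether this host's plugin configuration sets `enforce_headers` is not visible here; sibling cases that send `authorization = "this is no hmac token at all is it?",` and that target a route configured the other way would show that every path answers 403 rather than a 500. Asserting the response body message as well would show which check rejected the request.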