Adds HeaderSHA256 predicate

[AlexanderYastrebov]

HeaderSHA256 predicate matches SHA-256 hash of the configured header value.

go test ./predicates/auth/ -run NONE -bench BenchmarkHeaderSHA256Match -benchmem
goos: linux
goarch: amd64
pkg: github.com/zalando/skipper/predicates/auth
cpu: Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz
BenchmarkHeaderSHA256Match-8     4675351               237.2 ns/op             0 B/op          0 allocs/op

Signed-off-by: Alexander Yastrebov [email protected]

[AlexanderYastrebov]

discuss: add salt?

[AlexanderYastrebov]

Added guide on how to generate secure header value.
I think salt is not required if secret value is random, its length is at least 32 bytes (SHA-256 output size) and there is no need to hide the possible reuse of the same secret value in several routes.

In general proper salt value has its own requirements so the idea is to get rid of it if possible to minimize number of parameters that users need to specify and understand.

[szuecs]

What's the use case?
It sounds more like an auth filter to me. A predicate will slow down all route lookoups, that's why we do not validate Jwt* predicates.
I think you want to do something independent of the chosen algorithm. What if SHA256 is broken and you need to use $someOtheHashFunction? I would suggest passing the chosen hash function as parameter to the filter.
On the other hand what's the difference between this and basic auth? Maybe better to make a better basic auth filter, that do not need a file but can have the salted,hashed secret as filter parameter?

[AlexanderYastrebov]

What's the use case?

Match routes with known header value without revealing the actual value to the parties that have access to the routes source (source code, ingress definitions, allowed to query /routes endpoint)

A predicate will slow down all route lookoups

The benchmark shows that it takes 340 ns to match header hash.

I think you want to do something independent of the chosen algorithm. What if SHA256 is broken and you need to use $someOtheHashFunction? I would suggest passing the chosen hash function as parameter to the filter.

If that happens we will introduce HeaderSomeOtheHashFunction and discourage use of HeaderSHA256.

On the other hand what's the difference between this and basic auth? Maybe better to make a better basic auth filter, that do not need a file but can have the salted,hashed secret as filter parameter?

This predicate allows users to implement Basic Authentication as well as shown in the docs without revealing the username:password pair.

[AlexanderYastrebov]

The same could be achieved using two routes with two different HeaderSHA256 but it is more convenient to use single predicate with multiple secrets to avoid route duplication, e.g. in zalando.org/skipper-predicate ingress annotation.

[szuecs]

👍

[szuecs]

👍

[AlexanderYastrebov]

👍