Error calling HMAC plugin create_hash

[joshbeckman]

Summary

I have recently configured HMAC auth via the bundled plugin with only default settings on a new API. The only other plugin running on this API is the CORS bundled plugin. Upon receiving the signed request, kong returns a 500 error, with the logs:

2017-02-28T17:55:11.285701+00:00 heroku[router]: at=info method=POST path="/mockbin/post" host=api.<ourcompany>.com request_id=b78ce346-fd44-4252-a845-b1288eff5123 fwd="96.65.75.149,162.158.74.140" dyno=web.1 connect=1ms service=115ms status=500 bytes=255
2017-02-28T17:55:11.277516+00:00 app[web.1]: 2017/02/28 17:55:11 [error] 96#0: *4061 lua entry thread aborted: runtime error: .../.heroku/share/lua/5.1/kong/plugins/hmac-auth/access.lua:99: bad argument #1 to 'create_hash' (string expected, got nil)
2017-02-28T17:55:11.277528+00:00 app[web.1]: stack traceback:
2017-02-28T17:55:11.277529+00:00 app[web.1]: coroutine 0:
2017-02-28T17:55:11.277529+00:00 app[web.1]: 	[C]: in function 'create_hash'
2017-02-28T17:55:11.277530+00:00 app[web.1]: 	.../.heroku/share/lua/5.1/kong/plugins/hmac-auth/access.lua:99: in function 'validate_signature'
2017-02-28T17:55:11.277531+00:00 app[web.1]: 	.../.heroku/share/lua/5.1/kong/plugins/hmac-auth/access.lua:168: in function 'execute'
2017-02-28T17:55:11.277532+00:00 app[web.1]: 	....heroku/share/lua/5.1/kong/plugins/hmac-auth/handler.lua:14: in function 'access'
2017-02-28T17:55:11.277534+00:00 app[web.1]: 	/app/.heroku/share/lua/5.1/kong.lua:193: in function 'access'
2017-02-28T17:55:11.277535+00:00 app[web.1]: 	access_by_lua(nginx.conf:87):2: in function <access_by_lua(nginx.conf:87):1>, client: 96.65.75.149, server: _, request: "POST /mockbin/post HTTP/1.1", host: "api.<ourcompany>.com", referrer: "http://localhost:3000/"

I don't see what the nil value stems from. By line 168 (https://github.com/Mashape/kong/blame/0.7.0/kong/plugins/hmac-auth/access.lua#L168) the hmac_params have been collected and validated, headers are present, and ngx.req is present. What's the issue?

Steps To Reproduce

curl https://api.<ourcompany>.com/mockbin/post --data 'foobar' -X POST --header 'content-md5: 3858f62230ac3c915f300c664312c63f' --header 'content-type: text/plain' --header 'date: Tue, 28 Feb 2017 19:42:34 GMT' --header 'authorization: hmac username="customercontact-381", algorithm="hmac-sha1", headers="date content-md5", signature="MTRjMTVkYzI4ODUwNjllMjRlMDhkY2ViNmQ4NWQxODVmYzFjMDA5MQ=="' -i

Additional Details & Logs

Here is the line in question: https://github.com/Mashape/kong/blame/0.7.0/kong/plugins/hmac-auth/access.lua#L58
The API in question is configured at the mockbin path.

• Kong version 0.7.0
• Operating System heroku
• Installed via: https://github.com/heroku/heroku-kong

[Tieske]

for reference see https://gitter.im/Mashape/kong?at=58b830f9f1a33b62756e9015

[joshbeckman]

This was due to the consumer/hmac-auth lacking a proper secret value. The only suggestion I would make is to require the secret value upon creation of an hmac-auth record. As it stands, it is an optional value, but obviously is required to actually use the HMAC scheme.

[Tieske]

@andjosh thx for the investigation, reopening this as to proper fix it in current versions as well.

[p0pr0ck5]

BTW, the fix in #2158 solves the issue of allowing a null secret; since this isn't a majorly pressing issue, I'd like to wait to merge until 0.10 is released, so as to avoid complicating the release any further. We'll also need to update the plugin docs to note this behavior change.

[p0pr0ck5]

Closing this, since it's fixed on the next branch. Thanks @andjosh for the report!