diff --git a/apisix/core/request.lua b/apisix/core/request.lua index 0c614edf1b20..98b357f7a07b 100644 --- a/apisix/core/request.lua +++ b/apisix/core/request.lua @@ -107,7 +107,9 @@ function _M.header(ctx, name) if not ctx then ctx = ngx.ctx.api_ctx end - return _headers(ctx)[name] + + local value = _headers(ctx)[name] + return type(value) == "table" and value[1] or value end local function modify_header(ctx, header_name, header_value, override) diff --git a/apisix/plugins/real-ip.lua b/apisix/plugins/real-ip.lua index 71c33095b801..212199662b89 100644 --- a/apisix/plugins/real-ip.lua +++ b/apisix/plugins/real-ip.lua @@ -90,7 +90,9 @@ end local function get_addr(conf, ctx) if conf.source == "http_x_forwarded_for" then -- use the last address from X-Forwarded-For header - local addrs = core.request.header(ctx, "X-Forwarded-For") + -- after core.request.header function changed + -- we need to get original header value by using core.request.headers + local addrs = core.request.headers(ctx)["X-Forwarded-For"] if not addrs then return nil end diff --git a/apisix/plugins/ua-restriction.lua b/apisix/plugins/ua-restriction.lua index 577dc2b67cbb..bf28685dd441 100644 --- a/apisix/plugins/ua-restriction.lua +++ b/apisix/plugins/ua-restriction.lua @@ -150,7 +150,9 @@ end function _M.access(conf, ctx) - local user_agent = core.request.header(ctx, "User-Agent") + -- after core.request.header function changed + -- we need to get original header value by using core.request.headers + local user_agent = core.request.headers(ctx)["User-Agent"] if not user_agent then if conf.bypass_missing then diff --git a/t/core/request.t b/t/core/request.t index 9bf48ddbae8d..dc9a82c2e748 100644 --- a/t/core/request.t +++ b/t/core/request.t 
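Review bot: `_M.header` now returns only the first value of a repeated header, and the added lines carry no comment saying so; the function's signature sits just above the hunk, so any existing doc comment is not visible here. I would put `-- a repeated header arrives as a table: return its first value only; callers that need every value must read core.request.headers(ctx)[name]` above `local value`. For a header that carries a credential, picking the first line means the gateway may evaluate a different value than a component behind it that reads the last or the joined one. Plugins that authenticate on a header should therefore probably reject a repeated header themselves rather than rely on this default.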
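Review bot: The comment added before `local addrs` in real-ip.lua, and repeated before `local user_agent` in ua-restriction.lua, records that `core.request.header` changed rather than why this call site must not use it. In real-ip.lua the reason is a security property: the plugin wants the last X-Forwarded-For address, and with repeated header lines the first one is typically the value furthest from the trusted proxy, so I would write `-- headers() keeps repeated X-Forwarded-For lines as a table; header() would return only the first, and the last hop is needed here`. In ua-restriction.lua the equivalent is `-- read every User-Agent line: matching only the first would let a repeated header slip a listed agent past the check`. Both values can now be a table, and the code that consumes them lies below these hunks, so it is worth confirming there that the table case is handled before any string operation.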
@@ -454,10 +454,10 @@ $s
 local h = core.request.header(ctx, "test_header")
 ngx.say(h)
 core.request.add_header(ctx, "test_header", "t2")
- local h2 = core.request.header(ctx, "test_header")
+ local h2 = core.request.headers(ctx)["test_header"]
 ngx.say(json.encode(h2))
 core.request.add_header(ctx, "test_header", "t3")
- local h3 = core.request.header(ctx, "test_header")
+ local h3 = core.request.headers(ctx)["test_header"]
 ngx.say(json.encode(h3))
 }
 }
diff --git a/t/plugin/hmac-auth.t b/t/plugin/hmac-auth.t
index ef4503159804..4efdae88f1b3 100644
--- a/t/plugin/hmac-auth.t
+++ b/t/plugin/hmac-auth.t
@@ -382,7 +382,67 @@ passed -=== TEST 15: add consumer with 0 clock skew +=== TEST 15: verify: ok (multiple duplicates X-HMAC-SIGNATURE header) +--- config +location /t { + content_by_lua_block { + local ngx_time = ngx.time + local ngx_http_time = ngx.http_time + local core = require("apisix.core") + local t = require("lib.test_admin") + local hmac = require("resty.hmac") + local ngx_encode_base64 = ngx.encode_base64 + + local secret_key = "my-secret-key" + local timestamp = ngx_time() + local gmt = ngx_http_time(timestamp) + local access_key = "my-access-key" + local custom_header_a = "asld$%dfasf" + local custom_header_b = "23879fmsldfk" + + local signing_string = { + "GET", + "/hello", + "", + access_key, + gmt, + "x-custom-header-a:" .. custom_header_a, + "x-custom-header-b:" .. custom_header_b + } + signing_string = core.table.concat(signing_string, "\n") .. "\n" + core.log.info("signing_string:", signing_string) + + local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string) + core.log.info("signature:", ngx_encode_base64(signature)) + local headers = {} + local encoded_signature = ngx_encode_base64(signature) + headers["X-HMAC-SIGNATURE"] = {encoded_signature, "another-signature"} + headers["X-HMAC-ALGORITHM"] = "hmac-sha256" + headers["Date"] = gmt + headers["X-HMAC-ACCESS-KEY"] = access_key + headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b" + headers["x-custom-header-a"] = custom_header_a + headers["x-custom-header-b"] = custom_header_b + + local code, body = t.test('/hello', + ngx.HTTP_GET, + "", + nil, + headers + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed + + + +=== TEST 16: add consumer with 0 clock skew --- config location /t { content_by_lua_block { 
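Review bot: TEST 15 sends the repeated `X-HMAC-SIGNATURE` only in the order valid-then-invalid, so it pins that such a request is accepted but not that the second value is ignored. A companion case with `headers["X-HMAC-SIGNATURE"] = {"another-signature", encoded_signature}` that expects the same rejection as the invalid-signature test would pin that only the first value is ever compared. The duplicate line added to the invalid-signature test in the next hunk repeats `asdf` twice, so it cannot tell first from last either. If accepting a request that carries two different signatures is intended, a sentence in the test title or the plugin documentation saying so would help; otherwise rejecting repeated signature headers is the stricter choice.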
@@ -413,11 +473,12 @@ passed -=== TEST 16: verify: invalid signature +=== TEST 17: verify: invalid signature --- request GET /hello --- more_headers X-HMAC-SIGNATURE: asdf +X-HMAC-SIGNATURE: asdf X-HMAC-ALGORITHM: hmac-sha256 Date: Thu, 24 Sep 2020 06:39:52 GMT X-HMAC-ACCESS-KEY: my-access-key3 @@ -431,7 +492,7 @@ client request can't be validated: Invalid signature -=== TEST 17: add consumer with 1 clock skew +=== TEST 18: add consumer with 1 clock skew --- config location /t { content_by_lua_block { @@ -463,7 +524,7 @@ passed -=== TEST 18: verify: Invalid GMT format time +=== TEST 19: verify: Invalid GMT format time --- config location /t { content_by_lua_block { @@ -520,7 +581,7 @@ client request can't be validated: Clock skew exceeded -=== TEST 19: verify: put ok +=== TEST 20: verify: put ok --- config location /t { content_by_lua_block { @@ -583,7 +644,7 @@ passed -=== TEST 20: verify: put ok (pass auth data by header `Authorization`) +=== TEST 21: verify: put ok (pass auth data by header `Authorization`) --- config location /t { content_by_lua_block { @@ -645,7 +706,7 @@ passed -=== TEST 21: hit route without auth info +=== TEST 22: hit route without auth info --- request GET /hello --- error_code: 401 @@ -658,7 +719,7 @@ client request can't be validated: access key or signature missing -=== TEST 22: add consumer with signed_headers +=== TEST 23: add consumer with signed_headers --- config location /t { content_by_lua_block { @@ -690,7 +751,7 @@ passed -=== TEST 23: verify with invalid signed header +=== TEST 24: verify with invalid signed header --- config location /t { content_by_lua_block { @@ -745,7 +806,7 @@ client request can't be validated: Invalid signed header x-custom-header-c -=== TEST 24: verify ok with signed headers +=== TEST 25: verify ok with signed headers --- config location /t { content_by_lua_block { 
@@ -800,7 +861,7 @@ passed -=== TEST 25: add consumer with plugin hmac-auth - empty configuration +=== TEST 26: add consumer with plugin hmac-auth - empty configuration --- config location /t { content_by_lua_block {