feat: create a C++ sample plugin for HMAC cookie authorization. #117
Conversation
|
Here is the summary of changes. You are about to add 1 region tag.
This comment is generated by snippet-bot.
|
| # To avoid the error: | ||
| # library_pthread.js:26: #error "STANDALONE_WASM does not support shared memories yet". | ||
| # Disabling the pthreads avoids the inclusion of the library_pthread.js. | ||
| "-sUSE_PTHREADS=0", |
There was a problem hiding this comment.
FWIW this will be fixed soon-ish in proxy-wasm/proxy-wasm-cpp-sdk#173 by setting threads = "off" in the Bazel transition.
There was a problem hiding this comment.
@walves-cit can you remove the linkopts setting (per @martijneken 's comment above)? Also I think it can be removed from plugins/samples/jwt_auth/BUILD as well (in a separate PR)
There was a problem hiding this comment.
Did not work. 😢
I've got the following error:
wasm-ld: error: --shared-memory is disallowed by lto.tmp because it was not compiled with 'atomics' or 'bulk-memory' features.
| # To avoid the error: | ||
| # library_pthread.js:26: #error "STANDALONE_WASM does not support shared memories yet". | ||
| # Disabling the pthreads avoids the inclusion of the library_pthread.js. | ||
| "-sUSE_PTHREADS=0", |
There was a problem hiding this comment.
@walves-cit can you remove the linkopts setting (per @martijneken 's comment above)? Also I think it can be removed from plugins/samples/jwt_auth/BUILD as well (in a separate PR)
|
|
||
| FilterHeadersStatus onRequestHeaders(uint32_t headers, | ||
| bool end_of_stream) override { | ||
| const auto token = getTokenFromCookie(); |
| return FilterHeadersStatus::ContinueAndEndStream; | ||
| } | ||
|
|
||
| const auto path = getRequestHeader(":path")->toString(); |
There was a problem hiding this comment.
Using a cookie to hold a HMAC for a specific path seems unrealistic to me: for that case, you'd typically include the HMAC in the path, like in #114 . The main benefit / use case of cookie-based HMAC would be to give a client a (usually time-bounded) token that can be used across multiple URLs.
For this example, I'd propose using a simple example cookie that contains the values (client IP, expiration timestamp, hash(client IP, expiration timestamp, secret)). More concretely, let payload = the string client_ip + "," + expiration_timestamp, and then the cookie would be `base64(payload) + "." + base64(computeHmacSignature(payload)).
You can determine the client IP by parsing the X-Forwarded-For header, whose format is documented at https://cloud.google.com/load-balancing/docs/https#x-forwarded-for_header. If that header isn't present or fails parsing, reject the request.
Then you can verify a request by:
- obtaining client IP (reject if not present)
- obtaining cookie (reject if not present)
- Verify that cookie hash matches cookie payload (reject if no match)
- get current time by calling
getCurrentTimeNanoseconds() - Ensure that client IP matches cookie payload IP, and current time is earlier than cookie payload expiration time.
There was a problem hiding this comment.
Done.... pls, take a look.
A lot of changes done 😅
| } | ||
|
|
||
| // Helper function to convert binary data to a hexadecimal string. | ||
| std::string toHexString(const unsigned char* data, size_t length) { |
There was a problem hiding this comment.
Suggest using absl::BytesToHexString
If that can't be used, suggest passing data and length as a string_view.
This plugin is a HMAC cookie authorization showcase.
Technically, this is performed by ensuring that the request has a valid HMAC cookie.
This examples contains only a C++ version.