Skip to content
This repository has been archived by the owner on Dec 8, 2017. It is now read-only.

Commit

Permalink
Handle headers that are defined more than once
Browse files Browse the repository at this point in the history 
Per @jehiah's suggestion in bitly/oauth2_proxy#147.

Also adds a test to ensure that the query string of the URL is factored in.
  • Loading branch information
Mike Bland committed Oct 2, 2015
1 parent 2804e0a commit fc29040
Show file tree
Hide file tree
Showing 2 changed files with 68 additions and 8 deletions.
12 changes: 9 additions & 3 deletions hmacauth.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,9 +29,15 @@ func StringToSign(req *http.Request, headers []string) string {
buffer.WriteString(req.Method)
buffer.WriteString("\n")

for i := 0; i != len(headers); i++ {
buffer.WriteString(req.Header.Get(headers[i]))
buffer.WriteString("\n")
for _, header := range headers {
values := req.Header[header]
for _, value := range values {
buffer.WriteString(value)
buffer.WriteString("\n")
}
if len(values) == 0 {
buffer.WriteString("\n")
}
}
buffer.WriteString(req.URL.String())
return buffer.String()
Expand Down
64 changes: 59 additions & 5 deletions hmacauth_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -84,15 +84,19 @@ func TestRequestSignaturePost(t *testing.T) {
"sha1 722UbRYfC6MnjtIxqEJMDPrW2mk=")
}

func TestRequestSignatureGet(t *testing.T) {
req := newTestRequest(
func newGetRequest() *http.Request {
return newTestRequest(
"GET /foo/bar HTTP/1.1",
"Date: 2015-09-29",
"Cookie: foo; bar; baz=quux",
"Gap-Auth: mbland",
"",
"",
)
}

func TestRequestSignatureGet(t *testing.T) {
req := newGetRequest()
assert.Equal(t, StringToSign(req, HEADERS), strings.Join([]string{
"GET",
"",
Expand All @@ -111,15 +115,65 @@ func TestRequestSignatureGet(t *testing.T) {
"sha1 JBQJcmSTteQyHZXFUA9glis9BIk=")
}

func newGetRequest() *http.Request {
return newTestRequest(
"GET /foo/bar HTTP/1.1",
func TestRequestSignatureGetWithQuery(t *testing.T) {
req := newTestRequest(
"GET /foo/bar?baz=quux HTTP/1.1",
"Date: 2015-09-29",
"Cookie: foo; bar; baz=quux",
"Gap-Auth: mbland",
"",
"",
)

assert.Equal(t, StringToSign(req, HEADERS), strings.Join([]string{
"GET",
"",
"",
"",
"2015-09-29",
"",
"",
"",
"",
"foo; bar; baz=quux",
"mbland",
"/foo/bar?baz=quux",
}, "\n"))
assert.Equal(t, RequestSignature(req, crypto.SHA1, HEADERS, "foobar"),
"sha1 IdVTzG_70lbqE52JoYHmR2oDYO8=")
}

func TestRequestSignatureGetWithMultipleHeadersWithTheSameName(t *testing.T) {
// Just using "Cookie:" out of convenience.
req := newTestRequest(
"GET /foo/bar HTTP/1.1",
"Date: 2015-09-29",
"Cookie: foo",
"Cookie: bar",
"Cookie: baz=quux",
"Gap-Auth: mbland",
"",
"",
)

assert.Equal(t, StringToSign(req, HEADERS), strings.Join([]string{
"GET",
"",
"",
"",
"2015-09-29",
"",
"",
"",
"",
"foo",
"bar",
"baz=quux",
"mbland",
"/foo/bar",
}, "\n"))
assert.Equal(t, RequestSignature(req, crypto.SHA1, HEADERS, "foobar"),
"sha1 3QTHq0aEEwZz637DtDXoT48afrc=")
}

func TestValidateRequestNoSignature(t *testing.T) {
Expand Down

0 comments on commit fc29040

Please sign in to comment.