make request signing config validation easier to understand

TykTechnologies · Feb 7, 2025 · 35c23c3 · 35c23c3
1 parent 1d2f938
commit 35c23c3
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 1 deletion.
diff --git a/gateway/mw_request_signing.go b/gateway/mw_request_signing.go
@@ -91,7 +91,7 @@ func (s *RequestSigning) getRequestPath(r *http.Request) string {
 }
 
 func (s *RequestSigning) ProcessRequest(w http.ResponseWriter, r *http.Request, _ interface{}) (error, int) {
-	if (s.Spec.RequestSigning.Secret == "" && s.Spec.RequestSigning.CertificateId == "") || s.Spec.RequestSigning.KeyId == "" || s.Spec.RequestSigning.Algorithm == "" {
+	if !s.isRequestSigningConfigValid() {
 		log.Error("Fields required for signing the request are missing")
 		return errors.New("Fields required for signing the request are missing"), http.StatusInternalServerError
 	}
@@ -180,6 +180,23 @@ func (s *RequestSigning) ProcessRequest(w http.ResponseWriter, r *http.Request,
 	return nil, http.StatusOK
 }
 
+func (s *RequestSigning) isRequestSigningConfigValid() bool {
+	if s.Spec.RequestSigning.KeyId == "" || s.Spec.RequestSigning.Algorithm == "" {
+		return false
+	}
+
+	isRSAAlgorithm := strings.HasPrefix(s.Spec.RequestSigning.Algorithm, "rsa")
+	if isRSAAlgorithm && s.Spec.RequestSigning.CertificateId == "" {
+		return false
+	}
+
+	if !isRSAAlgorithm && s.Spec.RequestSigning.Secret == "" {
+		return false
+	}
+
+	return true
+}
+
 func generateRSAEncodedSignature(signatureString string, privateKey *rsa.PrivateKey, algorithm string) (string, error) {
 	var hashFunction hash.Hash
 	var hashType crypto.Hash

diff --git a/gateway/mw_request_signing_test.go b/gateway/mw_request_signing_test.go
@@ -609,3 +609,88 @@ func TestRequestSigning_getRequestPath(t *testing.T) {
 		ctxSetURLRewriteTarget(req, nil)
 	})
 }
+
+func TestRequestSigning_isRequestSigningConfigValid(t *testing.T) {
+	type testCase struct {
+		name     string
+		conf     apidef.RequestSigningMeta
+		expected bool
+	}
+
+	testCases := []testCase{
+		{
+			name: "missing keyID",
+			conf: apidef.RequestSigningMeta{
+				Secret:        "secret",
+				KeyId:         "",
+				Algorithm:     "hmac-sha256",
+				CertificateId: "certID",
+			},
+			expected: false,
+		},
+		{
+			name: "missing algorithm",
+			conf: apidef.RequestSigningMeta{
+				Secret:        "secret",
+				KeyId:         "keyID",
+				Algorithm:     "",
+				CertificateId: "certID",
+			},
+			expected: false,
+		},
+		{
+			name: "RSA and empty cert ID",
+			conf: apidef.RequestSigningMeta{
+				Secret:        "secret",
+				KeyId:         "keyID",
+				Algorithm:     "rsa-sha256",
+				CertificateId: "",
+			},
+			expected: false,
+		},
+		{
+			name: "non-RSA and empty secret",
+			conf: apidef.RequestSigningMeta{
+				Secret:        "",
+				KeyId:         "keyID",
+				Algorithm:     "hmac-sha256",
+				CertificateId: "certID",
+			},
+			expected: false,
+		},
+		{
+			name: "valid RSA config",
+			conf: apidef.RequestSigningMeta{
+				Secret:        "",
+				KeyId:         "keyID",
+				Algorithm:     "rsa-sha256",
+				CertificateId: "certID",
+			},
+			expected: true,
+		},
+		{
+			name: "valid non-RSA config",
+			conf: apidef.RequestSigningMeta{
+				Secret:        "secret",
+				KeyId:         "keyID",
+				Algorithm:     "hmac-sha256",
+				CertificateId: "",
+			},
+			expected: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+
+		api := BuildAPI(func(spec *APISpec) {
+			spec.RequestSigning = tc.conf
+		})[0]
+
+		rs := RequestSigning{
+			BaseMiddleware: &BaseMiddleware{Spec: api},
+		}
+
+		assert.Equal(t, tc.expected, rs.isRequestSigningConfigValid())
+	}
+}