Custom HMAC signed requests

Hi all,

I’d like to use Gatling to load test some web services which use a custom authorization/authentication mechanism which includes a consumer’s API key and an HMAC of various key values from the request plus a timestamp.

Can Gatling be extended to sign requests using this custom mechanism, and if so how would I best go about it?

Any advice appreciated - I’m brand new to both Scala and Gatling, so forgive me if this is an obvious question!

Thanks,
Rowan

Hi,

Can’t tell without knowing what the signed requests look like.
Is this a special header?

Sorry, I should have said. The Authorization header is populated with “[API key]:[HMAC]”, and a custom header is added with the timestamp to be used when recalculating the HMAC at the other end.

OK, so no problem.

Are you related to Lars Mulanski?
He just posted some code here, that’s very similar to your needs.

Nope, nothing to do with Lars, that’s just an odd coincidence.

I’ll take a look at that code - it looks like it should be useful!

Thanks,
Rowan

Just for anyone who might come across this thread later, the thread of Lars’ that Stéphane mentioned is here: https://groups.google.com/forum/#!topic/gatling/hg6x7NeME0M

Hi again,

I’m just taking another look at this today, and I’m not sure I can see how I can get hold of the details of a request being built from a Session. Is that possible? I need to know the URL, HTTP method, request body and content type.

I’m using Gatling 2, since I don’t want to have to rewrite this all again in the near future, so I’ve been taking a look at Dino Fancellu’s code here.

Again, any pointers appreciated!

Thanks,
Rowan

If those elements depend on the session, the only way I see is to process in several steps:

  • have an exec(function) that builds them and stores them in their final form in the session + compute your token
  • send the request
  • optional: clear the session if the bodies are significant so that they don’t linger and put more GC pressure
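The three-step flow described above, written out as an added example (this is not code from the thread or from the Gatling project). It assumes the Gatling 2.0 DSL (`io.gatling.core.Predef._`, `io.gatling.http.Predef._`, `Session.set`/`removeAll`, `http.baseURL`), HMAC-SHA256 hex-encoded as the token, and an assumed canonical string of method, path, content type, body and timestamp; the header names, `items.csv` feeder, credentials and base URL are constructed placeholders, not the original poster's real scheme:

```scala
import io.gatling.core.Predef._
import io.gatling.http.Predef._
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import java.nio.charset.StandardCharsets.UTF_8

object HmacSigning {

  // Constructed sample credentials; a real test would load these from a feeder.
  val ApiKey = "demo-api-key"
  val SecretKey = "demo-secret-key".getBytes(UTF_8)

  // HMAC-SHA256 over the canonical string, hex encoded (assumed token format).
  def hmacHex(secret: Array[Byte], data: String): String = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(new SecretKeySpec(secret, "HmacSHA256"))
    mac.doFinal(data.getBytes(UTF_8)).map("%02x".format(_)).mkString
  }

  // Canonical string: the request fields the server also covers when it
  // recomputes the HMAC, joined with newlines (assumed layout).
  def canonical(method: String, path: String, contentType: String, body: String, timestamp: Long): String =
    Seq(method, path, contentType, body, timestamp.toString).mkString("\n")
}

class SignedRequestSimulation extends Simulation {
  import HmacSigning._

  val httpConf = http.baseURL("http://localhost:8080") // placeholder target

  // Step 1: resolve everything the signature covers into the session in its
  // final form, then compute the token from those resolved values.
  val prepare = exec { session =>
    val id = session("itemId").as[String]
    val path = s"/items/$id"
    val body = s"""{"id":"$id","name":"item-$id"}"""
    val ts = System.currentTimeMillis / 1000
    val sig = hmacHex(SecretKey, canonical("POST", path, "application/json", body, ts))
    session
      .set("path", path)
      .set("body", body)
      .set("ts", ts.toString)
      .set("auth", s"$ApiKey:$sig")
  }

  // Step 2: send the request using only the session attributes computed above,
  // so the bytes on the wire are exactly the bytes that were signed.
  val send = exec(
    http("signed create")
      .post("${path}")
      .header("Authorization", "${auth}")      // "[API key]:[HMAC]"
      .header("X-Timestamp", "${ts}")          // assumed timestamp header name
      .header("Content-Type", "application/json")
      .body(StringBody("${body}"))
      .check(status.is(200))
  )

  // Step 3 (optional): drop the body and derived values so large payloads
  // don't linger in the session and add GC pressure.
  val cleanup = exec(_.removeAll("body", "path", "auth", "ts"))

  val scn = scenario("HMAC signed requests")
    .feed(csv("items.csv").circular) // assumed feeder with one column: itemId
    .exec(prepare)
    .exec(send)
    .exec(cleanup)

  setUp(scn.inject(atOnceUsers(1))).protocols(httpConf)
}
```

The body is serialised once in step 1 and reused verbatim in step 2 rather than built twice, because any difference between the signed body and the sent body (whitespace, field order) makes the server's recomputed HMAC fail; the timestamp is stored as a string so the header and the canonical string carry the identical value.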

Hi Stéphane,

That’s a shame - it’s a lot of repetition I’d like to avoid.

I was hoping something like the following would be possible:

scenario("My Scenario")
  .exec(
    sign(
      http("some request")
    )
  )

I.e. write a sign method that takes a builder, inspects the HTTP attributes, computes the HMAC, adds the required headers, then returns the modified builder.

It doesn’t look like that’s possible in 2.0.0-M3a because the HttpAttributes are private in AbstractHttpRequestBuilder. If my understanding of Scala is correct, though, they’re public in master (there’s a “val” in the constructor on master). Is this likely to be released any time soon?

Thanks,
Rowan

> I.e. write a sign method that takes a builder, inspects the HTTP
> attributes, computes the HMAC, adds the required headers, then returns the
> modified builder.

Indeed, you could write such a method, that's a nice idea.
You would avoid repetition, but it will still have to generate the
boilerplate I mentioned (first resolve the expressions and store the
computed HMAC into the session in an exec(function) and then exec the
request).

> It doesn't look like that's possible in 2.0.0-M3a because
> the HttpAttributes are private in AbstractHttpRequestBuilder. If my
> understanding of Scala is correct, though, they're public in master
> (there's a "val" in the constructor on master).

Absolutely.

> Is this likely to be released any time soon?

That's a matter of weeks.
There's still some stuff we have to fix/finish implementing in the recorder.

Until then, you can use snapshots hosted on Sonatype: