mirror of
https://github.com/alibaba/higress.git
synced 2026-03-06 17:40:51 +08:00
Update extensions & release 1.0.0-rc (#281)
This commit is contained in:
澄潭
GitHub
@@ -1,3 +1,17 @@
|
||||
# Copyright (c) 2022 Alibaba Group Holding Ltd.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
|
||||
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
|
||||
|
||||
@@ -17,9 +31,9 @@ wasm_cc_binary(
|
||||
"@com_google_absl//absl/strings:str_format",
|
||||
"@com_google_absl//absl/time",
|
||||
"//common:json_util",
|
||||
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
|
||||
"//common:http_util",
|
||||
"//common:rule_util",
|
||||
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
|
||||
],
|
||||
)
|
||||
|
||||
|
||||
@@ -135,11 +135,16 @@ bool PluginRootContext::parsePluginConfig(const json& configuration,
|
||||
[&](const json& from_header) -> bool {
|
||||
JSON_FIND_FIELD(from_header, name);
|
||||
JSON_FIELD_VALUE_AS(std::string, from_header, name);
|
||||
JSON_FIND_FIELD(from_header, value_prefix);
|
||||
JSON_FIELD_VALUE_AS(std::string, from_header,
|
||||
value_prefix);
|
||||
from_headers.push_back(FromHeader{
|
||||
from_header_name, from_header_value_prefix});
|
||||
std::string header_value_prefix;
|
||||
auto from_header_value_prefix_json =
|
||||
from_header.find("value_prefix");
|
||||
if (from_header_value_prefix_json != from_header.end()) {
|
||||
JSON_FIELD_VALUE_AS(std::string, from_header,
|
||||
value_prefix);
|
||||
header_value_prefix = from_header_value_prefix;
|
||||
}
|
||||
from_headers.push_back(
|
||||
FromHeader{from_header_name, header_value_prefix});
|
||||
return true;
|
||||
})) {
|
||||
LOG_WARN("failed to parse 'from_headers' in consumer: " +
|
||||
@@ -229,6 +234,18 @@ bool PluginRootContext::parsePluginConfig(const json& configuration,
|
||||
LOG_INFO("at least one consumer has to be configured for a rule.");
|
||||
return false;
|
||||
}
|
||||
std::vector<std::string> enable_headers;
|
||||
if (!JsonArrayIterate(configuration, "enable_headers",
|
||||
[&](const json& enable_header_json) -> bool {
|
||||
JSON_VALUE_AS(std::string, enable_header_json,
|
||||
enable_header, "invalid item");
|
||||
enable_headers.push_back(enable_header);
|
||||
return true;
|
||||
})) {
|
||||
LOG_WARN("failed to parse 'enable_headers'");
|
||||
return false;
|
||||
}
|
||||
rule.enable_headers = std::move(enable_headers);
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -307,6 +324,20 @@ Status PluginRootContext::consumerVerify(
|
||||
bool PluginRootContext::checkPlugin(
|
||||
const JwtAuthConfigRule& rule,
|
||||
const std::optional<std::unordered_set<std::string>>& allow_set) {
|
||||
if (!rule.enable_headers.empty()) {
|
||||
bool skip_auth = true;
|
||||
for (const auto& enable_header : rule.enable_headers) {
|
||||
auto header_ptr = getRequestHeader(enable_header);
|
||||
if (header_ptr->size() > 0) {
|
||||
LOG_DEBUG("enable by header: " + header_ptr->toString());
|
||||
skip_auth = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (skip_auth) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
std::optional<Status> err_status;
|
||||
bool verified = false;
|
||||
uint64_t now = getCurrentTimeNanoseconds() / 1e9;
|
||||
@@ -354,8 +385,7 @@ bool PluginRootContext::onConfigure(size_t size) {
|
||||
// Parse configuration JSON string.
|
||||
if (size > 0 && !configure(size)) {
|
||||
LOG_WARN("configuration has errors initialization will not continue.");
|
||||
setInvalidConfig();
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -73,6 +73,7 @@ struct Consumer {
|
||||
|
||||
struct JwtAuthConfigRule {
|
||||
std::vector<Consumer> consumers;
|
||||
std::vector<std::string> enable_headers;
|
||||
};
|
||||
|
||||
// PluginRootContext is the root context for all streams processed by the
|
||||
|
||||
@@ -84,6 +84,9 @@ class JwtAuthTest : public ::testing::Test {
|
||||
if (header == "Authorization") {
|
||||
*result = jwt_header_;
|
||||
}
|
||||
if (header == "x-custom-header") {
|
||||
*result = custom_header_;
|
||||
}
|
||||
return WasmResult::Ok;
|
||||
});
|
||||
ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
|
||||
@@ -118,6 +121,7 @@ class JwtAuthTest : public ::testing::Test {
|
||||
std::string authority_;
|
||||
std::string route_name_;
|
||||
std::string jwt_header_;
|
||||
std::string custom_header_;
|
||||
uint64_t current_time_;
|
||||
};
|
||||
|
||||
@@ -146,7 +150,8 @@ TEST_F(JwtAuthTest, RSA) {
|
||||
}
|
||||
|
||||
TEST_F(JwtAuthTest, OCT) {
|
||||
std::string configuration = R"(
|
||||
{
|
||||
std::string configuration = R"(
|
||||
{
|
||||
"consumers": [
|
||||
{
|
||||
@@ -156,17 +161,65 @@ TEST_F(JwtAuthTest, OCT) {
|
||||
}
|
||||
]
|
||||
})";
|
||||
BufferBase buffer;
|
||||
buffer.set({configuration.data(), configuration.size()});
|
||||
BufferBase buffer;
|
||||
buffer.set({configuration.data(), configuration.size()});
|
||||
|
||||
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
|
||||
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
|
||||
EXPECT_TRUE(root_context_->configure(configuration.size()));
|
||||
current_time_ = 1665673819 * 1e9;
|
||||
jwt_header_ =
|
||||
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::Continue);
|
||||
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
|
||||
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
|
||||
EXPECT_TRUE(root_context_->configure(configuration.size()));
|
||||
current_time_ = 1665673819 * 1e9;
|
||||
jwt_header_ =
|
||||
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::Continue);
|
||||
}
|
||||
{
|
||||
std::string configuration = R"(
|
||||
{
|
||||
"consumers": [
|
||||
{
|
||||
"name": "consumer-2",
|
||||
"issuer": "abcd",
|
||||
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
|
||||
}
|
||||
]
|
||||
})";
|
||||
BufferBase buffer;
|
||||
buffer.set({configuration.data(), configuration.size()});
|
||||
|
||||
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
|
||||
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
|
||||
EXPECT_TRUE(root_context_->configure(configuration.size()));
|
||||
current_time_ = 1665673819 * 1e9;
|
||||
jwt_header_ =
|
||||
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKm1)";
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::StopIteration);
|
||||
}
|
||||
{
|
||||
std::string configuration = R"(
|
||||
{
|
||||
"consumers": [
|
||||
{
|
||||
"name": "consumer-2",
|
||||
"issuer": "abcd",
|
||||
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
|
||||
}
|
||||
],
|
||||
"global_auth": false
|
||||
})";
|
||||
BufferBase buffer;
|
||||
buffer.set({configuration.data(), configuration.size()});
|
||||
|
||||
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
|
||||
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
|
||||
EXPECT_TRUE(root_context_->configure(configuration.size()));
|
||||
current_time_ = 1665673819 * 1e9;
|
||||
jwt_header_ =
|
||||
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKm1)";
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::Continue);
|
||||
}
|
||||
}
|
||||
|
||||
TEST_F(JwtAuthTest, AuthZ) {
|
||||
@@ -264,6 +317,97 @@ TEST_F(JwtAuthTest, ClaimToHeader) {
|
||||
FilterHeadersStatus::Continue);
|
||||
}
|
||||
|
||||
TEST_F(JwtAuthTest, CustomHeader) {
|
||||
std::string configuration = R"(
|
||||
{
|
||||
"consumers": [
|
||||
{
|
||||
"name": "consumer-2",
|
||||
"issuer": "abcd",
|
||||
"from_headers": [
|
||||
{
|
||||
"name": "x-custom-header",
|
||||
"value_prefix": "token "
|
||||
},
|
||||
{
|
||||
"name": "Authorization"
|
||||
}
|
||||
],
|
||||
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
|
||||
}
|
||||
]
|
||||
})";
|
||||
BufferBase buffer;
|
||||
buffer.set({configuration.data(), configuration.size()});
|
||||
|
||||
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
|
||||
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
|
||||
EXPECT_TRUE(root_context_->configure(configuration.size()));
|
||||
custom_header_ =
|
||||
R"(token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::Continue);
|
||||
custom_header_.clear();
|
||||
jwt_header_ =
|
||||
R"(eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::Continue);
|
||||
}
|
||||
|
||||
TEST_F(JwtAuthTest, SkipAuthHeader) {
|
||||
std::string configuration = R"(
|
||||
{
|
||||
"consumers": [
|
||||
{
|
||||
"name": "consumer-1",
|
||||
"issuer": "abc",
|
||||
"jwks": "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"123\",\"alg\":\"RS256\",\"n\":\"i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw\"}]}"
|
||||
},
|
||||
{
|
||||
"name": "consumer-2",
|
||||
"issuer": "abcd",
|
||||
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
|
||||
}
|
||||
],
|
||||
"enable_headers": ["x-custom-header"],
|
||||
"_rules_": [{
|
||||
"_match_route_": [
|
||||
"test1"
|
||||
],
|
||||
"allow": [
|
||||
"consumer-1"
|
||||
]
|
||||
},
|
||||
{
|
||||
"_match_route_": [
|
||||
"test2"
|
||||
],
|
||||
"allow": [
|
||||
"consumer-2"
|
||||
]
|
||||
}
|
||||
]
|
||||
})";
|
||||
BufferBase buffer;
|
||||
buffer.set({configuration.data(), configuration.size()});
|
||||
|
||||
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
|
||||
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
|
||||
EXPECT_TRUE(root_context_->configure(configuration.size()));
|
||||
current_time_ = 1665673819 * 1e9;
|
||||
jwt_header_ =
|
||||
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
|
||||
route_name_ = "test1";
|
||||
custom_header_ = "123";
|
||||
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
|
||||
testing::_, testing::_));
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::StopIteration);
|
||||
custom_header_ = "";
|
||||
EXPECT_EQ(context_->onRequestHeaders(0, false),
|
||||
FilterHeadersStatus::Continue);
|
||||
}
|
||||
|
||||
} // namespace jwt_auth
|
||||
} // namespace null_plugin
|
||||
} // namespace proxy_wasm
|
||||
|
||||
Reference in New Issue
Block a user