jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-05-10 05:47:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add plugins (#27)

Browse Source
This commit is contained in:
澄潭
2022-11-04 17:46:43 +08:00
committed by GitHub
parent 5ac966495c
commit 1a0ed73cd5
92 changed files with 35435 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
plugins/wasm-cpp/extensions/basic_auth/BUILD Normal file
View File

@@ -0,0 +1,61 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "basic_auth.wasm",
srcs = [
"plugin.cc",
"plugin.h",
"//common:base64.h",
],
deps = [
"//common:rule_util",
"//common:json_util",
"//common:crypto_util",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
],
)
cc_library(
name = "basic_auth_lib",
srcs = [
"plugin.cc",
"//common:base64.h",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
visibility = ["//visibility:public"],
alwayslink = 1,
deps = [
"//common:rule_util",
"//common:json_util",
"//common:crypto_util",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"@proxy_wasm_cpp_host//:lib",
],
)
cc_test(
name = "basic_auth_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":basic_auth_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
linkopts = ["-lcrypt"],
)
declare_wasm_image_targets(
name = "basic_auth",
wasm_file = ":basic_auth.wasm",
)

351
plugins/wasm-cpp/extensions/basic_auth/plugin.cc Normal file
View File

@@ -0,0 +1,351 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/basic_auth/plugin.h"
#include <array>
#include <functional>
#include <optional>
#include <utility>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "common/base64.h"
#include "common/common_util.h"
#include "common/crypto_util.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace basic_auth {
PROXY_WASM_NULL_PLUGIN_REGISTRY
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_basic_auth_plugin(
"envoy.wasm.basic_auth", []() {
return std::make_unique<NullPlugin>(basic_auth::context_registry_);
});
#endif
static RegisterContextFactory register_BasicAuth(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
namespace {
void deniedNoBasicAuthData(const std::string& realm) {
sendLocalResponse(
401,
"Request denied by Basic Auth check. No Basic "
"Authentication information found.",
"", {{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
void deniedInvalidCredentials(const std::string& realm) {
sendLocalResponse(
401,
"Request denied by Basic Auth check. Invalid "
"username and/or password",
"", {{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
void deniedUnauthorizedConsumer(const std::string& realm) {
sendLocalResponse(
403, "Request denied by Basic Auth check. Unauthorized consumer", "",
{{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
} // namespace
bool PluginRootContext::parsePluginConfig(const json& configuration,
BasicAuthConfigRule& rule) {
if ((configuration.find("consumers") != configuration.end()) &&
(configuration.find("credentials") != configuration.end())) {
LOG_WARN(
"The consumers field and the credentials field cannot appear at the "
"same level");
return false;
}
auto it = configuration.find("encrypted");
if (it != configuration.end()) {
auto passwd_encrypted = JsonValueAs<bool>(it.value());
if (passwd_encrypted.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse passwd_encrypted");
return false;
}
rule.passwd_encrypted = passwd_encrypted.first.value();
}
// no consumer name
if (!JsonArrayIterate(
configuration, "credentials", [&](const json& credentials) -> bool {
auto credential = JsonValueAs<std::string>(credentials);
if (credential.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("credential cannot be parsed");
return false;
}
// Check if credential has `:` in it. If it has, it needs to be
// base64 encoded.
if (absl::StrContains(credential.first.value(), ":")) {
return addBasicAuthConfigRule(rule, credential.first.value(),
std::nullopt, false);
}
if (rule.passwd_encrypted) {
LOG_WARN("colon not found in encrypted credential");
return false;
}
// Otherwise, try base64 decode and insert into credential list if
// it can be decoded.
if (!Base64::decodeWithoutPadding(credential.first.value())
.empty()) {
return addBasicAuthConfigRule(rule, credential.first.value(),
std::nullopt, true);
}
return false;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
// with consumer name
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
auto item = consumer.find("name");
if (item == consumer.end()) {
LOG_WARN("can't find 'name' field in consumer.");
return false;
}
auto name = JsonValueAs<std::string>(item.value());
if (name.second != Wasm::Common::JsonParserResultDetail::OK ||
!name.first) {
LOG_WARN("'name' cannot be parsed");
return false;
}
item = consumer.find("credential");
if (item == consumer.end()) {
LOG_WARN("can't find 'credential' field in consumer.");
return false;
}
auto credential = JsonValueAs<std::string>(item.value());
if (credential.second != Wasm::Common::JsonParserResultDetail::OK ||
!credential.first) {
LOG_WARN("field 'credential' cannot be parsed");
return false;
}
// Check if credential has `:` in it. If it has, it needs to be
// base64 encoded.
if (absl::StrContains(credential.first.value(), ":")) {
return addBasicAuthConfigRule(rule, credential.first.value(),
name.first, false);
}
if (rule.passwd_encrypted) {
LOG_WARN("colon not found in encrypted credential");
return false;
}
// Otherwise, try base64 decode and insert into credential list if
// it can be decoded.
if (!Base64::decodeWithoutPadding(credential.first.value())
.empty()) {
return addBasicAuthConfigRule(rule, credential.first.value(),
name.first, true);
}
return false;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (rule.encoded_credentials.empty() && rule.encrypted_credentials.empty()) {
LOG_INFO("at least one credential has to be configured for a rule.");
return false;
}
it = configuration.find("realm");
if (it != configuration.end()) {
auto realm_string = JsonValueAs<std::string>(it.value());
if (realm_string.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse realm");
return false;
}
rule.realm = realm_string.first.value();
}
return true;
}
bool PluginRootContext::addBasicAuthConfigRule(
BasicAuthConfigRule& rule, const std::string& credential,
const std::optional<std::string>& name, bool base64_encoded) {
std::string stored_str;
const std::string* stored_ptr = nullptr;
if (!base64_encoded && !rule.passwd_encrypted) {
stored_str = Base64::encode(credential.data(), credential.size());
stored_ptr = &stored_str;
} else {
stored_ptr = &credential;
}
if (!rule.passwd_encrypted) {
rule.encoded_credentials.insert(*stored_ptr);
} else {
std::vector<std::string> pair =
absl::StrSplit(*stored_ptr, absl::MaxSplits(":", 2));
if (pair.size() != 2) {
LOG_WARN(absl::StrCat("invalid encrypted credential: ", *stored_ptr));
return false;
}
rule.encrypted_credentials.emplace(
std::make_pair(std::move(pair[0]), std::move(pair[1])));
}
if (name) {
if (rule.credential_to_name.find(*stored_ptr) !=
rule.credential_to_name.end()) {
LOG_WARN(absl::StrCat("duplicate consumer credential: ", *stored_ptr));
return false;
}
rule.credential_to_name.emplace(std::make_pair(*stored_ptr, name.value()));
}
return true;
}
bool PluginRootContext::checkPlugin(
const BasicAuthConfigRule& rule,
const std::optional<std::unordered_set<std::string>>& allow_set) {
auto authorization_header = getRequestHeader("authorization");
auto authorization = authorization_header->view();
// Check if the Basic auth header starts with "Basic "
if (!absl::StartsWith(Wasm::Common::stdToAbsl(authorization), "Basic ")) {
deniedNoBasicAuthData(rule.realm);
return false;
}
auto authorization_strip =
absl::StripPrefix(Wasm::Common::stdToAbsl(authorization), "Basic ");
std::string to_find_name;
if (!rule.passwd_encrypted) {
auto auth_credential_iter =
rule.encoded_credentials.find(std::string(authorization_strip));
// Check if encoded credential is part of the credential_to_name
// map from our container to grant or deny access.
if (auth_credential_iter == rule.encoded_credentials.end()) {
deniedInvalidCredentials(rule.realm);
return false;
}
to_find_name = std::string(authorization_strip);
} else {
auto user_and_passwd = Base64::decodeWithoutPadding(
Wasm::Common::abslToStd(authorization_strip));
if (user_and_passwd.empty()) {
LOG_WARN(
absl::StrCat("invalid base64 authorization: ", authorization_strip));
deniedInvalidCredentials(rule.realm);
return false;
}
std::vector<std::string> pair =
absl::StrSplit(user_and_passwd, absl::MaxSplits(":", 2));
if (pair.size() != 2) {
LOG_WARN(
absl::StrCat("invalid decoded authorization: ", user_and_passwd));
deniedInvalidCredentials(rule.realm);
return false;
}
auto encrypted_iter = rule.encrypted_credentials.find(pair[0]);
if (encrypted_iter == rule.encrypted_credentials.end()) {
LOG_DEBUG(absl::StrCat("username not found: ", pair[0]));
deniedInvalidCredentials(rule.realm);
return false;
}
auto expect_encrypted = encrypted_iter->second;
std::string actual_encrypted;
if (!Wasm::Common::Crypto::crypt(pair[1], expect_encrypted,
actual_encrypted)) {
LOG_DEBUG(absl::StrCat("crypt failed, expect: ", pair[1]));
deniedInvalidCredentials(rule.realm);
return false;
}
LOG_DEBUG(absl::StrCat("expect_encrypted: ", expect_encrypted,
", actual_encrypted: ", actual_encrypted));
if (expect_encrypted != actual_encrypted) {
LOG_DEBUG(absl::StrCat("invalid encrypted: ", actual_encrypted,
", expect: ", expect_encrypted));
deniedInvalidCredentials(rule.realm);
return false;
}
to_find_name = absl::StrCat(pair[0], ":", expect_encrypted);
}
// Check if this credential has a consumer name. If so, check if this
// consumer is allowed to access. If allow_set is empty, allow all consumers.
auto credential_to_name_iter = rule.credential_to_name.find(to_find_name);
if (credential_to_name_iter != rule.credential_to_name.end()) {
if (allow_set && !allow_set.value().empty()) {
if (allow_set.value().find(credential_to_name_iter->second) ==
allow_set.value().end()) {
deniedUnauthorizedConsumer(rule.realm);
return false;
}
}
addRequestHeader("X-Mse-Consumer", credential_to_name_iter->second);
}
return true;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
Wasm::Common::stdToAbsl(configuration_data->view())));
return false;
}
if (!parseAuthRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
Wasm::Common::stdToAbsl(configuration_data->view())));
return false;
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->checkAuthRule(
[rootCtx](const auto& config, const auto& allow_set) {
return rootCtx->checkPlugin(config, allow_set);
})
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
#ifdef NULL_PLUGIN
} // namespace basic_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

87
plugins/wasm-cpp/extensions/basic_auth/plugin.h Normal file
View File

@@ -0,0 +1,87 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_set>
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace basic_auth {
#endif
struct BasicAuthConfigRule {
std::unordered_map<std::string, std::string> encrypted_credentials;
std::unordered_set<std::string> encoded_credentials;
std::unordered_map<std::string, std::string> credential_to_name;
std::string realm = "MSE Gateway";
bool passwd_encrypted = false;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<BasicAuthConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkPlugin(const BasicAuthConfigRule&,
const std::optional<std::unordered_set<std::string>>&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, BasicAuthConfigRule&) override;
bool addBasicAuthConfigRule(BasicAuthConfigRule& rule,
const std::string& credential,
const std::optional<std::string>& name,
bool base64_encoded);
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace basic_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

969
plugins/wasm-cpp/extensions/basic_auth/plugin_test.cc Normal file
View File

@@ -0,0 +1,969 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/basic_auth/plugin.h"
#include "common/base64.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace basic_auth {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_basic_auth_plugin("basic_auth", []() {
return std::make_unique<NullPlugin>(basic_auth::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, addHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view /* value */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class BasicAuthTest : public ::testing::Test {
protected:
BasicAuthTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("basic_auth");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == "authorization") {
if (authorization_header_.empty()) {
authorization_header_ =
"Basic " + Base64::encode(cred_.data(), cred_.size());
}
*result = authorization_header_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view key,
std::string_view value) { return WasmResult::Ok; });
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~BasicAuthTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string authority_;
std::string cred_;
std::string route_name_;
std::string authorization_header_;
};
TEST_F(BasicAuthTest, OnConfigureSuccess) {
// without consumer
{
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2",
"YWRtaW4zOmFkbWluMw==" ],
"_rules_": [
{
"_match_route_":[ "abc", "test" ],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2",
"YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin:admin", "admin2:admin2", "ok:test",
"YWRtaW4zOmFkbWluMw==" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"},
{"credential" : "postuser1:123456", "name" : "consumer3"},
{"credential" : "postuser2:123456", "name" : "consumer4"}
],
"_rules_" : [
{
"_match_route_" : ["route-1"],
"allow" : [ "consumer1", "consumer2" ]
},
{
"_match_domain_" : ["*.example.com"],
"allow" : [ "consumer3", "consumer4" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureNoRules) {
// without consumer
{
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"},
{"credential" : "postuser1:123456", "name" : "consumer3"},
{"credential" : "postuser2:123456", "name" : "consumer4"}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureOnlyRules) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_":[ "test.com.*"],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_" : [
{
"_match_route_" : ["route-1"],
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"}
]
},
{
"_match_domain_" : ["*.example.com"],
"consumers" : [
{"credential" : "postuser1:123456", "name" : "consumer3"},
{"credential" : "postuser2:123456", "name" : "consumer4"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureEmptyRules) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_" : [
{
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureDuplicateRules) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_": ["abc.com"],
"_match_route_": ["abc"],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_": ["abc.com"],
"_match_route_": ["abc"],
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureNoCredentials) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":[ "abc", "test" ],
"credentials":[ ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":[ "abc", "test" ],
"consumers":[ ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureEmptyConfig) {
std::string configuration = "{}";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
TEST_F(BasicAuthTest, OnConfigureDuplicateCredential) {
// without consumer
// "admin:admin" base64 encoded is "YWRtaW46YWRtaW4="
{
std::string configuration = R"(
{
"credentials":[ "admin:admin", "YWRtaW46YWRtaW4=" ]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
// a consumer credential cannot be mapped to two name
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "admin:admin", "name" : "consumer1"},
{"credential" : "YWRtaW46YWRtaW4=", "name" : "consumer2"},
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
// two consumer credentials can be mapped to the same name
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "admin:admin", "name" : "consumer"},
{"credential" : "admin2:admin2", "name" : "consumer"}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureCredentialsWithConsumers) {
std::string configuration = R"(
{
"_rules_" : [
{
"_match_route_" : ["route-1"],
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"}
],
"credentials" : ["ok:test", "admin:admin", "admin2:admin2"]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
TEST_F(BasicAuthTest, RuleAllow) {
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":[ "test", "config" ],
"credentials":[ "ok:test", "admin2:admin2", "YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin:admin"]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "config";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "nope";
authority_ = "www.example.com:8080";
cred_ = "admin:admin";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, RuleWithConsumerAllow) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin2:admin2", "name" : "consumer2"},
{"credential" : "YWRtaW4zOmFkbWluMw==", "name" : "consumer3"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test", "config"],
"allow" : [ "consumer_ok", "consumer2", "consumer3"]
},
{
"_match_domain_" : ["test.com", "*.example.com"],
"allow" : [ "consumer" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "config";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "nope";
authority_ = "www.example.com:8080";
cred_ = "admin:admin";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, RuleWithEncryptedConsumerAllow) {
std::string configuration = R"(
{
"encrypted": true,
"consumers" : [
{"credential" : "myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC", "name": "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test_allow"],
"allow" : [ "consumer"]
},
{
"_match_route_" : ["test_deny"],
"allow" : []
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test_allow";
cred_ = "myName:myPassword";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "test_deny";
cred_ = "abc:123";
authorization_header_ = "";
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, RuleDeny) {
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_":[ "test.com", "example.*" ],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
authority_ = "example.com";
cred_ = "wrong-cred";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "example.com";
cred_ = "admin2:admin2";
authorization_header_ = Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, RuleWithConsumerDeny) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_domain_" : ["test.com", "*.example.com"],
"allow" : [ "consumer" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
authority_ = "www.example.com";
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "www.example.com";
cred_ = "admin:admin";
authorization_header_ = Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, GlobalAllow) {
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ],
"_rules_": [
{
"_match_route_":[ "test", "config" ],
"credentials":[ "admin3:admin3", "YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin4:admin4"]
},
{
"_match_route_":["crypt"],
"credentials": ["myName:rqXexS6ZhobKA"],
"encrypted": true
},
{
"_match_route_":["bcrypt"],
"credentials": ["myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC"],
"encrypted": true
},
{
"_match_route_":["apr1"],
"credentials": ["myName:$apr1$EXfBN1bF$nuywSFTnPTcqbH5z4x6IG/"],
"encrypted": true
},
{
"_match_route_":["plain"],
"credentials": ["myName:{PLAIN}myPassword"],
"encrypted": true
},
{
"_match_route_":["sha"],
"credentials": ["myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE="],
"encrypted": true
},
{
"_match_route_":["ssha"],
"credentials": ["myName:{SSHA}98JUfJee5Wb13m5683sLku40P3Y2VjNX"],
"encrypted": true
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "test.com";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "test";
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "";
authorization_header_ = "";
cred_ = "myName:myPassword";
route_name_ = "crypt";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "bcrypt";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "apr1";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "plain";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "sha";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "ssha";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, GlobalWithConsumerAllow) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin2:admin2", "name" : "consumer2"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test", "config"],
"consumers" : [
{"credential" : "admin3:admin3", "name" : "consumer3"},
{"credential" : "YWRtaW41OmFkbWluNQ==", "name" : "consumer5"}
]
},
{
"_match_domain_" : ["test.com", "*.example.com"],
"consumers" : [
{"credential" : "admin4:admin4", "name" : "consumer4"}
]
},
{
"_match_route_" : ["crypt"],
"encrypted" : true,
"consumers" : [
{"credential" : "myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC", "name": "consumer crypt"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "test.com";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "test";
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authorization_header_ = "";
authority_ = "";
route_name_ = "crypt";
cred_ = "myName:myPassword";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, GlobalDeny) {
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ],
"_rules_": [
{
"_match_route_":[ "test", "config" ],
"credentials":[ "admin3:admin3", "YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin4:admin4"]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "wrong-cred";
route_name_ = "config";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "www.example.com";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
route_name_ = "config";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, GlobalWithConsumerDeny) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin2:admin2", "name" : "consumer2"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test", "config"],
"consumers" : [
{"credential" : "admin3:admin3", "name" : "consumer3"},
{"credential" : "YWRtaW41OmFkbWluNQ==", "name" : "consumer5"}
]
},
{
"_match_domain_" : ["test.com", "*.example.com"],
"consumers" : [
{"credential" : "admin4:admin4", "name" : "consumer4"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "wrong-cred";
route_name_ = "config";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "www.example.com";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
route_name_ = "config";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
} // namespace basic_auth
} // namespace null_plugin
} // namespace proxy_wasm

57
plugins/wasm-cpp/extensions/bot_detect/BUILD Normal file
View File

@@ -0,0 +1,57 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "bot_detect.wasm",
srcs = [
"plugin.cc",
"plugin.h",
],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
"//common:regex_util",
"//common:rule_util",
],
)
cc_library(
name = "bot_detect_lib",
srcs = [
"plugin.cc",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_google_absl//absl/strings",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util",
"//common:regex_util",
"//common:rule_util",
],
)
cc_test(
name = "bot_detect_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":bot_detect_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "bot_detect",
wasm_file = ":bot_detect.wasm",
)

188
plugins/wasm-cpp/extensions/bot_detect/plugin.cc Normal file
View File

@@ -0,0 +1,188 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/bot_detect/plugin.h"
#include <array>
#include <memory>
#include <stdexcept>
#include <string_view>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_join.h"
#include "absl/strings/str_split.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace bot_detect {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
static RegisterContextFactory register_BotDetect(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
static std::array<std::string, 6> default_bot_regex = {
R"(/((?:Ant-)?Nutch|[A-z]+[Bb]ot|[A-z]+[Ss]pider|Axtaris|fetchurl|Isara|ShopSalad|Tailsweep)[ \-](\d+)(?:\.(\d+)(?:\.(\d+))?)?)",
R"((?:\/[A-Za-z0-9\.]+|) {0,5}([A-Za-z0-9 \-_\!\[\]:]{0,50}(?:[Aa]rchiver|[Ii]ndexer|[Ss]craper|[Bb]ot|[Ss]pider|[Cc]rawl[a-z]{0,50}))[/ ](\d+)(?:\.(\d+)(?:\.(\d+)|)|))",
R"((?:\/[A-Za-z0-9\.]+|) {0,5}([A-Za-z0-9 \-_\!\[\]:]{0,50}(?:[Aa]rchiver|[Ii]ndexer|[Ss]craper|[Bb]ot|[Ss]pider|[Cc]rawl[a-z]{0,50})) (\d+)(?:\.(\d+)(?:\.(\d+)|)|))",
R"(((?:[A-z0-9]{1,50}|[A-z\-]{1,50} ?|)(?: the |)(?:[Ss][Pp][Ii][Dd][Ee][Rr]|[Ss]crape|[Cc][Rr][Aa][Ww][Ll])[A-z0-9]{0,50})(?:(?:[ /]| v)(\d+)(?:\.(\d+)|)(?:\.(\d+)|)|))",
R"(\b(008|Altresium|Argus|BaiduMobaider|BoardReader|DNSGroup|DataparkSearch|EDI|Goodzer|Grub|INGRID|Infohelfer|LinkedInBot|LOOQ|Nutch|OgScrper|PathDefender|Peew|PostPost|Steeler|Twitterbot|VSE|WebCrunch|WebZIP|Y!J-BR[A-Z]|YahooSeeker|envolk|sproose|wminer)/(\d+)(?:\.(\d+)|)(?:\.(\d+)|))",
R"((CSimpleSpider|Cityreview Robot|CrawlDaddy|CrawlFire|Finderbots|Index crawler|Job Roboter|KiwiStatus Spider|Lijit Crawler|QuerySeekerSpider|ScollSpider|Trends Crawler|USyd-NLP-Spider|SiteCat Webbot|BotName\/\$BotVersion|123metaspider-Bot|1470\.net crawler|50\.nu|8bo Crawler Bot|Aboundex|Accoona-[A-z]{1,30}-Agent|AdsBot-Google(?:-[a-z]{1,30}|)|altavista|AppEngine-Google|archive.{0,30}\.org_bot|archiver|Ask Jeeves|[Bb]ai[Dd]u[Ss]pider(?:-[A-Za-z]{1,30})(?:-[A-Za-z]{1,30}|)|bingbot|BingPreview|blitzbot|BlogBridge|Bloglovin|BoardReader Blog Indexer|BoardReader Favicon Fetcher|boitho.com-dc|BotSeer|BUbiNG|\b\w{0,30}favicon\w{0,30}\b|\bYeti(?:-[a-z]{1,30}|)|Catchpoint(?: bot|)|[Cc]harlotte|Checklinks|clumboot|Comodo HTTP\(S\) Crawler|Comodo-Webinspector-Crawler|ConveraCrawler|CRAWL-E|CrawlConvera|Daumoa(?:-feedfetcher|)|Feed Seeker Bot|Feedbin|findlinks|Flamingo_SearchEngine|FollowSite Bot|furlbot|Genieo|gigabot|GomezAgent|gonzo1|(?:[a-zA-Z]{1,30}-|)Googlebot(?:-[a-zA-Z]{1,30}|)|Google SketchUp|grub-client|gsa-crawler|heritrix|HiddenMarket|holmes|HooWWWer|htdig|ia_archiver|ICC-Crawler|Icarus6j|ichiro(?:/mobile|)|IconSurf|IlTrovatore(?:-Setaccio|)|InfuzApp|Innovazion Crawler|InternetArchive|IP2[a-z]{1,30}Bot|jbot\b|KaloogaBot|Kraken|Kurzor|larbin|LEIA|LesnikBot|Linguee Bot|LinkAider|LinkedInBot|Lite Bot|Llaut|lycos|Mail\.RU_Bot|masscan|masidani_bot|Mediapartners-Google|Microsoft .{0,30} Bot|mogimogi|mozDex|MJ12bot|msnbot(?:-media {0,2}|)|msrbot|Mtps Feed Aggregation System|netresearch|Netvibes|NewsGator[^/]{0,30}|^NING|Nutch[^/]{0,30}|Nymesis|ObjectsSearch|OgScrper|Orbiter|OOZBOT|PagePeeker|PagesInventory|PaxleFramework|Peeplo Screenshot Bot|PlantyNet_WebRobot|Pompos|Qwantify|Read%20Later|Reaper|RedCarpet|Retreiver|Riddler|Rival IQ|scooter|Scrapy|Scrubby|searchsight|seekbot|semanticdiscovery|SemrushBot|Simpy|SimplePie|SEOstats|SimpleRSS|SiteCon|Slackbot-LinkExpanding|Slack-ImgProxy|Slurp|snappy|Speedy Spider|Squrl Java|Stringer|TheUsefulbot|ThumbShotsBot|Thumbshots\.ru|Tiny Tiny RSS|Twitterbot|WhatsApp|URL2PNG|Vagabondo|VoilaBot|^vortex|Votay bot|^voyager|WASALive.Bot|Web-sniffer|WebThumb|WeSEE:[A-z]{1,30}|WhatWeb|WIRE|WordPress|Wotbox|www\.almaden\.ibm\.com|Xenu(?:.s|) Link Sleuth|Xerka [A-z]{1,30}Bot|yacy(?:bot|)|YahooSeeker|Yahoo! Slurp|Yandex\w{1,30}|YodaoBot(?:-[A-z]{1,30}|)|YottaaMonitor|Yowedo|^Zao|^Zao-Crawler|ZeBot_www\.ze\.bz|ZooShot|ZyBorg)(?:[ /]v?(\d+)(?:\.(\d+)(?:\.(\d+)|)|)|))",
};
bool PluginRootContext::parsePluginConfig(const json& configuration,
BotDetectConfigRule& rule) {
auto it = configuration.find("blocked_code");
if (it != configuration.end()) {
auto blocked_code = JsonValueAs<int64_t>(it.value());
if (blocked_code.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse status code");
return false;
}
rule.blocked_code = blocked_code.first.value();
}
it = configuration.find("blocked_message");
if (it != configuration.end()) {
auto blocked_message = JsonValueAs<std::string>(it.value());
if (blocked_message.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse blocked_message");
return false;
}
rule.blocked_message = blocked_message.first.value();
}
if (!JsonArrayIterate(configuration, "allow", [&](const json& item) -> bool {
auto regex = JsonValueAs<std::string>(item);
if (regex.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse allow");
return false;
}
try {
rule.allow.push_back(
std::make_unique<ReMatcher>(regex.first.value()));
} catch (const std::runtime_error& e) {
LOG_WARN(e.what());
return false;
}
return true;
})) {
LOG_WARN("failed to parse configuration for allow.");
return false;
}
if (!JsonArrayIterate(configuration, "deny", [&](const json& item) -> bool {
auto regex = JsonValueAs<std::string>(item);
if (regex.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse deny");
return false;
}
try {
rule.deny.push_back(std::make_unique<ReMatcher>(regex.first.value()));
} catch (const std::runtime_error& e) {
LOG_WARN(e.what());
return false;
}
return true;
})) {
LOG_WARN("failed to parse configuration for deny.");
return false;
}
return true;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
if (size == 0) {
// support empty config
setEmptyGlobalConfig();
}
for (auto& regex : default_bot_regex) {
default_matchers_.push_back(std::make_unique<ReMatcher>(regex, false));
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result.has_value()) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
bool PluginRootContext::checkHeader(const BotDetectConfigRule& rule) {
GET_HEADER_VIEW(Wasm::Common::Http::Header::UserAgent, user_agent);
for (const auto& matcher : rule.allow) {
if (matcher->match(user_agent)) {
LOG_DEBUG("bot detected by allow rule");
return true;
}
}
for (const auto& matcher : rule.deny) {
if (matcher->match(user_agent)) {
LOG_DEBUG("bot detected by deny rule");
sendLocalResponse(rule.blocked_code, "", rule.blocked_message, {});
return false;
}
}
for (const auto& matcher : default_matchers_) {
if (matcher->match(user_agent)) {
LOG_DEBUG("bot detected by default rule");
sendLocalResponse(rule.blocked_code, "", rule.blocked_message, {});
return false;
}
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->checkRule([rootCtx](const auto& config) {
return rootCtx->checkHeader(config);
})
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
#ifdef NULL_PLUGIN
} // namespace bot_detect
} // namespace null_plugin
} // namespace proxy_wasm
#endif

88
plugins/wasm-cpp/extensions/bot_detect/plugin.h Normal file
View File

@@ -0,0 +1,88 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_map>
#include "common/http_util.h"
#include "common/regex.h"
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace bot_detect {
#endif
using ReMatcher = Wasm::Common::Regex::CompiledGoogleReMatcher;
using ReMatcherPtr = std::unique_ptr<ReMatcher>;
struct BotDetectConfigRule {
int blocked_code = 403;
std::string blocked_message;
std::vector<ReMatcherPtr> allow;
std::vector<ReMatcherPtr> deny;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<BotDetectConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkHeader(const BotDetectConfigRule&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, BotDetectConfigRule&) override;
std::vector<ReMatcherPtr> default_matchers_;
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace bot_detect
} // namespace null_plugin
} // namespace proxy_wasm
#endif

178
plugins/wasm-cpp/extensions/bot_detect/plugin_test.cc Normal file
View File

@@ -0,0 +1,178 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/bot_detect/plugin.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace bot_detect {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_bot_detect_plugin("bot_detect", []() {
return std::make_unique<NullPlugin>(bot_detect::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, getHeaderMapPairs, (WasmHeaderMapType, Pairs*));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class BotDetectTest : public ::testing::Test {
protected:
BotDetectTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("bot_detect");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == "user-agent") {
*result = user_agent_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~BotDetectTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string authority_;
std::string route_name_;
std::string user_agent_;
};
TEST_F(BotDetectTest, UseDefault) {
std::string configuration = R"(
{
"blocked_code": 404
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->onConfigure(configuration.size()));
user_agent_ = "BaiduMobaider/1.1.0";
EXPECT_CALL(*mock_context_, sendLocalResponse(404, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
user_agent_ = "Go-client";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BotDetectTest, UseAllowAndDeny) {
std::string configuration = R"(
{
"blocked_code": 404,
"allow": ["BaiduMobaider.*"],
"deny": ["Go-client"]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->onConfigure(configuration.size()));
user_agent_ = "BaiduMobaider/1.1.0";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
user_agent_ = "Go-client";
EXPECT_CALL(*mock_context_, sendLocalResponse(404, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BotDetectTest, UseEmptyConfig) {
std::string configuration = R"()";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_TRUE(root_context_->onConfigure(configuration.size()));
user_agent_ = "BaiduMobaider/1.1.0";
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
user_agent_ = "Go-client";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
} // namespace bot_detect
} // namespace null_plugin
} // namespace proxy_wasm

55
plugins/wasm-cpp/extensions/custom_response/BUILD Normal file
View File

@@ -0,0 +1,55 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "custom_response.wasm",
srcs = [
"plugin.cc",
"plugin.h",
],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
"//common:rule_util",
],
)
cc_library(
name = "custom_response_lib",
srcs = [
"plugin.cc",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_google_absl//absl/strings",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util_nullvm",
"//common:rule_util_nullvm",
],
)
cc_test(
name = "custom_response_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":custom_response_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "custom_response",
wasm_file = ":custom_response.wasm",
)

194
plugins/wasm-cpp/extensions/custom_response/plugin.cc Normal file
View File

@@ -0,0 +1,194 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/custom_response/plugin.h"
#include <array>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace custom_response {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
static RegisterContextFactory register_CustomResponse(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
bool PluginRootContext::parsePluginConfig(const json& configuration,
CustomResponseConfigRule& rule) {
if (!JsonArrayIterate(
configuration, "enable_on_status", [&](const json& item) -> bool {
auto status = JsonValueAs<int64_t>(item);
if (status.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse enable_on_status");
return false;
}
rule.enable_on_status.push_back(
std::to_string(status.first.value()));
return true;
})) {
LOG_WARN("failed to parse configuration for enable_on_status.");
return false;
}
bool has_content_type = false;
if (!JsonArrayIterate(
configuration, "headers", [&](const json& item) -> bool {
auto header = JsonValueAs<std::string>(item);
if (header.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse header");
return false;
}
std::vector<std::string> pair =
absl::StrSplit(header.first.value(), absl::MaxSplits("=", 2));
if (pair.size() != 2) {
LOG_WARN("invalid header pair format");
}
if (absl::AsciiStrToLower(pair[0]) ==
Wasm::Common::Http::Header::ContentLength) {
return true;
}
if (absl::AsciiStrToLower(pair[0]) ==
Wasm::Common::Http::Header::ContentType) {
rule.content_type = pair[1];
has_content_type = true;
return true;
}
rule.headers.emplace_back(pair[0], pair[1]);
return true;
})) {
LOG_WARN("failed to parse configuration for headers.");
return false;
}
auto it = configuration.find("status_code");
if (it != configuration.end()) {
auto status_code = JsonValueAs<int64_t>(it.value());
if (status_code.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse status code");
return false;
}
rule.status_code = status_code.first.value();
}
it = configuration.find("body");
if (it != configuration.end()) {
auto body_string = JsonValueAs<std::string>(it.value());
if (body_string.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse body");
return false;
}
rule.body = body_string.first.value();
}
if (!rule.body.empty() && !has_content_type) {
auto try_decode_json = Wasm::Common::JsonParse(rule.body);
if (try_decode_json.has_value()) {
rule.content_type = "application/json; charset=utf-8";
// rule.headers.emplace_back(Wasm::Common::Http::Header::ContentType,
// "application/json; charset=utf-8");
} else {
rule.content_type = "text/plain; charset=utf-8";
// rule.headers.emplace_back(Wasm::Common::Http::Header::ContentType,
// "text/plain; charset=utf-8");
}
}
return true;
}
FilterHeadersStatus PluginRootContext::onRequest(
const CustomResponseConfigRule& rule) {
if (!rule.enable_on_status.empty()) {
return FilterHeadersStatus::Continue;
}
sendLocalResponse(rule.status_code, "", rule.body, rule.headers);
return FilterHeadersStatus::StopIteration;
}
FilterHeadersStatus PluginRootContext::onResponse(
const CustomResponseConfigRule& rule) {
GET_RESPONSE_HEADER_VIEW(":status", status_code);
bool hit = false;
for (const auto& status : rule.enable_on_status) {
if (status_code == status) {
hit = true;
break;
}
}
if (!hit) {
return FilterHeadersStatus::Continue;
}
replaceResponseHeader(Wasm::Common::Http::Header::ContentType,
rule.content_type);
sendLocalResponse(rule.status_code, "", rule.body, rule.headers);
return FilterHeadersStatus::StopIteration;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result.has_value()) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->onHeaders(
[rootCtx](const auto& config) { return rootCtx->onRequest(config); });
}
FilterHeadersStatus PluginContext::onResponseHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->onHeaders(
[rootCtx](const auto& config) { return rootCtx->onResponse(config); });
}
#ifdef NULL_PLUGIN
} // namespace custom_response
} // namespace null_plugin
} // namespace proxy_wasm
#endif

85
plugins/wasm-cpp/extensions/custom_response/plugin.h Normal file
View File

@@ -0,0 +1,85 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_map>
#include "common/http_util.h"
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace custom_response {
#endif
struct CustomResponseConfigRule {
std::vector<std::string> enable_on_status;
std::vector<std::pair<std::string, std::string>> headers;
std::string content_type;
int32_t status_code = 200;
std::string body;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<CustomResponseConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
FilterHeadersStatus onRequest(const CustomResponseConfigRule&);
FilterHeadersStatus onResponse(const CustomResponseConfigRule&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, CustomResponseConfigRule&) override;
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
FilterHeadersStatus onResponseHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace custom_response
} // namespace null_plugin
} // namespace proxy_wasm
#endif

186
plugins/wasm-cpp/extensions/custom_response/plugin_test.cc Normal file
View File

@@ -0,0 +1,186 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/custom_response/plugin.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace custom_response {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_custom_response_plugin(
"custom_response", []() {
return std::make_unique<NullPlugin>(custom_response::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, replaceHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view /* value */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class CustomResponseTest : public ::testing::Test {
protected:
CustomResponseTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("custom_response");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_,
replaceHeaderMapValue(WasmHeaderMapType::RequestHeaders, testing::_,
testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view key,
std::string_view value) { return WasmResult::Ok; });
ON_CALL(*mock_context_,
getHeaderMapValue(WasmHeaderMapType::ResponseHeaders, testing::_,
testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":status") {
*result = status_code_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~CustomResponseTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string authority_;
std::string route_name_;
std::string status_code_;
};
TEST_F(CustomResponseTest, EnableOnStatus) {
std::string configuration = R"(
{
"enable_on_status": [429],
"headers": ["abc=123","zty=test"],
"status_code": 233,
"body": "{\"abc\":123}"
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
status_code_ = "200";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onResponseHeaders(0, false),
FilterHeadersStatus::Continue);
status_code_ = "429";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_CALL(*mock_context_, sendLocalResponse(233, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onResponseHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(CustomResponseTest, NoGlobalRule) {
std::string configuration = R"(
{
"_rules_": [{
"_match_route_": ["test"],
"headers": ["abc=123","zty=test"],
"status_code": 233,
"body": "{\"abc\":123}"
}]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onResponseHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "test";
EXPECT_CALL(*mock_context_, sendLocalResponse(233, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
} // namespace custom_response
} // namespace null_plugin
} // namespace proxy_wasm

63
plugins/wasm-cpp/extensions/hmac_auth/BUILD Normal file
View File

@@ -0,0 +1,63 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "hmac_auth.wasm",
srcs = [
"plugin.cc",
"plugin.h",
"//common:base64.h",
],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:crypto_util",
"//common:http_util",
"//common:rule_util",
],
)
cc_library(
name = "hmac_auth_lib",
srcs = [
"plugin.cc",
"//common:base64.h",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:crypto_util",
"//common:http_util",
"//common:rule_util",
],
)
cc_test(
name = "hmac_auth_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":hmac_auth_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
linkopts = ["-lcrypt"],
)
declare_wasm_image_targets(
name = "hmac_auth",
wasm_file = ":hmac_auth.wasm",
)

509
plugins/wasm-cpp/extensions/hmac_auth/plugin.cc Normal file
View File

@@ -0,0 +1,509 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/hmac_auth/plugin.h"
#include <algorithm>
#include <array>
#include <chrono>
#include <functional>
#include <optional>
#include <string_view>
#include <utility>
#include <valarray>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_format.h"
#include "absl/strings/str_replace.h"
#include "absl/strings/str_split.h"
#include "common/base64.h"
#include "common/crypto_util.h"
#include "common/http_util.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace hmac_auth {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
static RegisterContextFactory register_HmacAuth(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
static constexpr std::string_view CA_KEY = "x-ca-key";
static constexpr std::string_view CA_SIGNATURE_METHOD = "x-ca-signature-method";
static constexpr std::string_view CA_SIGNATURE_HEADERS =
"x-ca-signature-headers";
static constexpr std::string_view CA_SIGNATURE = "x-ca-signature";
static constexpr std::string_view CA_ERRMSG = "x-ca-error-message";
static constexpr std::string_view CA_TIMESTAMP = "x-ca-timestamp";
static constexpr size_t MILLISEC_MIN_LENGTH = 13;
static constexpr std::array<std::string_view, 5> CHECK_HEADERS{
Wasm::Common::Http::Header::Method,
Wasm::Common::Http::Header::Accept,
Wasm::Common::Http::Header::ContentMD5,
Wasm::Common::Http::Header::ContentType,
Wasm::Common::Http::Header::Date,
};
static constexpr size_t MAX_BODY_SIZE = 32 * 1024 * 1024;
static constexpr int64_t NANO_SECONDS = 1000 * 1000 * 1000;
namespace {
void deniedInvalidCaKey() {
sendLocalResponse(401, "Invalid Key", "Invalid Key", {});
}
void deniedNoSignature() {
sendLocalResponse(401, "Empty Signature", "Empty Signature", {});
}
void deniedUnauthorizedConsumer() {
sendLocalResponse(403, "Unauthorized Consumer", "Unauthorized Consumer", {});
}
void deniedInvalidCredentials(const std::string& errmsg) {
sendLocalResponse(400, "Invalid Signature", "Invalid Signature",
{{std::string(CA_ERRMSG), errmsg}});
}
void deniedInvalidContentMD5() {
sendLocalResponse(400, "Invalid Content-MD5", "Invalid Content-MD5", {});
}
void deniedInvalidDate() {
sendLocalResponse(400, "Invalid Date", "Invalid Date", {});
}
void deniedBodyTooLarge() {
sendLocalResponse(413, "Request Body Too Large", "Request Body Too Large",
{});
}
std::string getStringToSign() {
std::string message;
for (const auto& header : CHECK_HEADERS) {
auto header_value = getRequestHeader(header)->toString();
absl::StrAppendFormat(&message, "%s\n", header_value);
}
auto dynamic_check_headers =
getRequestHeader(CA_SIGNATURE_HEADERS)->toString();
std::vector<std::string> header_arr;
for (const auto& header : absl::StrSplit(dynamic_check_headers, ",")) {
auto lower_header = absl::AsciiStrToLower(header);
if (lower_header == CA_SIGNATURE || lower_header == CA_SIGNATURE_HEADERS) {
continue;
}
bool is_static = false;
for (const auto& h : CHECK_HEADERS) {
if (h == lower_header) {
is_static = true;
break;
}
}
if (!is_static) {
header_arr.push_back(std::move(lower_header));
}
}
std::sort(header_arr.begin(), header_arr.end());
for (const auto& header : header_arr) {
auto header_value = getRequestHeader(header)->toString();
absl::StrAppendFormat(&message, "%s:%s\n", header, header_value);
}
return message;
}
void getStringToSignWithParam(
std::string* str_to_sign, const std::string& path,
std::optional<std::reference_wrapper<Wasm::Common::Http::QueryParams>>
body_params) {
// need alphabetical order
auto params =
Wasm::Common::Http::parseAndDecodeQueryString(std::string(path));
if (body_params) {
for (auto&& param : body_params.value().get()) {
params.emplace(param);
}
}
auto url_path = path.substr(0, path.find('?'));
absl::StrAppend(str_to_sign, url_path);
if (params.empty()) {
return;
}
str_to_sign->append("?");
auto it = params.begin();
for (; it != std::prev(params.end()); it++) {
absl::StrAppendFormat(str_to_sign, "%s=%s&", it->first, it->second);
}
absl::StrAppendFormat(str_to_sign, "%s=%s", it->first, it->second);
return;
}
} // namespace
bool PluginRootContext::parsePluginConfig(const json& configuration,
HmacAuthConfigRule& rule) {
if ((configuration.find("consumers") != configuration.end()) &&
(configuration.find("credentials") != configuration.end())) {
LOG_WARN(
"The consumers field and the credentials field cannot appear at the "
"same level");
return false;
}
if (!JsonArrayIterate(
configuration, "credentials", [&](const json& credential) -> bool {
auto item = credential.find("key");
if (item == credential.end()) {
LOG_WARN("can't find 'key' field in credential.");
return false;
}
auto key = JsonValueAs<std::string>(item.value());
if (key.second != Wasm::Common::JsonParserResultDetail::OK ||
!key.first) {
return false;
}
item = credential.find("secret");
if (item == credential.end()) {
LOG_WARN("can't find 'secret' field in credential.");
return false;
}
auto secret = JsonValueAs<std::string>(item.value());
if (secret.second != Wasm::Common::JsonParserResultDetail::OK ||
!secret.first) {
return false;
}
auto result = rule.credentials.emplace(
std::make_pair(key.first.value(), secret.first.value()));
if (!result.second) {
LOG_WARN(absl::StrCat("duplicate credential key: ",
key.first.value()));
return false;
}
return true;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
auto item = consumer.find("key");
if (item == consumer.end()) {
LOG_WARN("can't find 'key' field in consumer.");
return false;
}
auto key = JsonValueAs<std::string>(item.value());
if (key.second != Wasm::Common::JsonParserResultDetail::OK ||
!key.first) {
return false;
}
item = consumer.find("secret");
if (item == consumer.end()) {
LOG_WARN("can't find 'secret' field in consumer.");
return false;
}
auto secret = JsonValueAs<std::string>(item.value());
if (secret.second != Wasm::Common::JsonParserResultDetail::OK ||
!secret.first) {
return false;
}
item = consumer.find("name");
if (item == consumer.end()) {
LOG_WARN("can't find 'name' field in consumer.");
return false;
}
auto name = JsonValueAs<std::string>(item.value());
if (name.second != Wasm::Common::JsonParserResultDetail::OK ||
!name.first) {
return false;
}
if (rule.credentials.find(key.first.value()) !=
rule.credentials.end()) {
LOG_WARN(
absl::StrCat("duplicate consumer key: ", key.first.value()));
return false;
}
rule.credentials.emplace(
std::make_pair(key.first.value(), secret.first.value()));
rule.key_to_name.emplace(
std::make_pair(key.first.value(), name.first.value()));
return true;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (rule.credentials.empty()) {
LOG_INFO("at least one credential has to be configured for a rule.");
return false;
}
auto it = configuration.find("date_offset");
if (it != configuration.end()) {
auto date_offset = JsonValueAs<int64_t>(it.value());
if (date_offset.second != Wasm::Common::JsonParserResultDetail::OK ||
!date_offset.first) {
LOG_WARN("failed to parse 'date_offset' field in configuration.");
return false;
}
rule.date_nano_offset = date_offset.first.value() * NANO_SECONDS;
}
return true;
}
bool PluginRootContext::checkConsumer(
const std::string& ca_key, const HmacAuthConfigRule& rule,
const std::optional<std::unordered_set<std::string>>& allow_set) {
if (ca_key.empty()) {
LOG_DEBUG("empty key");
deniedInvalidCaKey();
return false;
}
auto credentials_iter = rule.credentials.find(std::string(ca_key));
if (credentials_iter == rule.credentials.end()) {
LOG_DEBUG(absl::StrCat("can't find secret through key: ", ca_key));
deniedInvalidCaKey();
return false;
}
auto key_to_name_iter = rule.key_to_name.find(std::string(ca_key));
if (key_to_name_iter != rule.key_to_name.end()) {
if (allow_set && !allow_set.value().empty()) {
if (allow_set.value().find(key_to_name_iter->second) ==
allow_set.value().end()) {
LOG_DEBUG(absl::StrCat("consumer is not allowed: ",
key_to_name_iter->second));
deniedUnauthorizedConsumer();
return false;
}
}
addRequestHeader("X-Mse-Consumer", key_to_name_iter->second);
}
return true;
}
bool PluginRootContext::checkPlugin(
const std::string& ca_key, const std::string& signature,
const std::string& signature_method, const std::string& path,
const std::string& date, bool is_timetamp, std::string* sts,
const HmacAuthConfigRule& rule,
std::optional<std::reference_wrapper<Wasm::Common::Http::QueryParams>>
body_params) {
if (ca_key.empty()) {
LOG_DEBUG("empty key");
deniedInvalidCaKey();
return false;
}
if (signature.empty()) {
LOG_DEBUG("empty signature");
deniedNoSignature();
return false;
}
int64_t time_offset = 0;
if (rule.date_nano_offset > 0) {
auto current_time = getCurrentTimeNanoseconds();
if (!is_timetamp) {
auto time_from_date = Wasm::Common::Http::httpTime(date);
if (!Wasm::Common::Http::timePointValid(time_from_date)) {
LOG_DEBUG(absl::StrFormat("invalid date format: %s", date));
deniedInvalidDate();
return false;
}
time_offset = std::abs(
(long long)(std::chrono::duration_cast<std::chrono::nanoseconds>(
time_from_date.time_since_epoch())
.count() -
current_time));
} else {
int64_t timestamp;
if (!absl::SimpleAtoi(date, &timestamp)) {
LOG_DEBUG(absl::StrFormat("invalid timestamp format: %s", date));
deniedInvalidDate();
return false;
}
time_offset = std::abs((long long)(timestamp - current_time));
// milliseconds to nanoseconds
time_offset *= 1e6;
// seconds
if (date.size() < MILLISEC_MIN_LENGTH) {
time_offset *= 1e3;
}
}
if (time_offset > rule.date_nano_offset) {
LOG_DEBUG(absl::StrFormat("date expired, offset is: %u",
time_offset / NANO_SECONDS));
deniedInvalidDate();
return false;
}
}
std::string hash_type{"sha256"};
if (signature_method == "HmacSHA1") {
hash_type = "sha1";
}
auto credentials_iter = rule.credentials.find(std::string(ca_key));
if (credentials_iter == rule.credentials.end()) {
LOG_DEBUG(absl::StrCat("can't find secret through key: ", ca_key));
deniedInvalidCaKey();
return false;
}
const auto& secret = credentials_iter->second;
getStringToSignWithParam(sts, path, body_params);
const auto& str_to_sign = *sts;
auto hmac =
Wasm::Common::Crypto::getShaHmacBase64(hash_type, secret, str_to_sign);
if (hmac != signature) {
auto tip = absl::StrReplaceAll(str_to_sign, {{"\n", "#"}});
LOG_DEBUG(absl::StrCat("invalid signature, stringToSign: ", tip,
" signature: ", hmac));
deniedInvalidCredentials(absl::StrFormat("Server StringToSign:`%s`", tip));
return false;
}
return true;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseAuthRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
ca_key_ = getRequestHeader(CA_KEY)->toString();
signature_ = getRequestHeader(CA_SIGNATURE)->toString();
signature_method_ = getRequestHeader(CA_SIGNATURE_METHOD)->toString();
path_ = getRequestHeader(Wasm::Common::Http::Header::Path)->toString();
date_ = getRequestHeader(Wasm::Common::Http::Header::Date)->toString();
str_to_sign_ = getStringToSign();
body_md5_ =
getRequestHeader(Wasm::Common::Http::Header::ContentMD5)->toString();
GET_HEADER_VIEW(Wasm::Common::Http::Header::ContentType, content_type);
if (date_.empty()) {
date_ = getRequestHeader(CA_TIMESTAMP)->toString();
is_timestamp_ = true;
}
auto* rootCtx = rootContext();
auto config = rootCtx->getMatchAuthConfig();
config_ = config.first;
if (!config_) {
return FilterHeadersStatus::Continue;
}
allow_set_ = config.second;
// check if ca_key present in config and it's consumer_name is allowed
if (!rootCtx->checkConsumer(ca_key_, config_.value(), allow_set_)) {
return FilterHeadersStatus::StopIteration;
}
if (absl::StrContains(absl::AsciiStrToLower(content_type),
"application/x-www-form-urlencoded")) {
check_body_params_ = true;
return FilterHeadersStatus::Continue;
}
return rootCtx->checkPlugin(ca_key_, signature_, signature_method_, path_,
date_, is_timestamp_, &str_to_sign_,
config_.value(), std::nullopt)
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
FilterDataStatus PluginContext::onRequestBody(size_t body_size,
bool end_stream) {
if (!config_) {
return FilterDataStatus::Continue;
}
if (body_md5_.empty() && !check_body_params_) {
return FilterDataStatus::Continue;
}
body_total_size_ += body_size;
if (body_total_size_ > MAX_BODY_SIZE) {
LOG_DEBUG("body_size is too large");
deniedBodyTooLarge();
return FilterDataStatus::StopIterationNoBuffer;
}
if (!end_stream) {
return FilterDataStatus::StopIterationAndBuffer;
}
auto body =
getBufferBytes(WasmBufferType::HttpRequestBody, 0, body_total_size_);
LOG_DEBUG("body: " + body->toString());
if (!body_md5_.empty()) {
if (body->size() == 0) {
LOG_DEBUG("got empty body");
deniedInvalidContentMD5();
return FilterDataStatus::StopIterationNoBuffer;
}
auto md5 = Wasm::Common::Crypto::getMD5Base64(body->view());
if (md5 != body_md5_) {
LOG_DEBUG(
absl::StrFormat("body md5 expect: %s, actual: %s", body_md5_, md5));
deniedInvalidContentMD5();
return FilterDataStatus::StopIterationNoBuffer;
}
}
if (check_body_params_) {
auto body_params = Wasm::Common::Http::parseFromBody(body->view());
auto* rootCtx = rootContext();
return rootCtx->checkPlugin(ca_key_, signature_, signature_method_, path_,
date_, is_timestamp_, &str_to_sign_,
config_.value(), body_params)
? FilterDataStatus::Continue
: FilterDataStatus::StopIterationNoBuffer;
}
return FilterDataStatus::Continue;
}
#ifdef NULL_PLUGIN
} // namespace hmac_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

105
plugins/wasm-cpp/extensions/hmac_auth/plugin.h Normal file
View File

@@ -0,0 +1,105 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <cstdint>
#include <functional>
#include <optional>
#include <string>
#include <unordered_map>
#include "common/http_util.h"
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace hmac_auth {
#endif
struct HmacAuthConfigRule {
std::unordered_map<std::string, std::string> credentials;
std::unordered_map<std::string, std::string> key_to_name;
int64_t date_nano_offset = -1;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<HmacAuthConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkPlugin(
const std::string& ca_key, const std::string& signature,
const std::string& signature_method, const std::string& path,
const std::string& date, bool is_timestamp, std::string* sts,
const HmacAuthConfigRule&,
std::optional<std::reference_wrapper<Wasm::Common::Http::QueryParams>>);
bool checkConsumer(const std::string&, const HmacAuthConfigRule&,
const std::optional<std::unordered_set<std::string>>&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, HmacAuthConfigRule&) override;
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
FilterDataStatus onRequestBody(size_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
std::string ca_key_;
std::string signature_;
std::string signature_method_;
std::string path_;
std::string date_;
std::string str_to_sign_;
std::string body_md5_;
bool is_timestamp_ = false;
std::optional<std::reference_wrapper<HmacAuthConfigRule>> config_;
std::optional<std::unordered_set<std::string>> allow_set_;
bool check_body_params_ = false;
size_t body_total_size_ = 0;
};
#ifdef NULL_PLUGIN
} // namespace hmac_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

599
plugins/wasm-cpp/extensions/hmac_auth/plugin_test.cc Normal file
View File

@@ -0,0 +1,599 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/hmac_auth/plugin.h"
#include <cstdint>
#include <optional>
#include "common/base64.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace hmac_auth {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_hmac_auth_plugin("hmac_auth", []() {
return std::make_unique<NullPlugin>(hmac_auth::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, addHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view /* value */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(uint64_t, getCurrentTimeNanoseconds, ());
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class HmacAuthTest : public ::testing::Test {
protected:
HmacAuthTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("hmac_auth");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
auto it = headers_.find(std::string(header));
if (it == headers_.end()) {
std::cerr << header << " not found.\n";
return WasmResult::NotFound;
}
*result = it->second;
return WasmResult::Ok;
});
ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view key,
std::string_view value) { return WasmResult::Ok; });
ON_CALL(*mock_context_, getBuffer(testing::_))
.WillByDefault([&](WasmBufferType type) {
if (type == WasmBufferType::HttpRequestBody) {
return &body_;
}
return &config_;
});
ON_CALL(*mock_context_, getCurrentTimeNanoseconds()).WillByDefault([&]() {
return current_time_;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~HmacAuthTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::map<std::string, std::string> headers_;
std::string route_name_;
BufferBase body_;
BufferBase config_;
uint64_t current_time_;
};
TEST_F(HmacAuthTest, Sign) {
headers_ = {
{":path",
"/http2test/test?param1=test&username=xiaoming&password=123456789"},
{":method", "POST"},
{"accept", "application/json; charset=utf-8"},
{"ca_version", "1"},
{"content-type", "application/x-www-form-urlencoded; charset=utf-8"},
{"x-ca-timestamp", "1525872629832"},
{"date", "Wed, 09 May 2018 13:30:29 GMT+00:00"},
{"user-agent", "ALIYUN-ANDROID-DEMO"},
{"x-ca-nonce", "c9f15cbf-f4ac-4a6c-b54d-f51abf4b5b44"},
{"content-length", "33"},
{"username", "xiaoming&password=123456789"},
{"x-ca-key", "203753385"},
{"x-ca-signature-method", "HmacSHA256"},
{"x-ca-signature", "xfX+bZxY2yl7EB/qdoDy9v/uscw3Nnj1pgoU+Bm6xdM="},
{"x-ca-signature-headers",
"x-ca-timestamp,x-ca-key,x-ca-nonce,x-ca-signature-method"},
};
// auto actual = root_context_->getStringToSign(
// "/http2test/test?param1=test&username=xiaoming&password=123456789",
// std::nullopt);
// EXPECT_EQ(actual, R"(POST
// application/json; charset=utf-8
// application/x-www-form-urlencoded; charset=utf-8
// Wed, 09 May 2018 13:30:29 GMT+00:00
// x-ca-key:203753385
// x-ca-nonce:c9f15cbf-f4ac-4a6c-b54d-f51abf4b5b44
// x-ca-signature-method:HmacSHA256
// x-ca-timestamp:1525872629832
// /http2test/test?param1=test&password=123456789&username=xiaoming)");
headers_ = {
{":path", "/Third/Tools/checkSign"},
{":method", "GET"},
{"accept", "application/json"},
{"content-type", "application/json"},
{"x-ca-timestamp", "1646365291734"},
{"x-ca-nonce", "787dd0c2-7bd8-41cd-9c19-62c05ea524a2"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "EdJSFAMOWyXZOpXhevZnjuS0ZafnwnCqaSk5hz+tXo8="},
};
HmacAuthConfigRule rule;
rule.credentials = {{"appKey", "appSecret"}};
// EXPECT_EQ(root_context_->checkPlugin(rule, std::nullopt), true);
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":["test"],
"credentials":[
{"key": "appKey", "secret": "appSecret"}
]
}
]
})";
route_name_ = "test";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(HmacAuthTest, SignWithConsumer) {
headers_ = {
{":path", "/Third/Tools/checkSign"},
{":method", "GET"},
{"accept", "application/json"},
{"content-type", "application/json"},
{"x-ca-timestamp", "1646365291734"},
{"x-ca-nonce", "787dd0c2-7bd8-41cd-9c19-62c05ea524a2"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "EdJSFAMOWyXZOpXhevZnjuS0ZafnwnCqaSk5hz+tXo8="},
};
HmacAuthConfigRule rule;
rule.credentials = {{"appKey", "appSecret"}};
// EXPECT_EQ(root_context_->checkPlugin(rule, std::nullopt), true);
std::string configuration = R"(
{
"consumers": [{"key": "appKey", "secret": "appSecret", "name": "consumer"}],
"_rules_": [
{
"_match_route_":["test"],
"allow":["consumer"]
}
]
})";
route_name_ = "test";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(HmacAuthTest, ParamInBody) {
headers_ = {
{":path", "/http2test/test?param1=test"},
{":method", "POST"},
{"accept", "application/json; charset=utf-8"},
{"ca_version", "1"},
{"content-type", "application/x-www-form-urlencoded; charset=utf-8"},
{"x-ca-timestamp", "1525872629832"},
{"date", "Wed, 09 May 2018 13:30:29 GMT+00:00"},
{"user-agent", "ALIYUN-ANDROID-DEMO"},
{"x-ca-nonce", "c9f15cbf-f4ac-4a6c-b54d-f51abf4b5b44"},
{"content-length", "33"},
{"username", "xiaoming&password=123456789"},
{"x-ca-key", "203753385"},
{"x-ca-signature-method", "HmacSHA256"},
{"x-ca-signature", "xfX+bZxY2yl7EB/qdoDy9v/uscw3Nnj1pgoU+Bm6xdM="},
{"x-ca-signature-headers",
"x-ca-timestamp,x-ca-key,x-ca-nonce,x-ca-signature-method"},
};
Wasm::Common::Http::QueryParams body_params = {{"username", "xiaoming"},
{"password", "123456789"}};
// auto actual =
// root_context_->getStringToSign("/http2test/test?param1=test",
// body_params);
// EXPECT_EQ(actual, R"(POST
// application/json; charset=utf-8
// application/x-www-form-urlencoded; charset=utf-8
// Wed, 09 May 2018 13:30:29 GMT+00:00
// x-ca-key:203753385
// x-ca-nonce:c9f15cbf-f4ac-4a6c-b54d-f51abf4b5b44
// x-ca-signature-method:HmacSHA256
// x-ca-timestamp:1525872629832
// /http2test/test?param1=test&password=123456789&username=xiaoming)");
headers_ = {
{":path", "/Third/User/getNyAccessToken"},
{":method", "POST"},
{"accept", "application/json"},
{"content-type", "application/x-www-form-urlencoded"},
{"x-ca-timestamp", "1646646682418"},
{"x-ca-nonce", "ca5a6753-b76c-4fff-a9d9-e5bb643e8cdf"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "gmf9xq0hc95Hmt+7G+OocS009ka3v1v0rvfshKzYc3w="},
};
HmacAuthConfigRule rule;
rule.credentials = {{"appKey", "appSecret"}};
body_params = {{"nickname", "nickname"},
{"room_id", "6893"},
{"uuid", "uuid"},
{"photo", "photo"}};
// EXPECT_EQ(root_context_->checkPlugin(rule, body_params), true);
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":["test"],
"credentials":[
{"key": "appKey", "secret": "appSecret"}
]
}
]
})";
route_name_ = "test";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
std::string body("nickname=nickname&room_id=6893&uuid=uuid&photo=photo");
body_.set(body);
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onRequestBody(body.size(), true),
FilterDataStatus::Continue);
}
TEST_F(HmacAuthTest, ParamInBodyWithConsumer) {
headers_ = {
{":path", "/Third/User/getNyAccessToken"},
{":method", "POST"},
{"accept", "application/json"},
{"content-type", "application/x-www-form-urlencoded"},
{"x-ca-timestamp", "1646646682418"},
{"x-ca-nonce", "ca5a6753-b76c-4fff-a9d9-e5bb643e8cdf"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "gmf9xq0hc95Hmt+7G+OocS009ka3v1v0rvfshKzYc3w="},
};
HmacAuthConfigRule rule;
rule.credentials = {{"appKey", "appSecret"}};
Wasm::Common::Http::QueryParams body_params = {{"nickname", "nickname"},
{"room_id", "6893"},
{"uuid", "uuid"},
{"photo", "photo"}};
// EXPECT_EQ(root_context_->checkPlugin(rule, body_params), true);
std::string configuration = R"(
{
"consumers": [{"key": "appKey", "secret": "appSecret", "name": "consumer"}],
"_rules_": [
{
"_match_route_":["test"],
"allow":["consumer"]
}
]
})";
route_name_ = "test";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
std::string body("nickname=nickname&room_id=6893&uuid=uuid&photo=photo");
body_.set(body);
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onRequestBody(body.size(), true),
FilterDataStatus::Continue);
}
TEST_F(HmacAuthTest, ParamInBodyWrongSignature) {
headers_ = {
{":path", "/Third/User/getNyAccessToken"},
{":method", "POST"},
{"accept", "application/json"},
{"content-type", "application/x-www-form-urlencoded"},
{"x-ca-timestamp", "1646646682418"},
{"x-ca-nonce", "ca5a6753-b76c-4fff-a9d9-e5bb643e8cdf"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "wrong"},
};
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":["test"],
"credentials":[
{"key": "appKey", "secret": "appSecret"}
]
}
]
})";
route_name_ = "test";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
std::string body("nickname=nickname&room_id=6893&uuid=uuid&photo=photo");
body_.set(body);
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_CALL(*mock_context_, sendLocalResponse(400, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestBody(body.size(), true),
FilterDataStatus::StopIterationNoBuffer);
}
TEST_F(HmacAuthTest, InvalidSecret) {
{
headers_ = {
{":path", "/Third/Tools/checkSign"},
{":method", "GET"},
{"accept", "application/json"},
{"content-type", "application/json"},
{"x-ca-timestamp", "1646365291734"},
{"x-ca-nonce", "787dd0c2-7bd8-41cd-9c19-62c05ea524a2"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "EdJSFAMOWyXZOpXhevZnjuS0ZafnwnCqaSk5hz+tXo8="},
};
std::string configuration = R"(
{
"credentials":[
{"key": "appKey", "secret": ""}
]
})";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
{
headers_ = {
{":path", "/Third/Tools/checkSign"},
{":method", "GET"},
{"accept", "application/json"},
{"content-type", "application/json"},
{"x-ca-timestamp", "1646365291734"},
{"x-ca-nonce", "787dd0c2-7bd8-41cd-9c19-62c05ea524a2"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "EdJSFAMOWyXZOpXhevZnjuS0ZafnwnCqaSk5hz+tXo8="},
};
std::string configuration = R"(
{
"consumers":[
{"key": "appKey", "secret": "", "name": "consumer1"}
]
})";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
}
TEST_F(HmacAuthTest, DuplicateKey) {
{
std::string configuration = R"(
{
"credentials":[
{"key": "appKey", "secret": ""},
{"key": "appKey", "secret": "123"}
]
})";
BufferBase buffer;
config_.set(configuration);
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
{
std::string configuration = R"(
{
"consumers":[
{"key": "appKey", "secret": "", "name": "consumer1"},
{"key": "appKey", "secret": "123", "name": "consumer2"}
]
})";
BufferBase buffer;
config_.set(configuration);
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
}
TEST_F(HmacAuthTest, BodyMD5) {
body_.set("abc");
headers_ = {{"content-md5", "kAFQmDzST7DWlj99KOF/cg=="}};
context_->onRequestHeaders(0, false);
EXPECT_EQ(context_->onRequestBody(3, true), FilterDataStatus::Continue);
headers_ = {};
context_->onRequestHeaders(0, false);
EXPECT_EQ(context_->onRequestBody(0, false), FilterDataStatus::Continue);
}
TEST_F(HmacAuthTest, DateCheck) {
std::string configuration = R"(
{
"credentials":[
{"key": "203753385", "secret": "123456"}
],
"date_offset": 3600
})";
BufferBase buffer;
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
headers_ = {
{":path",
"/http2test/test?param1=test&username=xiaoming&password=123456789"},
{":method", "POST"},
{"accept", "application/json; charset=utf-8"},
{"ca_version", "1"},
{"content-type", "application/x-www-form-urlencoded; charset=utf-8"},
{"x-ca-timestamp", "1525872629832"},
{"date", "Wed, 09 May 2018 13:30:29 GMT+00:00"},
{"user-agent", "ALIYUN-ANDROID-DEMO"},
{"x-ca-nonce", "c9f15cbf-f4ac-4a6c-b54d-f51abf4b5b44"},
{"content-length", "33"},
{"username", "xiaoming&password=123456789"},
{"x-ca-key", "203753385"},
{"x-ca-signature-method", "HmacSHA256"},
{"x-ca-signature", "FJbhmAFYz9zfl1FrThxzxBt79BvaHQIzy8Wpctn+xXE="},
{"x-ca-signature-headers",
"x-ca-timestamp,x-ca-key,x-ca-nonce,x-ca-signature-method"},
};
current_time_ = (uint64_t)1525876230 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onRequestBody(0, true),
FilterDataStatus::StopIterationNoBuffer);
current_time_ = (uint64_t)1525869027 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestBody(0, true),
FilterDataStatus::StopIterationNoBuffer);
current_time_ = (uint64_t)1525869029 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestBody(0, true), FilterDataStatus::Continue);
}
TEST_F(HmacAuthTest, TimestampCheck) {
std::string configuration = R"(
{
"credentials":[
{"key": "203753385", "secret": "123456"}
],
"date_offset": 3600
})";
BufferBase buffer;
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
headers_ = {
{":path",
"/http2test/test?param1=test&username=xiaoming&password=123456789"},
{":method", "POST"},
{"accept", "application/json; charset=utf-8"},
{"ca_version", "1"},
{"content-type", "application/x-www-form-urlencoded; charset=utf-8"},
{"x-ca-timestamp", "1525872629832"},
{"user-agent", "ALIYUN-ANDROID-DEMO"},
{"x-ca-nonce", "c9f15cbf-f4ac-4a6c-b54d-f51abf4b5b44"},
{"content-length", "33"},
{"username", "xiaoming&password=123456789"},
{"x-ca-key", "203753385"},
{"x-ca-signature-method", "HmacSHA256"},
{"x-ca-signature", "wcQC8014+HW0TumVfXy8+UXI4JDvkhjPlqp6rTE7cZo="},
{"x-ca-signature-headers",
"x-ca-timestamp,x-ca-key,x-ca-nonce,x-ca-signature-method"},
};
current_time_ = (uint64_t)1525876230 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onRequestBody(0, true),
FilterDataStatus::StopIterationNoBuffer);
current_time_ = (uint64_t)1525869027 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestBody(0, true),
FilterDataStatus::StopIterationNoBuffer);
current_time_ = (uint64_t)1525869029 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestBody(0, true), FilterDataStatus::Continue);
}
TEST_F(HmacAuthTest, TimestampSecCheck) {
std::string configuration = R"(
{
"credentials":[
{"key": "203753385", "secret": "123456"}
],
"date_offset": 3600
})";
BufferBase buffer;
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
headers_ = {
{":path",
"/http2test/test?param1=test&username=xiaoming&password=123456789"},
{":method", "POST"},
{"accept", "application/json; charset=utf-8"},
{"ca_version", "1"},
{"content-type", "application/x-www-form-urlencoded; charset=utf-8"},
{"x-ca-timestamp", "1525872629"},
{"user-agent", "ALIYUN-ANDROID-DEMO"},
{"x-ca-nonce", "c9f15cbf-f4ac-4a6c-b54d-f51abf4b5b44"},
{"content-length", "33"},
{"username", "xiaoming&password=123456789"},
{"x-ca-key", "203753385"},
{"x-ca-signature-method", "HmacSHA256"},
{"x-ca-signature", "7yl5Rba+3pnp9weLP3af1Hejz4K3RFp+BHL7N2w98/U="},
{"x-ca-signature-headers",
"x-ca-timestamp,x-ca-key,x-ca-nonce,x-ca-signature-method"},
};
current_time_ = (uint64_t)1525876230 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onRequestBody(0, true),
FilterDataStatus::StopIterationNoBuffer);
current_time_ = (uint64_t)1525869027 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestBody(0, true),
FilterDataStatus::StopIterationNoBuffer);
current_time_ = (uint64_t)1525869029 * 1000 * 1000 * 1000;
EXPECT_EQ(context_->onRequestBody(0, true), FilterDataStatus::Continue);
}
} // namespace hmac_auth
} // namespace null_plugin
} // namespace proxy_wasm

68
plugins/wasm-cpp/extensions/jwt_auth/BUILD Normal file
View File

@@ -0,0 +1,68 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "jwt_auth.wasm",
srcs = [
"plugin.cc",
"plugin.h",
"extractor.cc",
"extractor.h",
"//common:base64.h",
],
deps = [
"@com_github_google_jwt_verify//:jwt_verify_lib",
"@com_google_absl//absl/container:btree",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
"//common:rule_util",
],
)
cc_library(
name = "jwt_auth_lib",
srcs = [
"plugin.cc",
"extractor.cc",
"//common:base64.h",
],
hdrs = [
"plugin.h",
"extractor.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_github_google_jwt_verify//:jwt_verify_lib",
"@com_google_absl//absl/container:btree",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util_nullvm",
"//common:rule_util_nullvm",
],
)
cc_test(
name = "jwt_auth_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":jwt_auth_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "jwt_auth",
wasm_file = ":jwt_auth.wasm",
)

306
plugins/wasm-cpp/extensions/jwt_auth/extractor.cc Normal file
View File

@@ -0,0 +1,306 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// modified base on envoy/source/extensions/filters/http/jwt_authn/extractor.cc
#include "extensions/jwt_auth/extractor.h"
#include <memory>
#include <tuple>
#include <unordered_map>
#include "absl/container/btree_map.h"
#include "common/http_util.h"
#include "extensions/jwt_auth/plugin.h"
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
#endif
namespace {
/**
* Check Claims specified in Provider
*/
class JwtClaimChecker {
public:
JwtClaimChecker(const ClaimsMap& claims) : allowed_claims_(claims) {}
// check if a jwt issuer is allowed
bool check(const std::string& key, const std::string& value) const {
if (allowed_claims_.empty()) {
return true;
}
auto it = allowed_claims_.find(key);
return it != allowed_claims_.end() && it->second == value;
}
private:
// Only these specified claims are allowed.
const ClaimsMap& allowed_claims_;
};
using JwtClaimCheckerPtr = std::unique_ptr<JwtClaimChecker>;
// A base JwtLocation object to store token and claim_checker.
class JwtLocationBase : public JwtLocation {
public:
JwtLocationBase(const std::string& token,
const JwtClaimChecker& claim_checker)
: token_(token), claim_checker_(claim_checker) {}
// Get the token string
const std::string& token() const override { return token_; }
// Check if an claim has specified the location.
bool isClaimAllowed(const std::string& key,
const std::string& value) const override {
return claim_checker_.check(key, value);
}
void addClaimToHeader(const std::string& header, const std::string& value,
bool override) const override {
claims_to_headers_.emplace_back(header, value, override);
}
void claimsToHeaders() const override {
for (const auto& claim_to_header : claims_to_headers_) {
const auto& header_key = std::get<0>(claim_to_header);
const auto& header_value = std::get<1>(claim_to_header);
if (std::get<2>(claim_to_header)) {
auto header_ptr = getRequestHeader(header_key);
if (!header_ptr->view().empty()) {
replaceRequestHeader(header_key, header_value);
continue;
}
}
addRequestHeader(header_key, header_value);
}
}
private:
mutable std::vector<std::tuple<std::string, std::string, bool>>
claims_to_headers_;
// Extracted token.
const std::string token_;
// Claim checker
const JwtClaimChecker& claim_checker_;
};
// The JwtLocation for header extraction.
class JwtHeaderLocation : public JwtLocationBase {
public:
JwtHeaderLocation(const std::string& token,
const JwtClaimChecker& claim_checker,
const std::string& header)
: JwtLocationBase(token, claim_checker), header_(header) {}
void removeJwt() const override { removeRequestHeader(header_); }
private:
// the header name the JWT is extracted from.
const std::string& header_;
};
// The JwtLocation for param extraction.
class JwtParamLocation : public JwtLocationBase {
public:
JwtParamLocation(const std::string& token,
const JwtClaimChecker& claim_checker, const std::string&)
: JwtLocationBase(token, claim_checker) {}
void removeJwt() const override {
// TODO(qiwzhang): remove JWT from parameter.
}
};
// The JwtLocation for cookie extraction.
class JwtCookieLocation : public JwtLocationBase {
public:
JwtCookieLocation(const std::string& token,
const JwtClaimChecker& claim_checker)
: JwtLocationBase(token, claim_checker) {}
void removeJwt() const override {
// TODO(theshubhamp): remove JWT from cookies.
}
};
class ExtractorImpl : public Extractor {
public:
ExtractorImpl(const Consumer& provider);
std::vector<JwtLocationConstPtr> extract() const override;
private:
// add a header config
void addHeaderConfig(const ClaimsMap& claims, const std::string& header_name,
const std::string& value_prefix);
// add a query param config
void addQueryParamConfig(const ClaimsMap& claims, const std::string& param);
// add a query param config
void addCookieConfig(const ClaimsMap& claims, const std::string& cookie);
// ctor helper for a jwt provider config
void addProvider(const Consumer& provider);
// HeaderMap value type to store prefix and issuers that specified this
// header.
struct HeaderLocationSpec {
HeaderLocationSpec(const std::string& header,
const std::string& value_prefix)
: header_(header), value_prefix_(value_prefix) {}
// The header name.
std::string header_;
// The value prefix. e.g. for "Bearer <token>", the value_prefix is "Bearer
// ".
std::string value_prefix_;
// Issuers that specified this header.
JwtClaimCheckerPtr claim_checker_;
};
using HeaderLocationSpecPtr = std::unique_ptr<HeaderLocationSpec>;
// The map of (header + value_prefix) to HeaderLocationSpecPtr
std::map<std::string, HeaderLocationSpecPtr> header_locations_;
// ParamMap value type to store issuers that specified this header.
struct ParamLocationSpec {
// Issuers that specified this param.
JwtClaimCheckerPtr claim_checker_;
};
// The map of a parameter key to set of issuers specified the parameter
std::map<std::string, ParamLocationSpec> param_locations_;
// CookieMap value type to store issuers that specified this cookie.
struct CookieLocationSpec {
// Issuers that specified this param.
JwtClaimCheckerPtr claim_checker_;
};
// The map of a cookie key to set of issuers specified the cookie.
absl::btree_map<std::string, CookieLocationSpec> cookie_locations_;
};
ExtractorImpl::ExtractorImpl(const Consumer& provider) {
addProvider(provider);
}
void ExtractorImpl::addProvider(const Consumer& provider) {
for (const auto& header : provider.from_headers) {
addHeaderConfig(provider.allowd_claims, header.header, header.value_prefix);
}
for (const std::string& param : provider.from_params) {
addQueryParamConfig(provider.allowd_claims, param);
}
for (const std::string& cookie : provider.from_cookies) {
addCookieConfig(provider.allowd_claims, cookie);
}
}
void ExtractorImpl::addHeaderConfig(const ClaimsMap& claims,
const std::string& header_name,
const std::string& value_prefix) {
const std::string map_key = header_name + value_prefix;
auto& header_location_spec = header_locations_[map_key];
if (!header_location_spec) {
header_location_spec =
std::make_unique<HeaderLocationSpec>(header_name, value_prefix);
}
header_location_spec->claim_checker_ =
std::make_unique<JwtClaimChecker>(claims);
}
void ExtractorImpl::addQueryParamConfig(const ClaimsMap& claims,
const std::string& param) {
auto& param_location_spec = param_locations_[param];
param_location_spec.claim_checker_ =
std::make_unique<JwtClaimChecker>(claims);
}
void ExtractorImpl::addCookieConfig(const ClaimsMap& claims,
const std::string& cookie) {
auto& cookie_location_spec = cookie_locations_[cookie];
cookie_location_spec.claim_checker_ =
std::make_unique<JwtClaimChecker>(claims);
}
std::vector<JwtLocationConstPtr> ExtractorImpl::extract() const {
std::vector<JwtLocationConstPtr> tokens;
// Check header locations first
for (const auto& location_it : header_locations_) {
const auto& location_spec = location_it.second;
auto header = getRequestHeader(location_spec->header_)->toString();
if (!header.empty()) {
const auto pos = header.find(location_spec->value_prefix_);
if (pos == std::string::npos) {
continue;
}
auto header_strip =
header.substr(pos + location_spec->value_prefix_.length());
tokens.push_back(std::make_unique<const JwtHeaderLocation>(
header_strip, *location_spec->claim_checker_,
location_spec->header_));
}
}
// Check query parameter locations only if query parameter locations specified
// and Path() is not null
auto path = getRequestHeader(Wasm::Common::Http::Header::Path)->toString();
if (!param_locations_.empty() && !path.empty()) {
const auto& params = Wasm::Common::Http::parseAndDecodeQueryString(path);
for (const auto& location_it : param_locations_) {
const auto& param_key = location_it.first;
const auto& location_spec = location_it.second;
const auto& it = params.find(param_key);
if (it != params.end()) {
tokens.push_back(std::make_unique<const JwtParamLocation>(
it->second, *location_spec.claim_checker_, param_key));
}
}
}
// Check cookie locations.
if (!cookie_locations_.empty()) {
const auto& cookies =
Wasm::Common::Http::parseCookies([&](absl::string_view k) -> bool {
return cookie_locations_.contains(k);
});
for (const auto& location_it : cookie_locations_) {
const auto& cookie_key = location_it.first;
const auto& location_spec = location_it.second;
const auto& it = cookies.find(cookie_key);
if (it != cookies.end()) {
tokens.push_back(std::make_unique<const JwtCookieLocation>(
it->second, *location_spec.claim_checker_));
}
}
}
return tokens;
}
} // namespace
ExtractorConstPtr Extractor::create(const Consumer& provider) {
return std::make_unique<ExtractorImpl>(provider);
}
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

125
plugins/wasm-cpp/extensions/jwt_auth/extractor.h Normal file
View File

@@ -0,0 +1,125 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// modified base on envoy/source/extensions/filters/http/jwt_authn/extractor.h
#pragma once
#include <map>
#include <memory>
#include <string>
#include <vector>
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
#endif
#define PURE = 0
/**
* JwtLocation stores following token information:
*
* * extracted token string,
* * the location where the JWT is extracted from,
* * list of issuers specified the location.
*
*/
class JwtLocation {
public:
virtual ~JwtLocation() = default;
// Get the token string
virtual const std::string& token() const PURE;
// Check if claim has specified the location.
virtual bool isClaimAllowed(const std::string& key,
const std::string& value) const PURE;
// Remove the token from the headers
virtual void removeJwt() const PURE;
// Store the claim to header
virtual void addClaimToHeader(const std::string& header,
const std::string& value,
bool override) const PURE;
// Set claim to request header
virtual void claimsToHeaders() const PURE;
};
using JwtLocationConstPtr = std::unique_ptr<const JwtLocation>;
class Extractor;
using ExtractorConstPtr = std::unique_ptr<const Extractor>;
struct Consumer;
/**
* Extracts JWT from locations specified in the config.
*
* Usage example:
*
* auto extractor = Extractor::create(config);
* auto tokens = extractor->extract(headers);
* for (token : tokens) {
* Jwt jwt;
* if (jwt.parseFromString(token->token()) != Status::Ok) {
* // Handle JWT parsing failure.
* }
*
* if (need_to_remove) {
* // remove the JWT
* token->removeJwt(headers);
* }
* }
*
*/
class Extractor {
public:
virtual ~Extractor() = default;
/**
* Extract all JWT tokens from the headers. If set of header_keys or
* param_keys is not empty only those in the matching locations will be
* returned.
*
* @param headers is the HTTP request headers.
* @return list of extracted Jwt location info.
*/
virtual std::vector<JwtLocationConstPtr> extract() const PURE;
/**
* Create an instance of Extractor for a given config.
* @param from_headers header location config.
* @param from_params query param location config.
* @return the extractor object.
*/
static ExtractorConstPtr create(const Consumer& provider);
};
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

397
plugins/wasm-cpp/extensions/jwt_auth/plugin.cc Normal file
View File

@@ -0,0 +1,397 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/jwt_auth/plugin.h"
#include <algorithm>
#include <array>
#include <cstdint>
#include <string>
#include <unordered_set>
#include <utility>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_format.h"
#include "absl/strings/str_join.h"
#include "absl/strings/str_split.h"
#include "common/common_util.h"
#include "common/http_util.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
namespace {
constexpr absl::string_view InvalidTokenErrorString =
", error=\"invalid_token\"";
constexpr uint32_t MaximumUriLength = 256;
constexpr std::string_view kRcDetailJwtAuthnPrefix = "jwt_authn_access_denied";
std::string generateRcDetails(std::string_view error_msg) {
// Replace space with underscore since RCDetails may be written to access log.
// Some log processors assume each log segment is separated by whitespace.
return absl::StrCat(kRcDetailJwtAuthnPrefix, "{",
absl::StrJoin(absl::StrSplit(error_msg, ' '), "_"), "}");
}
} // namespace
static RegisterContextFactory register_JwtAuth(CONTEXT_FACTORY(PluginContext),
ROOT_FACTORY(PluginRootContext));
#define JSON_FIND_FIELD(dict, field) \
auto dict##_##field##_json = dict.find(#field); \
if (dict##_##field##_json == dict.end()) { \
LOG_WARN("can't find '" #field "' in " #dict); \
return false; \
}
#define JSON_VALUE_AS(type, src, dst, err_msg) \
auto dst##_v = JsonValueAs<type>(src); \
if (dst##_v.second != Wasm::Common::JsonParserResultDetail::OK || \
!dst##_v.first) { \
LOG_WARN(#err_msg); \
return false; \
} \
auto& dst = dst##_v.first.value();
#define JSON_FIELD_VALUE_AS(type, dict, field) \
JSON_VALUE_AS(type, dict##_##field##_json.value(), dict##_##field, \
"'" #field "' field in " #dict "convert to " #type " failed")
bool PluginRootContext::parsePluginConfig(const json& configuration,
JwtAuthConfigRule& rule) {
std::unordered_set<std::string> name_set;
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
Consumer c;
JSON_FIND_FIELD(consumer, name);
JSON_FIELD_VALUE_AS(std::string, consumer, name);
if (name_set.count(consumer_name) != 0) {
LOG_WARN("consumer already exists: " + consumer_name);
return false;
}
c.name = consumer_name;
JSON_FIND_FIELD(consumer, jwks);
JSON_FIELD_VALUE_AS(std::string, consumer, jwks);
c.jwks = google::jwt_verify::Jwks::createFrom(
consumer_jwks, google::jwt_verify::Jwks::JWKS);
if (c.jwks->getStatus() != Status::Ok) {
LOG_WARN(absl::StrFormat(
"jwks is invalid, consumer:%s, status:%s, jwks:%s",
consumer_name,
google::jwt_verify::getStatusString(c.jwks->getStatus()),
consumer_jwks));
return false;
}
std::unordered_map<std::string, std::string> claims;
auto consumer_claims_json = consumer.find("claims");
if (consumer_claims_json != consumer.end()) {
JSON_FIELD_VALUE_AS(Wasm::Common::JsonObject, consumer, claims);
if (!JsonObjectIterate(
consumer_claims, [&](std::string key) -> bool {
auto claims_claim_json = consumer_claims.find(key);
JSON_FIELD_VALUE_AS(std::string, claims, claim);
claims.emplace(std::make_pair(
key, Wasm::Common::trim(claims_claim)));
return true;
})) {
LOG_WARN("failed to parse 'claims' in consumer: " +
consumer_name);
return false;
}
}
auto consumer_issuer_json = consumer.find("issuer");
if (consumer_issuer_json != consumer.end()) {
JSON_FIELD_VALUE_AS(std::string, consumer, issuer);
claims.emplace(
std::make_pair("iss", Wasm::Common::trim(consumer_issuer)));
}
c.allowd_claims = std::move(claims);
std::vector<FromHeader> from_headers;
if (!JsonArrayIterate(
consumer, "from_headers",
[&](const json& from_header) -> bool {
JSON_FIND_FIELD(from_header, name);
JSON_FIELD_VALUE_AS(std::string, from_header, name);
JSON_FIND_FIELD(from_header, value_prefix);
JSON_FIELD_VALUE_AS(std::string, from_header,
value_prefix);
from_headers.push_back(FromHeader{
from_header_name, from_header_value_prefix});
return true;
})) {
LOG_WARN("failed to parse 'from_headers' in consumer: " +
consumer_name);
return false;
}
std::vector<std::string> from_params;
if (!JsonArrayIterate(consumer, "from_params",
[&](const json& from_param_json) -> bool {
JSON_VALUE_AS(std::string, from_param_json,
from_param, "invalid item");
from_params.push_back(from_param);
return true;
})) {
LOG_WARN("failed to parse 'from_params' in consumer: " +
consumer_name);
return false;
}
std::vector<std::string> from_cookies;
if (!JsonArrayIterate(consumer, "from_cookies",
[&](const json& from_cookie_json) -> bool {
JSON_VALUE_AS(std::string, from_cookie_json,
from_cookie, "invalid item");
from_cookies.push_back(from_cookie);
return true;
})) {
LOG_WARN("failed to parse 'from_cookies' in consumer: " +
consumer_name);
return false;
}
if (!from_headers.empty() || !from_params.empty() ||
!from_cookies.empty()) {
c.from_headers = std::move(from_headers);
c.from_params = std::move(from_params);
c.from_cookies = std::move(from_cookies);
}
std::unordered_map<std::string, ClaimToHeader> claims_to_headers;
if (!JsonArrayIterate(
consumer, "claims_to_headers",
[&](const json& item_json) -> bool {
JSON_VALUE_AS(Wasm::Common::JsonObject, item_json, item,
"invalid item");
JSON_FIND_FIELD(item, claim);
JSON_FIELD_VALUE_AS(std::string, item, claim);
auto c2h_it = claims_to_headers.find(item_claim);
if (c2h_it != claims_to_headers.end()) {
LOG_WARN("claim to header already exists: " +
item_claim);
return false;
}
auto& c2h = claims_to_headers[item_claim];
JSON_FIND_FIELD(item, header);
JSON_FIELD_VALUE_AS(std::string, item, header);
c2h.header = std::move(item_header);
auto item_override_json = item.find("override");
if (item_override_json != item.end()) {
JSON_FIELD_VALUE_AS(bool, item, override);
c2h.override = item_override;
}
return true;
})) {
LOG_WARN("failed to parse 'claims_to_headers' in consumer: " +
consumer_name);
return false;
}
c.claims_to_headers = std::move(claims_to_headers);
auto consumer_clock_skew_seconds_json =
consumer.find("clock_skew_seconds");
if (consumer_clock_skew_seconds_json != consumer.end()) {
JSON_FIELD_VALUE_AS(uint64_t, consumer, clock_skew_seconds);
c.clock_skew = consumer_clock_skew_seconds;
}
auto consumer_keep_token_json = consumer.find("keep_token");
if (consumer_keep_token_json != consumer.end()) {
JSON_FIELD_VALUE_AS(bool, consumer, keep_token);
c.keep_token = consumer_keep_token;
}
c.extractor = Extractor::create(c);
rule.consumers.push_back(std::move(c));
name_set.insert(consumer_name);
return true;
})) {
LOG_WARN("failed to parse configuration for consumers.");
return false;
}
if (rule.consumers.empty()) {
LOG_INFO("at least one consumer has to be configured for a rule.");
return false;
}
return true;
}
Status PluginRootContext::consumerVerify(
const Consumer& consumer, uint64_t now,
std::vector<JwtLocationConstPtr>& jwt_tokens) {
auto tokens = consumer.extractor->extract();
if (tokens.empty()) {
return Status::JwtMissed;
}
for (auto& token : tokens) {
google::jwt_verify::Jwt jwt;
Status status = jwt.parseFromString(token->token());
if (status != Status::Ok) {
LOG_INFO(absl::StrFormat(
"jwt parse failed, consumer:%s, token:%s, status:%s", consumer.name,
token->token(), google::jwt_verify::getStatusString(status)));
return status;
}
StructUtils payload_getter(jwt.payload_pb_);
if (!consumer.allowd_claims.empty()) {
for (const auto& claim : consumer.allowd_claims) {
std::string value;
if (payload_getter.GetString(claim.first, &value) ==
StructUtils::WRONG_TYPE) {
LOG_INFO(absl::StrFormat(
"jwt payload invalid, consumer:%s, token:%s, claim:%s",
consumer.name, jwt.payload_str_, claim.first));
return Status::JwtVerificationFail;
}
if (value != claim.second) {
LOG_INFO(absl::StrFormat(
"jwt payload invalid, consumer:%s, claim:%s, value:%s, expect:%s",
consumer.name, claim.first, value, claim.second));
return Status::JwtVerificationFail;
}
}
}
status = jwt.verifyTimeConstraint(now, consumer.clock_skew);
if (status != Status::Ok) {
LOG_DEBUG(absl::StrFormat(
"jwt verify time failed, consumer:%s, token:%s, status:%s",
consumer.name, token->token(),
google::jwt_verify::getStatusString(status)));
return status;
}
status =
google::jwt_verify::verifyJwtWithoutTimeChecking(jwt, *consumer.jwks);
if (status != Status::Ok) {
LOG_DEBUG(absl::StrFormat(
"jwt verify failed, consumer:%s, token:%s, status:%s", consumer.name,
token->token(), google::jwt_verify::getStatusString(status)));
return status;
}
for (const auto& claim_to_header : consumer.claims_to_headers) {
std::string value;
if (payload_getter.GetString(claim_to_header.first, &value) !=
StructUtils::WRONG_TYPE) {
token->addClaimToHeader(claim_to_header.second.header, value,
claim_to_header.second.override);
} else {
uint64_t num_value;
if (payload_getter.GetUInt64(claim_to_header.first, &num_value) !=
StructUtils::WRONG_TYPE) {
token->addClaimToHeader(claim_to_header.second.header,
std::to_string((unsigned long long)num_value),
claim_to_header.second.override);
}
}
}
}
jwt_tokens = std::move(tokens);
return Status::Ok;
}
bool PluginRootContext::checkPlugin(
const JwtAuthConfigRule& rule,
const std::optional<std::unordered_set<std::string>>& allow_set) {
std::optional<Status> err_status;
bool verified = false;
uint64_t now = getCurrentTimeNanoseconds() / 1e9;
for (const auto& consumer : rule.consumers) {
std::vector<JwtLocationConstPtr> tokens;
auto status = consumerVerify(consumer, now, tokens);
if (status == Status::Ok) {
verified = true;
// global config without allow_set field allows any consumers
if (!allow_set ||
allow_set.value().find(consumer.name) != allow_set.value().end()) {
addRequestHeader("X-Mse-Consumer", consumer.name);
for (auto& token : tokens) {
if (!consumer.keep_token) {
token->removeJwt();
}
token->claimsToHeaders();
}
return true;
}
}
// use the first status
if (!err_status) {
err_status = status;
}
}
if (!verified) {
auto status = err_status ? err_status.value() : Status::JwtMissed;
auto err_str = google::jwt_verify::getStatusString(status);
auto authn_value = absl::StrCat(
"Bearer realm=\"",
Wasm::Common::Http::buildOriginalUri(MaximumUriLength), "\"");
if (status != Status::JwtMissed) {
absl::StrAppend(&authn_value, InvalidTokenErrorString);
}
sendLocalResponse(401, generateRcDetails(err_str), err_str,
{{"WWW-Authenticate", authn_value}});
} else {
sendLocalResponse(403, kRcDetailJwtAuthnPrefix, "Access Denied", {});
}
return false;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseAuthRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->checkAuthRule(
[rootCtx](const auto& config, const auto& allow_set) {
return rootCtx->checkPlugin(config, allow_set);
})
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

117
plugins/wasm-cpp/extensions/jwt_auth/plugin.h Normal file
View File

@@ -0,0 +1,117 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include "common/route_rule_matcher.h"
#include "extensions/jwt_auth/extractor.h"
#include "jwt_verify_lib/check_audience.h"
#include "jwt_verify_lib/jwt.h"
#include "jwt_verify_lib/status.h"
#include "jwt_verify_lib/struct_utils.h"
#include "jwt_verify_lib/verify.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
#endif
using ::google::jwt_verify::Status;
using ::google::jwt_verify::StructUtils;
struct FromHeader {
std::string header;
std::string value_prefix;
};
struct ClaimToHeader {
std::string header;
bool override = true;
};
using ClaimsMap =
std::unordered_map<std::string /*claim*/, std::string /*claim value*/>;
struct Consumer {
std::string name;
google::jwt_verify::JwksPtr jwks;
ClaimsMap allowd_claims;
std::vector<FromHeader> from_headers = {{"Authorization", "Bearer "}};
std::vector<std::string> from_params = {"access_token"};
std::vector<std::string> from_cookies;
uint64_t clock_skew = 60;
bool keep_token = true;
std::unordered_map<std::string /*claim*/, ClaimToHeader> claims_to_headers;
ExtractorConstPtr extractor;
};
struct JwtAuthConfigRule {
std::vector<Consumer> consumers;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<JwtAuthConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkPlugin(const JwtAuthConfigRule&,
const std::optional<std::unordered_set<std::string>>&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, JwtAuthConfigRule&) override;
Status consumerVerify(const Consumer&, uint64_t,
std::vector<JwtLocationConstPtr>&);
std::string extractCredential(const JwtAuthConfigRule&);
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

269
plugins/wasm-cpp/extensions/jwt_auth/plugin_test.cc Normal file
View File

@@ -0,0 +1,269 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/jwt_auth/plugin.h"
#include "common/base64.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_jwt_auth_plugin("jwt_auth", []() {
return std::make_unique<NullPlugin>(jwt_auth::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* jwt */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, addHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* jwt */,
std::string_view /* value */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(uint64_t, getCurrentTimeNanoseconds, ());
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class JwtAuthTest : public ::testing::Test {
protected:
JwtAuthTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("jwt_auth");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == ":path") {
*result = path_;
}
if (header == "Authorization") {
*result = jwt_header_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view jwt,
std::string_view value) { return WasmResult::Ok; });
ON_CALL(*mock_context_, getCurrentTimeNanoseconds()).WillByDefault([&]() {
return current_time_;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~JwtAuthTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string path_;
std::string authority_;
std::string route_name_;
std::string jwt_header_;
uint64_t current_time_;
};
TEST_F(JwtAuthTest, RSA) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-1",
"issuer": "abc",
"jwks": "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"123\",\"alg\":\"RS256\",\"n\":\"i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw\"}]}"
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmMiLCJzdWIiOiJ0ZXN0IiwiaWF0IjoxNjY1NjYwNTI3LCJleHAiOjE2NjU2NzM4MTl9.FwSnlW9NjZ_5w6cm-YqteUy4LjKCXfQCWVCGcM3RsaqBhcHTz_IFOFMLnjI9QAG_IhxPP4s0ln7-duESns4YogkmqWV0ckMKZo9OEYOLpD6kXaA6H6g9RaLedogReKk1bDauFWFBrqMwvnxIqOIPj2ZOEQcKDVxO08mPSXb5-cxbvCA2rcmBk8_JHD8DBW990IfUCrsUFP4w4Zy3HlU__ZZhaCqzukI1ZOOgwu2_wMifvdv2n2PvqRNcmpjuGJ-FUXhAduCTPO9ZLGBOZcxkPl4U28Frfb1hSEV83NfK3iPBoLjC3u-M7kc1FJHcUORy_Bof6mzBX7npYckbsb-SJA)";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(JwtAuthTest, OCT) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-2",
"issuer": "abcd",
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(JwtAuthTest, AuthZ) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-1",
"issuer": "abc",
"jwks": "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"123\",\"alg\":\"RS256\",\"n\":\"i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw\"}]}"
},
{
"name": "consumer-2",
"issuer": "abcd",
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
}
],
"_rules_": [{
"_match_route_": [
"test1"
],
"allow": [
"consumer-1"
]
},
{
"_match_route_": [
"test2"
],
"allow": [
"consumer-2"
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
route_name_ = "test1";
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
route_name_ = "test2";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(JwtAuthTest, ClaimToHeader) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-2",
"issuer": "abcd",
"claims_to_headers": [
{
"claim": "sub",
"header": "x-sub"
},
{
"claim": "exp",
"header": "x-exp"
}
],
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
EXPECT_CALL(*mock_context_,
addHeaderMapValue(testing::_, std::string_view("x-sub"),
std::string_view("test")));
EXPECT_CALL(*mock_context_,
addHeaderMapValue(testing::_, std::string_view("x-exp"),
std::string_view("1665673819")));
EXPECT_CALL(*mock_context_,
addHeaderMapValue(testing::_, std::string_view("X-Mse-Consumer"),
std::string_view("consumer-2")));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm

58
plugins/wasm-cpp/extensions/key_auth/BUILD Normal file
View File

@@ -0,0 +1,58 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "key_auth.wasm",
srcs = [
"plugin.cc",
"plugin.h",
"//common:base64.h",
],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
"//common:rule_util",
],
)
cc_library(
name = "key_auth_lib",
srcs = [
"plugin.cc",
"//common:base64.h",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util",
"//common:rule_util",
],
)
cc_test(
name = "key_auth_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":key_auth_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "key_auth",
wasm_file = ":key_auth.wasm",
)

279
plugins/wasm-cpp/extensions/key_auth/plugin.cc Normal file
View File

@@ -0,0 +1,279 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/key_auth/plugin.h"
#include <array>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "common/http_util.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace key_auth {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
static RegisterContextFactory register_KeyAuth(CONTEXT_FACTORY(PluginContext),
ROOT_FACTORY(PluginRootContext));
namespace {
void deniedNoKeyAuthData(const std::string& realm) {
sendLocalResponse(401, "No API key found in request", "",
{{"WWW-Authenticate", absl::StrCat("Key realm=", realm)}});
}
void deniedInvalidCredentials(const std::string& realm) {
sendLocalResponse(401, "Request denied by Key Auth check. Invalid API key",
"",
{{"WWW-Authenticate", absl::StrCat("Key realm=", realm)}});
}
void deniedUnauthorizedConsumer(const std::string& realm) {
sendLocalResponse(
403, "Request denied by Key Auth check. Unauthorized consumer", "",
{{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
} // namespace
bool PluginRootContext::parsePluginConfig(const json& configuration,
KeyAuthConfigRule& rule) {
if ((configuration.find("consumers") != configuration.end()) &&
(configuration.find("credentials") != configuration.end())) {
LOG_WARN(
"The consumers field and the credentials field cannot appear at the "
"same level");
return false;
}
if (!JsonArrayIterate(
configuration, "credentials", [&](const json& credentials) -> bool {
auto credential = JsonValueAs<std::string>(credentials);
if (credential.second != Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
rule.credentials.insert(credential.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
auto item = consumer.find("name");
if (item == consumer.end()) {
LOG_WARN("can't find 'name' field in consumer.");
return false;
}
auto name = JsonValueAs<std::string>(item.value());
if (name.second != Wasm::Common::JsonParserResultDetail::OK ||
!name.first) {
return false;
}
item = consumer.find("credential");
if (item == consumer.end()) {
LOG_WARN("can't find 'credential' field in consumer.");
return false;
}
auto credential = JsonValueAs<std::string>(item.value());
if (credential.second != Wasm::Common::JsonParserResultDetail::OK ||
!credential.first) {
return false;
}
if (rule.credential_to_name.find(credential.first.value()) !=
rule.credential_to_name.end()) {
LOG_WARN(absl::StrCat("duplicate consumer credential: ",
credential.first.value()));
return false;
}
rule.credentials.insert(credential.first.value());
rule.credential_to_name.emplace(
std::make_pair(credential.first.value(), name.first.value()));
return true;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (rule.credentials.empty()) {
LOG_INFO("at least one credential has to be configured for a rule.");
return false;
}
if (!JsonArrayIterate(configuration, "keys", [&](const json& item) -> bool {
auto key = JsonValueAs<std::string>(item);
if (key.second != Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
rule.keys.push_back(key.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for keys.");
return false;
}
if (rule.keys.empty()) {
LOG_WARN("at least one key has to be configured for a rule.");
return false;
}
auto it = configuration.find("realm");
if (it != configuration.end()) {
auto realm_string = JsonValueAs<std::string>(it.value());
if (realm_string.second != Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
rule.realm = realm_string.first.value();
}
it = configuration.find("in_query");
if (it != configuration.end()) {
auto in_query = JsonValueAs<bool>(it.value());
if (in_query.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_query.first) {
LOG_WARN("failed to parse 'in_query' field in filter configuration.");
return false;
}
rule.in_query = in_query.first.value();
}
it = configuration.find("in_header");
if (it != configuration.end()) {
auto in_header = JsonValueAs<bool>(it.value());
if (in_header.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_header.first) {
LOG_WARN("failed to parse 'in_header' field in filter configuration.");
return false;
}
rule.in_header = in_header.first.value();
}
if (!rule.in_query && !rule.in_header) {
LOG_WARN("at least one of 'in_query' and 'in_header' must set to true");
return false;
}
return true;
}
bool PluginRootContext::checkPlugin(
const KeyAuthConfigRule& rule,
const std::optional<std::unordered_set<std::string>>& allow_set) {
auto credential = extractCredential(rule);
if (credential.empty()) {
LOG_DEBUG("empty credential");
deniedNoKeyAuthData(rule.realm);
return false;
}
auto auth_credential_iter = rule.credentials.find(std::string(credential));
// Check if the credential is part of the credentials
// set from our container to grant or deny access.
if (auth_credential_iter == rule.credentials.end()) {
LOG_DEBUG(absl::StrCat("api key not found: ", credential));
deniedInvalidCredentials(rule.realm);
return false;
}
// Check if this credential has a consumer name. If so, check if this
// consumer is allowed to access. If allow_set is empty, allow all consumers.
auto credential_to_name_iter =
rule.credential_to_name.find(std::string(std::string(credential)));
if (credential_to_name_iter != rule.credential_to_name.end()) {
if (allow_set && !allow_set.value().empty()) {
if (allow_set.value().find(credential_to_name_iter->second) ==
allow_set.value().end()) {
deniedUnauthorizedConsumer(rule.realm);
LOG_DEBUG(credential_to_name_iter->second);
return false;
}
}
addRequestHeader("X-Mse-Consumer", credential_to_name_iter->second);
}
return true;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseAuthRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
std::string PluginRootContext::extractCredential(
const KeyAuthConfigRule& rule) {
auto request_path_header = getRequestHeader(":path");
auto path = request_path_header->view();
LOG_DEBUG(std::string(path));
if (rule.in_query) {
auto params = Wasm::Common::Http::parseAndDecodeQueryString(path);
for (const auto& key : rule.keys) {
auto it = params.find(key);
if (it != params.end()) {
return it->second;
}
}
}
if (rule.in_header) {
for (const auto& key : rule.keys) {
auto header = getRequestHeader(key);
if (header->size() != 0) {
return header->toString();
}
}
}
return "";
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->checkAuthRule(
[rootCtx](const auto& config, const auto& allow_set) {
return rootCtx->checkPlugin(config, allow_set);
})
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
#ifdef NULL_PLUGIN
} // namespace key_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

85
plugins/wasm-cpp/extensions/key_auth/plugin.h Normal file
View File

@@ -0,0 +1,85 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_set>
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace key_auth {
#endif
struct KeyAuthConfigRule {
std::unordered_set<std::string> credentials;
std::unordered_map<std::string, std::string> credential_to_name;
std::string realm = "MSE Gateway";
std::vector<std::string> keys;
bool in_query = true;
bool in_header = true;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<KeyAuthConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkPlugin(const KeyAuthConfigRule&,
const std::optional<std::unordered_set<std::string>>&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, KeyAuthConfigRule&) override;
std::string extractCredential(const KeyAuthConfigRule&);
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace key_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

245
plugins/wasm-cpp/extensions/key_auth/plugin_test.cc Normal file
View File

@@ -0,0 +1,245 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/key_auth/plugin.h"
#include "common/base64.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace key_auth {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_key_auth_plugin("key_auth", []() {
return std::make_unique<NullPlugin>(key_auth::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, addHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view /* value */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class KeyAuthTest : public ::testing::Test {
protected:
KeyAuthTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("key_auth");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == ":path") {
*result = path_;
}
if (header == "x-api-key") {
*result = key_header_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view key,
std::string_view value) { return WasmResult::Ok; });
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~KeyAuthTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string path_;
std::string authority_;
std::string route_name_;
std::string key_header_;
};
TEST_F(KeyAuthTest, InQuery) {
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_": ["test"],
"credentials":["abc"],
"keys": ["apiKey", "x-api-key"]
}
]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
path_ = "/test?hello=123&apiKey=abc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/test?hello=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/test?hello=123&apiKey=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(KeyAuthTest, InQueryWithConsumer) {
std::string configuration = R"(
{
"consumers" : [ {"credential" : "abc", "name" : "consumer1"} ],
"keys" : [ "apiKey", "x-api-key" ],
"_rules_" : [ {"_match_route_" : ["test"], "allow" : ["consumer1"]} ]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
path_ = "/test?hello=1&apiKey=abc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/test?hello=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/test?hello=123&apiKey=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(KeyAuthTest, InHeader) {
std::string configuration = R"(
{
"credentials":["abc", "xyz"],
"keys": ["x-api-key"]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
path_ = "/test?hello=123";
key_header_ = "abc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/test?hello=123";
key_header_ = "xyz";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/test?hello=123";
key_header_ = "";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/test?hello=123";
key_header_ = "123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(KeyAuthTest, InHeaderWithConsumer) {
std::string configuration = R"(
{
"consumers" : [ {"credential" : "abc", "name" : "consumer1"},
{"credential" : "xyz", "name" : "consumer1"} ],
"keys": ["x-api-key"]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
path_ = "/test?hello=123";
key_header_ = "abc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/test?hello=123";
key_header_ = "xyz";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/test?hello=123";
key_header_ = "";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/test?hello=123";
key_header_ = "123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
} // namespace key_auth
} // namespace null_plugin
} // namespace proxy_wasm

59
plugins/wasm-cpp/extensions/key_rate_limit/BUILD Normal file
View File

@@ -0,0 +1,59 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "key_rate_limit.wasm",
srcs = [
"plugin.cc",
"plugin.h",
"bucket.h",
"bucket.cc",
],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
"//common:rule_util",
],
)
cc_library(
name = "key_rate_limit_lib",
srcs = [
"plugin.cc",
"bucket.cc",
],
hdrs = [
"plugin.h",
"bucket.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_google_absl//absl/strings",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util",
"//common:rule_util",
],
)
cc_test(
name = "key_rate_limit_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":key_rate_limit_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "key_rate_limit",
wasm_file = ":key_rate_limit.wasm",
)

177
plugins/wasm-cpp/extensions/key_rate_limit/bucket.cc Normal file
View File

@@ -0,0 +1,177 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/key_rate_limit/bucket.h"
#include <string>
#include <unordered_map>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_join.h"
namespace {
const int maxGetTokenRetry = 20;
// Key-prefix for token bucket shared data.
std::string tokenBucketPrefix = "mse.token_bucket";
// Key-prefix for token bucket last updated time.
std::string lastRefilledPrefix = "mse.last_refilled";
} // namespace
bool getToken(int rule_id, const std::string &key) {
WasmDataPtr token_bucket_data;
uint32_t cas;
std::string tokenBucketKey =
std::to_string(rule_id) + tokenBucketPrefix + key;
for (int i = 0; i < maxGetTokenRetry; i++) {
if (WasmResult::Ok !=
getSharedData(tokenBucketKey, &token_bucket_data, &cas)) {
return false;
}
uint64_t token_left =
*reinterpret_cast<const uint64_t *>(token_bucket_data->data());
if (token_left == 0) {
return false;
}
token_left -= 1;
auto res = setSharedData(
tokenBucketKey,
{reinterpret_cast<const char *>(&token_left), sizeof(token_left)}, cas);
if (res == WasmResult::Ok) {
return true;
}
if (res == WasmResult::CasMismatch) {
continue;
}
return false;
}
LOG_WARN("get token failed with cas mismatch");
return true;
}
void refillToken(const std::vector<std::pair<int, LimitItem>> &rules) {
uint32_t last_update_cas;
WasmDataPtr last_update_data;
for (const auto &rule : rules) {
auto id = std::to_string(rule.first);
std::string lastRefilledKey = id + lastRefilledPrefix + rule.second.key;
std::string tokenBucketKey = id + tokenBucketPrefix + rule.second.key;
auto result =
getSharedData(lastRefilledKey, &last_update_data, &last_update_cas);
if (result != WasmResult::Ok) {
LOG_WARN(
absl::StrCat("failed to get last update time of the local rate limit "
"token bucket ",
toString(result)));
continue;
}
uint64_t last_update =
*reinterpret_cast<const uint64_t *>(last_update_data->data());
uint64_t now = getCurrentTimeNanoseconds();
if (now - last_update < rule.second.refill_interval_nanosec) {
continue;
}
// Otherwise, try set last updated time. If updated failed because of cas
// mismatch, the bucket is going to be refilled by other VMs.
auto res = setSharedData(
lastRefilledKey, {reinterpret_cast<const char *>(&now), sizeof(now)},
last_update_cas);
if (res == WasmResult::CasMismatch) {
continue;
}
do {
if (WasmResult::Ok !=
getSharedData(tokenBucketKey, &last_update_data, &last_update_cas)) {
LOG_WARN("failed to get current local rate limit token bucket");
break;
}
uint64_t token_left =
*reinterpret_cast<const uint64_t *>(last_update_data->data());
// Refill tokens, and update bucket with cas. If update failed because of
// cas mismatch, retry refilling.
token_left += rule.second.tokens_per_refill;
if (token_left > rule.second.max_tokens) {
token_left = rule.second.max_tokens;
}
if (WasmResult::CasMismatch ==
setSharedData(
tokenBucketKey,
{reinterpret_cast<const char *>(&token_left), sizeof(token_left)},
last_update_cas)) {
continue;
}
break;
} while (true);
}
}
bool initializeTokenBucket(
const std::vector<std::pair<int, LimitItem>> &rules) {
uint32_t last_update_cas;
WasmDataPtr last_update_data;
uint64_t initial_value = 0;
for (const auto &rule : rules) {
auto id = std::to_string(rule.first);
std::string lastRefilledKey = id + lastRefilledPrefix + rule.second.key;
std::string tokenBucketKey = id + tokenBucketPrefix + rule.second.key;
auto res =
getSharedData(lastRefilledKey, &last_update_data, &last_update_cas);
if (res == WasmResult::NotFound) {
setSharedData(lastRefilledKey,
{reinterpret_cast<const char *>(&initial_value),
sizeof(initial_value)});
setSharedData(tokenBucketKey,
{reinterpret_cast<const char *>(&rule.second.max_tokens),
sizeof(uint64_t)});
continue;
}
// reconfigure
do {
if (WasmResult::Ok !=
getSharedData(lastRefilledKey, &last_update_data, &last_update_cas)) {
LOG_WARN("failed to get lastRefilled");
return false;
}
if (WasmResult::CasMismatch ==
setSharedData(lastRefilledKey,
{reinterpret_cast<const char *>(&initial_value),
sizeof(initial_value)},
last_update_cas)) {
continue;
}
break;
} while (true);
do {
if (WasmResult::Ok !=
getSharedData(tokenBucketKey, &last_update_data, &last_update_cas)) {
LOG_WARN("failed to get tokenBucket");
return false;
}
if (WasmResult::CasMismatch ==
setSharedData(
tokenBucketKey,
{reinterpret_cast<const char *>(&rule.second.max_tokens),
sizeof(uint64_t)},
last_update_cas)) {
continue;
}
break;
} while (true);
}
return true;
}

40
plugins/wasm-cpp/extensions/key_rate_limit/bucket.h Normal file
View File

@@ -0,0 +1,40 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
using namespace proxy_wasm::null_plugin;
using proxy_wasm::WasmResult;
#endif
struct LimitItem {
std::string key;
uint64_t tokens_per_refill;
uint64_t refill_interval_nanosec;
uint64_t max_tokens;
};
bool getToken(int rule_id, const std::string& key);
void refillToken(const std::vector<std::pair<int, LimitItem>>& rules);
bool initializeTokenBucket(const std::vector<std::pair<int, LimitItem>>& rules);

231
plugins/wasm-cpp/extensions/key_rate_limit/plugin.cc Normal file
View File

@@ -0,0 +1,231 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/key_rate_limit/plugin.h"
#include <array>
#include <vector>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace key_rate_limit {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
static RegisterContextFactory register_KeyRateLimit(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
namespace {
constexpr uint64_t second_nano = 1000 * 1000 * 1000;
constexpr uint64_t minute_nano = 60 * second_nano;
constexpr uint64_t hour_nano = 60 * minute_nano;
constexpr uint64_t day_nano = 24 * hour_nano;
// tooManyRequest returns a 429 response code.
void tooManyRequest() {
sendLocalResponse(429, "Too many requests", "rate_limited", {});
}
} // namespace
bool PluginRootContext::parsePluginConfig(const json& configuration,
KeyRateLimitConfigRule& rule) {
if (!JsonArrayIterate(
configuration, "limit_keys", [&](const json& item) -> bool {
std::string key =
Wasm::Common::JsonGetField<std::string>(item, "key").value();
uint64_t qps =
Wasm::Common::JsonGetField<uint64_t>(item, "query_per_second")
.value_or(0);
if (qps > 0) {
rule.limit_keys.emplace(key, LimitItem{
key,
qps,
second_nano,
qps,
});
return true;
}
uint64_t qpm =
Wasm::Common::JsonGetField<uint64_t>(item, "query_per_minute")
.value_or(0);
if (qpm > 0) {
rule.limit_keys.emplace(key, LimitItem{
key,
qpm,
minute_nano,
qpm,
});
return true;
}
uint64_t qph =
Wasm::Common::JsonGetField<uint64_t>(item, "query_per_hour")
.value_or(0);
if (qph > 0) {
rule.limit_keys.emplace(key, LimitItem{
key,
qph,
hour_nano,
qph,
});
return true;
}
uint64_t qpd =
Wasm::Common::JsonGetField<uint64_t>(item, "query_per_day")
.value_or(0);
if (qpd > 0) {
rule.limit_keys.emplace(key, LimitItem{
key,
qpd,
day_nano,
qpd,
});
return true;
}
LOG_WARN(
"one of 'query_per_second', 'query_per_minute', "
"'query_per_hour' or 'query_per_day' must be set");
return false;
})) {
LOG_WARN("failed to parse configuration for limit_keys.");
return false;
}
if (rule.limit_keys.empty()) {
LOG_WARN("no limit keys found in configuration");
return false;
}
auto it = configuration.find("limit_by_header");
if (it != configuration.end()) {
auto limit_by_header = JsonValueAs<std::string>(it.value());
if (limit_by_header.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse limit_by_header");
return false;
}
rule.limit_by_header = limit_by_header.first.value();
}
it = configuration.find("limit_by_param");
if (it != configuration.end()) {
auto limit_by_param = JsonValueAs<std::string>(it.value());
if (limit_by_param.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse limit_by_param");
return false;
}
rule.limit_by_param = limit_by_param.first.value();
}
auto emptyHeader = rule.limit_by_header.empty();
auto emptyParam = rule.limit_by_param.empty();
if ((emptyHeader && emptyParam) || (!emptyHeader && !emptyParam)) {
LOG_WARN("only one of 'limit_by_param' and 'limit_by_header' can be set");
return false;
}
return true;
}
bool PluginRootContext::checkPlugin(int rule_id,
const KeyRateLimitConfigRule& config) {
const auto& headerKey = config.limit_by_header;
const auto& paramKey = config.limit_by_param;
std::string key;
if (!headerKey.empty()) {
GET_HEADER_VIEW(headerKey, header);
key = header;
} else {
// use paramKey which must not be empty
GET_HEADER_VIEW(":path", path);
const auto& params = Wasm::Common::Http::parseQueryString(path);
auto it = params.find(paramKey);
if (it != params.end()) {
key = it->second;
}
}
const auto& limit_keys = config.limit_keys;
if (limit_keys.find(key) == limit_keys.end()) {
return true;
}
if (!getToken(rule_id, key)) {
tooManyRequest();
return false;
}
return true;
}
void PluginRootContext::onTick() { refillToken(limits_); }
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
const auto& rules = getRules();
for (const auto& rule : rules) {
for (auto& keyItem : rule.second.get().limit_keys) {
limits_.emplace_back(rule.first, keyItem.second);
}
}
initializeTokenBucket(limits_);
proxy_set_tick_period_milliseconds(1000);
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result.has_value()) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->checkRuleWithId([rootCtx](auto rule_id, const auto& config) {
return rootCtx->checkPlugin(rule_id, config);
})
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
#ifdef NULL_PLUGIN
} // namespace key_rate_limit
} // namespace null_plugin
} // namespace proxy_wasm
#endif

89
plugins/wasm-cpp/extensions/key_rate_limit/plugin.h Normal file
View File

@@ -0,0 +1,89 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <cstdint>
#include <string>
#include <unordered_map>
#include "bucket.h"
#include "common/http_util.h"
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace key_rate_limit {
#endif
struct KeyRateLimitConfigRule {
std::unordered_map<std::string, LimitItem> limit_keys;
std::string limit_by_header;
std::string limit_by_param;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<KeyRateLimitConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
void onTick() override;
bool checkPlugin(int, const KeyRateLimitConfigRule&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, KeyRateLimitConfigRule&) override;
std::vector<std::pair<int, LimitItem>> limits_;
friend class KeyRateLimitTest_Config_Test;
friend class KeyRateLimitTest_RuleConfig_Test;
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace key_rate_limit
} // namespace null_plugin
} // namespace proxy_wasm
#endif

206
plugins/wasm-cpp/extensions/key_rate_limit/plugin_test.cc Normal file
View File

@@ -0,0 +1,206 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/key_rate_limit/plugin.h"
#include "absl/strings/str_join.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace key_rate_limit {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_key_rate_limit_plugin(
"key_rate_limit", []() {
return std::make_unique<NullPlugin>(key_rate_limit::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class KeyRateLimitTest : public ::testing::Test {
protected:
KeyRateLimitTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("key_rate_limit");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_,
getHeaderMapValue(WasmHeaderMapType::ResponseHeaders, testing::_,
testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":status") {
*result = status_code_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~KeyRateLimitTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string authority_;
std::string route_name_;
std::string status_code_;
};
TEST_F(KeyRateLimitTest, Config) {
std::string configuration = R"(
{
"limit_by_header": "x-api-key",
"limit_keys": [
{
"key": "a",
"query_per_second": 1
},
{
"key": "b",
"query_per_minute": 1
},
{
"key": "c",
"query_per_hour": 1
},
{
"key": "d",
"query_per_day": 1
}
],
"_rules_" : [
{
"_match_route_":["test"],
"limit_by_param": "apikey",
"limit_keys": [
{
"key": "a",
"query_per_second": 10
}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->onConfigure(configuration.size()));
EXPECT_EQ(root_context_->limits_.size(), 5);
EXPECT_EQ(root_context_->limits_[0].first, 0);
EXPECT_EQ(root_context_->limits_[1].first, 0);
EXPECT_EQ(root_context_->limits_[2].first, 0);
EXPECT_EQ(root_context_->limits_[3].first, 0);
EXPECT_EQ(root_context_->limits_[4].first, 1);
}
TEST_F(KeyRateLimitTest, RuleConfig) {
std::string configuration = R"(
{
"_rules_" : [
{
"_match_route_":["test"],
"limit_by_param": "apikey",
"limit_keys": [
{
"key": "a",
"query_per_second": 10
}
]
},
{
"_match_route_":["abc"],
"limit_by_param": "apikey",
"limit_keys": [
{
"key": "a",
"query_per_second": 100
}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->onConfigure(configuration.size()));
EXPECT_EQ(root_context_->limits_.size(), 2);
EXPECT_EQ(root_context_->limits_[0].first, 1);
EXPECT_EQ(root_context_->limits_[1].first, 2);
}
} // namespace key_rate_limit
} // namespace null_plugin
} // namespace proxy_wasm

55
plugins/wasm-cpp/extensions/request_block/BUILD Normal file
View File

@@ -0,0 +1,55 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "request_block.wasm",
srcs = [
"plugin.cc",
"plugin.h",
],
deps = [
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
"//common:rule_util",
],
)
cc_library(
name = "request_block_lib",
srcs = [
"plugin.cc",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_google_absl//absl/strings",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util",
"//common:rule_util",
],
)
cc_test(
name = "request_block_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":request_block_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "request_block",
wasm_file = ":request_block.wasm",
)

266
plugins/wasm-cpp/extensions/request_block/plugin.cc Normal file
View File

@@ -0,0 +1,266 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/request_block/plugin.h"
#include <array>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_join.h"
#include "absl/strings/str_split.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace request_block {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
static RegisterContextFactory register_RequestBlock(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
static constexpr size_t MAX_BODY_SIZE = 32 * 1024 * 1024;
bool PluginRootContext::parsePluginConfig(const json& configuration,
RequestBlockConfigRule& rule) {
auto it = configuration.find("blocked_code");
if (it != configuration.end()) {
auto blocked_code = JsonValueAs<int64_t>(it.value());
if (blocked_code.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse status code");
return false;
}
rule.blocked_code = blocked_code.first.value();
}
it = configuration.find("blocked_message");
if (it != configuration.end()) {
auto blocked_message = JsonValueAs<std::string>(it.value());
if (blocked_message.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse blocked_message");
return false;
}
rule.blocked_message = blocked_message.first.value();
}
it = configuration.find("case_sensitive");
if (it != configuration.end()) {
auto case_sensitive = JsonValueAs<bool>(it.value());
if (case_sensitive.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse case_sensitive");
return false;
}
rule.case_sensitive = case_sensitive.first.value();
}
if (!JsonArrayIterate(
configuration, "block_urls", [&](const json& item) -> bool {
auto url = JsonValueAs<std::string>(item);
if (url.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse block_urls");
return false;
}
if (rule.case_sensitive) {
rule.block_urls.push_back(std::move(url.first.value()));
} else {
rule.block_urls.push_back(
absl::AsciiStrToLower(url.first.value()));
}
return true;
})) {
LOG_WARN("failed to parse configuration for block_urls.");
return false;
}
if (!JsonArrayIterate(
configuration, "block_headers", [&](const json& item) -> bool {
auto header = JsonValueAs<std::string>(item);
if (header.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse block_headers");
return false;
}
if (rule.case_sensitive) {
rule.block_headers.push_back(std::move(header.first.value()));
} else {
rule.block_headers.push_back(
absl::AsciiStrToLower(header.first.value()));
}
return true;
})) {
LOG_WARN("failed to parse configuration for block_headers.");
return false;
}
if (!JsonArrayIterate(
configuration, "block_bodys", [&](const json& item) -> bool {
auto body = JsonValueAs<std::string>(item);
if (body.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse block_bodys");
return false;
}
if (rule.case_sensitive) {
rule.block_bodys.push_back(std::move(body.first.value()));
} else {
rule.block_bodys.push_back(
absl::AsciiStrToLower(body.first.value()));
}
return true;
})) {
LOG_WARN("failed to parse configuration for block_bodys.");
return false;
}
if (rule.block_bodys.empty() && rule.block_headers.empty() &&
rule.block_urls.empty()) {
LOG_WARN("there is no block rules");
return false;
}
return true;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result.has_value()) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
bool PluginRootContext::checkHeader(const RequestBlockConfigRule& rule,
bool& check_body) {
if (!rule.block_urls.empty()) {
std::string urlstr;
std::string_view url;
GET_HEADER_VIEW(":path", request_url);
if (rule.case_sensitive) {
url = request_url;
} else {
urlstr = absl::AsciiStrToLower(request_url);
url = urlstr;
}
for (const auto& block_url : rule.block_urls) {
if (absl::StrContains(url, block_url)) {
sendLocalResponse(rule.blocked_code, "", rule.blocked_message, {});
return false;
}
}
}
if (!rule.block_headers.empty()) {
auto headersPtr = getRequestHeaderPairs();
std::string headerstr;
std::string_view headers;
if (rule.case_sensitive) {
headers = headersPtr->view();
} else {
headerstr = absl::AsciiStrToLower(headersPtr->view());
headers = headerstr;
}
for (const auto& block_header : rule.block_headers) {
if (absl::StrContains(headers, block_header)) {
sendLocalResponse(rule.blocked_code, "", rule.blocked_message, {});
return false;
}
}
}
if (!rule.block_bodys.empty()) {
check_body = true;
}
return true;
}
bool PluginRootContext::checkBody(const RequestBlockConfigRule& rule,
std::string_view request_body) {
std::string bodystr;
std::string_view body;
if (rule.case_sensitive) {
body = request_body;
} else {
bodystr = absl::AsciiStrToLower(request_body);
body = bodystr;
}
for (const auto& block_body : rule.block_bodys) {
if (absl::StrContains(body, block_body)) {
sendLocalResponse(rule.blocked_code, "", rule.blocked_message, {});
return false;
}
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
auto config = rootCtx->getMatchConfig();
config_ = config.second;
if (!config_) {
return FilterHeadersStatus::Continue;
}
return rootCtx->checkHeader(config_.value(), check_body_)
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
FilterDataStatus PluginContext::onRequestBody(size_t body_size,
bool end_stream) {
if (!config_) {
return FilterDataStatus::Continue;
}
if (!check_body_) {
return FilterDataStatus::Continue;
}
body_total_size_ += body_size;
if (body_total_size_ > MAX_BODY_SIZE) {
LOG_DEBUG("body_size is too large");
return FilterDataStatus::Continue;
}
if (!end_stream) {
return FilterDataStatus::StopIterationAndBuffer;
}
auto body =
getBufferBytes(WasmBufferType::HttpRequestBody, 0, body_total_size_);
auto* rootCtx = rootContext();
return rootCtx->checkBody(config_.value(), body->view())
? FilterDataStatus::Continue
: FilterDataStatus::StopIterationNoBuffer;
}
#ifdef NULL_PLUGIN
} // namespace request_block
} // namespace null_plugin
} // namespace proxy_wasm
#endif

92
plugins/wasm-cpp/extensions/request_block/plugin.h Normal file
View File

@@ -0,0 +1,92 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <functional>
#include <optional>
#include <string>
#include <unordered_map>
#include "common/http_util.h"
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace request_block {
#endif
struct RequestBlockConfigRule {
int blocked_code = 403;
std::string blocked_message;
bool case_sensitive = true;
std::vector<std::string> block_urls;
std::vector<std::string> block_headers;
std::vector<std::string> block_bodys;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<RequestBlockConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkHeader(const RequestBlockConfigRule&, bool&);
bool checkBody(const RequestBlockConfigRule&, std::string_view);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, RequestBlockConfigRule&) override;
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
FilterDataStatus onRequestBody(size_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
size_t body_total_size_ = 0;
bool check_body_ = false;
std::optional<std::reference_wrapper<RequestBlockConfigRule>> config_;
};
#ifdef NULL_PLUGIN
} // namespace request_block
} // namespace null_plugin
} // namespace proxy_wasm
#endif

237
plugins/wasm-cpp/extensions/request_block/plugin_test.cc Normal file
View File

@@ -0,0 +1,237 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/request_block/plugin.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace request_block {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_request_block_plugin(
"request_block", []() {
return std::make_unique<NullPlugin>(request_block::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, getHeaderMapPairs, (WasmHeaderMapType, Pairs*));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class RequestBlockTest : public ::testing::Test {
protected:
RequestBlockTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("request_block");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == ":path") {
*result = path_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
ON_CALL(*mock_context_,
getHeaderMapPairs(WasmHeaderMapType::RequestHeaders, testing::_))
.WillByDefault([&](WasmHeaderMapType, Pairs* result) {
*result = headers_;
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getBuffer(testing::_))
.WillByDefault([&](WasmBufferType type) {
if (type == WasmBufferType::HttpRequestBody) {
return &body_;
}
return &config_;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~RequestBlockTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string authority_;
std::string route_name_;
std::string path_;
Pairs headers_;
BufferBase body_;
BufferBase config_;
};
TEST_F(RequestBlockTest, CaseSensitive) {
std::string configuration = R"(
{
"block_urls": ["?foo=bar", "swagger.html"],
"block_headers": ["headerKey", "headerValue"],
"block_bodys": ["Hello World"]
})";
config_.set({configuration.data(), configuration.size()});
EXPECT_TRUE(root_context_->configure(configuration.size()));
path_ = "/?foo=BAR";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/?foo=bar";
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/swagger.html?foo=BAR";
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "";
headers_ = {{"headerKey", "123"}};
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
headers_ = {{"abc", "headerValue"}};
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
headers_ = {{"abc", "123"}};
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
body_.set("Hello World");
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestBody(11, true),
FilterDataStatus::StopIterationNoBuffer);
body_.set("hello world");
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_EQ(context_->onRequestBody(11, true), FilterDataStatus::Continue);
}
TEST_F(RequestBlockTest, CaseInsensitive) {
std::string configuration = R"(
{
"case_sensitive": false,
"blocked_code": 404,
"block_urls": ["?foo=bar", "swagger.html"],
"block_headers": ["headerKey", "headerValue"],
"block_bodys": ["Hello World"]
})";
config_.set({configuration.data(), configuration.size()});
EXPECT_TRUE(root_context_->configure(configuration.size()));
path_ = "/?foo=BAR";
EXPECT_CALL(*mock_context_, sendLocalResponse(404, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/swagger.html?foo=bar";
EXPECT_CALL(*mock_context_, sendLocalResponse(404, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "";
headers_ = {{"headerkey", "123"}};
EXPECT_CALL(*mock_context_, sendLocalResponse(404, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
headers_ = {{"abc", "headervalue"}};
EXPECT_CALL(*mock_context_, sendLocalResponse(404, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
headers_ = {{"abc", "123"}};
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
body_.set("hello world");
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
EXPECT_CALL(*mock_context_, sendLocalResponse(404, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestBody(11, true),
FilterDataStatus::StopIterationNoBuffer);
}
} // namespace request_block
} // namespace null_plugin
} // namespace proxy_wasm

55
plugins/wasm-cpp/extensions/sni_misdirect/BUILD Normal file
View File

@@ -0,0 +1,55 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "sni_misdirect.wasm",
srcs = [
"plugin.cc",
"plugin.h",
],
deps = [
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/strings",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
],
)
cc_library(
name = "sni_misdirect_lib",
srcs = [
"plugin.cc",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
visibility = ["//visibility:public"],
alwayslink = 1,
deps = [
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/strings",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util",
],
)
cc_test(
name = "sni_misdirect_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":sni_misdirect_lib",
"@com_google_absl//absl/strings:str_format",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "sni_misdirect",
wasm_file = ":sni_misdirect.wasm",
)

111
plugins/wasm-cpp/extensions/sni_misdirect/plugin.cc Normal file
View File

@@ -0,0 +1,111 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/sni_misdirect/plugin.h"
#include "absl/strings/match.h"
#include "absl/strings/str_format.h"
#include "common/http_util.h"
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace sni_misdirect {
PROXY_WASM_NULL_PLUGIN_REGISTRY
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_sni_misdirect_plugin(
"envoy.wasm.sni_misdirect", []() {
return std::make_unique<NullPlugin>(sni_misdirect::context_registry_);
});
#endif
static RegisterContextFactory register_SNIMisdirect(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
namespace {
void misdirectedRequest() {
sendLocalResponse(421, "Misdirected Request", "", {});
}
} // namespace
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
std::string protocol;
// no need to check HTTP/1.0 and HTTP/1.1
if (getValue({"request", "protocol"}, &protocol) &&
absl::StartsWith(protocol, "HTTP/1")) {
return FilterHeadersStatus::Continue;
}
// no need to check http scheme
std::string scheme;
if (getValue({"request", "scheme"}, &scheme) && scheme != "https") {
return FilterHeadersStatus::Continue;
}
// no need to check grpc
auto content_type_header =
getRequestHeader(Wasm::Common::Http::Header::ContentType);
auto content_type = content_type_header->view();
auto grpc_value =
absl::string_view(Wasm::Common::Http::ContentTypeValues::Grpc.data(),
Wasm::Common::Http::ContentTypeValues::Grpc.size());
if (absl::StartsWith(
absl::string_view(content_type.data(), content_type.size()),
grpc_value) &&
(content_type.size() == grpc_value.size() ||
content_type.at(grpc_value.size()) == '+')) {
LOG_DEBUG("ignore grpc");
return FilterHeadersStatus::Continue;
}
std::string sni;
if (!getValue({"connection", "requested_server_name"}, &sni) || sni.empty()) {
LOG_DEBUG("failed to get sni");
return FilterHeadersStatus::Continue;
}
auto host_header = getRequestHeader(":authority");
auto host = host_header->view();
if (host.empty()) {
LOG_CRITICAL("failed to get authority");
return FilterHeadersStatus::Continue;
}
host = Wasm::Common::Http::stripPortFromHost(host);
LOG_DEBUG(absl::StrFormat("sni:%s authority:%s", sni, host));
if (sni == host) {
return FilterHeadersStatus::Continue;
}
auto isWildcardSNI = absl::StartsWith(sni, "*.");
if (!isWildcardSNI) {
misdirectedRequest();
return FilterHeadersStatus::StopIteration;
}
if (!absl::StrContains(absl::string_view(host.data(), host.size()),
sni.substr(1))) {
misdirectedRequest();
return FilterHeadersStatus::StopIteration;
}
return FilterHeadersStatus::Continue;
}
#ifdef NULL_PLUGIN
} // namespace sni_misdirect
} // namespace null_plugin
} // namespace proxy_wasm
#endif

60
plugins/wasm-cpp/extensions/sni_misdirect/plugin.h Normal file
View File

@@ -0,0 +1,60 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_set>
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace sni_misdirect {
#endif
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
};
#ifdef NULL_PLUGIN
} // namespace sni_misdirect
} // namespace null_plugin
} // namespace proxy_wasm
#endif

197
plugins/wasm-cpp/extensions/sni_misdirect/plugin_test.cc Normal file
View File

@@ -0,0 +1,197 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/sni_misdirect/plugin.h"
#include <initializer_list>
#include "absl/strings/str_format.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace sni_misdirect {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_sni_misdirect_plugin(
"sni_misdirect", []() {
return std::make_unique<NullPlugin>(sni_misdirect::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class SNIMisdirectTest : public ::testing::Test {
protected:
SNIMisdirectTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("sni_misdirect");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == "content-type") {
*result = content_type_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
if (path == absl::StrFormat("%s%c%s%c", "connection", 0,
"requested_server_name", 0)) {
*result = sni_;
}
if (path ==
absl::StrFormat("%s%c%s%c", "request", 0, "protocol", 0)) {
*result = protocol_;
}
if (path == absl::StrFormat("%s%c%s%c", "request", 0, "scheme", 0)) {
*result = scheme_;
}
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~SNIMisdirectTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string protocol_ = "HTTP/2";
std::string authority_;
std::string sni_;
std::string content_type_;
std::string scheme_ = "https";
};
TEST_F(SNIMisdirectTest, OnMatch) {
authority_ = "a.example.com";
sni_ = "b.example.com";
EXPECT_CALL(*mock_context_, sendLocalResponse(421, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "a.example.com";
sni_ = "a.example.com";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "a.example.com:80";
sni_ = "a.example.com";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "a.test.com";
sni_ = "*.example.com";
EXPECT_CALL(*mock_context_, sendLocalResponse(421, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "a.example.com";
sni_ = "*.example.com";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "a.example.com";
sni_ = "b.example.com";
protocol_ = "HTTP/1.1";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "a.example.com";
sni_ = "";
protocol_ = "HTTP/2";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "a.example.com";
sni_ = "b.example.com";
protocol_ = "HTTP/2";
content_type_ = "application/grpc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "a.example.com";
sni_ = "b.example.com";
protocol_ = "HTTP/2";
content_type_ = "application/grpc+";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "a.example.com";
sni_ = "b.example.com";
protocol_ = "HTTP/2";
content_type_ = "application/grpc-web";
EXPECT_CALL(*mock_context_, sendLocalResponse(421, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "a.example.com";
sni_ = "b.example.com";
protocol_ = "HTTP/2";
scheme_ = "http";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
} // namespace sni_misdirect
} // namespace null_plugin
} // namespace proxy_wasm