jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-02-25 13:10:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add plugins (#27)

Browse Source
This commit is contained in:
澄潭
2022-11-04 17:46:43 +08:00
committed by GitHub
parent 5ac966495c
commit 1a0ed73cd5
92 changed files with 35435 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
plugins/wasm-cpp/extensions/basic_auth/BUILD Normal file
View File

@@ -0,0 +1,61 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "basic_auth.wasm",
srcs = [
"plugin.cc",
"plugin.h",
"//common:base64.h",
],
deps = [
"//common:rule_util",
"//common:json_util",
"//common:crypto_util",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
],
)
cc_library(
name = "basic_auth_lib",
srcs = [
"plugin.cc",
"//common:base64.h",
],
hdrs = [
"plugin.h",
],
copts = ["-DNULL_PLUGIN"],
visibility = ["//visibility:public"],
alwayslink = 1,
deps = [
"//common:rule_util",
"//common:json_util",
"//common:crypto_util",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/time",
"@proxy_wasm_cpp_host//:lib",
],
)
cc_test(
name = "basic_auth_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":basic_auth_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
linkopts = ["-lcrypt"],
)
declare_wasm_image_targets(
name = "basic_auth",
wasm_file = ":basic_auth.wasm",
)

351
plugins/wasm-cpp/extensions/basic_auth/plugin.cc Normal file
View File

@@ -0,0 +1,351 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/basic_auth/plugin.h"
#include <array>
#include <functional>
#include <optional>
#include <utility>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_split.h"
#include "common/base64.h"
#include "common/common_util.h"
#include "common/crypto_util.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace basic_auth {
PROXY_WASM_NULL_PLUGIN_REGISTRY
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_basic_auth_plugin(
"envoy.wasm.basic_auth", []() {
return std::make_unique<NullPlugin>(basic_auth::context_registry_);
});
#endif
static RegisterContextFactory register_BasicAuth(
CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
namespace {
void deniedNoBasicAuthData(const std::string& realm) {
sendLocalResponse(
401,
"Request denied by Basic Auth check. No Basic "
"Authentication information found.",
"", {{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
void deniedInvalidCredentials(const std::string& realm) {
sendLocalResponse(
401,
"Request denied by Basic Auth check. Invalid "
"username and/or password",
"", {{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
void deniedUnauthorizedConsumer(const std::string& realm) {
sendLocalResponse(
403, "Request denied by Basic Auth check. Unauthorized consumer", "",
{{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
} // namespace
bool PluginRootContext::parsePluginConfig(const json& configuration,
BasicAuthConfigRule& rule) {
if ((configuration.find("consumers") != configuration.end()) &&
(configuration.find("credentials") != configuration.end())) {
LOG_WARN(
"The consumers field and the credentials field cannot appear at the "
"same level");
return false;
}
auto it = configuration.find("encrypted");
if (it != configuration.end()) {
auto passwd_encrypted = JsonValueAs<bool>(it.value());
if (passwd_encrypted.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse passwd_encrypted");
return false;
}
rule.passwd_encrypted = passwd_encrypted.first.value();
}
// no consumer name
if (!JsonArrayIterate(
configuration, "credentials", [&](const json& credentials) -> bool {
auto credential = JsonValueAs<std::string>(credentials);
if (credential.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("credential cannot be parsed");
return false;
}
// Check if credential has `:` in it. If it has, it needs to be
// base64 encoded.
if (absl::StrContains(credential.first.value(), ":")) {
return addBasicAuthConfigRule(rule, credential.first.value(),
std::nullopt, false);
}
if (rule.passwd_encrypted) {
LOG_WARN("colon not found in encrypted credential");
return false;
}
// Otherwise, try base64 decode and insert into credential list if
// it can be decoded.
if (!Base64::decodeWithoutPadding(credential.first.value())
.empty()) {
return addBasicAuthConfigRule(rule, credential.first.value(),
std::nullopt, true);
}
return false;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
// with consumer name
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
auto item = consumer.find("name");
if (item == consumer.end()) {
LOG_WARN("can't find 'name' field in consumer.");
return false;
}
auto name = JsonValueAs<std::string>(item.value());
if (name.second != Wasm::Common::JsonParserResultDetail::OK ||
!name.first) {
LOG_WARN("'name' cannot be parsed");
return false;
}
item = consumer.find("credential");
if (item == consumer.end()) {
LOG_WARN("can't find 'credential' field in consumer.");
return false;
}
auto credential = JsonValueAs<std::string>(item.value());
if (credential.second != Wasm::Common::JsonParserResultDetail::OK ||
!credential.first) {
LOG_WARN("field 'credential' cannot be parsed");
return false;
}
// Check if credential has `:` in it. If it has, it needs to be
// base64 encoded.
if (absl::StrContains(credential.first.value(), ":")) {
return addBasicAuthConfigRule(rule, credential.first.value(),
name.first, false);
}
if (rule.passwd_encrypted) {
LOG_WARN("colon not found in encrypted credential");
return false;
}
// Otherwise, try base64 decode and insert into credential list if
// it can be decoded.
if (!Base64::decodeWithoutPadding(credential.first.value())
.empty()) {
return addBasicAuthConfigRule(rule, credential.first.value(),
name.first, true);
}
return false;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (rule.encoded_credentials.empty() && rule.encrypted_credentials.empty()) {
LOG_INFO("at least one credential has to be configured for a rule.");
return false;
}
it = configuration.find("realm");
if (it != configuration.end()) {
auto realm_string = JsonValueAs<std::string>(it.value());
if (realm_string.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("cannot parse realm");
return false;
}
rule.realm = realm_string.first.value();
}
return true;
}
bool PluginRootContext::addBasicAuthConfigRule(
BasicAuthConfigRule& rule, const std::string& credential,
const std::optional<std::string>& name, bool base64_encoded) {
std::string stored_str;
const std::string* stored_ptr = nullptr;
if (!base64_encoded && !rule.passwd_encrypted) {
stored_str = Base64::encode(credential.data(), credential.size());
stored_ptr = &stored_str;
} else {
stored_ptr = &credential;
}
if (!rule.passwd_encrypted) {
rule.encoded_credentials.insert(*stored_ptr);
} else {
std::vector<std::string> pair =
absl::StrSplit(*stored_ptr, absl::MaxSplits(":", 2));
if (pair.size() != 2) {
LOG_WARN(absl::StrCat("invalid encrypted credential: ", *stored_ptr));
return false;
}
rule.encrypted_credentials.emplace(
std::make_pair(std::move(pair[0]), std::move(pair[1])));
}
if (name) {
if (rule.credential_to_name.find(*stored_ptr) !=
rule.credential_to_name.end()) {
LOG_WARN(absl::StrCat("duplicate consumer credential: ", *stored_ptr));
return false;
}
rule.credential_to_name.emplace(std::make_pair(*stored_ptr, name.value()));
}
return true;
}
bool PluginRootContext::checkPlugin(
const BasicAuthConfigRule& rule,
const std::optional<std::unordered_set<std::string>>& allow_set) {
auto authorization_header = getRequestHeader("authorization");
auto authorization = authorization_header->view();
// Check if the Basic auth header starts with "Basic "
if (!absl::StartsWith(Wasm::Common::stdToAbsl(authorization), "Basic ")) {
deniedNoBasicAuthData(rule.realm);
return false;
}
auto authorization_strip =
absl::StripPrefix(Wasm::Common::stdToAbsl(authorization), "Basic ");
std::string to_find_name;
if (!rule.passwd_encrypted) {
auto auth_credential_iter =
rule.encoded_credentials.find(std::string(authorization_strip));
// Check if encoded credential is part of the credential_to_name
// map from our container to grant or deny access.
if (auth_credential_iter == rule.encoded_credentials.end()) {
deniedInvalidCredentials(rule.realm);
return false;
}
to_find_name = std::string(authorization_strip);
} else {
auto user_and_passwd = Base64::decodeWithoutPadding(
Wasm::Common::abslToStd(authorization_strip));
if (user_and_passwd.empty()) {
LOG_WARN(
absl::StrCat("invalid base64 authorization: ", authorization_strip));
deniedInvalidCredentials(rule.realm);
return false;
}
std::vector<std::string> pair =
absl::StrSplit(user_and_passwd, absl::MaxSplits(":", 2));
if (pair.size() != 2) {
LOG_WARN(
absl::StrCat("invalid decoded authorization: ", user_and_passwd));
deniedInvalidCredentials(rule.realm);
return false;
}
auto encrypted_iter = rule.encrypted_credentials.find(pair[0]);
if (encrypted_iter == rule.encrypted_credentials.end()) {
LOG_DEBUG(absl::StrCat("username not found: ", pair[0]));
deniedInvalidCredentials(rule.realm);
return false;
}
auto expect_encrypted = encrypted_iter->second;
std::string actual_encrypted;
if (!Wasm::Common::Crypto::crypt(pair[1], expect_encrypted,
actual_encrypted)) {
LOG_DEBUG(absl::StrCat("crypt failed, expect: ", pair[1]));
deniedInvalidCredentials(rule.realm);
return false;
}
LOG_DEBUG(absl::StrCat("expect_encrypted: ", expect_encrypted,
", actual_encrypted: ", actual_encrypted));
if (expect_encrypted != actual_encrypted) {
LOG_DEBUG(absl::StrCat("invalid encrypted: ", actual_encrypted,
", expect: ", expect_encrypted));
deniedInvalidCredentials(rule.realm);
return false;
}
to_find_name = absl::StrCat(pair[0], ":", expect_encrypted);
}
// Check if this credential has a consumer name. If so, check if this
// consumer is allowed to access. If allow_set is empty, allow all consumers.
auto credential_to_name_iter = rule.credential_to_name.find(to_find_name);
if (credential_to_name_iter != rule.credential_to_name.end()) {
if (allow_set && !allow_set.value().empty()) {
if (allow_set.value().find(credential_to_name_iter->second) ==
allow_set.value().end()) {
deniedUnauthorizedConsumer(rule.realm);
return false;
}
}
addRequestHeader("X-Mse-Consumer", credential_to_name_iter->second);
}
return true;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
Wasm::Common::stdToAbsl(configuration_data->view())));
return false;
}
if (!parseAuthRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
Wasm::Common::stdToAbsl(configuration_data->view())));
return false;
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->checkAuthRule(
[rootCtx](const auto& config, const auto& allow_set) {
return rootCtx->checkPlugin(config, allow_set);
})
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
#ifdef NULL_PLUGIN
} // namespace basic_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

87
plugins/wasm-cpp/extensions/basic_auth/plugin.h Normal file
View File

@@ -0,0 +1,87 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_set>
#include "common/route_rule_matcher.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace basic_auth {
#endif
struct BasicAuthConfigRule {
std::unordered_map<std::string, std::string> encrypted_credentials;
std::unordered_set<std::string> encoded_credentials;
std::unordered_map<std::string, std::string> credential_to_name;
std::string realm = "MSE Gateway";
bool passwd_encrypted = false;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<BasicAuthConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkPlugin(const BasicAuthConfigRule&,
const std::optional<std::unordered_set<std::string>>&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, BasicAuthConfigRule&) override;
bool addBasicAuthConfigRule(BasicAuthConfigRule& rule,
const std::string& credential,
const std::optional<std::string>& name,
bool base64_encoded);
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace basic_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

969
plugins/wasm-cpp/extensions/basic_auth/plugin_test.cc Normal file
View File

@@ -0,0 +1,969 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/basic_auth/plugin.h"
#include "common/base64.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace basic_auth {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_basic_auth_plugin("basic_auth", []() {
return std::make_unique<NullPlugin>(basic_auth::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, addHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* key */,
std::string_view /* value */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class BasicAuthTest : public ::testing::Test {
protected:
BasicAuthTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("basic_auth");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == "authorization") {
if (authorization_header_.empty()) {
authorization_header_ =
"Basic " + Base64::encode(cred_.data(), cred_.size());
}
*result = authorization_header_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view key,
std::string_view value) { return WasmResult::Ok; });
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~BasicAuthTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string authority_;
std::string cred_;
std::string route_name_;
std::string authorization_header_;
};
TEST_F(BasicAuthTest, OnConfigureSuccess) {
// without consumer
{
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2",
"YWRtaW4zOmFkbWluMw==" ],
"_rules_": [
{
"_match_route_":[ "abc", "test" ],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2",
"YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin:admin", "admin2:admin2", "ok:test",
"YWRtaW4zOmFkbWluMw==" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"},
{"credential" : "postuser1:123456", "name" : "consumer3"},
{"credential" : "postuser2:123456", "name" : "consumer4"}
],
"_rules_" : [
{
"_match_route_" : ["route-1"],
"allow" : [ "consumer1", "consumer2" ]
},
{
"_match_domain_" : ["*.example.com"],
"allow" : [ "consumer3", "consumer4" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureNoRules) {
// without consumer
{
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"},
{"credential" : "postuser1:123456", "name" : "consumer3"},
{"credential" : "postuser2:123456", "name" : "consumer4"}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureOnlyRules) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_":[ "test.com.*"],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_" : [
{
"_match_route_" : ["route-1"],
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"}
]
},
{
"_match_domain_" : ["*.example.com"],
"consumers" : [
{"credential" : "postuser1:123456", "name" : "consumer3"},
{"credential" : "postuser2:123456", "name" : "consumer4"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureEmptyRules) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_" : [
{
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureDuplicateRules) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_": ["abc.com"],
"_match_route_": ["abc"],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_": ["abc.com"],
"_match_route_": ["abc"],
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"},
{"credential" : "getuser2:123456", "name" : "consumer2"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureNoCredentials) {
// without consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":[ "abc", "test" ],
"credentials":[ ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
{
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":[ "abc", "test" ],
"consumers":[ ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureEmptyConfig) {
std::string configuration = "{}";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
TEST_F(BasicAuthTest, OnConfigureDuplicateCredential) {
// without consumer
// "admin:admin" base64 encoded is "YWRtaW46YWRtaW4="
{
std::string configuration = R"(
{
"credentials":[ "admin:admin", "YWRtaW46YWRtaW4=" ]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
// with consumer
// a consumer credential cannot be mapped to two name
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "admin:admin", "name" : "consumer1"},
{"credential" : "YWRtaW46YWRtaW4=", "name" : "consumer2"},
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
// with consumer
// two consumer credentials can be mapped to the same name
{
std::string configuration = R"(
{
"consumers" : [
{"credential" : "admin:admin", "name" : "consumer"},
{"credential" : "admin2:admin2", "name" : "consumer"}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
}
}
TEST_F(BasicAuthTest, OnConfigureCredentialsWithConsumers) {
std::string configuration = R"(
{
"_rules_" : [
{
"_match_route_" : ["route-1"],
"consumers" : [
{"credential" : "getuser1:123456", "name" : "consumer1"}
],
"credentials" : ["ok:test", "admin:admin", "admin2:admin2"]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_FALSE(root_context_->configure(configuration.size()));
}
TEST_F(BasicAuthTest, RuleAllow) {
std::string configuration = R"(
{
"_rules_": [
{
"_match_route_":[ "test", "config" ],
"credentials":[ "ok:test", "admin2:admin2", "YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin:admin"]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "config";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "nope";
authority_ = "www.example.com:8080";
cred_ = "admin:admin";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, RuleWithConsumerAllow) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin2:admin2", "name" : "consumer2"},
{"credential" : "YWRtaW4zOmFkbWluMw==", "name" : "consumer3"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test", "config"],
"allow" : [ "consumer_ok", "consumer2", "consumer3"]
},
{
"_match_domain_" : ["test.com", "*.example.com"],
"allow" : [ "consumer" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "config";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "nope";
authority_ = "www.example.com:8080";
cred_ = "admin:admin";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, RuleWithEncryptedConsumerAllow) {
std::string configuration = R"(
{
"encrypted": true,
"consumers" : [
{"credential" : "myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC", "name": "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test_allow"],
"allow" : [ "consumer"]
},
{
"_match_route_" : ["test_deny"],
"allow" : []
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test_allow";
cred_ = "myName:myPassword";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "test_deny";
cred_ = "abc:123";
authorization_header_ = "";
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, RuleDeny) {
std::string configuration = R"(
{
"_rules_": [
{
"_match_domain_":[ "test.com", "example.*" ],
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
authority_ = "example.com";
cred_ = "wrong-cred";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "example.com";
cred_ = "admin2:admin2";
authorization_header_ = Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, RuleWithConsumerDeny) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_domain_" : ["test.com", "*.example.com"],
"allow" : [ "consumer" ]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
authority_ = "www.example.com";
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "www.example.com";
cred_ = "admin:admin";
authorization_header_ = Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, GlobalAllow) {
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ],
"_rules_": [
{
"_match_route_":[ "test", "config" ],
"credentials":[ "admin3:admin3", "YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin4:admin4"]
},
{
"_match_route_":["crypt"],
"credentials": ["myName:rqXexS6ZhobKA"],
"encrypted": true
},
{
"_match_route_":["bcrypt"],
"credentials": ["myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC"],
"encrypted": true
},
{
"_match_route_":["apr1"],
"credentials": ["myName:$apr1$EXfBN1bF$nuywSFTnPTcqbH5z4x6IG/"],
"encrypted": true
},
{
"_match_route_":["plain"],
"credentials": ["myName:{PLAIN}myPassword"],
"encrypted": true
},
{
"_match_route_":["sha"],
"credentials": ["myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE="],
"encrypted": true
},
{
"_match_route_":["ssha"],
"credentials": ["myName:{SSHA}98JUfJee5Wb13m5683sLku40P3Y2VjNX"],
"encrypted": true
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "test.com";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "test";
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "";
authorization_header_ = "";
cred_ = "myName:myPassword";
route_name_ = "crypt";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "bcrypt";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "apr1";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "plain";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "sha";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "ssha";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, GlobalWithConsumerAllow) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin2:admin2", "name" : "consumer2"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test", "config"],
"consumers" : [
{"credential" : "admin3:admin3", "name" : "consumer3"},
{"credential" : "YWRtaW41OmFkbWluNQ==", "name" : "consumer5"}
]
},
{
"_match_domain_" : ["test.com", "*.example.com"],
"consumers" : [
{"credential" : "admin4:admin4", "name" : "consumer4"}
]
},
{
"_match_route_" : ["crypt"],
"encrypted" : true,
"consumers" : [
{"credential" : "myName:$2y$05$c4WoMPo3SXsafkva.HHa6uXQZWr7oboPiC2bT/r7q1BB8I2s0BRqC", "name": "consumer crypt"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "ok:test";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authority_ = "test.com";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "test";
cred_ = "admin3:admin3";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
authorization_header_ = "";
authority_ = "";
route_name_ = "crypt";
cred_ = "myName:myPassword";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(BasicAuthTest, GlobalDeny) {
std::string configuration = R"(
{
"credentials":[ "ok:test", "admin:admin", "admin2:admin2" ],
"_rules_": [
{
"_match_route_":[ "test", "config" ],
"credentials":[ "admin3:admin3", "YWRtaW4zOmFkbWluMw==" ]
},
{
"_match_domain_":[ "test.com", "*.example.com" ],
"credentials":[ "admin4:admin4"]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "wrong-cred";
route_name_ = "config";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "www.example.com";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
route_name_ = "config";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(BasicAuthTest, GlobalWithConsumerDeny) {
std::string configuration = R"(
{
"consumers" : [
{"credential" : "ok:test", "name" : "consumer_ok"},
{"credential" : "admin2:admin2", "name" : "consumer2"},
{"credential" : "admin:admin", "name" : "consumer"}
],
"_rules_" : [
{
"_match_route_" : ["test", "config"],
"consumers" : [
{"credential" : "admin3:admin3", "name" : "consumer3"},
{"credential" : "YWRtaW41OmFkbWluNQ==", "name" : "consumer5"}
]
},
{
"_match_domain_" : ["test.com", "*.example.com"],
"consumers" : [
{"credential" : "admin4:admin4", "name" : "consumer4"}
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
cred_ = "wrong-cred";
route_name_ = "config";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
authority_ = "www.example.com";
cred_ = "admin2:admin2";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
route_name_ = "config";
cred_ = "admin4:admin4";
authorization_header_ = "Basic " + Base64::encode(cred_.data(), cred_.size());
EXPECT_CALL(*mock_context_, sendLocalResponse(401, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
} // namespace basic_auth
} // namespace null_plugin
} // namespace proxy_wasm