jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-05-10 05:47:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add plugins (#27)

Browse Source
This commit is contained in:
澄潭
2022-11-04 17:46:43 +08:00
committed by GitHub
parent 5ac966495c
commit 1a0ed73cd5
92 changed files with 35435 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
plugins/wasm-cpp/extensions/jwt_auth/BUILD Normal file
View File

@@ -0,0 +1,68 @@
load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
load("//bazel:wasm.bzl", "declare_wasm_image_targets")
wasm_cc_binary(
name = "jwt_auth.wasm",
srcs = [
"plugin.cc",
"plugin.h",
"extractor.cc",
"extractor.h",
"//common:base64.h",
],
deps = [
"@com_github_google_jwt_verify//:jwt_verify_lib",
"@com_google_absl//absl/container:btree",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
"//common:http_util",
"//common:rule_util",
],
)
cc_library(
name = "jwt_auth_lib",
srcs = [
"plugin.cc",
"extractor.cc",
"//common:base64.h",
],
hdrs = [
"plugin.h",
"extractor.h",
],
copts = ["-DNULL_PLUGIN"],
deps = [
"@com_github_google_jwt_verify//:jwt_verify_lib",
"@com_google_absl//absl/container:btree",
"@com_google_absl//absl/strings",
"@com_google_absl//absl/strings:str_format",
"@com_google_absl//absl/time",
"//common:json_util",
"@proxy_wasm_cpp_host//:lib",
"//common:http_util_nullvm",
"//common:rule_util_nullvm",
],
)
cc_test(
name = "jwt_auth_test",
srcs = [
"plugin_test.cc",
],
copts = ["-DNULL_PLUGIN"],
deps = [
":jwt_auth_lib",
"@com_google_googletest//:gtest",
"@com_google_googletest//:gtest_main",
"@proxy_wasm_cpp_host//:lib",
],
)
declare_wasm_image_targets(
name = "jwt_auth",
wasm_file = ":jwt_auth.wasm",
)

306
plugins/wasm-cpp/extensions/jwt_auth/extractor.cc Normal file
View File

@@ -0,0 +1,306 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// modified base on envoy/source/extensions/filters/http/jwt_authn/extractor.cc
#include "extensions/jwt_auth/extractor.h"
#include <memory>
#include <tuple>
#include <unordered_map>
#include "absl/container/btree_map.h"
#include "common/http_util.h"
#include "extensions/jwt_auth/plugin.h"
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
#endif
namespace {
/**
* Check Claims specified in Provider
*/
class JwtClaimChecker {
public:
JwtClaimChecker(const ClaimsMap& claims) : allowed_claims_(claims) {}
// check if a jwt issuer is allowed
bool check(const std::string& key, const std::string& value) const {
if (allowed_claims_.empty()) {
return true;
}
auto it = allowed_claims_.find(key);
return it != allowed_claims_.end() && it->second == value;
}
private:
// Only these specified claims are allowed.
const ClaimsMap& allowed_claims_;
};
using JwtClaimCheckerPtr = std::unique_ptr<JwtClaimChecker>;
// A base JwtLocation object to store token and claim_checker.
class JwtLocationBase : public JwtLocation {
public:
JwtLocationBase(const std::string& token,
const JwtClaimChecker& claim_checker)
: token_(token), claim_checker_(claim_checker) {}
// Get the token string
const std::string& token() const override { return token_; }
// Check if an claim has specified the location.
bool isClaimAllowed(const std::string& key,
const std::string& value) const override {
return claim_checker_.check(key, value);
}
void addClaimToHeader(const std::string& header, const std::string& value,
bool override) const override {
claims_to_headers_.emplace_back(header, value, override);
}
void claimsToHeaders() const override {
for (const auto& claim_to_header : claims_to_headers_) {
const auto& header_key = std::get<0>(claim_to_header);
const auto& header_value = std::get<1>(claim_to_header);
if (std::get<2>(claim_to_header)) {
auto header_ptr = getRequestHeader(header_key);
if (!header_ptr->view().empty()) {
replaceRequestHeader(header_key, header_value);
continue;
}
}
addRequestHeader(header_key, header_value);
}
}
private:
mutable std::vector<std::tuple<std::string, std::string, bool>>
claims_to_headers_;
// Extracted token.
const std::string token_;
// Claim checker
const JwtClaimChecker& claim_checker_;
};
// The JwtLocation for header extraction.
class JwtHeaderLocation : public JwtLocationBase {
public:
JwtHeaderLocation(const std::string& token,
const JwtClaimChecker& claim_checker,
const std::string& header)
: JwtLocationBase(token, claim_checker), header_(header) {}
void removeJwt() const override { removeRequestHeader(header_); }
private:
// the header name the JWT is extracted from.
const std::string& header_;
};
// The JwtLocation for param extraction.
class JwtParamLocation : public JwtLocationBase {
public:
JwtParamLocation(const std::string& token,
const JwtClaimChecker& claim_checker, const std::string&)
: JwtLocationBase(token, claim_checker) {}
void removeJwt() const override {
// TODO(qiwzhang): remove JWT from parameter.
}
};
// The JwtLocation for cookie extraction.
class JwtCookieLocation : public JwtLocationBase {
public:
JwtCookieLocation(const std::string& token,
const JwtClaimChecker& claim_checker)
: JwtLocationBase(token, claim_checker) {}
void removeJwt() const override {
// TODO(theshubhamp): remove JWT from cookies.
}
};
class ExtractorImpl : public Extractor {
public:
ExtractorImpl(const Consumer& provider);
std::vector<JwtLocationConstPtr> extract() const override;
private:
// add a header config
void addHeaderConfig(const ClaimsMap& claims, const std::string& header_name,
const std::string& value_prefix);
// add a query param config
void addQueryParamConfig(const ClaimsMap& claims, const std::string& param);
// add a query param config
void addCookieConfig(const ClaimsMap& claims, const std::string& cookie);
// ctor helper for a jwt provider config
void addProvider(const Consumer& provider);
// HeaderMap value type to store prefix and issuers that specified this
// header.
struct HeaderLocationSpec {
HeaderLocationSpec(const std::string& header,
const std::string& value_prefix)
: header_(header), value_prefix_(value_prefix) {}
// The header name.
std::string header_;
// The value prefix. e.g. for "Bearer <token>", the value_prefix is "Bearer
// ".
std::string value_prefix_;
// Issuers that specified this header.
JwtClaimCheckerPtr claim_checker_;
};
using HeaderLocationSpecPtr = std::unique_ptr<HeaderLocationSpec>;
// The map of (header + value_prefix) to HeaderLocationSpecPtr
std::map<std::string, HeaderLocationSpecPtr> header_locations_;
// ParamMap value type to store issuers that specified this header.
struct ParamLocationSpec {
// Issuers that specified this param.
JwtClaimCheckerPtr claim_checker_;
};
// The map of a parameter key to set of issuers specified the parameter
std::map<std::string, ParamLocationSpec> param_locations_;
// CookieMap value type to store issuers that specified this cookie.
struct CookieLocationSpec {
// Issuers that specified this param.
JwtClaimCheckerPtr claim_checker_;
};
// The map of a cookie key to set of issuers specified the cookie.
absl::btree_map<std::string, CookieLocationSpec> cookie_locations_;
};
ExtractorImpl::ExtractorImpl(const Consumer& provider) {
addProvider(provider);
}
void ExtractorImpl::addProvider(const Consumer& provider) {
for (const auto& header : provider.from_headers) {
addHeaderConfig(provider.allowd_claims, header.header, header.value_prefix);
}
for (const std::string& param : provider.from_params) {
addQueryParamConfig(provider.allowd_claims, param);
}
for (const std::string& cookie : provider.from_cookies) {
addCookieConfig(provider.allowd_claims, cookie);
}
}
void ExtractorImpl::addHeaderConfig(const ClaimsMap& claims,
const std::string& header_name,
const std::string& value_prefix) {
const std::string map_key = header_name + value_prefix;
auto& header_location_spec = header_locations_[map_key];
if (!header_location_spec) {
header_location_spec =
std::make_unique<HeaderLocationSpec>(header_name, value_prefix);
}
header_location_spec->claim_checker_ =
std::make_unique<JwtClaimChecker>(claims);
}
void ExtractorImpl::addQueryParamConfig(const ClaimsMap& claims,
const std::string& param) {
auto& param_location_spec = param_locations_[param];
param_location_spec.claim_checker_ =
std::make_unique<JwtClaimChecker>(claims);
}
void ExtractorImpl::addCookieConfig(const ClaimsMap& claims,
const std::string& cookie) {
auto& cookie_location_spec = cookie_locations_[cookie];
cookie_location_spec.claim_checker_ =
std::make_unique<JwtClaimChecker>(claims);
}
std::vector<JwtLocationConstPtr> ExtractorImpl::extract() const {
std::vector<JwtLocationConstPtr> tokens;
// Check header locations first
for (const auto& location_it : header_locations_) {
const auto& location_spec = location_it.second;
auto header = getRequestHeader(location_spec->header_)->toString();
if (!header.empty()) {
const auto pos = header.find(location_spec->value_prefix_);
if (pos == std::string::npos) {
continue;
}
auto header_strip =
header.substr(pos + location_spec->value_prefix_.length());
tokens.push_back(std::make_unique<const JwtHeaderLocation>(
header_strip, *location_spec->claim_checker_,
location_spec->header_));
}
}
// Check query parameter locations only if query parameter locations specified
// and Path() is not null
auto path = getRequestHeader(Wasm::Common::Http::Header::Path)->toString();
if (!param_locations_.empty() && !path.empty()) {
const auto& params = Wasm::Common::Http::parseAndDecodeQueryString(path);
for (const auto& location_it : param_locations_) {
const auto& param_key = location_it.first;
const auto& location_spec = location_it.second;
const auto& it = params.find(param_key);
if (it != params.end()) {
tokens.push_back(std::make_unique<const JwtParamLocation>(
it->second, *location_spec.claim_checker_, param_key));
}
}
}
// Check cookie locations.
if (!cookie_locations_.empty()) {
const auto& cookies =
Wasm::Common::Http::parseCookies([&](absl::string_view k) -> bool {
return cookie_locations_.contains(k);
});
for (const auto& location_it : cookie_locations_) {
const auto& cookie_key = location_it.first;
const auto& location_spec = location_it.second;
const auto& it = cookies.find(cookie_key);
if (it != cookies.end()) {
tokens.push_back(std::make_unique<const JwtCookieLocation>(
it->second, *location_spec.claim_checker_));
}
}
}
return tokens;
}
} // namespace
ExtractorConstPtr Extractor::create(const Consumer& provider) {
return std::make_unique<ExtractorImpl>(provider);
}
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

125
plugins/wasm-cpp/extensions/jwt_auth/extractor.h Normal file
View File

@@ -0,0 +1,125 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// modified base on envoy/source/extensions/filters/http/jwt_authn/extractor.h
#pragma once
#include <map>
#include <memory>
#include <string>
#include <vector>
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
#endif
#define PURE = 0
/**
* JwtLocation stores following token information:
*
* * extracted token string,
* * the location where the JWT is extracted from,
* * list of issuers specified the location.
*
*/
class JwtLocation {
public:
virtual ~JwtLocation() = default;
// Get the token string
virtual const std::string& token() const PURE;
// Check if claim has specified the location.
virtual bool isClaimAllowed(const std::string& key,
const std::string& value) const PURE;
// Remove the token from the headers
virtual void removeJwt() const PURE;
// Store the claim to header
virtual void addClaimToHeader(const std::string& header,
const std::string& value,
bool override) const PURE;
// Set claim to request header
virtual void claimsToHeaders() const PURE;
};
using JwtLocationConstPtr = std::unique_ptr<const JwtLocation>;
class Extractor;
using ExtractorConstPtr = std::unique_ptr<const Extractor>;
struct Consumer;
/**
* Extracts JWT from locations specified in the config.
*
* Usage example:
*
* auto extractor = Extractor::create(config);
* auto tokens = extractor->extract(headers);
* for (token : tokens) {
* Jwt jwt;
* if (jwt.parseFromString(token->token()) != Status::Ok) {
* // Handle JWT parsing failure.
* }
*
* if (need_to_remove) {
* // remove the JWT
* token->removeJwt(headers);
* }
* }
*
*/
class Extractor {
public:
virtual ~Extractor() = default;
/**
* Extract all JWT tokens from the headers. If set of header_keys or
* param_keys is not empty only those in the matching locations will be
* returned.
*
* @param headers is the HTTP request headers.
* @return list of extracted Jwt location info.
*/
virtual std::vector<JwtLocationConstPtr> extract() const PURE;
/**
* Create an instance of Extractor for a given config.
* @param from_headers header location config.
* @param from_params query param location config.
* @return the extractor object.
*/
static ExtractorConstPtr create(const Consumer& provider);
};
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

397
plugins/wasm-cpp/extensions/jwt_auth/plugin.cc Normal file
View File

@@ -0,0 +1,397 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/jwt_auth/plugin.h"
#include <algorithm>
#include <array>
#include <cstdint>
#include <string>
#include <unordered_set>
#include <utility>
#include "absl/strings/str_cat.h"
#include "absl/strings/str_format.h"
#include "absl/strings/str_join.h"
#include "absl/strings/str_split.h"
#include "common/common_util.h"
#include "common/http_util.h"
#include "common/json_util.h"
using ::nlohmann::json;
using ::Wasm::Common::JsonArrayIterate;
using ::Wasm::Common::JsonGetField;
using ::Wasm::Common::JsonObjectIterate;
using ::Wasm::Common::JsonValueAs;
#ifdef NULL_PLUGIN
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
PROXY_WASM_NULL_PLUGIN_REGISTRY
#endif
namespace {
constexpr absl::string_view InvalidTokenErrorString =
", error=\"invalid_token\"";
constexpr uint32_t MaximumUriLength = 256;
constexpr std::string_view kRcDetailJwtAuthnPrefix = "jwt_authn_access_denied";
std::string generateRcDetails(std::string_view error_msg) {
// Replace space with underscore since RCDetails may be written to access log.
// Some log processors assume each log segment is separated by whitespace.
return absl::StrCat(kRcDetailJwtAuthnPrefix, "{",
absl::StrJoin(absl::StrSplit(error_msg, ' '), "_"), "}");
}
} // namespace
static RegisterContextFactory register_JwtAuth(CONTEXT_FACTORY(PluginContext),
ROOT_FACTORY(PluginRootContext));
#define JSON_FIND_FIELD(dict, field) \
auto dict##_##field##_json = dict.find(#field); \
if (dict##_##field##_json == dict.end()) { \
LOG_WARN("can't find '" #field "' in " #dict); \
return false; \
}
#define JSON_VALUE_AS(type, src, dst, err_msg) \
auto dst##_v = JsonValueAs<type>(src); \
if (dst##_v.second != Wasm::Common::JsonParserResultDetail::OK || \
!dst##_v.first) { \
LOG_WARN(#err_msg); \
return false; \
} \
auto& dst = dst##_v.first.value();
#define JSON_FIELD_VALUE_AS(type, dict, field) \
JSON_VALUE_AS(type, dict##_##field##_json.value(), dict##_##field, \
"'" #field "' field in " #dict "convert to " #type " failed")
bool PluginRootContext::parsePluginConfig(const json& configuration,
JwtAuthConfigRule& rule) {
std::unordered_set<std::string> name_set;
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
Consumer c;
JSON_FIND_FIELD(consumer, name);
JSON_FIELD_VALUE_AS(std::string, consumer, name);
if (name_set.count(consumer_name) != 0) {
LOG_WARN("consumer already exists: " + consumer_name);
return false;
}
c.name = consumer_name;
JSON_FIND_FIELD(consumer, jwks);
JSON_FIELD_VALUE_AS(std::string, consumer, jwks);
c.jwks = google::jwt_verify::Jwks::createFrom(
consumer_jwks, google::jwt_verify::Jwks::JWKS);
if (c.jwks->getStatus() != Status::Ok) {
LOG_WARN(absl::StrFormat(
"jwks is invalid, consumer:%s, status:%s, jwks:%s",
consumer_name,
google::jwt_verify::getStatusString(c.jwks->getStatus()),
consumer_jwks));
return false;
}
std::unordered_map<std::string, std::string> claims;
auto consumer_claims_json = consumer.find("claims");
if (consumer_claims_json != consumer.end()) {
JSON_FIELD_VALUE_AS(Wasm::Common::JsonObject, consumer, claims);
if (!JsonObjectIterate(
consumer_claims, [&](std::string key) -> bool {
auto claims_claim_json = consumer_claims.find(key);
JSON_FIELD_VALUE_AS(std::string, claims, claim);
claims.emplace(std::make_pair(
key, Wasm::Common::trim(claims_claim)));
return true;
})) {
LOG_WARN("failed to parse 'claims' in consumer: " +
consumer_name);
return false;
}
}
auto consumer_issuer_json = consumer.find("issuer");
if (consumer_issuer_json != consumer.end()) {
JSON_FIELD_VALUE_AS(std::string, consumer, issuer);
claims.emplace(
std::make_pair("iss", Wasm::Common::trim(consumer_issuer)));
}
c.allowd_claims = std::move(claims);
std::vector<FromHeader> from_headers;
if (!JsonArrayIterate(
consumer, "from_headers",
[&](const json& from_header) -> bool {
JSON_FIND_FIELD(from_header, name);
JSON_FIELD_VALUE_AS(std::string, from_header, name);
JSON_FIND_FIELD(from_header, value_prefix);
JSON_FIELD_VALUE_AS(std::string, from_header,
value_prefix);
from_headers.push_back(FromHeader{
from_header_name, from_header_value_prefix});
return true;
})) {
LOG_WARN("failed to parse 'from_headers' in consumer: " +
consumer_name);
return false;
}
std::vector<std::string> from_params;
if (!JsonArrayIterate(consumer, "from_params",
[&](const json& from_param_json) -> bool {
JSON_VALUE_AS(std::string, from_param_json,
from_param, "invalid item");
from_params.push_back(from_param);
return true;
})) {
LOG_WARN("failed to parse 'from_params' in consumer: " +
consumer_name);
return false;
}
std::vector<std::string> from_cookies;
if (!JsonArrayIterate(consumer, "from_cookies",
[&](const json& from_cookie_json) -> bool {
JSON_VALUE_AS(std::string, from_cookie_json,
from_cookie, "invalid item");
from_cookies.push_back(from_cookie);
return true;
})) {
LOG_WARN("failed to parse 'from_cookies' in consumer: " +
consumer_name);
return false;
}
if (!from_headers.empty() || !from_params.empty() ||
!from_cookies.empty()) {
c.from_headers = std::move(from_headers);
c.from_params = std::move(from_params);
c.from_cookies = std::move(from_cookies);
}
std::unordered_map<std::string, ClaimToHeader> claims_to_headers;
if (!JsonArrayIterate(
consumer, "claims_to_headers",
[&](const json& item_json) -> bool {
JSON_VALUE_AS(Wasm::Common::JsonObject, item_json, item,
"invalid item");
JSON_FIND_FIELD(item, claim);
JSON_FIELD_VALUE_AS(std::string, item, claim);
auto c2h_it = claims_to_headers.find(item_claim);
if (c2h_it != claims_to_headers.end()) {
LOG_WARN("claim to header already exists: " +
item_claim);
return false;
}
auto& c2h = claims_to_headers[item_claim];
JSON_FIND_FIELD(item, header);
JSON_FIELD_VALUE_AS(std::string, item, header);
c2h.header = std::move(item_header);
auto item_override_json = item.find("override");
if (item_override_json != item.end()) {
JSON_FIELD_VALUE_AS(bool, item, override);
c2h.override = item_override;
}
return true;
})) {
LOG_WARN("failed to parse 'claims_to_headers' in consumer: " +
consumer_name);
return false;
}
c.claims_to_headers = std::move(claims_to_headers);
auto consumer_clock_skew_seconds_json =
consumer.find("clock_skew_seconds");
if (consumer_clock_skew_seconds_json != consumer.end()) {
JSON_FIELD_VALUE_AS(uint64_t, consumer, clock_skew_seconds);
c.clock_skew = consumer_clock_skew_seconds;
}
auto consumer_keep_token_json = consumer.find("keep_token");
if (consumer_keep_token_json != consumer.end()) {
JSON_FIELD_VALUE_AS(bool, consumer, keep_token);
c.keep_token = consumer_keep_token;
}
c.extractor = Extractor::create(c);
rule.consumers.push_back(std::move(c));
name_set.insert(consumer_name);
return true;
})) {
LOG_WARN("failed to parse configuration for consumers.");
return false;
}
if (rule.consumers.empty()) {
LOG_INFO("at least one consumer has to be configured for a rule.");
return false;
}
return true;
}
Status PluginRootContext::consumerVerify(
const Consumer& consumer, uint64_t now,
std::vector<JwtLocationConstPtr>& jwt_tokens) {
auto tokens = consumer.extractor->extract();
if (tokens.empty()) {
return Status::JwtMissed;
}
for (auto& token : tokens) {
google::jwt_verify::Jwt jwt;
Status status = jwt.parseFromString(token->token());
if (status != Status::Ok) {
LOG_INFO(absl::StrFormat(
"jwt parse failed, consumer:%s, token:%s, status:%s", consumer.name,
token->token(), google::jwt_verify::getStatusString(status)));
return status;
}
StructUtils payload_getter(jwt.payload_pb_);
if (!consumer.allowd_claims.empty()) {
for (const auto& claim : consumer.allowd_claims) {
std::string value;
if (payload_getter.GetString(claim.first, &value) ==
StructUtils::WRONG_TYPE) {
LOG_INFO(absl::StrFormat(
"jwt payload invalid, consumer:%s, token:%s, claim:%s",
consumer.name, jwt.payload_str_, claim.first));
return Status::JwtVerificationFail;
}
if (value != claim.second) {
LOG_INFO(absl::StrFormat(
"jwt payload invalid, consumer:%s, claim:%s, value:%s, expect:%s",
consumer.name, claim.first, value, claim.second));
return Status::JwtVerificationFail;
}
}
}
status = jwt.verifyTimeConstraint(now, consumer.clock_skew);
if (status != Status::Ok) {
LOG_DEBUG(absl::StrFormat(
"jwt verify time failed, consumer:%s, token:%s, status:%s",
consumer.name, token->token(),
google::jwt_verify::getStatusString(status)));
return status;
}
status =
google::jwt_verify::verifyJwtWithoutTimeChecking(jwt, *consumer.jwks);
if (status != Status::Ok) {
LOG_DEBUG(absl::StrFormat(
"jwt verify failed, consumer:%s, token:%s, status:%s", consumer.name,
token->token(), google::jwt_verify::getStatusString(status)));
return status;
}
for (const auto& claim_to_header : consumer.claims_to_headers) {
std::string value;
if (payload_getter.GetString(claim_to_header.first, &value) !=
StructUtils::WRONG_TYPE) {
token->addClaimToHeader(claim_to_header.second.header, value,
claim_to_header.second.override);
} else {
uint64_t num_value;
if (payload_getter.GetUInt64(claim_to_header.first, &num_value) !=
StructUtils::WRONG_TYPE) {
token->addClaimToHeader(claim_to_header.second.header,
std::to_string((unsigned long long)num_value),
claim_to_header.second.override);
}
}
}
}
jwt_tokens = std::move(tokens);
return Status::Ok;
}
bool PluginRootContext::checkPlugin(
const JwtAuthConfigRule& rule,
const std::optional<std::unordered_set<std::string>>& allow_set) {
std::optional<Status> err_status;
bool verified = false;
uint64_t now = getCurrentTimeNanoseconds() / 1e9;
for (const auto& consumer : rule.consumers) {
std::vector<JwtLocationConstPtr> tokens;
auto status = consumerVerify(consumer, now, tokens);
if (status == Status::Ok) {
verified = true;
// global config without allow_set field allows any consumers
if (!allow_set ||
allow_set.value().find(consumer.name) != allow_set.value().end()) {
addRequestHeader("X-Mse-Consumer", consumer.name);
for (auto& token : tokens) {
if (!consumer.keep_token) {
token->removeJwt();
}
token->claimsToHeaders();
}
return true;
}
}
// use the first status
if (!err_status) {
err_status = status;
}
}
if (!verified) {
auto status = err_status ? err_status.value() : Status::JwtMissed;
auto err_str = google::jwt_verify::getStatusString(status);
auto authn_value = absl::StrCat(
"Bearer realm=\"",
Wasm::Common::Http::buildOriginalUri(MaximumUriLength), "\"");
if (status != Status::JwtMissed) {
absl::StrAppend(&authn_value, InvalidTokenErrorString);
}
sendLocalResponse(401, generateRcDetails(err_str), err_str,
{{"WWW-Authenticate", authn_value}});
} else {
sendLocalResponse(403, kRcDetailJwtAuthnPrefix, "Access Denied", {});
}
return false;
}
bool PluginRootContext::onConfigure(size_t size) {
// Parse configuration JSON string.
if (size > 0 && !configure(size)) {
LOG_WARN("configuration has errors initialization will not continue.");
setInvalidConfig();
return true;
}
return true;
}
bool PluginRootContext::configure(size_t configuration_size) {
auto configuration_data = getBufferBytes(WasmBufferType::PluginConfiguration,
0, configuration_size);
// Parse configuration JSON string.
auto result = ::Wasm::Common::JsonParse(configuration_data->view());
if (!result) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
if (!parseAuthRuleConfig(result.value())) {
LOG_WARN(absl::StrCat("cannot parse plugin configuration JSON string: ",
configuration_data->view()));
return false;
}
return true;
}
FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto* rootCtx = rootContext();
return rootCtx->checkAuthRule(
[rootCtx](const auto& config, const auto& allow_set) {
return rootCtx->checkPlugin(config, allow_set);
})
? FilterHeadersStatus::Continue
: FilterHeadersStatus::StopIteration;
}
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

117
plugins/wasm-cpp/extensions/jwt_auth/plugin.h Normal file
View File

@@ -0,0 +1,117 @@
/*
* Copyright (c) 2022 Alibaba Group Holding Ltd.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <assert.h>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include "common/route_rule_matcher.h"
#include "extensions/jwt_auth/extractor.h"
#include "jwt_verify_lib/check_audience.h"
#include "jwt_verify_lib/jwt.h"
#include "jwt_verify_lib/status.h"
#include "jwt_verify_lib/struct_utils.h"
#include "jwt_verify_lib/verify.h"
#define ASSERT(_X) assert(_X)
#ifndef NULL_PLUGIN
#include "proxy_wasm_intrinsics.h"
#else
#include "include/proxy-wasm/null_plugin.h"
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
#endif
using ::google::jwt_verify::Status;
using ::google::jwt_verify::StructUtils;
struct FromHeader {
std::string header;
std::string value_prefix;
};
struct ClaimToHeader {
std::string header;
bool override = true;
};
using ClaimsMap =
std::unordered_map<std::string /*claim*/, std::string /*claim value*/>;
struct Consumer {
std::string name;
google::jwt_verify::JwksPtr jwks;
ClaimsMap allowd_claims;
std::vector<FromHeader> from_headers = {{"Authorization", "Bearer "}};
std::vector<std::string> from_params = {"access_token"};
std::vector<std::string> from_cookies;
uint64_t clock_skew = 60;
bool keep_token = true;
std::unordered_map<std::string /*claim*/, ClaimToHeader> claims_to_headers;
ExtractorConstPtr extractor;
};
struct JwtAuthConfigRule {
std::vector<Consumer> consumers;
};
// PluginRootContext is the root context for all streams processed by the
// thread. It has the same lifetime as the worker thread and acts as target for
// interactions that outlives individual stream, e.g. timer, async calls.
class PluginRootContext : public RootContext,
public RouteRuleMatcher<JwtAuthConfigRule> {
public:
PluginRootContext(uint32_t id, std::string_view root_id)
: RootContext(id, root_id) {}
~PluginRootContext() {}
bool onConfigure(size_t) override;
bool checkPlugin(const JwtAuthConfigRule&,
const std::optional<std::unordered_set<std::string>>&);
bool configure(size_t);
private:
bool parsePluginConfig(const json&, JwtAuthConfigRule&) override;
Status consumerVerify(const Consumer&, uint64_t,
std::vector<JwtLocationConstPtr>&);
std::string extractCredential(const JwtAuthConfigRule&);
};
// Per-stream context.
class PluginContext : public Context {
public:
explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
private:
inline PluginRootContext* rootContext() {
return dynamic_cast<PluginRootContext*>(this->root());
}
};
#ifdef NULL_PLUGIN
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm
#endif

269
plugins/wasm-cpp/extensions/jwt_auth/plugin_test.cc Normal file
View File

@@ -0,0 +1,269 @@
// Copyright (c) 2022 Alibaba Group Holding Ltd.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "extensions/jwt_auth/plugin.h"
#include "common/base64.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include "include/proxy-wasm/context.h"
#include "include/proxy-wasm/null.h"
namespace proxy_wasm {
namespace null_plugin {
namespace jwt_auth {
NullPluginRegistry* context_registry_;
RegisterNullVmPluginFactory register_jwt_auth_plugin("jwt_auth", []() {
return std::make_unique<NullPlugin>(jwt_auth::context_registry_);
});
class MockContext : public proxy_wasm::ContextBase {
public:
MockContext(WasmBase* wasm) : ContextBase(wasm) {}
MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
MOCK_METHOD(WasmResult, getHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* jwt */,
std::string_view* /*result */));
MOCK_METHOD(WasmResult, addHeaderMapValue,
(WasmHeaderMapType /* type */, std::string_view /* jwt */,
std::string_view /* value */));
MOCK_METHOD(WasmResult, sendLocalResponse,
(uint32_t /* response_code */, std::string_view /* body */,
Pairs /* additional_headers */, uint32_t /* grpc_status */,
std::string_view /* details */));
MOCK_METHOD(uint64_t, getCurrentTimeNanoseconds, ());
MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
};
class JwtAuthTest : public ::testing::Test {
protected:
JwtAuthTest() {
// Initialize test VM
test_vm_ = createNullVm();
wasm_base_ = std::make_unique<WasmBase>(
std::move(test_vm_), "test-vm", "", "",
std::unordered_map<std::string, std::string>{},
AllowedCapabilitiesMap{});
wasm_base_->load("jwt_auth");
wasm_base_->initialize();
// Initialize host side context
mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
current_context_ = mock_context_.get();
ON_CALL(*mock_context_, log(testing::_, testing::_))
.WillByDefault([](uint32_t, std::string_view m) {
std::cerr << m << "\n";
return WasmResult::Ok;
});
ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view header,
std::string_view* result) {
if (header == ":authority") {
*result = authority_;
}
if (header == ":path") {
*result = path_;
}
if (header == "Authorization") {
*result = jwt_header_;
}
return WasmResult::Ok;
});
ON_CALL(*mock_context_, addHeaderMapValue(WasmHeaderMapType::RequestHeaders,
testing::_, testing::_))
.WillByDefault([&](WasmHeaderMapType, std::string_view jwt,
std::string_view value) { return WasmResult::Ok; });
ON_CALL(*mock_context_, getCurrentTimeNanoseconds()).WillByDefault([&]() {
return current_time_;
});
ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
.WillByDefault([&](std::string_view path, std::string* result) {
*result = route_name_;
return WasmResult::Ok;
});
// Initialize Wasm sandbox context
root_context_ = std::make_unique<PluginRootContext>(0, "");
context_ = std::make_unique<PluginContext>(1, root_context_.get());
}
~JwtAuthTest() override {}
std::unique_ptr<WasmBase> wasm_base_;
std::unique_ptr<WasmVm> test_vm_;
std::unique_ptr<MockContext> mock_context_;
std::unique_ptr<PluginRootContext> root_context_;
std::unique_ptr<PluginContext> context_;
std::string path_;
std::string authority_;
std::string route_name_;
std::string jwt_header_;
uint64_t current_time_;
};
TEST_F(JwtAuthTest, RSA) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-1",
"issuer": "abc",
"jwks": "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"123\",\"alg\":\"RS256\",\"n\":\"i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw\"}]}"
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmMiLCJzdWIiOiJ0ZXN0IiwiaWF0IjoxNjY1NjYwNTI3LCJleHAiOjE2NjU2NzM4MTl9.FwSnlW9NjZ_5w6cm-YqteUy4LjKCXfQCWVCGcM3RsaqBhcHTz_IFOFMLnjI9QAG_IhxPP4s0ln7-duESns4YogkmqWV0ckMKZo9OEYOLpD6kXaA6H6g9RaLedogReKk1bDauFWFBrqMwvnxIqOIPj2ZOEQcKDVxO08mPSXb5-cxbvCA2rcmBk8_JHD8DBW990IfUCrsUFP4w4Zy3HlU__ZZhaCqzukI1ZOOgwu2_wMifvdv2n2PvqRNcmpjuGJ-FUXhAduCTPO9ZLGBOZcxkPl4U28Frfb1hSEV83NfK3iPBoLjC3u-M7kc1FJHcUORy_Bof6mzBX7npYckbsb-SJA)";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(JwtAuthTest, OCT) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-2",
"issuer": "abcd",
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(JwtAuthTest, AuthZ) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-1",
"issuer": "abc",
"jwks": "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"123\",\"alg\":\"RS256\",\"n\":\"i0B67f1jggT9QJlZ_8QL9QQ56LfurrqDhpuu8BxtVcfxrYmaXaCtqTn7OfCuca7cGHdrJIjq99rz890NmYFZuvhaZ-LMt2iyiSb9LZJAeJmHf7ecguXS_-4x3hvbsrgUDi9tlg7xxbqGYcrco3anmalAFxsbswtu2PAXLtTnUo6aYwZsWA6ksq4FL3-anPNL5oZUgIp3HGyhhLTLdlQcC83jzxbguOim-0OEz-N4fniTYRivK7MlibHKrJfO3xa_6whBS07HW4Ydc37ZN3Rx9Ov3ZyV0idFblU519nUdqp_inXj1eEpynlxH60Ys_aTU2POGZh_25KXGdF_ZC_MSRw\"}]}"
},
{
"name": "consumer-2",
"issuer": "abcd",
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
}
],
"_rules_": [{
"_match_route_": [
"test1"
],
"allow": [
"consumer-1"
]
},
{
"_match_route_": [
"test2"
],
"allow": [
"consumer-2"
]
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
route_name_ = "test1";
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
route_name_ = "test2";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(JwtAuthTest, ClaimToHeader) {
std::string configuration = R"(
{
"consumers": [
{
"name": "consumer-2",
"issuer": "abcd",
"claims_to_headers": [
{
"claim": "sub",
"header": "x-sub"
},
{
"claim": "exp",
"header": "x-exp"
}
],
"jwks": "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"123\",\"k\":\"hM0k3AbXBPpKOGg__Ql2Obcq7s60myWDpbHXzgKUQdYo7YCRp0gUqkCnbGSvZ2rGEl4YFkKqIqW7mTHdj-bcqXpNr-NOznEyMpVPOIlqG_NWVC3dydBgcsIZIdD-MR2AQceEaxriPA_VmiUCwfwL2Bhs6_i7eolXoY11EapLQtutz0BV6ZxQQ4dYUmct--7PLNb4BWJyQeWu0QfbIthnvhYllyl2dgeLTEJT58wzFz5HeNMNz8ohY5K0XaKAe5cepryqoXLhA-V-O1OjSG8lCNdKS09OY6O0fkyweKEtuDfien5tHHSsHXoAxYEHPFcSRL4bFPLZ0orTt1_4zpyfew\",\"alg\":\"HS256\"}]}"
}
]
})";
BufferBase buffer;
buffer.set({configuration.data(), configuration.size()});
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
current_time_ = 1665673819 * 1e9;
jwt_header_ =
R"(Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEyMyJ9.eyJpc3MiOiJhYmNkIiwic3ViIjoidGVzdCIsImlhdCI6MTY2NTY2MDUyNywiZXhwIjoxNjY1NjczODE5fQ.7BVJOAobz_xYjsenu_CsYhYbgF1gMcqZSpaeQ8HwKmc)";
EXPECT_CALL(*mock_context_,
addHeaderMapValue(testing::_, std::string_view("x-sub"),
std::string_view("test")));
EXPECT_CALL(*mock_context_,
addHeaderMapValue(testing::_, std::string_view("x-exp"),
std::string_view("1665673819")));
EXPECT_CALL(*mock_context_,
addHeaderMapValue(testing::_, std::string_view("X-Mse-Consumer"),
std::string_view("consumer-2")));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
} // namespace jwt_auth
} // namespace null_plugin
} // namespace proxy_wasm