A plugin that implements token parsing and authentication function based on wasm-go (#485)

2026-06-06 03:07:28 +08:00 · 2023-08-27 15:57:15 +08:00
parent 1051201e97
commit 2b9e3a14c2
8 changed files with 235 additions and 0 deletions
--- a/plugins/wasm-go/extensions/jwt-auth/README.md
+++ b/plugins/wasm-go/extensions/jwt-auth/README.md
@@ -0,0 +1,15 @@
+# 功能说明
+`jwt-auth`插件基于wasm-go实现了Token解析认证功能，可以判断Token是否有效，如果Token有效则继续访问后端微服务，Token无效或不存在直接拒绝并返回401
+
+# 配置字段
+|  名称 |  数据类型 | 填写要求  | 描述  |
+| ------------ | ------------ | ------------ | ------------ |
+|  token_secret_key | string  | 必填  |   配置Token解析使用的SecretKey|
+|  token_headers | string  | 必填  |   配置获取Token请求头名称|
+
+# 配置示例
+```yaml
+token_secret_key: Dav7kfq3iA8S!JUj8&CUkdnQe72E@Cw6
+token_headers: token
+```
+此例`token_secret_key`中指定的是认证服务生成Token的SecretKey;`token_headers`是携带Token访问的请求头名称；
--- a/plugins/wasm-go/extensions/jwt-auth/VERSION
+++ b/plugins/wasm-go/extensions/jwt-auth/VERSION
@@ -0,0 +1 @@
+1.0.0
--- a/plugins/wasm-go/extensions/jwt-auth/go.mod
+++ b/plugins/wasm-go/extensions/jwt-auth/go.mod
@@ -0,0 +1,18 @@
+module jwt-auth
+
+go 1.19
+
+require (
+	github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230811015533-49269b43032f
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0
+	github.com/tidwall/gjson v1.16.0
+)
+
+require (
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/magefile/mage v1.14.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/wasilibs/nottinygc v0.3.0 // indirect
+)
--- a/plugins/wasm-go/extensions/jwt-auth/go.sum
+++ b/plugins/wasm-go/extensions/jwt-auth/go.sum
@@ -0,0 +1,22 @@
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230811015533-49269b43032f h1:H+2fEuroddobcGs2Vom+osc8CE3SBHLz+JbM036Lo9w=
+github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230811015533-49269b43032f/go.mod h1:shD9qvrDS6xklAVjKYho8kHIVdW4A1vhNEOAL2miEEE=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo=
+github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 h1:kS7BvMKN+FiptV4pfwiNX8e3q14evxAWkhYbxt8EI1M=
+github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI=
+github.com/tidwall/gjson v1.16.0 h1:SyXa+dsSPpUlcwEDuKuEBJEz5vzTvOea+9rjyYodQFg=
+github.com/tidwall/gjson v1.16.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/wasilibs/nottinygc v0.3.0 h1:0L1jsJ1MsyN5tdinmFbLfuEA0TnHRcqaBM9pDTJVJmU=
+github.com/wasilibs/nottinygc v0.3.0/go.mod h1:oDcIotskuYNMpqMF23l7Z8uzD4TC0WXHK8jetlB3HIo=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/plugins/wasm-go/extensions/jwt-auth/main.go
+++ b/plugins/wasm-go/extensions/jwt-auth/main.go
@@ -0,0 +1,76 @@
+package main
+
+import (
+	"encoding/json"
+	"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
+	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
+	"github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types"
+	"github.com/tidwall/gjson"
+)
+
+// 自定义插件配置
+
+func main() {
+	wrapper.SetCtx(
+		"jwt-auth", // 配置插件名称
+		wrapper.ParseConfigBy(parseConfig),
+		wrapper.ProcessRequestHeadersBy(onHttpRequestHeaders),
+	)
+}
+
+type Config struct {
+	TokenSecretKey string // 解析Token SecretKey
+	TokenHeaders   string // 定义获取Token请求头名称
+}
+
+type Res struct {
+	Code int    `json:"code"` // 返回状态码
+	Msg  string `json:"msg"`  // 返回信息
+}
+
+func parseConfig(json gjson.Result, config *Config, log wrapper.Log) error {
+	// 解析出配置，更新到config中
+	config.TokenSecretKey = json.Get("token_secret_key").String()
+	config.TokenHeaders = json.Get("token_headers").String()
+	return nil
+}
+
+func onHttpRequestHeaders(ctx wrapper.HttpContext, config Config, log wrapper.Log) types.Action {
+	var res Res
+	if config.TokenHeaders == "" || config.TokenSecretKey == "" {
+		res.Code = 401
+		res.Msg = "参数不足"
+		data, _ := json.Marshal(res)
+		_ = proxywasm.SendHttpResponse(401, nil, data, -1)
+		return types.ActionContinue
+	}
+
+	token, err := proxywasm.GetHttpRequestHeader(config.TokenHeaders)
+	if err != nil {
+		res.Code = 401
+		res.Msg = "认证失败"
+		data, _ := json.Marshal(res)
+		_ = proxywasm.SendHttpResponse(401, nil, data, -1)
+		return types.ActionContinue
+	}
+	valid := ParseTokenValid(token, config.TokenSecretKey)
+	if valid {
+		_ = proxywasm.ResumeHttpRequest()
+		return types.ActionPause
+	} else {
+		res.Code = 401
+		res.Msg = "认证失败"
+		data, _ := json.Marshal(res)
+		_ = proxywasm.SendHttpResponse(401, nil, data, -1)
+		return types.ActionContinue
+	}
+}
+
+func ParseTokenValid(tokenString, TokenSecretKey string) bool {
+	token, _ := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		// 在这里提供用于验证签名的密钥
+		return []byte(TokenSecretKey), nil
+	})
+	return token.Valid
+}
--- a/test/e2e/conformance/tests/jwt-auth.go
+++ b/test/e2e/conformance/tests/jwt-auth.go
@@ -0,0 +1,59 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tests
+
+import (
+	"testing"
+
+	"github.com/alibaba/higress/test/e2e/conformance/utils/http"
+	"github.com/alibaba/higress/test/e2e/conformance/utils/suite"
+)
+
+func init() {
+	HigressConformanceTests = append(HigressConformanceTests, WasmPluginsJwtAuth)
+}
+
+var WasmPluginsJwtAuth = suite.ConformanceTest{
+	ShortName:   "WasmPluginsJwtAuth",
+	Description: "The Ingress in the higress-conformance-infra namespace test the jwt-auth wasmplugins.",
+	Manifests:   []string{"tests/jwt-auth.yaml"},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		testcases := []http.Assertion{
+			{
+				Meta: http.AssertionMeta{
+					TargetBackend:   "infra-backend-v1",
+					TargetNamespace: "higress-conformance-infra",
+				},
+				Request: http.AssertionRequest{
+					ActualRequest: http.Request{
+						Host:             "foo.com",
+						Path:             "/info",
+						UnfollowRedirect: true,
+					},
+				},
+				Response: http.AssertionResponse{
+					ExpectedResponse: http.Response{
+						StatusCode: 401,
+					},
+				},
+			},
+		}
+		t.Run("WasmPlugins jwt-auth", func(t *testing.T) {
+			for _, testcase := range testcases {
+				http.MakeRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, suite.GatewayAddress, testcase)
+			}
+		})
+	},
+}
--- a/test/e2e/conformance/tests/jwt-auth.yaml
+++ b/test/e2e/conformance/tests/jwt-auth.yaml
@@ -0,0 +1,43 @@
+# Copyright (c) 2022 Alibaba Group Holding Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+  name: httproute-app-root
+  namespace: higress-conformance-infra
+spec:
+  ingressClassName: higress
+  rules:
+  - host: "foo.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: infra-backend-v1
+            port:
+              number: 8080
+---
+apiVersion: extensions.higress.io/v1alpha1
+kind: WasmPlugin
+metadata:
+  name: jwt-auth
+  namespace: higress-system
+spec:
+  defaultConfig:
+    token_headers: token
+    token_secret_key: Dav7kfq3iA8S!JUj8&CUkdnQe72E@Cw6
+  url: file:///opt/plugins/wasm-go/extensions/jwt-auth/plugin.wasm
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@@ -67,6 +67,7 @@ func TestHigressConformanceTests(t *testing.T) {
 		} else {
 			higressTests = []suite.ConformanceTest{
 				tests.WasmPluginsRequestBlock,
+				tests.WasmPluginsJwtAuth,
 			}
 		}
 	} else {