mirror of
https://github.com/alibaba/higress.git
synced 2026-06-26 02:35:02 +08:00
feat: ext auth forward_auth endpoint_mode enhancement (#1180)
This commit is contained in:
韩贤涛
GitHub
@@ -41,12 +41,12 @@ description: Ext 认证插件实现了调用外部授权服务进行认证鉴权
|
|||||||
|
|
||||||
`authorization_request`中每一项的配置字段说明
|
`authorization_request`中每一项的配置字段说明
|
||||||
|
|
||||||
| 名称 | 数据类型 | 必填 | 默认值 | 描述 |
|
| 名称 | 数据类型 | 必填 | 默认值 | 描述 |
|
||||||
| ------------------------ | ---------------------- | ---- | ------ | ------------------------------------------------------------ |
|
| ------------------------ | ---------------------- | ---- | ------ |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| `allowed_headers` | array of StringMatcher | 否 | - | 当设置后,具有相应匹配项的客户端请求头将添加到授权服务请求中的请求头中。除了用户自定义的头部匹配规则外,授权服务请求中会自动包含`Host`, `Method`, `Path`, `Content-Length` 和 `Authorization`这几个关键的HTTP头 |
|
| `allowed_headers` | array of StringMatcher | 否 | - | 当设置后,具有相应匹配项的客户端请求头将添加到授权服务请求中的请求头中。除了用户自定义的头部匹配规则外,授权服务请求中会自动包含 `Authorization` 这个HTTP头( `endpoint_mode` 为 `forward_auth` 时,会把原始请求的请求路径设置到 `X-Original-Uri` ,原始请求的HTTP Method设置到 `X-Original-Method` ) |
|
||||||
| `headers_to_add` | `map[string]string` | 否 | - | 设置将包含在授权服务请求中的请求头列表。请注意,同名的客户端请求头将被覆盖 |
|
| `headers_to_add` | `map[string]string` | 否 | - | 设置将包含在授权服务请求中的请求头列表。请注意,同名的客户端请求头将被覆盖 |
|
||||||
| `with_request_body` | bool | 否 | false | 缓冲客户端请求体,并将其发送至鉴权请求中(HTTP Method为GET、OPTIONS、HEAD请求时不生效) |
|
| `with_request_body` | bool | 否 | false | 缓冲客户端请求体,并将其发送至鉴权请求中(HTTP Method为GET、OPTIONS、HEAD请求时不生效) |
|
||||||
| `max_request_body_bytes` | int | 否 | 10MB | 设置在内存中保存客户端请求体的最大尺寸。当客户端请求体达到在此字段中设置的数值时,将会返回HTTP 413状态码,并且不会启动授权过程。注意,这个设置会优先于 `failure_mode_allow` 的配置 |
|
| `max_request_body_bytes` | int | 否 | 10MB | 设置在内存中保存客户端请求体的最大尺寸。当客户端请求体达到在此字段中设置的数值时,将会返回HTTP 413状态码,并且不会启动授权过程。注意,这个设置会优先于 `failure_mode_allow` 的配置 |
|
||||||
|
|
||||||
`authorization_response`中每一项的配置字段说明
|
`authorization_response`中每一项的配置字段说明
|
||||||
|
|
||||||
@@ -192,7 +192,7 @@ http_service:
|
|||||||
使用如下请求网关,当开启 `ext-auth` 插件后:
|
使用如下请求网关,当开启 `ext-auth` 插件后:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
curl -i http://localhost:8082/users -X GET -H "foo: bar" -H "Authorization: xxx"
|
curl -i http://localhost:8082/users?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -X GET -H "foo: bar" -H "Authorization: xxx"
|
||||||
```
|
```
|
||||||
|
|
||||||
**请求 `ext-auth` 服务成功:**
|
**请求 `ext-auth` 服务成功:**
|
||||||
@@ -203,6 +203,8 @@ curl -i http://localhost:8082/users -X GET -H "foo: bar" -H "Authorization: xxx"
|
|||||||
POST /auth HTTP/1.1
|
POST /auth HTTP/1.1
|
||||||
Host: ext-auth
|
Host: ext-auth
|
||||||
Authorization: xxx
|
Authorization: xxx
|
||||||
|
X-Original-Uri: /users?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5
|
||||||
|
X-Original-Method: GET
|
||||||
Content-Length: 0
|
Content-Length: 0
|
||||||
```
|
```
|
||||||
|
|
||||||
@@ -252,7 +254,7 @@ http_service:
|
|||||||
使用如下请求网关,当开启 `ext-auth` 插件后:
|
使用如下请求网关,当开启 `ext-auth` 插件后:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
curl -i http://localhost:8082/users -X GET -H "foo: bar" -H "Authorization: xxx" -H "X-Auth-Version: 1.0"
|
curl -i http://localhost:8082/users?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -X GET -H "foo: bar" -H "Authorization: xxx" -H "X-Auth-Version: 1.0"
|
||||||
```
|
```
|
||||||
|
|
||||||
`ext-auth` 服务将接收到如下的鉴权请求:
|
`ext-auth` 服务将接收到如下的鉴权请求:
|
||||||
@@ -261,6 +263,8 @@ curl -i http://localhost:8082/users -X GET -H "foo: bar" -H "Authorization: xxx"
|
|||||||
POST /auth HTTP/1.1
|
POST /auth HTTP/1.1
|
||||||
Host: ext-auth
|
Host: ext-auth
|
||||||
Authorization: xxx
|
Authorization: xxx
|
||||||
|
X-Original-Uri: /users?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5
|
||||||
|
X-Original-Method: GET
|
||||||
X-Auth-Version: 1.0
|
X-Auth-Version: 1.0
|
||||||
x-envoy-header: true
|
x-envoy-header: true
|
||||||
Content-Length: 0
|
Content-Length: 0
|
||||||
|
|||||||
@@ -45,7 +45,10 @@ type HttpService struct {
|
|||||||
|
|
||||||
type AuthorizationRequest struct {
|
type AuthorizationRequest struct {
|
||||||
// allowedHeaders In addition to the user’s supplied matchers,
|
// allowedHeaders In addition to the user’s supplied matchers,
|
||||||
// Host, Method, Path, Content-Length, and Authorization are automatically included to the list.
|
// Authorization are automatically included to the list.
|
||||||
|
// When the endpoint_mode is set to forward_auth,
|
||||||
|
// the original request's path is set in the X-Original-Uri header,
|
||||||
|
// and the original request's HTTP method is set in the X-Original-Method header.
|
||||||
allowedHeaders expr.Matcher
|
allowedHeaders expr.Matcher
|
||||||
headersToAdd map[string]string
|
headersToAdd map[string]string
|
||||||
withRequestBody bool
|
withRequestBody bool
|
||||||
|
|||||||
@@ -34,6 +34,8 @@ func main() {
|
|||||||
const (
|
const (
|
||||||
HeaderAuthorization string = "authorization"
|
HeaderAuthorization string = "authorization"
|
||||||
HeaderFailureModeAllow string = "x-envoy-auth-failure-mode-allowed"
|
HeaderFailureModeAllow string = "x-envoy-auth-failure-mode-allowed"
|
||||||
|
HeaderOriginalMethod string = "x-original-method"
|
||||||
|
HeaderOriginalUri string = "x-original-uri"
|
||||||
)
|
)
|
||||||
|
|
||||||
func onHttpRequestHeaders(ctx wrapper.HttpContext, config ExtAuthConfig, log wrapper.Log) types.Action {
|
func onHttpRequestHeaders(ctx wrapper.HttpContext, config ExtAuthConfig, log wrapper.Log) types.Action {
|
||||||
@@ -88,6 +90,12 @@ func checkExtAuth(ctx wrapper.HttpContext, config ExtAuthConfig, body []byte, lo
|
|||||||
extAuthReqHeaders.Set(HeaderAuthorization, authorization)
|
extAuthReqHeaders.Set(HeaderAuthorization, authorization)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// when endpoint_mode is forward_auth, add x-original-method and x-original-uri headers
|
||||||
|
if httpServiceConfig.endpointMode == EndpointModeForwardAuth {
|
||||||
|
extAuthReqHeaders.Set(HeaderOriginalMethod, ctx.Method())
|
||||||
|
extAuthReqHeaders.Set(HeaderOriginalUri, ctx.Path())
|
||||||
|
}
|
||||||
|
|
||||||
requestMethod := httpServiceConfig.requestMethod
|
requestMethod := httpServiceConfig.requestMethod
|
||||||
requestPath := httpServiceConfig.path
|
requestPath := httpServiceConfig.path
|
||||||
if httpServiceConfig.endpointMode == EndpointModeEnvoy {
|
if httpServiceConfig.endpointMode == EndpointModeEnvoy {
|
||||||
@@ -142,8 +150,8 @@ func callExtAuthServerErrorHandler(config ExtAuthConfig, statusCode int, extAuth
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Rejects client requests with statusOnError on extAuth unavailability or 5xx.
|
// rejects client requests with statusOnError on extAuth unavailability or 5xx.
|
||||||
// Otherwise, uses the extAuth's returned status code to reject requests.
|
// otherwise, uses the extAuth's returned status code to reject requests
|
||||||
statusToUse := statusCode
|
statusToUse := statusCode
|
||||||
if statusCode >= http.StatusInternalServerError {
|
if statusCode >= http.StatusInternalServerError {
|
||||||
statusToUse = int(config.statusOnError)
|
statusToUse = int(config.statusOnError)
|
||||||
|
|||||||
Reference in New Issue
Block a user