feat(wasm-plugin): add hmac-auth-apisix plugin (#2815)

2026-06-02 00:57:28 +08:00 · 2025-08-26 21:10:43 +08:00
parent c0ddbccbfe
commit b2ffeff7b8
5 changed files with 997 additions and 0 deletions
--- a/plugins/wasm-go/extensions/hmac-auth-apisix/config/config_test.go
+++ b/plugins/wasm-go/extensions/hmac-auth-apisix/config/config_test.go
@@ -0,0 +1,388 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/tidwall/gjson"
+)
+
+func TestParseGlobalConfig(t *testing.T) {
+	tests := []struct {
+		name        string
+		jsonConfig  string
+		expectError bool
+		validate    func(*testing.T, *HmacAuthConfig)
+	}{
+		{
+			name: "Valid config with named consumers",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"name": "consumer1",
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					},
+					{
+						"name": "consumer2",
+						"access_key": "ak2",
+						"secret_key": "sk2"
+					}
+				]
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, 2, len(config.Consumers))
+				assert.Equal(t, "consumer1", config.Consumers[0].Name)
+				assert.Equal(t, "ak1", config.Consumers[0].AccessKey)
+				assert.Equal(t, "sk1", config.Consumers[0].SecretKey)
+				assert.Equal(t, "consumer2", config.Consumers[1].Name)
+				assert.Equal(t, "ak2", config.Consumers[1].AccessKey)
+				assert.Equal(t, "sk2", config.Consumers[1].SecretKey)
+
+				// 默认值检查
+				assert.Equal(t, []string{"hmac-sha1", "hmac-sha256", "hmac-sha512"}, config.AllowedAlgorithms)
+				assert.Equal(t, 300, config.ClockSkew)
+			},
+		},
+		{
+			name: "Valid config without names (use access_key as name)",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					},
+					{
+						"access_key": "ak2",
+						"secret_key": "sk2"
+					}
+				]
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, 2, len(config.Consumers))
+				assert.Equal(t, "ak1", config.Consumers[0].Name)
+				assert.Equal(t, "ak1", config.Consumers[0].AccessKey)
+				assert.Equal(t, "ak2", config.Consumers[1].Name)
+				assert.Equal(t, "ak2", config.Consumers[1].AccessKey)
+			},
+		},
+		{
+			name: "Missing consumers",
+			jsonConfig: `{
+				"other_field": "value"
+			}`,
+			expectError: true,
+		},
+		{
+			name: "Empty consumers array",
+			jsonConfig: `{
+				"consumers": []
+			}`,
+			expectError: true,
+		},
+		{
+			name: "Missing access_key",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"secret_key": "sk1"
+					}
+				]
+			}`,
+			expectError: true,
+		},
+		{
+			name: "Missing secret_key",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1"
+					}
+				]
+			}`,
+			expectError: true,
+		},
+		{
+			name: "Duplicate access_key",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					},
+					{
+						"access_key": "ak1",
+						"secret_key": "sk2"
+					}
+				]
+			}`,
+			expectError: true,
+		},
+		{
+			name: "Valid global_auth",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"global_auth": true
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.NotNil(t, config.GlobalAuth)
+				assert.True(t, *config.GlobalAuth)
+			},
+		},
+		{
+			name: "Valid allowed_algorithms",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"allowed_algorithms": ["hmac-sha256"]
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, []string{"hmac-sha256"}, config.AllowedAlgorithms)
+			},
+		},
+		{
+			name: "Invalid allowed_algorithms",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"allowed_algorithms": ["invalid-algorithm"]
+			}`,
+			expectError: true,
+		},
+		{
+			name: "Valid clock_skew",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"clock_skew": 600
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, 600, config.ClockSkew)
+			},
+		},
+		{
+			name: "Valid signed_headers",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"signed_headers": ["host", "date"]
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, []string{"host", "date"}, config.SignedHeaders)
+			},
+		},
+		{
+			name: "Valid validate_request_body",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"validate_request_body": true
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.True(t, config.ValidateRequestBody)
+			},
+		},
+		{
+			name: "Valid hide_credentials",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"hide_credentials": true
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.True(t, config.HideCredentials)
+			},
+		},
+		{
+			name: "Valid anonymous_consumer",
+			jsonConfig: `{
+				"consumers": [
+					{
+						"access_key": "ak1",
+						"secret_key": "sk1"
+					}
+				],
+				"anonymous_consumer": "anonymous"
+			}`,
+			expectError: false,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, "anonymous", config.AnonymousConsumer)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			jsonData := gjson.Parse(tt.jsonConfig)
+			config := &HmacAuthConfig{}
+
+			defer func() {
+				if r := recover(); r != nil {
+					// 忽略日志相关的 panic
+				}
+			}()
+
+			err := ParseGlobalConfig(jsonData, config)
+
+			if tt.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				if tt.validate != nil {
+					tt.validate(t, config)
+				}
+			}
+		})
+	}
+}
+
+func TestParseOverrideRuleConfig(t *testing.T) {
+	globalConfig := HmacAuthConfig{
+		Consumers: []Consumer{
+			{
+				Name:      "consumer1",
+				AccessKey: "ak1",
+				SecretKey: "sk1",
+			},
+			{
+				Name:      "consumer2",
+				AccessKey: "ak2",
+				SecretKey: "sk2",
+			},
+		},
+		AllowedAlgorithms: []string{"hmac-sha1", "hmac-sha256", "hmac-sha512"},
+		ClockSkew:         300,
+	}
+
+	tests := []struct {
+		name        string
+		jsonConfig  string
+		validate    func(*testing.T, *HmacAuthConfig)
+		expectError bool
+	}{
+		{
+			name: "Default values when no overrides",
+			jsonConfig: `{
+				"some_other_field": "value"
+			}`,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, []string{"hmac-sha1", "hmac-sha256", "hmac-sha512"}, config.AllowedAlgorithms)
+				assert.Equal(t, 300, config.ClockSkew)
+				assert.Equal(t, 2, len(config.Consumers))
+			},
+			expectError: false,
+		},
+		{
+			name: "Valid allow list",
+			jsonConfig: `{
+				"allow": ["consumer1", "consumer2"]
+			}`,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, []string{"consumer1", "consumer2"}, config.Allow)
+			},
+			expectError: false,
+		},
+		{
+			name: "Allow list with non-existent consumer",
+			jsonConfig: `{
+				"allow": ["consumer1", "nonexistent"]
+			}`,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, []string{"consumer1", "nonexistent"}, config.Allow)
+			},
+			expectError: false,
+		},
+		{
+			name: "Empty allow list",
+			jsonConfig: `{
+				"allow": []
+			}`,
+			validate: func(t *testing.T, config *HmacAuthConfig) {
+				assert.Equal(t, []string{}, config.Allow)
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			jsonData := gjson.Parse(tt.jsonConfig)
+			config := &HmacAuthConfig{}
+
+			defer func() {
+				if r := recover(); r != nil {
+					// 忽略日志相关的 panic
+				}
+			}()
+
+			err := ParseOverrideRuleConfig(jsonData, globalConfig, config)
+
+			if tt.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				if tt.validate != nil {
+					tt.validate(t, config)
+				}
+			}
+		})
+	}
+}
+
+func TestValidAlgorithms(t *testing.T) {
+	tests := []struct {
+		algorithm string
+		valid     bool
+	}{
+		{"hmac-sha1", true},
+		{"hmac-sha256", true},
+		{"hmac-sha512", true},
+		{"invalid-algorithm", false},
+		{"", false},
+		{"hmac-md5", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.algorithm, func(t *testing.T) {
+			_, exists := validAlgorithms[tt.algorithm]
+			assert.Equal(t, tt.valid, exists)
+		})
+	}
+}