jiazhizhong/higress
1
0
Fork 0
mirror of https://github.com/alibaba/higress.git synced 2026-03-06 17:40:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

key auth support multiple credentials (#1956)

Browse Source 
Co-authored-by: Kent Dong <ch3cho@qq.com>
This commit is contained in:
澄潭
2025-03-26 21:05:55 +08:00
committed by GitHub
parent 50cfa0bb4b
commit bd6708552d
6 changed files with 721 additions and 172 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
plugins/wasm-cpp/extensions/hmac_auth/plugin.cc
View File

@@ -294,7 +294,12 @@ bool PluginRootContext::checkConsumer(
}
auto key_to_name_iter = rule.key_to_name.find(std::string(ca_key));
if (key_to_name_iter != rule.key_to_name.end()) {
if (allow_set && !allow_set.value().empty()) {
if (allow_set) {
if (allow_set.value().empty()) {
LOG_DEBUG("allow set is empty, nobody is allowed");
deniedUnauthorizedConsumer();
return false;
}
if (allow_set.value().find(key_to_name_iter->second) ==
allow_set.value().end()) {
LOG_DEBUG(absl::StrCat("consumer is not allowed: ",
@@ -435,6 +440,7 @@ FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
auto config = rootCtx->getMatchAuthConfig();
config_ = config.first;
if (!config_) {
LOG_DEBUG("no matched config found");
return FilterHeadersStatus::Continue;
}
allow_set_ = config.second;

35
plugins/wasm-cpp/extensions/hmac_auth/plugin_test.cc
View File

@@ -624,6 +624,41 @@ TEST_F(HmacAuthTest, TimestampSecCheck) {
EXPECT_EQ(context_->onRequestBody(0, true), FilterDataStatus::Continue);
}
TEST_F(HmacAuthTest, EmptyAllowSet) {
headers_ = {
{":path", "/Third/Tools/checkSign"},
{":method", "GET"},
{"accept", "application/json"},
{"content-type", "application/json"},
{"x-ca-timestamp", "1646365291734"},
{"x-ca-nonce", "787dd0c2-7bd8-41cd-9c19-62c05ea524a2"},
{"x-ca-key", "appKey"},
{"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
{"x-ca-signature", "EdJSFAMOWyXZOpXhevZnjuS0ZafnwnCqaSk5hz+tXo8="},
};
HmacAuthConfigRule rule;
rule.credentials = {{"appKey", "appSecret"}};
// EXPECT_EQ(root_context_->checkPlugin(rule, std::nullopt), true);
std::string configuration = R"(
{
"consumers": [{"key": "appKey", "secret": "appSecret", "name": "consumer"}],
"_rules_": [
{
"_match_route_prefix_":["test"],
"allow":[]
}
]
})";
route_name_ = "test@op1";
config_.set(configuration);
EXPECT_TRUE(root_context_->configure(configuration.size()));
EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
testing::_, testing::_));
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopAllIterationAndBuffer);
}
} // namespace hmac_auth
} // namespace null_plugin
} // namespace proxy_wasm

333
plugins/wasm-cpp/extensions/key_auth/plugin.cc
View File

@@ -45,15 +45,13 @@ namespace {
const std::string OriginalAuthKey("X-HI-ORIGINAL-AUTH");
void deniedInvalidCredentials(const std::string& realm) {
sendLocalResponse(401, "Request denied by Key Auth check. Invalid API key",
"",
sendLocalResponse(401, "Request denied by Key Auth check. Invalid API key", "",
{{"WWW-Authenticate", absl::StrCat("Key realm=", realm)}});
}
void deniedUnauthorizedConsumer(const std::string& realm) {
sendLocalResponse(
403, "Request denied by Key Auth check. Unauthorized consumer", "",
{{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
sendLocalResponse(403, "Request denied by Key Auth check. Unauthorized consumer", "",
{{"WWW-Authenticate", absl::StrCat("Basic realm=", realm)}});
}
} // namespace
@@ -62,12 +60,16 @@ bool PluginRootContext::parsePluginConfig(const json& configuration,
KeyAuthConfigRule& rule) {
if ((configuration.find("consumers") != configuration.end()) &&
(configuration.find("credentials") != configuration.end())) {
LOG_WARN(
"The consumers field and the credentials field cannot appear at the "
"same level");
LOG_WARN("The consumers field and the credentials field cannot appear at the same level");
return false;
}
if (!JsonArrayIterate(
if ((configuration.find("consumers") == configuration.end()) &&
(configuration.find("credentials") == configuration.end())) {
LOG_WARN("No consumers and no credentials");
return false;
}
if (configuration.find("credentials") != configuration.end()) {
if (!JsonArrayIterate(
configuration, "credentials", [&](const json& credentials) -> bool {
auto credential = JsonValueAs<std::string>(credentials);
if (credential.second != Wasm::Common::JsonParserResultDetail::OK) {
@@ -76,34 +78,93 @@ bool PluginRootContext::parsePluginConfig(const json& configuration,
rule.credentials.insert(credential.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (!JsonArrayIterate(configuration, "keys", [&](const json& item) -> bool {
auto key = JsonValueAs<std::string>(item);
if (key.second != Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
rule.keys.push_back(key.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for keys.");
return false;
}
if (rule.keys.empty()) {
LOG_WARN("at least one key has to be configured for a rule.");
return false;
}
rule.keys.push_back(OriginalAuthKey);
auto it = configuration.find("realm");
if (it != configuration.end()) {
auto realm_string = JsonValueAs<std::string>(it.value());
if (realm_string.second != Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
rule.realm = realm_string.first.value();
}
it = configuration.find("in_query");
if (it != configuration.end()) {
auto in_query = JsonValueAs<bool>(it.value());
if (in_query.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_query.first) {
LOG_WARN("failed to parse 'in_query' field in filter configuration.");
return false;
}
rule.in_query = in_query.first.value();
}
it = configuration.find("in_header");
if (it != configuration.end()) {
auto in_header = JsonValueAs<bool>(it.value());
if (in_header.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_header.first) {
LOG_WARN("failed to parse 'in_header' field in filter configuration.");
return false;
}
rule.in_header = in_header.first.value();
}
if (!rule.in_query && !rule.in_header) {
LOG_WARN("at least one of 'in_query' and 'in_header' must set to true");
return false;
}
// LOG_DEBUG(rule.debugString("parse phase, credentials branch"));
}
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
Consumer c;
auto item = consumer.find("name");
if (item == consumer.end()) {
LOG_WARN("can't find 'name' field in consumer.");
return false;
}
auto name = JsonValueAs<std::string>(item.value());
if (name.second != Wasm::Common::JsonParserResultDetail::OK ||
!name.first) {
return false;
}
c.name = name.first.value();
item = consumer.find("credential");
if (item == consumer.end()) {
LOG_WARN("can't find 'credential' field in consumer.");
return false;
}
if (configuration.find("consumers") != configuration.end()) {
bool need_global_keys = false;
if (!JsonArrayIterate(
configuration, "consumers", [&](const json& consumer) -> bool {
Consumer c;
auto item = consumer.find("name");
if (item == consumer.end()) {
LOG_WARN("can't find 'name' field in consumer.");
return false;
}
auto name = JsonValueAs<std::string>(item.value());
if (name.second != Wasm::Common::JsonParserResultDetail::OK ||
!name.first) {
return false;
}
c.name = name.first.value();
if (consumer.find("credential") != consumer.end() &&
consumer.find("credentials") != consumer.end()) {
LOG_WARN("'credential' and 'credentials' can't appear at the same time.");
return false;
}
if (consumer.find("credential") == consumer.end() &&
consumer.find("credentials") == consumer.end()) {
LOG_WARN("at least one of 'credential' and 'credentials' should be set.");
return false;
}
item = consumer.find("credential");
if (item != consumer.end()) {
auto credential = JsonValueAs<std::string>(item.value());
if (credential.second != Wasm::Common::JsonParserResultDetail::OK ||
!credential.first) {
return false;
}
c.credential = credential.first.value();
c.credentials.insert(credential.first.value());
if (rule.credential_to_name.find(credential.first.value()) !=
rule.credential_to_name.end()) {
LOG_WARN(absl::StrCat("duplicate consumer credential: ",
@@ -113,106 +174,118 @@ bool PluginRootContext::parsePluginConfig(const json& configuration,
rule.credentials.insert(credential.first.value());
rule.credential_to_name.emplace(
std::make_pair(credential.first.value(), name.first.value()));
item = consumer.find("keys");
if (item != consumer.end()) {
c.keys = std::vector<std::string>{OriginalAuthKey};
}
item = consumer.find("credentials");
if (item != consumer.end()) {
if (!JsonArrayIterate(
consumer, "keys", [&](const json& key_json) -> bool {
auto key = JsonValueAs<std::string>(key_json);
if (key.second !=
Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
c.keys->push_back(key.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for consumer keys.");
consumer, "credentials", [&](const json& credential_json) -> bool {
auto credential = JsonValueAs<std::string>(credential_json);
if (credential.second != Wasm::Common::JsonParserResultDetail::OK ||
!credential.first) {
return false;
}
c.credentials.insert(credential.first.value());
if (rule.credential_to_name.find(credential.first.value()) !=
rule.credential_to_name.end()) {
LOG_WARN(absl::StrCat("duplicate consumer credential: ",
credential.first.value()));
return false;
}
rule.credentials.insert(credential.first.value());
rule.credential_to_name.emplace(
std::make_pair(credential.first.value(), name.first.value()));
return true;
})) {
LOG_WARN(absl::StrCat("failed to parse credentials for consumer: ", c.name));
return false;
}
item = consumer.find("in_query");
if (item != consumer.end()) {
auto in_query = JsonValueAs<bool>(item.value());
if (in_query.second !=
Wasm::Common::JsonParserResultDetail::OK ||
!in_query.first) {
LOG_WARN(
"failed to parse 'in_query' field in consumer "
"configuration.");
return false;
}
c.in_query = in_query.first;
}
item = consumer.find("in_header");
if (item != consumer.end()) {
auto in_header = JsonValueAs<bool>(item.value());
if (in_header.second !=
Wasm::Common::JsonParserResultDetail::OK ||
!in_header.first) {
LOG_WARN(
"failed to parse 'in_header' field in consumer "
"configuration.");
return false;
}
c.in_header = in_header.first;
}
}
item = consumer.find("keys");
if (item == consumer.end()) {
LOG_WARN("not found keys configuration for consumer " + c.name + ", will use global configuration to extract keys");
need_global_keys = true;
} else {
c.keys = std::vector<std::string>{OriginalAuthKey};
if (!JsonArrayIterate(
consumer, "keys", [&](const json& key_json) -> bool {
auto key = JsonValueAs<std::string>(key_json);
if (key.second !=
Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
c.keys->push_back(key.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for consumer keys.");
return false;
}
rule.consumers.push_back(std::move(c));
item = consumer.find("in_query");
if (item != consumer.end()) {
auto in_query = JsonValueAs<bool>(item.value());
if (in_query.second != Wasm::Common::JsonParserResultDetail::OK || !in_query.first) {
LOG_WARN("failed to parse 'in_query' field in consumer configuration.");
return false;
}
c.in_query = in_query.first;
}
item = consumer.find("in_header");
if (item != consumer.end()) {
auto in_header = JsonValueAs<bool>(item.value());
if (in_header.second !=
Wasm::Common::JsonParserResultDetail::OK ||
!in_header.first) {
LOG_WARN(
"failed to parse 'in_header' field in consumer "
"configuration.");
return false;
}
c.in_header = in_header.first;
}
}
rule.consumers.push_back(std::move(c));
return true;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
if (need_global_keys) {
if (!JsonArrayIterate(configuration, "keys", [&](const json& item) -> bool {
auto key = JsonValueAs<std::string>(item);
if (key.second != Wasm::Common::JsonParserResultDetail::OK) {
return false;
}
rule.keys.push_back(key.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for credentials.");
return false;
}
// if (rule.credentials.empty()) {
// LOG_INFO("at least one credential has to be configured for a rule.");
// return false;
// }
if (!JsonArrayIterate(configuration, "keys", [&](const json& item) -> bool {
auto key = JsonValueAs<std::string>(item);
if (key.second != Wasm::Common::JsonParserResultDetail::OK) {
LOG_WARN("failed to parse configuration for keys.");
return false;
}
auto it = configuration.find("in_query");
if (it != configuration.end()) {
auto in_query = JsonValueAs<bool>(it.value());
if (in_query.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_query.first) {
LOG_WARN("failed to parse 'in_query' field in filter configuration.");
return false;
}
rule.keys.push_back(key.first.value());
return true;
})) {
LOG_WARN("failed to parse configuration for keys.");
return false;
}
if (rule.keys.empty()) {
LOG_WARN("at least one key has to be configured for a rule.");
return false;
}
rule.keys.push_back(OriginalAuthKey);
auto it = configuration.find("realm");
if (it != configuration.end()) {
auto realm_string = JsonValueAs<std::string>(it.value());
if (realm_string.second != Wasm::Common::JsonParserResultDetail::OK) {
return false;
rule.in_query = in_query.first.value();
}
it = configuration.find("in_header");
if (it != configuration.end()) {
auto in_header = JsonValueAs<bool>(it.value());
if (in_header.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_header.first) {
LOG_WARN("failed to parse 'in_header' field in filter configuration.");
return false;
}
rule.in_header = in_header.first.value();
}
if (!rule.in_query && !rule.in_header) {
LOG_WARN("at least one of 'in_query' and 'in_header' must set to true");
return false;
}
}
rule.realm = realm_string.first.value();
}
it = configuration.find("in_query");
if (it != configuration.end()) {
auto in_query = JsonValueAs<bool>(it.value());
if (in_query.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_query.first) {
LOG_WARN("failed to parse 'in_query' field in filter configuration.");
return false;
}
rule.in_query = in_query.first.value();
}
it = configuration.find("in_header");
if (it != configuration.end()) {
auto in_header = JsonValueAs<bool>(it.value());
if (in_header.second != Wasm::Common::JsonParserResultDetail::OK ||
!in_header.first) {
LOG_WARN("failed to parse 'in_header' field in filter configuration.");
return false;
}
rule.in_header = in_header.first.value();
}
if (!rule.in_query && !rule.in_header) {
LOG_WARN("at least one of 'in_query' and 'in_header' must set to true");
return false;
// LOG_DEBUG(rule.debugString("parse phase, consumers branch"));
}
return true;
}
@@ -220,6 +293,7 @@ bool PluginRootContext::parsePluginConfig(const json& configuration,
bool PluginRootContext::checkPlugin(
const KeyAuthConfigRule& rule,
const std::optional<std::unordered_set<std::string>>& allow_set) {
// LOG_DEBUG(rule.debugString("check phase"));
if (rule.consumers.empty()) {
for (const auto& key : rule.keys) {
auto credential = extractCredential(rule.in_header, rule.in_query, key);
@@ -263,9 +337,8 @@ bool PluginRootContext::checkPlugin(
continue;
}
if (credential != consumer.credential) {
LOG_DEBUG("credential does not match the consumer's credential: " +
credential);
if (consumer.credentials.find(credential) == consumer.credentials.end()) {
LOG_DEBUG("credential " + credential + " does not match the consumer " + consumer.name);
continue;
}
@@ -277,9 +350,13 @@ bool PluginRootContext::checkPlugin(
auto credential_to_name_iter = rule.credential_to_name.find(credential);
if (credential_to_name_iter != rule.credential_to_name.end()) {
if (allow_set && !allow_set->empty()) {
if (allow_set->find(credential_to_name_iter->second) ==
allow_set->end()) {
if (allow_set) {
if (allow_set->empty()) {
LOG_DEBUG("allow set is empty, nobody is allowed");
deniedUnauthorizedConsumer(rule.realm);
return false;
}
if (allow_set->find(credential_to_name_iter->second) == allow_set->end()) {
deniedUnauthorizedConsumer(rule.realm);
LOG_DEBUG("unauthorized consumer: " +
credential_to_name_iter->second);

42
plugins/wasm-cpp/extensions/key_auth/plugin.h
View File

@@ -38,10 +38,26 @@ namespace key_auth {
struct Consumer {
std::string name;
std::string credential;
std::unordered_set<std::string> credentials;
std::optional<std::vector<std::string>> keys;
std::optional<bool> in_query = std::nullopt;
std::optional<bool> in_header = std::nullopt;
// std::string debugString() const {
// std::string msg;
// msg += "name: " + name + "\n";
// msg += " keys: \n";
// if (keys.has_value()) {
// for (const auto& item : keys.value()) {
// msg += " - " + item + "\n";
// }
// }
// msg += " credentials: \n";
// for (const auto& item : credentials) {
// msg += " - " + item + "\n";
// }
// return msg;
// }
};
struct KeyAuthConfigRule {
@@ -52,6 +68,30 @@ struct KeyAuthConfigRule {
std::vector<std::string> keys;
bool in_query = true;
bool in_header = true;
// std::string debugString(std::string prompt="") const {
// std::string msg;
// msg += prompt + "\n";
// msg += "realm: " + realm + "\n";
// msg += "keys: \n";
// for (const auto& item : keys) {
// msg += "- " + item + "\n";
// }
// msg += "credentials: \n";
// for (const auto& item : credentials) {
// msg += "- " + item + "\n";
// }
// msg += "credential_to_name: \n";
// for (const auto& item : credential_to_name) {
// msg += "- " + item.first + ": " + item.second + "\n";
// }
// msg += "consumers: \n";
// for (const auto& item : consumers) {
// msg += "- " + item.debugString();
// }
// return msg;
// }
};
// PluginRootContext is the root context for all streams processed by the

159
plugins/wasm-cpp/extensions/key_auth/plugin_test.cc
View File

@@ -148,6 +148,11 @@ TEST_F(KeyAuthTest, InQuery) {
path_ = "/test?hello=123&apiKey=123&x-api-key=def";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "pass";
path_ = "/pass?hello=123&apiKey=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(KeyAuthTest, InQueryWithConsumer) {
@@ -177,6 +182,35 @@ TEST_F(KeyAuthTest, InQueryWithConsumer) {
FilterHeadersStatus::StopIteration);
}
TEST_F(KeyAuthTest, EmptyAllowSet) {
std::string configuration = R"(
{
"consumers" : [{"credential" : "abc", "name" : "consumer1"}],
"keys" : [ "apiKey", "x-api-key" ],
"_rules_" : [ {"_match_route_" : ["test"], "allow" : []}, {"_match_route_prefix_" : ["prefix"], "allow" : []} ]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
path_ = "/test?hello=1&apiKey=abc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
route_name_ = "noauth";
path_ = "/test?hello=1&apiKey=abc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
route_name_ = "prefix@operation";
path_ = "/test?hello=1";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(KeyAuthTest, EmptyConsumer) {
std::string configuration = R"(
{
@@ -301,6 +335,131 @@ TEST_F(KeyAuthTest, ConsumerDifferentKey) {
FilterHeadersStatus::Continue);
}
TEST_F(KeyAuthTest, ConsumerMultiCredentials) {
std::string configuration = R"(
{
"global_auth": false,
"consumers": [
{
"name": "c1",
"credentials":["123","345"],
"keys": ["c1key"],
"in_header": false,
"in_query": true
},
{
"name": "c2",
"credentials":["abc","def"],
"keys": ["c2key"],
"in_header": false,
"in_query": true
}
],
"_rules_": [
{
"_match_route_": ["test"],
"allow": ["c1"]
}
]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
path_ = "/test?c1key=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
path_ = "/test?c2key=adc";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
}
TEST_F(KeyAuthTest, ConsumerDefaultKey) {
std::string configuration = R"(
{
"global_auth": false,
"consumers": [
{
"name": "c1",
"credentials":["123","345"],
"keys": ["c1key"],
"in_header": false,
"in_query": true
},
{
"name": "c2",
"credentials":["abc","def"]
}
],
"_rules_": [
{
"_match_route_": ["test"],
"allow": ["c2"]
}
],
"keys": ["defaultkey"]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
path_ = "/test?c1key=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/test?defaultkey=def";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
TEST_F(KeyAuthTest, NoGlobalKeySetting) {
std::string configuration = R"(
{
"global_auth": false,
"consumers": [
{
"name": "c1",
"credentials":["123","345"],
"keys": ["c1key"],
"in_header": false,
"in_query": true
},
{
"name": "c2",
"credentials":["abc","def"],
"keys": ["c2key"]
}
],
"_rules_": [
{
"_match_route_": ["test"],
"allow": ["c2"]
}
]
})";
BufferBase buffer;
buffer.set(configuration);
EXPECT_CALL(*mock_context_, getBuffer(WasmBufferType::PluginConfiguration))
.WillOnce([&buffer](WasmBufferType) { return &buffer; });
EXPECT_TRUE(root_context_->configure(configuration.size()));
route_name_ = "test";
path_ = "/test?c1key=123";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::StopIteration);
path_ = "/test?c2key=def";
EXPECT_EQ(context_->onRequestHeaders(0, false),
FilterHeadersStatus::Continue);
}
} // namespace key_auth
} // namespace null_plugin
} // namespace proxy_wasm