key auth support multiple credentials (#1956)

Co-authored-by: Kent Dong <ch3cho@qq.com>
2026-05-04 18:37:26 +08:00 · 2025-03-26 21:05:55 +08:00
parent 50cfa0bb4b
commit bd6708552d
6 changed files with 721 additions and 172 deletions
--- a/plugins/wasm-cpp/extensions/hmac_auth/plugin.cc
+++ b/plugins/wasm-cpp/extensions/hmac_auth/plugin.cc
@@ -294,7 +294,12 @@ bool PluginRootContext::checkConsumer(
  }
  auto key_to_name_iter = rule.key_to_name.find(std::string(ca_key));
  if (key_to_name_iter != rule.key_to_name.end()) {
-    if (allow_set && !allow_set.value().empty()) {
+    if (allow_set) {
+      if (allow_set.value().empty()) {
+        LOG_DEBUG("allow set is empty, nobody is allowed");
+        deniedUnauthorizedConsumer();
+        return false;
+      }
      if (allow_set.value().find(key_to_name_iter->second) ==
          allow_set.value().end()) {
        LOG_DEBUG(absl::StrCat("consumer is not allowed: ",
@@ -435,6 +440,7 @@ FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
  auto config = rootCtx->getMatchAuthConfig();
  config_ = config.first;
  if (!config_) {
+    LOG_DEBUG("no matched config found");
    return FilterHeadersStatus::Continue;
  }
  allow_set_ = config.second;
--- a/plugins/wasm-cpp/extensions/hmac_auth/plugin_test.cc
+++ b/plugins/wasm-cpp/extensions/hmac_auth/plugin_test.cc
@@ -624,6 +624,41 @@ TEST_F(HmacAuthTest, TimestampSecCheck) {
  EXPECT_EQ(context_->onRequestBody(0, true), FilterDataStatus::Continue);
 }

+TEST_F(HmacAuthTest, EmptyAllowSet) {
+  headers_ = {
+      {":path", "/Third/Tools/checkSign"},
+      {":method", "GET"},
+      {"accept", "application/json"},
+      {"content-type", "application/json"},
+      {"x-ca-timestamp", "1646365291734"},
+      {"x-ca-nonce", "787dd0c2-7bd8-41cd-9c19-62c05ea524a2"},
+      {"x-ca-key", "appKey"},
+      {"x-ca-signature-headers", "x-ca-key,x-ca-nonce,x-ca-timestamp"},
+      {"x-ca-signature", "EdJSFAMOWyXZOpXhevZnjuS0ZafnwnCqaSk5hz+tXo8="},
+  };
+  HmacAuthConfigRule rule;
+  rule.credentials = {{"appKey", "appSecret"}};
+  //  EXPECT_EQ(root_context_->checkPlugin(rule, std::nullopt), true);
+
+  std::string configuration = R"(
+{
+  "consumers": [{"key": "appKey", "secret": "appSecret", "name": "consumer"}],
+  "_rules_": [
+    {
+      "_match_route_prefix_":["test"],
+      "allow":[]
+    }
+  ]
+})";
+  route_name_ = "test@op1";
+  config_.set(configuration);
+  EXPECT_TRUE(root_context_->configure(configuration.size()));
+  EXPECT_CALL(*mock_context_, sendLocalResponse(403, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopAllIterationAndBuffer);
+}
+
 }  // namespace hmac_auth
 }  // namespace null_plugin
 }  // namespace proxy_wasm