feat(plugin): implement golang version of plugin jwt-auth (#743)

Signed-off-by: Ink33 <Ink33@smlk.org>

plugins/wasm-go/extensions/jwt-auth/handler/handler.go

@@ -0,0 +1,159 @@
+// Copyright (c) 2023 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package handler
+
+import (
+	"time"
+
+	cfg "github.com/alibaba/higress/plugins/wasm-go/extensions/jwt-auth/config"
+	"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
+	"github.com/higress-group/proxy-wasm-go-sdk/proxywasm/types"
+)
+
+// jwt-auth 插件认证逻辑与 basic-auth 一致：
+// - global_auth == true 开启全局生效：
+//   - 若当前 domain/route 未配置 allow 列表，即未配置该插件：则在所有 consumers 中查找，如果找到则认证通过，否则认证失败 (1*)
+//   - 若当前 domain/route 配置了该插件：则在 allow 列表中查找，如果找到则认证通过，否则认证失败
+//
+// - global_auth == false 非全局生效：(2*)
+//   - 若当前 domain/route 未配置该插件：则直接放行
+//   - 若当前 domain/route 配置了该插件：则在 allow 列表中查找，如果找到则认证通过，否则认证失败
+//
+// - global_auth 未设置：
+//   - 若没有一个 domain/route 配置该插件：则遵循 (1*)
+//   - 若有至少一个 domain/route 配置该插件：则遵循 (2*)
+//
+// https://github.com/alibaba/higress/blob/e09edff827b94fa5bcc149bbeadc905361100c2a/plugins/wasm-go/extensions/basic-auth/main.go#L191
+func OnHTTPRequestHeaders(ctx wrapper.HttpContext, config cfg.JWTAuthConfig, log wrapper.Log) types.Action {
+	var (
+		noAllow            = len(config.Allow) == 0 // 未配置 allow 列表，表示插件在该 domain/route 未生效
+		globalAuthNoSet    = config.GlobalAuthCheck() == cfg.GlobalAuthNoSet
+		globalAuthSetTrue  = config.GlobalAuthCheck() == cfg.GlobalAuthTrue
+		globalAuthSetFalse = config.GlobalAuthCheck() == cfg.GlobalAuthFalse
+	)
+
+	// 不需要认证而直接放行的情况：
+	// - global_auth == false 且 当前 domain/route 未配置该插件
+	// - global_auth 未设置 且 有至少一个 domain/route 配置该插件 且 当前 domain/route 未配置该插件
+	if globalAuthSetFalse || (cfg.RuleSet && globalAuthNoSet) {
+		if noAllow {
+			log.Info("authorization is not required")
+			return types.ActionContinue
+		}
+	}
+
+	header := &proxywasmProvider{}
+	actionMap := map[string]func() types.Action{}
+	unAuthzConsumer := ""
+
+	// 匹配consumer
+	for i := range config.Consumers {
+		err := consumerVerify(config.Consumers[i], time.Now(), header, log)
+		if err != nil {
+			log.Warn(err.Error())
+			if v, ok := err.(*ErrDenied); ok {
+				actionMap[config.Consumers[i].Name] = v.denied
+			}
+			continue
+		}
+
+		// 全局生效：
+		// - global_auth == true 且 当前 domain/route 未配置该插件
+		// - global_auth 未设置 且 没有任何一个 domain/route 配置该插件
+		if (globalAuthSetTrue && noAllow) || (globalAuthNoSet && !cfg.RuleSet) {
+			log.Infof("consumer %q authenticated", config.Consumers[i].Name)
+			return authenticated(config.Consumers[i].Name)
+		}
+
+		// 全局生效，但当前 domain/route 配置了 allow 列表
+		if globalAuthSetTrue && !noAllow {
+			if !contains(config.Consumers[i].Name, config.Allow) {
+				log.Warnf("jwt verify failed, consumer %q not allow",
+					config.Consumers[i].Name)
+				actionMap[config.Consumers[i].Name] = deniedUnauthorizedConsumer
+				unAuthzConsumer = config.Consumers[i].Name
+				continue
+			}
+			log.Infof("consumer %q authenticated", config.Consumers[i].Name)
+			return authenticated(config.Consumers[i].Name)
+		}
+
+		// 非全局生效
+		if globalAuthSetFalse || (globalAuthNoSet && cfg.RuleSet) {
+			if !noAllow { // 配置了 allow 列表
+				if !contains(config.Consumers[i].Name, config.Allow) {
+					log.Warnf("jwt verify failed, consumer %q not allow",
+						config.Consumers[i].Name)
+					actionMap[config.Consumers[i].Name] = deniedUnauthorizedConsumer
+					unAuthzConsumer = config.Consumers[i].Name
+					continue
+				}
+				log.Infof("consumer %q authenticated", config.Consumers[i].Name)
+				return authenticated(config.Consumers[i].Name)
+			}
+		}
+
+		// switch config.GlobalAuthCheck() {
+
+		// case cfg.GlobalAuthNoSet:
+		// 	if !cfg.RuleSet {
+		// 		log.Infof("consumer %q authenticated", config.Consumers[i].Name)
+		// 		return authenticated(config.Consumers[i].Name)
+		// 	}
+		// case cfg.GlobalAuthTrue:
+		// 	if len(config.Allow) == 0 {
+		// 		log.Infof("consumer %q authenticated", config.Consumers[i].Name)
+		// 		return authenticated(config.Consumers[i].Name)
+		// 	}
+		// 	fallthrough // 若 allow 列表不为空，则 fallthrough 到需要检查 allow 列表的逻辑中
+
+		// // 全局生效设置为 false
+		// case cfg.GlobalAuthFalse:
+		// 	if !contains(config.Consumers[i].Name, config.Allow) {
+		// 		log.Warnf("jwt verify failed, consumer %q not allow",
+		// 			config.Consumers[i].Name)
+		// 		actionMap[config.Consumers[i].Name] = deniedUnauthorizedConsumer
+		// 		unAuthzConsumer = config.Consumers[i].Name
+		// 		continue
+		// 	}
+		// 	log.Infof("consumer %q authenticated", config.Consumers[i].Name)
+		// 	return authenticated(config.Consumers[i].Name)
+		// }
+	}
+
+	if len(config.Allow) == 1 {
+		if unAuthzConsumer != "" {
+			log.Warnf("consumer %q denied", unAuthzConsumer)
+			return deniedUnauthorizedConsumer()
+		}
+		if v, ok := actionMap[config.Allow[0]]; ok {
+			log.Warnf("consumer %q denied", config.Allow[0])
+			return v()
+		}
+	}
+
+	// 拒绝兜底
+	log.Warnf("all consumers verify failed")
+	return deniedNotAllow()
+}
+
+func contains(str string, arr []string) bool {
+	for _, i := range arr {
+		if i == str {
+			return true
+		}
+	}
+	return false
+}