mirror of
https://github.com/alibaba/higress.git
synced 2026-02-25 05:01:19 +08:00
139 lines
4.0 KiB
Go
139 lines
4.0 KiB
Go
// Copyright (c) 2023 Alibaba Group Holding Ltd.
|
||
//
|
||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||
// you may not use this file except in compliance with the License.
|
||
// You may obtain a copy of the License at
|
||
//
|
||
// http://www.apache.org/licenses/LICENSE-2.0
|
||
//
|
||
// Unless required by applicable law or agreed to in writing, software
|
||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
// See the License for the specific language governing permissions and
|
||
// limitations under the License.
|
||
|
||
package config
|
||
|
||
import (
|
||
"encoding/json"
|
||
"fmt"
|
||
|
||
"github.com/alibaba/higress/plugins/wasm-go/pkg/wrapper"
|
||
"github.com/go-jose/go-jose/v3"
|
||
"github.com/tidwall/gjson"
|
||
)
|
||
|
||
// RuleSet 插件是否至少在一个 domain 或 route 上生效
|
||
var RuleSet bool
|
||
|
||
// ParseGlobalConfig 从wrapper提供的配置中解析并转换到插件运行时需要使用的配置。
|
||
// 此处解析的是全局配置,域名和路由级配置由 ParseRuleConfig 负责。
|
||
func ParseGlobalConfig(json gjson.Result, config *JWTAuthConfig, log wrapper.Log) error {
|
||
RuleSet = false
|
||
consumers := json.Get("consumers")
|
||
if !consumers.IsArray() {
|
||
return fmt.Errorf("failed to parse configuration for consumers: consumers is not a array")
|
||
}
|
||
|
||
consumerNames := map[string]struct{}{}
|
||
for _, v := range consumers.Array() {
|
||
c, err := ParseConsumer(v, consumerNames)
|
||
if err != nil {
|
||
log.Warn(err.Error())
|
||
continue
|
||
}
|
||
config.Consumers = append(config.Consumers, c)
|
||
}
|
||
if len(config.Consumers) == 0 {
|
||
return fmt.Errorf("at least one consumer should be configured for a rule")
|
||
}
|
||
|
||
return nil
|
||
}
|
||
|
||
// ParseRuleConfig 从wrapper提供的配置中解析并转换到插件运行时需要使用的配置。
|
||
// 此处解析的是域名和路由级配置,全局配置由 ParseConfig 负责。
|
||
func ParseRuleConfig(json gjson.Result, global JWTAuthConfig, config *JWTAuthConfig, log wrapper.Log) error {
|
||
// override config via global
|
||
*config = global
|
||
|
||
allow := json.Get("allow")
|
||
if !allow.Exists() {
|
||
return fmt.Errorf("allow is required")
|
||
}
|
||
|
||
if len(allow.Array()) == 0 {
|
||
return fmt.Errorf("allow cannot be empty")
|
||
}
|
||
|
||
for _, item := range allow.Array() {
|
||
config.Allow = append(config.Allow, item.String())
|
||
}
|
||
|
||
RuleSet = true
|
||
return nil
|
||
}
|
||
|
||
func ParseConsumer(consumer gjson.Result, names map[string]struct{}) (c *Consumer, err error) {
|
||
c = &Consumer{}
|
||
|
||
// 从gjson中取得原始JSON字符串,并使用标准库反序列化,以降低代码复杂度。
|
||
err = json.Unmarshal([]byte(consumer.Raw), c)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("failed to parse consumer: %s", err.Error())
|
||
}
|
||
|
||
// 检查consumer是否重复
|
||
if _, ok := names[c.Name]; ok {
|
||
return nil, fmt.Errorf("consumer already exists: %s", c.Name)
|
||
}
|
||
|
||
// 检查JWKs是否合法
|
||
jwks := &jose.JSONWebKeySet{}
|
||
err = json.Unmarshal([]byte(c.JWKs), jwks)
|
||
if err != nil {
|
||
return nil, fmt.Errorf("jwks is invalid, consumer:%s, status:%s, jwks:%s", c.Name, err.Error(), c.JWKs)
|
||
}
|
||
|
||
// 检查是否需要使用默认jwt抽取来源
|
||
if c.FromHeaders == nil && c.FromParams == nil && c.FromCookies == nil {
|
||
c.FromHeaders = &DefaultFromHeader
|
||
c.FromParams = &DefaultFromParams
|
||
c.FromCookies = &DefaultFromCookies
|
||
}
|
||
|
||
// 检查ClaimsToHeaders
|
||
if c.ClaimsToHeaders != nil {
|
||
// header去重
|
||
c2h := map[string]struct{}{}
|
||
|
||
// 此处需要先把指针解引用到临时变量
|
||
tmp := *c.ClaimsToHeaders
|
||
for i := range tmp {
|
||
if _, ok := c2h[tmp[i].Header]; ok {
|
||
return nil, fmt.Errorf("claim to header already exists: %s", c2h[tmp[i].Header])
|
||
}
|
||
c2h[tmp[i].Header] = struct{}{}
|
||
|
||
// 为Override填充默认值
|
||
if tmp[i].Override == nil {
|
||
tmp[i].Override = &DefaultClaimToHeaderOverride
|
||
}
|
||
}
|
||
}
|
||
|
||
// 为ClockSkewSeconds填充默认值
|
||
if c.ClockSkewSeconds == nil {
|
||
c.ClockSkewSeconds = &DefaultClockSkewSeconds
|
||
}
|
||
|
||
// 为KeepToken填充默认值
|
||
if c.KeepToken == nil {
|
||
c.KeepToken = &DefaultKeepToken
|
||
}
|
||
|
||
// consumer合法,记录consumer名称
|
||
names[c.Name] = struct{}{}
|
||
return c, nil
|
||
}
|