
允许不从请求参数获取认证参数 (#65)
alex-smile authored Nov 27, 2023
1 parent 39db8e6 commit 04ea6d4
Showing 14 changed files with 975 additions and 68 deletions.
18 changes: 17 additions & 1 deletion src/apisix/plugins/bk-auth-verify.lua
Expand Up @@ -118,11 +118,25 @@ local function get_auth_params_from_request(ctx, authorization_keys)
if err ~= nil then
return nil, err
elseif auth_params ~= nil then
-- 记录认证参数位置,便于统计哪些请求将认证参数放到请求参数,推动优化
ctx.var.auth_params_location = "header"
return auth_params, nil
end

if not ctx.var.bk_api_auth:allow_get_auth_params_from_parameters() then
-- 不允许从请求参数获取认证参数,直接返回
return {}, nil
end

-- from the querystring and body
return get_auth_params_from_parameters(ctx, authorization_keys), nil
auth_params = get_auth_params_from_parameters(ctx, authorization_keys)

if not pl_types.is_empty(auth_params) then
-- 记录认证参数位置,便于统计哪些请求将认证参数放到请求参数,推动优化
ctx.var.auth_params_location = "params"
end

return auth_params
end
-- utils end

Expand Down Expand Up @@ -174,6 +188,8 @@ function _M.rewrite(conf, ctx) -- luacheck: no unused
ctx.var.bk_user = user
ctx.var.bk_app_code = app["app_code"]
ctx.var.bk_username = user["username"]
-- 记录认证参数位置,便于统计哪些请求将认证参数放到请求参数,推动优化
ctx.var.auth_params_location = ctx.var.auth_params_location or ""
end

if _TEST then -- luacheck: ignore
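Review bot: The new final `return auth_params` in get_auth_params_from_request drops the explicit second value that every other exit of the function carries (`return nil, err`, `return auth_params, nil`, `return {}, nil`); callers doing `local params, err = ...` still receive nil, but the asymmetry reads as a forgotten error value, so keep it uniform with `return auth_params, nil`. The function's header is outside the hunk, so I cannot see whether ctx.var.bk_api_auth is guaranteed non-nil at this point; bk-delete-sensitive.lua in this same commit guards `ctx.var.bk_api_auth and ...` before calling a method on it, whereas the unguarded `ctx.var.bk_api_auth:allow_get_auth_params_from_parameters()` here would raise an internal error on a nil value. If it can be nil, failing closed with `if not ctx.var.bk_api_auth or not ctx.var.bk_api_auth:allow_get_auth_params_from_parameters() then return {}, nil end` preserves the "disabled" behaviour instead of a Lua error. pl_types is used but its require is not visible in these hunks; confirm it is in scope in this file.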
14 changes: 12 additions & 2 deletions src/apisix/plugins/bk-define/context-api-bkauth.lua
Expand Up @@ -112,6 +112,8 @@ function ContextApiBkAuth.new(bk_api_auth)
api_type = bk_api_auth.api_type,
unfiltered_sensitive_keys = bk_api_auth.unfiltered_sensitive_keys or {},
include_system_headers_mapping = include_system_headers_mapping,
allow_auth_from_params = bk_api_auth.allow_auth_from_params,
allow_delete_sensitive_params = bk_api_auth.allow_delete_sensitive_params,
uin_conf = UinConf.new(bk_api_auth.uin_conf),
rtx_conf = RtxConf.new(bk_api_auth.rtx_conf),
user_conf = UserConf.new(bk_api_auth.user_conf),
Expand All @@ -123,6 +125,13 @@ function ContextApiBkAuth.get_api_type(self)
return self.api_type
end

---Allow get auth_params from request parameters, such as querystring, body
---@return boolean
function ContextApiBkAuth.allow_get_auth_params_from_parameters(self)
-- 默认允许从参数获取认证信息
return self.allow_auth_from_params ~= false
end

---Get the unfiltered sensitive keys.
---@return table
function ContextApiBkAuth.get_unfiltered_sensitive_keys(self)
Expand All @@ -147,8 +156,9 @@ end

---Filter the sensitive params or not, do the filter if api_type is not ESB.
---@return boolean
function ContextApiBkAuth.is_filter_sensitive_params(self)
return self.api_type ~= ESB
function ContextApiBkAuth.should_delete_sensitive_params(self)
-- 非 esb,且允许删除敏感参数(默认允许删除)
return self.api_type ~= ESB and self.allow_delete_sensitive_params ~= false
end

function ContextApiBkAuth.is_user_type_uin(self)
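Review bot: The LDoc comment above the renamed `should_delete_sensitive_params` still describes the old rule ("do the filter if api_type is not ESB") and says nothing about the new `allow_delete_sensitive_params` switch, so it is now stale; suggest `---Whether sensitive params should be deleted: true unless api_type is ESB or allow_delete_sensitive_params is explicitly false.`. The rename changes a public method name; the only call site visible in this commit is bk-delete-sensitive.lua, and any other caller of `is_filter_sensitive_params` outside the diff would now fail with a nil-call at request time, so it is worth a grep before merging. Both new flags are open by default (`~= false`), consistent with the `default = true` entries in bk-stage-context.lua, but a stage that sets allow_delete_sensitive_params to false while leaving allow_auth_from_params true will forward credentials carried in the query string or body to the upstream unchanged; the doc block on allow_get_auth_params_from_parameters is the natural place to state that interaction so operators see it.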
13 changes: 11 additions & 2 deletions src/apisix/plugins/bk-delete-sensitive.lua
Expand Up @@ -34,6 +34,7 @@ local core = require("apisix.core")
local bk_core = require("apisix.plugins.bk-core.init")
local ngx = ngx -- luacheck: ignore
local ipairs = ipairs
local tostring = tostring

local plugin_name = "bk-delete-sensitive"

Expand All @@ -55,7 +56,6 @@ function _M.check_schema(conf)
return core.schema.check(schema, conf)
end


---Delete the sensitive parameters in the request header, uri args and body,
---it will check the first, then do the modification.
---@param ctx apisix.Context
Expand Down Expand Up @@ -103,6 +103,15 @@ local function delete_sensitive_params(ctx, sensitive_keys, unfiltered_sensitive
::continue::
end

if ctx.var.auth_params_location == "header" and (query_changed or form_changed or body_changed) then
core.log.warn(
"auth params are present in both header and request parameters, request_id: " ..
tostring(ctx.var.bk_request_id)
)
-- 记录认证参数位置,便于统计哪些请求将认证参数放到请求参数,推动优化
ctx.var.auth_params_location = "header_and_params"
end

if check_query and query_changed then
core.request.set_uri_args(ctx, uri_args)
end
Expand All @@ -127,7 +136,7 @@ local function delete_sensitive_headers()
end

function _M.rewrite(conf, ctx) -- luacheck: no unused
if ctx.var.bk_api_auth and ctx.var.bk_api_auth:is_filter_sensitive_params() then
if ctx.var.bk_api_auth and ctx.var.bk_api_auth:should_delete_sensitive_params() then
delete_sensitive_params(
ctx, bk_core.config.get_sensitive_keys(), ctx.var.bk_api_auth:get_unfiltered_sensitive_keys()
)
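Review bot: The new `ctx.var.auth_params_location == "header"` branch in delete_sensitive_params only fires if bk-auth-verify's rewrite has already set that variable before this plugin's rewrite runs; nothing in the hunk documents that ordering dependency, and if plugin priority does not guarantee it the branch is dead and "header_and_params" is never recorded, so add `-- relies on bk-auth-verify (which sets auth_params_location) running before this plugin` above the check and confirm the priorities. The warn builds its message with `..` and the newly localised `tostring`; apisix's core.log forwards varargs to ngx.log, so `core.log.warn("auth params are present in both header and request parameters, request_id: ", ctx.var.bk_request_id)` gives the same output without the extra local added at the top of the file. It is good that the message names neither the key nor the value, so the log line itself does not leak the credentials it is reporting. delete_sensitive_params starts outside the hunk, so the origin of query_changed/form_changed/body_changed is not visible here.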
17 changes: 10 additions & 7 deletions src/apisix/plugins/bk-stage-context.lua
Expand Up @@ -15,7 +15,6 @@
-- We undertake not to change the open source license (MIT license) applicable
-- to the current version of the project delivered to anyone in the future.
--

local core = require("apisix.core")
local bk_core = require("apisix.plugins.bk-core.init")
local context_api_bkauth = require("apisix.plugins.bk-define.context-api-bkauth")
Expand Down Expand Up @@ -63,6 +62,14 @@ local schema = {
type = "string",
},
},
allow_auth_from_params = {
type = "boolean",
default = true,
},
allow_delete_sensitive_params = {
type = "boolean",
default = true,
},
uin_conf = {
type = "object",
properties = {
Expand Down Expand Up @@ -132,20 +139,17 @@ local _M = {
schema = schema,
}


---@param jwt_private_key string: JWT private key (encoded in Base64)
---@return string|nil, string: The decoded JWT private key, or nil and error message if the decoding fails
---@return string|nil, string|nil: The decoded JWT private key, or nil and error message if the decoding fails
local function decode_jwt_private_key(jwt_private_key)
local decoded_private_key = ngx_decode_base64(jwt_private_key)
if not decoded_private_key then
core.log.error("failed to decode jwt_private_key with base64. jwt_private_key=", jwt_private_key)
return nil, "failed to decode jwt_private_key with base64"
end
return decoded_private_key
return decoded_private_key, nil
end



---@param conf table: The user-provided configuration for the plugin instance
---@return boolean, string|nil: true and nil if the configuration is valid, false and error message if not
function _M.check_schema(conf)
Expand All @@ -165,7 +169,6 @@ function _M.check_schema(conf)
return true
end


---@param conf table: The user-provided configuration for the plugin instance
---@param ctx api.Context: The request context
function _M.rewrite(conf, ctx)
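Review bot: decode_jwt_private_key still writes the operator's secret into the error log: the context line `core.log.error("failed to decode jwt_private_key with base64. jwt_private_key=", jwt_private_key)` emits the configured key material whenever decoding fails, and this commit touches the function's return contract but leaves that line in place; log only a fixed message or the length, e.g. `core.log.error("failed to decode jwt_private_key with base64, length=", #jwt_private_key)`. The new `---@return string|nil, string|nil` annotation and the explicit `return decoded_private_key, nil` do match the function's two exits. The two added schema properties carry only `type` and `default`; a short `description` on each stating what turning the flag off changes (no auth from query/body; sensitive params forwarded to upstream) would help whoever edits stage config understand the security effect, and the remaining files of this 14-file commit are not shown here, so I cannot see whether that documentation lives elsewhere.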
2 changes: 1 addition & 1 deletion src/apisix/t/README.md
Expand Up @@ -33,4 +33,4 @@
- [apisix source code : t](https://github.com/apache/apisix/tree/master/t)
- [test-nginx](https://github.com/openresty/test-nginx)
- [test-nginx doc: user guide](https://openresty.gitbooks.io/programming-openresty/content/testing/index.html)

- [Test::Nginx::Socket](https://metacpan.org/pod/Test::Nginx::Socket)
52 changes: 52 additions & 0 deletions src/apisix/t/bk-auth-validate.t
@@ -0,0 +1,52 @@
#
# TencentBlueKing is pleased to support the open source community by making
# 蓝鲸智云 - API 网关(BlueKing - APIGateway) available.
# Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
# Licensed under the MIT License (the "License"); you may not use this file except
# in compliance with the License. You may obtain a copy of the License at
#
# http://opensource.org/licenses/MIT
#
# Unless required by applicable law or agreed to in writing, software distributed under
# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
# either express or implied. See the License for the specific language governing permissions and
# limitations under the License.
#
# We undertake not to change the open source license (MIT license) applicable
# to the current version of the project delivered to anyone in the future.
#

use t::APISIX 'no_plan';

repeat_each(1);
no_long_string();
no_root_location();
no_shuffle();

add_block_preprocessor(sub {
my ($block) = @_;

if (!defined $block->request) {
$block->set_value("request", "GET /t");
}
});

run_tests;

__DATA__
=== TEST 1: sanity
--- config
location /t {
content_by_lua_block {
local plugin = require("apisix.plugins.bk-auth-validate")
local ok, err = plugin.check_schema({})
if not ok then
ngx.say(err)
end
ngx.say("done")
}
}
--- response_body
done
