feat(plugins/bk-user-restriction): add new plugin (#85)

TencentBlueKing · Nov 8, 2024 · 2c82c0e · 2c82c0e
1 parent ae74265
commit 2c82c0e
Show file tree

Hide file tree

Showing 5 changed files with 539 additions and 0 deletions.
diff --git a/src/apisix/plugins/README.md b/src/apisix/plugins/README.md
@@ -44,6 +44,7 @@
 - bk-break-recursive-call                   # priority: 17700  # 该插件应默认应用于所有路由
 - bk-body-limit                             # priority: 17690
 - bk-auth-validate                          # priority: 17680
+- bk-user-restriction                       # priority: 17679
 - bk-jwt                                    # priority: 17670
 - bk-ip-restriction                         # priority: 17662
 - bk-ip-group-restriction                   # priority: 17661 (will be deprecated)

diff --git a/src/apisix/plugins/bk-core/errorx.lua b/src/apisix/plugins/bk-core/errorx.lua
@@ -251,6 +251,20 @@ function _M.new_ip_not_allowed()
     return setmetatable(error, mt)
 end
 
+function _M.new_bk_user_not_allowed()
+    local error = {
+        error = {
+            code = 1640303,
+            code_name = "BK_USER_NOT_ALLOWED",
+            message = "Request rejected by bk-user restriction",
+            result = false,
+            data = cjson_null,
+        },
+        status = 403,
+    }
+    return setmetatable(error, mt)
+end
+
 function _M.new_request_body_size_exceed()
     local error = {
         error = {

diff --git a/src/apisix/plugins/bk-user-restriction.lua b/src/apisix/plugins/bk-user-restriction.lua
@@ -0,0 +1,123 @@
+--
+-- TencentBlueKing is pleased to support the open source community by making
+-- 蓝鲸智云 - API 网关(BlueKing - APIGateway) available.
+-- Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+-- Licensed under the MIT License (the "License"); you may not use this file except
+-- in compliance with the License. You may obtain a copy of the License at
+--
+--     http://opensource.org/licenses/MIT
+--
+-- Unless required by applicable law or agreed to in writing, software distributed under
+-- the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+-- either express or implied. See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- We undertake not to change the open source license (MIT license) applicable
+-- to the current version of the project delivered to anyone in the future.
+--
+
+local core = require("apisix.core")
+local errorx = require("apisix.plugins.bk-core.errorx")
+
+
+local schema = {
+        type = "object",
+        properties = {
+            whitelist = {
+                type = "array",
+                items = { type = "string" },
+                minItems = 1,
+            },
+            blacklist = {
+                type = "array",
+                items = { type = "string" },
+                minItems = 1,
+            },
+            message = {
+                type = "string",
+                default = "The bk-user is not allowed",
+                minLength = 1,
+                maxLength = 1024,
+            },
+        },
+        oneOf = {
+            { required = { "whitelist" } },
+            { required = { "blacklist" } },
+        },
+}
+
+local plugin_name = "bk-user-restriction"
+
+local _M = {
+    version = 0.1,
+    priority = 17679,
+    name = plugin_name,
+    schema = schema,
+}
+
+
+function _M.check_schema(conf)
+    if not core.schema.check(_M.schema, conf) then
+        return false
+    end
+
+    if conf.whitelist then
+        conf.whitelist_map = {}
+        for _, user in ipairs(conf.whitelist) do
+            conf.whitelist_map[user] = true
+        end
+    end
+
+    if conf.blacklist then
+        conf.blacklist_map = {}
+        for _, user in ipairs(conf.blacklist) do
+            conf.blacklist_map[user] = true
+        end
+    end
+
+    return true
+end
+
+---@param conf any
+---@param ctx apisix.Context
+function _M.access(conf, ctx)
+    -- Return directly if "bk-resource-auth" is not loaded by checking "bk_resource_auth"
+    if ctx.var.bk_resource_auth == nil then
+        return
+    end
+
+    -- not verified user required, return directly(do nothing)
+    if not ctx.var.bk_resource_auth:get_verified_user_required() then
+        return
+    end
+
+    -- if user is nil, return directly(do nothing)
+    if ctx.var.user == nil then
+        return
+    end
+
+    -- if user is not verified, return directly(do nothing)
+    if ctx.var.user.verified == false then
+        return
+    end
+
+    local bk_username = ctx.var.user.username
+
+    if conf.whitelist_map and not conf.whitelist_map[bk_username] then
+        return errorx.exit_with_apigw_err(
+            ctx,
+            errorx.new_bk_user_not_allowed():with_fields({ message = conf.message, bk_username = bk_username }),
+            _M
+        )
+    end
+
+    if conf.blacklist_map and conf.blacklist_map[bk_username] then
+        return errorx.exit_with_apigw_err(
+            ctx,
+            errorx.new_bk_user_not_allowed():with_fields({ message = conf.message, bk_username = bk_username }),
+            _M
+        )
+    end
+end
+
+return _M