diff --git a/src/apisix/editions/ee/plugins/bk-cache/access-token.lua b/src/apisix/editions/ee/plugins/bk-cache/access-token.lua index a4838b9..5ceebe1 100644 --- a/src/apisix/editions/ee/plugins/bk-cache/access-token.lua +++ b/src/apisix/editions/ee/plugins/bk-cache/access-token.lua @@ -17,7 +17,7 @@ -- local core = require("apisix.core") local access_token_define = require("apisix.plugins.bk-define.access-token") -local bkauth_component = require("apisix.plugins.bk-components.bkauth") +-- local bkauth_component = require("apisix.plugins.bk-components.bkauth") local ssm_component = require("apisix.plugins.bk-components.ssm") local ACCESS_TOKEN_CACHE_TTL = 600 @@ -34,12 +34,15 @@ local access_token_lrucache = core.lrucache.new( local _M = {} local function get_access_token(access_token) - local bkauth_token, err = bkauth_component.verify_access_token(access_token) - if bkauth_token ~= nil then - return { - token = access_token_define.new(bkauth_token.bk_app_code, bkauth_token.username, bkauth_token.expires_in), - } - end + local err + err = "authentication based on access_token is not supported" + + -- local bkauth_token, err = bkauth_component.verify_access_token(access_token) + -- if bkauth_token ~= nil then + -- return { + -- token = access_token_define.new(bkauth_token.bk_app_code, bkauth_token.username, bkauth_token.expires_in) + -- } + -- end if ssm_component.is_configured() then local ssm_token @@ -58,7 +61,10 @@ end function _M.get_access_token(access_token) local key = access_token - local result = access_token_lrucache(key, nil, get_access_token, access_token) + local result, err = access_token_lrucache(key, nil, get_access_token, access_token) + if result == nil then + return nil, err + end return result.token, result.err end diff --git a/src/apisix/editions/ee/plugins/bk-cache/bk-token.lua b/src/apisix/editions/ee/plugins/bk-cache/bk-token.lua index 589455a..a9fae1b 100644 --- a/src/apisix/editions/ee/plugins/bk-cache/bk-token.lua 
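Review bot: In `get_access_token` (the `@@ -34,12 +34,15 @@` hunk) the bkauth verifier is switched off by commenting the block out, and the `@@ -17,7 +17,7 @@` hunk does the same to its `require`. Commented-out code in a token-verification function makes it harder to audit which verifier is live and invites an accidental re-enable. I would delete both and leave a single why-comment such as `-- bkauth verification removed: <reason / tracking issue>`, and fold the two-step assignment into `local err = "authentication based on access_token is not supported"`. The function body continues past the hunk, so how `err` is reported when ssm is configured but fails cannot be checked from here.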
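Review bot: The new `result == nil` guard in `_M.get_access_token` (the `@@ -58,7 +61,10 @@` hunk) forwards whatever `err` the cache returned, which may itself be nil, so a caller could receive neither a token nor an error. If `access_token_lrucache` can return `nil` without a message (its implementation is not visible here), a caller that rejects only on a non-nil error would not fail closed. `return nil, err or "failed to get access_token"` makes the failure explicit. A one-line comment stating the return contract (`token, err`) would also help.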
+++ b/src/apisix/editions/ee/plugins/bk-cache/bk-token.lua @@ -36,9 +36,8 @@ function _M.get_username_by_bk_token(bk_token) local result, err = bk_token_lrucache(key, nil, bklogin_component.get_username_by_bk_token, bk_token) if result == nil then return nil, err - else - return result.username, result.error_message end + return result.username, result.error_message end return _M diff --git a/src/apisix/editions/ee/tests/bk-cache/test-access-token.lua b/src/apisix/editions/ee/tests/bk-cache/test-access-token.lua index 197c7a3..38a3a10 100644 --- a/src/apisix/editions/ee/tests/bk-cache/test-access-token.lua +++ b/src/apisix/editions/ee/tests/bk-cache/test-access-token.lua @@ -15,35 +15,23 @@ -- We undertake not to change the open source license (MIT license) applicable -- to the current version of the project delivered to anyone in the future. -- - local access_token_cache = require("apisix.plugins.bk-cache.access-token") -local bkauth_component = require("apisix.plugins.bk-components.bkauth") local ssm_component = require("apisix.plugins.bk-components.ssm") local uuid = require("resty.jit-uuid") describe( "access_token cache", function() - local bkauth_verify_access_token_result - local bkauth_verify_access_token_err local ssm_verify_access_token_result local ssm_verify_access_token_err local ssm_is_configured before_each( function() - bkauth_verify_access_token_result = nil - bkauth_verify_access_token_err = nil ssm_verify_access_token_result = nil ssm_verify_access_token_err = nil ssm_is_configured = false - stub( - bkauth_component, "verify_access_token", function() - return bkauth_verify_access_token_result, bkauth_verify_access_token_err - end - ) - stub( ssm_component, "verify_access_token", function() return ssm_verify_access_token_result, ssm_verify_access_token_err @@ -60,7 +48,6 @@ describe( after_each( function() - bkauth_component.verify_access_token:revert() ssm_component.verify_access_token:revert() ssm_component.is_configured:revert() end 
@@ -69,30 +56,7 @@ describe( context( "local get_access_token", function() it( - "bkauth verify ok", function() - bkauth_verify_access_token_result = { - bk_app_code = "my-app", - username = "admin", - expires_in = 10, - } - bkauth_verify_access_token_err = nil - - local result = access_token_cache._get_access_token("fake-access-token") - assert.is_same( - result.token, { - app_code = "my-app", - user_id = "admin", - expires_in = 10, - } - ) - assert.is_nil(result.err) - end - ) - - it( - "bkauth verify fail, ssm verify ok", function() - bkauth_verify_access_token_result = nil - bkauth_verify_access_token_err = "bkauth err" + "ssm verify ok", function() ssm_verify_access_token_result = { bk_app_code = "my-foo", username = "kitty", @@ -114,9 +78,7 @@ describe( ) it( - "bkauth verify fail, ssm verify fail", function() - bkauth_verify_access_token_result = nil - bkauth_verify_access_token_err = "bkauth error" + "ssm verify fail, and is configured", function() ssm_verify_access_token_result = nil ssm_verify_access_token_err = "ssm error" ssm_is_configured = true @@ -128,23 +90,19 @@ describe( ) it( - "bkauth verify fail, ssm is not configured", function() - bkauth_verify_access_token_result = nil - bkauth_verify_access_token_err = "bkauth error" + "ssm verify fail, but not configured", function() ssm_verify_access_token_result = nil ssm_verify_access_token_err = "ssm error" ssm_is_configured = nil local result = access_token_cache._get_access_token("fake-access-token") assert.is_nil(result.token) - assert.is_equal(result.err, "bkauth error") + assert.is_equal(result.err, "authentication based on access_token is not supported") end ) it( - "bkauth verify fail, ssm is not configured", function() - bkauth_verify_access_token_result = nil - bkauth_verify_access_token_err = "bkauth error" + "ssm verify ok, but not configured", function() ssm_verify_access_token_result = { bk_app_code = "my-foo", username = "kitty", 
@@ -155,7 +113,7 @@ describe( local result = access_token_cache._get_access_token("fake-access-token") assert.is_nil(result.token) - assert.is_equal(result.err, "bkauth error") + assert.is_equal(result.err, "authentication based on access_token is not supported") end ) end @@ -165,7 +123,8 @@ describe( "get_access_token", function() it( "get access_token from cache, ok", function() - bkauth_verify_access_token_result = { + ssm_is_configured = true + ssm_verify_access_token_result = { bk_app_code = "my-app", username = "admin", expires_in = 100, @@ -181,15 +140,15 @@ describe( } ) assert.is_nil(err) - assert.stub(bkauth_component.verify_access_token).was_called_with(access_token) + assert.stub(ssm_component.verify_access_token).was_called_with(access_token) -- get from cache access_token_cache.get_access_token(access_token) - assert.stub(bkauth_component.verify_access_token).was_called(1) + assert.stub(ssm_component.verify_access_token).was_called(1) -- get from func access_token_cache.get_access_token(uuid.generate_v4()) - assert.stub(bkauth_component.verify_access_token).was_called(2) + assert.stub(ssm_component.verify_access_token).was_called(2) end ) @@ -199,20 +158,20 @@ describe( bkauth_verify_access_token_err = "bkauth error" ssm_verify_access_token_result = nil ssm_verify_access_token_err = "ssm error" - ssm_is_configured = false + ssm_is_configured = true local access_token = uuid.generate_v4() local result, err = access_token_cache.get_access_token(access_token) assert.is_nil(result) - assert.is_equal(err, "bkauth error") + assert.is_not_nil(err) -- get from cache access_token_cache.get_access_token(access_token) - assert.stub(bkauth_component.verify_access_token).was_called(1) + assert.stub(ssm_component.verify_access_token).was_called(1) -- get from func access_token_cache.get_access_token(uuid.generate_v4()) - assert.stub(bkauth_component.verify_access_token).was_called(2) + assert.stub(ssm_component.verify_access_token).was_called(2) end ) end 
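Review bot: The context line `bkauth_verify_access_token_err = "bkauth error"` at the top of the `@@ -199,20 +158,20 @@` hunk now creates a global, because this commit's first hunk for the file removes the `local bkauth_verify_access_token_err` declaration. It should be deleted, along with any matching `bkauth_verify_access_token_result` assignment just above the hunk if one remains. In the same test the assertion is relaxed from an exact message to `assert.is_not_nil(err)`, which would also pass for an unrelated error. Since the stub returns `"ssm error"`, pinning the expected string keeps the failure path covered, once it is confirmed against the function body, which is not fully shown in this diff. The test body starts before the hunk.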
diff --git a/src/build/patches/002_upstream_parse_domain_for_nodes.patch b/src/build/patches/002_upstream_parse_domain_for_nodes.patch
new file mode 100644
index 0000000..a42083f
--- /dev/null
+++ b/src/build/patches/002_upstream_parse_domain_for_nodes.patch
@@ -0,0 +1,19 @@
+diff --git a/apisix/utils/upstream.lua b/apisix/utils/upstream.lua
+index c39d4cce..5d23ce49 100644
+--- a/apisix/utils/upstream.lua
++++ b/apisix/utils/upstream.lua
+@@ -82,6 +82,14 @@ local function parse_domain_for_nodes(nodes)
+ core.table.insert(new_nodes, node)
+ end
+ end
++
++ -- patch for: https://github.com/apache/apisix/issues/10093#issuecomment-1738381865
++ if #new_nodes == 0 then
++ local err = "no valid ip found"
++ core.log.error("parse domain for nodes: ", core.json.delay_encode(nodes), " error: ", err)
++ return nil, err
++ end
++
+ return new_nodes
+ end
+ _M.parse_domain_for_nodes = parse_domain_for_nodes
diff --git a/src/build/patches/003_patch_no_valid_ip_found_502.patch b/src/build/patches/003_patch_no_valid_ip_found_502.patch
new file mode 100644
index 0000000..a853aa2
--- /dev/null
+++ b/src/build/patches/003_patch_no_valid_ip_found_502.patch
@@ -0,0 +1,17 @@
+diff --git a/apisix/init.lua b/apisix/init.lua
+index 388af426..9899c332 100644
+--- a/apisix/init.lua
++++ b/apisix/init.lua
+@@ -431,6 +431,12 @@ function _M.handle_upstream(api_ctx, route, enable_websocket)
+ route, err = parse_domain_in_route(route)
+ if err then
+ core.log.error("failed to get resolved route: ", err)
++
++ -- if the dns resolve get no valid ips, return 502 , treat it as `pick_server` fail
++ if err == "no valid ip found" then
++ return core.response.exit(502)
++ end
++
+ return core.response.exit(500)
+ end
+
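Review bot: `#new_nodes == 0` in the block added to `parse_domain_for_nodes` is also true when `nodes` arrives empty, so an upstream with no nodes at all would be logged at error level and reported as `no valid ip found` although nothing failed to resolve. Whether an empty list can reach this function is not visible in the hunk. The function now returns `nil, err` where the visible tail previously returned `new_nodes`, so callers outside this hunk need a nil check. If the empty-input case is possible, guard it with `if #nodes > 0 and #new_nodes == 0 then`, and add a comment that the message text is matched literally by the 502 handling patched into `apisix/init.lua`.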
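Review bot: The 502 branch added to `handle_upstream` compares `err` to the literal `"no valid ip found"`, so it works only while `parse_domain_in_route` passes the message from `parse_domain_for_nodes` through unchanged. Any prefixing or rewording makes the request fall through to 500 with nothing flagging the change. A constant shared by both files would remove the coupling; at minimum add `-- must stay identical to the error returned by parse_domain_for_nodes in apisix/utils/upstream.lua` above the comparison. `handle_upstream` starts and ends outside the hunk.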