From f916024d5352484f32c69c338adaf9b0d9a06496 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Wed, 13 Mar 2024 14:38:42 -0400 Subject: [PATCH 1/6] feat: pass-throughs for specific non-authz service endpoints --- src/proxy_auth_v2.lua | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/src/proxy_auth_v2.lua b/src/proxy_auth_v2.lua index fcfabbf..65d2f48 100644 --- a/src/proxy_auth_v2.lua +++ b/src/proxy_auth_v2.lua @@ -39,6 +39,27 @@ local err_500_and_log = function(detail, err) end -- END FUNCTION DEFINITIONS -----–-----–-----–-----–-----–-----–-----–-----–-----–------- +local req = ngx.req +local req_method = req.get_method() +local req_uri = ngx.var.request_uri -- pre-rewrite URI +local uri = ngx.var.uri -- post-rewrite URI + +-- BEGIN OPEN ENDPOINT LOGIC ------------------------------------------------------------ + +-- Pass through all endpoint calls which used to be proxied by bento_public +-- TODO: replace this with properly authorization-compatible services + +if req_method == "GET" and ( + uri == "/service-info" or + req_uri == "/api/metadata/api/public" or + req_uri == "/api/metadata/api/public_search_fields" or + req_uri == "/api/metadata/api/public_dataset" +) then + goto script_end +end + +-- END OPEN ENDPOINT LOGIC -------------------------------------------------------------- + -- BEGIN AUTHORIZATION LOGIC ------------------------------------------------------------ local bento_debug = os.getenv("BENTO_DEBUG") @@ -54,11 +75,10 @@ local user_role -- Check bearer token if set -- Adapted from https://github.com/zmartzone/lua-resty-openidc/issues/266#issuecomment-542771402 -local req = ngx.req local auth_header = req.get_headers()["Authorization"] -- Tokens can also be passed in the form of POST body form data -if req.get_method() == "POST" then +if req_method == "POST" then req.read_body() local req_body = req.get_post_args() if req_body ~= nil and req_body["token"] then 
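Review bot: In the first hunk of PATCH 1/6, `goto script_end` leaves the script before any of the token handling that follows, and the label sits outside the hunk, so it is not visible what else is skipped along with the access decision. If the skipped section is also where a client-supplied `Authorization` header or other identity-bearing headers are checked or replaced before proxying, these open paths forward them untouched and the upstream must not trust them. I would record that contract above the condition, e.g. `-- Open endpoints skip all token handling below; upstreams must treat these requests as anonymous.` The list itself is an exact-match allowlist restricted to GET, which is the right shape for an authorization bypass.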
From fee649997ff6500604bfa85660a38717169e2152 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Wed, 13 Mar 2024 14:46:58 -0400 Subject: [PATCH 2/6] chore: add missing katsu public_overview passthrough --- src/proxy_auth_v2.lua | 1 + 1 file changed, 1 insertion(+) diff --git a/src/proxy_auth_v2.lua b/src/proxy_auth_v2.lua index 65d2f48..dbefcc4 100644 --- a/src/proxy_auth_v2.lua +++ b/src/proxy_auth_v2.lua @@ -52,6 +52,7 @@ local uri = ngx.var.uri -- post-rewrite URI if req_method == "GET" and ( uri == "/service-info" or req_uri == "/api/metadata/api/public" or + req_uri == "/api/metadata/api/public_overview" or req_uri == "/api/metadata/api/public_search_fields" or req_uri == "/api/metadata/api/public_dataset" ) then From 38d9235923bd42db8854e1894b76528de3882380 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Thu, 14 Mar 2024 15:35:28 -0400 Subject: [PATCH 3/6] make GET /projects endpoint public --- src/proxy_auth_v2.lua | 1 + 1 file changed, 1 insertion(+) diff --git a/src/proxy_auth_v2.lua b/src/proxy_auth_v2.lua index dbefcc4..147b97c 100644 --- a/src/proxy_auth_v2.lua +++ b/src/proxy_auth_v2.lua @@ -51,6 +51,7 @@ local uri = ngx.var.uri -- post-rewrite URI if req_method == "GET" and ( uri == "/service-info" or + req_uri == "/api/metadata/api/projects" or req_uri == "/api/metadata/api/public" or req_uri == "/api/metadata/api/public_overview" or req_uri == "/api/metadata/api/public_search_fields" or From 23d3c1049138a854faeddf492b13d320d6aab192 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Fri, 15 Mar 2024 13:45:19 -0400 Subject: [PATCH 4/6] chore: check req_uri with no query params for passthrough --- src/proxy_auth_v2.lua | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/proxy_auth_v2.lua b/src/proxy_auth_v2.lua index 147b97c..f34641f 100644 --- a/src/proxy_auth_v2.lua +++ b/src/proxy_auth_v2.lua 
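Review bot: Each endpoint opened in PATCH 2/6 (and again in PATCH 3/6) is one more `or` clause inside the condition that bypasses authorization, which makes an added path or a changed operator easy to miss in review. A set keyed by exact path keeps the bypass condition fixed and turns every new open endpoint into a one-line table entry that can be audited on its own. The truthiness of the condition is unchanged, and the `if` block closes outside this hunk.

```lua
-- Exact-match allowlist of GET paths that skip authorization.
local open_get_paths = {
  ["/api/metadata/api/public"] = true,
  ["/api/metadata/api/public_overview"] = true,
  ["/api/metadata/api/public_search_fields"] = true,
  ["/api/metadata/api/public_dataset"] = true,
}

if req_method == "GET" and (uri == "/service-info" or open_get_paths[req_uri]) then
```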
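Review bot: The `/api/metadata/api/projects` entry added in PATCH 3/6 is the only allowlisted path that is not a `public*` route, so once it is open the proxy no longer requires a token for it and any limit on what the listing returns has to be enforced by the metadata service itself. Nothing in this file shows that it is, so I would confirm it and say so next to the entry, e.g. `-- projects list: not authorized at the proxy; the service must return only what anonymous callers may see`. The match is exact, so sub-paths under `/projects` still fall through to authorization.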
@@ -41,7 +41,13 @@ end local req = ngx.req local req_method = req.get_method() -local req_uri = ngx.var.request_uri -- pre-rewrite URI + +local req_uri_no_qp = ngx.var.request_uri -- pre-rewrite URI +local qp = req_uri_no_qp:find("?") +if qp ~= nil then + req_uri_no_qp = req_uri_no_qp:sub(1, qp - 1) +end + local uri = ngx.var.uri -- post-rewrite URI -- BEGIN OPEN ENDPOINT LOGIC ------------------------------------------------------------ @@ -51,11 +57,11 @@ local uri = ngx.var.uri -- post-rewrite URI if req_method == "GET" and ( uri == "/service-info" or - req_uri == "/api/metadata/api/projects" or - req_uri == "/api/metadata/api/public" or - req_uri == "/api/metadata/api/public_overview" or - req_uri == "/api/metadata/api/public_search_fields" or - req_uri == "/api/metadata/api/public_dataset" + req_uri_no_qp == "/api/metadata/api/projects" or + req_uri_no_qp == "/api/metadata/api/public" or + req_uri_no_qp == "/api/metadata/api/public_overview" or + req_uri_no_qp == "/api/metadata/api/public_search_fields" or + req_uri_no_qp == "/api/metadata/api/public_dataset" ) then goto script_end end From 8a2b68f71239fb6f01600820808bdf6454e6c5f0 Mon Sep 17 00:00:00 2001 From: David Lougheed Date: Fri, 15 Mar 2024 13:47:22 -0400 Subject: [PATCH 5/6] docs: comment query param removal --- src/proxy_auth_v2.lua | 1 + 1 file changed, 1 insertion(+) diff --git a/src/proxy_auth_v2.lua b/src/proxy_auth_v2.lua index f34641f..ba71433 100644 --- a/src/proxy_auth_v2.lua +++ b/src/proxy_auth_v2.lua @@ -43,6 +43,7 @@ local req = ngx.req local req_method = req.get_method() local req_uri_no_qp = ngx.var.request_uri -- pre-rewrite URI +-- remove query parameters if we have any: local qp = req_uri_no_qp:find("?") if qp ~= nil then req_uri_no_qp = req_uri_no_qp:sub(1, qp - 1) From 430050e82d42ff8a02349acbaf962f8d4edb0eb8 Mon Sep 17 00:00:00 2001 
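Review bot: In the first hunk of PATCH 4/6, `req_uri_no_qp:find("?")` passes `?` as a Lua pattern rather than a plain string; it matches a literal question mark only because a leading `?` has nothing to quantify, so the intent is better stated as `local qp = req_uri_no_qp:find("?", 1, true)`. Separately, `ngx.var.request_uri` is the raw request target, so the equality checks that follow see no percent-decoding or dot-segment resolution. That fails closed, since non-canonical spellings fall through to authorization. A comment such as `-- raw, un-normalized URI: only the exact spelling is passed through` would keep a later edit from loosening it to prefix or pattern matching.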
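Review bot: With the comparison moved to `req_uri_no_qp` in the second hunk of PATCH 4/6, every query string on the five allowlisted paths now reaches the upstream without a token, where before this patch any request carrying parameters fell through to authorization. Whether any parameter on these routes changes how much data is returned is not visible here; if one does, that limit has to be enforced upstream. A comment on the list such as `-- query parameters are not authorized here; the service must validate them for anonymous callers` would make the contract explicit. The `if` block closes outside the hunk.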
From: David Lougheed Date: Fri, 15 Mar 2024 13:48:54 -0400 Subject: [PATCH 6/6] docs: comment on uri vs req_uri --- src/proxy_auth_v2.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/proxy_auth_v2.lua b/src/proxy_auth_v2.lua index ba71433..7c97766 100644 --- a/src/proxy_auth_v2.lua +++ b/src/proxy_auth_v2.lua @@ -57,7 +57,7 @@ local uri = ngx.var.uri -- post-rewrite URI -- TODO: replace this with properly authorization-compatible services if req_method == "GET" and ( - uri == "/service-info" or + uri == "/service-info" or -- any service-info endpoint; rewritten from original /api/.../service-info req_uri_no_qp == "/api/metadata/api/projects" or req_uri_no_qp == "/api/metadata/api/public" or req_uri_no_qp == "/api/metadata/api/public_overview" or
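Review bot: The comment added in PATCH 6/6 says the `uri == "/service-info"` clause covers any service, but not what that depends on: `ngx.var.uri` is the post-rewrite value, so which requests match is decided by rewrite rules that live outside this file. Any location added later whose rewrite yields `/service-info` becomes reachable by GET without a token. I would extend the comment to state that dependency, e.g. `-- matches whatever the nginx rewrites map to /service-info; review those rules when adding a service`.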