apache · spacewander · Oct 13, 2021 · Mar 16, 2021 · Mar 16, 2021 · Mar 16, 2021
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -78,7 +78,7 @@ jobs:
           tar zxvf ${{ steps.branch_env.outputs.fullname }}
 
       - name: Linux Get dependencies
-        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev
+        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev libldap2-dev
 
       - name: Linux Before install
         run: sudo ./ci/${{ matrix.os_name }}_runner.sh before_install

diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
@@ -65,7 +65,7 @@ jobs:
           key: ${{ runner.os }}-${{ env.cache-name }}-${{ matrix.job_name }}-${{ hashFiles('rockspec/apisix-master-0.rockspec') }}
 
       - name: Linux Get dependencies
-        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev
+        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev libldap2-dev
 
       - name: Linux Before install
         run: sudo ./ci/${{ matrix.job_name }}_runner.sh before_install

diff --git a/.github/workflows/fuzzing-ci.yaml b/.github/workflows/fuzzing-ci.yaml
@@ -52,7 +52,7 @@ jobs:
         sudo apt-get -y install software-properties-common
         sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"
         sudo apt-get update
-        sudo apt-get install -y git openresty curl openresty-openssl111-dev unzip make gcc
+        sudo apt-get install -y git openresty curl openresty-openssl111-dev unzip make gcc libldap2-dev
         ./utils/linux-install-luarocks.sh
 
         make deps

diff --git a/apisix/plugins/ldap-auth.lua b/apisix/plugins/ldap-auth.lua
@@ -0,0 +1,160 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local ngx = ngx
+local ngx_re = require("ngx.re")
+local ipairs = ipairs
+local consumer_mod = require("apisix.consumer")
+local lualdap = require("lualdap")
+
+local lrucache = core.lrucache.new({
+    ttl = 300, count = 512
+})
+
+local schema = {
+    type = "object",
+    title = "work with route or service object",
+    properties = {
+        base_dn = { type = "string" },
+        ldap_uri = { type = "string" },
+        use_tls = { type = "boolean" },
+        uid = { type = "string" }
+    },
+    required = {"base_dn","ldap_uri"},
+}
+
+local consumer_schema = {
+    type = "object",
+    title = "work with consumer object",
+    properties = {
+        user_dn = { type = "string" },
+    },
+    required = {"user_dn"},
+}
+
+local plugin_name = "ldap-auth"
+
+local _M = {
+    version = 0.1,
+    priority = 2540,
+    type = 'auth',
+    name = plugin_name,
+    schema = schema,
+    consumer_schema = consumer_schema
+}
+
+function _M.check_schema(conf, schema_type)
+    local ok, err
+    if schema_type == core.schema.TYPE_CONSUMER then
+        ok, err = core.schema.check(consumer_schema, conf)
+    else
+        ok, err = core.schema.check(schema, conf)
+    end
+
+    return ok, err
+end
+
+local create_consumer_cache
+do
+    local consumer_names = {}
+
+    function create_consumer_cache(consumers)
+        core.table.clear(consumer_names)
+
+        for _, consumer in ipairs(consumers.nodes) do
+            core.log.info("consumer node: ", core.json.delay_encode(consumer))
+            consumer_names[consumer.auth_conf.user_dn] = consumer
+        end
+
+        return consumer_names
+    end
+
+end -- do
+
+local function extract_auth_header(authorization)
+    local obj = { username = "", password = "" }
+
+    local m, err = ngx.re.match(authorization, "Basic\\s(.+)", "jo")
+    if err then
+        -- error authorization
+        return nil, err
+    end
+
+    local decoded = ngx.decode_base64(m[1])
+
+    if not decoded then
+        return nil, "failed to decode authentication header: " .. m[1]
+    end
+
+    local res
+    res, err = ngx_re.split(decoded, ":")
 local decoded = ngx.decode_base64(m[1]) 
 local decoded = ngx.decode_base64(m[1]) 
+    if err then
+        return nil, "split authorization err:" .. err
+    end
+    if #res < 2 then
+        return nil, "split authorization err: invalid decoded data: " .. decoded
+    end
+
+    obj.username = ngx.re.gsub(res[1], "\\s+", "", "jo")
+    obj.password = ngx.re.gsub(res[2], "\\s+", "", "jo")
+
+    return obj, nil
+end
+
+function _M.rewrite(conf, ctx)
+    core.log.info("plugin rewrite phase, conf: ", core.json.delay_encode(conf))
+
+    -- 1. extract authorization from header
+    local auth_header = core.request.header(ctx, "Authorization")
+    if not auth_header then
+        core.response.set_header("WWW-Authenticate", "Basic realm='.'")
+        return 401, { message = "Missing authorization in request" }
+    end
+
+    local user, err = extract_auth_header(auth_header)
+    if err then
+        return 401, { message = err }
+    end
+
+    -- 2. try authenticate the user against the ldap server
+    local uid = "cn"
+    if conf.uid then
+        uid = conf.uid
+    end
+    local userdn =  uid .. "=" .. user.username .. "," .. conf.base_dn
+    local ld = lualdap.open_simple (conf.ldap_uri, userdn, user.password, conf.use_tls)
+    if not ld then
+        return 401, { message = "Invalid user authorization" }
+    end
+
+    -- 3. Retrieve consumer for authorization plugin
+    local consumer_conf = consumer_mod.plugin(plugin_name)
+    if not consumer_conf then
+        return 401, {message = "Missing related consumer"}
+    end
+    local consumers = lrucache("consumers_key", consumer_conf.conf_version,
+        create_consumer_cache, consumer_conf)
+    local consumer = consumers[userdn]
+    if not consumer then
+        return 401, {message = "Invalid API key in request"}
+    end
+    consumer_mod.attach_consumer(ctx, consumer, consumer_conf)
+
+    core.log.info("hit basic-auth access")
+end
+
+return _M
diff --git a/ci/centos7-ci.sh b/ci/centos7-ci.sh
@@ -23,7 +23,7 @@ install_dependencies() {
 
     # install development tools
     yum install -y wget tar gcc automake autoconf libtool make unzip \
-        curl git which sudo
+        curl git which sudo openldap-devel
 
     # install openresty to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo

diff --git a/ci/install-ext-services-via-docker.sh b/ci/install-ext-services-via-docker.sh
@@ -38,6 +38,9 @@ docker run --rm --name skywalking -d -p 1234:1234 -p 11800:11800 -p 12800:12800
 docker run --rm --name consul_1 -d -p 8500:8500 consul:1.7 consul agent -server -bootstrap-expect=1 -client 0.0.0.0 -log-level info -data-dir=/consul/data
 docker run --rm --name consul_2 -d -p 8600:8500 consul:1.7 consul agent -server -bootstrap-expect=1 -client 0.0.0.0 -log-level info -data-dir=/consul/data
 
+# start openldap server
+docker run -d --rm --name openldap -p 1389:1389 -p 1636:1636 --env LDAP_ADMIN_USERNAME=admin --env LDAP_ADMIN_PASSWORD=adminpassword --env LDAP_USERS=user01,user02 --env LDAP_PASSWORDS=password1,password2 bitnami/openldap:latest
+
 # start nacos server
 docker network rm nacos_net
 docker network create nacos_net

diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -312,6 +312,7 @@ plugins:                          # plugin list (sorted by priority)
   - openid-connect                 # priority: 2599
   - authz-casbin                   # priority: 2560
   - wolf-rbac                      # priority: 2555
+  - ldap-auth                      # priority: 2540
   - hmac-auth                      # priority: 2530
   - basic-auth                     # priority: 2520
   - jwt-auth                       # priority: 2510

diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
@@ -66,7 +66,8 @@
             "plugins/wolf-rbac",
             "plugins/openid-connect",
             "plugins/hmac-auth",
-            "plugins/authz-casbin"
+            "plugins/authz-casbin",
+            "plugins/ldap-auth"
           ]
         },
         {

diff --git a/docs/en/latest/install-dependencies.md b/docs/en/latest/install-dependencies.md
@@ -58,7 +58,7 @@ sudo yum install yum-utils
 sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip pcre pcre-devel
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip pcre pcre-devel libldap2-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -81,7 +81,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel pcre pcre-devel
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel pcre pcre-devel libldap2-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -107,7 +107,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc libpcre3 libpcre3-dev
+sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc libpcre3 libpcre3-dev libldap2-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -138,7 +138,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl make openresty-openssl111-dev libpcre3 libpcre3-dev
+sudo apt-get install -y git openresty curl make openresty-openssl111-dev libpcre3 libpcre3-dev libldap2-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -151,7 +151,7 @@ nohup etcd &
 
 ```shell
 # install OpenResty, etcd and some compilation tools
-brew install openresty/brew/openresty luarocks lua@5.1 etcd curl git pcre
+brew install openresty/brew/openresty luarocks lua@5.1 etcd curl git pcre openldap
 
 # start etcd server
 brew services start etcd