feat: add forward-auth plugin

[bzp2010]

What this PR does / why we need it:

Add the forward-auth plugin.

Fix #6007
Fix #5475

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[shuaijinchao]

Should the request method be mapped to the client request method?

[bzp2010]

I don't think it's needed unless we provide other special features for this, the implementation in other software is the same.

[bzp2010]

In our or other forward-auth plugins, authentication-related data is sent via fixed requests, not POST data, so I think that's enough too.

ping @shuaijinchao

[shuaijinchao]

OK, use GET as a fixed request method you should remove it because the default request method is GET

[bzp2010]

OK, use GET as a fixed request method you should remove it because the default request method is GET

Oh, I get it. Modify will be made later.

[bzp2010]

removed

[shuaijinchao]

Suggested change

	if not res or err then
	core.log.error("failed to process forward auth, err: ", err)
	return 403
	end
	if not res then
	core.log.error("failed to process forward auth, err: ", err)
	return 403
	end

Would it be better to judge this way?

[bzp2010]

I don't understand how to do it really right, I noticed that in other plugin implementations there are those that use not res alone, those that use err alone and those that use not res or err, which one should we take?

apisix/apisix/plugins/authz-keycloak.lua

Lines 251 to 254 in 58fec8f

	local res, error = httpc:request_uri(conf.discovery, params)
	if not res then
	err = "Accessing discovery URL (" .. conf.discovery .. ") failed: " .. error

apisix/apisix/plugins/serverless/generic-upstream.lua

Lines 110 to 113 in 58fec8f

	local res, err = httpc:request_uri(conf.function_uri, params)
	if not res or err then
	core.log.error("failed to process ", plugin_name, ", err: ", err)

apisix/apisix/plugins/wolf-rbac.lua

Lines 145 to 147 in 58fec8f

	local res, err = httpc:request_uri(uri, params)
	if err then
	core.log.error("FAIL REQUEST [ ",core.json.delay_encode(

I hope to get your guidance.
cc @spacewander

[spacewander]

I read through each branch of https://github.com/api7/lua-resty-http/blob/b63a9bbf2a3361836b2322e3c689d6d7fd83ec55/lib/resty/http.lua#L900, look like there are only two cases:

1. nil, err
2. res, nil, while res is a table

[bzp2010]

Referring to the way it is usually used, I will check if err is not nil.

if err then
    xxx
end

[bzp2010]

changed

[bzp2010]

Also, I think there needs to make a rules that developers should follow to handle error checking (at least on the http client), the mix of different usages is confusing.

[spacewander]

Currently, we have to enforce it with code review. Maybe we can invest in linter in the future.

[shuaijinchao]

I think it should be used

if res then
     err
end

instead of

if err then
     err
end

this way of writing may be more suitable for languages such as Go

the common exception function return in OpenResty is return nil, err, the first value is enough to know whether to handle err, and you can refer to more code and test cases in lua-resty-core, such as: https://github.com/openresty/lua-resty-core/blob/e5217414669c100b334940b250d5340911a02dd0/t/ctx.t#L133-L143

[bzp2010]

changed

[spacewander]

We should not add a common method that is only used by a place. Actually, I think we should remove the get_path too.

It is strange that get_path fetches $uri but get_uri fetches $request_uri. Look like it is a premature optimization that brings inconsistent names.

[bzp2010]

So I should just use ctx.var.request_uri instead of wrapping it? Can I merge the functionality of get_path into get_uri and add a with_args parameter indicating whether or not I need to carry queries.

[spacewander]

Don't make thing complex!
The name of request_uri and uri already show the difference. There is no need to wrap them into a function which is rarely used. Premature optimization is the source of evil.

[spacewander]

We can remove the get_path in the next PR. Better to get rid of it before the release, so that people won't ask why we use get_path in one place but use ctx.var.uri in the most elsewhere.

[bzp2010]

removed, I will remove get_path in a later PR.

[spacewander]

Suggested change

	description = "client request header that will be sent to the authorization"
	description = "client request header that will be sent to the authorization service"

[bzp2010]

changed

[spacewander]

Suggested change

	.. "the client when authorize failure"
	.. "the client when authorizing failed"

[bzp2010]

changed

[spacewander]

Better not trust the client's X-Forwarded-XX by default

[bzp2010]

fixed, because auth_headers has been set in our concern headers, after the judgment, the request header from the client can not override them, that's not trust the client header. L89-L91

apisix/apisix/plugins/forward-auth.lua

Lines 78 to 93 in 8a853d3

	local auth_headers = {
	["X-Forwarded-Proto"] = core.request.get_scheme(ctx),
	["X-Forwarded-Method"] = core.request.get_method(),
	["X-Forwarded-Host"] = core.request.get_host(ctx),
	["X-Forwarded-Uri"] = core.request.get_uri(ctx),
	["X-Forwarded-For"] = core.request.get_remote_client_ip(ctx),
	}
	-- append headers that need to be get from the client request header
	if #conf.request_headers > 0 then
	for _, header in ipairs(conf.request_headers) do
	if not auth_headers[header] then
	auth_headers[header] = core.request.header(ctx, header)
	end
	end
	else

[spacewander]

Ditto

[bzp2010]

Because, merge the list of defined headers into the client request header, any key headers passed in by the client are overwritten, so I implement the untrusted client header.

[spacewander]

Suggested change

	3. **client_headers** Send `authorization` service response header to `client` when authorize failure
	3. **client_headers** Send `authorization` service response header to `client` when authorizing failed

[bzp2010]

changed

[spacewander]

Let's log down the X-Forwarded-XX received by the service. And better to break down the very long code.

[bzp2010]

I used another method to record these heads. I also added a simple echo function under /auth route.

[spacewander]

Let's add a test that the client passes X-Forwarded-XX by itself

[bzp2010]

added, I added a test case to demonstrate that these client-side incoming key headers are indeed dropped in APISIX.

[spacewander]

Let's doc the behavior when this field is empty

[bzp2010]

added

[spacewander]

Ditto

[bzp2010]

added

[spacewander]

Let's indent the code. Like:

diff --git t/plugin/forward-auth.t t/plugin/forward-auth.t
index dca35b76..285e60fb 100644
--- t/plugin/forward-auth.t
+++ t/plugin/forward-auth.t
@@ -74,7 +74,12 @@ property "request_headers" validation failed: wrong type: expected array, got st
                             "serverless-pre-function": {
                                 "phase": "rewrite",
                                 "functions": [
-                                    "return function (conf, ctx) local core = require(\"apisix.core\"); if core.request.header(ctx, \"Authorization\") == \"111\" then core.response.exit(200); end end",
+                                    "return function (conf, ctx)
+                                    local core = require(\"apisix.core\");
+                                    if core.request.header(ctx, \"Authorization\") == \"111\" then
+                                        core.response.exit(200)
+                                    end
+                                    end",
                                     "return function (conf, ctx) local core = require(\"apisix.core\"); if core.request.header(ctx, \"Authorization\") == \"222\" then core.response.set_header(\"X-User-ID\", \"i-am-an-user\"); core.response.exit(200); end end",
                                     "return function (conf, ctx) local core = require(\"apisix.core\"); if core.request.header(ctx, \"Authorization\") == \"333\" then core.response.set_header(\"Location\", \"http://example.com/auth\"); core.response.exit(403); end end",
                                     "return function (conf, ctx) local core = require(\"apisix.core\"); if core.request.header(ctx, \"Authorization\") == \"444\" then core.response.exit(403, core.request.headers(ctx)); end end"

[spacewander]

Would be better to log down the "X-Forwarded-XX" headers and check it

[bzp2010]

Log check for X-Forwarded-XX, I will add it later.

[bzp2010]

Splitting the single line long code is done, which uses ]]..[[ truncates the data code, the code is so long that it cannot be parsed, so I modified it by referring to the explanation in this issue.

openresty/lua-nginx-module#1622

[bzp2010]

Log check for X-Forwarded-XX, I will add it later.

In the session of adding more cases, I found out that we won't actually use it, and that the function to print the request header is already implemented using /echo.

[spacewander]

Look like we can't support forward no headers from the client?
If this field is empty, all headers are forwarded. What about don't provide a default value? (Use empty array if no headers are need)

[bzp2010]

I think it's rightfully so, and that's an oversight on my part. I have reversed the meaning of request_headers and client_headers, if the user does not set this parameter, APISIX will send nothing.

[spacewander]

IMHO, would be better to use allowlist? If no client_headers, no headers will be returned to the client. Some headers are not expected to be overridden, like Server / Date.

[bzp2010]

Ditto, changed

[spacewander]

Need to update the doc

[bzp2010]

updated

[spacewander]

Would be better to log down the APISIX generated "X-Forwarded-XX" headers and check it

[bzp2010]

I've merged it with the checkcase for overriding user input requests, which will check all APISIX generated headers at once. TEST 6: hit route (check APISIX generated headers and ignore client headers), It is provided by our echo function.

apisix/t/plugin/forward-auth.t

Lines 221 to 225 in beea582

	--- error_code: 403
	--- response_body eval
	qr/\"x-forwarded-proto\":\"http\"/ and qr/\"x-forwarded-method\":\"GET\"/ and
	qr/\"x-forwarded-host\":\"localhost\"/ and qr/\"x-forwarded-uri\":\"\\\/hello\"/ and
	qr/\"x-forwarded-for\":\"127.0.0.1\"/

[spacewander]

Let's provide a list of the X-Forwarded-XXX headers

[bzp2010]

the Data Definition section added