fix: do not expose internal errors to the client #6859

merged 7 commits into from
Apr 18, 2022
6 changes: 4 additions & 2 deletions apisix/plugins/basic-auth.lua
Expand Up @@ -151,13 +151,15 @@ function _M.rewrite(conf, ctx)

local username, password, err = extract_auth_header(auth_header)
if err then
return 401, { message = err }
core.log.warn(err)
return 401, { message = "Invalid user authorization" }
end

-- 2. get user info from consumer plugin
local consumer_conf = consumer.plugin(plugin_name)
if not consumer_conf then
return 401, { message = "Missing related consumer" }
core.log.warn("Missing related consumer")
return 401, { message = "Invalid user authorization" }
end

local consumers = consumers_lrucache("consumers_key",
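Review bot: The new `core.log.warn(err)` at the top of the hunk writes the error text verbatim, and the expectations this commit adds to t/plugin/basic-auth.t (`Failed to decode authentication header: aca_a`, `Split authorization err: invalid decoded data: bar`) show that text carries the raw Authorization value and its base64-decoded payload, so a malformed or mistyped credential now lands in the error log at warn level. Fixing the client-facing message is the goal, but the log line should not keep what the response no longer exposes; a neutral call such as `core.log.warn("failed to parse authorization header: ", err)` only helps if extract_auth_header (outside this hunk) stops embedding the header value in err, so that is where the redaction belongs. The same applies to the first hunk of apisix/plugins/ldap-auth.lua, whose ldap-auth.t expectations pin the same strings. _M.rewrite starts before and ends after this hunk.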
6 changes: 4 additions & 2 deletions apisix/plugins/ldap-auth.lua
Expand Up @@ -131,7 +131,8 @@ function _M.rewrite(conf, ctx)

local user, err = extract_auth_header(auth_header)
if err then
return 401, { message = err }
core.log.warn(err)
return 401, { message = "Invalid user authorization" }
end

-- 2. try authenticate the user against the ldap server
Expand All @@ -146,7 +147,8 @@ function _M.rewrite(conf, ctx)
-- 3. Retrieve consumer for authorization plugin
local consumer_conf = consumer_mod.plugin(plugin_name)
if not consumer_conf then
return 401, {message = "Missing related consumer"}
core.log.warn("Missing related consumer")
return 401, { message = "Invalid user authorization" }
end
local consumers = lrucache("consumers_key", consumer_conf.conf_version,
create_consumer_cache, consumer_conf)
17 changes: 8 additions & 9 deletions apisix/plugins/wolf-rbac.lua
Expand Up @@ -23,7 +23,6 @@ local ngx_re = require("ngx.re")
local http = require("resty.http")
local ipairs = ipairs
local ngx = ngx
local tostring = tostring
local rawget = rawget
local rawset = rawset
local setmetatable = setmetatable
Expand Down Expand Up @@ -274,7 +273,7 @@ function _M.rewrite(conf, ctx)
core.log.info("token info: ", core.json.delay_encode(tokenInfo),
", err: ", err)
if err then
return 401, fail_response('invalid rbac token: parse failed')
return 401, fail_response('Invalid rbac token: parse failed')
end

local appid = tokenInfo.appid
Expand All @@ -284,7 +283,8 @@ function _M.rewrite(conf, ctx)

local consumer_conf = consumer.plugin(plugin_name)
if not consumer_conf then
return 401, fail_response("Missing related consumer")
core.log.warn("Missing related consumer")
return 401, fail_response("Invalid user authorization")
the error here has nothing to do with the Authorization header

I'll revert this modification

end

local consumers = lrucache("consumers_key", consumer_conf.conf_version,
Expand Down Expand Up @@ -326,7 +326,7 @@ function _M.rewrite(conf, ctx)
core.log.error(" check_url_permission(",
core.json.delay_encode(perm_item),
") failed, res: ",core.json.delay_encode(res))
return 401, fail_response(res.err,
return 401, fail_response("Invalid user authorization",
{ username = username, nickname = nickname }
)
end
Expand Down Expand Up @@ -365,7 +365,7 @@ local function get_consumer(appid)
if not consumer then
core.log.info("request appid [", appid, "] not found")
core.response.exit(400,
fail_response("appid [" .. tostring(appid) .. "] not found")
fail_response("appid not found")
)
end
return consumer
Expand All @@ -386,7 +386,7 @@ local function request_to_wolf_server(method, uri, headers, body)
if not res then
core.log.error("request [", request_debug, "] failed! err: ", err)
return core.response.exit(500,
fail_response("request to wolf-server failed! " .. tostring(err))
fail_response("request to wolf-server failed!")
)
end
core.log.info("request [", request_debug, "] status: ", res.status,
Expand All @@ -396,8 +396,7 @@ local function request_to_wolf_server(method, uri, headers, body)
core.log.error("request [", request_debug, "] failed! status: ",
res.status)
return core.response.exit(500,
fail_response("request to wolf-server failed! status:"
.. tostring(res.status))
fail_response("request to wolf-server failed!")
)
end
local body, err = json.decode(res.body)
Expand All @@ -408,7 +407,7 @@ local function request_to_wolf_server(method, uri, headers, body)
if not body.ok then
core.log.error("request [", request_debug, "] failed! response body:",
core.json.delay_encode(body))
return core.response.exit(200, fail_response(body.reason))
return core.response.exit(200, fail_response("request to wolf-server failed!"))
end

core.log.info("request [", request_debug, "] success! response body:",
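Review bot: In the last hunk, the `not body.ok` branch now answers 200 with the same `request to wolf-server failed!` text as the two transport failures above it, so a client can no longer tell a rejected login (the wolf-rbac.t cases drive this path with a wrong or missing password) from an unreachable wolf-server, and the only remaining copy of `body.reason` is the `core.log.error` line just above it. Since that branch is a client-caused outcome rather than a backend fault, keeping it at error level means unauthenticated requests can generate error-log entries at will; `core.log.warn` fits it better, and a distinct text such as `fail_response("request rejected by wolf-server")` stops the client-facing message from implying an outage. The 200 status on this path predates this commit. request_to_wolf_server starts and ends outside the hunk.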
18 changes: 15 additions & 3 deletions t/plugin/basic-auth.t
Expand Up @@ -157,7 +157,11 @@ GET /hello
Authorization: Bad_header YmFyOmJhcgo=
--- error_code: 401
--- response_body
{"message":"Invalid authorization header format"}
{"message":"Invalid user authorization"}
--- grep_error_log eval
qr/Invalid authorization header format/
--- grep_error_log_out
Invalid authorization header format
--- no_error_log
[error]

Expand All @@ -170,7 +174,11 @@ GET /hello
Authorization: Basic aca_a
--- error_code: 401
--- response_body
{"message":"Failed to decode authentication header: aca_a"}
{"message":"Invalid user authorization"}
--- grep_error_log eval
qr/Failed to decode authentication header: aca_a/
--- grep_error_log_out
Failed to decode authentication header: aca_a
--- no_error_log
[error]

Expand All @@ -183,7 +191,11 @@ GET /hello
Authorization: Basic YmFy
--- error_code: 401
--- response_body
{"message":"Split authorization err: invalid decoded data: bar"}
{"message":"Invalid user authorization"}
--- grep_error_log eval
qr/Split authorization err: invalid decoded data: bar/
--- grep_error_log_out
Split authorization err: invalid decoded data: bar
--- no_error_log
[error]

18 changes: 15 additions & 3 deletions t/plugin/ldap-auth.t
Expand Up @@ -156,7 +156,11 @@ GET /hello
Authorization: Bad_header Zm9vOmZvbwo=
--- error_code: 401
--- response_body
{"message":"Invalid authorization header format"}
{"message":"Invalid user authorization"}
--- grep_error_log eval
qr/Invalid authorization header format/
--- grep_error_log_out
Invalid authorization header format



Expand All @@ -167,7 +171,11 @@ GET /hello
Authorization: Basic aca_a
--- error_code: 401
--- response_body
{"message":"Failed to decode authentication header: aca_a"}
{"message":"Invalid user authorization"}
--- grep_error_log eval
qr/Failed to decode authentication header: aca_a/
--- grep_error_log_out
Failed to decode authentication header: aca_a



Expand All @@ -178,7 +186,11 @@ GET /hello
Authorization: Basic Zm9v
--- error_code: 401
--- response_body
{"message":"Split authorization err: invalid decoded data: foo"}
{"message":"Invalid user authorization"}
--- grep_error_log eval
qr/Split authorization err: invalid decoded data: foo/
--- grep_error_log_out
Split authorization err: invalid decoded data: foo



42 changes: 34 additions & 8 deletions t/plugin/wolf-rbac.t
Expand Up @@ -211,7 +211,7 @@ appid=not-found&username=admin&password=123456
Content-Type: application/x-www-form-urlencoded
--- error_code: 400
--- response_body_like eval
qr/appid \[not-found\] not found/
qr/appid not found/
--- no_error_log
[error]

Expand All @@ -224,7 +224,11 @@ appid=wolf-rbac-app&password=123456
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
--- response_body_like eval
--- response_body
{"message":"request to wolf-server failed!"}
--- grep_error_log eval
qr/ERR_USERNAME_MISSING/
--- grep_error_log_out eval
qr/ERR_USERNAME_MISSING/


Expand All @@ -236,7 +240,11 @@ appid=wolf-rbac-app&username=admin
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
--- response_body_like eval
--- response_body
{"message":"request to wolf-server failed!"}
--- grep_error_log eval
qr/ERR_PASSWORD_MISSING/
--- grep_error_log_out eval
qr/ERR_PASSWORD_MISSING/


Expand All @@ -248,7 +256,11 @@ appid=wolf-rbac-app&username=not-found&password=123456
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
--- response_body_like eval
--- response_body
{"message":"request to wolf-server failed!"}
--- grep_error_log eval
qr/ERR_USER_NOT_FOUND/
--- grep_error_log_out eval
qr/ERR_USER_NOT_FOUND/


Expand All @@ -260,7 +272,11 @@ appid=wolf-rbac-app&username=admin&password=wrong-password
--- more_headers
Content-Type: application/x-www-form-urlencoded
--- error_code: 200
--- response_body_like eval
--- response_body
{"message":"request to wolf-server failed!"}
--- grep_error_log eval
qr/ERR_PASSWORD_ERROR/
--- grep_error_log_out eval
qr/ERR_PASSWORD_ERROR/


Expand Down Expand Up @@ -306,7 +322,7 @@ GET /hello
--- more_headers
x-rbac-token: invalid-rbac-token
--- response_body
{"message":"invalid rbac token: parse failed"}
{"message":"Invalid rbac token: parse failed"}
--- no_error_log
[error]

Expand All @@ -330,7 +346,13 @@ GET /hello1
--- more_headers
x-rbac-token: V1#wolf-rbac-app#wolf-rbac-token
--- response_body
{"message":"no permission to access"}
{"message":"Invalid user authorization"}
--- grep_error_log eval
qr/no permission to access */
--- grep_error_log_out
no permission to access
no permission to access
no permission to access



Expand Down Expand Up @@ -449,7 +471,11 @@ PUT /apisix/plugin/wolf-rbac/change_pwd
Content-Type: application/json
Cookie: x-rbac-token=V1#wolf-rbac-app#wolf-rbac-token
--- error_code: 200
--- response_body_like eval
--- response_body
{"message":"request to wolf-server failed!"}
--- grep_error_log eval
qr/ERR_OLD_PASSWORD_INCORRECT/
--- grep_error_log_out eval
qr/ERR_OLD_PASSWORD_INCORRECT/

