From d1830f325870f93d76888af5f45de4b5302c8f4f Mon Sep 17 00:00:00 2001 From: root Date: Mon, 31 Oct 2022 00:53:21 +0800 Subject: [PATCH 01/24] doc update: fix hide_credentials description --- docs/zh/latest/plugins/basic-auth.md | 2 +- docs/zh/latest/plugins/jwt-auth.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/zh/latest/plugins/basic-auth.md b/docs/zh/latest/plugins/basic-auth.md index b324e128cc8e..dc2c597bb15d 100644 --- a/docs/zh/latest/plugins/basic-auth.md +++ b/docs/zh/latest/plugins/basic-auth.md @@ -46,7 +46,7 @@ Route 端: | 名称 | 类型 | 必选项 | 默认值 | 描述 | | ---------------- | ------- | ------ | ------ | --------------------------------------------------------------- | -| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则会将 Authorization 请求头传递给 Upstream。| +| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则不会将 Authorization 请求头传递给 Upstream。| ## 启用插件 diff --git a/docs/zh/latest/plugins/jwt-auth.md b/docs/zh/latest/plugins/jwt-auth.md index af7f1f1ca1b9..38913c2c009f 100644 --- a/docs/zh/latest/plugins/jwt-auth.md +++ b/docs/zh/latest/plugins/jwt-auth.md @@ -66,6 +66,7 @@ Route 端: | header | string | 否 | authorization | 设置我们从哪个 header 获取 token。 | | query | string | 否 | jwt | 设置我们从哪个 query string 获取 token,优先级低于 header。 | | cookie | string | 否 | jwt | 设置我们从哪个 cookie 获取 token,优先级低于 query。 | +| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则不会将含有认证信息的 header\query\cookie string 传递给 Upstream。| ## 接口 From 2c7d410f82acd67559771a828ac09e80046ffb58 Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Mon, 31 Oct 2022 01:11:56 +0800 Subject: [PATCH 02/24] feat: support jwt-auth of hidding sensitive param --- apisix/plugins/jwt-auth.lua | 48 +++++++ t/plugin/jwt-auth3.t | 278 ++++++++++++++++++++++++++++++++++++ 2 files changed, 326 insertions(+) create mode 100644 t/plugin/jwt-auth3.t diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 36006975f5d3..324e8dcedaa8 100644 
--- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -48,6 +48,10 @@ local schema = { cookie = { type = "string", default = "jwt" + }, + hide_credentials = { + type = "boolean", + default = false } }, } @@ -357,8 +361,31 @@ local function algorithm_handler(consumer, method_only) end end +local function set_our_cookie(name, val) + core.response.add_header("Set-Cookie", name .. "=" .. val) +end + function _M.rewrite(conf, ctx) + local from_header = true + local header_key = core.request.header(ctx, conf.header) + + local from_query = true + + if not header_key then + from_header = false + local uri_args = core.request.get_uri_args(ctx) or {} + header_key = uri_args[conf.query] + if not header_key then + from_query = false + local cookie = ctx.var["cookie_" .. conf.cookie] + if not cookie then + core.log.info("failed to fetch JWT token") + return 401, {message = "Missing JWT token in request"} + end + end + end + local jwt_token, err = fetch_jwt_token(conf, ctx) if not jwt_token then core.log.info("failed to fetch JWT token: ", err) @@ -407,6 +434,27 @@ function _M.rewrite(conf, ctx) return 401, {message = "failed to verify jwt"} end + -- check for hiding `Authorization` request header if `hide_credentials` is `true` + if conf.hide_credentials then + -- hide sensitive field + if from_header then + -- hide for header + local temp_token = core.request.header(ctx, conf.header) + core.request.set_header(ctx, conf.header, nil) + + + elseif from_query then + -- hide for query + local args = core.request.get_uri_args(ctx) + args[conf.query] = nil + core.request.set_uri_args(ctx, args) + + else + -- hide for cookie + set_our_cookie(conf.cookie, "deleted; Max-Age=0") + end + end + consumer_mod.attach_consumer(ctx, consumer, consumer_conf) core.log.info("hit jwt-auth rewrite") end diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t new file mode 100644 index 000000000000..4cb40aca0494 --- /dev/null +++ b/t/plugin/jwt-auth3.t 
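Review bot: The cookie branch of the new `hide_credentials` block in `_M.rewrite` does not remove the credential from the proxied request: `set_our_cookie` calls `core.response.add_header("Set-Cookie", ...)`, which tells the client to expire its cookie but leaves the request's `Cookie` header untouched on its way to the upstream, so the token is still forwarded. The same applies to the `ck:new():set({...})` call that replaces it in PATCH 10; only from PATCH 12 on is the request `Cookie` header itself rewritten. The header and query branches also repeat the lookup that `fetch_jwt_token` already performs (with an unused `local temp_token` in between), so recording the token's source once inside `fetch_jwt_token` and stripping it there would avoid the duplicated logic and the `from_header`/`from_query` flags. Once the request header is actually stripped, the client-visible `Set-Cookie` can be dropped entirely.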
@@ -0,0 +1,278 @@ +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); + +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } +}); + +run_tests; + +__DATA__ + +=== TEST 1: add consumer with username and plugins +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "jwt-auth": { + "key": "user-key", + "secret": "my-secret-key" + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 2: enable jwt auth plugin using admin api with custom parameter +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed + + + +=== TEST 3: verify (in header) with not hidden auth +--- request +GET /echo +--- more_headers +jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_headers +jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs + + + +=== TEST 4: verify (in cookie) with not hidden auth +--- request +GET /echo +--- more_headers 
+Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_headers +Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs + + + +=== TEST 5: enable jwt auth plugin using admin api with not hide +# the `proxy-rewrite` play role as upstream to check sensitive param +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": false + }, + "proxy-rewrite": { + "uri": "/plugin_proxy_rewrite_args" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed + + + +=== TEST 6: verify (in query) not hidden auth +--- request +GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_body +uri: /plugin_proxy_rewrite_args +foo: bar +hello: world +jwt-query: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- no_error_log +[error] + + + +=== TEST 7: enable jwt auth plugin using admin api with hide auth +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": true + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": 
"roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed + + + +=== TEST 8: verify (in header) with hidden auth +--- request +GET /echo +--- more_headers +jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_headers +!jwt-header + + + +=== TEST 9: verify (in cookie) with hidden auth +--- request +GET /echo +--- more_headers +Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs; foo=bar +--- response_headers +Set-Cookie: jwt-cookie=deleted; Max-Age=0 + +=== TEST 10: enable jwt auth plugin using admin api with hidden auth +# the `proxy-rewrite` play role as upstream to check sensitive param +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": true + }, + "proxy-rewrite": { + "uri": "/plugin_proxy_rewrite_args" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed + + + +=== TEST 11: verify (in query) with hidden auth +--- request +GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_body +uri: /plugin_proxy_rewrite_args +foo: bar +hello: world +--- no_error_log +[error] + + From f0ffec88b6e802b63412fc1a5bf2ebf5bc07ce7f Mon Sep 17 00:00:00 2001 
From: pixeldin <626995617@qq.com> Date: Mon, 31 Oct 2022 01:54:18 +0800 Subject: [PATCH 03/24] doc: update plugin param description for EN-US --- docs/en/latest/plugins/basic-auth.md | 2 +- docs/en/latest/plugins/jwt-auth.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/en/latest/plugins/basic-auth.md b/docs/en/latest/plugins/basic-auth.md index 687748391cf1..a55dd1467c53 100644 --- a/docs/en/latest/plugins/basic-auth.md +++ b/docs/en/latest/plugins/basic-auth.md @@ -46,7 +46,7 @@ For Route: | Name | Type | Required | Default | Description | |------------------|---------|----------|---------|------------------------------------------------------------------------| -| hide_credentials | boolean | False | false | Set to true to pass the authorization request headers to the Upstream. | +| hide_credentials | boolean | False | false | Set to true will not pass the authorization request headers to the Upstream. | ## Enabling the Plugin diff --git a/docs/en/latest/plugins/jwt-auth.md b/docs/en/latest/plugins/jwt-auth.md index 00e2d307d1ff..57bdf9d21b92 100644 --- a/docs/en/latest/plugins/jwt-auth.md +++ b/docs/en/latest/plugins/jwt-auth.md @@ -66,6 +66,7 @@ For Route: | header | string | False | authorization | The header to get the token from. | | query | string | False | jwt | The query string to get the token from. Lower priority than header. | | cookie | string | False | jwt | The cookie to get the token from. Lower priority than query. | +| hide_credentials | boolean | False | false | 该参数设置为 `true` 时,则不会将含有认证信息的 header\query\cookie string 传递给 Upstream。| ## API From 51dea0ff4ced2c3ebc611fcc79e32ddfa0b5c8c7 Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Mon, 31 Oct 2022 09:00:39 +0800 Subject: [PATCH 04/24] doc: update plugin(jwt-auth) param description for EN-US --- docs/en/latest/plugins/jwt-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/en/latest/plugins/jwt-auth.md b/docs/en/latest/plugins/jwt-auth.md index 57bdf9d21b92..fffb01846119 100644 --- a/docs/en/latest/plugins/jwt-auth.md +++ b/docs/en/latest/plugins/jwt-auth.md @@ -66,7 +66,7 @@ For Route: | header | string | False | authorization | The header to get the token from. | | query | string | False | jwt | The query string to get the token from. Lower priority than header. | | cookie | string | False | jwt | The cookie to get the token from. Lower priority than query. | -| hide_credentials | boolean | False | false | 该参数设置为 `true` 时,则不会将含有认证信息的 header\query\cookie string 传递给 Upstream。| +| hide_credentials | boolean | False | false | Set to true will not pass the authorization request of header\query\cookie to the Upstream.| ## API From 7ee2cd4b6cf19ee20991303cb522a77aa3251774 Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Mon, 31 Oct 2022 09:26:10 +0800 Subject: [PATCH 05/24] lint: code reformat and reindex --- apisix/plugins/jwt-auth.lua | 1 - t/plugin/jwt-auth3.t | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 324e8dcedaa8..6b0ada9a8a40 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -439,7 +439,6 @@ function _M.rewrite(conf, ctx) -- hide sensitive field if from_header then -- hide for header - local temp_token = core.request.header(ctx, conf.header) core.request.set_header(ctx, conf.header, nil) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 4cb40aca0494..93f4ed97ebb3 100644 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -222,6 +222,8 @@ Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs --- response_headers Set-Cookie: jwt-cookie=deleted; Max-Age=0 + + === TEST 10: enable jwt auth plugin using admin api with hidden auth # the `proxy-rewrite` play role as upstream to check sensitive param --- config 
@@ -274,5 +276,3 @@ foo: bar hello: world --- no_error_log [error] - - From 06c2970948479d9fc521fd3c0d310134cbbd5f25 Mon Sep 17 00:00:00 2001 From: pixelpig <626995617@qq.com> Date: Mon, 31 Oct 2022 09:30:48 +0800 Subject: [PATCH 06/24] Update t/plugin/jwt-auth3.t update description Co-authored-by: Alex Zhang --- t/plugin/jwt-auth3.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 93f4ed97ebb3..6404776fb66e 100644 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -89,7 +89,7 @@ passed -=== TEST 3: verify (in header) with not hidden auth +=== TEST 3: verify (in header) with not hide credentials --- request GET /echo --- more_headers From 3440bfeba92ff438e9027000ef6697f77bbdbec5 Mon Sep 17 00:00:00 2001 From: pixelpig <626995617@qq.com> Date: Mon, 31 Oct 2022 09:31:58 +0800 Subject: [PATCH 07/24] Update t/plugin/jwt-auth3.t update description Co-authored-by: Alex Zhang --- t/plugin/jwt-auth3.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 6404776fb66e..0d212fd9c555 100644 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -99,7 +99,7 @@ jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs -=== TEST 4: verify (in cookie) with not hidden auth +=== TEST 4: verify (in cookie) with not hide credentials --- request GET /echo --- more_headers From e9519b894b213b8d1fdf1d8e134284af7a04798e Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Mon, 31 Oct 2022 09:41:05 +0800 Subject: [PATCH 08/24] code reformat --- apisix/plugins/jwt-auth.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 6b0ada9a8a40..8d9f7470adb6 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua 
@@ -441,7 +441,6 @@ function _M.rewrite(conf, ctx) -- hide for header core.request.set_header(ctx, conf.header, nil) - elseif from_query then -- hide for query local args = core.request.get_uri_args(ctx) From 8a24d8291be3410c479a9e21978eeba8dd6e038d Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Mon, 31 Oct 2022 12:12:16 +0800 Subject: [PATCH 09/24] format test file about trailing whitespace --- t/plugin/jwt-auth3.t | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) mode change 100644 => 100755 t/plugin/jwt-auth3.t diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t old mode 100644 new mode 100755 index 0d212fd9c555..f9dab7c63268 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -109,7 +109,7 @@ Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs -=== TEST 5: enable jwt auth plugin using admin api with not hide +=== TEST 5: enable jwt auth plugin using admin api with not hide credentials # the `proxy-rewrite` play role as upstream to check sensitive param --- config location /t { @@ -152,7 +152,7 @@ passed -=== TEST 6: verify (in query) not hidden auth +=== TEST 6: verify (in query) not hidden credentials --- request GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body @@ -204,7 +204,7 @@ passed -=== TEST 8: verify (in header) with hidden auth +=== TEST 8: verify (in header) with hidden credentials --- request GET /echo --- more_headers @@ -214,7 +214,7 @@ jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI -=== TEST 9: verify (in cookie) with hidden auth +=== TEST 9: verify (in cookie) with hidden credentials --- request GET /echo --- more_headers 
@@ -267,7 +267,7 @@ passed -=== TEST 11: verify (in query) with hidden auth +=== TEST 11: verify (in query) with hidden credentials --- request GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body From 493b24c29d03d8747337d9471bcc2f5024648b6f Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Tue, 1 Nov 2022 21:42:39 +0800 Subject: [PATCH 10/24] adjust the hide credentials logic code and update cookie setting way --- apisix/plugins/jwt-auth.lua | 68 +++++++++++++------------------------ t/plugin/jwt-auth3.t | 2 +- 2 files changed, 25 insertions(+), 45 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 8d9f7470adb6..f5286479c804 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -16,6 +16,7 @@ -- local core = require("apisix.core") local jwt = require("resty.jwt") +local ck = require("resty.cookie") local consumer_mod = require("apisix.consumer") local resty_random = require("resty.random") local vault = require("apisix.core.vault") @@ -196,6 +197,11 @@ end local function fetch_jwt_token(conf, ctx) local token = core.request.header(ctx, conf.header) if token then + if conf.hide_credentials then + -- hide for header + core.request.set_header(ctx, conf.header, nil) + end + local prefix = sub_str(token, 1, 7) if prefix == 'Bearer ' or prefix == 'bearer ' then return sub_str(token, 8) @@ -204,8 +210,14 @@ local function fetch_jwt_token(conf, ctx) return token end - token = ctx.var["arg_" .. conf.query] + local uri_args = core.request.get_uri_args(ctx) or {} + token = uri_args[conf.query] if token then + if conf.hide_credentials then + -- hide for query + uri_args[conf.query] = nil + core.request.set_uri_args(ctx, uri_args) + end return token end 
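Review bot: In the `fetch_jwt_token` changes, `hide_credentials` only strips the location the token was read from: the header branch returns right after `core.request.set_header(ctx, conf.header, nil)`, so a request that also carries a value under `conf.query` or `conf.cookie` still forwards those copies to the upstream, and the query branch likewise leaves a cookie in place. If the contract is that no credential reaches the upstream, all three locations should be cleared whenever `hide_credentials` is set, regardless of which one supplied the token. The query branch also pushes the whole argument table back through `core.request.set_uri_args`, which presumably re-serialises every argument; a comment such as `-- set_uri_args rewrites the full query string, unrelated args are re-encoded` would make that side effect explicit. `fetch_jwt_token` continues into the next hunk.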
@@ -213,6 +225,16 @@ local function fetch_jwt_token(conf, ctx) if not val then return nil, "JWT not found in cookie" end + + if conf.hide_credentials then + -- hide for cookie + ck:new():set({ + key = conf.cookie, + value = "deleted", + max_age = 0 + }) + end + return val end @@ -361,31 +383,8 @@ local function algorithm_handler(consumer, method_only) end end -local function set_our_cookie(name, val) - core.response.add_header("Set-Cookie", name .. "=" .. val) -end - - function _M.rewrite(conf, ctx) - local from_header = true - local header_key = core.request.header(ctx, conf.header) - - local from_query = true - - if not header_key then - from_header = false - local uri_args = core.request.get_uri_args(ctx) or {} - header_key = uri_args[conf.query] - if not header_key then - from_query = false - local cookie = ctx.var["cookie_" .. conf.cookie] - if not cookie then - core.log.info("failed to fetch JWT token") - return 401, {message = "Missing JWT token in request"} - end - end - end - + -- fetch token and hide credentials if necessary local jwt_token, err = fetch_jwt_token(conf, ctx) if not jwt_token then core.log.info("failed to fetch JWT token: ", err) @@ -434,25 +433,6 @@ function _M.rewrite(conf, ctx) return 401, {message = "failed to verify jwt"} end - -- check for hiding `Authorization` request header if `hide_credentials` is `true` - if conf.hide_credentials then - -- hide sensitive field - if from_header then - -- hide for header - core.request.set_header(ctx, conf.header, nil) - - elseif from_query then - -- hide for query - local args = core.request.get_uri_args(ctx) - args[conf.query] = nil - core.request.set_uri_args(ctx, args) - - else - -- hide for cookie - set_our_cookie(conf.cookie, "deleted; Max-Age=0") - end - end - consumer_mod.attach_consumer(ctx, consumer, consumer_conf) core.log.info("hit jwt-auth rewrite") end diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index f9dab7c63268..f7d331416c3c 100755 --- a/t/plugin/jwt-auth3.t 
+++ b/t/plugin/jwt-auth3.t @@ -218,7 +218,7 @@ jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI --- request GET /echo --- more_headers -Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs; foo=bar +Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers Set-Cookie: jwt-cookie=deleted; Max-Age=0 From 6006c52eb3033cddeb8e4a2ffa5fb73453611b8f Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Wed, 2 Nov 2022 10:15:12 +0800 Subject: [PATCH 11/24] License Header Addition of test file --- t/plugin/jwt-auth3.t | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index f7d331416c3c..c9a6f6f019a7 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -1,3 +1,19 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# use t::APISIX 'no_plan'; repeat_each(1); From 64b6ddee526df554acee267d14ed3786d86f0509 Mon Sep 17 00:00:00 2001 
From: pixeldin <626995617@qq.com> Date: Sat, 5 Nov 2022 02:55:46 +0800 Subject: [PATCH 12/24] rewrite cookie updating way and import httpbin for testing related parameters --- apisix/plugins/jwt-auth.lua | 8 +--- t/plugin/jwt-auth3.t | 75 ++++++++++++++++++++++++++++--------- 2 files changed, 59 insertions(+), 24 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index f5286479c804..95664871682b 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -16,7 +16,6 @@ -- local core = require("apisix.core") local jwt = require("resty.jwt") -local ck = require("resty.cookie") local consumer_mod = require("apisix.consumer") local resty_random = require("resty.random") local vault = require("apisix.core.vault") @@ -228,11 +227,8 @@ local function fetch_jwt_token(conf, ctx) if conf.hide_credentials then -- hide for cookie - ck:new():set({ - key = conf.cookie, - value = "deleted", - max_age = 0 - }) + local reset_val = conf.cookie .. "=deleted; Max-Age=0" + core.request.set_header(ctx, "Cookie", reset_val) end return val diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index c9a6f6f019a7..7535bcfaa087 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -105,7 +105,7 @@ passed -=== TEST 3: verify (in header) with not hide credentials +=== TEST 3: verify (in header) not hiding credentials --- request GET /echo --- more_headers @@ -115,7 +115,7 @@ jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs -=== TEST 4: verify (in cookie) with not hide credentials +=== TEST 4: verify (in cookie) not hiding credentials --- request GET /echo --- more_headers 
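Review bot: `core.request.set_header(ctx, "Cookie", reset_val)` in the cookie branch replaces the entire `Cookie` request header with `<conf.cookie>=deleted; Max-Age=0`, so every other cookie the client sent (the upstream's own session cookies, for instance) is discarded, and `Max-Age=0` is a `Set-Cookie` attribute that the `Cookie` request syntax has no place for — the upstream will see a cookie literally named `Max-Age`. Only the pair named `conf.cookie` should be removed and the rest of the header forwarded unchanged; PATCH 14 later in this series moves in that direction with `remove_specified_cookie`. `fetch_jwt_token` starts and ends outside this hunk.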
@@ -125,7 +125,7 @@ Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs -=== TEST 5: enable jwt auth plugin using admin api with not hide credentials +=== TEST 5: enable jwt auth plugin using admin api without hiding credentials # the `proxy-rewrite` play role as upstream to check sensitive param --- config location /t { @@ -168,7 +168,7 @@ passed -=== TEST 6: verify (in query) not hidden credentials +=== TEST 6: verify (in query) without hiding credentials --- request GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body @@ -181,7 +181,7 @@ jwt-query: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6 -=== TEST 7: enable jwt auth plugin using admin api with hide auth +=== TEST 7: enable jwt auth plugin using admin api with hiding credentials --- config location /t { content_by_lua_block { @@ -220,7 +220,7 @@ passed -=== TEST 8: verify (in header) with hidden credentials +=== TEST 8: verify (in header) with hiding credentials --- request GET /echo --- more_headers @@ -230,17 +230,7 @@ jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI -=== TEST 9: verify (in cookie) with hidden credentials ---- request -GET /echo ---- more_headers -Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs ---- response_headers -Set-Cookie: jwt-cookie=deleted; Max-Age=0 - - - -=== TEST 10: enable jwt auth plugin using admin api with hidden auth +=== TEST 9: enable jwt auth plugin using admin api with hiding credentials # the `proxy-rewrite` play role as upstream to check sensitive param --- config location /t { 
@@ -283,7 +273,7 @@ passed -=== TEST 11: verify (in query) with hidden credentials +=== TEST 10: verify (in query) with hiding credentials --- request GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body @@ -292,3 +282,52 @@ foo: bar hello: world --- no_error_log [error] + + + +=== TEST 11: verify (in cookie) with hiding credentials +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": true + } + }, + "upstream": { + "nodes": { + "httpbin.org:80": 1 + }, + "type": "roundrobin" + }, + "uri": "/get" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed + + + +=== TEST 12: verify (in cookie) with hiding credentials +--- request +GET /get +--- more_headers +Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_body eval +qr/"Cookie": "jwt-cookie=deleted; Max-Age=0"/ \ No newline at end of file From da2f64be504c7dc4e4e091e5200666345790d5f8 Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Sat, 5 Nov 2022 22:17:41 +0800 Subject: [PATCH 13/24] fix expected final newline --- t/plugin/jwt-auth3.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 7535bcfaa087..da23d839e73e 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
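Review bot: TEST 11 points the route's upstream at `httpbin.org:80`, so TEST 12 needs outbound internet access and the remote service's exact JSON formatting (`"Cookie": "..."`) to pass, which makes the suite non-hermetic and prone to flaking. The rest of this file already uses the local `127.0.0.1:1980` upstream, and TEST 4 shows its `/echo` endpoint reflecting the request `Cookie` header into `--- response_headers`, so the hidden-cookie case can be asserted against `/echo` with `--- response_headers` and `!Cookie` (or the expected remaining cookie value) without leaving the box.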
@@ -330,4 +330,4 @@ GET /get --- more_headers Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body eval -qr/"Cookie": "jwt-cookie=deleted; Max-Age=0"/ \ No newline at end of file +qr/"Cookie": "jwt-cookie=deleted; Max-Age=0"/ From 5179af64f779fea8c475cadf2ec24df609553661 Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Mon, 7 Nov 2022 21:59:58 +0800 Subject: [PATCH 14/24] adjusting unit test and hiding credential in cookie with regex pattern --- apisix/plugins/jwt-auth.lua | 21 ++++++++++++++++++++- t/plugin/jwt-auth3.t | 16 +++++----------- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 95664871682b..0996ecd1f015 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -192,6 +192,24 @@ function _M.check_schema(conf, schema_type) return true end +local function remove_specified_cookie(src, key) + local ret = "" + local append = false + local cookie_key_pattern = "([a-zA-Z0-9-_]*)" + local cookie_val_pattern = "([a-zA-Z0-9-._]*)" + + for k, v in string.gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern) do + if k ~= key then + if append then + ret = ret .. "; " + end + ret = ret .. k .. "=" .. v + append = true + end + end + + return ret +end local function fetch_jwt_token(conf, ctx) local token = core.request.header(ctx, conf.header) @@ -227,7 +245,8 @@ local function fetch_jwt_token(conf, ctx) if conf.hide_credentials then -- hide for cookie - local reset_val = conf.cookie .. "=deleted; Max-Age=0" + local src = core.request.header(ctx, "Cookie") + local reset_val = remove_specified_cookie(src, conf.cookie) core.request.set_header(ctx, "Cookie", reset_val) end diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index da23d839e73e..5325b6b238b6 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
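Review bot: `remove_specified_cookie` rebuilds the forwarded `Cookie` header from two narrow patterns, `([a-zA-Z0-9-_]*)` and `([a-zA-Z0-9-._]*)`, so any unrelated cookie whose value contains characters outside that set (`%`, `+`, `/`, `:`, or the `=` padding of base64) is truncated at the first such byte, and leftover `=` runs come back as empty `=` pairs in the rebuilt header — the upstream's own session cookies can be silently corrupted by a feature that only needs to drop one name. Splitting on `;` and removing the single pair whose name equals `key`, while keeping every other pair byte-for-byte, avoids re-encoding anything; the `table.concat` rewrite of this function in PATCH 16 keeps the same patterns and has the same problem. `src` comes from `core.request.header(ctx, "Cookie")`, which I believe can return a table when the client sends several `Cookie` headers, in which case `string.gmatch` would raise — worth a guard or a confirming comment.
```lua
local function remove_specified_cookie(src, key)
    local kept = {}
    -- split on ';' (cookie values cannot contain it) and keep every pair
    -- except the one named `key`, verbatim, so nothing else is re-encoded
    for pair in string.gmatch(src, "[^;]+") do
        local trimmed = pair:match("^%s*(.-)%s*$")
        local name = trimmed:match("^([^=]*)")
        if trimmed ~= "" and name ~= key then
            kept[#kept + 1] = trimmed
        end
    end
    return table.concat(kept, "; ")
end
```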
@@ -140,9 +140,6 @@ Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": false - }, - "proxy-rewrite": { - "uri": "/plugin_proxy_rewrite_args" } }, "upstream": { @@ -170,7 +167,7 @@ passed === TEST 6: verify (in query) without hiding credentials --- request -GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +GET /plugin_proxy_rewrite_args?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body uri: /plugin_proxy_rewrite_args foo: bar @@ -245,9 +242,6 @@ jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": true - }, - "proxy-rewrite": { - "uri": "/plugin_proxy_rewrite_args" } }, "upstream": { @@ -256,7 +250,7 @@ jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI }, "type": "roundrobin" }, - "uri": "/echo" + "uri": "/plugin_proxy_rewrite_args" }]] ) @@ -275,7 +269,7 @@ passed === TEST 10: verify (in query) with hiding credentials --- request -GET /echo?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +GET /plugin_proxy_rewrite_args?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body uri: /plugin_proxy_rewrite_args foo: bar 
@@ -328,6 +322,6 @@ passed --- request GET /get --- more_headers -Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +Cookie: hello=world; jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs; foo=bar --- response_body eval -qr/"Cookie": "jwt-cookie=deleted; Max-Age=0"/ +qr/^(?:(?!jwt-cookie).)*\z/s From f0d11f7e42392d027ef3cf52ca01b7534ffdab7e Mon Sep 17 00:00:00 2001 From: pixelpig <626995617@qq.com> Date: Tue, 8 Nov 2022 16:58:00 +0800 Subject: [PATCH 15/24] Update docs/zh/latest/plugins/jwt-auth.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit docs: description supplement Co-authored-by: 罗泽轩 --- docs/zh/latest/plugins/jwt-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/zh/latest/plugins/jwt-auth.md b/docs/zh/latest/plugins/jwt-auth.md index 38913c2c009f..b4582f64263b 100644 --- a/docs/zh/latest/plugins/jwt-auth.md +++ b/docs/zh/latest/plugins/jwt-auth.md @@ -66,7 +66,7 @@ Route 端: | header | string | 否 | authorization | 设置我们从哪个 header 获取 token。 | | query | string | 否 | jwt | 设置我们从哪个 query string 获取 token,优先级低于 header。 | | cookie | string | 否 | jwt | 设置我们从哪个 cookie 获取 token,优先级低于 query。 | -| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则不会将含有认证信息的 header\query\cookie string 传递给 Upstream。| +| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则不会将含有认证信息的 header\query\cookie 传递给 Upstream。| ## 接口 From fc1eaf9d8b27de01c437cdd1446221886f9ffdb0 Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Tue, 8 Nov 2022 23:33:53 +0800 Subject: [PATCH 16/24] reset cookie val with table.concat() way and reformat test file --- apisix/plugins/jwt-auth.lua | 11 +++-------- t/plugin/jwt-auth3.t | 18 +----------------- 2 files changed, 4 insertions(+), 25 deletions(-) 
diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 0996ecd1f015..15871aab8c42 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -193,22 +193,17 @@ function _M.check_schema(conf, schema_type) end local function remove_specified_cookie(src, key) - local ret = "" - local append = false local cookie_key_pattern = "([a-zA-Z0-9-_]*)" local cookie_val_pattern = "([a-zA-Z0-9-._]*)" + local t = {} for k, v in string.gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern) do if k ~= key then - if append then - ret = ret .. "; " - end - ret = ret .. k .. "=" .. v - append = true + table.insert(t, k .. "=" .. v) end end - return ret + return table.concat(t, "; ") end local function fetch_jwt_token(conf, ctx) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 5325b6b238b6..4fad6c0c738e 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -148,7 +148,7 @@ Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs }, "type": "roundrobin" }, - "uri": "/echo" + "uri": "/plugin_proxy_rewrite_args" }]] ) @@ -158,10 +158,6 @@ Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs ngx.say(body) } } ---- request -GET /t ---- response_body -passed @@ -210,10 +206,6 @@ jwt-query: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6 ngx.say(body) } } ---- request -GET /t ---- response_body -passed @@ -260,10 +252,6 @@ jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI ngx.say(body) } } ---- request -GET /t ---- response_body -passed @@ -311,10 +299,6 @@ hello: world ngx.say(body) } } ---- request -GET /t ---- response_body -passed From 3a4289587b1e95ed3424cb1528a2fff45fda04de Mon Sep 17 00:00:00 2001 
From: pixeldin <626995617@qq.com> Date: Wed, 9 Nov 2022 11:14:09 +0800 Subject: [PATCH 17/24] use Lua local func tools for string and table --- apisix/plugins/jwt-auth.lua | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 15871aab8c42..0cb681716b5f 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -19,6 +19,7 @@ local jwt = require("resty.jwt") local consumer_mod = require("apisix.consumer") local resty_random = require("resty.random") local vault = require("apisix.core.vault") +local new_tab = require ("table.new") local ngx_encode_base64 = ngx.encode_base64 local ngx_decode_base64 = ngx.decode_base64 @@ -26,6 +27,9 @@ local ipairs = ipairs local ngx = ngx local ngx_time = ngx.time local sub_str = string.sub +local table_insert = table.insert +local table_concat = table.concat +local str_gmatch = string.gmatch local plugin_name = "jwt-auth" local pcall = pcall @@ -195,15 +199,15 @@ end local function remove_specified_cookie(src, key) local cookie_key_pattern = "([a-zA-Z0-9-_]*)" local cookie_val_pattern = "([a-zA-Z0-9-._]*)" - local t = {} + local t = new_tab(1, 0) - for k, v in string.gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern) do + for k, v in str_gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern) do if k ~= key then - table.insert(t, k .. "=" .. v) + table_insert(t, k .. "=" .. v) end end - return table.concat(t, "; ") + return table_concat(t, "; ") end local function fetch_jwt_token(conf, ctx) From b1c6fa025551c27d468e6f74148c0755c539a40b Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Wed, 9 Nov 2022 15:01:35 +0800 Subject: [PATCH 18/24] reformat test file about jwt-auth --- t/plugin/jwt-auth3.t | 8 -------- 1 file changed, 8 deletions(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 4fad6c0c738e..d19fe5313d74 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
@@ -98,10 +98,6 @@ passed ngx.say(body) } } ---- request -GET /t ---- response_body -passed @@ -169,8 +165,6 @@ uri: /plugin_proxy_rewrite_args foo: bar hello: world jwt-query: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs ---- no_error_log -[error] @@ -262,8 +256,6 @@ GET /plugin_proxy_rewrite_args?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiI uri: /plugin_proxy_rewrite_args foo: bar hello: world ---- no_error_log -[error] From cddc27f3a2d2a1dfac4f8d5a8a846580270ebe5c Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Wed, 9 Nov 2022 16:46:19 +0800 Subject: [PATCH 19/24] use ngx.re specification as cookie match way --- apisix/plugins/jwt-auth.lua | 21 +++++++++++++++++---- t/plugin/jwt-auth3.t | 2 -- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 0cb681716b5f..0b3a1df2417e 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -29,7 +29,7 @@ local ngx_time = ngx.time local sub_str = string.sub local table_insert = table.insert local table_concat = table.concat -local str_gmatch = string.gmatch +local ngx_re_gmatch = ngx.re.gmatch local plugin_name = "jwt-auth" local pcall = pcall @@ -201,9 +201,22 @@ local function remove_specified_cookie(src, key) local cookie_val_pattern = "([a-zA-Z0-9-._]*)" local t = new_tab(1, 0) - for k, v in str_gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern) do - if k ~= key then - table_insert(t, k .. "=" .. v) + local it, err = ngx_re_gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern, "jo") + if not it then + core.log.error("match origins failed: ", err) + return nil + end + while true do + local m, err = it() + if err then + core.log.error("iterate origins failed: ", err) + return nil + end + if not m then + break + end + if m[1] ~= key then + table_insert(t, m[0]) end end 
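Review bot: The two error messages, `match origins failed` and `iterate origins failed`, describe a CORS origin check rather than a Cookie header, so an operator grepping logs for this plugin gets a misleading line; `"failed to match cookie header: "` and `"failed to iterate cookie header: "` name what actually failed. `local m, err = it()` also shadows the outer `err` from the `ngx_re_gmatch` call inside the loop — harmless today, but luacheck flags it and a distinct name such as `iter_err` reads cleaner. The `[a-zA-Z0-9-_]` class is accepted by PCRE with `-` taken literally after a range, but `[a-zA-Z0-9_-]` is the unambiguous spelling. The function's opening lines are outside this hunk.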
diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index d19fe5313d74..7afe31aab8f6 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -122,7 +122,6 @@ Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs === TEST 5: enable jwt auth plugin using admin api without hiding credentials -# the `proxy-rewrite` play role as upstream to check sensitive param --- config location /t { content_by_lua_block { @@ -214,7 +213,6 @@ jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI === TEST 9: enable jwt auth plugin using admin api with hiding credentials -# the `proxy-rewrite` play role as upstream to check sensitive param --- config location /t { content_by_lua_block { From 3c8a9e102f722f4002ea34443c97f81961340d28 Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Thu, 10 Nov 2022 15:29:37 +0800 Subject: [PATCH 20/24] consider abnormal case and reformat test --- apisix/plugins/jwt-auth.lua | 4 ++-- t/plugin/jwt-auth3.t | 13 +++++++++++-- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 0b3a1df2417e..fd3e5d440ae0 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -204,13 +204,13 @@ local function remove_specified_cookie(src, key) local it, err = ngx_re_gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern, "jo") if not it then core.log.error("match origins failed: ", err) - return nil + return src end while true do local m, err = it() if err then core.log.error("iterate origins failed: ", err) - return nil + return src end if not m then break diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 7afe31aab8f6..1c04ab8d9ce9 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
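Review bot: Returning `src` on a regex failure forwards the unmodified Cookie header — JWT included — to the upstream on exactly the requests where `hide_credentials = true` promised it would be stripped, so both error paths in `remove_specified_cookie` now fail open. The previous `return nil` made the caller clear the field (`core.request.set_header(ctx, "Cookie", nil)` drops the header, as the hide-for-header branch already relies on); if the other cookies must survive, return `nil, err` instead and have `fetch_jwt_token` reject the request rather than proxy it. Either way the `core.log.error` lines should stay so the failure remains visible. The caller's `set_header` call is outside this hunk.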
@@ -31,6 +31,11 @@ add_block_preprocessor(sub { if (!defined $block->request) { $block->set_value("request", "GET /t"); } + + if (!$block->response_body) { + $block->set_value("response_body", "passed\n"); + } + }); run_tests; @@ -61,8 +66,6 @@ __DATA__ ngx.say(body) } } ---- response_body -passed @@ -108,6 +111,8 @@ GET /echo jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_body eval +qr/^$/ @@ -118,6 +123,8 @@ GET /echo Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_body eval +qr/^$/ @@ -209,6 +216,8 @@ GET /echo jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers !jwt-header +--- response_body eval +qr/^$/ From a55846a1daadb3892f9d9e653ba5df36b8cbc0ac Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Thu, 10 Nov 2022 17:19:59 +0800 Subject: [PATCH 21/24] fix trim trailing whitespace --- t/plugin/jwt-auth3.t | 1 - 1 file changed, 1 deletion(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 1c04ab8d9ce9..b5ef3ba12eaa 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -35,7 +35,6 @@ add_block_preprocessor(sub { if (!$block->response_body) { $block->set_value("response_body", "passed\n"); } - }); run_tests; From 284c428c701a39cf1a9315947ceae8f0dd37716c Mon Sep 17 00:00:00 2001 
From: pixelpig <626995617@qq.com> Date: Fri, 11 Nov 2022 15:53:41 +0800 Subject: [PATCH 22/24] Update apisix/plugins/jwt-auth.lua MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: 罗泽轩 --- apisix/plugins/jwt-auth.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index fd3e5d440ae0..a3c366f1ffda 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -29,7 +29,7 @@ local ngx_time = ngx.time local sub_str = string.sub local table_insert = table.insert local table_concat = table.concat -local ngx_re_gmatch = ngx.re.gmatch +local ngx_re_gmatch = ngx.re.gmatch local plugin_name = "jwt-auth" local pcall = pcall From b5bc8c77f80663a6b21e0481ff2d12487e3757ae Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Fri, 11 Nov 2022 16:08:38 +0800 Subject: [PATCH 23/24] adjust test file and print cover cookie case --- t/plugin/jwt-auth3.t | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index b5ef3ba12eaa..c0a1961dfd9b 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -33,7 +33,7 @@ add_block_preprocessor(sub { } if (!$block->response_body) { - $block->set_value("response_body", "passed\n"); + $block->set_value("response_body eval", "qr/^$/"); } }); @@ -110,8 +110,6 @@ GET /echo jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs ---- response_body eval -qr/^$/ 
@@ -122,8 +120,6 @@ GET /echo Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs ---- response_body eval -qr/^$/ @@ -215,8 +211,6 @@ GET /echo jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers !jwt-header ---- response_body eval -qr/^$/ @@ -306,4 +300,4 @@ GET /get --- more_headers Cookie: hello=world; jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs; foo=bar --- response_body eval -qr/^(?:(?!jwt-cookie).)*\z/s +qr/hello=world; foo=bar/ From b2a1e7dd5ec367ce2f7e31ddbbee6039633ac0bd Mon Sep 17 00:00:00 2001 From: pixeldin <626995617@qq.com> Date: Tue, 15 Nov 2022 15:09:25 +0800 Subject: [PATCH 24/24] define default block for test file --- t/plugin/jwt-auth3.t | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index c0a1961dfd9b..6a97771320a4 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -30,10 +30,9 @@ add_block_preprocessor(sub { if (!defined $block->request) { $block->set_value("request", "GET /t"); - } - - if (!$block->response_body) { - $block->set_value("response_body eval", "qr/^$/"); + if (!$block->response_body) { + $block->set_value("response_body", "passed\n"); + } } });
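Review bot: The new expectation `qr/hello=world; foo=bar/` checks that the surrounding cookies survive but no longer asserts that `jwt-cookie` is absent from what the upstream received, which is the property this test exists to pin; it matches any body where those two pairs happen to be adjacent and says nothing about the token. Keeping the absence check alongside it, e.g. adding `--- response_body_unlike` with `qr/jwt-cookie/`, covers both halves of the behaviour. The removed lookahead form was harder to read but did express that guarantee.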