feat: support hide credentials for jwt-auth plugin #8206

Merged
29 commits
d1830f3
doc update: fix hide_credentials description
Oct 30, 2022
2c7d410
feat: support jwt-auth of hiding sensitive param
pixeldin Oct 30, 2022
51eb733
Merge branch 'master' of https://github.com/apache/apisix into jwt-au…
pixeldin Oct 30, 2022
f0ffec8
doc: update plugin param description for EN-US
pixeldin Oct 30, 2022
51dea0f
doc: update plugin(jwt-auth) param description for EN-US
pixeldin Oct 31, 2022
7ee2cd4
lint: code reformat and reindex
pixeldin Oct 31, 2022
06c2970
Update t/plugin/jwt-auth3.t
pixeldin Oct 31, 2022
3440bfe
Update t/plugin/jwt-auth3.t
pixeldin Oct 31, 2022
e9519b8
code reformat
pixeldin Oct 31, 2022
8a24d82
format test file about trailing whitespace
pixeldin Oct 31, 2022
493b24c
adjust the hide credentials logic code and update cookie setting way
pixeldin Nov 1, 2022
41b52b2
Merge branch 'master' of https://github.com/apache/apisix into jwt-au…
pixeldin Nov 1, 2022
6006c52
License Header Addition of test file
pixeldin Nov 2, 2022
64b6dde
rewrite cookie updating way and import httpbin for testing related pa…
pixeldin Nov 4, 2022
dac50b5
Merge branch 'master' of https://github.com/apache/apisix into jwt-au…
pixeldin Nov 4, 2022
da2f64b
fix expected final newline
pixeldin Nov 5, 2022
5179af6
adjusting unit test and hiding credential in cookie with regex pattern
pixeldin Nov 7, 2022
fa9081c
Merge branch 'master' of https://github.com/apache/apisix into jwt-au…
pixeldin Nov 7, 2022
f0d11f7
Update docs/zh/latest/plugins/jwt-auth.md
pixeldin Nov 8, 2022
fc1eaf9
reset cookie val with table.concat() way and reformat test file
pixeldin Nov 8, 2022
c09dfc3
Merge branch 'jwt-auth-plugin-supporting-hide-credentials' of https:/…
pixeldin Nov 8, 2022
3a42895
use Lua local func tools for string and table
pixeldin Nov 9, 2022
b1c6fa0
reformat test file about jwt-auth
pixeldin Nov 9, 2022
cddc27f
use ngx.re specification as cookie match way
pixeldin Nov 9, 2022
3c8a9e1
consider abnormal case and reformat test
pixeldin Nov 10, 2022
a55846a
fix trim trailing whitespace
pixeldin Nov 10, 2022
284c428
Update apisix/plugins/jwt-auth.lua
pixeldin Nov 11, 2022
b5bc8c7
adjust test file and print cover cookie case
pixeldin Nov 11, 2022
b2a1e7d
define default block for test file
pixeldin Nov 15, 2022
57 changes: 55 additions & 2 deletions apisix/plugins/jwt-auth.lua
Expand Up @@ -19,13 +19,17 @@ local jwt = require("resty.jwt")
local consumer_mod = require("apisix.consumer")
local resty_random = require("resty.random")
local vault = require("apisix.core.vault")
local new_tab = require ("table.new")

local ngx_encode_base64 = ngx.encode_base64
local ngx_decode_base64 = ngx.decode_base64
local ipairs = ipairs
local ngx = ngx
local ngx_time = ngx.time
local sub_str = string.sub
local table_insert = table.insert
local table_concat = table.concat
local ngx_re_gmatch = ngx.re.gmatch
local plugin_name = "jwt-auth"
local pcall = pcall

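Review bot: Style point on the `new_tab` line of this hunk: `require ("table.new")` has a space before the parenthesis while every other `require(...)` in the block does not; drop the space for consistency with the surrounding code. The `ngx_re_gmatch` localization is fine, but since the new helper only ever uses one pattern, building the pattern string once at module level would avoid re-concatenating `cookie_key_pattern .. "=" .. cookie_val_pattern` on every request (the `o` flag caches the compiled regex, but the Lua string concatenation still runs each call).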
Expand All @@ -48,6 +52,10 @@ local schema = {
cookie = {
type = "string",
default = "jwt"
},
hide_credentials = {
type = "boolean",
default = false
}
},
}
Expand Down Expand Up @@ -188,10 +196,41 @@ function _M.check_schema(conf, schema_type)
return true
end

local function remove_specified_cookie(src, key)
local cookie_key_pattern = "([a-zA-Z0-9-_]*)"
local cookie_val_pattern = "([a-zA-Z0-9-._]*)"
local t = new_tab(1, 0)

local it, err = ngx_re_gmatch(src, cookie_key_pattern .. "=" .. cookie_val_pattern, "jo")
if not it then
core.log.error("match origins failed: ", err)
return src
end
while true do
local m, err = it()
if err then
core.log.error("iterate origins failed: ", err)
return src
end
if not m then
break
end
if m[1] ~= key then
table_insert(t, m[0])
end
end

return table_concat(t, "; ")
end

local function fetch_jwt_token(conf, ctx)
local token = core.request.header(ctx, conf.header)
if token then
if conf.hide_credentials then
-- hide for header
core.request.set_header(ctx, conf.header, nil)
end

local prefix = sub_str(token, 1, 7)
if prefix == 'Bearer ' or prefix == 'bearer ' then
return sub_str(token, 8)
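Review bot: Logic problem in `remove_specified_cookie`: the `Cookie` header is rebuilt only from what the regex captures, so any character outside `[a-zA-Z0-9-._]` is silently dropped from the cookies that are supposed to be kept. RFC 6265 permits characters such as `%`, `+`, `/`, `=`, `:` and `!` in cookie values, so a request carrying `session=abc%2Fdef; jwt=<token>` would be forwarded upstream as `session=abc`, corrupting an unrelated cookie. Suggest splitting `src` on `;`, trimming each segment, comparing the text before the first `=` to `key`, and concatenating every non-matching segment verbatim, rather than pattern-matching values. Two smaller points: the error messages `match origins failed` / `iterate origins failed` refer to origins, which have nothing to do with cookies, and should say `cookie`; and since `core.request.header` returns a table when the client sends the `Cookie` header more than once, `src` should be checked with `type(src) ~= "string"` before it is handed to `ngx_re_gmatch`.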
Expand All @@ -200,15 +239,29 @@ local function fetch_jwt_token(conf, ctx)
return token
end

token = ctx.var["arg_" .. conf.query]
local uri_args = core.request.get_uri_args(ctx) or {}
token = uri_args[conf.query]
if token then
if conf.hide_credentials then
-- hide for query
uri_args[conf.query] = nil
core.request.set_uri_args(ctx, uri_args)
end
return token
end

local val = ctx.var["cookie_" .. conf.cookie]
if not val then
return nil, "JWT not found in cookie"
end

if conf.hide_credentials then
-- hide for cookie
local src = core.request.header(ctx, "Cookie")
local reset_val = remove_specified_cookie(src, conf.cookie)
core.request.set_header(ctx, "Cookie", reset_val)
end

return val
end

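Review bot: Behaviour change on the query-string branch: the old `ctx.var["arg_" .. conf.query]` always yielded a string, but `core.request.get_uri_args(ctx)[conf.query]` returns a Lua table when the parameter is repeated (`?jwt=a&jwt=b`), so `token` can now be a table and flow into the later `sub_str` and verification code; add a `type(token) == "table"` check here (reject the request, or take the first element) before returning. On the cookie branch, when the JWT cookie is the only cookie, `remove_specified_cookie` returns `""` and `core.request.set_header(ctx, "Cookie", "")` forwards an empty `Cookie:` header; pass `nil` when the rebuilt value is empty so the header is removed entirely, matching what the header branch does with `core.request.set_header(ctx, conf.header, nil)`.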
Expand Down Expand Up @@ -357,8 +410,8 @@ local function algorithm_handler(consumer, method_only)
end
end


function _M.rewrite(conf, ctx)
-- fetch token and hide credentials if necessary
local jwt_token, err = fetch_jwt_token(conf, ctx)
if not jwt_token then
core.log.info("failed to fetch JWT token: ", err)
2 changes: 1 addition & 1 deletion docs/en/latest/plugins/basic-auth.md
Expand Up @@ -46,7 +46,7 @@ For Route:

| Name | Type | Required | Default | Description |
|------------------|---------|----------|---------|------------------------------------------------------------------------|
| hide_credentials | boolean | False | false | Set to true to pass the authorization request headers to the Upstream. |
| hide_credentials | boolean | False | false | Set to true will not pass the authorization request headers to the Upstream. |

## Enabling the Plugin

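Review bot: Grammar in the changed table row: "Set to true will not pass the authorization request headers to the Upstream" is not a well-formed sentence; suggest "Set to `true` to prevent the `Authorization` request header from being passed to the upstream." The substance of the correction is right, since the previous text described the opposite of what the flag does.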
1 change: 1 addition & 0 deletions docs/en/latest/plugins/jwt-auth.md
Expand Up @@ -66,6 +66,7 @@ For Route:
| header | string | False | authorization | The header to get the token from. |
| query | string | False | jwt | The query string to get the token from. Lower priority than header. |
| cookie | string | False | jwt | The cookie to get the token from. Lower priority than query. |
| hide_credentials | boolean | False | false | Set to true will not pass the authorization request of header\query\cookie to the Upstream.|

## API

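Review bot: Same grammar point as in basic-auth.md, and the `header\query\cookie` backslashes read as escape sequences in Markdown; suggest "Set to `true` to prevent the header, query parameter, or cookie that carried the token from being passed to the upstream." It is also worth stating in this row that only the source the token was actually taken from is removed (the header, the query parameter, or the cookie, in that priority order), since the plugin code hides the one that matched and returns, rather than stripping all three.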
2 changes: 1 addition & 1 deletion docs/zh/latest/plugins/basic-auth.md
Expand Up @@ -46,7 +46,7 @@ Route 端:

| 名称 | 类型 | 必选项 | 默认值 | 描述 |
| ---------------- | ------- | ------ | ------ | --------------------------------------------------------------- |
| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则会将 Authorization 请求头传递给 Upstream。|
| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则不会将 Authorization 请求头传递给 Upstream。|

## 启用插件

1 change: 1 addition & 0 deletions docs/zh/latest/plugins/jwt-auth.md
Expand Up @@ -66,6 +66,7 @@ Route 端:
| header | string | 否 | authorization | 设置我们从哪个 header 获取 token。 |
| query | string | 否 | jwt | 设置我们从哪个 query string 获取 token,优先级低于 header。 |
| cookie | string | 否 | jwt | 设置我们从哪个 cookie 获取 token,优先级低于 query。 |
| hide_credentials | boolean | 否 | false | 该参数设置为 `true` 时,则不会将含有认证信息的 header\query\cookie 传递给 Upstream。|

## 接口

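Review bot: The `header\query\cookie` separator in the new row has the same Markdown escape problem as the English file; use a comma-separated list (`header、query、cookie`) so the three sources render correctly, and keep the wording aligned with docs/en/latest/plugins/jwt-auth.md once that row is fixed.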