This is an automated email from the ASF dual-hosted git repository.
wenming pushed a commit to branch release/3.9
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/release/3.9 by this push:
new 1b11b88ad fix: add post request headers only if auth request method is
post (#11175)
1b11b88ad is described below
commit 1b11b88adabda7e4d3c8803210607666756bbfb5
Author: YuanSheng Wang <[email protected]>
AuthorDate: Sun Apr 21 20:47:30 2024 +0800
fix: add post request headers only if auth request method is post (#11175)
author: suryaprabhakark
---
apisix/plugins/forward-auth.lua | 10 ++-
t/plugin/forward-auth2.t | 185 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 192 insertions(+), 3 deletions(-)
diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua
index 69dc48de6..95f04994c 100644
--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -89,11 +89,15 @@ function _M.access(conf, ctx)
["X-Forwarded-Host"] = core.request.get_host(ctx),
["X-Forwarded-Uri"] = ctx.var.request_uri,
["X-Forwarded-For"] = core.request.get_remote_client_ip(ctx),
- ["Expect"] = core.request.header(ctx, "expect"),
- ["Content-Length"] = core.request.header(ctx, "content-length"),
- ["Transfer-Encoding"] = core.request.header(ctx, "transfer-encoding")
}
+ if conf.request_method == "POST" then
+ auth_headers["Content-Length"] = core.request.header(ctx,
"content-length")
+ auth_headers["Expect"] = core.request.header(ctx, "expect")
+ auth_headers["Transfer-Encoding"] = core.request.header(ctx,
"transfer-encoding")
+ auth_headers["Content-Encoding"] = core.request.header(ctx,
"content-encoding")
+ end
+
-- append headers that need to be get from the client request header
if #conf.request_headers > 0 then
for _, header in ipairs(conf.request_headers) do
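Review bot: The added `Transfer-Encoding` and `Expect` assignments inside the `request_method == "POST"` guard copy hop-by-hop headers (RFC 7230 §6.1) from the client request onto the auth subrequest, which can leave the auth server with framing that does not describe the body it actually receives — a client that sent `Transfer-Encoding: chunked` and no `Content-Length` yields an auth request labelled chunked while the body the plugin hands to its HTTP client is, presumably, already buffered and sent whole (that body handling lives elsewhere in `_M.access`, which starts before this hunk, so I cannot confirm from here whether the client library overrides these headers). Unless it is known to do so, it would be safer to forward only `Content-Length` and `Content-Encoding` and let the library set its own framing, and to record the reasoning next to the guard, e.g. `-- only body-describing headers are forwarded; Transfer-Encoding/Expect are hop-by-hop and the auth client frames its own request`. The guard also assumes the schema restricts `request_method` to upper-case `GET`/`POST`; if the schema is not an enum, a lower-case `post` would silently skip these headers, so either an enum in the schema or an `upper()` here would close that gap.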
diff --git a/t/plugin/forward-auth2.t b/t/plugin/forward-auth2.t
new file mode 100644
index 000000000..f90841ede
--- /dev/null
+++ b/t/plugin/forward-auth2.t
@@ -0,0 +1,185 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!defined $block->request) {
+ $block->set_value("request", "GET /t");
+ }
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: setup route with plugin
+--- config
+ location /t {
+ content_by_lua_block {
+ local data = {
+ {
+ url = "/apisix/admin/upstreams/u1",
+ data = [[{
+ "nodes": {
+ "127.0.0.1:1984": 1
+ },
+ "type": "roundrobin"
+ }]],
+ },
+ {
+ url = "/apisix/admin/routes/auth",
+ data = {
+ plugins = {
+ ["serverless-pre-function"] = {
+ phase = "rewrite",
+ functions = {
+ [[return function(conf, ctx)
+ local core = require("apisix.core");
+ local token = "token-headers-test";
+ if core.request.header(ctx,
"Authorization") == token then
+ if core.request.get_method() ==
"POST" then
+ if core.request.header(ctx,
"Content-Length") or
+ core.request.header(ctx,
"Transfer-Encoding") or
+ core.request.header(ctx,
"Content-Encoding") then
+ core.response.exit(200)
+ else
+ core.response.exit(403)
+ end
+ else
+ if core.request.header(ctx,
"Content-Length") or
+ core.request.header(ctx,
"Transfer-Encoding") or
+ core.request.header(ctx,
"Content-Encoding") then
+ core.response.exit(403)
+ else
+ core.response.exit(200)
+ end
+ end
+ end
+ end]]
+ }
+ }
+ },
+ uri = "/auth"
+ },
+ },
+ {
+ url = "/apisix/admin/routes/echo",
+ data = [[{
+ "plugins": {
+ "serverless-pre-function": {
+ "phase": "rewrite",
+ "functions": [
+ "return function (conf, ctx)
+ local core = require(\"apisix.core\");
+ core.response.exit(200,
core.request.headers(ctx));
+ end"
+ ]
+ }
+ },
+ "uri": "/echo"
+ }]],
+ },
+ {
+ url = "/apisix/admin/routes/1",
+ data = [[{
+ "plugins": {
+ "forward-auth": {
+ "uri": "http://127.0.0.1:1984/auth",
+ "request_headers": ["Authorization"],
+ "request_method": "POST"
+ },
+ "proxy-rewrite": {
+ "uri": "/echo"
+ }
+ },
+ "upstream_id": "u1",
+ "uri": "/verify-auth-post"
+ }]],
+ },
+ {
+ url = "/apisix/admin/routes/2",
+ data = [[{
+ "plugins": {
+ "forward-auth": {
+ "uri": "http://127.0.0.1:1984/auth",
+ "request_headers": ["Authorization"],
+ "request_method": "GET"
+ },
+ "proxy-rewrite": {
+ "uri": "/echo"
+ }
+ },
+ "upstream_id": "u1",
+ "uri": "/verify-auth-get"
+ }]],
+ }
+ }
+
+ local t = require("lib.test_admin").test
+
+ for _, data in ipairs(data) do
+ local code, body = t(data.url, ngx.HTTP_PUT, data.data)
+ ngx.say(body)
+ end
+ }
+ }
+--- response_body eval
+"passed\n" x 5
+
+
+
+=== TEST 2: verify auth server forward headers for request_method=GET
+--- request
+GET /verify-auth-get
+--- more_headers
+Authorization: token-headers-test
+--- error_code: 200
+
+
+
+=== TEST 3: verify auth server forward headers for request_method=POST for GET
upstream
+--- request
+GET /verify-auth-post
+--- more_headers
+Authorization: token-headers-test
+--- error_code: 200
+
+
+
+=== TEST 4: verify auth server forward headers for request_method=POST
+--- request
+POST /verify-auth-post
+{"authorization": "token-headers-test"}
+--- more_headers
+Authorization: token-headers-test
+--- error_code: 200
+
+
+
+=== TEST 5: verify auth server forward headers for request_method=GET for POST
upstream
+--- request
+POST /verify-auth-get
+{"authorization": "token-headers-test"}
+--- more_headers
+Authorization: token-headers-test
+--- error_code: 200
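Review bot: TEST 4 does not actually prove that the client's `Content-Length` is forwarded: the auth route's POST branch accepts the request when any of `Content-Length`, `Transfer-Encoding` or `Content-Encoding` is present, and an HTTP client that sends a POST body will normally set `Content-Length` itself, so the test would pass even if the plugin copied nothing. Comparing the forwarded value with the known size of the request body would pin the behaviour, e.g. replacing the POST-branch condition with `if core.request.header(ctx, "Content-Length") == tostring(#'{"authorization": "token-headers-test"}') then`. Every test here asserts only `error_code: 200`; when the `Authorization` header does not match, the auth function falls through without an explicit exit, so a negative case with a wrong token would also be worth adding to show that the forward-auth route really denies.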