This is an automated email from the ASF dual-hosted git repository.

spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new d1c178d  feat: Add ldap-auth plugin (#3894)
d1c178d is described below

commit d1c178daaa94eaaf5f490a20bc7bc34219e00aae
Author: jpgouin <[email protected]>
AuthorDate: Wed Oct 13 03:04:39 2021 +0200

    feat: Add ldap-auth plugin (#3894)
---
 .github/workflows/build.yml            |   2 +-
 .github/workflows/cli.yml              |   2 +-
 .github/workflows/fuzzing-ci.yaml      |   2 +-
 apisix/plugins/ldap-auth.lua           | 160 +++++++++++++++++
 ci/centos7-ci.sh                       |   2 +-
 ci/install-ext-services-via-docker.sh  |   3 +
 conf/config-default.yaml               |   1 +
 docs/en/latest/config.json             |   3 +-
 docs/en/latest/install-dependencies.md |  10 +-
 docs/en/latest/plugins/ldap-auth.md    | 147 ++++++++++++++++
 rockspec/apisix-master-0.rockspec      |   1 +
 t/admin/plugins.t                      |   4 +-
 t/plugin/ldap-auth.t                   | 311 +++++++++++++++++++++++++++++++++
 utils/linux-install-openresty.sh       |   2 +-
 14 files changed, 637 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0da01bd..7881061 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -78,7 +78,7 @@ jobs:
           tar zxvf ${{ steps.branch_env.outputs.fullname }}
 
       - name: Linux Get dependencies
-        run: sudo apt install -y cpanminus build-essential libncurses5-dev 
libreadline-dev libssl-dev perl libpcre3 libpcre3-dev
+        run: sudo apt install -y cpanminus build-essential libncurses5-dev 
libreadline-dev libssl-dev perl libpcre3 libpcre3-dev libldap2-dev
 
       - name: Linux Before install
         run: sudo ./ci/${{ matrix.os_name }}_runner.sh before_install
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
index f117c4d..53e1960 100644
--- a/.github/workflows/cli.yml
+++ b/.github/workflows/cli.yml
@@ -66,7 +66,7 @@ jobs:
           key: ${{ runner.os }}-${{ env.cache-name }}-${{ matrix.job_name 
}}-${{ hashFiles('rockspec/apisix-master-0.rockspec') }}
 
       - name: Linux Get dependencies
-        run: sudo apt install -y cpanminus build-essential libncurses5-dev 
libreadline-dev libssl-dev perl libpcre3 libpcre3-dev
+        run: sudo apt install -y cpanminus build-essential libncurses5-dev 
libreadline-dev libssl-dev perl libpcre3 libpcre3-dev libldap2-dev
 
       - name: Linux Before install
         run: sudo ./ci/${{ matrix.job_name }}_runner.sh before_install
diff --git a/.github/workflows/fuzzing-ci.yaml 
b/.github/workflows/fuzzing-ci.yaml
index 71eaf8b..4fb223a 100644
--- a/.github/workflows/fuzzing-ci.yaml
+++ b/.github/workflows/fuzzing-ci.yaml
@@ -52,7 +52,7 @@ jobs:
         sudo apt-get -y install software-properties-common
         sudo add-apt-repository -y "deb http://openresty.org/package/ubuntu 
$(lsb_release -sc) main"
         sudo apt-get update
-        sudo apt-get install -y git openresty curl openresty-openssl111-dev 
unzip make gcc
+        sudo apt-get install -y git openresty curl openresty-openssl111-dev 
unzip make gcc libldap2-dev
         ./utils/linux-install-luarocks.sh
 
         make deps
diff --git a/apisix/plugins/ldap-auth.lua b/apisix/plugins/ldap-auth.lua
new file mode 100644
index 0000000..6318523
--- /dev/null
+++ b/apisix/plugins/ldap-auth.lua
@@ -0,0 +1,160 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local ngx = ngx
+local ngx_re = require("ngx.re")
+local ipairs = ipairs
+local consumer_mod = require("apisix.consumer")
+local lualdap = require("lualdap")
+
+local lrucache = core.lrucache.new({
+    ttl = 300, count = 512
+})
+
+local schema = {
+    type = "object",
+    title = "work with route or service object",
+    properties = {
+        base_dn = { type = "string" },
+        ldap_uri = { type = "string" },
+        use_tls = { type = "boolean" },
+        uid = { type = "string" }
+    },
+    required = {"base_dn","ldap_uri"},
+}
+
+local consumer_schema = {
+    type = "object",
+    title = "work with consumer object",
+    properties = {
+        user_dn = { type = "string" },
+    },
+    required = {"user_dn"},
+}
+
+local plugin_name = "ldap-auth"
+
+local _M = {
+    version = 0.1,
+    priority = 2540,
+    type = 'auth',
+    name = plugin_name,
+    schema = schema,
+    consumer_schema = consumer_schema
+}
+
+function _M.check_schema(conf, schema_type)
+    local ok, err
+    if schema_type == core.schema.TYPE_CONSUMER then
+        ok, err = core.schema.check(consumer_schema, conf)
+    else
+        ok, err = core.schema.check(schema, conf)
+    end
+
+    return ok, err
+end
+
+local create_consumer_cache
+do
+    local consumer_names = {}
+
+    function create_consumer_cache(consumers)
+        core.table.clear(consumer_names)
+
+        for _, consumer in ipairs(consumers.nodes) do
+            core.log.info("consumer node: ", core.json.delay_encode(consumer))
+            consumer_names[consumer.auth_conf.user_dn] = consumer
+        end
+
+        return consumer_names
+    end
+
+end -- do
+
+local function extract_auth_header(authorization)
+    local obj = { username = "", password = "" }
+
+    local m, err = ngx.re.match(authorization, "Basic\\s(.+)", "jo")
+    if err then
+        -- error authorization
+        return nil, err
+    end
+
+    local decoded = ngx.decode_base64(m[1])
+
+    if not decoded then
+        return nil, "failed to decode authentication header: " .. m[1]
+    end
+
+    local res
+    res, err = ngx_re.split(decoded, ":")
+    if err then
+        return nil, "split authorization err:" .. err
+    end
+    if #res < 2 then
+        return nil, "split authorization err: invalid decoded data: " .. 
decoded
+    end
+
+    obj.username = ngx.re.gsub(res[1], "\\s+", "", "jo")
+    obj.password = ngx.re.gsub(res[2], "\\s+", "", "jo")
+
+    return obj, nil
+end
+
+function _M.rewrite(conf, ctx)
+    core.log.info("plugin rewrite phase, conf: ", core.json.delay_encode(conf))
+
+    -- 1. extract authorization from header
+    local auth_header = core.request.header(ctx, "Authorization")
+    if not auth_header then
+        core.response.set_header("WWW-Authenticate", "Basic realm='.'")
+        return 401, { message = "Missing authorization in request" }
+    end
+
+    local user, err = extract_auth_header(auth_header)
+    if err then
+        return 401, { message = err }
+    end
+
+    -- 2. try authenticate the user against the ldap server
+    local uid = "cn"
+    if conf.uid then
+        uid = conf.uid
+    end
+    local userdn =  uid .. "=" .. user.username .. "," .. conf.base_dn
+    local ld = lualdap.open_simple (conf.ldap_uri, userdn, user.password, 
conf.use_tls)
+    if not ld then
+        return 401, { message = "Invalid user authorization" }
+    end
+
+    -- 3. Retrieve consumer for authorization plugin
+    local consumer_conf = consumer_mod.plugin(plugin_name)
+    if not consumer_conf then
+        return 401, {message = "Missing related consumer"}
+    end
+    local consumers = lrucache("consumers_key", consumer_conf.conf_version,
+        create_consumer_cache, consumer_conf)
+    local consumer = consumers[userdn]
+    if not consumer then
+        return 401, {message = "Invalid API key in request"}
+    end
+    consumer_mod.attach_consumer(ctx, consumer, consumer_conf)
+
+    core.log.info("hit basic-auth access")
+end
+
+return _M
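Review bot: In `_M.rewrite` the request's credentials reach `lualdap.open_simple` unvalidated: `user.username` is concatenated unescaped into `userdn`, and an empty password is passed through, which some LDAP servers accept as an unauthenticated simple bind (RFC 4513 §5.1.2) and report as success, after which `consumers[userdn]` attaches the consumer. Empty usernames and passwords should be rejected and the RFC 4514 special characters escaped before the DN is built; the handle `ld` is also never closed, so each successful login leaves a connection open. In `extract_auth_header`, `ngx.re.match` returns `nil` with no error when the header does not match, so `m[1]` raises instead of producing a 401, and the error strings put `m[1]` and `decoded` (the submitted credentials) into the response body. Splitting on `:` and keeping only `res[2]` also truncates any password that contains a colon. Separately, `use_tls` has no default in `schema`, so a route that omits it appears to bind without TLS although the new doc page lists `true` as the default; this is worth confirming against lualdap's handling of `nil`.

```lua
-- in extract_auth_header
    local m, err = ngx.re.match(authorization, "Basic\\s(.+)", "jo")
    if err then
        return nil, err
    end
    if not m then
        -- a non-matching header is reported as m == nil with err == nil
        return nil, "Invalid authorization header format"
    end

    local decoded = ngx.decode_base64(m[1])
    if not decoded then
        -- keep the submitted header value out of the response body
        return nil, "failed to decode authentication header"
    end
    -- … unchanged: split on ":" and whitespace stripping …

-- in _M.rewrite
    -- … unchanged: header extraction and uid default …
    if user.username == "" or user.password == "" then
        -- an empty password would go out as an unauthenticated simple bind
        return 401, { message = "Invalid user authorization" }
    end
    -- escape RFC 4514 special characters so the username stays a single RDN value
    local rdn_value = user.username:gsub('[\\,+"<>;=#]', "\\%0")
    local userdn = uid .. "=" .. rdn_value .. "," .. conf.base_dn
    local ld = lualdap.open_simple(conf.ldap_uri, userdn, user.password, conf.use_tls)
    if not ld then
        return 401, { message = "Invalid user authorization" }
    end
    ld:close()  -- only the bind result is needed; release the connection
    -- … unchanged: consumer lookup …
```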
diff --git a/ci/centos7-ci.sh b/ci/centos7-ci.sh
index 19bdf18..744bed7 100755
--- a/ci/centos7-ci.sh
+++ b/ci/centos7-ci.sh
@@ -23,7 +23,7 @@ install_dependencies() {
 
     # install development tools
     yum install -y wget tar gcc automake autoconf libtool make unzip \
-        curl git which sudo
+        curl git which sudo openldap-devel
 
     # install openresty to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo 
https://openresty.org/package/centos/openresty.repo
diff --git a/ci/install-ext-services-via-docker.sh 
b/ci/install-ext-services-via-docker.sh
index 14aa9ee..498853b 100755
--- a/ci/install-ext-services-via-docker.sh
+++ b/ci/install-ext-services-via-docker.sh
@@ -38,6 +38,9 @@ docker run --rm --name skywalking -d -p 1234:1234 -p 
11800:11800 -p 12800:12800
 docker run --rm --name consul_1 -d -p 8500:8500 consul:1.7 consul agent 
-server -bootstrap-expect=1 -client 0.0.0.0 -log-level info 
-data-dir=/consul/data
 docker run --rm --name consul_2 -d -p 8600:8500 consul:1.7 consul agent 
-server -bootstrap-expect=1 -client 0.0.0.0 -log-level info 
-data-dir=/consul/data
 
+# start openldap server
+docker run -d --rm --name openldap -p 1389:1389 -p 1636:1636 --env 
LDAP_ADMIN_USERNAME=admin --env LDAP_ADMIN_PASSWORD=adminpassword --env 
LDAP_USERS=user01,user02 --env LDAP_PASSWORDS=password1,password2 
bitnami/openldap:latest
+
 # start nacos server
 docker network rm nacos_net
 docker network create nacos_net
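Review bot: The added `docker run` line pulls `bitnami/openldap:latest`, an unpinned tag, while the neighbouring services in this hunk use fixed tags such as `consul:1.7`. With a moving tag the CI result depends on whatever the registry serves at run time, so an upstream change or a tampered image enters the pipeline unreviewed. Pin a specific version tag, or preferably a digest, for example `bitnami/openldap:<VERSION>@sha256:<DIGEST>` (placeholders, not real values).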
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 5232a28..7e45007 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -312,6 +312,7 @@ plugins:                          # plugin list (sorted by 
priority)
   - openid-connect                 # priority: 2599
   - authz-casbin                   # priority: 2560
   - wolf-rbac                      # priority: 2555
+  - ldap-auth                      # priority: 2540
   - hmac-auth                      # priority: 2530
   - basic-auth                     # priority: 2520
   - jwt-auth                       # priority: 2510
diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
index 33cf914..9045833 100644
--- a/docs/en/latest/config.json
+++ b/docs/en/latest/config.json
@@ -66,7 +66,8 @@
             "plugins/wolf-rbac",
             "plugins/openid-connect",
             "plugins/hmac-auth",
-            "plugins/authz-casbin"
+            "plugins/authz-casbin",
+            "plugins/ldap-auth"
           ]
         },
         {
diff --git a/docs/en/latest/install-dependencies.md 
b/docs/en/latest/install-dependencies.md
index f638a1e..46353f0 100644
--- a/docs/en/latest/install-dependencies.md
+++ b/docs/en/latest/install-dependencies.md
@@ -58,7 +58,7 @@ sudo yum install yum-utils
 sudo yum-config-manager --add-repo 
https://openresty.org/package/centos/openresty.repo
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip 
pcre pcre-devel
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip 
pcre pcre-devel libldap2-dev
 
 # install LuaRocks
 curl 
https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh
 -sL | bash -
@@ -81,7 +81,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel pcre 
pcre-devel
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel pcre 
pcre-devel libldap2-dev
 
 # install LuaRocks
 curl 
https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh
 -sL | bash -
@@ -107,7 +107,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc 
libpcre3 libpcre3-dev
+sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc 
libpcre3 libpcre3-dev libldap2-dev
 
 # install LuaRocks
 curl 
https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh
 -sL | bash -
@@ -138,7 +138,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl make openresty-openssl111-dev 
libpcre3 libpcre3-dev
+sudo apt-get install -y git openresty curl make openresty-openssl111-dev 
libpcre3 libpcre3-dev libldap2-dev
 
 # install LuaRocks
 curl 
https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh
 -sL | bash -
@@ -151,7 +151,7 @@ nohup etcd &
 
 ```shell
 # install OpenResty, etcd and some compilation tools
-brew install openresty/brew/openresty luarocks [email protected] etcd curl git pcre
+brew install openresty/brew/openresty luarocks [email protected] etcd curl git pcre 
openldap
 
 # start etcd server
 brew services start etcd
diff --git a/docs/en/latest/plugins/ldap-auth.md 
b/docs/en/latest/plugins/ldap-auth.md
new file mode 100644
index 0000000..50d98f5
--- /dev/null
+++ b/docs/en/latest/plugins/ldap-auth.md
@@ -0,0 +1,147 @@
+---
+title: ldap-auth
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Summary
+
+- [**Name**](#name)
+- [**Attributes**](#attributes)
+- [**How To Enable**](#how-to-enable)
+- [**Test Plugin**](#test-plugin)
+- [**Disable Plugin**](#disable-plugin)
+
+## Name
+
+`ldap-auth` is an authentication plugin that can works with `consumer`. Add 
Ldap Authentication to a `service` or `route`.
+
+The `consumer` then authenticate against the Ldap server using Basic 
authentication.
+
+For more information on Basic authentication, refer to 
[Wiki](https://en.wikipedia.org/wiki/Basic_access_authentication) for more 
information.
+
+This authentication plugin use [lualdap](https://lualdap.github.io/lualdap/) 
plugin to connect against the ldap server
+
+## Attributes
+
+| Name     | Type   | Requirement | Default | Valid | Description              
                                                                                
                                                        |
+| -------- | ------ | ----------- | ------- | ----- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------
 |
+| base_dn | string | required    |         |       | the base dn of the `ldap` 
server (example : `ou=users,dc=example,dc=org`)   |
+| ldap_uri | string | required    |         |       | the uri of the ldap 
server  |
+| use_tls | boolean | optional    |    `true`     |       | Boolean flag 
indicating if Transport Layer Security (TLS) should be used. |
+| uid | string | optional    |     `cn`      |     | the `uid` attribute |
+
+## How To Enable
+
+### 1. set a consumer and config the value of the `ldap-auth` option
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: 
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "username": "foo",
+    "plugins": {
+        "ldap-auth": {
+            "user_dn": "cn=user01,ou=users,dc=example,dc=org"
+        }
+    }
+}'
+```
+
+### 2. add a Route or add a Service, and enable the `ldap-auth` plugin
+
+```shell
+curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: 
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+    "methods": ["GET"],
+    "uri": "/hello",
+    "plugins": {
+        "ldap-auth": {
+            "base_dn": "ou=users,dc=example,dc=org",
+            "ldap_uri": "localhost:1389",
+            "uid": "cn"
+        },
+    },
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "127.0.0.1:1980": 1
+        }
+    }
+}'
+```
+
+## Test Plugin
+
+- missing Authorization header
+
+```shell
+$ curl -i http://127.0.0.1:9080/hello
+HTTP/1.1 401 Unauthorized
+...
+{"message":"Missing authorization in request"}
+```
+
+- user is not exists:
+
+```shell
+$ curl -i -uuser:password1 http://127.0.0.1:9080/hello
+HTTP/1.1 401 Unauthorized
+...
+{"message":"Invalid user key in authorization"}
+```
+
+- password is invalid:
+
+```shell
+$ curl -i -uuser01:passwordfalse http://127.0.0.1:9080/hello
+HTTP/1.1 401 Unauthorized
+...
+{"message":"Password is error"}
+```
+
+- success:
+
+```shell
+$ curl -i -uuser01:password1 http://127.0.0.1:9080/hello
+HTTP/1.1 200 OK
+...
+hello, world
+```
+
+## Disable Plugin
+
+When you want to disable the `ldap-auth` plugin, it is very simple,
+ you can delete the corresponding json configuration in the plugin 
configuration,
+  no need to restart the service, it will take effect immediately:
+
+```shell
+$ curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value='
+{
+    "methods": ["GET"],
+    "uri": "/hello",
+    "plugins": {},
+    "upstream": {
+        "type": "roundrobin",
+        "nodes": {
+            "127.0.0.1:1980": 1
+        }
+    }
+}'
+```
diff --git a/rockspec/apisix-master-0.rockspec 
b/rockspec/apisix-master-0.rockspec
index e8ca0cf..cb8569b 100644
--- a/rockspec/apisix-master-0.rockspec
+++ b/rockspec/apisix-master-0.rockspec
@@ -71,6 +71,7 @@ dependencies = {
     "casbin = 1.26.0",
     "api7-snowflake = 2.0-1",
     "inspect == 3.1.1",
+    "lualdap = 1.2.6-1",
 }
 
 build = {
diff --git a/t/admin/plugins.t b/t/admin/plugins.t
index 57a33bc..b0d5d8f 100644
--- a/t/admin/plugins.t
+++ b/t/admin/plugins.t
@@ -40,7 +40,7 @@ __DATA__
 --- request
 GET /apisix/admin/plugins/list
 --- response_body_like eval
-qr/\["real-ip","client-control","ext-plugin-pre-req","zipkin","request-id","fault-injection","serverless-pre-function","batch-requests","cors","ip-restriction","ua-restriction","referer-restriction","uri-blocker","request-validation","openid-connect","authz-casbin","wolf-rbac","hmac-auth","basic-auth","jwt-auth","key-auth","consumer-restriction","authz-keycloak","proxy-mirror","proxy-cache","proxy-rewrite","api-breaker","limit-conn","limit-count","limit-req","gzip","server-info","traffic
 [...]
+qr/\["real-ip","client-control","ext-plugin-pre-req","zipkin","request-id","fault-injection","serverless-pre-function","batch-requests","cors","ip-restriction","ua-restriction","referer-restriction","uri-blocker","request-validation","openid-connect","authz-casbin","wolf-rbac","ldap-auth","hmac-auth","basic-auth","jwt-auth","key-auth","consumer-restriction","authz-keycloak","proxy-mirror","proxy-cache","proxy-rewrite","api-breaker","limit-conn","limit-count","limit-req","gzip","server-in
 [...]
 --- no_error_log
 [error]
 
@@ -232,7 +232,7 @@ 
qr/\{"metadata_schema":\{"properties":\{"ikey":\{"minimum":0,"type":"number"\},"
         }
     }
 --- response_body eval
-qr/\[\{"name":"wolf-rbac","priority":2555\},\{"name":"hmac-auth","priority":2530\},\{"name":"basic-auth","priority":2520\},\{"name":"jwt-auth","priority":2510\},\{"name":"key-auth","priority":2500\}\]/
+qr/\[\{"name":"wolf-rbac","priority":2555\},\{"name":"ldap-auth","priority":2540\},\{"name":"hmac-auth","priority":2530\},\{"name":"basic-auth","priority":2520\},\{"name":"jwt-auth","priority":2510\},\{"name":"key-auth","priority":2500\}\]/
 --- no_error_log
 [error]
 
diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
new file mode 100644
index 0000000..8232d9b
--- /dev/null
+++ b/t/plugin/ldap-auth.t
@@ -0,0 +1,311 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(2);
+no_long_string();
+no_root_location();
+no_shuffle();
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+
+    if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+        $block->set_value("no_error_log", "[error]");
+    }
+});
+
+run_tests();
+
+
+__DATA__
+
+=== TEST 1: sanity
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local plugin = require("apisix.plugins.ldap-auth")
+            local ok, err = plugin.check_schema({user_dn = 'foo'}, 
core.schema.TYPE_CONSUMER)
+            if not ok then
+                ngx.say(err)
+            end
+
+            ngx.say("done")
+        }
+    }
+--- response_body
+done
+
+
+
+=== TEST 2: wrong type of string
+--- config
+    location /t {
+        content_by_lua_block {
+            local plugin = require("apisix.plugins.ldap-auth")
+            local ok, err = plugin.check_schema({base_dn = 123, ldap_uri = 
"127.0.0.1:1389"})
+            if not ok then
+                ngx.say(err)
+            end
+
+            ngx.say("done")
+        }
+    }
+--- response_body_like eval
+qr/wrong type: expected string, got number
+done
+/
+
+
+
+=== TEST 3: add consumer with username and plugins
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/consumers',
+                ngx.HTTP_PUT,
+                [[{
+                    "username": "user01",
+                    "plugins": {
+                        "ldap-auth": {
+                            "user_dn": "cn=user01,ou=users,dc=example,dc=org"
+                        }
+                    }
+                }]],
+                [[{
+                    "node": {
+                        "value": {
+                            "username": "user01",
+                            "plugins": {
+                                "ldap-auth": {
+                                    "user_dn": 
"cn=user01,ou=users,dc=example,dc=org"
+                                }
+                            }
+                        }
+                    },
+                    "action": "set"
+                }]]
+                )
+
+            ngx.status = code
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 4: enable basic auth plugin using admin api
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "ldap-auth": {
+                            "base_dn": "ou=users,dc=example,dc=org",
+                            "ldap_uri": "127.0.0.1:1389",
+                            "uid": "cn"
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 5: verify, missing authorization
+--- request
+GET /hello
+--- error_code: 401
+--- response_body
+{"message":"Missing authorization in request"}
+
+
+
+=== TEST 6: verify, invalid password
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic Zm9vOmZvbwo=
+--- error_code: 401
+--- response_body
+{"message":"Invalid user authorization"}
+
+
+
+=== TEST 7: verify
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ==
+--- response_body
+hello world
+--- error_log
+find consumer user01
+
+
+
+=== TEST 8: enable basic auth plugin using admin api
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "ldap-auth": {
+                            "base_dn": "ou=users,dc=example,dc=org",
+                            "ldap_uri": "127.0.0.1:1389",
+                            "uid": "cn"
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 9: verify
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ==
+--- response_body
+hello world
+--- error_log
+find consumer user01
+
+
+
+=== TEST 10: invalid schema
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            for _, case in ipairs({
+                {},
+                "blah"
+            }) do
+                local code, body = t('/apisix/admin/consumers',
+                    ngx.HTTP_PUT,
+                    {
+                        username = "foo",
+                        plugins = {
+                            ["ldap-auth"] = case
+                        }
+                    }
+                )
+                ngx.print(body)
+            end
+        }
+    }
+--- response_body
+{"error_msg":"invalid plugins configuration: failed to check the configuration 
of plugin ldap-auth err: property \"user_dn\" is required"}
+{"error_msg":"invalid plugins configuration: invalid plugin conf \"blah\" for 
plugin [ldap-auth]"}
+
+
+
+=== TEST 11: get the default schema
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/schema/plugins/ldap-auth',
+                ngx.HTTP_GET,
+                nil,
+                [[
+{"title":"work with route or service 
object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"disable":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}
+                ]]
+                )
+            ngx.status = code
+        }
+    }
+
+
+
+=== TEST 12: get the schema by schema_type
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = 
t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer',
+                ngx.HTTP_GET,
+                nil,
+                [[
+{"title":"work with consumer 
object","required":["user_dn"],"properties":{"user_dn":{"type":"string"}},"type":"object"}
+                ]]
+                )
+            ngx.status = code
+        }
+    }
+
+
+
+=== TEST 13: get the schema by error schema_type
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = 
t('/apisix/admin/schema/plugins/ldap-auth?schema_type=consumer123123',
+                ngx.HTTP_GET,
+                nil,
+                [[
+{"title":"work with route or service 
object","required":["base_dn","ldap_uri"],"properties":{"base_dn":{"type":"string"},"ldap_uri":{"type":"string"},"use_tls":{"type":"boolean"},"disable":{"type":"boolean"},"uid":{"type":"string"}},"type":"object"}
                ]]
+                )
+            ngx.status = code
+        }
+    }
\ No newline at end of file
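Review bot: The new test file exercises only the happy path, a missing header and one failed bind, so the plugin's input-handling branches are untested. Cases worth adding are an `Authorization` header that is not `Basic ...`, a value that is not valid base64, a decoded value without `:`, an empty password, and a user that binds successfully but has no matching consumer. TEST 6 is titled "invalid password" but its header decodes to a user that is not in the directory, so a wrong password for the existing `user01` is not covered either. TEST 8 and TEST 9 repeat TEST 4 and TEST 7 without changing the configuration; if the intent was to cover `use_tls` or a non-default `uid`, the route body should differ.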
diff --git a/utils/linux-install-openresty.sh b/utils/linux-install-openresty.sh
index 3f1acb8..8dbb716 100755
--- a/utils/linux-install-openresty.sh
+++ b/utils/linux-install-openresty.sh
@@ -40,4 +40,4 @@ else
     openresty="openresty-debug=$OPENRESTY_VERSION*"
 fi
 
-sudo apt-get install "$openresty" lua5.1 liblua5.1-0-dev 
openresty-openssl111-debug-dev
+sudo apt-get install "$openresty" lua5.1 liblua5.1-0-dev 
openresty-openssl111-debug-dev libldap2-dev
