This is an automated email from the ASF dual-hosted git repository.

bzp2010 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 4a66b79  feat: support send APISIX data to assist decision in OPA 
plugin (#5874)
4a66b79 is described below

commit 4a66b798038bf4dd9834798051d0138e49b40708
Author: Zeping Bai <[email protected]>
AuthorDate: Wed Dec 29 20:19:02 2021 +0800

    feat: support send APISIX data to assist decision in OPA plugin (#5874)
---
 apisix/plugins/opa.lua        |   8 +-
 apisix/plugins/opa/helper.lua |  67 +++++++++++++--
 ci/pod/docker-compose.yml     |   5 +-
 ci/pod/opa/echo.rego          |  20 +++++
 t/plugin/opa2.t               | 187 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 278 insertions(+), 9 deletions(-)

diff --git a/apisix/plugins/opa.lua b/apisix/plugins/opa.lua
index cfe0b58..b56403b 100644
--- a/apisix/plugins/opa.lua
+++ b/apisix/plugins/opa.lua
@@ -38,7 +38,10 @@ local schema = {
         },
         keepalive = {type = "boolean", default = true},
         keepalive_timeout = {type = "integer", minimum = 1000, default = 
60000},
-        keepalive_pool = {type = "integer", minimum = 1, default = 5}
+        keepalive_pool = {type = "integer", minimum = 1, default = 5},
+        with_route = {type = "boolean", default = false},
+        with_service = {type = "boolean", default = false},
+        with_consumer = {type = "boolean", default = false},
     },
     required = {"host", "policy"}
 }
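Review bot: The three new `with_*` flags are undocumented in the schema even though they change what leaves the gateway: enabling them sends the matched route, service and consumer configuration to the OPA host, and only the route copy strips `upstream`, while the consumer object carries its plugin configuration including credentials (opa2.t in this same commit asserts that `"key":"test-key"` appears in the echoed input). The diffstat shows no change under docs/, so the behaviour is visible only from the code. Add a comment above the flags, e.g. `-- with_*: include the matched route/service/consumer config in the OPA input; the consumer object carries its auth-plugin credentials, so enable only toward a trusted OPA endpoint.`, and carry the same caveat into the plugin documentation. The enclosing `schema` table starts before the hunk.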
@@ -59,9 +62,10 @@ end
 
 function _M.access(conf, ctx)
     local body = helper.build_opa_input(conf, ctx, "http")
+
     local params = {
         method = "POST",
-        body = body,
+        body = core.json.encode(body),
         headers = {
             ["Content-Type"] = "application/json",
         },
diff --git a/apisix/plugins/opa/helper.lua b/apisix/plugins/opa/helper.lua
index 059ea08..dc3d12d 100644
--- a/apisix/plugins/opa/helper.lua
+++ b/apisix/plugins/opa/helper.lua
@@ -15,12 +15,15 @@
 -- limitations under the License.
 --
 
-local core     = require("apisix.core")
-local ngx_time = ngx.time
+local core        = require("apisix.core")
+local get_service = require("apisix.http.service").get
+local ngx_time    = ngx.time
 
 local _M = {}
 
 
+-- build a table of Nginx variables with some generality
+-- between http subsystem and stream subsystem
 local function build_var(conf, ctx)
     return {
         server_addr = ctx.var.server_addr,
@@ -45,16 +48,68 @@ local function build_http_request(conf, ctx)
 end
 
 
-function _M.build_opa_input(conf, ctx, subsystem)
-    local request = build_http_request(conf, ctx)
+local function build_http_route(conf, ctx, remove_upstream)
+    local route = core.table.clone(ctx.matched_route).value
+
+    if remove_upstream and route and route.upstream then
+        route.upstream = nil
+    end
+
+    return route
+end
+
+
+local function build_http_service(conf, ctx)
+    local service_id = ctx.service_id
+
+    -- possible that there is no service bound to the route
+    if service_id then
+        local service = core.table.clone(get_service(service_id)).value
+
+        if service then
+            if service.upstream then
+                service.upstream = nil
+            end
+            return service
+        end
+    end
+
+    return nil
+end
+
 
+local function build_http_consumer(conf, ctx)
+    -- possible that there is no consumer bound to the route
+    if ctx.consumer then
+        return core.table.clone(ctx.consumer)
+    end
+
+    return nil
+end
+
+
+function _M.build_opa_input(conf, ctx, subsystem)
     local data = {
         type    = subsystem,
-        request = request,
+        request = build_http_request(conf, ctx),
         var     = build_var(conf, ctx)
     }
 
-    return core.json.encode({input = data})
+    if conf.with_route then
+        data.route = build_http_route(conf, ctx, true)
+    end
+
+    if conf.with_consumer then
+        data.consumer = build_http_consumer(conf, ctx)
+    end
+
+    if conf.with_service then
+        data.service = build_http_service(conf, ctx)
+    end
+
+    return {
+        input = data,
+    }
 end
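Review bot: `build_http_route` clears `route.upstream` on `core.table.clone(ctx.matched_route).value`; if `core.table.clone` is a shallow copy (as LuaJIT's `table.clone` is), `.value` is still the live route configuration and the assignment removes the upstream from the matched route itself, not from a copy, so requests after the first one with `with_route` enabled would run on a route that has lost its upstream. `build_http_service` has the same shallow-copy concern and also guards too late: `get_service(service_id)` may return nil (service deleted after the route was matched), and `core.table.clone(nil)` raises before the `if service` check runs. The sketch below deep-copies before mutating and checks for a missing service first; `build_http_consumer` is left as is, though it likewise forwards the consumer's plugin credentials, which the route/service handling here does not consider. Whether `core.table.clone` is shallow should be confirmed against apisix/core/table.lua, which is outside this diff.
```lua
local function build_http_route(conf, ctx, remove_upstream)
    -- deep copy: `.value` of a shallow clone is the live route config,
    -- and clearing `upstream` on it would mutate the matched route
    local route = ctx.matched_route and core.table.deepcopy(ctx.matched_route).value

    if remove_upstream and route and route.upstream then
        route.upstream = nil
    end

    return route
end


local function build_http_service(conf, ctx)
    local service_id = ctx.service_id
    -- possible that there is no service bound to the route,
    -- or that it was removed after the route was matched
    local service_obj = service_id and get_service(service_id)
    if not service_obj then
        return nil
    end

    local service = core.table.deepcopy(service_obj).value
    if service then
        service.upstream = nil
    end
    return service
end

-- … unchanged: build_http_consumer, _M.build_opa_input …
```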
 
 
diff --git a/ci/pod/docker-compose.yml b/ci/pod/docker-compose.yml
index 16497f2..e7eabcf 100644
--- a/ci/pod/docker-compose.yml
+++ b/ci/pod/docker-compose.yml
@@ -402,12 +402,15 @@ services:
     restart: unless-stopped
     ports:
       - 8181:8181
-    command: run -s /example.rego /data.json
+    command: run -s /example.rego /echo.rego /data.json
     volumes:
       - type: bind
         source: ./ci/pod/opa/example.rego
         target: /example.rego
       - type: bind
+        source: ./ci/pod/opa/echo.rego
+        target: /echo.rego
+      - type: bind
         source: ./ci/pod/opa/data.json
         target: /data.json
     networks:
diff --git a/ci/pod/opa/echo.rego b/ci/pod/opa/echo.rego
new file mode 100644
index 0000000..611f64f
--- /dev/null
+++ b/ci/pod/opa/echo.rego
@@ -0,0 +1,20 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+package echo
+
+allow = false
+reason = input
diff --git a/t/plugin/opa2.t b/t/plugin/opa2.t
new file mode 100644
index 0000000..c9ad7f2
--- /dev/null
+++ b/t/plugin/opa2.t
@@ -0,0 +1,187 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+        $block->set_value("no_error_log", "[error]");
+    }
+
+    if (!defined $block->request) {
+        $block->set_value("request", "GET /t");
+    }
+});
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: setup all-in-one test
+--- config
+    location /t {
+        content_by_lua_block {
+            local datas = {
+                {
+                    url = "/apisix/admin/upstreams/u1",
+                    data = [[{
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    }]],
+                },
+                {
+                    url = "/apisix/admin/consumers",
+                    data = [[{
+                        "username": "test",
+                        "plugins": {
+                            "key-auth": {
+                                "disable": false,
+                                "key": "test-key"
+                            }
+                        }
+                    }]],
+                },
+                {
+                    url = "/apisix/admin/services/s1",
+                    data = [[{
+                        "name": "s1",
+                        "plugins": {
+                            "key-auth": {
+                                "disable": false
+                            }
+                        }
+                    }]],
+                },
+                {
+                    url = "/apisix/admin/routes/1",
+                    data = [[{
+                        "plugins": {
+                            "opa": {
+                                "host": "http://127.0.0.1:8181";,
+                                "policy": "echo",
+                                "with_route": true,
+                                "with_consumer": true,
+                                "with_service": true
+                            }
+                        },
+                        "upstream_id": "u1",
+                        "service_id": "s1",
+                        "uri": "/hello"
+                    }]],
+                },
+            }
+
+            local t = require("lib.test_admin").test
+
+            for _, data in ipairs(datas) do
+                local code, body = t(data.url, ngx.HTTP_PUT, data.data)
+                ngx.say(code..body)
+            end
+        }
+    }
+--- response_body eval
+"201passed\n" x 4
+
+
+
+=== TEST 2: hit route (test route data)
+--- request
+GET /hello
+--- more_headers
+test-header: only-for-test
+apikey: test-key
+--- error_code: 403
+--- response_body eval
+qr/\"route\":/ and qr/\"id\":\"r1\"/ and qr/\"plugins\":\{\"opa\"/ and
+qr/\"with_route\":true/
+
+
+
+=== TEST 3: hit route (test consumer data)
+--- request
+GET /hello
+--- more_headers
+test-header: only-for-test
+apikey: test-key
+--- error_code: 403
+--- response_body eval
+qr/\"consumer\":/ and qr/\"username\":\"test\"/ and qr/\"key\":\"test-key\"/
+
+
+
+=== TEST 4: hit route (test service data)
+--- request
+GET /hello
+--- more_headers
+test-header: only-for-test
+apikey: test-key
+--- error_code: 403
+--- response_body eval
+qr/\"service\":/ and qr/\"id\":\"s1\"/ and qr/\"query\":\"apikey\"/ and
+qr/\"header\":\"apikey\"/
+
+
+
+=== TEST 5: setup route without service
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "opa": {
+                            "host": "http://127.0.0.1:8181";,
+                            "policy": "echo",
+                            "with_route": true,
+                            "with_consumer": true,
+                            "with_service": true
+                        }
+                    },
+                    "upstream_id": "u1",
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 6: hit route (test without service and consumer)
+--- request
+GET /hello
+--- more_headers
+test-header: only-for-test
+apikey: test-key
+--- error_code: 403
+--- response_body_unlike eval
+qr/\"service\"/ and qr/\"consumer\"/
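Review bot: Every `--- response_body eval` (and the `response_body_unlike` in TEST 6) chains patterns with `and`, but in Perl `qr/a/ and qr/b/` evaluates to the last qr object, so only the final pattern is ever applied: TEST 2 checks just `"with_route":true`, TEST 3 just `"key":"test-key"`, TEST 4 just `"header":"apikey"`, and TEST 6 only asserts that `"consumer"` is absent. This is presumably why the `"id":"r1"` expectation in TEST 2 goes unnoticed, since the route was created at `/apisix/admin/routes/1` and should carry id `"1"`. Combine the conditions into one regex with lookaheads, e.g. `qr/(?=.*"route":)(?=.*"id":"1")(?=.*"plugins":\{"opa")(?=.*"with_route":true)/s`, and do the same for the other blocks. The stray `;` after the host URL in the route JSON at two places looks like a mail-rendering artifact rather than file content; if it is real, the admin PUT in TEST 1 would not parse.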
