This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new d7fda7e feat: support hide the authentication header in basic-auth
with a config (#6039)
d7fda7e is described below
commit d7fda7ee69246fed3c483f5b6afeb6afb081d182
Author: mango <[email protected]>
AuthorDate: Fri Jan 14 12:55:06 2022 +0800
feat: support hide the authentication header in basic-auth with a config
(#6039)
Co-authored-by: xuwei <>
---
apisix/plugins/basic-auth.lua | 12 ++++-
docs/en/latest/plugins/basic-auth.md | 12 ++++-
docs/zh/latest/plugins/basic-auth.md | 8 +++
t/plugin/basic-auth.t | 100 +++++++++++++++++++++++++++++++++++
4 files changed, 129 insertions(+), 3 deletions(-)
diff --git a/apisix/plugins/basic-auth.lua b/apisix/plugins/basic-auth.lua
index 5e78056..235154f 100644
--- a/apisix/plugins/basic-auth.lua
+++ b/apisix/plugins/basic-auth.lua
@@ -30,7 +30,12 @@ local consumers_lrucache = core.lrucache.new({
local schema = {
type = "object",
title = "work with route or service object",
- properties = {},
+ properties = {
+ hide_credentials = {
+ type = "boolean",
+ default = false,
+ }
+ },
}
local consumer_schema = {
@@ -172,6 +177,11 @@ function _M.rewrite(conf, ctx)
return 401, { message = "Password is error" }
end
+ -- 5. hide `Authorization` request header if `hide_credentials` is `true`
+ if conf.hide_credentials then
+ core.request.set_header(ctx, "Authorization", nil)
+ end
+
consumer.attach_consumer(ctx, cur_consumer, consumer_conf)
core.log.info("hit basic-auth access")
diff --git a/docs/en/latest/plugins/basic-auth.md
b/docs/en/latest/plugins/basic-auth.md
index e618a58..f0b1480 100644
--- a/docs/en/latest/plugins/basic-auth.md
+++ b/docs/en/latest/plugins/basic-auth.md
@@ -39,11 +39,19 @@ For more information on Basic authentication, refer to
[Wiki](https://en.wikiped
## Attributes
+For consumer side:
+
| Name | Type | Requirement | Default | Valid | Description
|
| -------- | ------ | ----------- | ------- | ----- |
----------------------------------------------------------------------------------------------------------------------------------------------------------------
|
| username | string | required | | | Different `consumer`
should have different value which is unique. When different `consumer` use a
same `username`, a request matching exception would be raised. |
| password | string | required | | | the user's password
|
+For route side:
+
+| Name | Type | Requirement | Default | Valid | Description
|
+| -------- | ------ | ----------- | ------- | ----- |
----------------------------------------------------------------------------------------------------------------------------------------------------------------
|
+| hide_credentials | boolean | optional | false | | Whether to pass
the Authorization request headers to the upstream.
|
+
## How To Enable
### 1. set a consumer and config the value of the `basic-auth` option
@@ -129,8 +137,8 @@ hello, world
## Disable Plugin
When you want to disable the `basic-auth` plugin, it is very simple,
- you can delete the corresponding json configuration in the plugin
configuration,
- no need to restart the service, it will take effect immediately:
+you can delete the corresponding json configuration in the plugin
configuration,
+no need to restart the service, it will take effect immediately:
```shell
$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
diff --git a/docs/zh/latest/plugins/basic-auth.md
b/docs/zh/latest/plugins/basic-auth.md
index 667721b..8f1b18a 100644
--- a/docs/zh/latest/plugins/basic-auth.md
+++ b/docs/zh/latest/plugins/basic-auth.md
@@ -39,11 +39,19 @@ title: basic-auth
## 属性
+consumer 端配置:
+
| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述
|
| -------- | ------ | ------ | ------ | ------ |
------------------------------------------------------------------------------------------------------------------
|
| username | string | 必须 | | | 不同的 `consumer`
对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `username` ,将会出现请求匹配异常。 |
| password | string | 必须 | | | 用户的密码
|
+router 端配置:
+
+| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述
|
+| -------- | ------ | ------ | ------ | ------ |
------------------------------------------------------------------------------------------------------------------
|
+| hide_credentials | boolean | 可选 | false | | 是否将 Authorization
请求头传递给 upstream。
|
+
## 如何启用
### 1. 创建一个 consumer 对象,并设置插件 `basic-auth` 的值。
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
index a780f3b..c1edd83 100644
--- a/t/plugin/basic-auth.t
+++ b/t/plugin/basic-auth.t
@@ -395,3 +395,103 @@ GET /t
GET /t
--- no_error_log
[error]
+
+
+
+=== TEST 15: enable basic auth plugin using admin api, set hide_credentials =
true
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "basic-auth": {
+ "hide_credentials": true
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/echo"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 16: verify Authorization request header is hidden
+--- request
+GET /echo
+--- more_headers
+Authorization: Basic Zm9vOmJhcg==
+--- response_headers
+!Authorization
+--- no_error_log
+[error]
+
+
+
+=== TEST 17: enable basic auth plugin using admin api, hide_credentials = false
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "basic-auth": {
+ "hide_credentials": false
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/echo"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 18: verify Authorization request header should not hidden
+--- request
+GET /echo
+--- more_headers
+Authorization: Basic Zm9vOmJhcg==
+--- response_headers
+Authorization: Basic Zm9vOmJhcg==
+--- no_error_log
+[error]
