leslie-tsang commented on a change in pull request #6382: URL: https://github.com/apache/apisix/pull/6382#discussion_r828701154
########## File path: apisix/plugins/authz-casdoor.lua ########## @@ -0,0 +1,150 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local http = require("resty.http") +local session = require("resty.session") +local ngx = ngx +local rand = math.random + +local plugin_name = "authz-casdoor" +local schema = { + type = "object", + properties = { + -- Note: endpoint_addr and callback_url should not end with '/' + endpoint_addr = {type = "string", pattern = "^[^%?]+[^/]$"}, + client_id = {type = "string"}, + client_secret = {type = "string"}, + callback_url = {type = "string", pattern = "^[^%?]+[^/]$"} + }, + required = { + "callback_url", "endpoint_addr", "client_id", "client_secret" + } +} + +local _M = { + version = 0.1, + priority = 2559, + name = plugin_name, + schema = schema +} + +local function fetch_access_token(ctx, conf, state_in_session) + local args = core.request.get_uri_args(ctx) + if not args or not args.code or not args.state then + return nil, "failed when accessing token. Invalid code or state" + end + if not args.state == state_in_session then + return nil, "invalid state" + end + local client = http.new() + local url = conf.endpoint_addr .. "/api/login/oauth/access_token" + + local res, err = client:request_uri(url, { + method = "POST", + query = { + code = args.code, + grant_type = "authorization_code", + client_id = conf.client_id, + client_secret = conf.client_secret + } + }) + + if not res then return nil, err end + local data, err = core.json.decode(res.body) + + if err or not data then + err = "failed to parse casdoor response data: " .. err + return nil, err + end + + if not data.access_token then + return nil, "failed when accessing token: no access_token contained" + end + if not data.expires_in or data.expires_in == 0 then + return nil, "failed when accessing token: invalid access_token" + end + + return data.access_token, nil +end + +function _M.check_schema(conf) return core.schema.check(schema, conf) end Review comment: ```suggestion function _M.check_schema(conf) return core.schema.check(schema, conf) end ``` Hello there, we have a [CODE_STYLE](https://github.com/apache/apisix/blob/master/CODE_STYLE.md#blank-line) to follow. :) ########## File path: apisix/plugins/authz-casdoor.lua ########## @@ -0,0 +1,150 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local http = require("resty.http") +local session = require("resty.session") +local ngx = ngx +local rand = math.random + +local plugin_name = "authz-casdoor" +local schema = { + type = "object", + properties = { + -- Note: endpoint_addr and callback_url should not end with '/' + endpoint_addr = {type = "string", pattern = "^[^%?]+[^/]$"}, + client_id = {type = "string"}, + client_secret = {type = "string"}, + callback_url = {type = "string", pattern = "^[^%?]+[^/]$"} + }, + required = { + "callback_url", "endpoint_addr", "client_id", "client_secret" + } +} + +local _M = { + version = 0.1, + priority = 2559, + name = plugin_name, + schema = schema +} + +local function fetch_access_token(ctx, conf, state_in_session) + local args = core.request.get_uri_args(ctx) + if not args or not args.code or not args.state then + return nil, "failed when accessing token. Invalid code or state" + end + if not args.state == state_in_session then + return nil, "invalid state" + end + local client = http.new() + local url = conf.endpoint_addr .. "/api/login/oauth/access_token" + + local res, err = client:request_uri(url, { + method = "POST", + query = { + code = args.code, + grant_type = "authorization_code", + client_id = conf.client_id, + client_secret = conf.client_secret + } + }) + + if not res then return nil, err end Review comment: ```suggestion if not res then return nil, err end ``` Hello there, we have a [CODE_STYLE](https://github.com/apache/apisix/blob/master/CODE_STYLE.md#blank-line) to follow. :) ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end Review comment: Ditto ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end + + local conf2 = { + callback_url = callback_url .. "/?code=aaa", + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok2, err2 = plugin.check_schema(conf2) + if ok2 then ngx.say(err) end Review comment: Ditto ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end + + local conf2 = { + callback_url = callback_url .. "/?code=aaa", + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok2, err2 = plugin.check_schema(conf2) + if ok2 then ngx.say(err) end + + local conf3 = { + callback_url = callback_url, + endpoint_addr = fake_uri .. "/", + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok3, err3 = plugin.check_schema(conf3) + if ok3 then ngx.say(err) end + + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 2: enable plugin test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local fake_uri = "http://127.0.0.1:10420"; + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ + "methods": ["GET"], + "uri": "/anything/*", + "plugins": { + "authz-casdoor": { + "callback_url":"]] .. callback_url .. [[", + "endpoint_addr":"]] .. fake_uri .. [[", + "client_id":"7ceb9b7fda4a9061ec1c", + "client_secret":"3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "httpbin.org:80": 1 + } + } + }]]) + if not code == 200 then ngx.say("failed to set up routing rule") end + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 3: test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local code, body = t('/anything/d?param1=foo¶m2=bar', ngx.HTTP_GET, [[]]) + if not code == 302 then ngx.say("should have redirected") end + + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 4: enable fake casdoor +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/2', + ngx.HTTP_PUT, + [[{ + + "uri": "/api/login/oauth/access_token", + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + } + }]] + ) + + if not code == 200 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 5: test fake casdoor +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + local httpc = require("resty.http").new() + local cjson = require("cjson") + local fake_uri = "http://127.0.0.1:10420/api/login/oauth/access_token"; + + local res, err = httpc:request_uri(fake_uri, {method = "GET"}) + if not res then ngx.say(err) end + + local data = cjson.decode(res.body) + if not data then ngx.say("invalid res.body") end + + if not data.access_token == "aaaaaaaaaaaaaaaa" then ngx.say("invalid token") end Review comment: ```suggestion if not res then ngx.say(err) end local data = cjson.decode(res.body) if not data then ngx.say("invalid res.body") end if not data.access_token == "aaaaaaaaaaaaaaaa" then ngx.say("invalid token") end ``` ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end + + local conf2 = { + callback_url = callback_url .. "/?code=aaa", + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok2, err2 = plugin.check_schema(conf2) + if ok2 then ngx.say(err) end + + local conf3 = { + callback_url = callback_url, + endpoint_addr = fake_uri .. "/", + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok3, err3 = plugin.check_schema(conf3) + if ok3 then ngx.say(err) end + + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 2: enable plugin test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local fake_uri = "http://127.0.0.1:10420"; + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ + "methods": ["GET"], + "uri": "/anything/*", + "plugins": { + "authz-casdoor": { + "callback_url":"]] .. callback_url .. [[", + "endpoint_addr":"]] .. fake_uri .. [[", + "client_id":"7ceb9b7fda4a9061ec1c", + "client_secret":"3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "httpbin.org:80": 1 + } + } + }]]) + if not code == 200 then ngx.say("failed to set up routing rule") end + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 3: test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local code, body = t('/anything/d?param1=foo¶m2=bar', ngx.HTTP_GET, [[]]) + if not code == 302 then ngx.say("should have redirected") end + + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 4: enable fake casdoor +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/2', + ngx.HTTP_PUT, + [[{ + + "uri": "/api/login/oauth/access_token", + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + } + }]] + ) + + if not code == 200 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 5: test fake casdoor +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + local httpc = require("resty.http").new() + local cjson = require("cjson") + local fake_uri = "http://127.0.0.1:10420/api/login/oauth/access_token"; + + local res, err = httpc:request_uri(fake_uri, {method = "GET"}) + if not res then ngx.say(err) end + + local data = cjson.decode(res.body) + if not data then ngx.say("invalid res.body") end + + if not data.access_token == "aaaaaaaaaaaaaaaa" then ngx.say("invalid token") end + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 6: test code handling +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + local cjson = require("cjson") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/d?param1=foo¶m2=bar" + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback?code=aaa&state=" + + local httpc = require("resty.http").new() + local res1, err1 = httpc:request_uri(fake_uri, {method = "GET"}) + if not res1 then ngx.say(err1) end + + local cookie = res1.headers["Set-Cookie"] + local re_url = res1.headers["Location"] + local m,err=ngx.re.match(re_url, "state=([0-9]*)") + if err or not m then + log.error(err) + end + state=m[1] Review comment: ```suggestion local m, err = ngx.re.match(re_url, "state=([0-9]*)") if err or not m then log.error(err) ngx.exit() end state = m[1] ``` ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end + + local conf2 = { + callback_url = callback_url .. "/?code=aaa", + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok2, err2 = plugin.check_schema(conf2) + if ok2 then ngx.say(err) end + + local conf3 = { + callback_url = callback_url, + endpoint_addr = fake_uri .. "/", + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok3, err3 = plugin.check_schema(conf3) + if ok3 then ngx.say(err) end Review comment: Ditto ########## File path: apisix/plugins/authz-casdoor.lua ########## @@ -0,0 +1,150 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local http = require("resty.http") +local session = require("resty.session") +local ngx = ngx +local rand = math.random + +local plugin_name = "authz-casdoor" +local schema = { + type = "object", + properties = { + -- Note: endpoint_addr and callback_url should not end with '/' + endpoint_addr = {type = "string", pattern = "^[^%?]+[^/]$"}, + client_id = {type = "string"}, + client_secret = {type = "string"}, + callback_url = {type = "string", pattern = "^[^%?]+[^/]$"} + }, + required = { + "callback_url", "endpoint_addr", "client_id", "client_secret" + } +} + +local _M = { + version = 0.1, + priority = 2559, + name = plugin_name, + schema = schema +} + +local function fetch_access_token(ctx, conf, state_in_session) + local args = core.request.get_uri_args(ctx) + if not args or not args.code or not args.state then + return nil, "failed when accessing token. Invalid code or state" + end + if not args.state == state_in_session then + return nil, "invalid state" + end + local client = http.new() + local url = conf.endpoint_addr .. "/api/login/oauth/access_token" + + local res, err = client:request_uri(url, { + method = "POST", + query = { + code = args.code, + grant_type = "authorization_code", + client_id = conf.client_id, + client_secret = conf.client_secret + } + }) + + if not res then return nil, err end + local data, err = core.json.decode(res.body) + + if err or not data then + err = "failed to parse casdoor response data: " .. err + return nil, err + end + + if not data.access_token then + return nil, "failed when accessing token: no access_token contained" + end + if not data.expires_in or data.expires_in == 0 then + return nil, "failed when accessing token: invalid access_token" + end + + return data.access_token, nil +end + +function _M.check_schema(conf) return core.schema.check(schema, conf) end + +function _M.access(conf, ctx) + local current_uri = ctx.var.uri + local session_obj_read, session_present = session.open() + -- step 1: check whether hits the callback + local m, err = ngx.re.match(conf.callback_url, ".+//[^/]+(/.*)") Review comment: ```suggestion local m, err = ngx.re.match(conf.callback_url, ".+//[^/]+(/.*)", "jo") ``` Would be better to add "jo" option ? ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end + + local conf2 = { + callback_url = callback_url .. "/?code=aaa", + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok2, err2 = plugin.check_schema(conf2) + if ok2 then ngx.say(err) end + + local conf3 = { + callback_url = callback_url, + endpoint_addr = fake_uri .. "/", + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok3, err3 = plugin.check_schema(conf3) + if ok3 then ngx.say(err) end + + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 2: enable plugin test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local fake_uri = "http://127.0.0.1:10420"; + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ + "methods": ["GET"], + "uri": "/anything/*", + "plugins": { + "authz-casdoor": { + "callback_url":"]] .. callback_url .. [[", + "endpoint_addr":"]] .. fake_uri .. [[", + "client_id":"7ceb9b7fda4a9061ec1c", + "client_secret":"3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "httpbin.org:80": 1 + } + } + }]]) + if not code == 200 then ngx.say("failed to set up routing rule") end Review comment: Ditto ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end + + local conf2 = { + callback_url = callback_url .. "/?code=aaa", + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok2, err2 = plugin.check_schema(conf2) + if ok2 then ngx.say(err) end + + local conf3 = { + callback_url = callback_url, + endpoint_addr = fake_uri .. "/", + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok3, err3 = plugin.check_schema(conf3) + if ok3 then ngx.say(err) end + + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 2: enable plugin test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local fake_uri = "http://127.0.0.1:10420"; + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ + "methods": ["GET"], + "uri": "/anything/*", + "plugins": { + "authz-casdoor": { + "callback_url":"]] .. callback_url .. [[", + "endpoint_addr":"]] .. fake_uri .. [[", + "client_id":"7ceb9b7fda4a9061ec1c", + "client_secret":"3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "httpbin.org:80": 1 + } + } + }]]) Review comment: ```suggestion local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "methods": ["GET"], "uri": "/anything/*", "plugins": { "authz-casdoor": { "callback_url":"]] .. callback_url .. [[", "endpoint_addr":"]] .. fake_uri .. [[", "client_id":"7ceb9b7fda4a9061ec1c", "client_secret":"3416238e1edf915eac08b8fe345b2b95cdba7e04" } }, "upstream": { "type": "roundrobin", "nodes": { "httpbin.org:80": 1 } } }]] ) ``` ########## File path: apisix/plugins/authz-casdoor.lua ########## @@ -0,0 +1,150 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- +local core = require("apisix.core") +local http = require("resty.http") +local session = require("resty.session") +local ngx = ngx +local rand = math.random + +local plugin_name = "authz-casdoor" +local schema = { + type = "object", + properties = { + -- Note: endpoint_addr and callback_url should not end with '/' + endpoint_addr = {type = "string", pattern = "^[^%?]+[^/]$"}, + client_id = {type = "string"}, + client_secret = {type = "string"}, + callback_url = {type = "string", pattern = "^[^%?]+[^/]$"} + }, + required = { + "callback_url", "endpoint_addr", "client_id", "client_secret" + } +} + +local _M = { + version = 0.1, + priority = 2559, + name = plugin_name, + schema = schema +} + +local function fetch_access_token(ctx, conf, state_in_session) + local args = core.request.get_uri_args(ctx) + if not args or not args.code or not args.state then + return nil, "failed when accessing token. Invalid code or state" + end + if not args.state == state_in_session then + return nil, "invalid state" + end + local client = http.new() + local url = conf.endpoint_addr .. "/api/login/oauth/access_token" + + local res, err = client:request_uri(url, { + method = "POST", + query = { + code = args.code, + grant_type = "authorization_code", + client_id = conf.client_id, + client_secret = conf.client_secret + } + }) + + if not res then return nil, err end + local data, err = core.json.decode(res.body) + + if err or not data then + err = "failed to parse casdoor response data: " .. err Review comment: Would it be better to record the `res.body` at the same time to help the user figure out what's going on ? ########## File path: t/plugin/authz-casdoor.t ########## @@ -0,0 +1,338 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +add_block_preprocessor(sub { + my ($block) = @_; + + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { + $block->set_value("no_error_log", "[error]"); + } + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } + + my $http_config = $block->http_config // <<_EOC_; + server { + listen 10420; + location /api/login/oauth/access_token { + content_by_lua_block { + local json_encode = require("toolkit.json").encode + ngx.status = 200 + ngx.say(json_encode({ access_token = "aaaaaaaaaaaaaaaa", expires_in = 1000000 })) + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); +}); +run_tests(); + +__DATA__ + +=== TEST 1: sanity +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local fake_uri = "http://127.0.0.1:"; .. ngx.var.server_port + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local conf = { + callback_url = callback_url, + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok, err = plugin.check_schema(conf) + if not ok then ngx.say(err) end + + local conf2 = { + callback_url = callback_url .. "/?code=aaa", + endpoint_addr = fake_uri, + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok2, err2 = plugin.check_schema(conf2) + if ok2 then ngx.say(err) end + + local conf3 = { + callback_url = callback_url, + endpoint_addr = fake_uri .. "/", + client_id = "7ceb9b7fda4a9061ec1c", + client_secret = "3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + local ok3, err3 = plugin.check_schema(conf3) + if ok3 then ngx.say(err) end + + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 2: enable plugin test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local fake_uri = "http://127.0.0.1:10420"; + local callback_url = "http://127.0.0.1:"; .. ngx.var.server_port .. + "/anything/callback" + local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ + "methods": ["GET"], + "uri": "/anything/*", + "plugins": { + "authz-casdoor": { + "callback_url":"]] .. callback_url .. [[", + "endpoint_addr":"]] .. fake_uri .. [[", + "client_id":"7ceb9b7fda4a9061ec1c", + "client_secret":"3416238e1edf915eac08b8fe345b2b95cdba7e04" + } + }, + "upstream": { + "type": "roundrobin", + "nodes": { + "httpbin.org:80": 1 + } + } + }]]) + if not code == 200 then ngx.say("failed to set up routing rule") end + ngx.say("done") + + } + } +--- response_body +done + + + +=== TEST 3: test redirect +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.authz-casdoor") + local core = require("apisix.core") + local log = core.log + local t = require("lib.test_admin").test + + local code, body = t('/anything/d?param1=foo¶m2=bar', ngx.HTTP_GET, [[]]) + if not code == 302 then ngx.say("should have redirected") end Review comment: Ditto -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
