This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 382e710e9 feat: just change uri args or headers when hiding
credentials (#6991)
382e710e9 is described below
commit 382e710e99341cf693ed5a5aa226657deed0bdc5
Author: LetsGO <[email protected]>
AuthorDate: Sat May 7 10:20:51 2022 +0800
feat: just change uri args or headers when hiding credentials (#6991)
Co-authored-by: Alex Zhang <[email protected]>
---
apisix/plugins/key-auth.lua | 13 +++++++----
docs/en/latest/plugins/key-auth.md | 10 ++++-----
docs/zh/latest/plugins/key-auth.md | 10 ++++-----
t/plugin/key-auth.t | 44 +++++++++++++++++++++++++++++++-------
4 files changed, 55 insertions(+), 22 deletions(-)
diff --git a/apisix/plugins/key-auth.lua b/apisix/plugins/key-auth.lua
index bf451d292..3c0f8a97a 100644
--- a/apisix/plugins/key-auth.lua
+++ b/apisix/plugins/key-auth.lua
@@ -89,11 +89,13 @@ end
function _M.rewrite(conf, ctx)
+ local from_header = true
local key = core.request.header(ctx, conf.header)
if not key then
local uri_args = core.request.get_uri_args(ctx) or {}
key = uri_args[conf.query]
+ from_header = false
end
if not key then
@@ -115,10 +117,13 @@ function _M.rewrite(conf, ctx)
core.log.info("consumer: ", core.json.delay_encode(consumer))
if conf.hide_credentials then
- core.request.set_header(ctx, conf.header, nil)
- local args = core.request.get_uri_args(ctx)
- args[conf.query] = nil
- core.request.set_uri_args(ctx, args)
+ if from_header then
+ core.request.set_header(ctx, conf.header, nil)
+ else
+ local args = core.request.get_uri_args(ctx)
+ args[conf.query] = nil
+ core.request.set_uri_args(ctx, args)
+ end
end
consumer_mod.attach_consumer(ctx, consumer, consumer_conf)
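Review bot: When a client sends the key in both `conf.header` and `conf.query`, the new branch at `if from_header then` strips only the copy that was authenticated and forwards the other copy to the upstream unchanged (t/plugin/key-auth.t TEST 19 and TEST 23 pin exactly this), yet nothing in the code states it and the en docs hunk still says the authentication information "will be removed before proxying". Add a comment above the branch: `-- strip only the location the key was read from; a key also present in the other location is forwarded to the upstream as-is`. In the first hunk the flag could be derived instead of toggled, `local from_header = key ~= nil` placed right after the header lookup, which drops the assignment inside the query fallback and makes the header-before-query order explicit. rewrite's body continues beyond this hunk.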
diff --git a/docs/en/latest/plugins/key-auth.md
b/docs/en/latest/plugins/key-auth.md
index c2b47d71a..f495c60d7 100644
--- a/docs/en/latest/plugins/key-auth.md
+++ b/docs/en/latest/plugins/key-auth.md
@@ -43,11 +43,11 @@ For Consumer:
For Route:
-| Name | Type | Requirement | Default | Valid | Description
|
-|--------|--------|-------------|---------|-------|-------------------------------------------------------------------|
-| header | string | optional | apikey | | The header to get the key
from. |
-| query | string | optional | apikey | | The query string to get
the key from. Lower priority than header. |
-| hide_credentials | bool | optional | false | | When set to
`false` passes the request header containing authentication information to the
Upstream. |
+| Name | Type | Requirement | Default | Valid | Description
|
+|--------|--------|-------------|---------|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| header | string | optional | apikey | | The header to get the key
from.
|
+| query | string | optional | apikey | | The query string to get
the key from. Lower priority than header.
|
+| hide_credentials | bool | optional | false | | Apache
APISIX will pass the request header or query string that contains the
authentication information to the Upstream if `hide_credentials` is `false`.
Otherwise the authentication information will be removed before proxying.|
## Enabling the Plugin
diff --git a/docs/zh/latest/plugins/key-auth.md
b/docs/zh/latest/plugins/key-auth.md
index 254bc203c..610d3fda4 100644
--- a/docs/zh/latest/plugins/key-auth.md
+++ b/docs/zh/latest/plugins/key-auth.md
@@ -43,11 +43,11 @@ Consumer 端:
Router 端:
-| 名称 | 类型 | 必选项 | 默认值 | 描述
|
-| ----------------- | ------ | ----- | ------
|-------------------------------------------------------------------------------------------------------------
|
-| header | string | 否 | apikey | 设置我们从哪个 header 获取 key。 |
-| query | string | 否 | apikey | 设置我们从哪个 query string 获取
key,优先级低于 `header`。 |
-| hide_credentials | bool | 否 | false | 当设置为 `false` 时将含有认证信息的请求头传递给
Upstream。 |
+| 名称 | 类型 | 必选项 | 默认值 | 描述
|
+| ----------------- | ------ | ----- | ------
|----------------------------------------------------------------------------------------------------------------------------------------------------------|
+| header | string | 否 | apikey | 设置我们从哪个 header 获取 key。
|
+| query | string | 否 | apikey | 设置我们从哪个 query string 获取
key,优先级低于 `header`。
|
+| hide_credentials | bool | 否 | false | 当设置为 `false` 时将含有认证信息的 header 或
query string 传递给 Upstream。 如果为 `true` 时将删除对应的 header 或 query
string,具体删除哪一个取决于是从 header 获取 key 还是从 query string 获取 key。 |
## 启用插件
diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t
index 66b1b307e..a3483573a 100644
--- a/t/plugin/key-auth.t
+++ b/t/plugin/key-auth.t
@@ -451,7 +451,21 @@ test: auth-two
-=== TEST 19: customize query string, set hide_credentials = true
+=== TEST 19: when apikey both in header and query string, verify apikey
request header is hidden but request args is not hidden
+--- request
+GET /echo?apikey=auth-one
+--- more_headers
+apikey: auth-one
+--- response_headers
+!apikey
+--- response_args
+apikey: auth-one
+--- no_error_log
+[error]
+
+
+
+=== TEST 20: customize query string, set hide_credentials = true
--- config
location /t {
content_by_lua_block {
@@ -471,7 +485,7 @@ test: auth-two
},
"type": "roundrobin"
},
- "uri": "/hello"
+ "uri": "/echo"
}]]
)
@@ -490,9 +504,9 @@ passed
-=== TEST 20: verify auth request args is hidden
+=== TEST 21: verify auth request args is hidden
--- request
-GET /hello?auth=auth-one
+GET /echo?auth=auth-one
--- response_args
!auth
--- no_error_log
@@ -500,9 +514,9 @@ GET /hello?auth=auth-one
-=== TEST 21: verify that only the keys in the query parameters are deleted
+=== TEST 22: verify that only the keys in the query parameters are deleted
--- request
-GET /hello?auth=auth-one&test=auth-two
+GET /echo?auth=auth-one&test=auth-two
--- response_args
!auth
test: auth-two
@@ -511,7 +525,21 @@ test: auth-two
-=== TEST 22: customize query string, set hide_credentials = false
+=== TEST 23: when auth both in header and query string, verify auth request
args is hidden but request header is not hidden
+--- request
+GET /echo?auth=auth-one
+--- more_headers
+auth: auth-one
+--- response_headers
+auth: auth-one
+--- response_args
+!auth
+--- no_error_log
+[error]
+
+
+
+=== TEST 24: customize query string, set hide_credentials = false
--- config
location /t {
content_by_lua_block {
@@ -550,7 +578,7 @@ passed
-=== TEST 23: verify auth request args should not hidden
+=== TEST 25: verify auth request args should not hidden
--- request
GET /hello?auth=auth-one
--- response_args