This is an automated email from the ASF dual-hosted git repository. spacewander pushed a commit to branch release/2.13 in repository https://gitbox.apache.org/repos/asf/apisix.git
commit 9b0cc7a3b0ed837e330603304c4a7267ff392faf Author: leslie <[email protected]> AuthorDate: Thu May 5 09:54:20 2022 +0800 fix: hide 5xx error message from client (#6982) Co-authored-by: 高亮亮 <[email protected]>
---
 apisix/plugins/authz-casbin.lua | 3 ++- apisix/plugins/authz-keycloak.lua | 18 ++++++++++-------- t/plugin/authz-keycloak.t | 3 +++ 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/apisix/plugins/authz-casbin.lua b/apisix/plugins/authz-casbin.lua
index d81d34089..fedd2d33f 100644
--- a/apisix/plugins/authz-casbin.lua
+++ b/apisix/plugins/authz-casbin.lua
@@ -112,7 +112,8 @@ function _M.rewrite(conf, ctx)
 -- creates an enforcer when request sent for the first time
 local ok, err = new_enforcer_if_need(conf)
 if not ok then
- return 503, {message = err}
+ core.log.error(err)
+ return 503
 end
 local path = ctx.var.uri
diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua
index 52321e546..c871a927b 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -340,7 +340,7 @@ local function authz_keycloak_ensure_sa_access_token(conf)
 if not token_endpoint then
 log.error("Unable to determine token endpoint.")
- return 500, "Unable to determine token endpoint."
+ return 503, "Unable to determine token endpoint."
 end
 local session = authz_keycloak_cache_get("access-tokens", token_endpoint .. ":"
@@ -446,7 +446,7 @@ local function authz_keycloak_ensure_sa_access_token(conf)
 if not session then
 -- No session available. Create a new one.
- core.log.debug("Getting access token for Protection API from token endpoint.")
+ log.debug("Getting access token for Protection API from token endpoint.")
 local httpc = authz_keycloak_get_http_client(conf)
 local params = {
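Review bot: In the authz-casbin.lua hunk, the new `core.log.error(err)` is logged with no prefix, yet it is now the only record of why the enforcer could not be created, since the client no longer receives the message. A line that names the plugin and the failing step is easier to find and alert on: `core.log.error("authz-casbin: failed to create enforcer: ", err)`. The body of `_M.rewrite` continues outside the hunk.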
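Review bot: In the `@@ -340` hunk of authz-keycloak.lua, `return 503, "Unable to determine token endpoint."` puts a status code in the first return slot, which the caller in the `@@ -576` hunk binds to `sa_access_token`. That caller tests `err`, so the failure is still caught and the 500-to-503 change here has no effect on the response. The same return shape in the `@@ -522` hunk (`return 503, err` in `authz_keycloak_resolve_resource`) is riskier, because the check in the `@@ -586` hunk is `if permission == nil`. If the call between those hunks (not shown) assigns the first return value to `permission`, a missing registration endpoint would leave `permission` set to 503 and skip the error branch. Returning `nil, err` from both helpers would make the failure path explicit; both functions extend beyond their hunks.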
@@ -522,7 +522,7 @@ local function authz_keycloak_resolve_resource(conf, uri, sa_access_token)
 if not resource_registration_endpoint then
 local err = "Unable to determine registration endpoint."
 log.error(err)
- return 500, err
+ return 503, err
 end
 log.debug("Resource registration endpoint: ", resource_registration_endpoint)
@@ -567,7 +567,7 @@ local function evaluate_permissions(conf, ctx, token)
 -- Ensure discovered data.
 local err = authz_keycloak_ensure_discovered_data(conf)
 if err then
- return 500, err
+ return 503, err
 end
 local permission
@@ -576,7 +576,8 @@ local function evaluate_permissions(conf, ctx, token)
 -- Ensure service account access token.
 local sa_access_token, err = authz_keycloak_ensure_sa_access_token(conf)
 if err then
- return 500, err
+ log.error(err)
+ return 503
 end
 -- Resolve URI to resource(s).
@@ -586,7 +587,8 @@ local function evaluate_permissions(conf, ctx, token)
 -- Check result.
 if permission == nil then
 -- No result back from resource registration endpoint.
- return 500, err
+ log.error(err)
+ return 503
 end
 else
 -- Use statically configured permissions.
@@ -631,7 +633,7 @@ local function evaluate_permissions(conf, ctx, token)
 if not token_endpoint then
 err = "Unable to determine token endpoint."
 log.error(err)
- return 500, err
+ return 503, err
 end
 log.debug("Token endpoint: ", token_endpoint)
@@ -658,7 +660,7 @@ local function evaluate_permissions(conf, ctx, token)
 if not res then
 err = "Error while sending authz request to " .. token_endpoint .. ": " .. err
 log.error(err)
- return 500, err
+ return 503
 end
 log.debug("Response status: ", res.status, ", data: ", res.body)
diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t
index ad8ba8996..5dc7bd535 100644
--- a/t/plugin/authz-keycloak.t
+++ b/t/plugin/authz-keycloak.t
@@ -325,6 +325,8 @@ passed
 }
 })
+ ngx.status = res.status
+
 if res.status == 200 then
 ngx.say(true)
 else
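Review bot: The `return 503, err` kept in the `@@ -567` hunk of `evaluate_permissions` still hands the error from `authz_keycloak_ensure_discovered_data` back to the caller, whereas the neighbouring hunks drop that second value. The caller is outside the diff, but if the value ends up in the response body, discovery failures would still be disclosed to the client. The same applies to `return 503, err` in the `@@ -631` hunk. Matching the other branches would mean `log.error(err)` followed by a bare `return 503`; the `@@ -631` branch already logs, so only the return needs changing there.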
@@ -338,6 +340,7 @@ GET /t
 false
 --- error_log
 Error while sending authz request to https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token: 18: self signed certificate
+--- error_code: 503
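Review bot: Nothing in this test checks that the route's response body no longer contains the error text, which is the behaviour the commit is meant to guarantee. It pins only the 503 status and the error-log line, and the Lua block in the `@@ -325` hunk (only partly visible) prints `true` or `false` from `res.status`. A regression that put the message back into the body would therefore still pass. Consider asserting on `res.body` inside that block, for example by failing the case when it contains `Error while sending authz request`.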
