This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch release/3.9-invalid-delete-soon in repository https://gitbox.apache.org/repos/asf/apisix.git
commit 1b11b88adabda7e4d3c8803210607666756bbfb5 Author: YuanSheng Wang <membp...@gmail.com> AuthorDate: Sun Apr 21 20:47:30 2024 +0800 fix: add post request headers only if auth request method is post (#11175) author: suryaprabhakark --- apisix/plugins/forward-auth.lua | 10 ++- t/plugin/forward-auth2.t | 185 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 192 insertions(+), 3 deletions(-) diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua index 69dc48de6..95f04994c 100644 --- a/apisix/plugins/forward-auth.lua +++ b/apisix/plugins/forward-auth.lua @@ -89,11 +89,15 @@ function _M.access(conf, ctx) ["X-Forwarded-Host"] = core.request.get_host(ctx), ["X-Forwarded-Uri"] = ctx.var.request_uri, ["X-Forwarded-For"] = core.request.get_remote_client_ip(ctx), - ["Expect"] = core.request.header(ctx, "expect"), - ["Content-Length"] = core.request.header(ctx, "content-length"), - ["Transfer-Encoding"] = core.request.header(ctx, "transfer-encoding") } + if conf.request_method == "POST" then + auth_headers["Content-Length"] = core.request.header(ctx, "content-length") + auth_headers["Expect"] = core.request.header(ctx, "expect") + auth_headers["Transfer-Encoding"] = core.request.header(ctx, "transfer-encoding") + auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding") + end + -- append headers that need to be get from the client request header if #conf.request_headers > 0 then for _, header in ipairs(conf.request_headers) do diff --git a/t/plugin/forward-auth2.t b/t/plugin/forward-auth2.t new file mode 100644 index 000000000..f90841ede --- /dev/null +++ b/t/plugin/forward-auth2.t @@ -0,0 +1,185 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); + +add_block_preprocessor(sub { + my ($block) = @_; + + if (!defined $block->request) { + $block->set_value("request", "GET /t"); + } +}); + +run_tests(); + +__DATA__ + +=== TEST 1: setup route with plugin +--- config + location /t { + content_by_lua_block { + local data = { + { + url = "/apisix/admin/upstreams/u1", + data = [[{ + "nodes": { + "127.0.0.1:1984": 1 + }, + "type": "roundrobin" + }]], + }, + { + url = "/apisix/admin/routes/auth", + data = { + plugins = { + ["serverless-pre-function"] = { + phase = "rewrite", + functions = { + [[return function(conf, ctx) + local core = require("apisix.core"); + local token = "token-headers-test"; + if core.request.header(ctx, "Authorization") == token then + if core.request.get_method() == "POST" then + if core.request.header(ctx, "Content-Length") or + core.request.header(ctx, "Transfer-Encoding") or + core.request.header(ctx, "Content-Encoding") then + core.response.exit(200) + else + core.response.exit(403) + end + else + if core.request.header(ctx, "Content-Length") or + core.request.header(ctx, "Transfer-Encoding") or + core.request.header(ctx, "Content-Encoding") then + core.response.exit(403) + else + core.response.exit(200) + end + end + end + end]] + } + } + }, + uri = "/auth" + }, + }, + { + url = "/apisix/admin/routes/echo", + data = [[{ + "plugins": { + "serverless-pre-function": { + "phase": "rewrite", + "functions": [ + "return function (conf, ctx) + local core = require(\"apisix.core\"); + core.response.exit(200, core.request.headers(ctx)); + end" + ] + } + }, + "uri": "/echo" + }]], + }, + { + url = "/apisix/admin/routes/1", + data = [[{ + "plugins": { + "forward-auth": { + "uri": "http://127.0.0.1:1984/auth", + "request_headers": ["Authorization"], + "request_method": "POST" + }, + "proxy-rewrite": { + "uri": "/echo" + } + }, + "upstream_id": "u1", + "uri": "/verify-auth-post" + }]], + }, + { + url = "/apisix/admin/routes/2", + data = [[{ + "plugins": { + "forward-auth": { + "uri": "http://127.0.0.1:1984/auth", + "request_headers": ["Authorization"], + "request_method": "GET" + }, + "proxy-rewrite": { + "uri": "/echo" + } + }, + "upstream_id": "u1", + "uri": "/verify-auth-get" + }]], + } + } + + local t = require("lib.test_admin").test + + for _, data in ipairs(data) do + local code, body = t(data.url, ngx.HTTP_PUT, data.data) + ngx.say(body) + end + } + } +--- response_body eval +"passed\n" x 5 + + + +=== TEST 2: verify auth server forward headers for request_method=GET +--- request +GET /verify-auth-get +--- more_headers +Authorization: token-headers-test +--- error_code: 200 + + + +=== TEST 3: verify auth server forward headers for request_method=POST for GET upstream +--- request +GET /verify-auth-post +--- more_headers +Authorization: token-headers-test +--- error_code: 200 + + + +=== TEST 4: verify auth server forward headers for request_method=POST +--- request +POST /verify-auth-post +{"authorization": "token-headers-test"} +--- more_headers +Authorization: token-headers-test +--- error_code: 200 + + + +=== TEST 5: verify auth server forward headers for request_method=GET for POST upstream +--- request +POST /verify-auth-get +{"authorization": "token-headers-test"} +--- more_headers +Authorization: token-headers-test +--- error_code: 200