feat: add hide_credentials for multi-auth plugin #11256

Open
wants to merge 3 commits into
base: master

Member

madhawa-gunasekara commented May 15, 2024

Fixes #11069

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

madhawa-gunasekara marked this pull request as draft May 15, 2024 11:15
madhawa-gunasekara force-pushed the issue-11069 branch 2 times, most recently from 7a041fc to 6b7bbed May 15, 2024 12:30
madhawa-gunasekara marked this pull request as ready for review May 15, 2024 13:08
@madhawa-gunasekara
Member Author

Hi @shreemaan-abhishek.

Can you please review this pull request?

@@ -0,0 +1,56 @@
--
Contributor

This new file has only been used twice for the application, does it have more use cases? 🤔

Member Author

Yes, it can be used for future authentication plugins to clear cookies and query params

@@ -41,6 +41,7 @@ For Route:
| Name | Type | Required | Default | Description |
|--------------|-------|----------|---------|-----------------------------------------------------------------------|
| auth_plugins | array | True | - | Add supporting auth plugins configuration. expects at least 2 plugins |
|hide_credentials|boolean|False|False|Set to true will not pass the authorization request of header\query\cookie to the Upstream.|
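
Review bot: The added `hide_credentials` row is not padded to the column widths used by the `auth_plugins` row above it, and its description, "Set to true will not pass the authorization request of header\query\cookie to the Upstream", is hard to parse. Suggest aligning the cells and rewording it along the lines of "When true, the credentials taken from the header, query string or cookie are not passed to the Upstream." Since the default is False, the row should also say that credentials are forwarded to the Upstream unless this option is enabled.
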
Contributor

Great! I think this should ideally be formatted, such as spaces or indentation.

Member Author

+1

Comment on lines 57 to 58
--- request
GET /t
Contributor

Comment on lines 662 to 721
=== TEST 23: enable multi auth plugin with same header without hide credential
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"multi-auth": {
"auth_plugins": [
{
"basic-auth": {}
},
{
"key-auth": {
"query": "apikey",
"header": "authorization"
}
},
{
"jwt-auth": {
"cookie": "jwt",
"query": "jwt",
"header": "authorization"
}
}
]
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/echo"
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed



=== TEST 24: verify key-auth using the same authorization header for jwt-auth
--- request
GET /echo
--- more_headers
Authorization: auth-one
--- response_headers
Authorization: auth-one
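
Review bot: TEST 24 sends `Authorization: auth-one` and expects it echoed back, but nothing in the lines shown says which of the three plugins sharing the `authorization` header accepted it, and no consumer setup for that value is visible. Suggest asserting the status code and the matched plugin or consumer explicitly, and pairing TEST 23 ("without hide credential") with a case that sets `hide_credentials` to true and checks that the `Authorization` header, the `apikey` and `jwt` query parameters and the `jwt` cookie do not come back from `/echo`.
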
Contributor

It would be nice if these tests could be split to a new document, this is already long.

Some other questions, what are these tests to ensure? It doesn't look like your modifications matter much?
I don't see any settings or notes that are not the same as ensuring the plugin request header is configured, what should their behavior be? Pass the token into all plugins until any of them return?

Comment on lines 85 to 86
--- request
GET /t
Contributor

ditto

@bzp2010
Contributor

bzp2010 commented May 28, 2024

BTW, regarding the error in the Chinese documentation lint, you can try merging the master branches into your work branch, they are already fixed.

Successfully merging this pull request may close these issues.

feat: Enable hide_credentials for multi-auth plugin
2 participants