Merge branch 'master' into release/1.17-pre

Author: wklken

src/apisix/ci/Dockerfile.apisix-test-busted

@@ -13,7 +13,7 @@ RUN sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|
 RUN yum install -y sudo make gcc curl wget unzip git valgrind
 
 ARG APISIX_VERSION
-RUN curl https://raw.githubusercontent.com/apache/apisix/${APISIX_VERSION}/utils/linux-install-luarocks.sh | bash
+RUN wget https://raw.githubusercontent.com/apache/apisix/${APISIX_VERSION}/utils/linux-install-luarocks.sh && sed -i 's/3.8.0/3.12.0/g' linux-install-luarocks.sh &&  bash linux-install-luarocks.sh
 # lock the version of luasystem, otherwise the busted won't be installed success
 RUN luarocks install https://luarocks.org/manifests/lunarmodules/luasystem-0.2.1-0.rockspec
 RUN luarocks install https://github.com/lunarmodules/busted/releases/download/v2.1.1/busted-2.1.1-1.rockspec

src/apisix/ci/Dockerfile.apisix-test-nginx

@@ -2,7 +2,7 @@ ARG APISIX_VERSION="3.2.1"
 FROM apache/apisix:$APISIX_VERSION-centos
 
 # note: uncomment below if it's slow to build image
-# RUN mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup && \ 
+# RUN mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup && \
 #     curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.cloud.tencent.com/repo/centos7_base.repo && \
 #     yum clean all
 
@@ -24,10 +24,10 @@ RUN sed -i 's#yum install -y openresty openresty-debug openresty-openssl111-debu
 RUN sed -i 's|https://registry.npm.taobao.org|https://registry.npmmirror.com|g' ${CODE_DIR}/t/plugin/grpc-web/package-lock.json
 # fix archived libs in luarocks
 RUN sed -i 's|lualdap = 1.2.6-1|lualdap = 1.4.0-1|g' ${CODE_DIR}/rockspec/apisix-master-0.rockspec
-RUN cd ${CODE_DIR} &&  bash ./ci/centos7-ci.sh install_dependencies
+RUN cd ${CODE_DIR} && sed -i 's/3.8.0/3.12.0/g' utils/linux-install-luarocks.sh && bash ./ci/centos7-ci.sh install_dependencies
 RUN cp -r ${CODE_DIR}/t /usr/local/apisix/
 
-# the t/APISIX.pm:add_cleanup_handler will call it if the FLUSH_ETCD=1 
+# the t/APISIX.pm:add_cleanup_handler will call it if the FLUSH_ETCD=1
 RUN ln -s /usr/local/apisix/deps/bin /usr/local/apisix/bin
 
 # install etcd, we need to run in the container

src/apisix/plugins/bk-auth-verify.lua

@@ -71,7 +71,7 @@ local function get_auth_params_from_header(ctx)
 
     local auth_params = core.json.decode(authorization)
     if type(auth_params) ~= "table" then
-        core.log.error("the invalid X-Bkapi-Authorization: ", core.json.delay_encode(authorization))
+        core.log.warn("the invalid X-Bkapi-Authorization: ", core.json.delay_encode(authorization))
         return nil, "request header X-Bkapi-Authorization is not a valid JSON"
     end
 

src/apisix/plugins/bk-auth-verify/init.lua

@@ -19,6 +19,7 @@
 local pl_types = require("pl.types")
 local access_token_verifier = require("apisix.plugins.bk-auth-verify.access-token-verifier")
 local jwt_verifier = require("apisix.plugins.bk-auth-verify.jwt-verifier")
+local inner_jwt_verifier = require("apisix.plugins.bk-auth-verify.inner-jwt-verifier")
 local legacy_verifier = require("apisix.plugins.bk-auth-verify.legacy-verifier")
 local bk_user_define = require("apisix.plugins.bk-define.user")
 local setmetatable = setmetatable
@@ -69,13 +70,17 @@ end
 function _M.get_real_verifier(self)
     local jwt_token = self.auth_params:get_string("jwt")
     local access_token = self.auth_params:get_string("access_token")
+    local inner_jwt_token = self.auth_params:get_string("inner_jwt")
 
     if not pl_types.is_empty(jwt_token) then
         return jwt_verifier.new(jwt_token, access_token)
 
     elseif not pl_types.is_empty(access_token) then
         return access_token_verifier.new(access_token, self.bk_app)
 
+    elseif not pl_types.is_empty(inner_jwt_token) then
+        return inner_jwt_verifier.new(inner_jwt_token)
+
     else
         return legacy_verifier.new(self.bk_app, self.bk_api_auth, self.auth_params)
 

src/apisix/plugins/bk-auth-verify/inner-jwt-verifier.lua

@@ -0,0 +1,111 @@
+--
+-- TencentBlueKing is pleased to support the open source community by making
+-- 蓝鲸智云 - API 网关(BlueKing - APIGateway) available.
+-- Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+-- Licensed under the MIT License (the "License"); you may not use this file except
+-- in compliance with the License. You may obtain a copy of the License at
+--
+--     http://opensource.org/licenses/MIT
+--
+-- Unless required by applicable law or agreed to in writing, software distributed under
+-- the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+-- either express or implied. See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- We undertake not to change the open source license (MIT license) applicable
+-- to the current version of the project delivered to anyone in the future.
+--
+
+
+-- verified the inner jwt token signed by bk-apigateway
+-- X-Bkapi-Authorization: {"inner_jwt": ""}
+-- currently it only be used in the mcp-proxy, which will proxy the request from agent to the real apigateway api
+-- so, after the bk-apigateway verified the app and user, it generate the inner_jwt and call the real apigateway api
+-- the app_code in inner_jwt is not the real app_code, but a virtual app_code(like v_mcp_{mcp_service_id}_{app_code})
+-- so the permission can be controlled by the virtual app_code,
+-- which not exists in the real PaaS, so no security concern.
+-- NOTE: the design of verifier is not so good, so here we parse_bk_jwt_token twice
+--       only refactor it if the performance is a problem
+
+local bk_app_define = require("apisix.plugins.bk-define.app")
+local bk_user_define = require("apisix.plugins.bk-define.user")
+local jwt_utils = require("apisix.plugins.bk-auth-verify.jwt-utils")
+local string_format = string.format
+local setmetatable = setmetatable
+
+local _M = {
+    name = "inner-jwt",
+}
+
+local mt = {
+    __index = _M,
+}
+
+function _M.new(inner_jwt_token)
+    return setmetatable(
+        {
+            jwt_token = inner_jwt_token,
+        }, mt
+    )
+end
+
+function _M.verify_app(self)
+    local jwt_obj, err = jwt_utils.parse_bk_jwt_token(self.jwt_token)
+    if jwt_obj == nil then
+        return nil, string_format("parameter jwt is invalid: %s", err)
+    end
+
+    if jwt_obj.header.kid ~= "bk-apigateway" then
+        return nil, "invalid kid, only bk-apigateway is supported"
+    end
+
+    local app_info = jwt_obj.payload.app
+    if app_info == nil then
+        return nil, "parameter jwt does not indicate app information"
+    end
+    if app_info.verified ~= true then
+        return nil, "the app indicated by jwt is not verified"
+    end
+
+    return bk_app_define.new_app(
+        {
+            app_code = app_info.app_code,
+            exists = true,
+            verified = true,
+        }
+    )
+end
+
+function _M.verify_user(self)
+    local jwt_obj, err = jwt_utils.parse_bk_jwt_token(self.jwt_token)
+    if jwt_obj == nil then
+        return nil, string_format("parameter jwt is invalid: %s", err)
+    end
+
+    if jwt_obj.header.kid ~= "bk-apigateway" then
+        return nil, "invalid kid, only bk-apigateway is supported"
+    end
+
+    local user_info = jwt_obj.payload.user
+    if user_info == nil then
+        return bk_user_define.new_anonymous_user(
+        "auth parameter does not indicate user information, verified by inner-jwt-verifier"
+        )
+    end
+
+    if user_info.verified ~= true then
+        return bk_user_define.new_anonymous_user(
+        "the user indicated by auth parameter is not verified, verified by inner-jwt-verifier"
+        )
+    end
+
+    return bk_user_define.new_user(
+        {
+            username = user_info.username,
+            verified = true,
+            source_type = "inner_jwt",
+        }
+    )
+end
+
+return _M

src/apisix/tests/bk-auth-verify/test-init.lua

@@ -162,6 +162,15 @@ describe(
                     end
                 )
 
+                it(
+                    "inner-jwt-verifier", function()
+                        auth_params.inner_jwt = "fake-inner-jwt"
+
+                        local verifier = bk_auth_verify:get_real_verifier()
+                        assert.is_equal(verifier.name, "inner-jwt")
+                    end
+                )
+
                 it(
                     "legacy verifier", function()
                         local verifier = bk_auth_verify:get_real_verifier()