feat: ext-auth plugin: Blacklist and whitelist modes support HTTP request method matching #1798

Open
wants to merge 6 commits into
base: main

hanxiantao (Collaborator) commented Feb 22, 2025

Ⅰ. Describe what this PR did

The ext-auth plugin's blacklist and whitelist modes support HTTP request method matching.

Ⅱ. Does this pull request fix one issue?

fixes #1770

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

Authentication whitelist

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
    match_type: 'whitelist'
    match_list:
        - match_rule_domain: '*.bar.com'
          match_rule_path: '/foo/health'
          match_rule_type: 'exact'
        - match_rule_path: '/foo/metrics'
          match_rule_method: ["GET"]
          match_rule_type: 'exact'
        - match_rule_domain: 'images.example.com'
          match_rule_method: ["GET"]
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.96

The authentication service always returns 500.

curl -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/health?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X GET http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: images.example.com" -o /dev/null -w "%{http_code}\n" -s -S

curl -X GET http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: images.example.com" -o /dev/null -w "%{http_code}\n" -s -S

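The first, fourth, and fifth curl requests go through authentication and return 403; all other requests skip authentication.

Authentication blacklist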

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
    match_type: 'blacklist'
    match_list:
        - match_rule_domain: '*.bar.com'
          match_rule_path: '/foo/health'
          match_rule_type: 'exact'
        - match_rule_path: '/foo/metrics'
          match_rule_method: ["GET"]
          match_rule_type: 'exact'
        - match_rule_domain: 'test.example.com'
        - match_rule_method: ["DELETE"]
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.96

The authentication service always returns 500.

curl -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/health?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X GET http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: test.example.com" -o /dev/null -w "%{http_code}\n" -s -S

curl -X DELETE http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

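The second, third, fifth, and sixth curl requests go through authentication and return 403; the first and fourth requests skip authentication.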

Ⅴ. Special notes for reviews
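The skip-or-authenticate decision that the two verification runs above exercise, as an added Go example that is not the plugin's code or part of this PR. `Rule` and `NeedsAuth` are hypothetical names; it assumes an empty rule field matches anything, paths are compared exactly with the query string removed, `*.` domains match by suffix, and an unknown `match_type` authenticates everything.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors one match_list entry (paths are exact-match only here). Assumption: an empty field matches anything.
type Rule struct {
	Domain, Path string
	Methods      []string
}

func (r Rule) matches(method, host, uri string) bool {
	path, _, _ := strings.Cut(uri, "?") // compare the path only, not the query string
	if strings.HasPrefix(r.Domain, "*.") {
		if !strings.HasSuffix(host, r.Domain[1:]) {
			return false
		}
	} else if r.Domain != "" && r.Domain != host {
		return false
	}
	if r.Path != "" && r.Path != path {
		return false
	}
	for _, m := range r.Methods {
		if m == method { // exact compare: HTTP method names are case-sensitive
			return true
		}
	}
	return len(r.Methods) == 0 // no match_rule_method means any method
}

// NeedsAuth: a whitelist match skips auth, a blacklist match forces it; an unknown mode always authenticates.
func NeedsAuth(matchType string, rules []Rule, method, host, uri string) bool {
	for _, r := range rules {
		if r.matches(method, host, uri) {
			return matchType != "whitelist"
		}
	}
	return matchType != "blacklist"
}

func main() {
	// Constructed from the second match_list rule and the PUT /foo/metrics curl call on this page.
	rule := []Rule{{Path: "/foo/metrics", Methods: []string{"GET"}}}
	for _, mode := range []string{"whitelist", "blacklist"} {
		fmt.Println(mode, "PUT needs auth:", NeedsAuth(mode, rule, "PUT", "localhost:8082", "/foo/metrics?apikey=x"))
	}
}
```

The same rule gives opposite results for the PUT: the whitelist sends it to the auth service, while the blacklist lets it through unauthenticated, so a blacklist rule meant to protect a path should leave `match_rule_method` unset or list every method the upstream accepts.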

codecov-commenter commented Feb 22, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 43.41%. Comparing base (ef31e09) to head (6230b9c).
Report is 304 commits behind head on main.

@@            Coverage Diff             @@
##             main    #1798      +/-   ##
==========================================
+ Coverage   35.91%   43.41%   +7.50%     
==========================================
  Files          69       76       +7     
  Lines       11576    12278     +702     
==========================================
+ Hits         4157     5331    +1174     
+ Misses       7104     6617     -487     
- Partials      315      330      +15     

see 71 files with indirect coverage changes

hanxiantao marked this pull request as draft February 22, 2025 04:35
hanxiantao marked this pull request as ready for review February 22, 2025 05:24
hanxiantao changed the title from "feat: ext-auth Plugin: Support for Whitelist/Blacklist and Request Method Matching" to "feat: ext-auth plugin: Blacklist and whitelist modes support HTTP request method matching" Feb 22, 2025
Successfully merging this pull request may close these issues.

External authentication plugin: can an HTTP method filter be added to match_list?