Skip to content

Commit

Permalink
Merge pull request #77 from TencentBlueKing/master
Browse files Browse the repository at this point in the history
  • Loading branch information
@wklken
wklken committed Dec 28, 2023
2 parents e9f7ab1 + 63af8b1 commit 38f64b9
Show file tree
Hide file tree
Showing 5 changed files with 98 additions and 19 deletions.
4 changes: 3 additions & 1 deletion src/apisix/ci/Dockerfile.apisix-test-busted
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,16 @@ FROM apache/apisix:$APISIX_VERSION-centos

# in github action, change the source of yum is not ok
# note: uncomment below if it's slow to build image
# RUN mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup && \
# RUN mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup && \
# curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.cloud.tencent.com/repo/centos7_base.repo && \
# yum clean all

RUN yum install -y sudo make gcc curl wget unzip git valgrind

ARG APISIX_VERSION
RUN curl https://raw.githubusercontent.com/apache/apisix/${APISIX_VERSION}/utils/linux-install-luarocks.sh | bash
# lock the version of luasystem, otherwise the busted won't be installed success
RUN luarocks install https://luarocks.org/manifests/lunarmodules/luasystem-0.2.1-0.rockspec
RUN luarocks install https://github.com/lunarmodules/busted/releases/download/v2.1.1/busted-2.1.1-1.rockspec

COPY ci/requirements-dev-0.rockspec /
Expand Down
55 changes: 39 additions & 16 deletions src/apisix/plugins/bk-components/bkauth.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
--
local pl_types = require("pl.types")
local http = require("resty.http")
local uuid = require("resty.jit-uuid")
local core = require("apisix.core")
local bk_core = require("apisix.plugins.bk-core.init")

Expand Down Expand Up @@ -48,6 +49,8 @@ function _M.verify_app_secret(app_code, app_secret)

local http_client = http.new()
http_client:set_timeout(BKAUTH_TIMEOUT_MS)

local request_id = uuid.generate_v4()
local res, err = http_client:request_uri(
url, {
method = "POST",
Expand All @@ -57,16 +60,19 @@ function _M.verify_app_secret(app_code, app_secret)
}
),
ssl_verify = false,

headers = {
["X-Bk-App-Code"] = _M.app_code,
["X-Bk-App-Secret"] = _M.app_secret,
["X-Request-Id"] = request_id,
["Content-Type"] = "application/json",
},
}
)

if not (res and res.body) then
err = string_format("failed to request third-party api, url: %s, err: %s, response: nil", url, err)
err = string_format("failed to request third-party api, url: %s, request_id: %s, err: %s, response: nil", url,
request_id, err)
core.log.error(err)
return nil, err
end
Expand All @@ -83,24 +89,28 @@ function _M.verify_app_secret(app_code, app_secret)
if result == nil then
core.log.error(
string_format(
"failed to request %s, response is not valid json, status: %s, response: %s", url, res.status, res.body
"failed to request %s, request_id: %s, response is not valid json, status: %s, response: %s", url,
request_id, res.status, res.body
)
)
return nil, string_format(
"failed to request third-party api, response is not valid json, url: %s, status: %s", url, res.status
"failed to request third-party api, response is not valid json, url: %s, request_id: %s, status: %s", url,
request_id, res.status
)
end

if result.code ~= 0 or res.status ~= 200 then
core.log.error(
string_format(
"failed to request %s, result.code!=0 or status!=200, status: %s, response: %s", url, res.status,
"failed to request %s, request_id: %s, result.code!=0 or status!=200, status: %s, response: %s", url,
request_id, res.status,
res.body
)
)
return nil, string_format(
"failed to request third-party api, bkauth error message: %s, url: %s, status: %s, code: %s",
result.message, url, res.status, result.code
"failed to request third-party api, bkauth error message: %s, url: %s, \
request_id: %s, status: %s, code: %s",
result.message, url, request_id, res.status, result.code
)
end

Expand All @@ -119,20 +129,23 @@ function _M.list_app_secrets(app_code)

local http_client = http.new()
http_client:set_timeout(BKAUTH_TIMEOUT_MS)
local request_id = uuid.generate_v4()
local res, err = http_client:request_uri(
url, {
method = "GET",
ssl_verify = false,
headers = {
["X-Bk-App-Code"] = _M.app_code,
["X-Bk-App-Secret"] = _M.app_secret,
["X-Request-Id"] = request_id,
["Content-Type"] = "application/x-www-form-urlencoded",
},
}
)

if not (res and res.body) then
err = string_format("failed to request third-party api, url: %s, err: %s, response: nil", url, err)
err = string_format("failed to request third-party api, url: %s, request_id: %s, err: %s, response: nil", url,
request_id, err)
core.log.error(err)
return nil, err
end
Expand All @@ -148,24 +161,28 @@ function _M.list_app_secrets(app_code)
if result == nil then
core.log.error(
string_format(
"failed to request %s, response is not valid json, status: %s, response: %s", url, res.status, res.body
"failed to request %s, request_id: %s, response is not valid json, status: %s, response: %s", url,
request_id, res.status, res.body
)
)
return nil, string_format(
"failed to request third-party api, response is not valid json, url: %s, status: %s", url, res.status
"failed to request third-party api, response is not valid json, url: %s, request_id: %s, status: %s", url,
request_id, res.status
)
end

if result.code ~= 0 or res.status ~= 200 then
core.log.error(
string_format(
"failed to request %s, result.code!=0 or status!=200, status: %s, response: %s", url, res.status,
"failed to request %s, request_id: %s, result.code!=0 or status!=200, status: %s, response: %s", url,
request_id, res.status,
res.body
)
)
return nil, string_format(
"failed to request third-party api, bkauth error message: %s, url: %s, status: %s, code: %s",
result.message, url, res.status, result.code
"failed to request third-party api, bkauth error message: %s, url: %s,\
request_id: %s, status: %s, code: %s",
result.message, url, request_id, res.status, result.code
)
end

Expand All @@ -188,6 +205,7 @@ function _M.verify_access_token(access_token)

local http_client = http.new()
http_client:set_timeout(BKAUTH_TIMEOUT_MS)
local request_id = uuid.generate_v4()
local res, err = http_client:request_uri(
url, {
method = "POST",
Expand All @@ -200,14 +218,16 @@ function _M.verify_access_token(access_token)
headers = {
["X-Bk-App-Code"] = _M.app_code,
["X-Bk-App-Secret"] = _M.app_secret,
["X-Request-Id"] = request_id,
-- ["Authorization"] = "Bearer " .. self.bkauth_access_token
["Content-Type"] = "application/json",
},
}
)

if not (res and res.body) then
err = string_format("failed to request third-party api, url: %s, err: %s, response: nil", url, err)
err = string_format("failed to request third-party api, url: %s, request_id: %s, err: %s, response: nil", url,
request_id, err)
core.log.error(err)
return nil, err
end
Expand All @@ -216,17 +236,20 @@ function _M.verify_access_token(access_token)
if result == nil then
core.log.error(
string_format(
"failed to request %s, response is not valid json, status: %s, response: %s", url, res.status, res.body
"failed to request %s, request_id: %s, response is not valid json, status: %s, response: %s", url,
request_id, res.status, res.body
)
)
return nil, string_format(
"failed to request third-party api, response is not valid json, url: %s, status: %s", url, res.status
"failed to request third-party api, response is not valid json, url: %s, request_id: %s, status: %s", url,
request_id, res.status
)
end

if result.code ~= 0 or res.status ~= 200 then
return nil, string_format(
"bkauth error message: %s, url: %s, status: %s, code: %s", result.message, url, res.status, result.code
"bkauth error message: %s, url: %s, request_id: %s, status: %s, code: %s",
result.message, url, request_id, res.status, result.code
)
end

Expand Down
3 changes: 2 additions & 1 deletion src/apisix/plugins/bk-define/context-resource-bkauth.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,8 @@ function _M.get_verified_user_required(self)
end

function _M.get_resource_perm_required(self)
return self.resource_perm_required
-- only verified_app_required is true, the bk_app_code is verified, then the resource perm is meaningful
return self.verified_app_required and self.resource_perm_required
end

function _M.get_skip_user_verification(self)
Expand Down
12 changes: 11 additions & 1 deletion src/apisix/tests/bk-components/test-bkauth.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ local bkauth = require("apisix.plugins.bk-components.bkauth")

describe(
"bkauth", function()

local response, response_err

before_each(
Expand Down Expand Up @@ -59,6 +58,7 @@ describe(
local result, err = bkauth.verify_app_secret("fake-app-code", "fake-app-secret")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand Down Expand Up @@ -93,6 +93,7 @@ describe(
local result, err = bkauth.verify_app_secret("fake-app-code", "fake-app-secret")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand All @@ -115,6 +116,7 @@ describe(
local result, err = bkauth.verify_app_secret("fake-app-code", "fake-app-secret")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand Down Expand Up @@ -174,6 +176,7 @@ describe(
local result, err = bkauth.list_app_secrets("fake-app-code")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)
it(
Expand Down Expand Up @@ -210,6 +213,7 @@ describe(
local result, err = bkauth.list_app_secrets("fake-app-code")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand All @@ -232,6 +236,7 @@ describe(
local result, err = bkauth.list_app_secrets("fake-app-code")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand Down Expand Up @@ -282,6 +287,7 @@ describe(
local result, err = bkauth.verify_access_token("fake-token")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand All @@ -295,6 +301,7 @@ describe(
local result, err = bkauth.verify_access_token("fake-token")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand All @@ -309,6 +316,7 @@ describe(
local result, err = bkauth.verify_access_token("fake-token")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "failed to request third-party api"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand All @@ -328,6 +336,7 @@ describe(
local result, err = bkauth.verify_access_token("fake-token")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "bkauth error message: error"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand All @@ -347,6 +356,7 @@ describe(
local result, err = bkauth.verify_access_token("fake-token")
assert.is_nil(result)
assert.is_true(core.string.has_prefix(err, "bkauth error message: error"))
assert.is_true(core.string.find(err, "request_id") ~= nil)
end
)

Expand Down
43 changes: 43 additions & 0 deletions src/apisix/tests/bk-define/test-context-resource-bkauth.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,49 @@ describe(
)
end
)

it(
"resource perm, verified_app_required is false", function()
bk_resource_auth = context_resource_bkauth.new(
{
verified_app_required = false,
verified_user_required = true,
resource_perm_required = true,
skip_user_verification = true,
}
)

assert.is_false(bk_resource_auth:get_resource_perm_required())
end
)
it(
"resource perm, resource_perm_required is false", function()
bk_resource_auth = context_resource_bkauth.new(
{
verified_app_required = true,
verified_user_required = true,
resource_perm_required = false,
skip_user_verification = true,
}
)

assert.is_false(bk_resource_auth:get_resource_perm_required())
end
)
it(
"resource perm, both true", function()
bk_resource_auth = context_resource_bkauth.new(
{
verified_app_required = true,
verified_user_required = true,
resource_perm_required = true,
skip_user_verification = true,
}
)

assert.is_true(bk_resource_auth:get_resource_perm_required())
end
)
end
)
end
Expand Down

0 comments on commit 38f64b9

Please sign in to comment.