Merge pull request #71 from TencentBlueKing/master

TencentBlueKing · Nov 30, 2023 · d11ab66 · d11ab66
2 parents 3c7f86d + a71cfd9
commit d11ab66
Show file tree

Hide file tree

Showing 17 changed files with 1,028 additions and 68 deletions.
diff --git a/src/apisix/plugins/bk-auth-verify.lua b/src/apisix/plugins/bk-auth-verify.lua
@@ -118,11 +118,25 @@ local function get_auth_params_from_request(ctx, authorization_keys)
     if err ~= nil then
         return nil, err
     elseif auth_params ~= nil then
+        -- 记录认证参数位置，便于统计哪些请求将认证参数放到请求参数，推动优化
+        ctx.var.auth_params_location = "header"
         return auth_params, nil
     end
 
+    if not ctx.var.bk_api_auth:allow_get_auth_params_from_parameters() then
+        -- 不允许从请求参数获取认证参数，直接返回
+        return {}, nil
+    end
+
     -- from the querystring and body
-    return get_auth_params_from_parameters(ctx, authorization_keys), nil
+    auth_params = get_auth_params_from_parameters(ctx, authorization_keys)
+
+    if not pl_types.is_empty(auth_params) then
+        -- 记录认证参数位置，便于统计哪些请求将认证参数放到请求参数，推动优化
+        ctx.var.auth_params_location = "params"
+    end
+
+    return auth_params
 end
 -- utils end
 
@@ -174,6 +188,8 @@ function _M.rewrite(conf, ctx) -- luacheck: no unused
     ctx.var.bk_user = user
     ctx.var.bk_app_code = app["app_code"]
     ctx.var.bk_username = user["username"]
+    -- 记录认证参数位置，便于统计哪些请求将认证参数放到请求参数，推动优化
+    ctx.var.auth_params_location = ctx.var.auth_params_location or ""
 end
 
 if _TEST then -- luacheck: ignore

diff --git a/src/apisix/plugins/bk-auth-verify/app-account-verifier.lua b/src/apisix/plugins/bk-auth-verify/app-account-verifier.lua
@@ -20,6 +20,7 @@ local app_account_utils = require("apisix.plugins.bk-auth-verify.app-account-uti
 local bk_app_define = require("apisix.plugins.bk-define.app")
 local bk_cache = require("apisix.plugins.bk-cache.init")
 local setmetatable = setmetatable
+local string       = string
 
 local _M = {}
 
@@ -46,6 +47,14 @@ function _M.verify_app(self)
     end
 
     if not pl_types.is_empty(self.app_secret) then
+        -- check the length before call bkauth apis
+        if string.len(self.app_code) > 32 then
+            return bk_app_define.new_anonymous_app("app code cannot be longer than 32 characters")
+        end
+        if string.len(self.app_secret) > 128 then
+            return bk_app_define.new_anonymous_app("app secret cannot be longer than 128 characters")
+        end
+
         return self:verify_by_app_secret()
     end
 

diff --git a/src/apisix/plugins/bk-define/context-api-bkauth.lua b/src/apisix/plugins/bk-define/context-api-bkauth.lua
@@ -112,6 +112,8 @@ function ContextApiBkAuth.new(bk_api_auth)
             api_type = bk_api_auth.api_type,
             unfiltered_sensitive_keys = bk_api_auth.unfiltered_sensitive_keys or {},
             include_system_headers_mapping = include_system_headers_mapping,
+            allow_auth_from_params = bk_api_auth.allow_auth_from_params,
+            allow_delete_sensitive_params = bk_api_auth.allow_delete_sensitive_params,
             uin_conf = UinConf.new(bk_api_auth.uin_conf),
             rtx_conf = RtxConf.new(bk_api_auth.rtx_conf),
             user_conf = UserConf.new(bk_api_auth.user_conf),
@@ -123,6 +125,13 @@ function ContextApiBkAuth.get_api_type(self)
     return self.api_type
 end
 
+---Allow get auth_params from request parameters, such as querystring, body
+---@return boolean
+function ContextApiBkAuth.allow_get_auth_params_from_parameters(self)
+    -- 默认允许从参数获取认证信息
+    return self.allow_auth_from_params ~= false
+end
+
 ---Get the unfiltered sensitive keys.
 ---@return table
 function ContextApiBkAuth.get_unfiltered_sensitive_keys(self)
@@ -147,8 +156,9 @@ end
 
 ---Filter the sensitive params or not, do the filter if api_type is not ESB.
 ---@return boolean
-function ContextApiBkAuth.is_filter_sensitive_params(self)
-    return self.api_type ~= ESB
+function ContextApiBkAuth.should_delete_sensitive_params(self)
+    -- 非 esb，且允许删除敏感参数（默认允许删除）
+    return self.api_type ~= ESB and self.allow_delete_sensitive_params ~= false
 end
 
 function ContextApiBkAuth.is_user_type_uin(self)

diff --git a/src/apisix/plugins/bk-delete-sensitive.lua b/src/apisix/plugins/bk-delete-sensitive.lua
@@ -34,6 +34,7 @@ local core = require("apisix.core")
 local bk_core = require("apisix.plugins.bk-core.init")
 local ngx = ngx -- luacheck: ignore
 local ipairs = ipairs
+local tostring = tostring
 
 local plugin_name = "bk-delete-sensitive"
 
@@ -55,7 +56,6 @@ function _M.check_schema(conf)
     return core.schema.check(schema, conf)
 end
 
-
 ---Delete the sensitive parameters in the request header, uri args and body,
 ---it will check the first, then do the modification.
 ---@param ctx apisix.Context
@@ -103,6 +103,15 @@ local function delete_sensitive_params(ctx, sensitive_keys, unfiltered_sensitive
         ::continue::
     end
 
+    if ctx.var.auth_params_location == "header" and (query_changed or form_changed or body_changed) then
+        core.log.warn(
+            "auth params are present in both header and request parameters, request_id: " ..
+                tostring(ctx.var.bk_request_id)
+        )
+        -- 记录认证参数位置，便于统计哪些请求将认证参数放到请求参数，推动优化
+        ctx.var.auth_params_location = "header_and_params"
+    end
+
     if check_query and query_changed then
         core.request.set_uri_args(ctx, uri_args)
     end
@@ -127,7 +136,7 @@ local function delete_sensitive_headers()
 end
 
 function _M.rewrite(conf, ctx) -- luacheck: no unused
-    if ctx.var.bk_api_auth and ctx.var.bk_api_auth:is_filter_sensitive_params() then
+    if ctx.var.bk_api_auth and ctx.var.bk_api_auth:should_delete_sensitive_params() then
         delete_sensitive_params(
             ctx, bk_core.config.get_sensitive_keys(), ctx.var.bk_api_auth:get_unfiltered_sensitive_keys()
         )

diff --git a/src/apisix/plugins/bk-stage-context.lua b/src/apisix/plugins/bk-stage-context.lua
@@ -15,7 +15,6 @@
 -- We undertake not to change the open source license (MIT license) applicable
 -- to the current version of the project delivered to anyone in the future.
 --
-
 local core = require("apisix.core")
 local bk_core = require("apisix.plugins.bk-core.init")
 local context_api_bkauth = require("apisix.plugins.bk-define.context-api-bkauth")
@@ -63,6 +62,14 @@ local schema = {
                         type = "string",
                     },
                 },
+                allow_auth_from_params = {
+                    type = "boolean",
+                    default = true,
+                },
+                allow_delete_sensitive_params = {
+                    type = "boolean",
+                    default = true,
+                },
                 uin_conf = {
                     type = "object",
                     properties = {
@@ -132,20 +139,17 @@ local _M = {
     schema = schema,
 }
 
-
 ---@param jwt_private_key string: JWT private key (encoded in Base64)
----@return string|nil, string: The decoded JWT private key, or nil and error message if the decoding fails
+---@return string|nil, string|nil: The decoded JWT private key, or nil and error message if the decoding fails
 local function decode_jwt_private_key(jwt_private_key)
     local decoded_private_key = ngx_decode_base64(jwt_private_key)
     if not decoded_private_key then
         core.log.error("failed to decode jwt_private_key with base64. jwt_private_key=", jwt_private_key)
         return nil, "failed to decode jwt_private_key with base64"
     end
-    return decoded_private_key
+    return decoded_private_key, nil
 end
 
-
-
 ---@param conf table: The user-provided configuration for the plugin instance
 ---@return boolean, string|nil: true and nil if the configuration is valid, false and error message if not
 function _M.check_schema(conf)
@@ -165,7 +169,6 @@ function _M.check_schema(conf)
     return true
 end
 
-
 ---@param conf table: The user-provided configuration for the plugin instance
 ---@param ctx  api.Context: The request context
 function _M.rewrite(conf, ctx)

diff --git a/src/apisix/t/README.md b/src/apisix/t/README.md
@@ -33,4 +33,4 @@
 - [apisix source code : t](https://github.com/apache/apisix/tree/master/t)
 - [test-nginx](https://github.com/openresty/test-nginx)
 - [test-nginx doc: user guide](https://openresty.gitbooks.io/programming-openresty/content/testing/index.html)
-
+- [Test::Nginx::Socket](https://metacpan.org/pod/Test::Nginx::Socket)
diff --git a/src/apisix/t/bk-auth-validate.t b/src/apisix/t/bk-auth-validate.t
@@ -0,0 +1,52 @@
+#
+# TencentBlueKing is pleased to support the open source community by making
+# 蓝鲸智云 - API 网关(BlueKing - APIGateway) available.
+# Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
+# Licensed under the MIT License (the "License"); you may not use this file except
+# in compliance with the License. You may obtain a copy of the License at
+#
+#     http://opensource.org/licenses/MIT
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# We undertake not to change the open source license (MIT license) applicable
+# to the current version of the project delivered to anyone in the future.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+no_shuffle();
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!defined $block->request) {
+        $block->set_value("request", "GET /t");
+    }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: sanity
+--- config
+    location /t {
+        content_by_lua_block {
+            local plugin = require("apisix.plugins.bk-auth-validate")
+            local ok, err = plugin.check_schema({})
+            if not ok then
+                ngx.say(err)
+            end
+
+            ngx.say("done")
+        }
+    }
+--- response_body
+done