Skip to content

feat: Add ext-auth plugin support for authentication blacklists/whitelists #1694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jan 21, 2025
Merged

feat: Add ext-auth plugin support for authentication blacklists/whitelists #1694

merged 6 commits into from
Jan 21, 2025

Conversation

hanxiantao
Copy link
Collaborator

@hanxiantao hanxiantao commented Jan 19, 2025
edited
Loading

Ⅰ. Describe what this PR did

1)支持配置请求黑白名单
2)优化代码结构,完善单元测试
3)优化文档,添加 endpoint_mode 为 forward_auth 时 X-Forwarded-* 请求头相关的示例,文档中删除 X-Original-* 相关的部分

Ⅱ. Does this pull request fix one issue?

fixes #1691

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

认证白名单

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
    match_type: 'whitelist'
    match_list:
        - match_rule_domain: '*.bar.com'
          match_rule_path: '/foo/health'
          match_rule_type: 'exact'
        - match_rule_path: '/foo/metrics'
          match_rule_type: 'exact'
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.87

认证服务固定返回500

curl -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/health?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

只有第一次curl进入认证,返回401,其他请求均跳过认证

认证白名单

认证黑名单

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
    match_type: 'blacklist'
    match_list:
        - match_rule_domain: '*.bar.com'
          match_rule_path: '/foo/health'
          match_rule_type: 'exact'
        - match_rule_path: '/foo/metrics'
          match_rule_type: 'exact'
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.87

认证服务固定返回500

curl -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/health?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -o - -w "\n%{http_code}\n" -s -S

curl -X PUT http://localhost:8082/foo/metrics?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -o /dev/null -w "%{http_code}\n" -s -S

第二、三次curl进入认证,返回401,第一次请求跳过认证

认证黑名单

endpoint_mode为envoy时

1)认证成功

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint:
        path_prefix: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.87

curl -kvv -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com"

认证成功

endpoint_mode为envoy时认证成功

认证请求Method为原始请求Method,认证请求path为path_prefix+原始path拼接,并添加对应请求头key1和key2到认证服务

endpoint_mode为envoy时认证成功2

2)认证失败

curl -kvv -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com"

认证失败,响应码和响应体为认证服务返回的内容

endpoint_mode为envoy时认证失败

认证请求Method为原始请求Method,认证请求path为path_prefix+原始path拼接,并添加对应请求头key1和key2到认证服务

endpoint_mode为envoy时认证失败2

endpoint_mode为forward_auth时

1)认证成功

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
          - exact: x-user-id
          - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint_mode: forward_auth
      endpoint:
        request_method: POST
        path: /auth
        service_name: ext-auth.static
        service_port: 80
        service_source: ip
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.87

curl -kvv -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -H "x-user-id: 111111" -H "x-custom-1: test"

认证成功

endpoint_mode为forward_auth时认证成功

认证请求Method为配置的request_method,认证请求path为配置的path

endpoint_mode为forward_auth时认证成功2

2)认证失败

curl -kvv -X PUT http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5 -H "foo: bar" -H "Authorization: xxx" -H "Host: foo.bar.com" -H "x-user-id: 111111" -H "x-custom-1: test"

认证失败

endpoint_mode为forward_auth时认证失败

认证请求Method为配置的request_method,认证请求path为配置的path

endpoint_mode为forward_auth时认证失败2

Ⅴ. Special notes for reviews

@codecov-commenter
Copy link

codecov-commenter commented Jan 19, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 43.61%. Comparing base (ef31e09) to head (2bd1133).
Report is 276 commits behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1694      +/-   ##
==========================================
+ Coverage   35.91%   43.61%   +7.70%     
==========================================
  Files          69       76       +7     
  Lines       11576    12358     +782     
==========================================
+ Hits         4157     5390    +1233     
+ Misses       7104     6630     -474     
- Partials      315      338      +23

see 70 files with indirect coverage changes

@hanxiantao hanxiantao mentioned this pull request Jan 19, 2025
Merged
johnlanni
johnlanni requested changes Jan 20, 2025
View reviewed changes
@hanxiantao hanxiantao changed the title Add support for skipped_path_prefixes to ext-auth plugin feat: Add ext-auth plugin support for authentication blacklists/whitelists Jan 20, 2025
@hanxiantao hanxiantao requested a review from johnlanni January 20, 2025 14:10
johnlanni
johnlanni approved these changes Jan 21, 2025
View reviewed changes
Copy link
Collaborator

@johnlanni johnlanni left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Thanks!

@johnlanni johnlanni merged commit 0259ead into alibaba:main Jan 21, 2025
13 checks passed
@hanxiantao hanxiantao mentioned this pull request Jan 22, 2025
Closed
VinceCui pushed a commit to VinceCui/higress that referenced this pull request May 21, 2025
@hanxiantao
feat: Add ext-auth plugin support for authentication blacklists/white…
73a76ea 
…lists (alibaba#1694)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnlanni johnlanni johnlanni approved these changes

@CH3CHO CH3CHO Awaiting requested review from CH3CHO CH3CHO is a code owner

@rinfx rinfx Awaiting requested review from rinfx rinfx is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

【外部认证】插件是否能支持响应body 及 例外路径(不需要认证)
3 participants
@hanxiantao @codecov-commenter @johnlanni