Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: use interceptors to protect plugin's route #2416

Merged
merged 4 commits into from
Oct 17, 2020
Merged

feat: use interceptors to protect plugin's route #2416

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
fe54d07
feat: use interceptors to protect plugin's route
spacewander Oct 14, 2020
1553652
localize
spacewander Oct 14, 2020
80396ed
tweak
spacewander Oct 14, 2020
f6e2702
doc
spacewander Oct 16, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 18 additions & 5 deletions apisix/admin/plugin_metadata.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,11 @@
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
local error = error
local pcall = pcall
local require = require
local core = require("apisix.core")
local api_router = require("apisix.api_router")

local _M = {
}
Expand Down Expand Up @@ -44,15 +46,26 @@ local function check_conf(plugin_name, conf)
return nil, {error_msg = "invalid plugin name"}
end

local schema = plugin_object.metadata_schema
if not schema then
return nil, {error_msg = "no metadata schema for plugin " .. plugin_name}
end

if not conf then
return nil, {error_msg = "missing configurations"}
end

local schema = plugin_object.metadata_schema or {
type = "object",
properties = {},
}
if not schema.properties then
schema.properties = {
additionalProperties = false,
}
end

-- inject interceptors schema to each plugins
if schema.properties.interceptors then
error("'interceptors' can not be used as the name of metadata schema's field")
end
schema.properties.interceptors = api_router.interceptors_schema

core.log.info("schema: ", core.json.delay_encode(schema))
core.log.info("conf : ", core.json.delay_encode(conf))
local ok, err = core.schema.check(schema, conf)
Expand Down
72 changes: 67 additions & 5 deletions apisix/api_router.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,57 @@
--
local require = require
local router = require("resty.radixtree")
local plugin = require("apisix.plugin")
local plugin_mod = require("apisix.plugin")
local ip_restriction = require("apisix.plugins.ip-restriction")
local core = require("apisix.core")
local ipairs = ipairs


local _M = {}
local match_opts = {}
local interceptors = {
["ip-restriction"] = {
run = function (conf, ctx)
return ip_restriction.access(conf, ctx)
end,
schema = ip_restriction.schema,
}
}


_M.interceptors_schema = {
type = "array",
items = {
type = "object",
minItems = 1,
properties = {
name = {
type = "string",
enum = {"ip-restriction"},
},
conf = {
type = "object",
}
},
required = {"name", "conf"},
dependencies = {
name = {
oneOf = {}
}
}
}
}
for name, attrs in pairs(interceptors) do
core.table.insert(_M.interceptors_schema.items.properties.name.enum, name)
core.table.insert(_M.interceptors_schema.items.dependencies.name.oneOf, {
properties = {
name = {
enum = {name},
},
conf = attrs.schema,
}
})
end


local fetch_api_router
Expand All @@ -31,18 +75,36 @@ do
function fetch_api_router()
core.table.clear(routes)

for _, plugin in ipairs(plugin.plugins) do
for _, plugin in ipairs(plugin_mod.plugins) do
local api_fun = plugin.api
if api_fun then
local name = plugin.name
local api_routes = api_fun()
core.log.debug("fetched api routes: ",
core.json.delay_encode(api_routes, true))
for _, route in ipairs(api_routes) do
core.table.insert(routes, {
methods = route.methods,
paths = route.uri,
handler = function (...)
local code, body = route.handler(...)
handler = function (api_ctx)
local code, body

local metadata = plugin_mod.plugin_metadata(name)
if metadata and metadata.interceptors then
for _, rule in ipairs(metadata.interceptors) do
local f = interceptors[rule.name]
if f == nil then
core.log.error("unknown interceptor: ", rule.name)
else
code, body = f.run(rule.conf, api_ctx)
if code or body then
return core.response.exit(code, body)
end
end
end
end

code, body = route.handler(api_ctx)
if code or body then
core.response.exit(code, body)
end
Expand All @@ -59,7 +121,7 @@ end -- do


function _M.match(api_ctx)
local api_router = core.lrucache.global("api_router", plugin.load_times, fetch_api_router)
local api_router = core.lrucache.global("api_router", plugin_mod.load_times, fetch_api_router)
if not api_router then
core.log.error("failed to fetch valid api router")
return false
Expand Down
190 changes: 171 additions & 19 deletions t/admin/plugin-metadata.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -237,65 +237,217 @@ GET /t



=== TEST 8: no plugin metadata schema
=== TEST 8: verify metadata schema fail
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/echo',
ngx.HTTP_PUT,
[[{"k": "v"}]],
local code, body = t('/apisix/admin/plugin_metadata/example-plugin',
ngx.HTTP_PUT,
[[{
"skey": "val"
}]],
[[{
"node": {
"value": "sdf"
"value": {
"skey": "val",
"ikey": 1
}
},
"action": "set"
}]]
)

ngx.status = code
ngx.print(body)
ngx.say(body)
}
}
--- request
GET /t
--- error_code: 400
--- response_body eval
qr/\{"error_msg":"invalid configuration: property \\"ikey\\" is required"\}/
--- no_error_log
[error]



=== TEST 9: set plugin interceptors
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/prometheus',
ngx.HTTP_PUT,
[[{
"interceptors": [
{
"name": "ip-restriction",
"conf": {
"whitelist": ["192.168.1.0/24"]
}
}
]
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
{"error_msg":"no metadata schema for plugin echo"}
passed
--- no_error_log
[error]



=== TEST 9: verify metadata schema fail
=== TEST 10: hit prometheus route
--- request
GET /apisix/prometheus/metrics
-- error_code: 403



=== TEST 11: set plugin interceptors (allow ip access)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/example-plugin',
local code, body = t('/apisix/admin/plugin_metadata/prometheus',
ngx.HTTP_PUT,
[[{
"skey": "val"
}]],
"interceptors": [
{
"name": "ip-restriction",
"conf": {
"whitelist": ["127.0.0.1"]
}
}
]
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
--- no_error_log
[error]



=== TEST 12: hit prometheus route again
--- request
GET /apisix/prometheus/metrics
-- error_code: 200



=== TEST 13: invalid interceptors configure (unknown interceptor)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/prometheus',
ngx.HTTP_PUT,
[[{
"node": {
"value": {
"skey": "val",
"ikey": 1
"interceptors": [
{
"name": "unknown",
"conf": {
"whitelist": ["127.0.0.1"]
}
}
},
"action": "set"
]
}]]
)

ngx.status = code
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body eval
qr/\{"error_msg":"invalid configuration: property \\"interceptors\\" validation failed: failed to validate item 1: property \\"name\\" validation failed: matches non of the enum values"\}/
--- error_code: 400
--- no_error_log
[error]



=== TEST 14: invalid interceptors configure (missing conf)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/prometheus',
ngx.HTTP_PUT,
[[{
"interceptors": [
{
"name": "ip-restriction"
}
]
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- error_code: 400
--- response_body eval
qr/\{"error_msg":"invalid configuration: property \\"ikey\\" is required"\}/
qr/\{"error_msg":"invalid configuration: property \\"interceptors\\" validation failed: failed to validate item 1: property \\"conf\\" is required"\}/
--- no_error_log
[error]



=== TEST 15: invalid interceptors configure (invalid interceptor configure)
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/plugin_metadata/prometheus',
ngx.HTTP_PUT,
[[{
"interceptors": [
{
"name": "ip-restriction",
"conf": {"aa": "b"}
}
]
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- error_code: 400
--- response_body eval
qr/\{"error_msg":"invalid configuration: property \\"interceptors\\" validation failed: failed to validate item 1: failed to validate dependent schema for \\"name\\": value should match only one schema, but matches none"\}/
--- no_error_log
[error]