Posted to notifications@apisix.apache.org by sp...@apache.org on 2022/05/29 12:56:37 UTC
[apisix] 12/12: fix: hide 5xx error message from client (#6982)
This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch release/2.13
in repository https://gitbox.apache.org/repos/asf/apisix.git
commit 9b0cc7a3b0ed837e330603304c4a7267ff392faf
Author: leslie <59...@users.noreply.github.com>
AuthorDate: Thu May 5 09:54:20 2022 +0800
fix: hide 5xx error message from client (#6982)
Co-authored-by: 高亮亮 <gl...@alibaba-inc.com>
---
apisix/plugins/authz-casbin.lua | 3 ++-
apisix/plugins/authz-keycloak.lua | 18 ++++++++++--------
t/plugin/authz-keycloak.t | 3 +++
3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/apisix/plugins/authz-casbin.lua b/apisix/plugins/authz-casbin.lua
index d81d34089..fedd2d33f 100644
--- a/apisix/plugins/authz-casbin.lua
+++ b/apisix/plugins/authz-casbin.lua
@@ -112,7 +112,8 @@ function _M.rewrite(conf, ctx)
-- creates an enforcer when request sent for the first time
local ok, err = new_enforcer_if_need(conf)
if not ok then
- return 503, {message = err}
+ core.log.error(err)
+ return 503
end
local path = ctx.var.uri
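Review bot: The new `core.log.error(err)` in the `if not ok then` branch logs the raw enforcer error with no context. Now that the client only gets a bare 503, the log line is the operator's only trace of the failure, and it does not say which plugin or step produced it. A prefix would fix that, for example `core.log.error("failed to create casbin enforcer: ", err)`. The body of `_M.rewrite` continues outside this hunk.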
diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua
index 52321e546..c871a927b 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -340,7 +340,7 @@ local function authz_keycloak_ensure_sa_access_token(conf)
if not token_endpoint then
log.error("Unable to determine token endpoint.")
- return 500, "Unable to determine token endpoint."
+ return 503, "Unable to determine token endpoint."
end
local session = authz_keycloak_cache_get("access-tokens", token_endpoint .. ":"
@@ -446,7 +446,7 @@ local function authz_keycloak_ensure_sa_access_token(conf)
if not session then
-- No session available. Create a new one.
- core.log.debug("Getting access token for Protection API from token endpoint.")
+ log.debug("Getting access token for Protection API from token endpoint.")
local httpc = authz_keycloak_get_http_client(conf)
local params = {
@@ -522,7 +522,7 @@ local function authz_keycloak_resolve_resource(conf, uri, sa_access_token)
if not resource_registration_endpoint then
local err = "Unable to determine registration endpoint."
log.error(err)
- return 500, err
+ return 503, err
end
log.debug("Resource registration endpoint: ", resource_registration_endpoint)
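Review bot: `return 503, err` puts the status code in the first return slot, but the check visible in the later `evaluate_permissions` hunk is `if permission == nil then`. If that caller assigns the first return value to `permission` (the call line is outside the hunks, so this is inferred), a missing registration endpoint gives `permission == 503`. That would skip the nil check and let evaluation continue with a number where a permission list is expected, instead of failing closed. Using `return nil, err` here would route the failure into the branch that logs and returns 503. The function starts and ends outside this hunk.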
@@ -567,7 +567,7 @@ local function evaluate_permissions(conf, ctx, token)
-- Ensure discovered data.
local err = authz_keycloak_ensure_discovered_data(conf)
if err then
- return 500, err
+ return 503, err
end
local permission
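Review bot: The discovery-failure branch still returns the message as a second value (`return 503, err`), unlike the branches further down in `evaluate_permissions` that now log and return a bare 503. The text from `authz_keycloak_ensure_discovered_data` is therefore still handed to the caller, and whether it reaches the client depends on code outside the hunks. To match the commit's stated goal, this branch could use `log.error(err)` followed by `return 503`. The `if not token_endpoint then` branch in the `@@ -631` hunk keeps the same `return 503, err` shape, though its message is a fixed string.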
@@ -576,7 +576,8 @@ local function evaluate_permissions(conf, ctx, token)
-- Ensure service account access token.
local sa_access_token, err = authz_keycloak_ensure_sa_access_token(conf)
if err then
- return 500, err
+ log.error(err)
+ return 503
end
-- Resolve URI to resource(s).
@@ -586,7 +587,8 @@ local function evaluate_permissions(conf, ctx, token)
-- Check result.
if permission == nil then
-- No result back from resource registration endpoint.
- return 500, err
+ log.error(err)
+ return 503
end
else
-- Use statically configured permissions.
@@ -631,7 +633,7 @@ local function evaluate_permissions(conf, ctx, token)
if not token_endpoint then
err = "Unable to determine token endpoint."
log.error(err)
- return 500, err
+ return 503, err
end
log.debug("Token endpoint: ", token_endpoint)
@@ -658,7 +660,7 @@ local function evaluate_permissions(conf, ctx, token)
if not res then
err = "Error while sending authz request to " .. token_endpoint .. ": " .. err
log.error(err)
- return 500, err
+ return 503
end
log.debug("Response status: ", res.status, ", data: ", res.body)
diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t
index ad8ba8996..5dc7bd535 100644
--- a/t/plugin/authz-keycloak.t
+++ b/t/plugin/authz-keycloak.t
@@ -325,6 +325,8 @@ passed
}
})
+ ngx.status = res.status
+
if res.status == 200 then
ngx.say(true)
else
@@ -338,6 +340,7 @@ GET /t
false
--- error_log
Error while sending authz request to https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token: 18: self signed certificate
+--- error_code: 503