Posted to notifications@apisix.apache.org by "spacewander (via GitHub)" <gi...@apache.org> on 2023/03/23 01:25:11 UTC

[GitHub] [apisix] spacewander commented on a diff in pull request #9146: fix(cli): fix allow_admin allows non-`127.0.0.0/24` to access admin api with empty admin_key

spacewander commented on code in PR #9146:
URL: https://github.com/apache/apisix/pull/9146#discussion_r1145568879


##########
apisix/cli/ops.lua:
##########
@@ -185,12 +186,9 @@ local function init(env)
     local checked_admin_key = false
     local allow_admin = yaml_conf.deployment.admin and
         yaml_conf.deployment.admin.allow_admin
-    if yaml_conf.apisix.enable_admin and allow_admin then
-        for _, allow_ip in ipairs(allow_admin) do
-            if allow_ip == "127.0.0.0/24" then
-                checked_admin_key = true
-            end
-        end
+    if yaml_conf.apisix.enable_admin and allow_admin
+       and table.getn(allow_admin) == 1 and allow_admin[1] == "127.0.0.0/24" then
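
Review bot: The new condition in `init` has no comment explaining why `allow_admin` must contain exactly one entry. The removed loop marked the admin key as checked whenever `127.0.0.0/24` appeared anywhere in the list, so the stricter rule (loopback range as the sole entry) should be stated next to the `if`. The match is also a literal string comparison against `"127.0.0.0/24"`, so any other spelling of a loopback-only list (for example `127.0.0.1`) will not satisfy it. That fails in the safe direction, but it is worth documenting alongside the condition.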

Review Comment:
   table.getn is deprecated, use `#` instead



##########
t/cli/test_admin.sh:
##########
@@ -154,6 +154,45 @@ fi
 
 echo "pass: missing admin key and show ERROR message"
 
+# missing admin key, only allow 127.0.0.0/24 to access admin api
+
+git checkout conf/config.yaml

Review Comment:
   We don't need to checkout the config and then override it



##########
t/cli/test_admin.sh:
##########
@@ -154,6 +154,45 @@ fi
 
 echo "pass: missing admin key and show ERROR message"
 
+# missing admin key, only allow 127.0.0.0/24 to access admin api
+
+git checkout conf/config.yaml
+
+echo '
+deployment:
+  admin:
+    allow_admin:
+      - 127.0.0.0/24
+    allow_admin: ~
+' > conf/config.yaml
+
+make init > output.log 2>&1 | true
+
+grep -E "ERROR: missing valid Admin API token." output.log > /dev/null
+if [ ! $? -ne 0 ]; then
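
Review bot: The config written to `conf/config.yaml` defines `allow_admin` twice under `deployment.admin`, first as the list containing `127.0.0.0/24` and then as `allow_admin: ~`. Depending on the YAML parser, the duplicate key is either rejected or the later null value replaces the list, so the test may not exercise the single-entry loopback case its comment names. Going by the `# missing admin key` comment, the second key was presumably meant to be `admin_key: ~`. Separately, in `make init > output.log 2>&1 | true` the output is already redirected to the file, so the pipe only discards the exit status; `|| true` would express that directly.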

Review Comment:
   The condition here is incorrect?


