Posted to notifications@apisix.apache.org by sp...@apache.org on 2022/01/14 04:55:11 UTC

[apisix] branch master updated: feat: support hide the authentication header in basic-auth with a config (#6039)

This is an automated email from the ASF dual-hosted git repository.

spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new d7fda7e  feat: support hide the authentication header in basic-auth with  a config (#6039)
d7fda7e is described below

commit d7fda7ee69246fed3c483f5b6afeb6afb081d182
Author: mango <35...@users.noreply.github.com>
AuthorDate: Fri Jan 14 12:55:06 2022 +0800

    feat: support hide the authentication header in basic-auth with  a config (#6039)
    
    Co-authored-by: xuwei <>
---
 apisix/plugins/basic-auth.lua        |  12 ++++-
 docs/en/latest/plugins/basic-auth.md |  12 ++++-
 docs/zh/latest/plugins/basic-auth.md |   8 +++
 t/plugin/basic-auth.t                | 100 +++++++++++++++++++++++++++++++++++
 4 files changed, 129 insertions(+), 3 deletions(-)

diff --git a/apisix/plugins/basic-auth.lua b/apisix/plugins/basic-auth.lua
index 5e78056..235154f 100644
--- a/apisix/plugins/basic-auth.lua
+++ b/apisix/plugins/basic-auth.lua
@@ -30,7 +30,12 @@ local consumers_lrucache = core.lrucache.new({
 local schema = {
     type = "object",
     title = "work with route or service object",
-    properties = {},
+    properties = {
+        hide_credentials = {
+            type = "boolean",
+            default = false,
+        }
+    },
 }
 
 local consumer_schema = {
@@ -172,6 +177,11 @@ function _M.rewrite(conf, ctx)
         return 401, { message = "Password is error" }
     end
 
+    -- 5. hide `Authorization` request header if `hide_credentials` is `true`
+    if conf.hide_credentials then
+        core.request.set_header(ctx, "Authorization", nil)
+    end
+
     consumer.attach_consumer(ctx, cur_consumer, consumer_conf)
 
     core.log.info("hit basic-auth access")
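Review bot: The added block clears the header only on the success path, after the 401 returns at the top of the hunk, and the comment does not say so nor that `set_header(ctx, "Authorization", nil)` is the clear-header form; both are worth stating since a later step that reads the header would silently see nil. Suggested replacement comment: `-- 5. on a successful match, strip the Authorization header so the credential is not forwarded upstream; hide_credentials defaults to false in the schema. Passing nil to set_header clears the header. Note this only affects the upstream request, not earlier phases or access logs.` The last sentence is an inference about where else the header value remains visible and should be confirmed against the logging configuration. `_M.rewrite` starts before this hunk and its closing `end` is outside it.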
diff --git a/docs/en/latest/plugins/basic-auth.md b/docs/en/latest/plugins/basic-auth.md
index e618a58..f0b1480 100644
--- a/docs/en/latest/plugins/basic-auth.md
+++ b/docs/en/latest/plugins/basic-auth.md
@@ -39,11 +39,19 @@ For more information on Basic authentication, refer to [Wiki](https://en.wikiped
 
 ## Attributes
 
+For consumer side:
+
 | Name     | Type   | Requirement | Default | Valid | Description                                                                                                                                                      |
 | -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | username | string | required    |         |       | Different `consumer` should have different value which is unique. When different `consumer` use a same `username`, a request matching exception would be raised. |
 | password | string | required    |         |       | the user's password                                                                                                                                              |
 
+For route side:
+
+| Name             | Type    | Requirement | Default | Valid | Description                                                                                                                                                      |
+| --------         | ------  | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| hide_credentials | boolean | optional    | false   |       | Whether to pass the Authorization request headers to the upstream.                                                                                            |
+
 ## How To Enable
 
 ### 1. set a consumer and config the value of the `basic-auth` option
@@ -129,8 +137,8 @@ hello, world
 ## Disable Plugin
 
 When you want to disable the `basic-auth` plugin, it is very simple,
- you can delete the corresponding json configuration in the plugin configuration,
-  no need to restart the service, it will take effect immediately:
+you can delete the corresponding json configuration in the plugin configuration,
+no need to restart the service, it will take effect immediately:
 
 ```shell
 $ curl http://127.0.0.1:9080/apisix/admin/routes/1 -X PUT -d '
diff --git a/docs/zh/latest/plugins/basic-auth.md b/docs/zh/latest/plugins/basic-auth.md
index 667721b..8f1b18a 100644
--- a/docs/zh/latest/plugins/basic-auth.md
+++ b/docs/zh/latest/plugins/basic-auth.md
@@ -39,11 +39,19 @@ title: basic-auth
 
 ## 属性
 
+consumer 端配置:
+
 | 名称     | 类型   | 必选项 | 默认值 | 有效值 | 描述                                                                                                               |
 | -------- | ------ | ------ | ------ | ------ | ------------------------------------------------------------------------------------------------------------------ |
 | username | string | 必须   |        |        | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `username` ,将会出现请求匹配异常。 |
 | password | string | 必须   |        |        | 用户的密码                                                                                                         |
 
+router 端配置:
+
+| 名称     | 类型   | 必选项 | 默认值 | 有效值 | 描述                                                                                                               |
+| -------- | ------ | ------ | ------ | ------ | ------------------------------------------------------------------------------------------------------------------ |
+| hide_credentials | boolean | 可选    | false   |       | 是否将 Authorization 请求头传递给 upstream。                                                                                             |
+
 ## 如何启用
 
 ### 1. 创建一个 consumer 对象,并设置插件 `basic-auth` 的值。
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
index a780f3b..c1edd83 100644
--- a/t/plugin/basic-auth.t
+++ b/t/plugin/basic-auth.t
@@ -395,3 +395,103 @@ GET /t
 GET /t
 --- no_error_log
 [error]
+
+
+
+=== TEST 15: enable basic auth plugin using admin api, set hide_credentials = true
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "basic-auth": {
+                            "hide_credentials": true
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/echo"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 16: verify Authorization request header is hidden
+--- request
+GET /echo
+--- more_headers
+Authorization: Basic Zm9vOmJhcg==
+--- response_headers
+!Authorization
+--- no_error_log
+[error]
+
+
+
+=== TEST 17: enable basic auth plugin using admin api, hide_credentials = false
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "basic-auth": {
+                            "hide_credentials": false
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/echo"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 18: verify Authorization request header should not hidden
+--- request
+GET /echo
+--- more_headers
+Authorization: Basic Zm9vOmJhcg==
+--- response_headers
+Authorization: Basic Zm9vOmJhcg==
+--- no_error_log
+[error]
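Review bot: The new tests only cover the two valid boolean values; there is no case showing that the schema in the plugin rejects a non-boolean such as `"hide_credentials": "true"` through the admin API, which is the check that protects operators from a string value being treated as truthy. Add a test mirroring TEST 15 that PUTs `"hide_credentials": "true"` and asserts a non-2xx code (and whatever schema error message this tree produces, to be confirmed). TEST 16 also relies on the `/echo` upstream reflecting request headers as response headers, which is inferred from the `!Authorization` assertion rather than visible here; a short comment on TEST 16 stating that assumption, `# /echo reflects request headers back, so a missing response header proves the request header was stripped`, would make the check self-explanatory.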