You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/09/16 16:51:15 UTC
[GitHub] [apisix] Firstsawyou opened a new pull request #2241: draft: `consumer` provides access to a collection of `service`
Firstsawyou opened a new pull request #2241:
URL: https://github.com/apache/apisix/pull/2241
### What this PR does / why we need it:
<!--- Why is this change required? What problem does it solve? -->
<!--- If it fixes an open issue, please link to the issue here. -->
The `consumer` provides access to the `service` collection . Put it in the "consumer-restriction" plug-in to achieve, by adding the "schema" field of this plug-in, to control the access of "consumer" and "service".
### Pre-submission checklist:
* [x] Did you explain what problem does this PR solve? Or what new features have been added?
* [ ] Have you added corresponding test cases?
* [ ] Have you modified the corresponding document?
* [ ] Is this PR backward compatible?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490773082
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,665 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: Route binding `hmac-auth` plug-in and whitelist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: verify: valid whitelist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 200
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 30: Route binding `hmac-auth` plug-in and invalid whitelist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 31: verify: invalid whitelist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body eval
+qr/{"message":"The service_id is forbidden."}/
+--- no_error_log
+[error]
+
+
+
+=== TEST 32: add consumer with plugin hmac-auth and consumer-restriction, and set blacklist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "blacklist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "blacklist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 33: Route binding `hmac-auth` plug-in and blacklist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 34: verify: valid blacklist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body eval
+qr/{"message":"The service_id is forbidden."}/
+--- no_error_log
+[error]
+
+
+
+=== TEST 35: Route binding `hmac-auth` plug-in and invalid blacklist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 36: verify: invalid blacklist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 200
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 37: delete: `service_id` is 1
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t( '/apisix/admin/services/1', ngx.HTTP_DELETE )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 38: delete: `service_id` is 2
Review comment:
it fails at my local machine. We should delete the `route` 1 first.
```
# Failed test 'TEST 39: delete: `service_id` is 2 - status code ok'
# at /usr/local/share/perl/5.30.0/Test/Nginx/Socket.pm line 948.
# got: '400'
# expected: '200'
# Failed test 'TEST 39: delete: `service_id` is 2 - response_body - response is expected (repeated req 0, req 0)'
# at /usr/local/share/perl/5.30.0/Test/Nginx/Socket.pm line 1589.
# got: '{"error_msg":"can not delete this service directly, route [1] is still using it now"}
#
# '
# expected: 'passed
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r489899670
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -20,6 +20,10 @@ local core = require("apisix.core")
local schema = {
type = "object",
properties = {
+ types_of = {
Review comment:
`type` is enough
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490685981
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: Route binding `hmac-auth` plug-in and `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
Review comment:
this is a reference to the usage of the `hmac-auth.t` test case.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491395834
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -29,11 +33,12 @@ local schema = {
type = "array",
items = {type = "string"},
minItems = 1
- }
+ },
+ rejected_code = {type = "integer", minimum = 200, default = 503}
},
oneOf = {
- {required = {"whitelist"}},
- {required = {"blacklist"}}
+ {required = {"whitelist", "types_of"}},
Review comment:
fixed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#issuecomment-695201614
@Firstsawyou
Please confirm that you have fixed all the points requested by the reviewer and leave a message.
Especially the part that @moonming asked you to modify (you did not reply to confirm).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491397282
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,665 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: Route binding `hmac-auth` plug-in and whitelist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: verify: valid whitelist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 200
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 30: Route binding `hmac-auth` plug-in and invalid whitelist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 31: verify: invalid whitelist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body eval
+qr/{"message":"The service_id is forbidden."}/
+--- no_error_log
+[error]
+
+
+
+=== TEST 32: add consumer with plugin hmac-auth and consumer-restriction, and set blacklist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "blacklist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "blacklist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 33: Route binding `hmac-auth` plug-in and blacklist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 34: verify: valid blacklist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body eval
+qr/{"message":"The service_id is forbidden."}/
+--- no_error_log
+[error]
+
+
+
+=== TEST 35: Route binding `hmac-auth` plug-in and invalid blacklist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 36: verify: invalid blacklist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 200
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 37: delete: `service_id` is 1
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t( '/apisix/admin/services/1', ngx.HTTP_DELETE )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 38: delete: `service_id` is 2
Review comment:
fixed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r489949071
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -29,11 +34,12 @@ local schema = {
type = "array",
items = {type = "string"},
minItems = 1
- }
+ },
+ rejected_code = {type = "integer", minimum = 200, default = 401}
},
oneOf = {
- {required = {"whitelist"}},
- {required = {"blacklist"}}
+ {required = {"whitelist", "type"}},
Review comment:
`"type"` should be optional, because we have set a default value for it
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -20,6 +20,11 @@ local core = require("apisix.core")
local schema = {
type = "object",
properties = {
+ type = {
+ type = "string",
+ enum = {"consumer", "service"},
Review comment:
`consumer_name`, `service_id` is better
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +83,30 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local type_id = type_funcs[conf.type](ctx)
+ core.log.warn("type_id: ", type_id)
Review comment:
If this log is only useful to developers, we cannot use the "warning" log level here.
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +83,30 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local type_id = type_funcs[conf.type](ctx)
Review comment:
`type_id` is not a good name, and the `type_id` maybe a `nil` value.
we need to check it first.
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -29,11 +33,12 @@ local schema = {
type = "array",
items = {type = "string"},
minItems = 1
- }
+ },
+ rejected_code = {type = "integer", minimum = 200, default = 503}
},
oneOf = {
- {required = {"whitelist"}},
- {required = {"blacklist"}}
+ {required = {"whitelist", "types_of"}},
Review comment:
"types_of" is optional
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -48,6 +54,15 @@ local _M = {
schema = schema,
}
+local type_funcs = {
+ ["serviec"] = function(ctx)
Review comment:
typo
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -20,6 +20,11 @@ local core = require("apisix.core")
local schema = {
type = "object",
properties = {
+ type = {
+ type = "string",
+ enum = {"consumer", "service"},
+ default = "service"
Review comment:
the default value should be `consumer_name`, keep the same as the old way.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491399667
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
Review comment:
finished.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490784394
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,665 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: Route binding `hmac-auth` plug-in and whitelist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: verify: valid whitelist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 200
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 30: Route binding `hmac-auth` plug-in and invalid whitelist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 31: verify: invalid whitelist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body eval
+qr/{"message":"The service_id is forbidden."}/
+--- no_error_log
+[error]
+
+
+
+=== TEST 32: add consumer with plugin hmac-auth and consumer-restriction, and set blacklist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "blacklist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "blacklist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 33: Route binding `hmac-auth` plug-in and blacklist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 1,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 34: verify: valid blacklist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body eval
+qr/{"message":"The service_id is forbidden."}/
+--- no_error_log
+[error]
+
+
+
+=== TEST 35: Route binding `hmac-auth` plug-in and invalid blacklist `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 36: verify: invalid blacklist `service_id`
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 200
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 37: delete: `service_id` is 1
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t( '/apisix/admin/services/1', ngx.HTTP_DELETE )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 38: delete: `service_id` is 2
Review comment:
ok.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] moonming commented on pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
moonming commented on pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#issuecomment-695205097
@Firstsawyou please read Apache code of conduct: https://github.com/apache/apisix/blob/master/CODE_OF_CONDUCT.md.
Replying to someone’s review is a kind of respect, which is a very important point in the open source community
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491401561
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +83,30 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local type_id = type_funcs[conf.type](ctx)
Review comment:
fixed
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490685703
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: Route binding `hmac-auth` plug-in and `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
Review comment:
the current way is right.
When the "auth" plugin is bound to "route" or "service", the "empty" table means that this plugin is enabled.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis merged pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis merged pull request #2241:
URL: https://github.com/apache/apisix/pull/2241
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490674241
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +541,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: Route binding `hmac-auth` plug-in and `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: verify: ok
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.print(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body
+{"message":"The service_id is not allowed"}
+--- no_error_log
+[error]
Review comment:
we need to delete the `service` which `id` is `1` and `2`
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491400928
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +541,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: Route binding `hmac-auth` plug-in and `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
+ }
+
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "methods": [
+ "GET"
+ ],
+ "uri": "/hello",
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "plugins": {
+ "hmac-auth": {}
+ }
+ },
+ "key": "/apisix/routes/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 29: verify: ok
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local access_key = "my-access-key"
+ local signing_string = "GET" .. "/hello" .. "" ..
+ "" .. access_key .. timestamp .. secret_key
+
+ local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["X-HMAC-TIMESTAMP"] = timestamp
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.print(body)
+ }
+}
+--- request
+GET /t
+--- error_code: 401
+--- response_body
+{"message":"The service_id is not allowed"}
+--- no_error_log
+[error]
Review comment:
finished
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#issuecomment-695210405
> @Firstsawyou
>
> Please confirm that you have fixed all the points requested by the reviewer and leave a message.
>
> Especially the part that @moonming asked you to modify (you did not reply to confirm).
> @Firstsawyou
>
> Please confirm that you have fixed all the points requested by the reviewer and leave a message.
>
> Especially the part that @moonming asked you to modify (you did not reply to confirm).
Ok i have replied.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491396871
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local value = fetch_val_funcs[conf.type](ctx)
+ if not value then
+ return 401, { message = "Failed to fetch value by value type: " .. conf.type }
+ end
+ core.log.info("value: ", value)
+
local block = false
if conf.blacklist and #conf.blacklist > 0 then
- if is_include(ctx.consumer.username, conf.blacklist) then
+ if is_include(value, conf.blacklist) then
block = true
end
end
if conf.whitelist and #conf.whitelist > 0 then
- if not is_include(ctx.consumer.username, conf.whitelist) then
+ if not is_include(value, conf.whitelist) then
block = true
end
end
if block then
- return 403, { message = "The consumer is not allowed" }
+ return conf.rejected_code, { message = "The " .. conf.type .. " is not allowed" }
Review comment:
fixed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r489997687
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -29,25 +34,33 @@ local schema = {
type = "array",
items = {type = "string"},
minItems = 1
- }
+ },
+ rejected_code = {type = "integer", minimum = 200, default = 401}
},
oneOf = {
{required = {"whitelist"}},
{required = {"blacklist"}}
}
}
-
local plugin_name = "consumer-restriction"
-
local _M = {
version = 0.1,
priority = 2400,
name = plugin_name,
schema = schema,
}
+local type_funcs = {
Review comment:
`fetch_val_funcs` is better
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local type_value = type_funcs[conf.type](ctx)
+ if not type_value then
+ return 401, { message = "Missing `type` value." }
Review comment:
"Missing `type` value."
->
"failed to fetch value by value type: " .. conf.type
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local type_value = type_funcs[conf.type](ctx)
Review comment:
I think `value` is enough
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490688992
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local value = fetch_val_funcs[conf.type](ctx)
+ if not value then
+ return 401, { message = "Failed to fetch value by value type: " .. conf.type }
+ end
+ core.log.info("value: ", value)
+
local block = false
if conf.blacklist and #conf.blacklist > 0 then
- if is_include(ctx.consumer.username, conf.blacklist) then
+ if is_include(value, conf.blacklist) then
block = true
end
end
if conf.whitelist and #conf.whitelist > 0 then
- if not is_include(ctx.consumer.username, conf.whitelist) then
+ if not is_include(value, conf.whitelist) then
block = true
end
end
if block then
- return 403, { message = "The consumer is not allowed" }
+ return conf.rejected_code, { message = "The " .. conf.type .. " is not allowed" }
Review comment:
do you mean set `conf.rejected_cod` 405 (not allowed) by default?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r489899205
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -20,6 +20,10 @@ local core = require("apisix.core")
local schema = {
type = "object",
properties = {
+ types_of = {
+ type = "string",
+ enum = {"consumer", "service"}
Review comment:
need `default` value
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490713892
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
Review comment:
It is used to test whether the id of `service` is normal when it is not in the whitelist or blacklist. For example, there are service IDs 1 and 2, and the whitelist `service` id is 1. We need to use the `service` with id 2 to test whether it can be accessed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] moonming commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
moonming commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490722729
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
Review comment:
Please put the related tests together, I can’t understand the context of the current test cases
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] moonming commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
moonming commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490722963
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local value = fetch_val_funcs[conf.type](ctx)
+ if not value then
+ return 401, { message = "Failed to fetch value by value type: " .. conf.type }
+ end
+ core.log.info("value: ", value)
+
local block = false
if conf.blacklist and #conf.blacklist > 0 then
- if is_include(ctx.consumer.username, conf.blacklist) then
+ if is_include(value, conf.blacklist) then
block = true
end
end
if conf.whitelist and #conf.whitelist > 0 then
- if not is_include(ctx.consumer.username, conf.whitelist) then
+ if not is_include(value, conf.whitelist) then
block = true
end
end
if block then
- return 403, { message = "The consumer is not allowed" }
+ return conf.rejected_code, { message = "The " .. conf.type .. " is not allowed" }
Review comment:
No, just the words in message.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491399770
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
Review comment:
finished
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] membphis commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
membphis commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490686228
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
Review comment:
we can delete them:
https://github.com/apache/apisix/pull/2241/files/cb760bfcce3f5ff99ce30e6ec98b1e43d65b439b#diff-b17a4724115a2cba44ff3590fbd926a9R86-R88
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#issuecomment-695209906
> @Firstsawyou please read Apache code of conduct: https://github.com/apache/apisix/blob/master/CODE_OF_CONDUCT.md.
> Replying to someone’s review is a kind of respect, which is a very important point in the open source community
Thank you, I will remember.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] moonming commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
moonming commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490671665
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
Review comment:
why not add this check in schema?
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
return 401, { message = "Missing authentication or identity verification." }
end
+ local value = fetch_val_funcs[conf.type](ctx)
+ if not value then
+ return 401, { message = "Failed to fetch value by value type: " .. conf.type }
+ end
+ core.log.info("value: ", value)
+
local block = false
if conf.blacklist and #conf.blacklist > 0 then
- if is_include(ctx.consumer.username, conf.blacklist) then
+ if is_include(value, conf.blacklist) then
block = true
end
end
if conf.whitelist and #conf.whitelist > 0 then
- if not is_include(ctx.consumer.username, conf.whitelist) then
+ if not is_include(value, conf.whitelist) then
block = true
end
end
if block then
- return 403, { message = "The consumer is not allowed" }
+ return conf.rejected_code, { message = "The " .. conf.type .. " is not allowed" }
Review comment:
`not allowed` -> `forbidden`
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
Review comment:
which test case to check this whitelist? and we need test cases for blacklist.
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
Review comment:
when we need this service?
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: Route binding `hmac-auth` plug-in and `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
Review comment:
is this a bug of `hmac-auth`? @nic-chen
##########
File path: t/plugin/consumer-restriction.t
##########
@@ -540,3 +540,256 @@ GET /hello
hello world
--- no_error_log
[error]
+
+
+
+=== TEST 25: create service (id:1)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/1',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 001"
+ },
+ "key": "/apisix/services/1"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 26: create service (id:2)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/services/2',
+ ngx.HTTP_PUT,
+ [[{
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "desc": "new service 002"
+ },
+ "key": "/apisix/services/2"
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 27: add consumer with plugin hmac-auth and consumer-restriction, and set whitelist
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key"
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }]],
+ [[{
+ "node": {
+ "value": {
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key": "my-secret-key",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 300
+ },
+ "consumer-restriction": {
+ "type": "service_id",
+ "whitelist": [ "1" ],
+ "rejected_code": 401
+ }
+ }
+ }
+ },
+ "action": "set"
+ }]]
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 28: Route binding `hmac-auth` plug-in and `service_id`
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "service_id": 2,
+ "uri": "/hello",
+ "plugins": {
+ "hmac-auth": {}
Review comment:
why binding a empty `hmac-auth` plugin? which need sk and ak, right?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r490686675
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
Review comment:
this is a good idea.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: draft: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r489903558
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -20,6 +20,10 @@ local core = require("apisix.core")
local schema = {
type = "object",
properties = {
+ types_of = {
Review comment:
ok.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Firstsawyou commented on a change in pull request #2241: feature: `consumer` provides access to a collection of `service`
Posted by GitBox <gi...@apache.org>.
Firstsawyou commented on a change in pull request #2241:
URL: https://github.com/apache/apisix/pull/2241#discussion_r491395601
##########
File path: apisix/plugins/consumer-restriction.lua
##########
@@ -67,26 +81,33 @@ function _M.check_schema(conf)
return true
end
+
function _M.access(conf, ctx)
- if not ctx.consumer then
+ if not conf.type then
Review comment:
fixed.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org