feat: Added authz-casbin plugin and doc and tests for it (#4710)

Signed-off-by: Rushikesh Tote <rushi.tote@gmail.com> Co-authored-by: 罗泽轩 <spacewanderlzx@gmail.com> Co-authored-by: tzssangglass <tzssangglass@gmail.com>
apache · Aug 6, 2021 · 183351c · 183351c
1 parent 65a2d63
commit 183351c
Show file tree

Hide file tree

Showing 13 changed files with 903 additions and 9 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -89,7 +89,7 @@ jobs:
           tar zxvf ${{ steps.branch_env.outputs.fullname }}
 
       - name: Linux Get dependencies
-        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl
+        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev
 
       - name: Linux Before install
         run: sudo ./ci/${{ matrix.os_name }}_runner.sh before_install

diff --git a/apisix/plugins/authz-casbin.lua b/apisix/plugins/authz-casbin.lua
@@ -0,0 +1,137 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+local casbin          = require("casbin")
+local core            = require("apisix.core")
+local plugin          = require("apisix.plugin")
+local ngx             = ngx
+local get_headers     = ngx.req.get_headers
+
+local plugin_name = "authz-casbin"
+
+local schema = {
+    type = "object",
+    properties = {
+        model_path = { type = "string" },
+        policy_path = { type = "string" },
+        model = { type = "string" },
+        policy = { type = "string" },
+        username = { type = "string"}
+    },
+    oneOf = {
+        {required = {"model_path", "policy_path", "username"}},
+        {required = {"model", "policy", "username"}}
+    },
+    additionalProperties = false
+}
+
+local metadata_schema = {
+    type = "object",
+    properties = {
+        model = {type = "string"},
+        policy = {type = "string"},
+    },
+    required = {"model", "policy"},
+    additionalProperties = false
+}
+
+local _M = {
+    version = 0.1,
+    priority = 2560,
+    name = plugin_name,
+    schema = schema,
+    metadata_schema = metadata_schema
+}
+
+function _M.check_schema(conf, schema_type)
+    if schema_type == core.schema.TYPE_METADATA then
+        return core.schema.check(metadata_schema, conf)
+    end
+    local ok, err = core.schema.check(schema, conf)
+    if ok then
+        return true
+    else
+        local metadata = plugin.plugin_metadata(plugin_name)
+        if metadata and metadata.value and conf.username then
+            return true
+        end
+    end
+    return false, err
+end
+
+local casbin_enforcer
+
+local function new_enforcer_if_need(conf)
+    if conf.model_path and conf.policy_path then
+        local model_path = conf.model_path
+        local policy_path = conf.policy_path
+        if not conf.casbin_enforcer then
+            conf.casbin_enforcer = casbin:new(model_path, policy_path)
+        end
+        return true
+    end
+
+    if conf.model and conf.policy then
+        local model = conf.model
+        local policy = conf.policy
+        if not conf.casbin_enforcer then
+            conf.casbin_enforcer = casbin:newEnforcerFromText(model, policy)
+        end
+        return true
+    end
+
+    local metadata = plugin.plugin_metadata(plugin_name)
+    if not (metadata and metadata.value.model and metadata.value.policy) then
+        return nil, "not enough configuration to create enforcer"
+    end
+
+    local modifiedIndex = metadata.modifiedIndex
+    if not casbin_enforcer or casbin_enforcer.modifiedIndex ~= modifiedIndex then
+        local model = metadata.value.model
+        local policy = metadata.value.policy
+        casbin_enforcer = casbin:newEnforcerFromText(model, policy)
+        casbin_enforcer.modifiedIndex = modifiedIndex
+    end
+    return true
+end
+
+
+function _M.rewrite(conf, ctx)
+    -- creates an enforcer when request sent for the first time
+    local ok, err = new_enforcer_if_need(conf)
+    if not ok then
+        return 503, {message = err}
+    end
+
+    local path = ctx.var.uri
+    local method = ctx.var.method
+    local username = get_headers()[conf.username] or "anonymous"
+
+    if conf.casbin_enforcer then
+        if not conf.casbin_enforcer:enforce(username, path, method) then
+            return 403, {message = "Access Denied"}
+        end
+    else
+        if not casbin_enforcer:enforce(username, path, method) then
+            return 403, {message = "Access Denied"}
+        end
+    end
+end
+
+
+
+return _M
diff --git a/ci/ASF-Release.cfg b/ci/ASF-Release.cfg
@@ -99,6 +99,9 @@ t/toolkit
 # Exclude subcomponents files
 apisix/balancer/ewma.lua
 
+# Exclude plugin-specific configuration files
+t/plugin/authz-casbin
+
 [Options]
 # Not all code files allow licenses to appear starting at the first character
 # of the file. This option tells the scan to allow licenses to appear starting

diff --git a/ci/centos7-ci.sh b/ci/centos7-ci.sh
@@ -27,7 +27,7 @@ install_dependencies() {
 
     # install openresty to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
-    yum install -y openresty openresty-debug openresty-openssl111-debug-devel
+    yum install -y openresty openresty-debug openresty-openssl111-debug-devel pcre pcre-devel
 
     # install luarocks
     ./utils/linux-install-luarocks.sh

diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -285,6 +285,7 @@ plugins:                          # plugin list (sorted by priority)
   - uri-blocker                    # priority: 2900
   - request-validation             # priority: 2800
   - openid-connect                 # priority: 2599
+  - authz-casbin                   # priority: 2560
   - wolf-rbac                      # priority: 2555
   - hmac-auth                      # priority: 2530
   - basic-auth                     # priority: 2520

diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
@@ -64,7 +64,8 @@
             "plugins/authz-keycloak",
             "plugins/wolf-rbac",
             "plugins/openid-connect",
-            "plugins/hmac-auth"
+            "plugins/hmac-auth",
+            "plugins/authz-casbin"
           ]
         },
         {

diff --git a/docs/en/latest/install-dependencies.md b/docs/en/latest/install-dependencies.md
@@ -58,7 +58,7 @@ sudo yum install yum-utils
 sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip pcre pcre-devel
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -81,7 +81,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel pcre pcre-devel
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -107,7 +107,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc
+sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc libpcre3 libpcre3-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -138,7 +138,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl make openresty-openssl111-dev
+sudo apt-get install -y git openresty curl make openresty-openssl111-dev libpcre3 libpcre3-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -151,7 +151,7 @@ nohup etcd &
 
 ```shell
 # install OpenResty, etcd and some compilation tools
-brew install openresty/brew/openresty luarocks lua@5.1 etcd curl git
+brew install openresty/brew/openresty luarocks lua@5.1 etcd curl git pcre
 
 # start etcd server
 brew services start etcd