Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support hide the authentication header in basic-auth with a config #6039

Merged
merged 30 commits into from
Jan 14, 2022
Merged

feat: support hide the authentication header in basic-auth with a config #6039

merged 30 commits into from
Jan 14, 2022

Conversation

mangoGoForward
Copy link
Contributor

What this PR does / why we need it:

Resolves #5900

Pre-submission checklist:

  • Did you explain what problem does this PR solve? Or what new features have been added?
  • Have you added corresponding test cases?
  • Have you modified the corresponding document?
  • Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

@mangoGoForward mangoGoForward marked this pull request as draft January 7, 2022 03:08
mangoGoForward and others added 4 commits January 7, 2022 11:15
@mangoGoForward
Revert "fix: when eureka server return compressed data, use lua-zlib …
79ca875 
…to unzip received response data"

This reverts commit dc2570a
@mangoGoForward
remove blank line
9a9565c
@mangoGoForward
change default value of hide_auth_header to true
10d35fd 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@mangoGoForward
change default value of hide_auth_header to true
c642635 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@mangoGoForward mangoGoForward marked this pull request as ready for review January 7, 2022 03:21
@mangoGoForward mangoGoForward marked this pull request as draft January 7, 2022 03:29
mangoGoForward and others added 3 commits January 7, 2022 11:32
@mangoGoForward
fix code lint error
29d3077 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@mangoGoForward
fix code lint error
1c42db0 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@mangoGoForward
Merge pull request #1 from mangoGoForward/feature/hide-auth-header
7a663fa 
feat: support hide the authentication header in basic-auth
@mangoGoForward mangoGoForward marked this pull request as ready for review January 7, 2022 06:10
spacewander
spacewander reviewed Jan 7, 2022
View reviewed changes
apisix/plugins/basic-auth.lua Outdated
@@ -161,6 +170,11 @@ function _M.rewrite(conf, ctx)
return 401, { message = "Password is error" }
end

-- 5. hide `Authentication` header if `hide_auth_header` is `true`
if conf.hide_auth_header == true then
core.response.set_header("Authentication", "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems you misunderstand the original issue. We want to hide the request header.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My fault. Done.

@mangoGoForward
hide Authentication request header if hide_auth_header is true
6e8d684 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
tokers
tokers reviewed Jan 7, 2022
View reviewed changes
apisix/plugins/basic-auth.lua Outdated
properties = {
hide_auth_header = {
type = "boolean",
default = true,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the default value should be false.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

leslie-tsang
leslie-tsang requested changes Jan 7, 2022
View reviewed changes
docs/zh/latest/plugins/basic-auth.md Outdated
@@ -43,6 +43,7 @@ title: basic-auth
| -------- | ------ | ------ | ------ | ------ | ------------------------------------------------------------------------------------------------------------------ |
| username | string | 必须 | | | 不同的 `consumer` 对象应有不同的值,它应当是唯一的。不同 consumer 使用了相同的 `username` ,将会出现请求匹配异常。 |
| password | string | 必须 | | | 用户的密码 |
| hide_auth_header | boolean | 可选 | true | | 是否将 Authentication 请求头返回给客户端. |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| hide_auth_header | boolean | 可选 | true | | 是否将 Authentication 请求头返回给客户端. |
| hide_auth_header | boolean | 可选 | false | | 是否将 Authentication 请求头传递给 upstream。 |

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

docs/en/latest/plugins/basic-auth.md Outdated
Comment on lines 42 to 46
| Name | Type | Requirement | Default | Valid | Description |
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| username | string | required | | | Different `consumer` should have different value which is unique. When different `consumer` use a same `username`, a request matching exception would be raised. |
| password | string | required | | | the user's password |
| hide_auth_header | boolean | optional | true | | Whether to return the Authentication request headers to the client. |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| Name | Type | Requirement | Default | Valid | Description |
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| username | string | required | | | Different `consumer` should have different value which is unique. When different `consumer` use a same `username`, a request matching exception would be raised. |
| password | string | required | | | the user's password |
| hide_auth_header | boolean | optional | true | | Whether to return the Authentication request headers to the client. |
| Name | Type | Requirement | Default | Valid | Description |
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| username | string | required | | | Different `consumer` should have different value which is unique. When different `consumer` use a same `username`, a request matching exception would be raised. |
| password | string | required | | | the user's password |
| hide_auth_header | boolean | optional | true | | Whether to return the Authentication request headers to the upstream. |

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

apisix/plugins/basic-auth.lua Outdated
@@ -39,6 +44,10 @@ local consumer_schema = {
properties = {
username = { type = "string" },
password = { type = "string" },
hide_auth_header = {
type = "boolean",
default = true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
default = true,
default = false,

Need to discuss it in maillist if use true as default value

apisix/plugins/basic-auth.lua Outdated
Comment on lines 173 to 177
-- 5. hide `Authentication` request header if `hide_auth_header` is `true`
if conf.hide_auth_header == true then
core.request.set_header(ctx, "Authentication", "")
end

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original issue seems to avoid to send the header to upstream.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, use core.request.set_header(ctx, "Authentication", nil) can avoid.

leslie-tsang
leslie-tsang reviewed Jan 7, 2022
View reviewed changes
apisix/plugins/basic-auth.lua Outdated
properties = {
hide_auth_header = {
type = "boolean",
default = true,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
default = true,
default = true,

Ditto

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@mangoGoForward
hide Authentication request header if hide_auth_header is true
ec3bec6 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
spacewander
spacewander reviewed Jan 7, 2022
View reviewed changes
apisix/plugins/basic-auth.lua Outdated
@@ -30,7 +30,12 @@ local consumers_lrucache = core.lrucache.new({
local schema = {
type = "object",
title = "work with route or service object",
properties = {},
properties = {
hide_auth_header = {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hide_credentials would be better? Kong uses this field in their basic-auth.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

apisix/plugins/basic-auth.lua Outdated
@@ -39,6 +44,10 @@ local consumer_schema = {
properties = {
username = { type = "string" },
password = { type = "string" },
hide_auth_header = {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to configure it in the consumer

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

docs/en/latest/plugins/basic-auth.md Outdated
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| username | string | required | | | Different `consumer` should have different value which is unique. When different `consumer` use a same `username`, a request matching exception would be raised. |
| password | string | required | | | the user's password |
| hide_auth_header | boolean | optional | false | | Whether to return the Authentication request headers to the upstream. |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's distinguish route conf from the consumer's like this one: https://github.com/apache/apisix/blob/master/docs/en/latest/plugins/ldap-auth.md#attributes

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

tzssangglass
tzssangglass reviewed Jan 10, 2022
View reviewed changes
apisix/plugins/basic-auth.lua Outdated
@@ -161,6 +166,11 @@ function _M.rewrite(conf, ctx)
return 401, { message = "Password is error" }
end

-- 5. hide `Authentication` request header if `hide_credentials` is `true`
if conf.hide_credentials == true then
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if conf.hide_credentials == true then
if conf.hide_credentials then

is ok?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@tzssangglass
Copy link
Member

and need to add test cases to cover this. I see that you have test cases in your previous submission records……

spacewander
spacewander reviewed Jan 10, 2022
View reviewed changes
docs/en/latest/plugins/basic-auth.md Outdated

| Name | Type | Requirement | Default | Valid | Description |
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| hide_credentials | boolean | optional | false | | Whether to return the Authentication request headers to the upstream. |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
| hide_credentials | boolean | optional | false | | Whether to return the Authentication request headers to the upstream. |
| hide_credentials | boolean | optional | false | | Whether to pass the Authentication request headers to the upstream. |

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@mangoGoForward
add test cases to cover it
210c9d5 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
imjoey
imjoey reviewed Jan 12, 2022
View reviewed changes
docs/en/latest/plugins/basic-auth.md Outdated
Comment on lines 42 to 47
For consumer side:

| Name | Type | Requirement | Default | Valid | Description |
| -------- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| username | string | required | | | Different `consumer` should have different value which is unique. When different `consumer` use a same `username`, a request matching exception would be raised. |
| password | string | required | | | the user's password |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mangoGoForward IMHO there's no need to change this. How about revert it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

imjoey
imjoey requested changes Jan 12, 2022
View reviewed changes
Copy link
Member

@imjoey imjoey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mangoGoForward Please revert some changes in English docs, others look good to me. Thanks.

@mangoGoForward
update basic-auth doc
41bb17e 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
imjoey
imjoey reviewed Jan 12, 2022
View reviewed changes
t/plugin/basic-auth.t Outdated
@@ -20,6 +20,7 @@ repeat_each(2);
no_long_string();
no_root_location();
no_shuffle();
log_level('info');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mangoGoForward please take a check whether this change is needed. Thanks.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems unnecessary, removed.

@mangoGoForward
remove log_level
49b7850 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@spacewander
Copy link
Member

@mangoGoForward
Please make lint pass.

@mangoGoForward
Copy link
Contributor Author

mangoGoForward commented Jan 13, 2022
edited
Loading

@mangoGoForward Please make lint pass.

That's strange, it's good when I run reindex on local(MacOS) and Centos environment, please see the screenshot below:

image

I will test again on ubuntu later, If you know the error's location, please help me to improve, Thanks.

@mangoGoForward
Copy link
Contributor Author

I run reindex to check test code style on Ubuntu Server 20.04 LTS, also is right, so strangely. please see:

image

@tzssangglass
Copy link
Member

Strange, I had no problem checking the format of this test case.

@mangoGoForward mangoGoForward marked this pull request as draft January 14, 2022 01:45
@mangoGoForward
Revert "Revert "feat: support hide the authentication header in basic…
8531227 
…-auth""

This reverts commit a1deeef

Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@mangoGoForward
change en doc
31af04d 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@mangoGoForward
change zh doc
ccc46b6 
Signed-off-by: mango <xu.weiKyrie@foxmail.com>
@mangoGoForward mangoGoForward marked this pull request as ready for review January 14, 2022 01:56
@mangoGoForward
Copy link
Contributor Author

Strange, I had no problem checking the format of this test case.

I have run workflow in my fork repo, it also failed.

image

@imjoey
Copy link
Member

imjoey commented Jan 14, 2022
edited
Loading

@mangoGoForward The changes look good to me. Could you explain why you committed several other commits after Zexuan's approval? Thanks.

@mangoGoForward
Copy link
Contributor Author

@mangoGoForward The changes look good to me. Could you explain why you committed several other commits? Thanks.

I want to trigger the actions of my forked repo, so I commit a PR to my repo's master branch, and got file conflict when merged from master, so i commit 8440045 to resolved. but the master branch's code is polluted, so I revert the commit to 49b7850, and I also checked those file changes, it is same as 49b7850, I'm sorry about troubled your review work.

@imjoey
Copy link
Member

imjoey commented Jan 14, 2022

@mangoGoForward The changes look good to me. Could you explain why you committed several other commits? Thanks.

I want to trigger the actions of my forked repo, so I commit a PR to my repo's master branch, and got file conflict when merged from master, so i commit 8440045 to resolved. but the master branch's code is polluted, so I revert the commit to 49b7850, and I also checked those file changes, it is same as 49b7850, I'm sorry about troubled your review work.

@mangoGoForward Got it and thanks. Let's wait for the CI. :-)

@imjoey
Copy link
Member

imjoey commented Jan 14, 2022

@spacewander @mangoGoForward The CI job failure of linux_openresty on ubuntu-18.04 seemed not related to the code and I restarted that job. I would prefer to leave an approval in prior and merge this after that job passed. Thanks.

imjoey
imjoey approved these changes Jan 14, 2022
View reviewed changes
Copy link
Member

@imjoey imjoey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look good to me.

@spacewander spacewander merged commit d7fda7e into apache:master Jan 14, 2022
@tzssangglass tzssangglass mentioned this pull request Jan 14, 2022
Merged
4 tasks
@lijing-21
Copy link
Contributor

Hi @mangoGoForward , thank you for your contribution!

Here is the Contributor T-shirt form[1], if you're interested, kindly take a look :)

[1] https://github.com/apache/apisix/blob/master/CONTRIBUTING.md#contributor-t-shirt

@mangoGoForward
Copy link
Contributor Author

Hi @mangoGoForward , thank you for your contribution!

Here is the Contributor T-shirt form[1], if you're interested, kindly take a look :)

[1] https://github.com/apache/apisix/blob/master/CONTRIBUTING.md#contributor-t-shirt

Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leslie-tsang leslie-tsang leslie-tsang requested changes

@tzssangglass tzssangglass tzssangglass left review comments

@tokers tokers tokers left review comments

@spacewander spacewander spacewander approved these changes

@imjoey imjoey imjoey approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

request help: support hide the authentication header in basic-auth and key-auth plugins
7 participants
@mangoGoForward @tzssangglass @imjoey @spacewander @lijing-21 @tokers @leslie-tsang