feat: add cas-auth plugin #7932
Conversation
|
Please make the CI pass, thanks! |
.github/workflows/build.yml
Outdated
| @@ -97,6 +97,10 @@ jobs: | |||
| rm -rf $(ls -1 --ignore=*.tgz --ignore=ci --ignore=t --ignore=utils --ignore=.github) | |||
| tar zxvf ${{ steps.branch_env.outputs.fullname }} | |||
|
|
|||
| - name: download keycloak cas provider | |||
| run: | | |||
| sudo wget https://github.com/jacekkow/keycloak-protocol-cas/releases/download/18.0.2/keycloak-protocol-cas-18.0.2.jar -O /opt/keycloak-protocol-cas-18.0.2.jar | |||
There was a problem hiding this comment.
There was a problem hiding this comment.
@spacewander No, that scirpt runs after docker compose, but this download file must be set as volume in docker compose file.
There was a problem hiding this comment.
@kingluo
What about moving it into Start CI env (PLUGIN_TEST)?
apisix/plugins/cas-auth.lua
Outdated
| end | ||
|
|
||
| local function uri_without_ticket(conf) | ||
| return ngx.var.scheme .. "://" .. ngx.var.host .. ":" .. |
There was a problem hiding this comment.
Could you use ctx.var instead of ngx.var?
apisix/plugins/cas-auth.lua
Outdated
| store:delete(session_id) | ||
| set_our_cookie(COOKIE_NAME, "deleted; Max-Age=0") | ||
|
|
||
| ngx.redirect(conf.idp_uri .. "/logout") |
There was a problem hiding this comment.
ngx.redirect works like ngx.exit. As we avoid ngx.exit, we prefer to do it by ourselves, see
apisix/apisix/plugins/redirect.lua
Line 257 in 9129572
apisix/plugins/cas-auth.lua
Outdated
| end | ||
|
|
||
| local function set_cookie(cookie_str) | ||
| local h = to_table(ngx.header['Set-Cookie']) |
There was a problem hiding this comment.
We can use core.response.add_header if we don't check if the same cookie exists?
apisix/plugins/cas-auth.lua
Outdated
| local function first_access(conf) | ||
| local login_uri = conf.idp_uri .. "/login?" .. | ||
| ngx.encode_args({ service = uri_without_ticket(conf) }) | ||
| ngx.log(ngx.INFO, "first access: ", login_uri, |
apisix/plugins/cas-auth.lua
Outdated
| "/serviceValidate", { query = { ticket = ticket, service = uri_without_ticket(conf) } }) | ||
|
|
||
| if res and res.status == ngx.HTTP_OK and res.body ~= nil then | ||
| if string.find(res.body, "<cas:authenticationSuccess>") then |
apisix/plugins/cas-auth.lua
Outdated
| return m[1] | ||
| end | ||
| else | ||
| ngx.log(ngx.INFO, "CAS serviceValidate failed: " .. res.body) |
There was a problem hiding this comment.
"CAS serviceValidate failed: ", res.body is enough
apisix/plugins/cas-auth.lua
Outdated
| end | ||
|
|
||
| function _M.access(conf, ctx) | ||
| local method = ngx.req.get_method() |
There was a problem hiding this comment.
| local method = ngx.req.get_method() | |
| local method = core.request.get_method() |
apisix/plugins/cas-auth.lua
Outdated
| if method == "GET" and uri == conf.logout_uri then | ||
| return logout(conf, ctx) | ||
| elseif method == "POST" and uri == conf.cas_callback_uri then |
There was a problem hiding this comment.
| if method == "GET" and uri == conf.logout_uri then | |
| return logout(conf, ctx) | |
| elseif method == "POST" and uri == conf.cas_callback_uri then | |
| if method == "GET" and uri == conf.logout_uri then | |
| return logout(conf, ctx) | |
| end | |
| if method == "POST" and uri == conf.cas_callback_uri then |
is ok?
apisix/plugins/cas-auth.lua
Outdated
| ngx.req.read_body() | ||
| local data = ngx.req.get_body_data() |
There was a problem hiding this comment.
use core.request.get_body()
apisix/plugins/cas-auth.lua
Outdated
| if err == "no memory" then | ||
| core.log.emerg("CAS cookie store is out of memory") | ||
| elseif err == "exists" then | ||
| core.log.error("Same CAS ticket validated twice, this should never happen!") | ||
| end |
| } | ||
| } | ||
| }' | ||
| ``` |
There was a problem hiding this comment.
Can we add the process of how to start and configure IdP, as well as show some key images.
There was a problem hiding this comment.
I think that should be left to blog. I would link the blog into the doc later.
apisix/plugins/cas-auth.lua
Outdated
|
|
||
| if res and res.status == ngx.HTTP_OK and res.body ~= nil then | ||
| if core.string.find(res.body, "<cas:authenticationSuccess>") then | ||
| local m = ngx_re_match(res.body, "<cas:user>(.*?)</cas:user>"); |
There was a problem hiding this comment.
Missing jo in the re match?
apisix/plugins/cas-auth.lua
Outdated
| core.log.info("CAS serviceValidate failed: ", res.body) | ||
| end | ||
| else | ||
| core.log.error("validate ticket failed: res=", res, ", err=", err) |
There was a problem hiding this comment.
This may cause an error if res.status ~= ngx.HTTP_OK?
There was a problem hiding this comment.
Only if res and res.status == ngx.HTTP_OK and res.body ~= nil, the validate process is successful. Otherwise, log the res and err.
There was a problem hiding this comment.
@kingluo
Yes, but if res is not nil, will it raise an error when logging a table directly?
|
Please address #7932 (comment) |
|
Before we can merge it, what is your idea about #7932 (comment)? |
Description
Implement cas-auth plugin
Checklist