fix: add post request headers only if auth request method is post (#1…
membphis authored Apr 22, 2024
1 parent 80b1d3a commit 8944307
Showing 3 changed files with 194 additions and 5 deletions.
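--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -88,11 +88,15 @@ function _M.access(conf, ctx)
 ["X-Forwarded-Host"] = core.request.get_host(ctx),
 ["X-Forwarded-Uri"] = ctx.var.request_uri,
 ["X-Forwarded-For"] = core.request.get_remote_client_ip(ctx),
-["Expect"] = core.request.header(ctx, "expect"),
-["Content-Length"] = core.request.header(ctx, "content-length"),
-["Transfer-Encoding"] = core.request.header(ctx, "transfer-encoding")
 }
 
+if conf.request_method == "POST" then
+auth_headers["Content-Length"] = core.request.header(ctx, "content-length")
+auth_headers["Expect"] = core.request.header(ctx, "expect")
+auth_headers["Transfer-Encoding"] = core.request.header(ctx, "transfer-encoding")
+auth_headers["Content-Encoding"] = core.request.header(ctx, "content-encoding")
+end
+
 -- append headers that need to be get from the client request header
 if #conf.request_headers > 0 then
 for _, header in ipairs(conf.request_headers) do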
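Review bot: The new POST branch copies the client's body-framing headers into the auth request verbatim, so a client request that sends both `Content-Length` and `Transfer-Encoding`, or a `Content-Length` that does not match the body the plugin actually forwards, is replayed to the auth server unchanged and the auth server is left to resolve the conflict. Where the body is read is outside this hunk, but if it is passed to the HTTP client separately, the safer shape is to let the client derive `Content-Length` from that body and only mirror `Content-Encoding` and `Expect`. At minimum the `if conf.request_method == "POST" then` line deserves a why-comment, e.g. `-- framing headers are only meaningful when the auth request itself carries the client body`. _M.access starts and ends outside the hunk.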
185 changes: 185 additions & 0 deletions t/plugin/forward-auth2.t
@@ -0,0 +1,185 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';

repeat_each(1);
no_long_string();
no_root_location();

add_block_preprocessor(sub {
my ($block) = @_;

if (!defined $block->request) {
$block->set_value("request", "GET /t");
}
});

run_tests();

__DATA__
=== TEST 1: setup route with plugin
--- config
location /t {
content_by_lua_block {
local data = {
{
url = "/apisix/admin/upstreams/u1",
data = [[{
"nodes": {
"127.0.0.1:1984": 1
},
"type": "roundrobin"
}]],
},
{
url = "/apisix/admin/routes/auth",
data = {
plugins = {
["serverless-pre-function"] = {
phase = "rewrite",
functions = {
[[return function(conf, ctx)
local core = require("apisix.core");
local token = "token-headers-test";
if core.request.header(ctx, "Authorization") == token then
if core.request.get_method() == "POST" then
if core.request.header(ctx, "Content-Length") or
core.request.header(ctx, "Transfer-Encoding") or
core.request.header(ctx, "Content-Encoding") then
core.response.exit(200)
else
core.response.exit(403)
end
else
if core.request.header(ctx, "Content-Length") or
core.request.header(ctx, "Transfer-Encoding") or
core.request.header(ctx, "Content-Encoding") then
core.response.exit(403)
else
core.response.exit(200)
end
end
end
end]]
}
}
},
uri = "/auth"
},
},
{
url = "/apisix/admin/routes/echo",
data = [[{
"plugins": {
"serverless-pre-function": {
"phase": "rewrite",
"functions": [
"return function (conf, ctx)
local core = require(\"apisix.core\");
core.response.exit(200, core.request.headers(ctx));
end"
]
}
},
"uri": "/echo"
}]],
},
{
url = "/apisix/admin/routes/1",
data = [[{
"plugins": {
"forward-auth": {
"uri": "http://127.0.0.1:1984/auth",
"request_headers": ["Authorization"],
"request_method": "POST"
},
"proxy-rewrite": {
"uri": "/echo"
}
},
"upstream_id": "u1",
"uri": "/verify-auth-post"
}]],
},
{
url = "/apisix/admin/routes/2",
data = [[{
"plugins": {
"forward-auth": {
"uri": "http://127.0.0.1:1984/auth",
"request_headers": ["Authorization"],
"request_method": "GET"
},
"proxy-rewrite": {
"uri": "/echo"
}
},
"upstream_id": "u1",
"uri": "/verify-auth-get"
}]],
}
}
local t = require("lib.test_admin").test
for _, data in ipairs(data) do
local code, body = t(data.url, ngx.HTTP_PUT, data.data)
ngx.say(body)
end
}
}
--- response_body eval
"passed\n" x 5
=== TEST 2: verify auth server forward headers for request_method=GET
--- request
GET /verify-auth-get
--- more_headers
Authorization: token-headers-test
--- error_code: 200
=== TEST 3: verify auth server forward headers for request_method=POST for GET upstream
--- request
GET /verify-auth-post
--- more_headers
Authorization: token-headers-test
--- error_code: 200
=== TEST 4: verify auth server forward headers for request_method=POST
--- request
POST /verify-auth-post
{"authorization": "token-headers-test"}
--- more_headers
Authorization: token-headers-test
--- error_code: 200
=== TEST 5: verify auth server forward headers for request_method=GET for POST upstream
--- request
POST /verify-auth-get
{"authorization": "token-headers-test"}
--- more_headers
Authorization: token-headers-test
--- error_code: 200
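Review bot: The auth route's check in the serverless function covers Content-Length, Transfer-Encoding and Content-Encoding but not Expect, which the plugin change also moves under the POST condition, so a regression that forwards Expect on a GET auth request would still pass all five tests; adding `core.request.header(ctx, "Expect") or` to both conditions closes that gap. The JSON body sent in TEST 4 and TEST 5 is never read by the auth function, which only inspects the Authorization header, so the test titles should say that the body exists only to make the client request carry framing headers, e.g. `=== TEST 5: request_method=GET must drop framing headers of a POST with body`. Each test also asserts only the status code, which is sufficient here because the auth function encodes the expectation as 200/403, but a one-line comment above TEST 2 stating that convention would help the next reader.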
4 changes: 2 additions & 2 deletions t/plugin/grpc-web/package-lock.json

