authn plugins hide credential by default (#582)

Signed-off-by: spacewander <[email protected]>
mosn · Jun 20, 2024 · 892cffd · 892cffd
1 parent 936b17e
commit 892cffd
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/api/plugins/tests/integration/data_plane/bootstrap.yml b/api/plugins/tests/integration/data_plane/bootstrap.yml
@@ -108,6 +108,9 @@ static_resources:
                                     local headers = handle:headers()
                                     local resp_headers = {[":status"] = "200"}
                                     for key, value in pairs(headers) do
+                                      if key:find(":") ~= nil then
+                                        key = key:sub(2)
+                                      end
                                       local k = "echo-" .. key
                                       local v = resp_headers[k]
                                       if v ~= nil then

diff --git a/plugins/plugins/key_auth/filter.go b/plugins/plugins/key_auth/filter.go
@@ -47,12 +47,14 @@ func (f *filter) verify(value string) api.ResultAction {
 
 func (f *filter) DecodeHeaders(headers api.RequestHeaderMap, endStream bool) api.ResultAction {
 	config := f.config
+	var u *url.URL
 	var query url.Values
 	for _, key := range config.Keys {
 		var vals []string
 		if key.Source == key_auth.Source_QUERY {
 			if query == nil {
-				query = headers.Url().Query()
+				u = headers.Url()
+				query = u.Query()
 			}
 			vals = query[key.Name]
 		} else {
@@ -61,6 +63,14 @@ func (f *filter) DecodeHeaders(headers api.RequestHeaderMap, endStream bool) api
 
 		n := len(vals)
 		if n == 1 {
+			// hide credential by default
+			if key.Source == key_auth.Source_QUERY {
+				query.Del(key.Name)
+				u.RawQuery = query.Encode()
+				headers.Set(":path", u.String())
+			} else {
+				headers.Del(key.Name)
+			}
 			return f.verify(vals[0])
 		}
 		if n > 1 {

diff --git a/plugins/tests/integration/key_auth_test.go b/plugins/tests/integration/key_auth_test.go
@@ -61,6 +61,7 @@ func TestKeyAuth(t *testing.T) {
 			run: func(t *testing.T) {
 				resp, _ := dp.Get("/echo", http.Header{"Authorization": []string{"rick"}})
 				assert.Equal(t, 200, resp.StatusCode)
+				assert.Equal(t, 0, len(resp.Header.Values("Echo-Authorization")))
 				resp, _ = dp.Get("/echo", http.Header{"Authorization": []string{"morty"}})
 				assert.Equal(t, 401, resp.StatusCode)
 				resp, _ = dp.Get("/echo", nil)
@@ -84,8 +85,9 @@ func TestKeyAuth(t *testing.T) {
 				},
 			}),
 			run: func(t *testing.T) {
-				resp, _ := dp.Get("/echo?ak=rick", nil)
+				resp, _ := dp.Get("/echo?ak=rick&other=Key", nil)
 				assert.Equal(t, 200, resp.StatusCode)
+				assert.Equal(t, "/echo?other=Key", resp.Header.Get("Echo-Path"))
 				resp, _ = dp.Get("/echo?ak=morty", nil)
 				assert.Equal(t, 401, resp.StatusCode)
 				resp, _ = dp.Get("/echo", nil)