Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(plugins/bk-user-restriction): add new plugin #85

Merged
merged 4 commits into from
Nov 8, 2024
Merged

feat(plugins/bk-user-restriction): add new plugin #85

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5951707
feat(plugins/bk-user-restriction): add new plugin
wklken Nov 5, 2024
bd70e1c
test(plugins/bk-user-restriction.lua): add unittests
wklken Nov 6, 2024
cdce8af
test(tests/test-bk-user-restriction.lua): fix fails
wklken Nov 6, 2024
6c7bcba
test(tests/test-bk-user-restriction.lua): sometimes it would fail whi…
wklken Nov 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions src/apisix/plugins/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
- bk-break-recursive-call # priority: 17700 # 该插件应默认应用于所有路由
- bk-body-limit # priority: 17690
- bk-auth-validate # priority: 17680
- bk-user-restriction # priority: 17679
- bk-jwt # priority: 17670
- bk-ip-restriction # priority: 17662
- bk-ip-group-restriction # priority: 17661 (will be deprecated)
Expand Down
14 changes: 14 additions & 0 deletions src/apisix/plugins/bk-core/errorx.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -251,6 +251,20 @@ function _M.new_ip_not_allowed()
return setmetatable(error, mt)
end

function _M.new_bk_user_not_allowed()
local error = {
error = {
code = 1640303,
code_name = "BK_USER_NOT_ALLOWED",
message = "Request rejected by bk-user restriction",
result = false,
data = cjson_null,
},
status = 403,
}
return setmetatable(error, mt)
end

function _M.new_request_body_size_exceed()
local error = {
error = {
Expand Down
123 changes: 123 additions & 0 deletions src/apisix/plugins/bk-user-restriction.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
--
-- TencentBlueKing is pleased to support the open source community by making
-- 蓝鲸智云 - API 网关(BlueKing - APIGateway) available.
-- Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
-- Licensed under the MIT License (the "License"); you may not use this file except
-- in compliance with the License. You may obtain a copy of the License at
--
-- http://opensource.org/licenses/MIT
--
-- Unless required by applicable law or agreed to in writing, software distributed under
-- the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
-- either express or implied. See the License for the specific language governing permissions and
-- limitations under the License.
--
-- We undertake not to change the open source license (MIT license) applicable
-- to the current version of the project delivered to anyone in the future.
--

local core = require("apisix.core")
local errorx = require("apisix.plugins.bk-core.errorx")


local schema = {
type = "object",
properties = {
whitelist = {
type = "array",
items = { type = "string" },
minItems = 1,
},
blacklist = {
type = "array",
items = { type = "string" },
minItems = 1,
},
message = {
type = "string",
default = "The bk-user is not allowed",
minLength = 1,
maxLength = 1024,
},
},
oneOf = {
{ required = { "whitelist" } },
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

是不是应该在什么地方写插件的文档使用说明,比如我看到这就会好奇两个字段如果都配置会怎么样,理论上字段有互斥。(看了代码的写法,黑名单的优先级是更好,即使 user 命中白名单,仍然可能被黑名单拦下来)

{ required = { "blacklist" } },
},
}

local plugin_name = "bk-user-restriction"

local _M = {
version = 0.1,
priority = 17679,
name = plugin_name,
schema = schema,
}


function _M.check_schema(conf)
if not core.schema.check(_M.schema, conf) then
return false
end

if conf.whitelist then
conf.whitelist_map = {}
for _, user in ipairs(conf.whitelist) do
conf.whitelist_map[user] = true
end
end

if conf.blacklist then
conf.blacklist_map = {}
for _, user in ipairs(conf.blacklist) do
conf.blacklist_map[user] = true
end
end

return true
end

---@param conf any
---@param ctx apisix.Context
function _M.access(conf, ctx)
-- Return directly if "bk-resource-auth" is not loaded by checking "bk_resource_auth"
if ctx.var.bk_resource_auth == nil then
return
end

-- not verified user required, return directly(do nothing)
if not ctx.var.bk_resource_auth:get_verified_user_required() then
return
end

-- if user is nil, return directly(do nothing)
if ctx.var.user == nil then
return
end

-- if user is not verified, return directly(do nothing)
if ctx.var.user.verified == false then
return
end

local bk_username = ctx.var.user.username

if conf.whitelist_map and not conf.whitelist_map[bk_username] then
return errorx.exit_with_apigw_err(
ctx,
errorx.new_bk_user_not_allowed():with_fields({ message = conf.message, bk_username = bk_username }),
_M
)
end

if conf.blacklist_map and conf.blacklist_map[bk_username] then
return errorx.exit_with_apigw_err(
ctx,
errorx.new_bk_user_not_allowed():with_fields({ message = conf.message, bk_username = bk_username }),
_M
)
end
end

return _M
Loading
Loading