feat: Add the function to hide header for key-auth plugin (#6670)

apache · Apr 6, 2022 · 07d535d · 07d535d
1 parent 7e1baba
commit 07d535d
Show file tree

Hide file tree

Showing 4 changed files with 237 additions and 1 deletion.
diff --git a/apisix/plugins/key-auth.lua b/apisix/plugins/key-auth.lua
@@ -35,6 +35,10 @@ local schema = {
             type = "string",
             default = "apikey",
         },
+        hide_credentials = {
+            type = "boolean",
+            default = false,
+        }
     },
 }
 
@@ -110,6 +114,13 @@ function _M.rewrite(conf, ctx)
     end
     core.log.info("consumer: ", core.json.delay_encode(consumer))
 
+    if conf.hide_credentials then
+        core.request.set_header(ctx, conf.header, nil)
+        local args = core.request.get_uri_args(ctx)
+        args[conf.query] = nil
+        core.request.set_uri_args(ctx, args)
+    end
+
     consumer_mod.attach_consumer(ctx, consumer, consumer_conf)
     core.log.info("hit key-auth rewrite")
 end

diff --git a/docs/en/latest/plugins/key-auth.md b/docs/en/latest/plugins/key-auth.md
@@ -41,6 +41,7 @@ For route side:
 | ---- | ------ | ----------- | ------- | ----- | ---------------------------------------------------------------------------- |
 | header  | string | optional    | apikey        |       | the header we get the key from |
 | query   | string | optional    | apikey        |       | the query string we get the key from, which priority is lower than `header` |
+| hide_credentials   | bool | optional    | false        |       | Whether to pass the request header containing authentication information to upstream. |
 
 ## How To Enable
 

diff --git a/docs/zh/latest/plugins/key-auth.md b/docs/zh/latest/plugins/key-auth.md
@@ -40,7 +40,8 @@ router 端配置：
 | 名称 | 类型   | 必选项 | 默认值 | 有效值 | 描述                                                                                                          |
 | ---- | ------ | ------ | ------ | ------ | ------------------------------------------------------------------------------------------------------------- |
 | header  | string | 可选 | apikey |        | 设置我们从哪个 header 获取 key。 |
-| query  | string | 可选 | apikey |        | 设置我们从哪个 querystring 获取 key，优先级低于 header |
+| query  | string | 可选 | apikey |        | 设置我们从哪个 query string 获取 key，优先级低于 `header` |
+| hide_credentials  | bool | 可选 | false |        | 是否将含有认证信息的请求头传递给 upstream。 |
 
 ## 如何启用
 

diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t
@@ -334,3 +334,226 @@ GET /hello?auth=auth-one
 hello world
 --- no_error_log
 [error]
+
+
+
+=== TEST 14: enable key auth plugin using admin api, set hide_credentials = false
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "key-auth": {
+                            "hide_credentials": false
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/echo"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 15: verify apikey request header should not hidden
+--- request
+GET /echo
+--- more_headers
+apikey: auth-one
+--- response_headers
+apikey: auth-one
+--- no_error_log
+[error]
+
+
+
+=== TEST 16: add key auth plugin using admin api, set hide_credentials = true
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "key-auth": {
+                            "hide_credentials": true
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/echo"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 17: verify apikey request header is hidden
+--- request
+GET /echo
+--- more_headers
+apikey: auth-one
+--- response_headers
+!apikey
+--- no_error_log
+[error]
+
+
+
+=== TEST 18: verify that only the keys in the title are deleted
+--- request
+GET /echo
+--- more_headers
+apikey: auth-one
+test: auth-two
+--- response_headers
+!apikey
+test: auth-two
+--- no_error_log
+[error]
+
+
+
+=== TEST 19: customize query string, set hide_credentials = true
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "key-auth": {
+                            "query": "auth",
+                            "hide_credentials": true
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 20: verify auth request args is hidden
+--- request
+GET /hello?auth=auth-one
+--- response_args
+!auth
+--- no_error_log
+[error]
+
+
+
+=== TEST 21: verify that only the keys in the query parameters are deleted
+--- request
+GET /hello?auth=auth-one&test=auth-two
+--- response_args
+!auth
+test: auth-two
+--- no_error_log
+[error]
+
+
+
+=== TEST 22: customize query string, set hide_credentials = false
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "key-auth": {
+                            "query": "auth",
+                            "hide_credentials": false
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 23: verify auth request args should not hidden
+--- request
+GET /hello?auth=auth-one
+--- response_args
+auth: auth-one
+--- no_error_log
+[error]