feat: add authz plugin for casdoor

apache · Feb 19, 2022 · 753238b · 753238b
1 parent 9b98f1d
commit 753238b
Show file tree

Hide file tree

Showing 3 changed files with 205 additions and 0 deletions.
diff --git a/apisix/plugins/authz-casdoor.lua b/apisix/plugins/authz-casdoor.lua
@@ -0,0 +1,128 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local log = core.log
+local ngx = ngx
+local session = require("resty.session")
+local http = require("resty.http")
+local cjson = require("cjson")
+
+local plugin_name = "authz-casdoor"
+local schema = {
+    type = "object",
+    properties = {
+        casdoor_endpoint = { type = "string" },
+        casdoor_client_id = { type = "string" },
+        casdoor_client_secret = { type = "string" },
+        casdoor_callback_url = { type = "string" },
+    },
+    required = {
+        "casdoor_callback_url",
+        "casdoor_endpoint",
+        "casdoor_client_id",
+        "casdoor_client_secret"
+    }
+}
+
+local _M = {
+    version = 0.1,
+    priority = 12,
+    name = plugin_name,
+    schema = schema,
+}
+
+local function get_path(uri)
+    local without_query = uri:match("(.-)%?") or uri
+    return without_query:match(".-//[^/]+(/.*)") or without_query
+end
+
+local function fetch_access_token(conf)
+    local args = ngx.req.get_uri_args()
+    if not args.code or not args.state then
+        log.err("failed when accessing token. Invalid code or state ")
+        return nil
+    end
+    local client = http.new()
+    local res, err = client:request_uri(
+    get_path(conf.casdoor_endpoint) .. "/api/login/oauth/access_token",
+        {
+            method = "POST",
+            query = {
+                code = args.code,
+                grant_type = "authorization_code",
+                client_id = conf.casdoor_client_id,
+                client_secret = conf.casdoor_client_secret
+            }
+        }
+    )
+    if not res then
+        log.err("failed when accessing token. ", err)
+        return nil
+    end
+    local data = cjson.decode(res.body)
+    if not data.access_token then
+        log.err("failed when accessing token: no access_token contained")
+        return nil
+    end
+    return data.access_token
+end
+
+function _M.check_schema(conf)
+    return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+    log.warn("hit authz-casdoor access")
+    local current_uri = ngx.var.request_uri
+    local session_obj_read = session.open()
+    -- step 1: check whether hits the callback
+    if get_path(current_uri) == get_path(conf.casdoor_callback_url) then
+        local access_token = fetch_access_token(conf)
+        if not access_token then
+            return 500, "failed to fetch access token"
+        else
+            local original_url = session_obj_read.data.original_uri
+            local session_obj_write = session.start()
+            session_obj_write.data.access_token = access_token
+            session_obj_write:save()
+            ngx.redirect(original_url, 302)
+            return
+        end
+    end
+
+    --step 2: check whether session exists
+
+    if session_obj_read.data.access_token then
+        -- session exists
+        log.warn("session exists")
+    else
+        -- session not exists, redirect to login page
+        log.warn("session not exists")
+        local session_obj_write = session.start()
+        session_obj_write.data.original_uri = current_uri
+        session_obj_write:save()
+        local redirect_url = conf.casdoor_endpoint
+            .. "/login/oauth/authorize?response_type=code&scope=read&state=casdoor&client_id="
+            .. conf.casdoor_client_id
+            .. "&redirect_uri="
+            .. conf.casdoor_callback_url
+        ngx.redirect(redirect_url, 302)
+    end
+
+end
+
+return _M
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
@@ -340,6 +340,7 @@ plugins:                          # plugin list (sorted by priority)
   - request-validation             # priority: 2800
   - openid-connect                 # priority: 2599
   - authz-casbin                   # priority: 2560
+  - authz-casdoor                  # priority: 2561
   - wolf-rbac                      # priority: 2555
   - ldap-auth                      # priority: 2540
   - hmac-auth                      # priority: 2530

diff --git a/docs/en/latest/plugins/authz-casdoor.md b/docs/en/latest/plugins/authz-casdoor.md
@@ -0,0 +1,76 @@
+---
+title: authz-casdoor
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Summary
+
+- [**Name**](#name)
+- [**Attributes**](#attributes)
+- [**Metadata**](#metadata)
+- [**How To Enable**](#how-to-enable)
+- [**Test Plugin**](#test-plugin)
+- [**Disable Plugin**](#disable-plugin)
+- [**Examples**](#examples)
+
+## Name
+
+`authz-casdoor` is an authorization plugin based on [Casdoor](https://casdoor.org/). Casdoor is a centralized authentication / Single-Sign-On (SSO) platform supporting OAuth 2.0, OIDC and SAML, integrated with Casbin RBAC and ABAC permission management
+
+## Attributes
+
+| Name        | Type   | Requirement | Default | Valid | Description                                                  |
+| ----------- | ------ | ----------- | ------- | ----- | ------------------------------------------------------------ |
+| casdoor_endpoint  | string | required    |         |       | The url of casdoor.             |
+| casdoor_client_id | string | required    |         |       | The client id in casdoor.                          |
+| casdoor_client_secret       | string | required    |         |       | The client secret in casdoor.               |
+| casdoor_callback_url      | string | required    |         |       | The callback url which is used to receive state and code.                            |
+
+## How To Enable
+
+You can enable the plugin on any route by giving out all four attributes mentioned above.
+
+### Example
+
+```shell
+curl "http://127.0.0.1:9080/apisix/admin/routes/1" -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X PUT -d '
+{
+  "methods": ["GET"],
+  "uri": "/anything/*",
+  "plugins": {
+    "authz-casdoor": {
+        "casdoor_callback_url":"http://localhost:9080/anything/callback",
+        "casdoor_endpoint":"http://localhost:8000",
+        "casdoor_client_id":"7ceb9b7fda4a9061ec1c",
+        "casdoor_client_secret":"3416238e1edf915eac08b8fe345b2b95cdba7e04"
+    }
+   },
+  "upstream": {
+    "type": "roundrobin",
+    "nodes": {
+      "httpbin.org:80": 1
+    }
+  }
+}'
+
+```
+
+By doing this all requests toward `/anything/*` will be intercepted and whether this user has logged in via Casdoor will be checked (by checking session). If not, the user will be redirected to login page of casdoor, thus implementing authentication without modifying server's code.