apisix/plugins/basic-auth.lua - apisix - Git at Google

 --
 -- Licensed to the Apache Software Foundation (ASF) under one or more
 -- contributor license agreements.  See the NOTICE file distributed with
 -- this work for additional information regarding copyright ownership.
 -- The ASF licenses this file to You under the Apache License, Version 2.0
 -- (the "License"); you may not use this file except in compliance with
 -- the License.  You may obtain a copy of the License at
 --
 --     http://www.apache.org/licenses/LICENSE-2.0
 --
 -- Unless required by applicable law or agreed to in writing, software
 -- distributed under the License is distributed on an "AS IS" BASIS,
 -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
 local core = require("apisix.core")
 local ngx = ngx
 local ngx_re = require("ngx.re")
 local ipairs = ipairs
 local consumer = require("apisix.consumer")

 local lrucache = core.lrucache.new({
     ttl = 300, count = 512
 })
 local consumers_lrucache = core.lrucache.new({
     type = "plugin",
 })

 local schema = {
     type = "object",
     title = "work with route or service object",
     properties = {},
     additionalProperties = false,
 }

 local consumer_schema = {
     type = "object",
     title = "work with consumer object",
     properties = {
         username = { type = "string" },
         password = { type = "string" },
     },
     required = {"username", "password"},
     additionalProperties = false,
 }

 local plugin_name = "basic-auth"

 local _M = {
     version = 0.1,
     priority = 2520,
     type = 'auth',
     name = plugin_name,
     schema = schema,
     consumer_schema = consumer_schema
 }

 function _M.check_schema(conf, schema_type)
     local ok, err
     if schema_type == core.schema.TYPE_CONSUMER then
         ok, err = core.schema.check(consumer_schema, conf)
     else
         ok, err = core.schema.check(schema, conf)
     end

     if not ok then
         return false, err
     end

     return true
 end

 local function extract_auth_header(authorization)

     local function do_extract(auth)
         local obj = { username = "", password = "" }

         local m, err = ngx.re.match(auth, "Basic\\s(.+)", "jo")
         if err then
             -- error authorization
             return nil, err
         end

         local decoded = ngx.decode_base64(m[1])

         local res
         res, err = ngx_re.split(decoded, ":")
         if err then
             return nil, "split authorization err:" .. err
         end

         obj.username = ngx.re.gsub(res[1], "\\s+", "", "jo")
         obj.password = ngx.re.gsub(res[2], "\\s+", "", "jo")
         core.log.info("plugin access phase, authorization: ",
                       obj.username, ": ", obj.password)

         return obj, nil
     end

     local matcher, err = lrucache(authorization, nil, do_extract, authorization)

     if matcher then
         return matcher.username, matcher.password, err
     else
         return "", "", err
     end

 end

 local create_consume_cache
 do
     local consumer_names = {}

     function create_consume_cache(consumers)
         core.table.clear(consumer_names)

         for _, cur_consumer in ipairs(consumers.nodes) do
             core.log.info("consumer node: ",
                           core.json.delay_encode(cur_consumer))
             consumer_names[cur_consumer.auth_conf.username] = cur_consumer
         end

         return consumer_names
     end
 end

 function _M.rewrite(conf, ctx)
     core.log.info("plugin access phase, conf: ", core.json.delay_encode(conf))

     -- 1. extract authorization from header
     local auth_header = core.request.header(ctx, "Authorization")
     if not auth_header then
         core.response.set_header("WWW-Authenticate", "Basic realm='.'")
         return 401, { message = "Missing authorization in request" }
     end

     local username, password, err = extract_auth_header(auth_header)
     if err then
         return 401, { message = err }
     end

     -- 2. get user info from consumer plugin
     local consumer_conf = consumer.plugin(plugin_name)
     if not consumer_conf then
         return 401, { message = "Missing related consumer" }
     end

     local consumers = consumers_lrucache("consumers_key",
         consumer_conf.conf_version,
         create_consume_cache, consumer_conf)

     -- 3. check user exists
     local cur_consumer = consumers[username]
     if not cur_consumer then
         return 401, { message = "Invalid user key in authorization" }
     end
     core.log.info("consumer: ", core.json.delay_encode(cur_consumer))


     -- 4. check the password is correct
     if cur_consumer.auth_conf.password ~= password then
         return 401, { message = "Password is error" }
     end

     consumer.attach_consumer(ctx, cur_consumer, consumer_conf)

     core.log.info("hit basic-auth access")
 end

 return _M
	--
	-- Licensed to the Apache Software Foundation (ASF) under one or more
	-- contributor license agreements. See the NOTICE file distributed with
	-- this work for additional information regarding copyright ownership.
	-- The ASF licenses this file to You under the Apache License, Version 2.0
	-- (the "License"); you may not use this file except in compliance with
	-- the License. You may obtain a copy of the License at
	--
	-- http://www.apache.org/licenses/LICENSE-2.0
	--
	-- Unless required by applicable law or agreed to in writing, software
	-- distributed under the License is distributed on an "AS IS" BASIS,
	-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	-- See the License for the specific language governing permissions and
	-- limitations under the License.
	--
	local core = require("apisix.core")
	local ngx = ngx
	local ngx_re = require("ngx.re")
	local ipairs = ipairs
	local consumer = require("apisix.consumer")

	local lrucache = core.lrucache.new({
	ttl = 300, count = 512
	})
	local consumers_lrucache = core.lrucache.new({
	type = "plugin",
	})

	local schema = {
	type = "object",
	title = "work with route or service object",
	properties = {},
	additionalProperties = false,
	}

	local consumer_schema = {
	type = "object",
	title = "work with consumer object",
	properties = {
	username = { type = "string" },
	password = { type = "string" },
	},
	required = {"username", "password"},
	additionalProperties = false,
	}

	local plugin_name = "basic-auth"

	local _M = {
	version = 0.1,
	priority = 2520,
	type = 'auth',
	name = plugin_name,
	schema = schema,
	consumer_schema = consumer_schema
	}

	function _M.check_schema(conf, schema_type)
	local ok, err
	if schema_type == core.schema.TYPE_CONSUMER then
	ok, err = core.schema.check(consumer_schema, conf)
	else
	ok, err = core.schema.check(schema, conf)
	end

	if not ok then
	return false, err
	end

	return true
	end

	local function extract_auth_header(authorization)

	local function do_extract(auth)
	local obj = { username = "", password = "" }

	local m, err = ngx.re.match(auth, "Basic\\s(.+)", "jo")
	if err then
	-- error authorization
	return nil, err
	end

	local decoded = ngx.decode_base64(m[1])

	local res
	res, err = ngx_re.split(decoded, ":")
	if err then
	return nil, "split authorization err:" .. err
	end

	obj.username = ngx.re.gsub(res[1], "\\s+", "", "jo")
	obj.password = ngx.re.gsub(res[2], "\\s+", "", "jo")
	core.log.info("plugin access phase, authorization: ",
	obj.username, ": ", obj.password)

	return obj, nil
	end

	local matcher, err = lrucache(authorization, nil, do_extract, authorization)

	if matcher then
	return matcher.username, matcher.password, err
	else
	return "", "", err
	end

	end

	local create_consume_cache
	do
	local consumer_names = {}

	function create_consume_cache(consumers)
	core.table.clear(consumer_names)

	for _, cur_consumer in ipairs(consumers.nodes) do
	core.log.info("consumer node: ",
	core.json.delay_encode(cur_consumer))
	consumer_names[cur_consumer.auth_conf.username] = cur_consumer
	end

	return consumer_names
	end
	end

	function _M.rewrite(conf, ctx)
	core.log.info("plugin access phase, conf: ", core.json.delay_encode(conf))

	-- 1. extract authorization from header
	local auth_header = core.request.header(ctx, "Authorization")
	if not auth_header then
	core.response.set_header("WWW-Authenticate", "Basic realm='.'")
	return 401, { message = "Missing authorization in request" }
	end

	local username, password, err = extract_auth_header(auth_header)
	if err then
	return 401, { message = err }
	end

	-- 2. get user info from consumer plugin
	local consumer_conf = consumer.plugin(plugin_name)
	if not consumer_conf then
	return 401, { message = "Missing related consumer" }
	end

	local consumers = consumers_lrucache("consumers_key",
	consumer_conf.conf_version,
	create_consume_cache, consumer_conf)

	-- 3. check user exists
	local cur_consumer = consumers[username]
	if not cur_consumer then
	return 401, { message = "Invalid user key in authorization" }
	end
	core.log.info("consumer: ", core.json.delay_encode(cur_consumer))


	-- 4. check the password is correct
	if cur_consumer.auth_conf.password ~= password then
	return 401, { message = "Password is error" }
	end

	consumer.attach_consumer(ctx, cur_consumer, consumer_conf)

	core.log.info("hit basic-auth access")
	end

	return _M