From ce807228b6b8e2c069127db142244e875fa6d507 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Tue, 11 Mar 2025 23:24:48 +0800 Subject: [PATCH 01/25] feat: consumer key duplication check --- apisix/admin/consumers.lua | 26 ++++++++++++++++++++++++-- apisix/admin/credentials.lua | 12 +++++++++++- 2 files changed, 35 insertions(+), 3 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index e02789069c64..e8035c969d53 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -17,7 +17,7 @@ local core = require("apisix.core") local plugins = require("apisix.admin.plugins") local resource = require("apisix.admin.resource") - +local plugin = require("apisix.plugin") local function check_conf(username, conf, need_username, schema) local ok, err = core.schema.check(schema, conf) @@ -32,7 +32,29 @@ local function check_conf(username, conf, need_username, schema) if conf.plugins then ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) if not ok then - return nil, {error_msg = "invalid plugins configuration: " .. err} + return nil, { + error_msg = "invalid plugins configuration: " .. err + } + end + + -- check duplicate key + for plugin_name, plugin_conf in pairs(conf.plugins or {}) do + local plugin_obj = plugin.get(plugin_name) + if not plugin_obj then + return nil, {error_msg = "unknown plugin " .. plugin_name} + end + -- if plugin_obj and plugin_obj.type == "auth" then + plugin.decrypt_conf(plugin_name, plugin_conf, core.schema.TYPE_CONSUMER) + for key, key_value in pairs(plugin_conf) do + local consumer, _ = require("apisix.consumer").find_consumer(plugin_name, key, key_value) + if consumer then + return nil, { + error_msg = "duplicate key found with consumer: " .. consumer.username + } + end + + end + -- end end end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 3622867528d8..25afbd3f09d0 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua 
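Review bot: The rejection built in the `-- check duplicate key` loop of `check_conf` (`"duplicate key found with consumer: " .. consumer.username`) tells the caller which consumer already holds the submitted credential value, so the Admin API response confirms both that a key is in use and who owns it. That may be acceptable where every Admin API caller is fully trusted, but where admin access is delegated or scoped it would be safer to return a generic `error_msg = "duplicate key found"` and record the owning username server-side with `core.log.warn`. The same message is added in the `apisix/admin/credentials.lua` hunk of this commit. `check_conf` starts and ends outside the hunk.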
@@ -32,7 +32,7 @@ local function check_conf(_id, conf, _need_id, schema) return nil, {error_msg = "invalid plugins configuration: " .. err} end - for name, _ in pairs(conf.plugins) do + for name, plugin_conf in pairs(conf.plugins) do local plugin_obj = plugin.get(name) if not plugin_obj then return nil, {error_msg = "unknown plugin " .. name} @@ -40,6 +40,16 @@ local function check_conf(_id, conf, _need_id, schema) if plugin_obj.type ~= "auth" then return nil, {error_msg = "only supports auth type plugins in consumer credential"} end + + -- check duplicate key + plugin.decrypt_conf(name, plugin_conf, core.schema.TYPE_CONSUMER) + for key, key_value in pairs(plugin_conf) do + local consumer, _ = require("apisix.consumer").find_consumer(name, key, key_value) + if consumer then + return nil, {error_msg = "duplicate key found with consumer: " .. consumer.username} + end + end + end end From 489a9851698eaab1f307190413ce5c8b00b0e071 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 12 Mar 2025 12:15:27 +0800 Subject: [PATCH 02/25] fix: improve code logic --- apisix/admin/consumers.lua | 31 +++++++++++++++++++++---------- apisix/admin/credentials.lua | 20 ++++++++++++++++---- 2 files changed, 37 insertions(+), 14 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index e8035c969d53..e3db8b564be8 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua 
@@ -43,18 +43,29 @@ local function check_conf(username, conf, need_username, schema) if not plugin_obj then return nil, {error_msg = "unknown plugin " .. plugin_name} end - -- if plugin_obj and plugin_obj.type == "auth" then - plugin.decrypt_conf(plugin_name, plugin_conf, core.schema.TYPE_CONSUMER) - for key, key_value in pairs(plugin_conf) do - local consumer, _ = require("apisix.consumer").find_consumer(plugin_name, key, key_value) - if consumer then - return nil, { - error_msg = "duplicate key found with consumer: " .. consumer.username - } - end + if plugin_obj.type == "auth" then + plugin.decrypt_conf(plugin_name, plugin_conf, core.schema.TYPE_CONSUMER) + + local plugin_key_map = { + ["key-auth"] = "key", + ["basic-auth"] = "username", + ["jwt-auth"] = "key", + ["hmac-auth"] = "key_id" + } + local key_field = plugin_key_map[plugin_name] + if key_field then + local key_value = plugin_conf[key_field] + if key_value then + local consumer, _ = require("apisix.consumer").find_consumer(plugin_name, key_field, key_value) + if consumer and consumer.username ~= conf.username then + return nil, { + error_msg = "duplicate key found with consumer: " .. consumer.username + } + end + end + end end - -- end end end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 25afbd3f09d0..eb202e14d0e8 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua 
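Review bot: Auth plugins that are missing from `plugin_key_map` skip the uniqueness check without any trace, because `key_field` is nil and the `if key_field then` branch is simply not taken. The table lists four plugins only, so an auth plugin added later gets no duplicate protection unless someone remembers to extend it. I would put a comment above the table such as `-- auth plugins whose consumer lookup field must be unique; plugins not listed here are NOT checked for duplicates`, and consider a `core.log.info` line in the skipped case. The identical table in the `apisix/admin/credentials.lua` hunk of this commit needs the same comment.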
@@ -43,10 +43,22 @@ local function check_conf(_id, conf, _need_id, schema) -- check duplicate key plugin.decrypt_conf(name, plugin_conf, core.schema.TYPE_CONSUMER) - for key, key_value in pairs(plugin_conf) do - local consumer, _ = require("apisix.consumer").find_consumer(name, key, key_value) - if consumer then - return nil, {error_msg = "duplicate key found with consumer: " .. consumer.username} + + local plugin_key_map = { + ["key-auth"] = "key", + ["basic-auth"] = "username", + ["jwt-auth"] = "key", + ["hmac-auth"] = "key_id" + } + + local key_field = plugin_key_map[name] + if key_field then + local key_value = plugin_conf[key_field] + if key_value then + local consumer, _ = require("apisix.consumer").find_consumer(name, key_field, key_value) + if consumer and consumer.credential_id ~= _id then + return nil, {error_msg = "duplicate key found with consumer: " .. consumer.username} + end end end From a3a4ac276846b42991e7a1d6c51d86ec0ae8d1af Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 12 Mar 2025 12:16:48 +0800 Subject: [PATCH 03/25] fix: lint --- apisix/admin/consumers.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index e3db8b564be8..554be7fbc051 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -48,7 +48,7 @@ local function check_conf(username, conf, need_username, schema) local plugin_key_map = { ["key-auth"] = "key", - ["basic-auth"] = "username", + ["basic-auth"] = "username", ["jwt-auth"] = "key", ["hmac-auth"] = "key_id" } From fa3caa8c603523823931eefbe13997424685996c Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 12 Mar 2025 17:34:32 +0800 Subject: [PATCH 04/25] test: add test case --- apisix/admin/consumers.lua | 5 +- apisix/admin/credentials.lua | 5 +- t/admin/consumers2.t | 83 +++++++++++++++++++++ t/admin/credentials.t | 136 ++++++++++++++++++++++++++++++++++- 4 files changed, 223 insertions(+), 6 deletions(-) 
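Review bot: The self-match exemption `consumer.credential_id ~= _id` compares only the credential id and not the consumer it belongs to. The shape of the lookup result is not visible here, but if `credential_id` is the bare id (for example `credential_a`) rather than a consumer-qualified one, a credential written under a different consumer with the same id and the same key would be treated as an update of itself and accepted, leaving two consumers sharing one key. It is worth confirming what `find_consumer` puts in `credential_id`, and if it is not globally unique, comparing the owning consumer as well before exempting the match. `check_conf` begins and ends outside the hunk.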
diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 554be7fbc051..b0c70154d6f6 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -44,7 +44,8 @@ local function check_conf(username, conf, need_username, schema) return nil, {error_msg = "unknown plugin " .. plugin_name} end if plugin_obj.type == "auth" then - plugin.decrypt_conf(plugin_name, plugin_conf, core.schema.TYPE_CONSUMER) + local decrypted_conf = core.table.deepcopy(plugin_conf) + plugin.decrypt_conf(plugin_name, decrypted_conf, core.schema.TYPE_CONSUMER) local plugin_key_map = { ["key-auth"] = "key", @@ -55,7 +56,7 @@ local function check_conf(username, conf, need_username, schema) local key_field = plugin_key_map[plugin_name] if key_field then - local key_value = plugin_conf[key_field] + local key_value = decrypted_conf[key_field] if key_value then local consumer, _ = require("apisix.consumer").find_consumer(plugin_name, key_field, key_value) if consumer and consumer.username ~= conf.username then diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index eb202e14d0e8..893cc0ffb991 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -42,7 +42,8 @@ local function check_conf(_id, conf, _need_id, schema) end -- check duplicate key - plugin.decrypt_conf(name, plugin_conf, core.schema.TYPE_CONSUMER) + local decrypted_conf = core.table.deepcopy(plugin_conf) + plugin.decrypt_conf(name, decrypted_conf, core.schema.TYPE_CONSUMER) local plugin_key_map = { ["key-auth"] = "key", @@ -53,7 +54,7 @@ local function check_conf(_id, conf, _need_id, schema) local key_field = plugin_key_map[name] if key_field then - local key_value = plugin_conf[key_field] + local key_value = decrypted_conf[key_field] if key_value then local consumer, _ = require("apisix.consumer").find_consumer(name, key_field, key_value) if consumer and consumer.credential_id ~= _id then 
diff --git a/t/admin/consumers2.t b/t/admin/consumers2.t index 6e351d02be96..58df66271cc2 100644 --- a/t/admin/consumers2.t +++ b/t/admin/consumers2.t @@ -174,3 +174,86 @@ __DATA__ } --- response_body {"error_msg":"wrong username"} + + + +=== TEST 6: create consumer +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "desc": "key-auth for jack", + "plugins": { + "key-auth": { + "key": "the-key" + } + } + }]] + ) + } + } +--- request +GET /t + + + +=== TEST 7: duplicate consumer key, PUT +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack2", + "desc": "key-auth for jack2", + "plugins": { + "key-auth": { + "key": "the-key" + } + } + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"duplicate key found with consumer: jack"} + + + +=== TEST 8: update consumer jack +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "desc": "key-auth for jack", + "plugins": { + "key-auth": { + "key": "the-key" + } + } + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- response_body +passed \ No newline at end of file diff --git a/t/admin/credentials.t b/t/admin/credentials.t index 15119829c2e3..3f92e74365e6 100644 --- a/t/admin/credentials.t +++ b/t/admin/credentials.t @@ -110,7 +110,7 @@ passed "desc": "basic-auth for jack", "plugins": { "basic-auth": { - "username": "the-user", + "username": "the-new-user", "password": "the-password" } } 
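Review bot: TEST 6 in the `t/admin/consumers2.t` hunk stores `code, body` and never checks them, so if creating `jack` fails, the duplicate test that follows fails for an unrelated reason. Adding `ngx.status = code` and `ngx.say(body)` with a `--- response_body` of `passed` would pin the setup step. The new cases also exercise `key-auth` only; `basic-auth`, `jwt-auth` and `hmac-auth` are in the lookup map and go through different key fields (`username`, `key_id`), so at least one of them deserves a rejection case. The unasserted-setup pattern repeats in TEST 17, 18 and 21–23 of the `t/admin/credentials.t` hunk.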
@@ -119,7 +119,7 @@ passed
 "value":{
 "desc":"basic-auth for jack",
 "id":"credential_a",
- "plugins":{"basic-auth":{"username":"the-user","password":"WvF5kpaLvIzjuk4GNIMTJg=="}}
+ "plugins":{"basic-auth":{"username":"the-new-user","password":"WvF5kpaLvIzjuk4GNIMTJg=="}}
 },
 "key":"/apisix/consumers/jack/credentials/credential_a"
 }]]
@@ -492,3 +492,135 @@ GET /t --- error_code: 400 --- response_body {"error_msg":"missing credential id"} + + +=== TEST 17: create a consumer bar +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "bar" }]]) + } + } +--- request +GET /t + + + +=== TEST 18: create a credential with key-auth for the consumer bar +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers/bar/credentials/credential_c', + ngx.HTTP_PUT, + [[{ + "desc": "key-auth for bar", + "plugins": { + "key-auth": { + "key": "the-key-bar" + } + } + }]] + ) + } + } +--- request +GET /t + + + +=== TEST 19: can not create a credential with duplicate key +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers/bar/credentials/credential_d', + ngx.HTTP_PUT, + [[{ + "desc": "key-auth for bar", + "plugins": { + "key-auth": { + "key": "the-key-bar" + } + } + }]] + ) + + ngx.status = code + ngx.print(body) + } + } +--- request +GET /t +--- error_code: 400 +--- response_body +{"error_msg":"duplicate key found with consumer: bar"} + + + +=== TEST 20: can update credential credential_c with same key +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + + -- update desc, keep same key + local code, body = t('/apisix/admin/consumers/bar/credentials/credential_c', + ngx.HTTP_PUT, + [[{ + "desc": "new description", + "plugins": { + "key-auth": { + "key": "the-key-bar" + } + } + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed +--- error_code: 200 + + + +=== TEST 21: delete credential credential_c +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = 
t('/apisix/admin/consumers/bar/credentials/credential_c', ngx.HTTP_DELETE) + } + } +--- request +GET /t + + +=== TEST 22: delete consumer bar +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers/bar', ngx.HTTP_DELETE) + } + } +--- request +GET /t + + +=== TEST 23: delete consumer jack +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers/jack', ngx.HTTP_DELETE) + } + } +--- request +GET /t From ef0a8ea13c57574c3fabaa1aea5b75d1ea9181a2 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 12 Mar 2025 17:49:04 +0800 Subject: [PATCH 05/25] fix: format code --- apisix/admin/consumers.lua | 6 ++++-- apisix/admin/credentials.lua | 12 ++++++++---- t/admin/consumers2.t | 2 +- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index b0c70154d6f6..515667b2f16e 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -58,10 +58,12 @@ local function check_conf(username, conf, need_username, schema) if key_field then local key_value = decrypted_conf[key_field] if key_value then - local consumer, _ = require("apisix.consumer").find_consumer(plugin_name, key_field, key_value) + local consumer, _ = require("apisix.consumer") + .find_consumer(plugin_name, key_field, key_value) if consumer and consumer.username ~= conf.username then return nil, { - error_msg = "duplicate key found with consumer: " .. consumer.username + error_msg = "duplicate key found with consumer: " + .. consumer.username } end end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 893cc0ffb991..1ef0f3c43f56 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua 
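Review bot: TEST 19 only covers a second credential under the same consumer `bar`; nothing in the `t/admin/credentials.t` hunk exercises the cross-consumer path, which is the case the feature exists for. I would add a case that writes a credential with key `the-key-bar` under a different consumer, ideally reusing the id `credential_c`, and expects the 400 response, since the exemption in `check_conf` is keyed on the credential id. A case where a consumer's own `plugins` block reuses a key held by another consumer's credential would cover the remaining combination.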
@@ -20,7 +20,7 @@ local plugin = require("apisix.plugin") local resource = require("apisix.admin.resource") local pairs = pairs -local function check_conf(_id, conf, _need_id, schema) +local function check_conf(id, conf, _need_id, schema) local ok, err = core.schema.check(schema, conf) if not ok then return nil, {error_msg = "invalid configuration: " .. err} @@ -56,9 +56,13 @@ local function check_conf(_id, conf, _need_id, schema) if key_field then local key_value = decrypted_conf[key_field] if key_value then - local consumer, _ = require("apisix.consumer").find_consumer(name, key_field, key_value) - if consumer and consumer.credential_id ~= _id then - return nil, {error_msg = "duplicate key found with consumer: " .. consumer.username} + local consumer, _ = require("apisix.consumer") + .find_consumer(name, key_field, key_value) + if consumer and consumer.credential_id ~= id then + return nil, { + error_msg = "duplicate key found with consumer: " + .. consumer.username + } end end end diff --git a/t/admin/consumers2.t b/t/admin/consumers2.t index 58df66271cc2..c1d1817d7cbf 100644 --- a/t/admin/consumers2.t +++ b/t/admin/consumers2.t @@ -256,4 +256,4 @@ GET /t --- request GET /t --- response_body -passed \ No newline at end of file +passed From 80ce4312ef5eed0044c71d0fa3055f872893320f Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 12 Mar 2025 17:50:43 +0800 Subject: [PATCH 06/25] fix: format code --- apisix/admin/consumers.lua | 2 +- apisix/admin/credentials.lua | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 515667b2f16e..c2c065c677a4 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua 
@@ -62,7 +62,7 @@ local function check_conf(username, conf, need_username, schema) .find_consumer(plugin_name, key_field, key_value) if consumer and consumer.username ~= conf.username then return nil, { - error_msg = "duplicate key found with consumer: " + error_msg = "duplicate key found with consumer: " .. consumer.username } end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 1ef0f3c43f56..48e7ca3e6d7c 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -60,7 +60,7 @@ local function check_conf(id, conf, _need_id, schema) .find_consumer(name, key_field, key_value) if consumer and consumer.credential_id ~= id then return nil, { - error_msg = "duplicate key found with consumer: " + error_msg = "duplicate key found with consumer: " .. consumer.username } end From 93a4b63bedaebdc9cc6bf5458861c6bc8ff2ad3b Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 12 Mar 2025 21:46:02 +0800 Subject: [PATCH 07/25] fix: test --- t/admin/consumers2.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/admin/consumers2.t b/t/admin/consumers2.t index c1d1817d7cbf..ac9adb04a6fc 100644 --- a/t/admin/consumers2.t +++ b/t/admin/consumers2.t @@ -250,7 +250,7 @@ GET /t ) ngx.status = code - ngx.print(body) + ngx.say(body) } } --- request From 5e0fe0ffac59e8465901fe648a7b6f5b639f2bc6 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Thu, 13 Mar 2025 09:50:36 +0800 Subject: [PATCH 08/25] fix: lint code --- apisix/admin/consumers.lua | 10 ++++++++-- apisix/admin/credentials.lua | 10 +++++++--- t/admin/credentials.t | 3 +++ 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index c2c065c677a4..c0b455a717f8 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua 
@@ -18,6 +18,8 @@ local core = require("apisix.core") local plugins = require("apisix.admin.plugins") local resource = require("apisix.admin.resource") local plugin = require("apisix.plugin") +local pairs = pairs +local consumer = require("apisix.consumer") local function check_conf(username, conf, need_username, schema) local ok, err = core.schema.check(schema, conf) @@ -43,6 +45,7 @@ local function check_conf(username, conf, need_username, schema) if not plugin_obj then return nil, {error_msg = "unknown plugin " .. plugin_name} end + if plugin_obj.type == "auth" then local decrypted_conf = core.table.deepcopy(plugin_conf) plugin.decrypt_conf(plugin_name, decrypted_conf, core.schema.TYPE_CONSUMER) @@ -55,11 +58,14 @@ local function check_conf(username, conf, need_username, schema) } local key_field = plugin_key_map[plugin_name] + if key_field then local key_value = decrypted_conf[key_field] + if key_value then - local consumer, _ = require("apisix.consumer") - .find_consumer(plugin_name, key_field, key_value) + local consumer, _ = consumer + .find_consumer(plugin_name, key_field, key_value) + if consumer and consumer.username ~= conf.username then return nil, { error_msg = "duplicate key found with consumer: " diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 48e7ca3e6d7c..cec5fdcd323b 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -18,6 +18,7 @@ local core = require("apisix.core") local plugins = require("apisix.admin.plugins") local plugin = require("apisix.plugin") local resource = require("apisix.admin.resource") +local consumer = require("apisix.consumer") local pairs = pairs local function check_conf(id, conf, _need_id, schema) @@ -37,6 +38,7 @@ local function check_conf(id, conf, _need_id, schema) if not plugin_obj then return nil, {error_msg = "unknown plugin " .. name} end + if plugin_obj.type ~= "auth" then return nil, {error_msg = "only supports auth type plugins in consumer credential"} end 
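Review bot: `local consumer, _ = consumer .find_consumer(plugin_name, key_field, key_value)` declares a local named `consumer` that shadows the module-level `local consumer = require("apisix.consumer")` added at the top of this file. It works because the right-hand side is evaluated before the new local comes into scope, but any later use of the module inside that block would reach the lookup result instead. Renaming the result, for example `local existing = consumer.find_consumer(plugin_name, key_field, key_value)` and then testing `existing.username`, avoids the trap. The `apisix/admin/credentials.lua` hunk of this commit has the same shadowing.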
@@ -55,13 +57,15 @@ local function check_conf(id, conf, _need_id, schema) local key_field = plugin_key_map[name] if key_field then local key_value = decrypted_conf[key_field] + if key_value then - local consumer, _ = require("apisix.consumer") - .find_consumer(name, key_field, key_value) + local consumer, _ = consumer + .find_consumer(name, key_field, key_value) + if consumer and consumer.credential_id ~= id then return nil, { error_msg = "duplicate key found with consumer: " - .. consumer.username + .. consumer.username } end end diff --git a/t/admin/credentials.t b/t/admin/credentials.t index 3f92e74365e6..3456c1c1ae26 100644 --- a/t/admin/credentials.t +++ b/t/admin/credentials.t @@ -494,6 +494,7 @@ GET /t {"error_msg":"missing credential id"} + === TEST 17: create a consumer bar --- config location /t { @@ -602,6 +603,7 @@ passed GET /t + === TEST 22: delete consumer bar --- config location /t { @@ -614,6 +616,7 @@ GET /t GET /t + === TEST 23: delete consumer jack --- config location /t { From 5660ad2bb81d8b4babbf3bc115a1a9cf544446f6 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Fri, 14 Mar 2025 12:01:57 +0800 Subject: [PATCH 09/25] fix: test --- apisix/admin/consumers.lua | 7 +++++-- t/secret/aws.t | 2 ++ t/secret/gcp.t | 2 ++ t/secret/secret_lru.t | 2 ++ 4 files changed, 11 insertions(+), 2 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index c0b455a717f8..685e762779bc 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -63,8 +63,11 @@ local function check_conf(username, conf, need_username, schema) local key_value = decrypted_conf[key_field] if key_value then - local consumer, _ = consumer - .find_consumer(plugin_name, key_field, key_value) + local consumer, _, err = consumer + .find_consumer(plugin_name, key_field, key_value) + if err then + core.log.warn("failed to find consumer: ", err) + end if consumer and consumer.username ~= conf.username then return nil, { 
diff --git a/t/secret/aws.t b/t/secret/aws.t index ae0e09b63398..c0d7266da762 100644 --- a/t/secret/aws.t +++ b/t/secret/aws.t @@ -314,3 +314,5 @@ GET /t } --- response_body all done +--- error_log +failed to fetch secret value: no secret conf, secret_uri: $secret://aws/mysecret/jack/key diff --git a/t/secret/gcp.t b/t/secret/gcp.t index b7fc5331cf37..dc28ab56ec65 100644 --- a/t/secret/gcp.t +++ b/t/secret/gcp.t @@ -247,6 +247,8 @@ kEJQcmfVew5mFXyxuEn3zA== } --- response_body all done +--- error_log +failed to fetch secret value: no secret conf, secret_uri: $secret://gcp/mysecret/jack/key diff --git a/t/secret/secret_lru.t b/t/secret/secret_lru.t index 3ff3386fcf15..9f320ae2883e 100644 --- a/t/secret/secret_lru.t +++ b/t/secret/secret_lru.t @@ -96,3 +96,5 @@ GET /t } --- response_body nil +--- error_log +failed to fetch secret value: no secret conf, secret_uri: $secret://vault/mysecret/jack/auth-key From 6cb6b78abe8df16bb2ce9a7f58efdff31725861e Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Fri, 14 Mar 2025 12:03:58 +0800 Subject: [PATCH 10/25] fix: add log --- apisix/admin/credentials.lua | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index cec5fdcd323b..cc029dbae225 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -59,9 +59,13 @@ local function check_conf(id, conf, _need_id, schema) local key_value = decrypted_conf[key_field] if key_value then - local consumer, _ = consumer + local consumer, _, err = consumer .find_consumer(name, key_field, key_value) + if err then + core.log.warn("failed to find consumer: ", err) + end + if consumer and consumer.credential_id ~= id then return nil, { error_msg = "duplicate key found with consumer: " From 02daa2cceef0ed9070de3bc8587e9e4759f7e4b4 Mon Sep 17 00:00:00 2001 
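Review bot: The added `--- error_log` expectations in `t/secret/aws.t`, `t/secret/gcp.t` and `t/secret/secret_lru.t` accept a new `failed to fetch secret value: no secret conf` error without explaining where it now comes from. It looks as if writing a consumer whose key is a `$secret://` reference makes the Admin API duplicate check try to resolve that reference before the secret provider is configured; this is inferred from the timing of the change, not shown in the diff. If so, the check runs against a value it cannot resolve and logs an error on such writes, and it would be better either to skip the lookup for secret references or to document the behaviour in a comment next to the check.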
From: Baoyuan Date: Mon, 17 Mar 2025 15:44:09 +0800 Subject: [PATCH 11/25] fix: format code --- apisix/admin/consumers.lua | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 685e762779bc..32af44109e14 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -34,9 +34,7 @@ local function check_conf(username, conf, need_username, schema) if conf.plugins then ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) if not ok then - return nil, { - error_msg = "invalid plugins configuration: " .. err - } + return nil, {error_msg = "invalid plugins configuration: " .. err} end -- check duplicate key From 3b2aa931683c54e873f378336995e7006e4edbdc Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Fri, 21 Mar 2025 17:20:51 +0800 Subject: [PATCH 12/25] update --- apisix/admin/consumers.lua | 20 ++++++++++---------- apisix/admin/credentials.lua | 10 ++-------- 2 files changed, 12 insertions(+), 18 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 32af44109e14..ba9b23653e24 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -21,6 +21,13 @@ local plugin = require("apisix.plugin") local pairs = pairs local consumer = require("apisix.consumer") +local plugin_key_map = { + ["key-auth"] = "key", + ["basic-auth"] = "username", + ["jwt-auth"] = "key", + ["hmac-auth"] = "key_id" +} + local function check_conf(username, conf, need_username, schema) local ok, err = core.schema.check(schema, conf) if not ok then 
@@ -45,20 +52,13 @@ local function check_conf(username, conf, need_username, schema) end if plugin_obj.type == "auth" then - local decrypted_conf = core.table.deepcopy(plugin_conf) - plugin.decrypt_conf(plugin_name, decrypted_conf, core.schema.TYPE_CONSUMER) - - local plugin_key_map = { - ["key-auth"] = "key", - ["basic-auth"] = "username", - ["jwt-auth"] = "key", - ["hmac-auth"] = "key_id" - } + local plugin_conf_copy = core.table.deepcopy(plugin_conf) + plugin.decrypt_conf(plugin_name, plugin_conf_copy, core.schema.TYPE_CONSUMER) local key_field = plugin_key_map[plugin_name] if key_field then - local key_value = decrypted_conf[key_field] + local key_value = plugin_conf_copy[key_field] if key_value then local consumer, _, err = consumer diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index cc029dbae225..494be741155e 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -19,6 +19,7 @@ local plugins = require("apisix.admin.plugins") local plugin = require("apisix.plugin") local resource = require("apisix.admin.resource") local consumer = require("apisix.consumer") +local consumers = require("apisix.admin.consumers") local pairs = pairs local function check_conf(id, conf, _need_id, schema) @@ -47,14 +48,7 @@ local function check_conf(id, conf, _need_id, schema) local decrypted_conf = core.table.deepcopy(plugin_conf) plugin.decrypt_conf(name, decrypted_conf, core.schema.TYPE_CONSUMER) - local plugin_key_map = { - ["key-auth"] = "key", - ["basic-auth"] = "username", - ["jwt-auth"] = "key", - ["hmac-auth"] = "key_id" - } - - local key_field = plugin_key_map[name] + local key_field = consumers.plugin_key_map[name] if key_field then local key_value = decrypted_conf[key_field] From 7d2d9300b7f6727abed6eff0a03d8b6a577669c5 Mon Sep 17 00:00:00 2001 
From: Baoyuan Date: Tue, 25 Mar 2025 14:10:11 +0800 Subject: [PATCH 13/25] fix: test --- apisix/admin/consumers.lua | 9 ++------- apisix/admin/credentials.lua | 3 ++- apisix/admin/utils.lua | 7 +++++++ 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index ba9b23653e24..6a6f6b16c40e 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -20,13 +20,8 @@ local resource = require("apisix.admin.resource") local plugin = require("apisix.plugin") local pairs = pairs local consumer = require("apisix.consumer") +local utils = require("apisix.admin.utils") -local plugin_key_map = { - ["key-auth"] = "key", - ["basic-auth"] = "username", - ["jwt-auth"] = "key", - ["hmac-auth"] = "key_id" -} local function check_conf(username, conf, need_username, schema) local ok, err = core.schema.check(schema, conf) @@ -55,7 +50,7 @@ local function check_conf(username, conf, need_username, schema) local plugin_conf_copy = core.table.deepcopy(plugin_conf) plugin.decrypt_conf(plugin_name, plugin_conf_copy, core.schema.TYPE_CONSUMER) - local key_field = plugin_key_map[plugin_name] + local key_field = utils.plugin_key_map[plugin_name] if key_field then local key_value = plugin_conf_copy[key_field] diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 494be741155e..93fd2de69a9f 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -20,6 +20,7 @@ local plugin = require("apisix.plugin") local resource = require("apisix.admin.resource") local consumer = require("apisix.consumer") local consumers = require("apisix.admin.consumers") +local utils = require("apisix.admin.utils") local pairs = pairs local function check_conf(id, conf, _need_id, schema) 
@@ -48,7 +49,7 @@ local function check_conf(id, conf, _need_id, schema) local decrypted_conf = core.table.deepcopy(plugin_conf) plugin.decrypt_conf(name, decrypted_conf, core.schema.TYPE_CONSUMER) - local key_field = consumers.plugin_key_map[name] + local key_field = utils.plugin_key_map[name] if key_field then local key_value = decrypted_conf[key_field] diff --git a/apisix/admin/utils.lua b/apisix/admin/utils.lua index eee2787f0540..0a1541a137ac 100644 --- a/apisix/admin/utils.lua +++ b/apisix/admin/utils.lua @@ -110,4 +110,11 @@ function _M.decrypt_params(decrypt_func, body, schema_type) end end +_M.plugin_key_map = { + ["key-auth"] = "key", + ["basic-auth"] = "username", + ["jwt-auth"] = "key", + ["hmac-auth"] = "key_id" +} + return _M From 7fe1827f59db9bd767c49e058eedde0ade09273d Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Tue, 25 Mar 2025 14:34:15 +0800 Subject: [PATCH 14/25] fix: lint code --- apisix/admin/credentials.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 93fd2de69a9f..ee6113b8af3e 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -19,7 +19,6 @@ local plugins = require("apisix.admin.plugins") local plugin = require("apisix.plugin") local resource = require("apisix.admin.resource") local consumer = require("apisix.consumer") -local consumers = require("apisix.admin.consumers") local utils = require("apisix.admin.utils") local pairs = pairs From 38430a0925c52aeaea60822abcae3d1490276922 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Thu, 27 Mar 2025 17:51:47 +0800 Subject: [PATCH 15/25] fix: remove error log --- apisix/admin/consumers.lua | 5 +---- apisix/admin/credentials.lua | 6 +----- 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 6a6f6b16c40e..75067e98db65 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua 
@@ -56,11 +56,8 @@ local function check_conf(username, conf, need_username, schema) local key_value = plugin_conf_copy[key_field] if key_value then - local consumer, _, err = consumer + local consumer = consumer .find_consumer(plugin_name, key_field, key_value) - if err then - core.log.warn("failed to find consumer: ", err) - end if consumer and consumer.username ~= conf.username then return nil, { diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index ee6113b8af3e..458e1322e65a 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -53,13 +53,9 @@ local function check_conf(id, conf, _need_id, schema) local key_value = decrypted_conf[key_field] if key_value then - local consumer, _, err = consumer + local consumer = consumer .find_consumer(name, key_field, key_value) - if err then - core.log.warn("failed to find consumer: ", err) - end - if consumer and consumer.credential_id ~= id then return nil, { error_msg = "duplicate key found with consumer: " From 95c2a92330b896689996c88933744575ecbfe716 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Fri, 28 Mar 2025 16:42:45 +0800 Subject: [PATCH 16/25] fix: update code --- apisix/admin/consumers.lua | 71 +++++++++++++++++++++--------------- apisix/admin/credentials.lua | 45 +++++++++++++---------- 2 files changed, 67 insertions(+), 49 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 75067e98db65..8e3efe21e78e 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua 
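Review bot: Dropping the third return value in `local consumer = consumer .find_consumer(plugin_name, key_field, key_value)` makes a failed lookup indistinguishable from "no duplicate", so the check passes whenever the lookup cannot complete. The previous revision at least logged `err`; for a uniqueness guard on credentials I would keep the value and refuse the request, e.g. `if err then return nil, {error_msg = "failed to check duplicate key"} end`, or at minimum retain the `core.log.warn`. The `apisix/admin/credentials.lua` hunk of this commit removes the same handling. This assumes the third value is an error, as the removed `core.log.warn("failed to find consumer: ", err)` suggests.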
@@ -23,6 +23,45 @@ local consumer = require("apisix.consumer") local utils = require("apisix.admin.utils") +local function check_duplicate_key(username, plugins_conf) + if not plugins_conf then + return true + end + + for plugin_name, plugin_conf in pairs(plugins_conf) do + local plugin_obj = plugin.get(plugin_name) + if not plugin_obj then + return nil, "unknown plugin " .. plugin_name + end + + if plugin_obj.type ~= "auth" then + goto continue + end + + local plugin_conf_copy = core.table.deepcopy(plugin_conf) + plugin.decrypt_conf(plugin_name, plugin_conf_copy, core.schema.TYPE_CONSUMER) + + local key_field = utils.plugin_key_map[plugin_name] + if not key_field then + goto continue + end + + local key_value = plugin_conf_copy[key_field] + if not key_value then + goto continue + end + + local consumer = consumer.find_consumer(plugin_name, key_field, key_value) + if consumer and consumer.username ~= username then + return nil, "duplicate key found with consumer: " .. consumer.username + end + + ::continue:: + end + + return true +end + local function check_conf(username, conf, need_username, schema) local ok, err = core.schema.check(schema, conf) if not ok then 
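Review bot: The new `check_duplicate_key` in consumers.lua has no doc comment, and its contract is not obvious from the call site. It returns `true` or `nil, err`, and it silently skips non-auth plugins, plugins without a `plugin_key_map` entry and configs without a key value through `goto continue`. It also relies entirely on `consumer.find_consumer`; nothing in the hunk shows where that reads from, so if it is a cached view, two concurrent writes carrying the same key could both pass and the check is best-effort rather than a uniqueness guarantee. A header such as `-- best-effort duplicate-credential check; returns true, or nil and an error message`, plus one line listing the skip cases, would cover it; the credentials.lua helper added in the same commit would take the same comment.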
@@ -39,35 +78,9 @@ local function check_conf(username, conf, need_username, schema) return nil, {error_msg = "invalid plugins configuration: " .. err} end - -- check duplicate key - for plugin_name, plugin_conf in pairs(conf.plugins or {}) do - local plugin_obj = plugin.get(plugin_name) - if not plugin_obj then - return nil, {error_msg = "unknown plugin " .. plugin_name} - end - - if plugin_obj.type == "auth" then - local plugin_conf_copy = core.table.deepcopy(plugin_conf) - plugin.decrypt_conf(plugin_name, plugin_conf_copy, core.schema.TYPE_CONSUMER) - - local key_field = utils.plugin_key_map[plugin_name] - - if key_field then - local key_value = plugin_conf_copy[key_field] - - if key_value then - local consumer = consumer - .find_consumer(plugin_name, key_field, key_value) - - if consumer and consumer.username ~= conf.username then - return nil, { - error_msg = "duplicate key found with consumer: " - .. consumer.username - } - end - end - end - end + local ok, err = check_duplicate_key(conf.username, conf.plugins) + if not ok then + return nil, {error_msg = err} end end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 458e1322e65a..9eb56c3e615a 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua 
@@ -22,6 +22,28 @@ local consumer = require("apisix.consumer") local utils = require("apisix.admin.utils") local pairs = pairs +local function check_duplicate_key(id, name, plugin_conf) + local decrypted_conf = core.table.deepcopy(plugin_conf) + plugin.decrypt_conf(name, decrypted_conf, core.schema.TYPE_CONSUMER) + + local key_field = utils.plugin_key_map[name] + if not key_field then + return true + end + + local key_value = decrypted_conf[key_field] + if not key_value then + return true + end + + local consumer = consumer.find_consumer(name, key_field, key_value) + if consumer and consumer.credential_id ~= id then + return nil, "duplicate key found with consumer: " .. consumer.username + end + + return true +end + local function check_conf(id, conf, _need_id, schema) local ok, err = core.schema.check(schema, conf) if not ok then @@ -44,27 +66,10 @@ local function check_conf(id, conf, _need_id, schema) return nil, {error_msg = "only supports auth type plugins in consumer credential"} end - -- check duplicate key - local decrypted_conf = core.table.deepcopy(plugin_conf) - plugin.decrypt_conf(name, decrypted_conf, core.schema.TYPE_CONSUMER) - - local key_field = utils.plugin_key_map[name] - if key_field then - local key_value = decrypted_conf[key_field] - - if key_value then - local consumer = consumer - .find_consumer(name, key_field, key_value) - - if consumer and consumer.credential_id ~= id then - return nil, { - error_msg = "duplicate key found with consumer: " - .. consumer.username - } - end - end + local ok, err = check_duplicate_key(id, name, plugin_conf) + if not ok then + return nil, {error_msg = err} end - end end From de681970ee18eb5e5f2036adcfc726c1286243cd Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Tue, 1 Apr 2025 13:42:48 +0800 Subject: [PATCH 17/25] fix: lint --- apisix/admin/consumers.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 8e3efe21e78e..3100ccfc335c 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -40,7 +40,7 @@ local function check_duplicate_key(username, plugins_conf) local plugin_conf_copy = core.table.deepcopy(plugin_conf) plugin.decrypt_conf(plugin_name, plugin_conf_copy, core.schema.TYPE_CONSUMER) - + local key_field = utils.plugin_key_map[plugin_name] if not key_field then goto continue @@ -58,7 +58,7 @@ local function check_duplicate_key(username, plugins_conf) ::continue:: end - + return true end From b5efe91184fc6deb91cdb9dab9450e9e251a5273 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 2 Apr 2025 11:24:42 +0800 Subject: [PATCH 18/25] fix: update code --- apisix/admin/consumers.lua | 13 +- apisix/admin/credentials.lua | 48 +++-- conf/config.yaml | 369 +++++++++++++++++++++++++++++------ t/APISIX.pm | 2 +- t/admin/credentials.t | 39 ---- 5 files changed, 347 insertions(+), 124 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 3100ccfc335c..bb5b52958b68 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -38,15 +38,12 @@ local function check_duplicate_key(username, plugins_conf) goto continue end - local plugin_conf_copy = core.table.deepcopy(plugin_conf) - plugin.decrypt_conf(plugin_name, plugin_conf_copy, core.schema.TYPE_CONSUMER) - local key_field = utils.plugin_key_map[plugin_name] if not key_field then goto continue end - local key_value = plugin_conf_copy[key_field] + local key_value = plugin_conf[key_field] if not key_value then goto continue end 
@@ -73,14 +70,14 @@ local function check_conf(username, conf, need_username, schema) end if conf.plugins then - ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) + local ok, err = check_duplicate_key(conf.username, conf.plugins) if not ok then - return nil, {error_msg = "invalid plugins configuration: " .. err} + return nil, {error_msg = err} end - local ok, err = check_duplicate_key(conf.username, conf.plugins) + ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) if not ok then - return nil, {error_msg = err} + return nil, {error_msg = "invalid plugins configuration: " .. err} end end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 9eb56c3e615a..9912a181708a 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua 
@@ -22,23 +22,33 @@ local consumer = require("apisix.consumer") local utils = require("apisix.admin.utils") local pairs = pairs -local function check_duplicate_key(id, name, plugin_conf) - local decrypted_conf = core.table.deepcopy(plugin_conf) - plugin.decrypt_conf(name, decrypted_conf, core.schema.TYPE_CONSUMER) +local function check_duplicate_key(id, plugins) + for name, plugin_conf in pairs(plugins) do + local plugin_obj = plugin.get(name) + if not plugin_obj then + goto continue + end - local key_field = utils.plugin_key_map[name] - if not key_field then - return true - end + if plugin_obj.type ~= "auth" then + goto continue + end - local key_value = decrypted_conf[key_field] - if not key_value then - return true - end + local key_field = utils.plugin_key_map[name] + if not key_field then + goto continue + end + + local key_value = plugin_conf[key_field] + if not key_value then + goto continue + end - local consumer = consumer.find_consumer(name, key_field, key_value) - if consumer and consumer.credential_id ~= id then - return nil, "duplicate key found with consumer: " .. consumer.username + local consumer = consumer.find_consumer(name, key_field, key_value) + if consumer and consumer.credential_id ~= id then + return nil, "duplicate key found with consumer: " .. consumer.username + end + + ::continue:: end return true @@ -51,6 +61,11 @@ local function check_conf(id, conf, _need_id, schema) end if conf.plugins then + local ok, err = check_duplicate_key(id, conf.plugins) + if not ok then + return nil, {error_msg = err} + end + ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) if not ok then return nil, {error_msg = "invalid plugins configuration: " .. err} 
@@ -65,11 +80,6 @@ local function check_conf(id, conf, _need_id, schema) if plugin_obj.type ~= "auth" then return nil, {error_msg = "only supports auth type plugins in consumer credential"} end - - local ok, err = check_duplicate_key(id, name, plugin_conf) - if not ok then - return nil, {error_msg = err} - end end end diff --git a/conf/config.yaml b/conf/config.yaml index 6a3c43068f4a..f2cc33f2ff13 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
@@ -1,63 +1,318 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# If you want to set the specified configuration value, you can set the new -# in this file. For example if you want to specify the etcd address: -# -# deployment: -# role: traditional -# role_traditional: -# config_provider: etcd -# etcd: -# host: -# - http://127.0.0.1:2379 -# -# To configure via environment variables, you can use `${{VAR}}` syntax. For instance: -# -# deployment: -# role: traditional -# role_traditional: -# config_provider: etcd -# etcd: -# host: -# - http://${{ETCD_HOST}}:2379 -# -# And then run `export ETCD_HOST=$your_host` before `make init`. -# -# If the configured environment variable can't be found, an error will be thrown. -# -# Also, If you want to use default value when the environment variable not set, -# Use `${{VAR:=default_value}}` instead. For instance: -# -# deployment: -# role: traditional -# role_traditional: -# config_provider: etcd -# etcd: -# host: -# - http://${{ETCD_HOST:=localhost}}:2379 -# -# This will find environment variable `ETCD_HOST` first, and if it's not exist it will use `localhost` as default value. 
-# +--- +apisix: + disable_sync_configuration_during_start: false + normalize_uri_like_servlet: false + node_listen: + - 9080 + enable_dev_mode: false + enable_reuseport: true + enable_ipv6: true + extra_lua_path: '' + extra_lua_cpath: '' + enable_resolv_search_opt: true + enable_admin: true + proxy_mode: http + router: + http: radixtree_host_uri + ssl: radixtree_sni + enable_server_tokens: true + enable_http2: true + data_encryption: + keyring: + - qeddd145sfvddff3 + - edd1c9f0985e76a2 + enable_encrypt_fields: true + ssl: + listen: + - enable_http3: false + port: 9443 + ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt + enable: true + ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + ssl_session_tickets: false + ssl_protocols: TLSv1.2 TLSv1.3 + events: + module: lua-resty-events + resolver_timeout: 5 + proxy_cache: + cache_ttl: 10s + zones: + - disk_size: 1G + disk_path: /tmp/disk_cache_one + cache_levels: '1:2' + memory_size: 50m + name: disk_cache_one + - memory_size: 50m + name: memory_cache + delete_uri_tail_slash: false + show_upstream_status_in_response_header: false + enable_control: true +nginx_config: + main_configuration_snippet: '' + http_configuration_snippet: '' + http_server_configuration_snippet: '' + http_server_location_configuration_snippet: '' + http_admin_configuration_snippet: '' + error_log: logs/error.log + event: + worker_connections: 10620 + error_log_level: info + worker_processes: auto + enable_cpu_affinity: false + worker_rlimit_nofile: 20480 + worker_shutdown_timeout: 240s + max_pending_timers: 16384 + max_running_timers: 4096 + meta: + lua_shared_dict: + prometheus-metrics: 15m + http: + access_log_buffer: 16384 + keepalive_timeout: 60s + client_header_timeout: 60s + real_ip_from: + - 127.0.0.1 + - 'unix:' + client_max_body_size: 0 + 
send_timeout: 10s + underscores_in_headers: 'on' + real_ip_header: X-Real-IP + enable_access_log: true + access_log: logs/access.log + access_log_format: $remote_addr - $remote_user [$time_local] $http_host "$request" + $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent" $upstream_addr + $upstream_status $upstream_response_time "$upstream_scheme://$upstream_host$upstream_uri" + lua_shared_dict: + worker-events: 10m + lrucache-lock: 10m + balancer-ewma: 10m + balancer-ewma-locks: 10m + balancer-ewma-last-touched-at: 10m + etcd-cluster-health-check: 10m + plugin-limit-conn: 10m + plugin-limit-conn-redis-cluster-slot-lock: 1m + plugin-limit-req-redis-cluster-slot-lock: 1m + plugin-limit-req: 10m + plugin-limit-count: 10m + plugin-limit-count-redis-cluster-slot-lock: 1m + prometheus-metrics: 10m + plugin-api-breaker: 10m + discovery: 1m + jwks: 1m + introspection: 10m + access-tokens: 1m + ext-plugin: 1m + tracing_buffer: 10m + tars: 1m + cas-auth: 10m + ocsp-stapling: 10m + internal-status: 10m + upstream-healthcheck: 10m + access_log_format_escape: default + variables_hash_max_size: 2048 + charset: utf-8 + client_body_timeout: 60s + real_ip_recursive: 'off' + proxy_ssl_server_name: true + upstream: + keepalive_requests: 1000 + keepalive_timeout: 60s + keepalive: 320 + stream: + access_log_format_escape: default + lua_shared_dict: + etcd-cluster-health-check-stream: 10m + lrucache-lock-stream: 10m + plugin-limit-conn-stream: 10m + worker-events-stream: 10m + tars-stream: 1m + enable_access_log: false + access_log: logs/access_stream.log + access_log_format: $remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received + $session_time + stream_configuration_snippet: '' + http_end_configuration_snippet: '' +etcd: + tls: + verify: true + startup_retry: 2 + watch_timeout: 50 + host: + - http://127.0.0.1:2379 + prefix: /apisix + timeout: 30 +plugin_attr: + zipkin: + set_ngx_var: false + log-rotate: + enable_compression: false + max_size: -1 
+ timeout: 10000 + interval: 3600 + max_kept: 168 + proxy-mirror: + timeout: + read: 60s + connect: 60s + send: 60s + prometheus: + metric_prefix: apisix_ + enable_export_server: true + export_uri: /apisix/prometheus/metrics + export_addr: + port: 9091 + ip: 127.0.0.1 + skywalking: + service_name: APISIX + report_interval: 3 + service_instance_name: APISIX Instance Name + endpoint_addr: http://127.0.0.1:12800 + inspect: + hooks_file: /usr/local/apisix/plugin_inspect_hooks.lua + delay: 3 + dubbo-proxy: + upstream_multiplex_count: 32 + server-info: + report_ttl: 60 + opentelemetry: + trace_id_source: x-request-id + set_ngx_var: false + batch_span_processor: + drop_on_queue_full: false + max_queue_size: 1024 + batch_timeout: 2 + inactive_timeout: 1 + max_export_batch_size: 16 + collector: + address: 127.0.0.1:4318 + request_timeout: 3 + request_headers: + Authorization: token + resource: + service.name: APISIX +stream_plugins: +- ip-restriction +- limit-conn +- mqtt-proxy +- syslog deployment: role: traditional + config_provider: etcd + etcd: + tls: + verify: true + startup_retry: 2 + watch_timeout: 50 + host: + - http://127.0.0.1:2379 + prefix: /apisix + timeout: 30 role_traditional: config_provider: etcd admin: + admin_api_version: v3 admin_key: - - name: admin - key: '' # using fixed API token has security risk, please update it when you deploy to production environment. If passed empty then will be autogenerated by APISIX and will be written back here. Recommended is to use external mechanism to generate and store the token. 
- role: admin + - role: admin + name: admin + key: eakaZpqodXhMbuEakOWYuWtgkwUNkkid + admin_listen: + port: 9180 + ip: 0.0.0.0 + admin_key_required: true + allow_admin: + - 127.0.0.0/24 + enable_admin_cors: true +graphql: + max_size: 1048576 +plugins: +- real-ip +- ai +- client-control +- proxy-control +- request-id +- zipkin +- ext-plugin-pre-req +- fault-injection +- mocking +- serverless-pre-function +- cors +- ip-restriction +- ua-restriction +- referer-restriction +- csrf +- uri-blocker +- request-validation +- chaitin-waf +- multi-auth +- openid-connect +- cas-auth +- authz-casbin +- authz-casdoor +- wolf-rbac +- ldap-auth +- hmac-auth +- basic-auth +- jwt-auth +- jwe-decrypt +- key-auth +- consumer-restriction +- attach-consumer-label +- forward-auth +- opa +- authz-keycloak +- proxy-cache +- body-transformer +- ai-prompt-template +- ai-prompt-decorator +- ai-prompt-guard +- ai-rag +- ai-proxy-multi +- ai-proxy +- ai-aws-content-moderation +- proxy-mirror +- proxy-rewrite +- workflow +- api-breaker +- limit-conn +- limit-count +- limit-req +- gzip +- server-info +- traffic-split +- redirect +- response-rewrite +- degraphql +- kafka-proxy +- grpc-transcode +- grpc-web +- http-dubbo +- public-api +- prometheus +- datadog +- loki-logger +- elasticsearch-logger +- echo +- loggly +- http-logger +- splunk-hec-logging +- skywalking-logger +- google-cloud-logging +- sls-logger +- tcp-logger +- kafka-logger +- rocketmq-logger +- syslog +- udp-logger +- file-logger +- clickhouse-logger +- tencent-cloud-cls +- inspect +- example-plugin +- aws-lambda +- azure-functions +- openwhisk +- openfunction +- serverless-post-function +- ext-plugin-post-req +- ext-plugin-post-resp +... diff --git a/t/APISIX.pm b/t/APISIX.pm index 2e1724a12aa1..bddcb7aee100 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm 
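Review bot: Credential material ends up in the repository here: the new side of conf/config.yaml has a literal `key:` value under `deployment.admin.admin_key` and literal `data_encryption.keyring` entries, where the old side shipped `key: ''` with a warning against fixed tokens. The same hunk sets `admin_listen` to `ip: 0.0.0.0` and `enable_admin_cors: true`, which looks like a rendered local configuration rather than the template. The file should be dropped from this commit; because the value stays in the branch history, the admin key is best treated as disclosed and regenerated wherever it was in use, and the same goes for the keyring entries unless they are the shipped defaults. A later patch in this series restores the template, but squashing or rebasing this change away before merge would keep the key out of the history altogether.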
@@ -280,7 +280,7 @@ _EOC_ } # set default `timeout` to 5sec - my $timeout = $block->timeout // 5; + my $timeout = $block->timeout // 15; $block->set_value("timeout", $timeout); my $stream_tls_request = $block->stream_tls_request; diff --git a/t/admin/credentials.t b/t/admin/credentials.t index 3456c1c1ae26..6d15f9288cc7 100644 --- a/t/admin/credentials.t +++ b/t/admin/credentials.t @@ -588,42 +588,3 @@ GET /t --- response_body passed --- error_code: 200 - - - -=== TEST 21: delete credential credential_c ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/consumers/bar/credentials/credential_c', ngx.HTTP_DELETE) - } - } ---- request -GET /t - - - -=== TEST 22: delete consumer bar ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/consumers/bar', ngx.HTTP_DELETE) - } - } ---- request -GET /t - - - -=== TEST 23: delete consumer jack ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/consumers/jack', ngx.HTTP_DELETE) - } - } ---- request -GET /t From f5f883d7d06bcefc46a1b6c966be60bc2841597e Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 2 Apr 2025 11:26:04 +0800 Subject: [PATCH 19/25] fix: update --- conf/config.yaml | 369 ++++++++--------------------------------------- t/APISIX.pm | 2 +- 2 files changed, 58 insertions(+), 313 deletions(-) diff --git a/conf/config.yaml b/conf/config.yaml index f2cc33f2ff13..6a3c43068f4a 100644 --- a/conf/config.yaml +++ b/conf/config.yaml 
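Review bot: The comment above the changed line in t/APISIX.pm still says the default timeout is 5sec, while the new line sets `$block->timeout // 15`. Tripling the default for every test block also hides slow or hanging Admin API calls in unrelated suites; if only the new duplicate-key tests need more time, a `--- timeout: 15` section in those blocks keeps the change local. If the global change is kept, the comment should be updated to name 15 seconds. The surrounding sub starts and ends outside the hunk.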
@@ -1,318 +1,63 @@ ---- -apisix: - disable_sync_configuration_during_start: false - normalize_uri_like_servlet: false - node_listen: - - 9080 - enable_dev_mode: false - enable_reuseport: true - enable_ipv6: true - extra_lua_path: '' - extra_lua_cpath: '' - enable_resolv_search_opt: true - enable_admin: true - proxy_mode: http - router: - http: radixtree_host_uri - ssl: radixtree_sni - enable_server_tokens: true - enable_http2: true - data_encryption: - keyring: - - qeddd145sfvddff3 - - edd1c9f0985e76a2 - enable_encrypt_fields: true - ssl: - listen: - - enable_http3: false - port: 9443 - ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt - enable: true - ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 - ssl_session_tickets: false - ssl_protocols: TLSv1.2 TLSv1.3 - events: - module: lua-resty-events - resolver_timeout: 5 - proxy_cache: - cache_ttl: 10s - zones: - - disk_size: 1G - disk_path: /tmp/disk_cache_one - cache_levels: '1:2' - memory_size: 50m - name: disk_cache_one - - memory_size: 50m - name: memory_cache - delete_uri_tail_slash: false - show_upstream_status_in_response_header: false - enable_control: true -nginx_config: - main_configuration_snippet: '' - http_configuration_snippet: '' - http_server_configuration_snippet: '' - http_server_location_configuration_snippet: '' - http_admin_configuration_snippet: '' - error_log: logs/error.log - event: - worker_connections: 10620 - error_log_level: info - worker_processes: auto - enable_cpu_affinity: false - worker_rlimit_nofile: 20480 - worker_shutdown_timeout: 240s - max_pending_timers: 16384 - max_running_timers: 4096 - meta: - lua_shared_dict: - prometheus-metrics: 15m - http: - access_log_buffer: 16384 - keepalive_timeout: 60s - client_header_timeout: 60s - real_ip_from: - - 127.0.0.1 - - 'unix:' - 
client_max_body_size: 0 - send_timeout: 10s - underscores_in_headers: 'on' - real_ip_header: X-Real-IP - enable_access_log: true - access_log: logs/access.log - access_log_format: $remote_addr - $remote_user [$time_local] $http_host "$request" - $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent" $upstream_addr - $upstream_status $upstream_response_time "$upstream_scheme://$upstream_host$upstream_uri" - lua_shared_dict: - worker-events: 10m - lrucache-lock: 10m - balancer-ewma: 10m - balancer-ewma-locks: 10m - balancer-ewma-last-touched-at: 10m - etcd-cluster-health-check: 10m - plugin-limit-conn: 10m - plugin-limit-conn-redis-cluster-slot-lock: 1m - plugin-limit-req-redis-cluster-slot-lock: 1m - plugin-limit-req: 10m - plugin-limit-count: 10m - plugin-limit-count-redis-cluster-slot-lock: 1m - prometheus-metrics: 10m - plugin-api-breaker: 10m - discovery: 1m - jwks: 1m - introspection: 10m - access-tokens: 1m - ext-plugin: 1m - tracing_buffer: 10m - tars: 1m - cas-auth: 10m - ocsp-stapling: 10m - internal-status: 10m - upstream-healthcheck: 10m - access_log_format_escape: default - variables_hash_max_size: 2048 - charset: utf-8 - client_body_timeout: 60s - real_ip_recursive: 'off' - proxy_ssl_server_name: true - upstream: - keepalive_requests: 1000 - keepalive_timeout: 60s - keepalive: 320 - stream: - access_log_format_escape: default - lua_shared_dict: - etcd-cluster-health-check-stream: 10m - lrucache-lock-stream: 10m - plugin-limit-conn-stream: 10m - worker-events-stream: 10m - tars-stream: 1m - enable_access_log: false - access_log: logs/access_stream.log - access_log_format: $remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received - $session_time - stream_configuration_snippet: '' - http_end_configuration_snippet: '' -etcd: - tls: - verify: true - startup_retry: 2 - watch_timeout: 50 - host: - - http://127.0.0.1:2379 - prefix: /apisix - timeout: 30 -plugin_attr: - zipkin: - set_ngx_var: false - log-rotate: - 
enable_compression: false - max_size: -1 - timeout: 10000 - interval: 3600 - max_kept: 168 - proxy-mirror: - timeout: - read: 60s - connect: 60s - send: 60s - prometheus: - metric_prefix: apisix_ - enable_export_server: true - export_uri: /apisix/prometheus/metrics - export_addr: - port: 9091 - ip: 127.0.0.1 - skywalking: - service_name: APISIX - report_interval: 3 - service_instance_name: APISIX Instance Name - endpoint_addr: http://127.0.0.1:12800 - inspect: - hooks_file: /usr/local/apisix/plugin_inspect_hooks.lua - delay: 3 - dubbo-proxy: - upstream_multiplex_count: 32 - server-info: - report_ttl: 60 - opentelemetry: - trace_id_source: x-request-id - set_ngx_var: false - batch_span_processor: - drop_on_queue_full: false - max_queue_size: 1024 - batch_timeout: 2 - inactive_timeout: 1 - max_export_batch_size: 16 - collector: - address: 127.0.0.1:4318 - request_timeout: 3 - request_headers: - Authorization: token - resource: - service.name: APISIX -stream_plugins: -- ip-restriction -- limit-conn -- mqtt-proxy -- syslog +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# If you want to set the specified configuration value, you can set the new +# in this file. 
For example if you want to specify the etcd address: +# +# deployment: +# role: traditional +# role_traditional: +# config_provider: etcd +# etcd: +# host: +# - http://127.0.0.1:2379 +# +# To configure via environment variables, you can use `${{VAR}}` syntax. For instance: +# +# deployment: +# role: traditional +# role_traditional: +# config_provider: etcd +# etcd: +# host: +# - http://${{ETCD_HOST}}:2379 +# +# And then run `export ETCD_HOST=$your_host` before `make init`. +# +# If the configured environment variable can't be found, an error will be thrown. +# +# Also, If you want to use default value when the environment variable not set, +# Use `${{VAR:=default_value}}` instead. For instance: +# +# deployment: +# role: traditional +# role_traditional: +# config_provider: etcd +# etcd: +# host: +# - http://${{ETCD_HOST:=localhost}}:2379 +# +# This will find environment variable `ETCD_HOST` first, and if it's not exist it will use `localhost` as default value. +# deployment: role: traditional - config_provider: etcd - etcd: - tls: - verify: true - startup_retry: 2 - watch_timeout: 50 - host: - - http://127.0.0.1:2379 - prefix: /apisix - timeout: 30 role_traditional: config_provider: etcd admin: - admin_api_version: v3 admin_key: - - role: admin - name: admin - key: eakaZpqodXhMbuEakOWYuWtgkwUNkkid - admin_listen: - port: 9180 - ip: 0.0.0.0 - admin_key_required: true - allow_admin: - - 127.0.0.0/24 - enable_admin_cors: true -graphql: - max_size: 1048576 -plugins: -- real-ip -- ai -- client-control -- proxy-control -- request-id -- zipkin -- ext-plugin-pre-req -- fault-injection -- mocking -- serverless-pre-function -- cors -- ip-restriction -- ua-restriction -- referer-restriction -- csrf -- uri-blocker -- request-validation -- chaitin-waf -- multi-auth -- openid-connect -- cas-auth -- authz-casbin -- authz-casdoor -- wolf-rbac -- ldap-auth -- hmac-auth -- basic-auth -- jwt-auth -- jwe-decrypt -- key-auth -- consumer-restriction -- attach-consumer-label -- 
forward-auth -- opa -- authz-keycloak -- proxy-cache -- body-transformer -- ai-prompt-template -- ai-prompt-decorator -- ai-prompt-guard -- ai-rag -- ai-proxy-multi -- ai-proxy -- ai-aws-content-moderation -- proxy-mirror -- proxy-rewrite -- workflow -- api-breaker -- limit-conn -- limit-count -- limit-req -- gzip -- server-info -- traffic-split -- redirect -- response-rewrite -- degraphql -- kafka-proxy -- grpc-transcode -- grpc-web -- http-dubbo -- public-api -- prometheus -- datadog -- loki-logger -- elasticsearch-logger -- echo -- loggly -- http-logger -- splunk-hec-logging -- skywalking-logger -- google-cloud-logging -- sls-logger -- tcp-logger -- kafka-logger -- rocketmq-logger -- syslog -- udp-logger -- file-logger -- clickhouse-logger -- tencent-cloud-cls -- inspect -- example-plugin -- aws-lambda -- azure-functions -- openwhisk -- openfunction -- serverless-post-function -- ext-plugin-post-req -- ext-plugin-post-resp -... + - name: admin + key: '' # using fixed API token has security risk, please update it when you deploy to production environment. If passed empty then will be autogenerated by APISIX and will be written back here. Recommended is to use external mechanism to generate and store the token. + role: admin diff --git a/t/APISIX.pm b/t/APISIX.pm index bddcb7aee100..2e1724a12aa1 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm @@ -280,7 +280,7 @@ _EOC_ } # set default `timeout` to 5sec - my $timeout = $block->timeout // 15; + my $timeout = $block->timeout // 5; $block->set_value("timeout", $timeout); my $stream_tls_request = $block->stream_tls_request; From e3af265a35d3ba2662e208710c24856c6f49e13f Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Wed, 2 Apr 2025 11:28:09 +0800 Subject: [PATCH 20/25] fix: update --- apisix/admin/credentials.lua | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 9912a181708a..b4f0ab7610fb 100644 --- a/apisix/admin/credentials.lua 
+++ b/apisix/admin/credentials.lua @@ -71,12 +71,11 @@ local function check_conf(id, conf, _need_id, schema) return nil, {error_msg = "invalid plugins configuration: " .. err} end - for name, plugin_conf in pairs(conf.plugins) do + for name, _ in pairs(conf.plugins) do local plugin_obj = plugin.get(name) if not plugin_obj then return nil, {error_msg = "unknown plugin " .. name} end - if plugin_obj.type ~= "auth" then return nil, {error_msg = "only supports auth type plugins in consumer credential"} end From 37170390bedebdbdd49bd24c8a7a75ac51d398da Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Thu, 3 Apr 2025 10:57:31 +0800 Subject: [PATCH 21/25] update --- apisix/admin/consumers.lua | 12 +++++++----- apisix/admin/credentials.lua | 11 +++++++---- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index bb5b52958b68..1f9c9f116227 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -70,15 +70,17 @@ local function check_conf(username, conf, need_username, schema) end if conf.plugins then - local ok, err = check_duplicate_key(conf.username, conf.plugins) - if not ok then - return nil, {error_msg = err} - end - + -- check_schema encrypts the key in the plugin. + -- check duplicate key require the original key. + local conf_plugins_copy = core.table.deepcopy(conf.plugins) ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) if not ok then return nil, {error_msg = "invalid plugins configuration: " .. err} end + local ok, err = check_duplicate_key(conf.username, conf_plugins_copy) + if not ok then + return nil, {error_msg = err} + end end if conf.group_id then diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index b4f0ab7610fb..d4ef3dcf7e5a 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua 
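Review bot: In the consumers.lua hunk, `local ok, err = check_duplicate_key(conf.username, conf_plugins_copy)` redeclares `ok` and `err`, which the check_schema line just above assigns without `local`; luacheck reports that as shadowing, and plain `ok, err = check_duplicate_key(conf.username, conf_plugins_copy)` is enough. Going by the added comment, `conf_plugins_copy` holds the credentials before encryption, so the comment should say that and the copy should stay out of logs and error messages: `-- check_schema encrypts sensitive fields of conf.plugins in place; keep a plaintext copy for the duplicate-key lookup only`. The credentials.lua hunk of the same commit has the same two lines. check_conf starts and ends outside both hunks.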
@@ -61,14 +61,17 @@ local function check_conf(id, conf, _need_id, schema) end if conf.plugins then - local ok, err = check_duplicate_key(id, conf.plugins) + -- check_schema encrypts the key in the plugin. + -- check duplicate key require the original key. + local conf_plugins_copy = core.table.deepcopy(conf.plugins) + ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) if not ok then - return nil, {error_msg = err} + return nil, {error_msg = "invalid plugins configuration: " .. err} end - ok, err = plugins.check_schema(conf.plugins, core.schema.TYPE_CONSUMER) + local ok, err = check_duplicate_key(id, conf_plugins_copy) if not ok then - return nil, {error_msg = "invalid plugins configuration: " .. err} + return nil, {error_msg = err} end for name, _ in pairs(conf.plugins) do From 07b2eca906395b65f40870a739bf742b4305d49f Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Thu, 3 Apr 2025 16:42:10 +0800 Subject: [PATCH 22/25] fix: merge function --- apisix/admin/consumers.lua | 40 +-------------------------------- apisix/admin/credentials.lua | 35 +---------------------------- apisix/admin/utils.lua | 43 +++++++++++++++++++++++++++++++++++- 3 files changed, 44 insertions(+), 74 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index 1f9c9f116227..da67ca10ce17 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua 
@@ -19,46 +19,8 @@ local plugins = require("apisix.admin.plugins") local resource = require("apisix.admin.resource") local plugin = require("apisix.plugin") local pairs = pairs -local consumer = require("apisix.consumer") local utils = require("apisix.admin.utils") - -local function check_duplicate_key(username, plugins_conf) - if not plugins_conf then - return true - end - - for plugin_name, plugin_conf in pairs(plugins_conf) do - local plugin_obj = plugin.get(plugin_name) - if not plugin_obj then - return nil, "unknown plugin " .. plugin_name - end - - if plugin_obj.type ~= "auth" then - goto continue - end - - local key_field = utils.plugin_key_map[plugin_name] - if not key_field then - goto continue - end - - local key_value = plugin_conf[key_field] - if not key_value then - goto continue - end - - local consumer = consumer.find_consumer(plugin_name, key_field, key_value) - if consumer and consumer.username ~= username then - return nil, "duplicate key found with consumer: " .. consumer.username - end - - ::continue:: - end - - return true -end - local function check_conf(username, conf, need_username, schema) local ok, err = core.schema.check(schema, conf) if not ok then @@ -77,7 +39,7 @@ local function check_conf(username, conf, need_username, schema) if not ok then return nil, {error_msg = "invalid plugins configuration: " .. err} end - local ok, err = check_duplicate_key(conf.username, conf_plugins_copy) + local ok, err = utils.check_duplicate_key(conf_plugins_copy, conf.username) if not ok then return nil, {error_msg = err} end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index d4ef3dcf7e5a..73e877d8b0e8 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua 
@@ -18,42 +18,9 @@ local core = require("apisix.core") local plugins = require("apisix.admin.plugins") local plugin = require("apisix.plugin") local resource = require("apisix.admin.resource") -local consumer = require("apisix.consumer") local utils = require("apisix.admin.utils") local pairs = pairs -local function check_duplicate_key(id, plugins) - for name, plugin_conf in pairs(plugins) do - local plugin_obj = plugin.get(name) - if not plugin_obj then - goto continue - end - - if plugin_obj.type ~= "auth" then - goto continue - end - - local key_field = utils.plugin_key_map[name] - if not key_field then - goto continue - end - - local key_value = plugin_conf[key_field] - if not key_value then - goto continue - end - - local consumer = consumer.find_consumer(name, key_field, key_value) - if consumer and consumer.credential_id ~= id then - return nil, "duplicate key found with consumer: " .. consumer.username - end - - ::continue:: - end - - return true -end - local function check_conf(id, conf, _need_id, schema) local ok, err = core.schema.check(schema, conf) if not ok then @@ -69,7 +36,7 @@ local function check_conf(id, conf, _need_id, schema) return nil, {error_msg = "invalid plugins configuration: " .. err} end - local ok, err = check_duplicate_key(id, conf_plugins_copy) + local ok, err = utils.check_duplicate_key(conf_plugins_copy, nil, id) if not ok then return nil, {error_msg = err} end diff --git a/apisix/admin/utils.lua b/apisix/admin/utils.lua index 0a1541a137ac..c72f1d73c2a8 100644 --- a/apisix/admin/utils.lua +++ b/apisix/admin/utils.lua @@ -19,6 +19,8 @@ local ngx_time = ngx.time local tonumber = tonumber local ipairs = ipairs local pairs = pairs +local consumer = require("apisix.consumer") +local plugin = require("apisix.plugin") local _M = {} 
@@ -110,11 +112,50 @@ function _M.decrypt_params(decrypt_func, body, schema_type) end end -_M.plugin_key_map = { + +local plugin_key_map = { ["key-auth"] = "key", ["basic-auth"] = "username", ["jwt-auth"] = "key", ["hmac-auth"] = "key_id" } + +function _M.check_duplicate_key(plugins_conf, username, credential_id) + if not plugins_conf then + return true + end + + for plugin_name, plugin_conf in pairs(plugins_conf) do + local plugin_obj = plugin.get(plugin_name) + if not plugin_obj then + return nil, "unknown plugin " .. plugin_name + end + + if plugin_obj.type ~= "auth" then + goto continue + end + + local key_field = plugin_key_map[plugin_name] + if not key_field then + goto continue + end + + local key_value = plugin_conf[key_field] + if not key_value then + goto continue + end + + local consumer = consumer.find_consumer(plugin_name, key_field, key_value) + if consumer and + ((username and consumer.username ~= username) or (credential_id and consumer.credential_id ~= credential_id)) then + return nil, "duplicate key found with consumer: " .. consumer.username + end + + ::continue:: + end + + return true +end + return _M From 9caab8f237d46a640914de91ea95ad3d592bf63e Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Thu, 3 Apr 2025 16:55:49 +0800 Subject: [PATCH 23/25] fix: lint code --- apisix/admin/consumers.lua | 2 -- apisix/admin/utils.lua | 3 ++- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index da67ca10ce17..d78800767c44 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -17,8 +17,6 @@ local core = require("apisix.core") local plugins = require("apisix.admin.plugins") local resource = require("apisix.admin.resource") -local plugin = require("apisix.plugin") -local pairs = pairs local utils = require("apisix.admin.utils") local function check_conf(username, conf, need_username, schema) 
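Review bot: In `_M.check_duplicate_key` (the `utils.lua` hunk at `@@ -110,11 +112,50 @@`), a match is reported only when `username` or `credential_id` is non-nil and differs, so a call with both arguments nil accepts every duplicate key. `credentials.lua` calls it as `check_duplicate_key(conf_plugins_copy, nil, id)`, so the credential path depends on `id` always being set, which this diff does not show. Failing closed is safer: inside `if consumer then`, compute `local same_owner = (username and consumer.username == username) or (credential_id and consumer.credential_id == credential_id)` and return the error on `if not same_owner then`. The same body is moved to `apisix/consumer.lua` in patch 24 and needs the same change there.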
diff --git a/apisix/admin/utils.lua b/apisix/admin/utils.lua index c72f1d73c2a8..594840a1075e 100644 --- a/apisix/admin/utils.lua +++ b/apisix/admin/utils.lua @@ -148,7 +148,8 @@ function _M.check_duplicate_key(plugins_conf, username, credential_id) local consumer = consumer.find_consumer(plugin_name, key_field, key_value) if consumer and - ((username and consumer.username ~= username) or (credential_id and consumer.credential_id ~= credential_id)) then + ((username and consumer.username ~= username) or + (credential_id and consumer.credential_id ~= credential_id)) then return nil, "duplicate key found with consumer: " .. consumer.username end From 74d42191f7520e423c6ad53d77a098eb1a8225d9 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Sun, 27 Apr 2025 15:28:23 +0800 Subject: [PATCH 24/25] fix: adjust function position --- apisix/admin/consumers.lua | 4 +-- apisix/admin/credentials.lua | 4 +-- apisix/admin/utils.lua | 49 ------------------------------------ apisix/consumer.lua | 45 +++++++++++++++++++++++++++++++++ t/APISIX.pm | 2 +- 5 files changed, 50 insertions(+), 54 deletions(-) diff --git a/apisix/admin/consumers.lua b/apisix/admin/consumers.lua index d78800767c44..e936c64ef30b 100644 --- a/apisix/admin/consumers.lua +++ b/apisix/admin/consumers.lua @@ -17,7 +17,7 @@ local core = require("apisix.core") local plugins = require("apisix.admin.plugins") local resource = require("apisix.admin.resource") -local utils = require("apisix.admin.utils") +local consumer = require("apisix.consumer") local function check_conf(username, conf, need_username, schema) local ok, err = core.schema.check(schema, conf) 
@@ -37,7 +37,7 @@ local function check_conf(username, conf, need_username, schema) if not ok then return nil, {error_msg = "invalid plugins configuration: " .. err} end - local ok, err = utils.check_duplicate_key(conf_plugins_copy, conf.username) + local ok, err = consumer.check_duplicate_key(conf_plugins_copy, conf.username) if not ok then return nil, {error_msg = err} end diff --git a/apisix/admin/credentials.lua b/apisix/admin/credentials.lua index 73e877d8b0e8..75cd213ea046 100644 --- a/apisix/admin/credentials.lua +++ b/apisix/admin/credentials.lua @@ -18,7 +18,7 @@ local core = require("apisix.core") local plugins = require("apisix.admin.plugins") local plugin = require("apisix.plugin") local resource = require("apisix.admin.resource") -local utils = require("apisix.admin.utils") +local consumer = require("apisix.consumer") local pairs = pairs local function check_conf(id, conf, _need_id, schema) @@ -36,7 +36,7 @@ local function check_conf(id, conf, _need_id, schema) return nil, {error_msg = "invalid plugins configuration: " .. err} end - local ok, err = utils.check_duplicate_key(conf_plugins_copy, nil, id) + local ok, err = consumer.check_duplicate_key(conf_plugins_copy, nil, id) if not ok then return nil, {error_msg = err} end diff --git a/apisix/admin/utils.lua b/apisix/admin/utils.lua index 594840a1075e..eee2787f0540 100644 --- a/apisix/admin/utils.lua +++ b/apisix/admin/utils.lua @@ -19,8 +19,6 @@ local ngx_time = ngx.time local tonumber = tonumber local ipairs = ipairs local pairs = pairs -local consumer = require("apisix.consumer") -local plugin = require("apisix.plugin") local _M = {} 
@@ -112,51 +110,4 @@ function _M.decrypt_params(decrypt_func, body, schema_type) end end - -local plugin_key_map = { - ["key-auth"] = "key", - ["basic-auth"] = "username", - ["jwt-auth"] = "key", - ["hmac-auth"] = "key_id" -} - - -function _M.check_duplicate_key(plugins_conf, username, credential_id) - if not plugins_conf then - return true - end - - for plugin_name, plugin_conf in pairs(plugins_conf) do - local plugin_obj = plugin.get(plugin_name) - if not plugin_obj then - return nil, "unknown plugin " .. plugin_name - end - - if plugin_obj.type ~= "auth" then - goto continue - end - - local key_field = plugin_key_map[plugin_name] - if not key_field then - goto continue - end - - local key_value = plugin_conf[key_field] - if not key_value then - goto continue - end - - local consumer = consumer.find_consumer(plugin_name, key_field, key_value) - if consumer and - ((username and consumer.username ~= username) or - (credential_id and consumer.credential_id ~= credential_id)) then - return nil, "duplicate key found with consumer: " .. consumer.username - end - - ::continue:: - end - - return true -end - return _M diff --git a/apisix/consumer.lua b/apisix/consumer.lua index 0ec39d7190ee..d7f8ab9916a1 100644 --- a/apisix/consumer.lua +++ b/apisix/consumer.lua 
@@ -340,5 +340,50 @@ function _M.get_anonymous_consumer(name) return anon_consumer, anon_consumer_conf, err end +local auth_plugin_key_map = { + ["key-auth"] = "key", + ["basic-auth"] = "username", + ["jwt-auth"] = "key", + ["hmac-auth"] = "key_id" +} + +function _M.check_duplicate_key(plugins_conf, username, credential_id) + if not plugins_conf then + return true + end + + for plugin_name, plugin_conf in pairs(plugins_conf) do + local plugin_obj = plugin.get(plugin_name) + if not plugin_obj then + return nil, "unknown plugin " .. plugin_name + end + + if plugin_obj.type ~= "auth" then + goto continue + end + + local key_field = auth_plugin_key_map[plugin_name] + if not key_field then + goto continue + end + + local key_value = plugin_conf[key_field] + if not key_value then + goto continue + end + + local consumer = _M.find_consumer(plugin_name, key_field, key_value) + if consumer and + ((username and consumer.username ~= username) or + (credential_id and consumer.credential_id ~= credential_id)) then + return nil, "duplicate key found with consumer: " .. consumer.username + end + + ::continue:: + end + + return true +end + return _M diff --git a/t/APISIX.pm b/t/APISIX.pm index 2e1724a12aa1..bddcb7aee100 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm @@ -280,7 +280,7 @@ _EOC_ } # set default `timeout` to 5sec - my $timeout = $block->timeout // 5; + my $timeout = $block->timeout // 15; $block->set_value("timeout", $timeout); my $stream_tls_request = $block->stream_tls_request; From 5a528fa0d36b00ca0b3710ceb9b7c06f6268b4f8 Mon Sep 17 00:00:00 2001 From: Baoyuan Date: Sun, 27 Apr 2025 15:28:47 +0800 Subject: [PATCH 25/25] fix --- t/APISIX.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/APISIX.pm b/t/APISIX.pm index bddcb7aee100..2e1724a12aa1 100644 --- a/t/APISIX.pm +++ b/t/APISIX.pm 
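Review bot: `check_duplicate_key` in the `apisix/consumer.lua` hunk only looks up plugins listed in `auth_plugin_key_map`; an auth-type plugin missing from the map reaches `goto continue` and is accepted without any lookup, and nothing in the code says this is intended. A comment above the map such as `-- auth plugins and the field that must be unique across consumers; auth plugins not listed here are not checked` would make the limit visible to whoever adds the next auth plugin. The function also deserves a doc comment naming its three parameters and the `true` / `nil, err` return. The error string includes the other consumer's `username`, which is presumably acceptable on the Admin API but worth stating in that comment. `find_consumer` is outside the hunk, so whether the lookup sees writes that are still in flight cannot be judged from here.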
@@ -280,7 +280,7 @@ _EOC_ } # set default `timeout` to 5sec - my $timeout = $block->timeout // 15; + my $timeout = $block->timeout // 5; $block->set_value("timeout", $timeout); my $stream_tls_request = $block->stream_tls_request;