feat: add auth plugin for casdoor

[ComradeProgrammer]

What this PR does / why we need it:

auth-casdoor is an authorization plugin based on Casdoor. Casdoor is a centralized authentication / Single-Sign-On (SSO) platform

Pre-submission checklist:

• Did you explain what problem does this PR solve? Or what new features have been added?
• Have you added corresponding test cases?
• Have you modified the corresponding document?
• Is this PR backward compatible? If it is not backward compatible, please discuss on the mailing list first

[spacewander]

Let's remove the casdoor_ prefix

[spacewander]

@ComradeProgrammer
Please request me to review it once you are ready. Thanks!

[ComradeProgrammer]

Let's remove the casdoor_ prefix

all other casdoor_ prefixes are removed except casdoor_endpoint, because i think just using "endpoint" may be a little confusing.

[spacewander]

Let's remove the casdoor_ prefix

[spacewander]

Let's sort the imports like

apisix/apisix/plugins/authz-casbin.lua

Line 20 in 4624135

local plugin = require("apisix.plugin")

[spacewander]

Please sort according to the priority and fix the indent

[spacewander]

priority mismatch

[spacewander]

Ditto. Warn log should not be used in per-req level

[spacewander]

Suggested change

	return nil
	return nil, err

and log the err outside would be better

[spacewander]

Let's check if the endpoint contains ? in the schema instead of split it at runtime

[spacewander]

Need to check if decode succeed

[spacewander]

Could you provide a step-by-step example?
I still can't fully understand it after reading it twice...
It looks like the callback_url needs to contain part of the request host & path?

[ComradeProgrammer]

I am extremely flattered, delighted and grateful for this extremely detailed reply and advice from you. Revisions will be made accordingly soon and tests will be added soon together. @spacewander

[tzssangglass]

test is not in Attributes of plugin docs

[tzssangglass]

This line looks like it's only for debugging?

[tzssangglass]

what this for?

[ComradeProgrammer]

Do you mean this function? Extract "code" and "state" parameters and use them to launch to casdoor api, in order to fetch "access_token" so that we can confirm whether the user have really logged in

[spacewander]

The err doesn't have parameters in it

[tzssangglass]

Suggested change

	local args = core.request.get_uri_args()
	local args = core.request.get_uri_args(ctx)

and should pass ctx to this function

[tzssangglass]

it's better to determine if args is empty

[tzssangglass]

Suggested change

	local ok,err=core.schema.check(schema, conf)
	local ok, err = core.schema.check(schema, conf)

[tzssangglass]

use ngx.re.find is better?

[tzssangglass]

Suggested change

	if ok then
	--check whether contains extra ? or /
	if string.find(conf.callback_url,"?",1) then
	return false,"callback_url should not contain get parameters or end up with /"
	else
	return true,nil
	end
	else
	return false,err
	end
	if not ok then
	return false, err
	end
	--check whether contains extra ? or /
	local has_extra = string.find(conf.callback_url,"?",1)
	if has_extra then
	return false, "callback_url should not contain get parameters or end up with /"
	end
	return true, nil

is better?

[tzssangglass]

Suggested change

	return 503,"no original_url found in session"
	return 503, "no original_url found in session"

[tzssangglass]

It seems a bit strange that here return does not reverse anything, but just exits the current function?

[ComradeProgrammer]

@spacewander @tzssangglass Most of the revisions in your comments have been implemented, and tests are also added. I think this code is ready to be reviewed now, THX.

[tzssangglass]

@spacewander @tzssangglass Most of the revisions in your comments have been implemented, and tests are also added. I think this code is ready to be reviewed now, THX.

hi @ComradeProgrammer, after the CI run is finished, please fix the failure of the CI.

[ComradeProgrammer]

hi @ComradeProgrammer, after the CI run is finished, please fix the failure of the CI.

I have made changes according to the CI information, and I wonder whether I can have CI run another time , so that I can confirm whether I can pass CI now?

[tzssangglass]

I have made changes according to the CI information, and I wonder whether I can have CI run another time , so that I can confirm whether I can pass CI now?

hi @ComradeProgrammer , there are still some code lint check failed.

[spacewander]

Suggested change

	casdoor_endpoint = {type = "string"},
	endpoint_addr = {type = "string"},

would be better?

[spacewander]

please put each field per line, like other plugins

[spacewander]

The err doesn't have parameters in it

[spacewander]

Could we require the endpoint not to have ? so we don't need to use get_path?

[spacewander]

We can do the check in the schema via "pattern":

apisix/apisix/schema_def.lua

Line 34 in acf7a0c

pattern = [[^[a-zA-Z0-9-_.]+$]]

[spacewander]

Suggested change

	The second parameter "callback_url" is obviously the url of Casdoor. The third and fourth parameters are "client_id" and "client_secret", which you can acquire from Casdoor when you register an app.
	The second parameter "endpoint_addr" is obviously the url of Casdoor. The third and fourth parameters are "client_id" and "client_secret", which you can acquire from Casdoor when you register an app.

[spacewander]

Missing this one?

[spacewander]

Suggested change

Suppose a new user who have never visited this route before is going to visit it (http://localhost:9080/anything/d?param1=foo&param2=bar), considering that "auth-casdoor" is enabled, this visit would be processed by "auth-casdoor" plugin first. After checking the session and confirming that this use hasn't been authentication, the visit will be intercepted. After remembering the original url user wants to visit, he will be redirected to the login page of Casdoor.

Suppose a new user who has never visited this route before is going to visit it (http://localhost:9080/anything/d?param1=foo&param2=bar), considering that "auth-casdoor" is enabled, this visit would be processed by "auth-casdoor" plugin first. After checking the session and confirming that this user hasn't been authenticated, the visit will be intercepted. With the original url user wants to visit kept, he will be redirected to the login page of Casdoor.

[spacewander]

Suggested change

	Next time this user want to visit url behind this route (for example, http://localhost:9080/anything/d), after discovering that this user have been authentication previously, this plugin won't redirect this user any more so that this user can visit whatever he wants under this route without being interfered
	Next time this user want to visit url behind this route (for example, http://localhost:9080/anything/d), after discovering that this user has been authenticated previously, this plugin won't redirect this user anymore so that this user can visit whatever he wants under this route without being interfered

[spacewander]

Suggested change

After successfully logging in with username and password(or whatever method he use), Casdoor will redirect this user to the "callback_url" with GET parameter "code " and "state" specified. Because the "callback_url" is known by the plugin, so when the visit toward the "callback_url" is intercepted this time, the logic of "Authorization code Grant Flow" in Oauth2 will be triggered, which means this plugin will request the access token to confirm whether this user is really logged in. After this confirmation, this plugin will redirect this user to the original url user wants to visit, which was remembered by us previously. The logged in status will also be remembered by session

After successfully logging in with username and password(or whatever method he uses), Casdoor will redirect this user to the "callback_url" with GET parameter "code " and "state" specified. Because the "callback_url" is known by the plugin, when the visit toward the "callback_url" is intercepted this time, the logic of "Authorization code Grant Flow" in Oauth2 will be triggered, which means this plugin will request the access token to confirm whether this user is really logged in. After this confirmation, this plugin will redirect this user to the original url user wants to visit, which was kept by us previously. The logged-in status will also be kept in the session.

[spacewander]

We can use

apisix/apisix/plugins/http-logger.lua

Line 88 in acf7a0c

local url_decoded = url.parse(conf.uri)

to get the path instead of writing own solution.

[ComradeProgrammer]

@spacewander revisions have been made

[tzssangglass]

should we check if session exist? ref: bungle/lua-resty-session#12 (comment)

[tzssangglass]

Suggested change

	-- step 1: check whether hits the callback
	if current_uri == conf.callback_url:match(".-//[^/]+(/.*)") then
	-- step 1: check whether hits the callback
	if current_uri == conf.callback_url:match(".-//[^/]+(/.*)") then

[tzssangglass]

Suggested change

	`auth-casdoor` is an authorization plugin based on [Casdoor](https://casdoor.org/). Casdoor is a centralized authentication / Single-Sign-On (SSO) platform supporting OAuth 2.0, OIDC and SAML, integrated with Casbin RBAC and ABAC permission management
	`auth-casdoor` is an authorization plugin based on [Casdoor](https://casdoor.org/). Casdoor is a centralized authentication / Single-Sign-On (SSO) platform supporting OAuth 2.0, OIDC and SAML, integrated with Casbin RBAC and ABAC permission management.

[tzssangglass]

Suggested change

	local res2,err2=httpc:request_uri(callback_url, {
	local res2,err2 = httpc:request_uri(callback_url, {

Please pay more attention to similar formatting issues in this PR.

[ComradeProgrammer]

@spacewander @tzssangglass what about this time? (revisions have been made)

[ComradeProgrammer]

@spacewander @tzssangglass what kind of "chaos-test" is this? Besides, comparing with my last previous commit, the only change was format in test file t/plugin/auth-casdoor.t, but I passed all the tests in the previous commit.

[ComradeProgrammer]

what is apisix/utils/batch-processor.lua? This file seemed to lead to the failure of lint but it's irrelevant with me......

[tzssangglass]

what is apisix/utils/batch-processor.lua? This file seemed to lead to the failure of lint but it's irrelevant with me......

Please merge the APISIX master branch into your PR branch.

[ComradeProgrammer]

rebase made(force-pushed was caused by rebase)

[spacewander]

Suggested change

	if err then
	if not access_token then

[ComradeProgrammer]

revised

[spacewander]

This branch can be saved

[ComradeProgrammer]

revised

[spacewander]

Suggested change

	local redirect_url=conf.endpoint_addr .. "/login/oauth/authorize?" .. ngx.encode_args({
	local redirect_url = conf.endpoint_addr .. "/login/oauth/authorize?" .. ngx.encode_args({

[ComradeProgrammer]

revised

[ComradeProgrammer]

revisions have been made

[leslie-tsang]

@spacewander @ComradeProgrammer The documentation in the PR still needs to be optimized, let's merge this PR first and deal with the documentation in the next PR ?

[spacewander]

OK
@leslie-tsang
Let's open an issue about what needs to be proved.

[ComradeProgrammer]

1. Thanks! Please merge this PR.
2. I will work on the docs for this plugin later in another PR .

[spacewander]

@ComradeProgrammer
Let's add casdoor to the README

[lijing-21]

Hi @ComradeProgrammer , thank you for your contribution!

Here is the Contributor T-shirt form[1], if you're interested, kindly take a look :)

[1] https://github.com/apache/apisix/blob/master/CONTRIBUTING.md#contributor-t-shirt