
Http basic auth #454

Merged
merged 34 commits into from
Jan 14, 2022

Conversation


@samutamm samutamm commented Jan 5, 2022

Fix #404

Table of Contents

Test case with userFile
Test case with etcd
User Header Lookup
BasicAuth and UserHeaderLookup filter combined

Test case with userFile

Create .htpasswd file:

sudo htpasswd -c /etc/apache2/.htpasswd doge # password doge
cat /etc/apache2/.htpasswd
# doge:$apr1$0f...

Create HTTP Server:

kind: HTTPServer
name: server-demo
port: 10081
globalFilter: basicAuthFilter
keepAlive: true
https: false
rules:
    - paths:
      - pathPrefix: /pipeline
        backend: pipeline-demo

and pipeline:

name: pipeline-demo
kind: HTTPPipeline
flow:
  - filter: basicAuth
  - filter: proxy
filters:
  - name: basicAuth
    kind: Validator
    basicAuth:
      mode: "FILE"
      userFile: '/etc/apache2/.htpasswd'
  - name: proxy
    kind: Proxy
    mainPool:
      servers:
      - url: http://127.0.0.1:9095
      loadBalance:
        policy: roundRobin

Also start a backend for the proxy, for example go run example/backend-service/echo/echo.go, for testing.
Send an authorized request:
curl -u doge:doge -v localhost:10081/pipeline and observe status code 200.

Unauthorized one:
curl -u doge:foo -v localhost:10081/pipeline and see 401.

Remove doge's line from /etc/apache2/.htpasswd. Wait 1 minute and execute:
curl -u doge:doge -v localhost:10081/pipeline and notice status code 401 as doge no longer has access.

Test case with etcd

Use the same setup as previously, except change the first filter to

  - name: basicAuth
    kind: Validator
    basicAuth:
      mode: "ETCD"

Send authorized request with doge's credentials:
curl -u doge:doge -v localhost:10081/pipeline ==> 401.

Add the password to Easegress using the egctl custom-data command:

echo '
rebuild: true
list:
  - key: 'doge'
    password: 'doge'
' | ./bin/egctl custom-data update credentials

Now curl -u doge:doge -v localhost:10081/pipeline ==> 200.

Add an apache2 md5 encrypted password to etcd:

echo '
rebuild: true
list:
  - key: 'doge'
    password: "$apr1$7q/O2y6n$1zNd5r5bJH2hn20x.V2To1"
' | ./bin/egctl custom-data update credentials

Again curl -u doge:doge -v localhost:10081/pipeline ==> 200.

Add a bcrypt encrypted password to etcd:

echo '
rebuild: true
list:
  - key: 'doge'
    password: "$2a$10$ZdnoaOVLm5Ug5URVNG5fiepEM8KJlL9p.5Ao5t5fuasNOIUD.wkmC"
' | ./bin/egctl custom-data update credentials

Running curl -u doge:doge -v localhost:10081/pipeline ==> 200.

UserHeaderLookup filter

Create a filter called UserHeaderLookup with the following configuration

name: authUserHeaders
kind: HeaderLookup
headerKey: "X-AUTH-USER" # header field to use for looking up the user in etcd
etcdPrefix: "/credentials/" # looking for user info at /custom-data/credentials/{user} in etcd
headerSetters: # the key is 'headerSetters', as in the combined example below
  - etcdKey: "ext-id" # looking up 'ext-id' value in etcd
    headerKey: "user-ext-id" # set value to 'user-ext-id'
  - etcdKey: "other-user-entry" # looking up 'other-user-entry' value in etcd
    headerKey: "other-user-entry" # set value to 'other-user-entry'

The HeaderLookup filter modifies request headers: it looks up user information stored in etcd, identified by etcdPrefix and headerKey. HeaderLookup then extracts the etcdKeys defined in headerSetters and sets them as headers, using headerKey as the key.

BasicAuth and UserHeaderLookup filter combined

To use BasicAuth and UserHeaderLookup together, add the following filters to the pipeline

  - name: basicAuth
    kind: Validator
    basicAuth:
      mode: "ETCD"
  - name: headerLookup
    kind: HeaderLookup
    headerKey: "X-AUTH-USER"
    etcdPrefix: "credentials/"
    headerSetters:
    - etcdKey: "service-X-ID"
      headerKey: "service-X-ID"

Update Easegress custom-data:

echo '
rebuild: true
list:
  - key: 'doge'
    password: 'doge'
    service-X-ID: 123456789
' | ./bin/egctl custom-data update credentials

Then execute curl -u doge:doge -v localhost:10081/pipeline and the header Service-X-Id: [12345678] has been included in the request.
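To make the two-filter flow above concrete, here is an added Go example (not Easegress's own code) that models the Validator and HeaderLookup steps with an in-memory stand-in for the etcd credentials record; the constructed record, the plain-text password check and the send helper are assumptions of the example. It also shows the check a defender wants in this chain: a client-supplied X-AUTH-USER header is dropped before the validator sets it, so the lookup only ever runs for the verified user.

```go
package main

import (
	"crypto/subtle"
	"net/http"
)

// Constructed stand-in for the etcd custom-data "credentials" group of the PR.
// Plain passwords only; the PR's validator also takes apr1 and bcrypt hashes.
var credentials = map[string]map[string]string{"doge": {"password": "doge", "service-X-ID": "123456789"}}
const userHeader = "X-AUTH-USER" // set by the validator for later filters

// checkBasicAuth plays the Validator role: drop any client-supplied userHeader
// (so identity cannot be forged), verify the credentials, then record the user.
func checkBasicAuth(r *http.Request) bool {
	r.Header.Del(userHeader)
	user, pass, ok := r.BasicAuth()
	entry, found := credentials[user] // nil map if unknown; indexing it is safe
	if !ok || !found || subtle.ConstantTimeCompare([]byte(entry["password"]), []byte(pass)) != 1 {
		return false
	}
	r.Header.Set(userHeader, user)
	return true
}

// headerLookup plays the HeaderLookup role: copy the listed keys of the
// authenticated user's record into request headers (etcdKey -> headerKey).
func headerLookup(r *http.Request, setters map[string]string) {
	entry := credentials[r.Header.Get(userHeader)]
	for etcdKey, headerKey := range setters {
		if v, ok := entry[etcdKey]; ok {
			r.Header.Set(headerKey, v)
		}
	}
}

// send runs both filters over one request as the PR's pipeline does; forgedUser
// simulates a client setting X-AUTH-USER itself. Returns status and Service-X-ID.
func send(user, pass, forgedUser string) (int, string) {
	r, _ := http.NewRequest("GET", "http://localhost:10081/pipeline", nil)
	r.SetBasicAuth(user, pass)
	if forgedUser != "" {
		r.Header.Set(userHeader, forgedUser)
	}
	if !checkBasicAuth(r) {
		return http.StatusUnauthorized, ""
	}
	headerLookup(r, map[string]string{"service-X-ID": "service-X-ID"})
	return http.StatusOK, r.Header.Get("service-X-ID")
}
```

Header names are canonicalised by net/http, which is why the PR description sees the header arrive as Service-X-Id.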

@samutamm samutamm requested review from localvar, xxx7xxxx, zhao-kun and suchen-sci and removed request for xxx7xxxx and zhao-kun January 5, 2022 09:48

codecov-commenter commented Jan 6, 2022

Codecov Report

Merging #454 (249b3c7) into main (9b29b1c) will decrease coverage by 0.11%.
The diff coverage is 78.96%.


@@            Coverage Diff             @@
##             main     #454      +/-   ##
==========================================
- Coverage   80.32%   80.21%   -0.12%     
==========================================
  Files          73       76       +3     
  Lines        8279     8666     +387     
==========================================
+ Hits         6650     6951     +301     
- Misses       1265     1321      +56     
- Partials      364      394      +30     
| Impacted Files | Coverage Δ |
|---|---|
| pkg/filter/validator/basicauth.go | 72.38% <72.38%> (ø) |
| pkg/filter/headerlookup/headerlookup.go | 83.58% <83.58%> (ø) |
| pkg/filter/validator/validator.go | 96.15% <89.65%> (-3.85%) ⬇️ |
| pkg/cluster/test_util.go | 93.54% <93.54%> (ø) |
| pkg/object/mqttproxy/client.go | 79.63% <0.00%> (-0.91%) ⬇️ |
| pkg/cluster/cluster.go | 51.87% <0.00%> (+0.17%) ⬆️ |

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@samutamm samutamm requested a review from localvar January 6, 2022 09:08
@samutamm samutamm marked this pull request as draft January 7, 2022 06:16
@samutamm samutamm marked this pull request as ready for review January 7, 2022 08:06
@suchen-sci
Contributor

please keep total test coverage higher than 80%.....

@samutamm
Contributor Author

> please keep total test coverage higher than 80%.....

This is fixed now; the issue was in the cluster package, as I introduced a test util that was not used in the pkg/cluster tests.

@xxx7xxxx xxx7xxxx merged commit 31315af into easegress-io:main Jan 14, 2022
@samutamm samutamm deleted the http_basic_auth branch January 14, 2022 06:47
Successfully merging this pull request may close these issues.

Support HTTP basic authentication to restrict access