From cdebcfe5df6a11495a18b65ce32b5e7e0e7c9b16 Mon Sep 17 00:00:00 2001 From: Kyle Espinola Date: Mon, 20 Feb 2023 14:11:03 +0100 Subject: [PATCH] feat: add plugins for checking cookie session --- charts/hub-gateway/Chart.yaml | 2 +- charts/hub-gateway/plugins/kratos.lua | 28 ++------- charts/hub-gateway/plugins/session-json.lua | 50 +++++++++++++++ .../hub-gateway/plugins/session-redirect.lua | 63 +++++++++++++++++++ charts/hub-gateway/templates/apisixroute.yaml | 14 ++++- charts/hub-gateway/values.yaml | 49 +++++++++++++-- 6 files changed, 177 insertions(+), 29 deletions(-) create mode 100644 charts/hub-gateway/plugins/session-json.lua create mode 100644 charts/hub-gateway/plugins/session-redirect.lua diff --git a/charts/hub-gateway/Chart.yaml b/charts/hub-gateway/Chart.yaml index 6c58940..d637c45 100644 --- a/charts/hub-gateway/Chart.yaml +++ b/charts/hub-gateway/Chart.yaml @@ -18,7 +18,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: "0.4.0" +version: "0.5.0" # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/hub-gateway/plugins/kratos.lua b/charts/hub-gateway/plugins/kratos.lua index 194bc6e..7827bfb 100644 --- a/charts/hub-gateway/plugins/kratos.lua +++ b/charts/hub-gateway/plugins/kratos.lua @@ -66,8 +66,8 @@ local schema = { local _M = { version = 0.1, - priority = 1030, - name = "kratos", + priority = 2, + name = "session", schema = schema } 
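Review bot: In the kratos.lua hunk, `name = "session"` no longer matches the file name `kratos.lua`, the `- name: kratos` entry the route template renders, or the `kratos` entry in the plugin list later in this patch. If APISIX keys the plugin by its module name the field is merely misleading, but anything that reads `_M.name` would report a plugin that is not configured anywhere, so keeping `name = "kratos"` is safer. The drop from 1030 to 2 appears to exist only so this plugin runs just ahead of the two new priority-1 plugins. That ordering is now a security contract and should be stated next to the field, e.g. `priority = 2, -- must stay above session-json/session-redirect (1), which read the X-USER-ID header set here`.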
@@ -75,23 +75,8 @@ function _M.check_schema(conf) return core.schema.check(schema, conf) end -local function build_json_error(code, status, reason) - - core.response.set_header(ctx, "content", "application/json") - local res = { - error = { - code = code, - status = status, - reason = reason - } - } - return json.encode(res) -end - function _M.access(conf, ctx) - local ret_code local headers = core.request.headers() - local method_name = ngx.req.get_method() local session_cookie_name = string.lower(conf.session_cookie_name or "ory_kratos_session") local cookie_header = string.lower("cookie_" .. session_cookie_name) @@ -101,7 +86,6 @@ function _M.access(conf, ctx) local session_token = headers[session_cookie_name] or cookie_value if not session_token then - local res = build_json_error(ret_code, "Unauthorized", "Missing " .. session_cookie_name .. " header or cookie") return end @@ -157,10 +141,10 @@ function _M.access(conf, ctx) -- Expose user id on $kratos_user_id variable -- Expose user email on $kratos_user_email variable if conf.expose_user_id then - core.request.set_header(ctx, "x-user-id", data.identity.id) - core.response.set_header("x-user-id", data.identity.id) - core.request.set_header(ctx, "x-user-email", data.identity.traits.email) - core.response.set_header("x-user-email", data.identity.traits.email) + core.request.set_header(ctx, "X-USER-ID", data.identity.id) + core.response.set_header("X-USER-ID", data.identity.id) + core.request.set_header(ctx, "X-USER-EMAIL", data.identity.traits.email) + core.response.set_header("X-USER-EMAIL", data.identity.traits.email) core.ctx.register_var("kratos_user_id", function(ctx) return data.identity.id end) diff --git a/charts/hub-gateway/plugins/session-json.lua b/charts/hub-gateway/plugins/session-json.lua new file mode 100644 index 0000000..85ef177 --- /dev/null +++ b/charts/hub-gateway/plugins/session-json.lua 
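Review bot: The early `return` when `session_token` is missing leaves any `X-USER-ID` / `X-USER-EMAIL` header supplied by the client untouched, while the new session-json.lua and session-redirect.lua accept the mere presence of `X-USER-ID` as proof of a session. As far as these hunks show, a request with no session cookie but with that header set would pass both checks and reach the upstream carrying an identity chosen by the caller. Clear the identity headers at the top of `_M.access`, before any early return, e.g. `core.request.set_header(ctx, "X-USER-ID", nil)` and `core.request.set_header(ctx, "X-USER-EMAIL", nil)`, and make sure the failure paths after the session lookup (outside this hunk) cannot leave them set either. Separately, the last hunk still copies the id and e-mail into response headers with `core.response.set_header`, which discloses the address to anything that can read the response; drop those two calls unless a consumer depends on them.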
@@ -0,0 +1,50 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("apisix.core.json")
+
+local schema = {
+ type = "object",
+ properties = {}
+}
+
+local _M = {
+ version = 0.1,
+ priority = 1,
+ name = "session-json",
+ schema = schema
+}
+
+function _M.check_schema(conf)
+ return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+ local user_id = core.request.header(ctx, "X-USER-ID")
+ local uri = ctx.var.uri
+
+ if not user_id then
+ core.response.set_header("Content-Type", "application/json")
+
+ return 403, {
+ message = "no valid session"
+ }
+ end
+end
+
+return _M
diff --git a/charts/hub-gateway/plugins/session-redirect.lua b/charts/hub-gateway/plugins/session-redirect.lua
new file mode 100644
index 0000000..99c1dde
--- /dev/null
+++ b/charts/hub-gateway/plugins/session-redirect.lua
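Review bot: session-json.lua documents nowhere that its `_M.access` check is only meaningful after the kratos plugin has run and has itself stripped and re-set `X-USER-ID`; the only trace of that dependency is `priority = 1` against kratos's 2. Add a header comment such as `-- Must run after the kratos plugin, which owns the X-USER-ID request header; do not enable on a route without it.` The `http` and `json` requires and the `uri` local are unused and can be removed. A missing session is an authentication failure, so `401` describes it more accurately than `403`.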
@@ -0,0 +1,63 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("apisix.core.json")
+
+local schema = {
+ type = "object",
+ properties = {
+ login_uri = {
+ type = "string"
+ },
+ redirect_to = {
+ type = "boolean",
+ default = false
+ }
+ },
+ require = {"login_uri"}
+}
+
+local _M = {
+ version = 0.1,
+ priority = 1,
+ name = "session-redirect",
+ schema = schema
+}
+
+function _M.check_schema(conf)
+ return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+ local redirect_to = conf.redirect_to
+ local user_id = core.request.header(ctx, "X-USER-ID")
+ local uri = ctx.var.uri
+ local redirect_uri = conf.login_uri
+
+ if redirect_to then
+ redirect_uri = redirect_uri .. "?return_to=" .. uri
+ end
+
+ if not user_id then
+ core.response.set_header("Location", redirect_uri)
+
+ return 302, "Unauthorized please login"
+ end
+end
+
+return _M
diff --git a/charts/hub-gateway/templates/apisixroute.yaml b/charts/hub-gateway/templates/apisixroute.yaml
index 6f96069..ea8a306 100644
--- a/charts/hub-gateway/templates/apisixroute.yaml
+++ b/charts/hub-gateway/templates/apisixroute.yaml
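Review bot: In session-redirect.lua the schema key `require = {"login_uri"}` is not the JSON Schema keyword, so `login_uri` is never enforced and a route configured without it reaches `_M.access` with `conf.login_uri` nil; it should read `required = {"login_uri"}`. The request path is also concatenated into the `Location` value unencoded, so a path containing `&`, `#` or `?` changes the meaning of the redirect URL; build it as `redirect_uri = redirect_uri .. "?return_to=" .. ngx.escape_uri(uri)`. `ctx.var.uri` presumably excludes the query string, so a return target that needs its arguments would lose them. The application's login page has to treat `return_to` as untrusted and accept only same-site relative paths. `http` and `json` are unused here as well.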
@@ -2,6 +2,7 @@ {{- $namespace := .Values.hubNamespace -}} {{- $domain := .Values.domain -}} {{- $sessionCookie := .Values.sessionCookieName -}} +{{- $loginUri := .Values.loginUri -}} {{- with .Values.routes }} {{- range . }} apiVersion: apisix.apache.org/v2 @@ -26,7 +27,8 @@ spec: methods: {{- .methods | toYaml | nindent 8 }} plugins: - {{- if .setUserHeader }} + {{- with .kratos }} + {{- if .enabled | default false }} - name: kratos enable: true config: @@ -35,6 +37,16 @@ spec: expose_user_id: true session_cookie_name: {{ $sessionCookie }} {{- end }} + {{- end }} + {{- with .sessionRedirect }} + {{- if .enabled }} + - name: session-redirect + enable: true + config: + login_uri: {{ $loginUri }} + redirect_to: {{ .redirectTo | default false }} + {{- end }} + {{- end }} {{- if .regexUri }} - name: proxy-rewrite enable: true diff --git a/charts/hub-gateway/values.yaml b/charts/hub-gateway/values.yaml index 09c452d..54416d6 100644 --- a/charts/hub-gateway/values.yaml +++ b/charts/hub-gateway/values.yaml @@ -2,6 +2,7 @@ hubNamespace: default domain: 127.0.0.1.nip.io port: 9080 sessionCookieName: "hub_session" +loginUri: "http://hub.127.0.0.1.nip.io:9080/login" routes: - name: api @@ -13,7 +14,8 @@ routes: methods: - POST - OPTIONS - setUserHeader: true + kratos: + enabled: true regexUri: - "/graphql" - "/" @@ -27,7 +29,8 @@ routes: methods: - POST - OPTIONS - setUserHeader: true + kratos: + enabled: true regexUri: - "/graphql" - "/" @@ -41,7 +44,10 @@ routes: methods: - POST - OPTIONS - setUserHeader: true + kratos: + enabled: true + sessionJson: + enabled: true regexUri: - "/graphql" - "/" @@ -55,13 +61,19 @@ routes: - /browser/organizations/* methods: - POST - setUserHeader: true + kratos: + enabled: true + sessionRedirect: + enabled: true - name: ui-private subdomain: hub serviceName: hub servicePort: 80 - setUserHeader: true + kratos: + enabled: true + sessionRedirect: + enabled: true methods: - GET paths: 
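Review bot: The apisixroute.yaml hunks render `kratos` and `session-redirect` but contain no block for `sessionJson`, while the values.yaml hunk at `@@ -41,7 +44,10 @@` sets `sessionJson: enabled: true` on a route. Unless a block exists outside the visible hunks, that flag is silently ignored and the route is deployed without the session check its values claim. Add a block parallel to the `sessionRedirect` one, as sketched below. `login_uri: {{ $loginUri }}` would also be more robust as `{{ $loginUri | quote }}`, so that a URL with YAML-significant characters cannot change the rendered manifest.

```yaml
# … unchanged: kratos and session-redirect plugin blocks …
{{- with .sessionJson }}
{{- if .enabled }}
- name: session-json
  enable: true
{{- end }}
{{- end }}
# … unchanged: proxy-rewrite block …
```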
@@ -70,12 +82,27 @@ routes: - /webhooks/* - /members - /members/* + - /organizations - /organizations/new - /projects - /projects/* - /treasuries - /treasuries/* +- name: ui-private-invite + subdomain: hub + serviceName: hub + servicePort: 80 + kratos: + enabled: true + sessionRedirect: + enabled: true + redirectTo: true + methods: + - GET + paths: + - /invites/* + - name: ui-public subdomain: hub serviceName: hub @@ -103,6 +130,12 @@ apisixPlugins: servicePort: 80 files: - plugins/kratos.lua + sessionRedirect: + files: + - plugins/session-redirect.lua + sessionJson: + files: + - plugins/session-json.lua apisix: enabled: true @@ -158,6 +191,8 @@ apisix: plugins: - kratos + - session-redirect + - session-json - mocking - cors - redirect @@ -175,6 +210,10 @@ apisix: mounts: - key: "kratos.lua" path: "/opts/custom_plugins/apisix/plugins/kratos.lua" + - key: "session-redirect.lua" + path: "/opts/custom_plugins/apisix/plugins/session-redirect.lua" + - key: "session-json.lua" + path: "/opts/custom_plugins/apisix/plugins/session-json.lua" logs: enableAccessLog: true