From f6bb7f0cdad9461b6ad61f7bf77caccafd0eb9ad Mon Sep 17 00:00:00 2001
From: soulbird
Date: Fri, 15 Apr 2022 15:22:45 +0800
Subject: [PATCH 1/7] fix: do not expose internal errors to the client
---
 apisix/plugins/basic-auth.lua | 6 ++++--
 apisix/plugins/ldap-auth.lua | 6 ++++--
 apisix/plugins/wolf-rbac.lua | 16 ++++++++--------
 t/plugin/basic-auth.t | 18 +++++++++++++++---
 t/plugin/ldap-auth.t | 20 +++++++++++++++++---
 t/plugin/wolf-rbac.t | 27 ++++++++++++++++++++++-----
 6 files changed, 70 insertions(+), 23 deletions(-)
diff --git a/apisix/plugins/basic-auth.lua b/apisix/plugins/basic-auth.lua
index 83519bf81ed0..2bb080577269 100644
--- a/apisix/plugins/basic-auth.lua
+++ b/apisix/plugins/basic-auth.lua
@@ -151,13 +151,15 @@ function _M.rewrite(conf, ctx)
 local username, password, err = extract_auth_header(auth_header)
 if err then
- return 401, { message = err }
+ core.log.warn(err)
+ return 401, { message = "Invalid user authorization" }
 end
 -- 2. get user info from consumer plugin
 local consumer_conf = consumer.plugin(plugin_name)
 if not consumer_conf then
- return 401, { message = "Missing related consumer" }
+ core.log.warn("Missing related consumer")
+ return 401, { message = "Invalid user authorization" }
 end
 local consumers = consumers_lrucache("consumers_key",
diff --git a/apisix/plugins/ldap-auth.lua b/apisix/plugins/ldap-auth.lua
index 6ea32f00debc..7df7ab9abfbe 100644
--- a/apisix/plugins/ldap-auth.lua
+++ b/apisix/plugins/ldap-auth.lua
@@ -131,7 +131,8 @@ function _M.rewrite(conf, ctx)
 local user, err = extract_auth_header(auth_header)
 if err then
- return 401, { message = err }
+ core.log.warn(err)
+ return 401, { message = "Invalid user authorization" }
 end
 -- 2. try authenticate the user against the ldap server
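Review bot: `core.log.warn(err)` in the basic-auth hunk writes the error returned by extract_auth_header verbatim to the error log, and the test expectations later in this series show that those messages embed the header payload itself (`Failed to decode authentication header: aca_a`, `Split authorization err: invalid decoded data: bar`), i.e. the decoded credential material that used to go back to the client now lands in the server log at warn level. Logging the failure class is enough for diagnosis; the decoded data should be dropped from the logged text, either here (`core.log.warn("invalid basic auth header: ", err_kind)` with a fixed reason) or by having extract_auth_header return a message without the payload — that function is outside the hunk, so I cannot confirm which messages it produces beyond what the tests assert. The ldap-auth hunk in this patch has the same `core.log.warn(err)` and the same test strings (`invalid decoded data: foo`), so the same applies there. Both `_M.rewrite` bodies continue outside their hunks.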
@@ -146,7 +147,8 @@ function _M.rewrite(conf, ctx)
 -- 3. Retrieve consumer for authorization plugin
 local consumer_conf = consumer_mod.plugin(plugin_name)
 if not consumer_conf then
- return 401, {message = "Missing related consumer"}
+ core.log.warn("Missing related consumer")
+ return 401, { message = "Invalid user authorization" }
 end
 local consumers = lrucache("consumers_key", consumer_conf.conf_version, create_consumer_cache, consumer_conf)
diff --git a/apisix/plugins/wolf-rbac.lua b/apisix/plugins/wolf-rbac.lua
index b429c7b5cbc4..ad4b24fbd87d 100644
--- a/apisix/plugins/wolf-rbac.lua
+++ b/apisix/plugins/wolf-rbac.lua
@@ -274,7 +274,7 @@ function _M.rewrite(conf, ctx)
 core.log.info("token info: ", core.json.delay_encode(tokenInfo), ", err: ", err)
 if err then
- return 401, fail_response('invalid rbac token: parse failed')
+ return 401, fail_response('Invalid rbac token: parse failed')
 end
 local appid = tokenInfo.appid
@@ -284,7 +284,8 @@ function _M.rewrite(conf, ctx)
 local consumer_conf = consumer.plugin(plugin_name)
 if not consumer_conf then
- return 401, fail_response("Missing related consumer")
+ core.log.warn("Missing related consumer")
+ return 401, fail_response("Invalid user authorization")
 end
 local consumers = lrucache("consumers_key", consumer_conf.conf_version,
@@ -326,7 +327,7 @@ function _M.rewrite(conf, ctx)
 core.log.error(" check_url_permission(", core.json.delay_encode(perm_item), ") failed, res: ",core.json.delay_encode(res))
- return 401, fail_response(res.err,
+ return 401, fail_response("Invalid user authorization",
 { username = username, nickname = nickname }
 )
 end
@@ -365,7 +366,7 @@ local function get_consumer(appid)
 if not consumer then
 core.log.info("request appid [", appid, "] not found")
 core.response.exit(400,
- fail_response("appid [" .. tostring(appid) .. "] not found")
+ fail_response("appid not found")
 )
 end
 return consumer
@@ -386,7 +387,7 @@ local function request_to_wolf_server(method, uri, headers, body)
 if not res then
 core.log.error("request [", request_debug, "] failed! err: ", err)
 return core.response.exit(500,
- fail_response("request to wolf-server failed! " .. tostring(err))
+ fail_response("request to wolf-server failed!")
 )
 end
 core.log.info("request [", request_debug, "] status: ", res.status,
@@ -396,8 +397,7 @@ local function request_to_wolf_server(method, uri, headers, body)
 core.log.error("request [", request_debug, "] failed! status: ", res.status)
 return core.response.exit(500,
- fail_response("request to wolf-server failed! status:"
- .. tostring(res.status))
+ fail_response("request to wolf-server failed!")
 )
 end
 local body, err = json.decode(res.body)
@@ -408,7 +408,7 @@ local function request_to_wolf_server(method, uri, headers, body)
 if not body.ok then
 core.log.error("request [", request_debug, "] failed! response body:", core.json.delay_encode(body))
- return core.response.exit(200, fail_response(body.reason))
+ return core.response.exit(200, fail_response("request to wolf-server failed!"))
 end
 core.log.info("request [", request_debug, "] success! response body:",
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
index f8cf5ab71d71..93be37e279aa 100644
--- a/t/plugin/basic-auth.t
+++ b/t/plugin/basic-auth.t
@@ -157,7 +157,11 @@ GET /hello
 Authorization: Bad_header YmFyOmJhcgo=
 --- error_code: 401
 --- response_body
-{"message":"Invalid authorization header format"}
+{"message":"Invalid user authorization"}
+--- grep_error_log eval
+qr/Invalid authorization header format/
+--- grep_error_log_out
+Invalid authorization header format
 --- no_error_log
 [error]
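Review bot: In the third hunk (`if not body.ok then`) the new line `return core.response.exit(200, fail_response("request to wolf-server failed!"))` reuses the transport-failure wording for a case where the HTTP exchange succeeded and wolf-server deliberately rejected the request, and it still does so with status 200; the same generic text is now returned for three unrelated causes (connect/read error, non-2xx status, `ok == false`), so a client cannot tell a gateway-side outage from its own bad input without access to the error log. Keeping `body.reason` out of the response is the right call, but a distinct fixed message for this branch, e.g. `fail_response("request rejected by wolf-server")`, preserves the distinction without leaking the reason, and the preceding `core.log.error(... core.json.delay_encode(body))` already keeps the detail server-side. request_to_wolf_server starts and ends outside these hunks.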
@@ -170,7 +174,11 @@ GET /hello
 Authorization: Basic aca_a
 --- error_code: 401
 --- response_body
-{"message":"Failed to decode authentication header: aca_a"}
+{"message":"Invalid user authorization"}
+--- grep_error_log eval
+qr/Failed to decode authentication header: aca_a/
+--- grep_error_log_out
+Failed to decode authentication header: aca_a
 --- no_error_log
 [error]
@@ -183,7 +191,11 @@ GET /hello
 Authorization: Basic YmFy
 --- error_code: 401
 --- response_body
-{"message":"Split authorization err: invalid decoded data: bar"}
+{"message":"Invalid user authorization"}
+--- grep_error_log eval
+qr/Split authorization err: invalid decoded data: bar/
+--- grep_error_log_out
+Split authorization err: invalid decoded data: bar
 --- no_error_log
 [error]
diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
index f100108fb39d..863dac60f782 100644
--- a/t/plugin/ldap-auth.t
+++ b/t/plugin/ldap-auth.t
@@ -38,6 +38,7 @@ run_tests();
 __DATA__
 === TEST 1: sanity
+--- FIRST
 --- config
 location /t {
 content_by_lua_block {
@@ -156,7 +157,11 @@ GET /hello
 Authorization: Bad_header Zm9vOmZvbwo=
 --- error_code: 401
 --- response_body
-{"message":"Invalid authorization header format"}
+{"message":"Invalid user authorization"}
+--- grep_error_log eval
+qr/Invalid authorization header format/
+--- grep_error_log_out
+Invalid authorization header format
@@ -167,7 +172,11 @@ GET /hello
 Authorization: Basic aca_a
 --- error_code: 401
 --- response_body
-{"message":"Failed to decode authentication header: aca_a"}
+{"message":"Invalid user authorization"}
+--- grep_error_log eval
+qr/Failed to decode authentication header: aca_a/
+--- grep_error_log_out
+Failed to decode authentication header: aca_a
@@ -178,7 +187,11 @@ GET /hello
 Authorization: Basic Zm9v
 --- error_code: 401
 --- response_body
-{"message":"Split authorization err: invalid decoded data: foo"}
+{"message":"Invalid user authorization"}
+--- grep_error_log eval
+qr/Split authorization err: invalid decoded data: foo/
+--- grep_error_log_out
+Split authorization err: invalid decoded data: foo
@@ -194,6 +207,7 @@ Authorization: Basic Zm9vOmZvbwo=
 === TEST 10: verify
+--- LAST
 --- request
 GET /hello
 --- more_headers
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index 67aaacd706b4..8b1bab4f661e 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
@@ -211,20 +211,25 @@ appid=not-found&username=admin&password=123456
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 400
 --- response_body_like eval
-qr/appid \[not-found\] not found/
+qr/appid not found/
 --- no_error_log
 [error]
 === TEST 8: login failed, username missing
+--- LAST
 --- request
 POST /apisix/plugin/wolf-rbac/login
 appid=wolf-rbac-app&password=123456
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_USERNAME_MISSING/
+--- grep_error_log_out eval
 qr/ERR_USERNAME_MISSING/
@@ -236,7 +241,11 @@ appid=wolf-rbac-app&username=admin
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_PASSWORD_MISSING/
+--- grep_error_log_out eval
 qr/ERR_PASSWORD_MISSING/
@@ -248,7 +257,11 @@ appid=wolf-rbac-app&username=not-found&password=123456
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_USER_NOT_FOUND/
+--- grep_error_log_out eval
 qr/ERR_USER_NOT_FOUND/
@@ -260,7 +273,11 @@ appid=wolf-rbac-app&username=admin&password=wrong-password
 --- more_headers
 Content-Type: application/x-www-form-urlencoded
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_PASSWORD_ERROR/
+--- grep_error_log_out eval
 qr/ERR_PASSWORD_ERROR/
From a88b25c7ccb9e558aeed9656af17f498c8b94300 Mon Sep 17 00:00:00 2001
From: soulbird
Date: Fri, 15 Apr 2022 15:26:51 +0800
Subject: [PATCH 2/7] remove LAST
---
 t/plugin/ldap-auth.t | 1 -
 t/plugin/wolf-rbac.t | 1 -
 2 files changed, 2 deletions(-)
diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
index 863dac60f782..d6356cb1345b 100644
--- a/t/plugin/ldap-auth.t
+++ b/t/plugin/ldap-auth.t
@@ -207,7 +207,6 @@ Authorization: Basic Zm9vOmZvbwo=
 === TEST 10: verify
---- LAST
 --- request
 GET /hello
 --- more_headers
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index 8b1bab4f661e..9ba0ca0a56b3 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
@@ -218,7 +218,6 @@ qr/appid not found/
 === TEST 8: login failed, username missing
---- LAST
 --- request
 POST /apisix/plugin/wolf-rbac/login
 appid=wolf-rbac-app&password=123456
From 2e67ba40b597eafa229a23d7110b4da8777ba1df Mon Sep 17 00:00:00 2001
From: soulbird
Date: Fri, 15 Apr 2022 15:34:08 +0800
Subject: [PATCH 3/7] fix wolf test
---
 t/plugin/wolf-rbac.t | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index 9ba0ca0a56b3..27f454e5ccfd 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
@@ -322,7 +322,7 @@ GET /hello
 --- more_headers
 x-rbac-token: invalid-rbac-token
 --- response_body
-{"message":"invalid rbac token: parse failed"}
+{"message":"Invalid rbac token: parse failed"}
 --- no_error_log
 [error]
@@ -346,7 +346,13 @@ GET /hello1
 --- more_headers
 x-rbac-token: V1#wolf-rbac-app#wolf-rbac-token
 --- response_body
-{"message":"no permission to access"}
+{"message":"Invalid user authorization"}
+--- grep_error_log eval
+qr/no permission to access */
+--- grep_error_log_out
+no permission to access
+no permission to access
+no permission to access
@@ -465,9 +471,12 @@ PUT /apisix/plugin/wolf-rbac/change_pwd
 Content-Type: application/json
 Cookie: x-rbac-token=V1#wolf-rbac-app#wolf-rbac-token
 --- error_code: 200
---- response_body_like eval
+--- response_body
+{"message":"request to wolf-server failed!"}
+--- grep_error_log eval
+qr/ERR_OLD_PASSWORD_INCORRECT/
+--- grep_error_log_out eval
 qr/ERR_OLD_PASSWORD_INCORRECT/
-
 === TEST 25: change password
From 14d7238e43eddd72f8ce6fb502443b6e6383f47d Mon Sep 17 00:00:00 2001
From: soulbird
Date: Fri, 15 Apr 2022 15:36:25 +0800
Subject: [PATCH 4/7] fix wolf test
---
 t/plugin/wolf-rbac.t | 1 +
 1 file changed, 1 insertion(+)
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index 27f454e5ccfd..47a4c3461823 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
@@ -479,6 +479,7 @@ qr/ERR_OLD_PASSWORD_INCORRECT/
 qr/ERR_OLD_PASSWORD_INCORRECT/
+
 === TEST 25: change password
 --- request
 PUT /apisix/plugin/wolf-rbac/change_pwd
From fc0a3d29bb2b47d893b0b7290f2ad93074af77a9 Mon Sep 17 00:00:00 2001
From: soulbird
Date: Fri, 15 Apr 2022 15:41:24 +0800
Subject: [PATCH 5/7] remove FIRST
---
 t/plugin/ldap-auth.t | 1 -
 1 file changed, 1 deletion(-)
diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
index d6356cb1345b..df02de48fcc0 100644
--- a/t/plugin/ldap-auth.t
+++ b/t/plugin/ldap-auth.t
@@ -38,7 +38,6 @@ run_tests();
 __DATA__
 === TEST 1: sanity
---- FIRST
 --- config
 location /t {
 content_by_lua_block {
From b5cfe99d6dafc38cecb4e9a76b12e13190863a99 Mon Sep 17 00:00:00 2001
From: soulbird
Date: Fri, 15 Apr 2022 15:46:41 +0800
Subject: [PATCH 6/7] fix lint
---
 apisix/plugins/wolf-rbac.lua | 1 -
 1 file changed, 1 deletion(-)
diff --git a/apisix/plugins/wolf-rbac.lua b/apisix/plugins/wolf-rbac.lua
index ad4b24fbd87d..797edfe93362 100644
--- a/apisix/plugins/wolf-rbac.lua
+++ b/apisix/plugins/wolf-rbac.lua
@@ -23,7 +23,6 @@ local ngx_re = require("ngx.re")
 local http = require("resty.http")
 local ipairs = ipairs
 local ngx = ngx
-local tostring = tostring
 local rawget = rawget
 local rawset = rawset
 local setmetatable = setmetatable
From aa3ab23fe88b4723f8b57f8f829903f34e646c33 Mon Sep 17 00:00:00 2001
From: soulbird
Date: Mon, 18 Apr 2022 13:41:37 +0800
Subject: [PATCH 7/7] change errmsg
---
 apisix/plugins/basic-auth.lua | 5 ++---
 apisix/plugins/ldap-auth.lua | 5 ++---
 apisix/plugins/wolf-rbac.lua | 7 +++----
 t/plugin/basic-auth.t | 6 +++---
 t/plugin/ldap-auth.t | 6 +++---
 t/plugin/wolf-rbac.t | 4 ++--
 6 files changed, 15 insertions(+), 18 deletions(-)
diff --git a/apisix/plugins/basic-auth.lua b/apisix/plugins/basic-auth.lua
index 2bb080577269..32c0e0445966 100644
--- a/apisix/plugins/basic-auth.lua
+++ b/apisix/plugins/basic-auth.lua
@@ -152,14 +152,13 @@ function _M.rewrite(conf, ctx)
 local username, password, err = extract_auth_header(auth_header)
 if err then
 core.log.warn(err)
- return 401, { message = "Invalid user authorization" }
+ return 401, { message = "Invalid authorization in request" }
 end
 -- 2. get user info from consumer plugin
 local consumer_conf = consumer.plugin(plugin_name)
 if not consumer_conf then
- core.log.warn("Missing related consumer")
- return 401, { message = "Missing related consumer" }
 end
 local consumers = consumers_lrucache("consumers_key",
diff --git a/apisix/plugins/ldap-auth.lua b/apisix/plugins/ldap-auth.lua
index 7df7ab9abfbe..3fce91141119 100644
--- a/apisix/plugins/ldap-auth.lua
+++ b/apisix/plugins/ldap-auth.lua
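Review bot: In the basic-auth hunk of PATCH 7/7 the `if not consumer_conf then` branch goes back to answering the client with `Missing related consumer` and the `core.log.warn` from PATCH 1/7 is dropped with it, so a plugin that has no consumer bound to it reports that configuration state to an unauthenticated caller while leaving no server-side record of the misconfiguration. If the descriptive message is wanted for operators, the log line is the better place for it: keep `core.log.warn("Missing related consumer")` before the return (or an error-level log, since this is a deployment defect rather than a bad request) and leave the client response generic. The ldap-auth and wolf-rbac hunks of this patch, on the next line, make the same removal. `_M.rewrite` continues outside the hunk.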
@@ -132,7 +132,7 @@ function _M.rewrite(conf, ctx)
 local user, err = extract_auth_header(auth_header)
 if err then
 core.log.warn(err)
- return 401, { message = "Invalid user authorization" }
+ return 401, { message = "Invalid authorization in request" }
 end
 -- 2. try authenticate the user against the ldap server
@@ -147,8 +147,7 @@ function _M.rewrite(conf, ctx)
 -- 3. Retrieve consumer for authorization plugin
 local consumer_conf = consumer_mod.plugin(plugin_name)
 if not consumer_conf then
- core.log.warn("Missing related consumer")
- return 401, { message = "Invalid user authorization" }
+ return 401, { message = "Missing related consumer" }
 end
 local consumers = lrucache("consumers_key", consumer_conf.conf_version, create_consumer_cache, consumer_conf)
diff --git a/apisix/plugins/wolf-rbac.lua b/apisix/plugins/wolf-rbac.lua
index 797edfe93362..16ed736cd7c3 100644
--- a/apisix/plugins/wolf-rbac.lua
+++ b/apisix/plugins/wolf-rbac.lua
@@ -273,7 +273,7 @@ function _M.rewrite(conf, ctx)
 core.log.info("token info: ", core.json.delay_encode(tokenInfo), ", err: ", err)
 if err then
- return 401, fail_response('Invalid rbac token: parse failed')
+ return 401, fail_response('invalid rbac token: parse failed')
 end
 local appid = tokenInfo.appid
@@ -283,8 +283,7 @@ function _M.rewrite(conf, ctx)
 local consumer_conf = consumer.plugin(plugin_name)
 if not consumer_conf then
- core.log.warn("Missing related consumer")
- return 401, fail_response("Invalid user authorization")
+ return 401, fail_response("Missing related consumer")
 end
 local consumers = lrucache("consumers_key", consumer_conf.conf_version,
@@ -326,7 +325,7 @@ function _M.rewrite(conf, ctx)
 core.log.error(" check_url_permission(", core.json.delay_encode(perm_item), ") failed, res: ",core.json.delay_encode(res))
- return 401, fail_response("Invalid user authorization",
+ return 401, fail_response("Invalid user permission",
 { username = username, nickname = nickname }
 )
 end
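Review bot: The last wolf-rbac hunk now labels the `check_url_permission` failure `Invalid user permission` but still returns it as `401`, on the same new line; at this point the token has already been parsed and a consumer resolved (the response carries `username` and `nickname`), so this is an authorization denial rather than a missing or bad credential, and 401 invites clients to retry authentication that already succeeded. If no caller depends on the status, `return 403, fail_response("Invalid user permission",` matches the new wording; the test for this case in t/plugin/wolf-rbac.t does not assert an error_code in the visible hunks, so I cannot confirm whether 401 is relied upon. `_M.rewrite` continues outside the hunk.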
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
index 93be37e279aa..5d626edd07af 100644
--- a/t/plugin/basic-auth.t
+++ b/t/plugin/basic-auth.t
@@ -157,7 +157,7 @@ GET /hello
 Authorization: Bad_header YmFyOmJhcgo=
 --- error_code: 401
 --- response_body
-{"message":"Invalid user authorization"}
+{"message":"Invalid authorization in request"}
 --- grep_error_log eval
 qr/Invalid authorization header format/
 --- grep_error_log_out
@@ -174,7 +174,7 @@ GET /hello
 Authorization: Basic aca_a
 --- error_code: 401
 --- response_body
-{"message":"Invalid user authorization"}
+{"message":"Invalid authorization in request"}
 --- grep_error_log eval
 qr/Failed to decode authentication header: aca_a/
 --- grep_error_log_out
@@ -191,7 +191,7 @@ GET /hello
 Authorization: Basic YmFy
 --- error_code: 401
 --- response_body
-{"message":"Invalid user authorization"}
+{"message":"Invalid authorization in request"}
 --- grep_error_log eval
 qr/Split authorization err: invalid decoded data: bar/
 --- grep_error_log_out
diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
index df02de48fcc0..9ecac330f948 100644
--- a/t/plugin/ldap-auth.t
+++ b/t/plugin/ldap-auth.t
@@ -156,7 +156,7 @@ GET /hello
 Authorization: Bad_header Zm9vOmZvbwo=
 --- error_code: 401
 --- response_body
-{"message":"Invalid user authorization"}
+{"message":"Invalid authorization in request"}
 --- grep_error_log eval
 qr/Invalid authorization header format/
 --- grep_error_log_out
@@ -171,7 +171,7 @@ GET /hello
 Authorization: Basic aca_a
 --- error_code: 401
 --- response_body
-{"message":"Invalid user authorization"}
+{"message":"Invalid authorization in request"}
 --- grep_error_log eval
 qr/Failed to decode authentication header: aca_a/
 --- grep_error_log_out
@@ -186,7 +186,7 @@ GET /hello
 Authorization: Basic Zm9v
 --- error_code: 401
 --- response_body
-{"message":"Invalid user authorization"}
+{"message":"Invalid authorization in request"}
 --- grep_error_log eval
 qr/Split authorization err: invalid decoded data: foo/
 --- grep_error_log_out
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index 47a4c3461823..c76c7d2d020b 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
@@ -322,7 +322,7 @@ GET /hello
 --- more_headers
 x-rbac-token: invalid-rbac-token
 --- response_body
-{"message":"Invalid rbac token: parse failed"}
+{"message":"invalid rbac token: parse failed"}
 --- no_error_log
 [error]
@@ -346,7 +346,7 @@ GET /hello1
 --- more_headers
 x-rbac-token: V1#wolf-rbac-app#wolf-rbac-token
 --- response_body
-{"message":"Invalid user authorization"}
+{"message":"Invalid user permission"}
 --- grep_error_log eval
 qr/no permission to access */
 --- grep_error_log_out