OAuth wasm go plugin #663

Open
wants to merge 11 commits into
base: main

Uncle-Justice
Contributor

Ⅰ. Describe what this PR did

Completed the OAuth plugin among the go-wasm plugins.

Ⅱ. Does this pull request fix one issue?

fixes #633

Ⅲ. Why don't you add test cases (unit test/integration test)?

I did.

Ⅳ. Describe how to verify it

Run the original wasm plugin test command.

Ⅴ. Special notes for reviews

Some items marked with TODO comments need to be confirmed again.

@CLAassistant

CLAassistant commented Dec 3, 2023

CLA assistant check
All committers have signed the CLA.

@johnlanni
Collaborator

cc @WeixinX

@johnlanni johnlanni requested a review from WeixinX December 4, 2023 02:07
@johnlanni johnlanni changed the title Wasm go ouath OAuth wasm go plugin Dec 4, 2023
@johnlanni
Collaborator

@Uncle-Justice Please sign the CLA.

@codecov-commenter

codecov-commenter commented Dec 4, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (5140372) 38.13% compared to head (5741f36) 38.13%.

@@           Coverage Diff           @@
##             main     #663   +/-   ##
=======================================
  Coverage   38.13%   38.13%           
=======================================
  Files          61       61           
  Lines       10428    10428           
=======================================
  Hits         3977     3977           
  Misses       6152     6152           
  Partials      299      299           

@WeixinX
Collaborator

WeixinX commented Dec 6, 2023

@johnlanni The error reported by Build and Test Plugins in the workflow also seems to occur occasionally when building locally with tinygo:

#11 [builder 6/6] RUN tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./
#11 9.534 SIGSEGV: segmentation violation
#11 9.534 PC=0x529f032 m=7 sigcode=18446744073709551610
#11 9.534 signal arrived during cgo execution
#11 9.534 
#11 9.534 goroutine 274 [syscall]:
#11 9.534 runtime.cgocall(0x852480, 0xc007d6fb28)
#11 9.534 	/usr/local/go/src/runtime/cgocall.go:157 +0x5c fp=0xc007d6fb00 sp=0xc007d6fac8 pc=0x4c36bc
#11 9.534 tinygo.org/x/go-llvm._Cfunc_LLVMDisposeModule(0x7f473db6afb0)
#11 9.534 	_cgo_gotypes.go:4808 +0x45 fp=0xc007d6fb28 sp=0xc007d6fb00 pc=0x6f3dc5
#11 9.534 tinygo.org/x/go-llvm.Module.Dispose.func1({0xc007d6fba0?})
#11 9.534 	/go/pkg/mod/tinygo.org/x/go-llvm@v0.0.0-20221028183034-8341240c0b32/ir.go:464 +0x3f fp=0xc007d6fb60 sp=0xc007d6fb28 pc=0x702a3f
#11 9.534 tinygo.org/x/go-llvm.Module.Dispose({0x53?})
#11 9.534 	/go/pkg/mod/tinygo.org/x/go-llvm@v0.0.0-20221028183034-8341240c0b32/ir.go:464 +0x19 fp=0xc007d6fb78 sp=0xc007d6fb60 pc=0x7029d9
#11 9.534 github.com/tinygo-org/tinygo/builder.Build.func3.2()
#11 9.534 	/__w/tinygo/tinygo/builder/build.go:359 +0x26 fp=0xc007d6fb90 sp=0xc007d6fb78 pc=0x801306
#11 9.534 runtime.deferreturn()
#11 9.534 	/usr/local/go/src/runtime/panic.go:476 +0x33 fp=0xc007d6fbd0 sp=0xc007d6fb90 pc=0x4f2bf3
#11 9.534 github.com/tinygo-org/tinygo/builder.Build.func3(0xc00831c1e0)
#11 9.534 	/__w/tinygo/tinygo/builder/build.go:477 +0xef3 fp=0xc007d6ff78 sp=0xc007d6fbd0 pc=0x801113
#11 9.534 github.com/tinygo-org/tinygo/builder.runJob(0xc00831c1e0, 0x7f473d719e90?)
#11 9.534 	/__w/tinygo/tinygo/builder/jobs.go:222 +0x4f fp=0xc007d6ffc0 sp=0xc007d6ff78 pc=0x80c84f
#11 9.534 github.com/tinygo-org/tinygo/builder.runJobs.func2()
#11 9.534 	/__w/tinygo/tinygo/builder/jobs.go:123 +0x2a fp=0xc007d6ffe0 sp=0xc007d6ffc0 pc=0x80c18a
#11 9.534 runtime.goexit()
#11 9.534 	/usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc007d6ffe8 sp=0xc007d6ffe0 pc=0x5266c1
#11 9.534 created by github.com/tinygo-org/tinygo/builder.runJobs
#11 9.534 	/__w/tinygo/tinygo/builder/jobs.go:123 +0x5be
#11 ERROR: process "/bin/sh -c tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./" did not complete successfully: exit code: 2
Dockerfile:17
--------------------
  15 |     
  16 |     RUN go mod tidy
  17 | >>> RUN tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./
  18 |     
  19 |     FROM scratch as output
--------------------
ERROR: failed to solve: process "/bin/sh -c tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./" did not complete successfully: exit code: 2

@Uncle-Justice
Contributor Author

I also run into the same tinygo error locally.

@johnlanni
Collaborator

@Uncle-Justice @WeixinX How are you running it: building inside the docker image with the make command from the docs, or building with a directly installed tinygo command-line tool?

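@Uncle-Justice
Contributor Author

Uncle-Justice commented Dec 7, 2023

@johnlanni I test with the command given in the docs, and it occasionally reports this problem:

PLUGIN_NAME=oauth make build

Earlier, when I compiled main.go locally with tinygo directly, I used this command, and as far as I remember it never reported a similar problem: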

tinygo build -o main.wasm -scheduler=none -target=wasi -gc=custom -tags='custommalloc nottinygc_finalizer' ./main.go

@johnlanni
Collaborator

@Uncle-Justice OK, I suspect it is caused by running inside a container. I'll look into the cause.

@johnlanni
Collaborator

@Uncle-Justice Refer to basic-auth and key-auth; the global_auth configuration parameter needs to be handled to achieve this effect:
image

@Uncle-Justice
Contributor Author

@johnlanni OK, I'll finish adding the global_auth feature and the test code as soon as possible.

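@WeixinX
Collaborator

WeixinX commented Dec 9, 2023

@Uncle-Justice The current logic in basic-auth and key-auth that implements the global_auth parameter is rather cumbersome and not concise enough; please refer to the following pseudocode to implement it:

noAllow: the allow list is empty, i.e. the current domain/route has not configured this plugin
ruleSet: at least one domain/route has configured this plugin

if noAllow == false { // the allow list is not empty
     look up the consumer in the allow list; if found, authentication passes, otherwise it fails
}

// The logic above returns early, so below noAllow == true (the allow list is empty):
if global_auth == true || ( global_auth is not set && ruleSet == false ) { // takes effect globally
    look up the consumer in the global consumers list; if found, authentication passes, otherwise it fails
}

if global_auth == false || ( global_auth is not set && ruleSet == true ) {
    no authentication needed, let the request through
}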

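@Uncle-Justice
Contributor Author

@WeixinX Your suggestion inspired me and reminded me of an earlier point. The higress wasm docs also say route level > domain level > global, so how should it be handled if, for example, consumer1 is in route A's allowset but not in the global consumers configuration?

Because the earlier design requirement was that the allowset stores only the consumer's name, not the id or secret, but without the secret the token cannot be decrypted. The name can be decoded directly from the token for comparison, but if no decryption is done, the token mechanism is effectively unused. So my earlier design was that a consumer must first appear in the global consumers list, and only then is the route rule evaluated.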

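@WeixinX
Collaborator

WeixinX commented Dec 10, 2023

@Uncle-Justice

> so how should it be handled if, for example, consumer1 is in route A's allowset but not in the global consumers configuration?

The consumer names in the allow list come from the global consumers configuration; if the former has one that the latter does not, can't that be regarded as a user misconfiguration?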

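@Uncle-Justice
Contributor Author

@WeixinX OK, I understand. So we still need to first make sure the global consumers contain this consumer. Then under the following if, token validation still has to be done first to determine whether the consumer exists in consumers, and only then the allow-related checks:

if noAllow == false { // the allow list is not empty
     look up the consumer in the allow list; if found, authentication passes, otherwise it fails
}

So my current idea is close to yours, but the order of the three ifs changes; after the change the code may be more concise:

// Base authentication: decode token -> check the consumer is valid -> decrypt and verify the token; on failure return 401
// Issuing-route match: when globalCredentials is false, the route the token was issued for must match the current route; on failure return 403. The token must be decoded by base authentication before the issuing-route match
// Route rule match: look up in the allow list; if found, authentication passes, otherwise it fails and 403 is returned

// Normally the order is base authentication -> issuing-route match -> route rule match; under some conditions authentication passes partway and the later steps are skipped

if noAllow && (globalAuthSetFalse || (globalAuthNoSet && ruleSet)) {
  let the request through without any check
}
// In the remaining cases, when noallow=true, only (globalAuthSetTrue || (globalAuthNoSet && !ruleSet)) are left; both require base authentication and no route rule match
do base authentication
do issuing-route match

if noAllow == false{
  do route rule match
}

validation ends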
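
The decision order proposed in the comment above, written out as an added Go example (not code from this PR or from Higress). `GlobalAuth`, `Request` and `Decide` are hypothetical names, and token decoding and verification are reduced to the `TokenConsumer` and `TokenValid` input fields.

```go
package main

import "fmt"

type GlobalAuth int // tri-state global_auth setting (hypothetical type for this example)

const (
	Unset GlobalAuth = iota
	On
	Off
)

// Request holds the decision inputs; field names are assumptions, not the plugin's own.
type Request struct {
	Allow             []string        // allow list of the matched domain/route
	RuleSet           bool            // at least one domain/route configures the plugin
	GlobalAuth        GlobalAuth      // global_auth
	Consumers         map[string]bool // names in the global consumers list
	TokenConsumer     string          // consumer name decoded from the token
	TokenValid        bool            // token verified with that consumer's secret
	GlobalCredentials bool            // false: token is bound to its issuing route
	IssuedRoute       string
	CurrentRoute      string
}

// Decide returns the HTTP status for a request: 200, 401 or 403.
func Decide(r Request) int {
	noAllow := len(r.Allow) == 0
	// Plugin not in effect for this domain/route: pass without any check.
	if noAllow && (r.GlobalAuth == Off || (r.GlobalAuth == Unset && r.RuleSet)) {
		return 200
	}
	// Base authentication: the consumer must exist globally and the token must verify.
	if !r.Consumers[r.TokenConsumer] || !r.TokenValid {
		return 401
	}
	// Issuing-route match, only when credentials are not global.
	if !r.GlobalCredentials && r.IssuedRoute != r.CurrentRoute {
		return 403
	}
	if noAllow {
		return 200
	}
	// Route rule match against the allow list.
	for _, name := range r.Allow {
		if name == r.TokenConsumer {
			return 200
		}
	}
	return 403
}

func main() {
	fmt.Println(Decide(Request{RuleSet: true})) // constructed input: no allow list here
}
```

A non-empty allow list forces base authentication even when `global_auth` is false, and a consumer that appears in an allow list but not in the global consumers list is rejected with 401 before the allow list is consulted.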

Response: http.AssertionResponse{
ExpectedResponse: http.Response{
StatusCode: 400,
// TODO: 目前http.Response未支持body校验
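
Review bot: The expectation at `StatusCode: 400` is asserted by status code alone, and the TODO on the next line confirms that the body is not checked, so this case cannot distinguish one rejection reason from another. Replace the bare TODO with a reference to a tracking issue and add the body assertion to this case once http.Response supports it.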
Collaborator

Can the e2e test framework be extended to support body checks?

Collaborator

Can this be done now?

Contributor Author

I found that the previous logic only checks headers on 200; all other cases not starting with 3 skip these checks, so the body and response e2e logic I added later follows the same approach.

So if 400 is expected here, under the current e2e test logic the body does not actually need to be checked.

I will add the e2e test for the earlier feature of requesting a token via POST as soon as possible.

StatusCode: 400,
// TODO: 目前http.Response未支持body校验
},
// TODO: cpp版本是可以直接比照types.Action的,这里似乎不可以
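
Review bot: The TODO on the last line leaves an open question about comparing types.Action inside the test table, with no owner or follow-up. Since this case already asserts on the final response, either drop the TODO or replace it with a short comment stating that the action is intentionally not compared.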
Collaborator

For the e2e test, comparing the final result is enough.

| `client_id` | string | 必填 | - | OAuth2 client id |
| `client_secret` | string | 必填 | - | OAuth2 client secret |

`_rules_` 中每一项的配置字段说明如下:
Collaborator

This part of the description can be removed. When the cpp version's docs were written, the current wasmplugin crd did not exist yet, so users had to configure these rules manually. The corresponding fields are now defined in the crd, so the plugin docs don't need to cover them.

Contributor Author

@johnlanni Do you mean the rules_ configuration no longer needs to be written in the plugin yaml? If _rules_ is defined in the plugin's yaml, do the actual rules follow the crd or the yaml here?

Collaborator

The crd already encapsulates the handling of the _rules_ field; if the user writes this configuration again, it has no effect.

Collaborator

You can take a look at this document: https://higress.io/zh-cn/docs/plugins/intro

Contributor Author

@johnlanni Understood: matchRules, the configuration that takes effect by matching a domain or route, is a feature all wasm plugins have, so it is defined directly at the wasm plugin crd level, and a specific plugin's docs mainly cover the configuration fields particular to it.

I have removed the description of the rules field from the oauth plugin docs.

因为 test.com 仅授权了 consumer2,但这个 Access Token 是基于 consumer1 的 `client_id`,`client_secret` 获取的,因此将返回 `403 Access Denied`


### 网关实例级别开启
Collaborator

Same as above.

@johnlanni
Collaborator

@Uncle-Justice Please take a look at the README and adjust it; once that's done I'll merge it.

Successfully merging this pull request may close these issues.

Implement the Golang version of the existing CPP Wasm plugin: OAuth