diff --git a/Makefile b/Makefile
index e4ff83f..36d835e 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,7 @@ endef
 build-envoy:
 @$(call start_docker)
 docker exec -it ${CONTAINER_NAME} make build-envoy-local
+ docker exec -it ${CONTAINER_NAME} strip -s /home/admin/dev/bazel-bin/envoy
 mkdir -p output/bin
 mkdir -p output/conf
 docker cp ${CONTAINER_NAME}:/home/admin/dev/bazel-bin/envoy output/bin
diff --git a/kuscia/source/filters/http/kuscia_common/kuscia_header.cc b/kuscia/source/filters/http/kuscia_common/kuscia_header.cc
index c3ff2bb..c22b790 100644
--- a/kuscia/source/filters/http/kuscia_common/kuscia_header.cc
+++ b/kuscia/source/filters/http/kuscia_common/kuscia_header.cc
@@ -22,17 +22,23 @@ namespace KusciaCommon {
 constexpr absl::string_view InterConnProtocolBFIA{"bfia"};
 constexpr absl::string_view InterConnProtocolKuscia{"kuscia"};
-absl::optional KusciaHeader::getSource(const Http::RequestHeaderMap& headers) {
- auto protocol = headers.getByKey(KusciaCommon::HeaderKeyInterConnProtocol);
- if (protocol && protocol.value() == InterConnProtocolBFIA) {
- auto ptpSource = headers.getByKey(HeaderKeyBFIAPTPSource);
- return ptpSource ? ptpSource : headers.getByKey(HeaderKeyBFIAScheduleSource);
- }
- return headers.getByKey(HeaderKeyKusciaSource);
+absl::optional
+KusciaHeader::getSource(const Http::RequestHeaderMap &headers) {
+ auto kusciaSource = headers.getByKey(HeaderKeyKusciaSource);
+ if (kusciaSource) {
+ return kusciaSource;
+ }
+ // BFIA protocol
+ auto protocol = headers.getByKey(KusciaCommon::HeaderKeyInterConnProtocol);
+ if (protocol && protocol.value() == InterConnProtocolBFIA) {
+ auto ptpSource = headers.getByKey(HeaderKeyBFIAPTPSource);
+ return ptpSource ? ptpSource
+ : headers.getByKey(HeaderKeyBFIAScheduleSource);
+ }
+ return kusciaSource;
 }
 } // namespace KusciaCommon
 } // namespace HttpFilters
 } // namespace Extensions
 } // namespace Envoy
-
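Review bot: The added `strip -s` rewrites `/home/admin/dev/bazel-bin/envoy` in place before it is copied, so no copy of the binary with symbols survives the build and a crash dump from the shipped `output/bin/envoy` cannot be symbolized afterwards. Consider saving the debug information first (for example `objcopy --only-keep-debug` into a separate file kept as a build artifact), or stripping the copy under `output/bin` rather than the Bazel output. The step also uses `docker exec -it` like the line above it, which needs a TTY and will fail in a non-interactive runner.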
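Review bot: In `getSource` the final `return kusciaSource;` is reached only when `kusciaSource` is empty, so it always yields an empty optional while reading as if it returned a value; `return absl::nullopt;` says that directly. The reordering also changes precedence: a request that carries both the `HeaderKeyKusciaSource` header and the BFIA protocol headers now resolves to the Kuscia value, where the old code took the BFIA headers. Because `TokenAuthFilter::decodeHeaders` uses this result as the identity the token is checked against, the rule deserves a comment above the function, e.g. `// The Kuscia source header takes precedence; BFIA headers are consulted only when it is absent.` Any code that reads the BFIA source headers directly (none is visible in this diff) should be checked to agree with it.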
diff --git a/kuscia/source/filters/http/kuscia_common/kuscia_header.h b/kuscia/source/filters/http/kuscia_common/kuscia_header.h
index 3f1c735..9187671 100755
--- a/kuscia/source/filters/http/kuscia_common/kuscia_header.h
+++ b/kuscia/source/filters/http/kuscia_common/kuscia_header.h
@@ -34,6 +34,7 @@ const Http::LowerCaseString HeaderKeyOriginSource("Kuscia-Origin-Source");
 const Http::LowerCaseString HeaderKeyErrorMessage("Kuscia-Error-Message");
+const Http::LowerCaseString HeaderKeyFmtError("Kuscia-Error-Formatted");
 const Http::LowerCaseString HeaderKeyErrorMessageInternal("Kuscia-Error-Message-Internal");
 const Http::LowerCaseString HeaderKeyRecordBody("Kuscia-Record-Body");
diff --git a/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.cc b/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.cc
index 8fa6f17..344cd1c 100755
--- a/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.cc
+++ b/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.cc
@@ -42,20 +42,20 @@ Http::FilterHeadersStatus TokenAuthFilter::decodeHeaders(Http::RequestHeaderMap&
 auto source = KusciaHeader::getSource(headers).value_or("");
 auto token = headers.getByKey(KusciaCommon::HeaderKeyKusciaToken).value_or("");
- bool is_valid = config_->validateSource(source, token);
- if (!is_valid) {
+ auto status = config_->validateSource(source, token);
+ if (status != Http::Code::OK) {
 ENVOY_LOG(warn, "Check Kuscia Source Token fail, {}: {}, {}: {}", KusciaCommon::HeaderKeyKusciaSource, source, KusciaCommon::HeaderKeyKusciaToken, token);
- sendUnauthorizedResponse();
+ sendAuthorizeFailedResponse(status);
 return Http::FilterHeadersStatus::StopIteration;
 }
 return Http::FilterHeadersStatus::Continue;
 }
-void TokenAuthFilter::sendUnauthorizedResponse() {
- decoder_callbacks_->sendLocalReply(Http::Code::Unauthorized, UnauthorizedBodyMessage, nullptr,
+void TokenAuthFilter::sendAuthorizeFailedResponse(Http::Code status) {
+ decoder_callbacks_->sendLocalReply(status, UnauthorizedBodyMessage, nullptr,
 absl::nullopt, Envoy::EMPTY_STRING);
 }
@@ -70,19 +70,19 @@ TokenAuthConfig::TokenAuthConfig(const TokenAuthPbConfig& config) {
 }
 }
-bool TokenAuthConfig::validateSource(absl::string_view source, absl::string_view token) const {
+Http::Code TokenAuthConfig::validateSource(absl::string_view source, absl::string_view token) const {
 static const std::string NoopToken = "noop";
 auto iter = source_token_map_.find(source);
 if (iter == source_token_map_.end()) {
- return false;
+ return Http::Code::NotFound;
 }
 for (const auto& disired_token : iter->second) {
 if (token == disired_token || disired_token == NoopToken) {
- return true;
+ return Http::Code::OK;
 }
 }
- return false;
+ return Http::Code::Unauthorized;
 }
 } // namespace KusciaTokenAuth
diff --git a/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.h b/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.h
index 0d5e753..8a60dd8 100755
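Review bot: The failure log in `decodeHeaders` still writes the presented `token` verbatim at warn level and does not include the new `status`, so it records credential material (a stale or mistyped token from a legitimate peer is close to a valid one) yet cannot tell an unknown source from a bad token. Log the status and drop or truncate the token value. Separately, `sendAuthorizeFailedResponse` passes `UnauthorizedBodyMessage` for every status, so a 404 reply carries the body written for the unauthorized case; choose the body from `status`, or rename the constant if its text is meant to be generic. `decodeHeaders` begins outside the hunk.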
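Review bot: Returning `Http::Code::NotFound` for an unconfigured source and `Http::Code::Unauthorized` for a wrong token in `validateSource` lets a caller without valid credentials learn which source names are configured by comparing status codes. If the distinction is only needed for diagnostics, keep it in the log and answer both cases alike, i.e. `return Http::Code::Unauthorized;` in the `iter == source_token_map_.end()` branch. If peers do rely on the 404, state that trade-off in a comment on the function. The unchanged comparison `token == disired_token` is also not constant-time, which is worth a follow-up.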
--- a/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.h
+++ b/kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.h
@@ -20,6 +20,7 @@
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/logger.h"
+#include "source/common/http/utility.h"
 #include "source/extensions/filters/http/common/pass_through_filter.h"
 #include "kuscia/api/filters/http/kuscia_token_auth/v3/token_auth.pb.h"
@@ -43,7 +44,7 @@ class TokenAuthFilter : public Http::PassThroughDecoderFilter,
 bool) override;
 private:
- void sendUnauthorizedResponse();
+ void sendAuthorizeFailedResponse(Http::Code status);
 TokenAuthConfigSharedPtr config_;
 };
@@ -52,7 +53,7 @@ class TokenAuthConfig {
 public:
 explicit TokenAuthConfig(const TokenAuthPbConfig& config);
- bool validateSource(absl::string_view source, absl::string_view token) const;
+ Http::Code validateSource(absl::string_view source, absl::string_view token) const;
 private:
 std::map, std::less<>> source_token_map_;
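Review bot: The `validateSource` declaration in the last hunk now returns `Http::Code`, but nothing tells a caller which codes to expect, and the old `bool` was self-explanatory. Add a comment above it such as `// Returns OK when the token matches (or the source accepts "noop"), NotFound when the source is not configured, Unauthorized otherwise.` In the first hunk, `#include "source/common/http/utility.h"` looks broader than the change needs; if only the `Http::Code` enum is used here, `envoy/http/codes.h` is the header that declares it. Both class bodies extend outside their hunks.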