OAuth wasm go plugin #663
Conversation
cc @WeixinX
@Uncle-Justice Please sign the CLA.
@johnlanni The error reported by the Build and Test Plugins step of the workflow also seems to appear occasionally when building locally with tinygo (CI job log: https://github.com/alibaba/higress/actions/runs/7112320889/job/19362049728?pr=663#step:7:1611):
#11 [builder 6/6] RUN tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./
#11 9.534 SIGSEGV: segmentation violation
#11 9.534 PC=0x529f032 m=7 sigcode=18446744073709551610
#11 9.534 signal arrived during cgo execution
#11 9.534
#11 9.534 goroutine 274 [syscall]:
#11 9.534 runtime.cgocall(0x852480, 0xc007d6fb28)
#11 9.534 /usr/local/go/src/runtime/cgocall.go:157 +0x5c fp=0xc007d6fb00 sp=0xc007d6fac8 pc=0x4c36bc
#11 9.534 tinygo.org/x/go-llvm._Cfunc_LLVMDisposeModule(0x7f473db6afb0)
#11 9.534 _cgo_gotypes.go:4808 +0x45 fp=0xc007d6fb28 sp=0xc007d6fb00 pc=0x6f3dc5
#11 9.534 tinygo.org/x/go-llvm.Module.Dispose.func1({0xc007d6fba0?})
#11 9.534 /go/pkg/mod/tinygo.org/x/[email protected]/ir.go:464 +0x3f fp=0xc007d6fb60 sp=0xc007d6fb28 pc=0x702a3f
#11 9.534 tinygo.org/x/go-llvm.Module.Dispose({0x53?})
#11 9.534 /go/pkg/mod/tinygo.org/x/[email protected]/ir.go:464 +0x19 fp=0xc007d6fb78 sp=0xc007d6fb60 pc=0x7029d9
#11 9.534 github.com/tinygo-org/tinygo/builder.Build.func3.2()
#11 9.534 /__w/tinygo/tinygo/builder/build.go:359 +0x26 fp=0xc007d6fb90 sp=0xc007d6fb78 pc=0x801306
#11 9.534 runtime.deferreturn()
#11 9.534 /usr/local/go/src/runtime/panic.go:476 +0x33 fp=0xc007d6fbd0 sp=0xc007d6fb90 pc=0x4f2bf3
#11 9.534 github.com/tinygo-org/tinygo/builder.Build.func3(0xc00831c1e0)
#11 9.534 /__w/tinygo/tinygo/builder/build.go:477 +0xef3 fp=0xc007d6ff78 sp=0xc007d6fbd0 pc=0x801113
#11 9.534 github.com/tinygo-org/tinygo/builder.runJob(0xc00831c1e0, 0x7f473d719e90?)
#11 9.534 /__w/tinygo/tinygo/builder/jobs.go:222 +0x4f fp=0xc007d6ffc0 sp=0xc007d6ff78 pc=0x80c84f
#11 9.534 github.com/tinygo-org/tinygo/builder.runJobs.func2()
#11 9.534 /__w/tinygo/tinygo/builder/jobs.go:123 +0x2a fp=0xc007d6ffe0 sp=0xc007d6ffc0 pc=0x80c18a
#11 9.534 runtime.goexit()
#11 9.534 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc007d6ffe8 sp=0xc007d6ffe0 pc=0x5266c1
#11 9.534 created by github.com/tinygo-org/tinygo/builder.runJobs
#11 9.534 /__w/tinygo/tinygo/builder/jobs.go:123 +0x5be
#11 9.534
#11 9.534 goroutine 1 [chan receive]:
#11 9.534 runtime.gopark(0xc006e74000?, 0x528d0a?, 0x0?, 0x8c?, 0xc013bf8630?)
#11 9.534 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc013bf85b0 sp=0xc013bf8590 pc=0x4f6c76
#11 9.534 runtime.chanrecv(0xc000dba000, 0xc013bf8768, 0x1)
#11 9.534 /usr/local/go/src/runtime/chan.go:583 +0x49d fp=0xc013bf8640 sp=0xc013bf85b0 pc=0x4c647d
#11 9.534 runtime.chanrecv1(0x54f3e80?, 0xc007244e70?)
#11 9.534 /usr/local/go/src/runtime/chan.go:442 +0x18 fp=0xc013bf8668 sp=0xc013bf8640 pc=0x4c5f78
#11 9.534 github.com/tinygo-org/tinygo/builder.runJobs(0xc00831b280?, 0xc0042b6798?)
#11 9.534 /__w/tinygo/tinygo/builder/jobs.go:132 +0x5e7 fp=0xc013bf8a60 sp=0xc013bf8668 pc=0x80bde7
#11 9.534 github.com/tinygo-org/tinygo/builder.Build({0x7ffc9d449efc, 0x2}, {0x7ffc9d449ea2, 0xa}, {0xc00012e660, 0x15}, 0xc000024480)
#11 9.534 /__w/tinygo/tinygo/builder/build.go:877 +0x369a fp=0xc013bf9568 sp=0xc013bf8a60 pc=0x7fc13a
#11 9.534 main.Build({0x7ffc9d449efc, 0x2}, {0x7ffc9d449ea2, 0xa}, 0xc00012c1e0)
#11 9.534 /__w/tinygo/tinygo/main.go:168 +0x26f fp=0xc013bf97d0 sp=0xc013bf9568 pc=0x8240af
#11 9.534 main.main()
#11 9.534 /__w/tinygo/tinygo/main.go:1573 +0x3588 fp=0xc013bf9f80 sp=0xc013bf97d0 pc=0x831da8
#11 9.534 runtime.main()
#11 9.534 /usr/local/go/src/runtime/proc.go:250 +0x207 fp=0xc013bf9fe0 sp=0xc013bf9f80 pc=0x4f6847
#11 9.534 runtime.goexit()
#11 9.534 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc013bf9fe8 sp=0xc013bf9fe0 pc=0x5266c1
#11 9.534
#11 9.534 goroutine 2 [force gc (idle)]:
#11 9.534 runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
#11 9.534 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000044fb0 sp=0xc000044f90 pc=0x4f6c76
#11 9.534 runtime.goparkunlock(...)
#11 9.534 /usr/local/go/src/runtime/proc.go:387
#11 9.534 runtime.forcegchelper()
#11 9.534 /usr/local/go/src/runtime/proc.go:305 +0xb0 fp=0xc000044fe0 sp=0xc000044fb0 pc=0x4f6ab0
#11 9.534 runtime.goexit()
#11 9.534 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000044fe8 sp=0xc000044fe0 pc=0x5266c1
#11 9.534 created by runtime.init.6
#11 9.534 /usr/local/go/src/runtime/proc.go:293 +0x25
#11 9.534
#11 9.534 goroutine 3 [GC sweep wait]:
#11 9.534 runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
#11 9.534 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000045780 sp=0xc000045760 pc=0x4f6c76
#11 9.535 runtime.goparkunlock(...)
#11 9.535 /usr/local/go/src/runtime/proc.go:387
#11 9.535 runtime.bgsweep(0x0?)
#11 9.535 /usr/local/go/src/runtime/mgcsweep.go:319 +0xde fp=0xc0000457c8 sp=0xc000045780 pc=0x4e341e
#11 9.535 runtime.gcenable.func1()
#11 9.535 /usr/local/go/src/runtime/mgc.go:178 +0x26 fp=0xc0000457e0 sp=0xc0000457c8 pc=0x4d8886
#11 9.535 runtime.goexit()
#11 9.535 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000457e8 sp=0xc0000457e0 pc=0x5266c1
#11 9.535 created by runtime.gcenable
#11 9.535 /usr/local/go/src/runtime/mgc.go:178 +0x6b
#11 9.535
#11 9.535 goroutine 4 [GC scavenge wait]:
#11 9.535 runtime.gopark(0xa39e70be43?, 0xafa2d86?, 0x0?, 0x0?, 0x0?)
#11 9.535 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000045f70 sp=0xc000045f50 pc=0x4f6c76
#11 9.535 runtime.goparkunlock(...)
#11 9.535 /usr/local/go/src/runtime/proc.go:387
#11 9.535 runtime.(*scavengerState).park(0x76c2780)
#11 9.535 /usr/local/go/src/runtime/mgcscavenge.go:400 +0x53 fp=0xc000045fa0 sp=0xc000045f70 pc=0x4e12f3
#11 9.535 runtime.bgscavenge(0x0?)
#11 9.535 /usr/local/go/src/runtime/mgcscavenge.go:633 +0x65 fp=0xc000045fc8 sp=0xc000045fa0 pc=0x4e18e5
#11 9.535 runtime.gcenable.func2()
#11 9.535 /usr/local/go/src/runtime/mgc.go:179 +0x26 fp=0xc000045fe0 sp=0xc000045fc8 pc=0x4d8826
#11 9.535 runtime.goexit()
#11 9.535 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000045fe8 sp=0xc000045fe0 pc=0x5266c1
#11 9.535 created by runtime.gcenable
#11 9.535 /usr/local/go/src/runtime/mgc.go:179 +0xaa
#11 9.535
#11 9.535 goroutine 5 [finalizer wait]:
#11 9.535 runtime.gopark(0x0?, 0x5578578?, 0x20?, 0x84?, 0x2000000020?)
#11 9.535 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000044628 sp=0xc000044608 pc=0x4f6c76
#11 9.535 runtime.runfinq()
#11 9.535 /usr/local/go/src/runtime/mfinal.go:193 +0x107 fp=0xc0000447e0 sp=0xc000044628 pc=0x4d78c7
#11 9.535 runtime.goexit()
#11 9.535 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000447e8 sp=0xc0000447e0 pc=0x5266c1
#11 9.535 created by runtime.createfing
#11 9.535 /usr/local/go/src/runtime/mfinal.go:163 +0x45
#11 9.535
#11 9.535 goroutine 7 [GC worker (idle)]:
#11 9.535 runtime.gopark(0x7757ca0?, 0x3?, 0xdf?, 0xc0?, 0x0?)
#11 9.535 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000046f50 sp=0xc000046f30 pc=0x4f6c76
#11 9.535 runtime.gcBgMarkWorker()
#11 9.535 /usr/local/go/src/runtime/mgc.go:1275 +0xf1 fp=0xc000046fe0 sp=0xc000046f50 pc=0x4da3f1
#11 9.535 runtime.goexit()
#11 9.535 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000046fe8 sp=0xc000046fe0 pc=0x5266c1
#11 9.535 created by runtime.gcBgMarkStartWorkers
#11 9.535 /usr/local/go/src/runtime/mgc.go:1199 +0x25
#11 9.535
#11 9.535 goroutine 18 [GC worker (idle)]:
#11 9.535 runtime.gopark(0xa49de4fb23?, 0x3?, 0x4b?, 0x3b?, 0x0?)
#11 9.535 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000040750 sp=0xc000040730 pc=0x4f6c76
#11 9.535 runtime.gcBgMarkWorker()
#11 9.535 /usr/local/go/src/runtime/mgc.go:1275 +0xf1 fp=0xc0000407e0 sp=0xc000040750 pc=0x4da3f1
#11 9.535 runtime.goexit()
#11 9.535 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000407e8 sp=0xc0000407e0 pc=0x5266c1
#11 9.535 created by runtime.gcBgMarkStartWorkers
#11 9.535 /usr/local/go/src/runtime/mgc.go:1199 +0x25
#11 9.535
#11 9.535 goroutine 8 [GC worker (idle)]:
#11 9.535 runtime.gopark(0xa49de4d7b9?, 0x3?, 0x76?, 0x47?, 0x0?)
#11 9.535 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000047750 sp=0xc000047730 pc=0x4f6c76
#11 9.535 runtime.gcBgMarkWorker()
#11 9.535 /usr/local/go/src/runtime/mgc.go:1275 +0xf1 fp=0xc0000477e0 sp=0xc000047750 pc=0x4da3f1
#11 9.535 runtime.goexit()
#11 9.535 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0000477e8 sp=0xc0000477e0 pc=0x5266c1
#11 9.535 created by runtime.gcBgMarkStartWorkers
#11 9.535 /usr/local/go/src/runtime/mgc.go:1199 +0x25
#11 9.535
#11 9.535 goroutine 19 [GC worker (idle)]:
#11 9.535 runtime.gopark(0xa49dea09dc?, 0x3?, 0x78?, 0xfd?, 0x0?)
#11 9.535 /usr/local/go/src/runtime/proc.go:381 +0xd6 fp=0xc000040f50 sp=0xc000040f30 pc=0x4f6c76
#11 9.535 runtime.gcBgMarkWorker()
#11 9.535 /usr/local/go/src/runtime/mgc.go:1275 +0xf1 fp=0xc000040fe0 sp=0xc000040f50 pc=0x4da3f1
#11 9.535 runtime.goexit()
#11 9.535 /usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc000040fe8 sp=0xc000040fe0 pc=0x5266c1
#11 9.535 created by runtime.gcBgMarkStartWorkers
#11 9.535 /usr/local/go/src/runtime/mgc.go:1199 +0x25
#11 9.535
#11 9.535 rax 0x7f473e9e2680
#11 9.535 rbx 0x7f473e0284f0
#11 9.535 rcx 0x7f473f224dd8
#11 9.535 rdx 0x0
#11 9.535 rdi 0x7f473e028490
#11 9.535 rsi 0x7f473e0284d0
#11 9.535 rbp 0x7f473e028490
#11 9.535 rsp 0x7f47403d78d8
#11 9.535 r8 0x471fa92e00007f47
#11 9.535 r9 0x8f2dd19d9121252f
#11 9.535 r10 0xc2c5cc827ab5b9bd
#11 9.535 r11 0x2
#11 9.535 r12 0x0
#11 9.535 r13 0x7f47398a7f30
#11 9.535 r14 0x7f4739871068
#11 9.535 r15 0x7f473e2a9740
#11 9.535 rip 0x529f032
#11 9.535 rflags 0x10202
#11 9.535 cs 0x33
#11 9.535 fs 0x0
#11 9.535 gs 0x0
#11 ERROR: process "/bin/sh -c tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./" did not complete successfully: exit code: 2
------
> [builder 6/6] RUN tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./:
9.535 r11 0x2
9.535 r12 0x0
9.535 r13 0x7f47398a7f30
9.535 r14 0x7f4739871068
9.535 r15 0x7f473e2a9740
9.535 rip 0x529f032
9.535 rflags 0x10202
9.535 cs 0x33
9.535 fs 0x0
9.535 gs 0x0
------
Dockerfile:17
--------------------
15 |
16 | RUN go mod tidy
17 | >>> RUN tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./
18 |
19 | FROM scratch as output
--------------------
ERROR: failed to solve: process "/bin/sh -c tinygo build -o /main.wasm -scheduler=none -gc=custom -tags='custommalloc nottinygc_finalizer' -target=wasi ./" did not complete successfully: exit code: 2
I also run into the same tinygo error locally.
@Uncle-Justice @WeixinX How are you building: with the make command from the docs inside the Docker image, or directly with a locally installed tinygo command-line tool?
@johnlanni I test with the command given in the docs, and it occasionally reports this problem: `PLUGIN_NAME=oauth make build`. Earlier, when I compiled main.go locally with tinygo directly, I used the following command and I don't recall ever seeing a similar error: `tinygo build -o main.wasm -scheduler=none -target=wasi -gc=custom -tags='custommalloc nottinygc_finalizer' ./main.go`
@Uncle-Justice Right, I suspect it is caused by running inside the container; I'll look into the cause.
@Uncle-Justice Please refer to basic-auth and key-auth: the `global_auth` configuration parameter needs to be handled so that it behaves as follows:
@johnlanni OK, I'll finish adding the global_auth feature and the test code as soon as possible.
@Uncle-Justice The current implementation of the `global_auth` behaviour in basic-auth and key-auth is rather convoluted and not concise; please implement the behaviour following this pseudocode:

```
noAllow: the allow list is empty, i.e. the current domain/route has not configured this plugin
ruleSet: at least one domain/route has configured this plugin

if noAllow == false { // allow list is non-empty
    look up the consumer in the allow list; if found, authentication passes;
    otherwise, authentication fails
}
// the logic above returns early, so from here on noAllow == true (allow list is empty):
if global_auth == true || ( global_auth unset && ruleSet == false ) { // takes effect globally
    look up the consumer in the global consumers list; if found, authentication passes;
    otherwise, authentication fails
}
if global_auth == false || ( global_auth unset && ruleSet == true ) {
    no authentication required, pass the request through directly
}
```
@WeixinX Your suggestion reminded me of an earlier point. The higress wasm docs also say route level > domain level > global, so take for example consumer1 being in route A's allow set but not in the global list. Because the earlier design required that the allow set hold only consumer names, not ids or secrets, and without the secret the token cannot be decrypted: although the name can be decoded directly from the token and compared, if no decryption is done the token mechanism is effectively not used at all. So my earlier design was that a consumer must first appear in the global list.
The consumer names in the allow list come from the global consumers configuration; if the former contains a name that the latter does not, can that be treated as a user misconfiguration?
@WeixinX OK, I understand, so the global list still has to be guaranteed first.

```
if noAllow == false { // allow list is non-empty
    look up the consumer in the allow list; if found, authentication passes;
    otherwise, authentication fails
}
```

So my current idea is close to yours, but the order of these three ifs changes, which may make the code more concise:

```
// Basic authentication: decode token -> check consumer validity -> decrypt and verify token; on failure return 401
// Issuing-route match: when globalCredentials is false, the route the token was issued for must match the current route; on failure return 403. Token decoding from basic authentication must be done before the issuing-route match
// Route rule match: look up in the allow list; if found, authentication passes, otherwise it fails and returns 403
// Normally proceed basic authentication -> issuing-route match -> route rule match; under some conditions authentication passes midway and the remaining steps are skipped
if noAllow && (globalAuthSetFalse || (globalAuthNoSet && ruleSet)) {
    perform no checks, pass the request through directly
}
// In the remaining cases with noAllow == true, only (globalAuthSetTrue || (globalAuthNoSet && !ruleSet)) are possible; both require basic authentication but no route rule match
do basic authentication
do issuing-route match
if noAllow == false {
    do route rule match
}
verification finished
```
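The decision chain agreed on in the two comments above (pass-through for an unauthenticated route, then basic authentication against the global consumers, then the allow list), as an added example that is not code from this PR or from the higress plugin. All names here (`Config`, `GlobalAuth`, `Decide`, `MintToken`) are hypothetical, the token format is a constructed toy (`name.hex(HMAC-SHA256(secret, name))`) chosen only so that verification needs the consumer's secret, the issuing-route match step is left out, and the sample consumers and secrets are constructed values:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// GlobalAuth models the tri-state global_auth setting (unset / true / false).
type GlobalAuth int

const (
	GlobalAuthUnset GlobalAuth = iota
	GlobalAuthTrue
	GlobalAuthFalse
)

// Verdict is the outcome of the check chain.
type Verdict int

const (
	Pass    Verdict = iota // request allowed through
	Deny401                // basic authentication failed (unknown consumer or bad token)
	Deny403                // consumer authenticated but not in the route's allow list
)

// Consumer is a global consumer entry. The secret lives only here; allow lists
// hold consumer names, as the thread requires.
type Consumer struct {
	Name         string
	ClientSecret string
}

// Config is the hypothetical plugin configuration used by this example.
type Config struct {
	Consumers  map[string]Consumer // global consumers keyed by name
	GlobalAuth GlobalAuth
	RuleSet    bool // at least one domain/route has configured the plugin
}

// MintToken builds the constructed toy token "name.hex(HMAC-SHA256(secret, name))".
func MintToken(c Consumer) string {
	mac := hmac.New(sha256.New, []byte(c.ClientSecret))
	mac.Write([]byte(c.Name))
	return c.Name + "." + hex.EncodeToString(mac.Sum(nil))
}

// decodeName recovers the consumer name from a token without verifying it:
// the "decode" step that must precede the secret lookup.
func decodeName(token string) (name, sig string, ok bool) {
	i := strings.LastIndex(token, ".")
	if i <= 0 {
		return "", "", false
	}
	return token[:i], token[i+1:], true
}

// verify recomputes the MAC with the consumer's secret and compares in constant time.
func verify(c Consumer, name, sig string) bool {
	got, err := hex.DecodeString(sig)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, []byte(c.ClientSecret))
	mac.Write([]byte(name))
	return hmac.Equal(got, mac.Sum(nil))
}

// Decide applies the order settled on in the thread: skip everything for an
// unauthenticated route, otherwise basic authentication first, then the allow list.
func Decide(cfg Config, allow []string, token string) Verdict {
	noAllow := len(allow) == 0
	// No allow list and global_auth=false, or unset with rules elsewhere: pass through.
	if noAllow && (cfg.GlobalAuth == GlobalAuthFalse || (cfg.GlobalAuth == GlobalAuthUnset && cfg.RuleSet)) {
		return Pass
	}
	// Basic authentication: decode -> consumer must exist globally -> MAC must verify.
	name, sig, ok := decodeName(token)
	if !ok {
		return Deny401
	}
	c, known := cfg.Consumers[name]
	if !known || !verify(c, name, sig) {
		return Deny401
	}
	// Remaining noAllow cases (global_auth=true, or unset with no rules): global consumers suffice.
	if noAllow {
		return Pass
	}
	// Route rule match: the authenticated name must appear in the allow list.
	for _, n := range allow {
		if n == name {
			return Pass
		}
	}
	return Deny403
}

func main() {
	cfg := Config{
		Consumers: map[string]Consumer{ // constructed sample consumers
			"consumer1": {Name: "consumer1", ClientSecret: "secret-1"},
			"consumer2": {Name: "consumer2", ClientSecret: "secret-2"},
		},
		GlobalAuth: GlobalAuthUnset,
		RuleSet:    true,
	}
	tok := MintToken(cfg.Consumers["consumer1"])
	// A route that authorises only consumer2 rejects consumer1's valid token with 403.
	fmt.Println("verdict:", Decide(cfg, []string{"consumer2"}, tok))
}
```

Note that a malformed or tampered token is answered with 401 before the allow list is consulted, and that an empty allow list never reaches the 403 branch, which is what makes the three-branch pseudocode collapse into a single pass.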
Response: http.AssertionResponse{ | ||
ExpectedResponse: http.Response{ | ||
StatusCode: 400, | ||
// TODO: 目前http.Response未支持body校验 |
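Review bot: the `// TODO: 目前http.Response未支持body校验` comment beside `StatusCode: 400` records a limitation of the e2e framework inside one test case rather than a task for this test; either add body assertion support to `http.AssertionResponse` or track the gap in one place, and state in the test what a 400 response is expected to prove, so the missing body check is not read as an unfinished case.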
Could the e2e test framework be extended to support body verification?
Can this be done now?
I found that the earlier logic only checks headers when the status is 200; for the other non-3xx cases those checks are skipped entirely, so the body and response e2e logic I added later follows the same approach.
So if 400 is expected here, under the current e2e test logic the body does not need to be verified.
I'll add the e2e test for requesting a token via POST as soon as possible.
StatusCode: 400, | ||
// TODO: 目前http.Response未支持body校验 | ||
}, | ||
// TODO: cpp版本是可以直接比照types.Action的,这里似乎不可以 |
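Review bot: the `// TODO: cpp版本是可以直接比照types.Action的,这里似乎不可以` comment leaves an open question in the test body; resolve it before merge, or replace it with a short note saying that this Go test compares the final e2e response instead of `types.Action`, so the TODO does not outlive the PR.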
The e2e test just needs to compare the final result.
| `client_id` | string | 必填 | - | OAuth2 client id | | ||
| `client_secret` | string | 必填 | - | OAuth2 client secret | | ||
|
||
`_rules_` 中每一项的配置字段说明如下: |
This explanation can be removed. When the cpp version docs were written, the current WasmPlugin CRD did not exist yet, so users had to configure these rules manually; the corresponding fields are now defined in the CRD, so the plugin docs no longer need to describe them.
@johnlanni Do you mean that the `_rules_` configuration no longer needs to be written in the plugin YAML? If `_rules_` is defined in the plugin YAML, are the effective rules then those from the CRD or those from this YAML?
The CRD already encapsulates the handling of the `_rules_` field; if users still write this configuration, it has no effect.
@johnlanni Understood: the `matchRules` configuration that takes effect by matching a domain or route is a feature shared by all wasm plugins, so it is defined at the WasmPlugin CRD level, and the docs of a specific plugin focus on describing its own configuration fields. I have removed the description of the `rules` field from the oauth plugin docs.
因为 test.com 仅授权了 consumer2,但这个 Access Token 是基于 consumer1 的 `client_id`,`client_secret` 获取的,因此将返回 `403 Access Denied` | ||
|
||
|
||
### 网关实例级别开启 |
Same as above.
@Uncle-Justice Please take a look at the README and adjust it; once that is done I'll merge.
Ⅰ. Describe what this PR did
Completed the oauth plugin among the go-wasm plugins.
Ⅱ. Does this pull request fix one issue?
fixes #633
Ⅲ. Why don't you add test cases (unit test/integration test)?
I did.
Ⅳ. Describe how to verify it
Run the existing wasm plugin test commands.
Ⅴ. Special notes for reviews
There are some places marked with TODO comments that need to be double-checked.