feat: Add forward-auth plugin exception configuration status_on_error (
smileby authored Feb 2, 2024
1 parent 07c4aa3 commit 3faeff6
Showing 4 changed files with 36 additions and 4 deletions.
5 changes: 3 additions & 2 deletions apisix/plugins/forward-auth.lua
Expand Up @@ -24,6 +24,7 @@ local schema = {
properties = {
uri = {type = "string"},
allow_degradation = {type = "boolean", default = false},
status_on_error = {type = "integer", minimum = 200, maximum = 599, default = 403},
ssl_verify = {
type = "boolean",
default = true,
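
Review bot: `status_on_error` accepts 200-399 (`minimum = 200`), so a route can be configured to answer with a success or redirect status when the call to the authorization service fails. This value is only returned on the failure path, so consider `minimum = 400`, or document why 2xx/3xx is allowed, so that an authorization outage cannot be reported to clients and monitoring as success.
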
Expand Down Expand Up @@ -131,8 +132,8 @@ function _M.access(conf, ctx)
if not res and conf.allow_degradation then
return
elseif not res then
core.log.error("failed to process forward auth, err: ", err)
return 403
core.log.warn("failed to process forward auth, err: ", err)
return conf.status_on_error
end

if res.status >= 300 then
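
Review bot: the log call in the `elseif not res` branch drops from `core.log.error` to `core.log.warn`, which the commit title does not mention and which makes a failure to reach the authorization service less visible to anything alerting on error-level logs. Keep `core.log.error` here or justify the downgrade, and consider adding the returned status to the message, e.g. `", status: ", conf.status_on_error`. Separately, the `allow_degradation` branch above still returns without logging, so a skipped authentication leaves no trace.
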
1 change: 1 addition & 0 deletions docs/en/latest/plugins/forward-auth.md
Expand Up @@ -49,6 +49,7 @@ This Plugin moves the authentication and authorization logic to a dedicated exte
| keepalive_timeout | integer | False | 60000ms | [1000, ...]ms | Idle time after which the connection is closed. |
| keepalive_pool | integer | False | 5 | [1, ...]ms | Connection pool limit. |
| allow_degradation | boolean | False | false | | When set to `true`, allows authentication to be skipped when authentication server is unavailable. |
| status_on_error | integer | False | 403 | [200,...,599] | Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is “403” (HTTP Forbidden). |

## Data definition
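
Review bot: the `status_on_error` row does not say that the setting is ignored when `allow_degradation` is `true`; in `_M.access` that branch returns before `conf.status_on_error` is reached. Add that to the description, and replace the typographic quotes around 403 with backticks to match the `true` in the row above.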

1 change: 1 addition & 0 deletions docs/zh/latest/plugins/forward-auth.md
Expand Up @@ -48,6 +48,7 @@ description: 本文介绍了关于 Apache APISIX `forward-auth` 插件的基本
| keepalive_timeout | integer || 60000ms | [1000, ...]ms | 长连接超时时间。 |
| keepalive_pool | integer || 5 | [1, ...]ms | 长连接池大小。 |
| allow_degradation | boolean || false | | 当设置为 `true` 时,允许在身份验证服务器不可用时跳过身份验证。 |
| status_on_error | boolean || 403 | [200,...,599] | 设置授权服务出现网络错误时返回给客户端的 HTTP 状态。默认状态为“403”。 |

## 数据定义
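
Review bot: the `status_on_error` row gives the type as `boolean`, but the schema declares it as `integer` and the English table says `integer`. Change the type column to `integer`.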

33 changes: 31 additions & 2 deletions t/plugin/forward-auth.t
Expand Up @@ -285,6 +285,26 @@ property "request_method" validation failed: matches none of the enum values
"upstream_id": "u1",
"uri": "/large-body"
}]],
},
{
url = "/apisix/admin/routes/8",
data = [[{
"plugins": {
"forward-auth": {
"uri": "http://127.39.40.1:9999/auth",
"request_headers": ["Authorization"],
"upstream_headers": ["X-User-ID"],
"client_headers": ["Location"],
"status_on_error": 503,
"allow_degradation": false
},
"proxy-rewrite": {
"uri": "/echo"
}
},
"upstream_id": "u1",
"uri": "/onerror"
}]],
}
}
Expand All @@ -297,7 +317,7 @@ property "request_method" validation failed: matches none of the enum values
}
}
--- response_body eval
"passed\n" x 10
"passed\n" x 11
Expand Down Expand Up @@ -408,7 +428,16 @@ Authorization: 111
=== TEST 13: test large body
=== TEST 13: Verify status_on_error
--- request
GET /onerror
--- more_headers
Authorization: 333
--- error_code: 503
=== TEST 14: test large body
--- config
location /t {
content_by_lua_block {
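
Review bot: the new `Verify status_on_error` case asserts only `--- error_code: 503`, so it would pass for any 503 and not just the one produced by the failed call to `http://127.39.40.1:9999/auth`. Add an `--- error_log` check for `failed to process forward auth` to tie it to that branch, and consider cases for the default (no `status_on_error`, expect 403) and for schema rejection of values outside 200-599.
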