feat(acl) allow acl plugin to use a consumer without credentials #2722
Conversation
bungle
force-pushed
the
feat/acl-plugin-consumer
branch
from
08fb9a7 to
7ebdaba
Compare
kong/plugins/acl/handler.lua
Outdated
| consumer_id = ngx.ctx.authenticated_credential.consumer_id | ||
| else | ||
| end | ||
|
|
There was a problem hiding this comment.
Wouldn't it be simpler to write an elseif here?
if ngx.ctx.authenticated_consumer then
consumer_id = ngx.ctx.authenticated_consumer.id
elseif ngx.ctx.authenticated_credential then
consumer_id = ngx.ctx.authenticated_credential.consumer_id
end
Or even
local consumer_id = (ngx.ctx.authenticated_consumer and ngx.ctx.authenticated_consumer.id) or
(ngx.ctx.authenticated_credential and ngx.ctx.authenticated_credential.consumer_id)
(That second one might be a bit too much)
There was a problem hiding this comment.
I'd be in favor of the latter approach ^ though the parens aren't necessary I don't think.
There was a problem hiding this comment.
Actually no. There is always change that ngx.ctx.authenticated_credential is set but ngx.ctx.authenticated_credential.customer_id results nil. For example right now I'm working this around by setting ngx.ctx.authenticated_credential.customer_id, but that feels wrong as I cannot set ngx.ctx.authenticated_credential.id as there is no credential (and that could screw another plugin). My approach works even if people do stupid things, and it doesn't hurt anything (maybe just one extra nil check).
There was a problem hiding this comment.
What I mean here is that even if there is ngx.ctx.authenticated_consumer table or ngx.ctx. authenticated_credential table, there is no gurantee that it has any properties. We could go on, and even argue that the current and this patched code will crash if ngx.ctx.authenticated_consumer or ngx.ctx.authenticated_credential are not tables.
bungle
force-pushed
the
feat/acl-plugin-consumer
branch
from
7ebdaba to
ddf2adf
Compare
|
I pushed a new version that also doesn't crash if the used context variables are not |
kong/plugins/acl/handler.lua
Outdated
|
|
||
| local ACLHandler = BasePlugin:extend() | ||
|
|
||
|
|
There was a problem hiding this comment.
It seems like this PR has many style changes. As we've agreed upon by the past, could we limit the scope of the changes in the PRs? Or if we want those changes in the same PR, could they be in separate commits at least?
feat(acl) work with consumerstyle(acl) update to new styleperf(acl) minor improvements
kong/plugins/acl/handler.lua
Outdated
|
|
||
| if not consumer_id then | ||
| return responses.send_HTTP_FORBIDDEN( | ||
| "Cannot identify the consumer, add an authentication plugin to use the ACL plugin" |
There was a problem hiding this comment.
aside note: welp, I never saw this before, but I don't think user-facing errors/responses should talk about the notion of "plugins". This should probably be logged for the Kong admin to see (ngx.log(ngx.WARN, ...) maybe), and the 403 response shown to the user should be blank. This is, of course, out of the scope of this PR and is definitely not a blocker for this PR imo :)
kong/plugins/acl/handler.lua
Outdated
| cache.acls_key(consumer_id), | ||
| nil, | ||
| load_acls_into_memory, | ||
| consumer_id) |
There was a problem hiding this comment.
Any reason for this change and the new line below? I think it was fine as it was (per the code style), except for the second line not aligning with the first argument. Such style changes should be part of another commit/PR anyways.
kong/plugins/acl/handler.lua
Outdated
| @@ -60,14 +89,17 @@ function ACLHandler:access(conf) | |||
| if next(conf.whitelist or empty) then | |||
| if not next(acls or empty) then | |||
| block = true | |||
|
|
|||
There was a problem hiding this comment.
ditto: all those style changes - while appreciated, it'd be great if they could at least be included in a separate commit :) Thanks!
kong/plugins/acl/handler.lua
Outdated
| @@ -83,7 +115,9 @@ function ACLHandler:access(conf) | |||
| for _, v in ipairs(acls) do | |||
| table_insert(str_acls, v.group) | |||
| end | |||
| ngx.req.set_header(constants.HEADERS.CONSUMER_GROUPS, table_concat(str_acls, ", ")) | |||
|
|
|||
| set_header(constants.HEADERS.CONSUMER_GROUPS, table_concat(str_acls, ", ")) | |||
There was a problem hiding this comment.
Such a change should also be separated in its own perf(acl) commit as well
thibaultcha
added
pr/changes requested
Tieske
force-pushed
the
feat/acl-plugin-consumer
branch
from
ddf2adf to
1225a7d
Compare
Tieske
force-pushed
the
feat/acl-plugin-consumer
branch
from
87d43d5 to
8e1382a
Compare
Tieske
added
pr/ready
Summary
Sometimes Kong is not the provider of credentials, but a third-party identity provider does that. E.g. with OpenID Connect and LDAP the credentials are stored in 3rd party IdP or directory.
ACL plugin on the other hand did only work with
ngx.ctx.authenticated_credential, this patch adds a support tongx.ctx.authenticated_consumeras well.