feat: Added authz-casbin plugin and doc and tests for it

.github/workflows/build.yml

@@ -89,7 +89,7 @@ jobs:
           tar zxvf ${{ steps.branch_env.outputs.fullname }}
 
       - name: Linux Get dependencies
-        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl
+        run: sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl libpcre3 libpcre3-dev
 
       - name: Linux Before install
         run: sudo ./ci/${{ matrix.os_name }}_runner.sh before_install

.github/workflows/chaos.yml

@@ -29,6 +29,7 @@ jobs:
           bash ./t/chaos/utils/setup_chaos_utils.sh start_minikube
           wget https://raw.githubusercontent.com/apache/apisix-docker/master/alpine-local/Dockerfile
           mkdir logs
+          sudo apt install -y libpcre3 libpcre3-dev
           docker build -t apache/apisix:alpine-local --build-arg APISIX_PATH=. -f Dockerfile .
           minikube cache add apache/apisix:alpine-local -v 7 --alsologtostderr
 

apisix/plugins/authz-casbin.lua

@@ -0,0 +1,115 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+local casbin          = require("casbin")
+local core            = require("apisix.core")
+local plugin          = require("apisix.plugin")
+local ngx             = ngx
+local get_headers     = ngx.req.get_headers
+
+local plugin_name = "authz-casbin"
+
+local schema = {
+    type = "object",
+    properties = {
+        model_path = { type = "string" },
+        policy_path = { type = "string" },
+        username = { type = "string"}
+    },
+    required = {"model_path", "policy_path", "username"},
+    additionalProperties = false
+}
+
+local metadata_schema = {
+    type = "object",
+    properties = {
+        model = {type = "string"},
+        policy = {type = "string"},
+    },
+    required = {"model", "policy"},
+    additionalProperties = false
+}
+
+local _M = {
+    version = 0.1,
+    priority = 2560,
+    name = plugin_name,
+    schema = schema,
+    metadata_schema = metadata_schema
+}
+
+function _M.check_schema(conf, schema_type)
+    if schema_type == core.schema.TYPE_METADATA then
+        return core.schema.check(metadata_schema, conf)
+    end
+    local ok, err = core.schema.check(schema, conf)
+    if ok then
+        return true
+    else
+        local metadata = plugin.plugin_metadata(plugin_name)
+        if metadata and metadata.value and conf.username then
+            return true
+        end
+    end
+    return false, err
+end
+
+
+local function new_enforcer(conf, modifiedIndex)
+    local model_path = conf.model_path
+    local policy_path = conf.policy_path
+
+    local e
+
+    if model_path and policy_path then
+        e = casbin:new(model_path, policy_path)
+        conf.type = "file"
+    end
+
+    local metadata = plugin.plugin_metadata(plugin_name)
+    if metadata and metadata.value.model and metadata.value.policy and not e then
+        local model = metadata.value.model
+        local policy = metadata.value.policy
+        e = casbin:newEnforcerFromText(model, policy)
+        conf.type = "metadata"
+        conf.modifiedIndex = modifiedIndex
+    end
+
+    conf.casbin_enforcer = e
+end
+
+
+function _M.rewrite(conf, ctx)
+    -- creates an enforcer when request sent for the first time
+    local metadata = plugin.plugin_metadata(plugin_name)
+    if (not conf.casbin_enforcer) or
+    (conf.type == "metadata" and conf.modifiedIndex ~= metadata.modifiedIndex) then
+        new_enforcer(conf, metadata.modifiedIndex)
+    end
+
+    local path = ctx.var.uri
+    local method = ctx.var.method
+    local username = get_headers()[conf.username]
+    if not username then username = "anonymous" end
+
+    if not conf.casbin_enforcer:enforce(username, path, method) then
+        return 403, {message = "Access Denied"}
+    end
+end
+
+
+return _M

ci/ASF-Release.cfg

@@ -99,6 +99,9 @@ t/toolkit
 # Exclude subcomponents files
 apisix/balancer/ewma.lua
 
+# Exclude plugin-specific configuration files
+t/plugin/authz-casbin
+
 [Options]
 # Not all code files allow licenses to appear starting at the first character
 # of the file. This option tells the scan to allow licenses to appear starting

ci/centos7-ci.sh

@@ -27,7 +27,7 @@ install_dependencies() {
 
     # install openresty to make apisix's rpm test work
     yum install -y yum-utils && yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
-    yum install -y openresty openresty-debug openresty-openssl111-debug-devel
+    yum install -y openresty openresty-debug openresty-openssl111-debug-devel pcre pcre-devel
 
     # install luarocks
     ./utils/linux-install-luarocks.sh

conf/config-default.yaml

@@ -285,6 +285,7 @@ plugins:                          # plugin list (sorted by priority)
   - uri-blocker                    # priority: 2900
   - request-validation             # priority: 2800
   - openid-connect                 # priority: 2599
+  - authz-casbin                   # priority: 2560
   - wolf-rbac                      # priority: 2555
   - hmac-auth                      # priority: 2530
   - basic-auth                     # priority: 2520

docs/en/latest/config.json

@@ -64,7 +64,8 @@
             "plugins/authz-keycloak",
             "plugins/wolf-rbac",
             "plugins/openid-connect",
-            "plugins/hmac-auth"
+            "plugins/hmac-auth",
+            "plugins/authz-casbin"
           ]
         },
         {

docs/en/latest/install-dependencies.md

@@ -58,7 +58,7 @@ sudo yum install yum-utils
 sudo yum-config-manager --add-repo https://openresty.org/package/centos/openresty.repo
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel unzip pcre pcre-devel
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -81,7 +81,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo yum install -y openresty curl git gcc openresty-openssl111-devel
+sudo yum install -y openresty curl git gcc openresty-openssl111-devel pcre pcre-devel
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -107,7 +107,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc
+sudo apt-get install -y git openresty curl openresty-openssl111-dev make gcc libpcre3 libpcre3-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -138,7 +138,7 @@ tar -xvf etcd-v3.4.13-linux-amd64.tar.gz && \
     sudo cp -a etcd etcdctl /usr/bin/
 
 # install OpenResty and some compilation tools
-sudo apt-get install -y git openresty curl make openresty-openssl111-dev
+sudo apt-get install -y git openresty curl make openresty-openssl111-dev libpcre3 libpcre3-dev
 
 # install LuaRocks
 curl https://raw.githubusercontent.com/apache/apisix/master/utils/linux-install-luarocks.sh -sL | bash -
@@ -151,7 +151,7 @@ nohup etcd &
 
 ```shell
 # install OpenResty, etcd and some compilation tools
-brew install openresty/brew/openresty luarocks lua@5.1 etcd curl git
+brew install openresty/brew/openresty luarocks lua@5.1 etcd curl git pcre
 
 # start etcd server
 brew services start etcd