Merge pull request #18 from holaplex/mpw/gateway-hydra-plugin

add hydra plugin

Author: mpwsh

charts/hub-gateway/Chart.yaml

@@ -18,13 +18,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.5.0"
+version: "0.6.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2"
+appVersion: "0.3"
 sources:
   - https://github.com/holaplex/helm-charts
 

charts/hub-gateway/plugins/oauth2.lua

@@ -0,0 +1,131 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("apisix.core.json")
+
+local schema = {
+    type = "object",
+    properties = {
+        host = {
+            type = "string"
+        },
+        ssl_verify = {
+            type = "boolean",
+            default = true
+        },
+        timeout = {
+            type = "integer",
+            minimum = 1,
+            maximum = 60000,
+            default = 3000,
+            description = "timeout in milliseconds"
+        },
+        keepalive = {
+            type = "boolean",
+            default = true
+        },
+        keepalive_timeout = {
+            type = "integer",
+            minimum = 1000,
+            default = 60000
+        },
+        keepalive_pool = {
+            type = "integer",
+            minimum = 1,
+            default = 5
+        },
+        expose_client_id = {
+            type = "boolean",
+            default = false
+        },
+    },
+    required = {"host"}
+}
+
+local _M = {
+    version = 0.1,
+    priority = 3,
+    name = "oauth2",
+    schema = schema
+}
+
+function _M.check_schema(conf)
+    return core.schema.check(schema, conf)
+end
+
+function _M.access(conf, ctx)
+    local api_token = core.request.header(ctx, "Authorization")
+
+    if not api_token then
+        return 401, json.encode({
+          message = "Authorization header not found" 
+        })
+    end
+
+    local params = {
+        method = "POST",
+        body = "token=" .. api_token,
+        headers = {
+            ["Content-Type"] = "application/x-www-form-urlencoded"
+        },
+        keepalive = conf.keepalive,
+        ssl_verify = conf.ssl_verify
+    }
+
+    if conf.keepalive then
+        params.keepalive_timeout = conf.keepalive_timeout
+        params.keepalive_pool = conf.keepalive_pool
+    end
+
+    local endpoint = conf.host .. "/admin/oauth2/introspect"
+
+    local httpc = http.new()
+    httpc:set_timeout(conf.timeout)
+    local res, err = httpc:request_uri(endpoint, params)
+
+    -- block by default when introspection failed
+    if not res then
+        return 401, json.encode({
+              message = err
+            })
+    end
+
+    -- parse the introspection data
+    local data, err = json.decode(res.body)
+    if not data then
+        return 401, err
+    end
+
+    -- block if token is not active
+    if not data.active then
+        return 401, json.encode({
+            message = "Authorization token is not valid anymore. Please get a new one from the Hub web UI"
+        })
+    end
+
+    -- Expose hydra_client_id id on $hydra_client_id variable
+    if conf.expose_client_id then
+        core.request.set_header(ctx, "X-CLIENT-ID", data.client_id)
+        core.response.set_header("X-CLIENT-ID", data.client_id)
+        core.ctx.register_var("hydra_client_id", function(ctx)
+            return data.client_id
+        end)
+    end
+end
+
+return _M

charts/hub-gateway/plugins/kratos.lua renamed to charts/hub-gateway/plugins/session.lua

@@ -27,17 +27,26 @@ spec:
       methods:
       {{- .methods | toYaml | nindent 8 }}
     plugins:
-    {{- with .kratos }}
+    {{- with .session }}
     {{- if .enabled | default false }}
-    - name: kratos
+    - name: session
       enable: true
       config:
-        host: {{ print "http://" $apisixPlugins.kratos.serviceName  "." $namespace ".svc:" $apisixPlugins.kratos.servicePort | quote }}
+        host: {{ print "http://" $apisixPlugins.session.serviceName  "." $namespace ".svc:" $apisixPlugins.session.servicePort | quote }}
         expose_user_data: true
         expose_user_id: true
         session_cookie_name: {{ $sessionCookie }}
     {{- end }}
     {{- end }}
+    {{- with .oauth2 }}
+    {{- if .enabled | default false }}
+    - name: oauth2
+      enable: true
+      config:
+        host: {{ print "http://" $apisixPlugins.oauth2.serviceName  "." $namespace ".svc:" $apisixPlugins.oauth2.servicePort | quote }}
+        expose_client_id: true
+    {{- end }}
+    {{- end }}
     {{- with .sessionRedirect }}
     {{- if .enabled }}
     - name: session-redirect

charts/hub-gateway/templates/apisixroute.yaml

@@ -1,16 +1,17 @@
+{{- $files := .Files }}
+{{- range $key, $val := .Values.apisixPlugins }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: apisix-custom-plugins
+  name: {{ print $key "-plugin" | kebabcase | lower }}
   labels:
     {{- include "hub-gateway.labels" $ | nindent 4 }}
 data:
-  {{- $files := .Files }}
-  {{- range $key, $val := .Values.apisixPlugins }}
     {{- with $val.files}}
       {{- range . }}
         {{ (splitList "/" .) | last | nindent 2}}: |-
         {{ $.Files.Get . | nindent 8 }}
       {{- end }}
     {{- end }} 
-  {{- end }}
+---
+{{- end }}

charts/hub-gateway/templates/configmap.yaml

@@ -14,7 +14,7 @@ routes:
   methods:
     - POST
     - OPTIONS
-  kratos:
+  oauth2:
     enabled: true
   regexUri:
     - "/graphql"
@@ -29,7 +29,7 @@ routes:
   methods:
     - POST
     - OPTIONS
-  kratos:
+  session:
     enabled: true
   regexUri:
     - "/graphql"
@@ -44,7 +44,7 @@ routes:
   methods:
     - POST
     - OPTIONS
-  kratos:
+  session:
     enabled: true
   sessionJson:
     enabled: true
@@ -61,7 +61,7 @@ routes:
     - /browser/organizations/*
   methods:
     - POST
-  kratos:
+  session:
     enabled: true
   sessionRedirect:
     enabled: true
@@ -70,7 +70,7 @@ routes:
   subdomain: hub
   serviceName: hub
   servicePort: 80
-  kratos:
+  session:
     enabled: true
   sessionRedirect:
     enabled: true
@@ -93,7 +93,7 @@ routes:
   subdomain: hub
   serviceName: hub
   servicePort: 80
-  kratos:
+  session:
     enabled: true
   sessionRedirect:
     enabled: true
@@ -124,12 +124,29 @@ routes:
     - /__nextjs_original-stack-frame
     - /api/.ory/*
 
+- name: hub-auth-api
+  serviceName: hydra-public
+  servicePort: 4444
+  subdomain: api
+  paths:
+    - /auth
+  methods:
+    - POST
+  regexUri:
+    - "/auth"
+    - "/oauth2/token"
+
 apisixPlugins:
-  kratos:
+  session:
     serviceName: kratos-public
     servicePort: 80
     files:
-      - plugins/kratos.lua
+      - plugins/session.lua
+  oauth2:
+    serviceName: hydra-admin
+    servicePort: 4445
+    files:
+      - plugins/oauth2.lua
   sessionRedirect:
     files:
       - plugins/session-redirect.lua
@@ -190,9 +207,6 @@ apisix:
       viewer: VduoK1H4ujZB4nus9QEfOjgUjTGkmB
 
   plugins:
-    - kratos
-    - session-redirect
-    - session-json
     - mocking
     - cors
     - redirect
@@ -204,14 +218,28 @@ apisix:
   customPlugins:
     enabled: true
     plugins:
-      - name: "kratos"
+      - name: "session"
         configMap:
-          name: "apisix-custom-plugins"
+          name: "session-plugin"
+          mounts:
+            - key: "session.lua"
+              path: "/opts/custom_plugins/apisix/plugins/session.lua"
+      - name: "oauth2"
+        configMap:
+          name: "oauth2-plugin"
+          mounts:
+            - key: "oauth2.lua"
+              path: "/opts/custom_plugins/apisix/plugins/oauth2.lua"
+      - name: "session-redirect"
+        configMap:
+          name: "session-redirect-plugin"
           mounts:
-            - key: "kratos.lua"
-              path: "/opts/custom_plugins/apisix/plugins/kratos.lua"
             - key: "session-redirect.lua"
               path: "/opts/custom_plugins/apisix/plugins/session-redirect.lua"
+      - name: "session-json"
+        configMap:
+          name: "session-json-plugin"
+          mounts:
             - key: "session-json.lua"
               path: "/opts/custom_plugins/apisix/plugins/session-json.lua"