feat(plugins) set generic X-Credential-Identifier

kong/constants.lua

@@ -75,7 +75,7 @@ return {
     CONSUMER_ID = "X-Consumer-ID",
     CONSUMER_CUSTOM_ID = "X-Consumer-Custom-ID",
     CONSUMER_USERNAME = "X-Consumer-Username",
-    CREDENTIAL_USERNAME = "X-Credential-Username",
+    CREDENTIAL_USERNAME = "X-Credential-Username", -- TODO: deprecated, use CREDENTIAL_IDENTIFIER instead
     CREDENTIAL_IDENTIFIER = "X-Credential-Identifier",
     RATELIMIT_LIMIT = "X-RateLimit-Limit",
     RATELIMIT_REMAINING = "X-RateLimit-Remaining",

kong/plugins/basic-auth/access.lua

@@ -66,6 +66,7 @@ local function retrieve_credentials(header_name, conf)
   return username, password
 end
 
+
 --- Validate a credential in the Authorization header against one fetched from the database.
 -- @param credential The retrieved credential from the username passed in the request
 -- @param given_password The password as given in the Authorization header
@@ -79,6 +80,7 @@ local function validate_credentials(credential, given_password)
   return credential.password == digest
 end
 
+
 local function load_credential_into_memory(username)
   local credential, err = kong.db.basicauth_credentials:select_by_username(username)
   if err then
@@ -87,6 +89,7 @@ local function load_credential_into_memory(username)
   return credential
 end
 
+
 local function load_credential_from_db(username)
   if not username then
     return
@@ -104,7 +107,10 @@ local function load_credential_from_db(username)
   return credential
 end
 
+
 local function set_consumer(consumer, credential)
+  kong.client.authenticate(consumer, credential)
+
   local set_header = kong.service.request.set_header
   local clear_header = kong.service.request.clear_header
 
@@ -126,23 +132,22 @@ local function set_consumer(consumer, credential)
     clear_header(constants.HEADERS.CONSUMER_USERNAME)
   end
 
-  kong.client.authenticate(consumer, credential)
+  if credential and credential.username then
+    set_header(constants.HEADERS.CREDENTIAL_IDENTIFIER, credential.username)
+    set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
+  else
+    clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
+    clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
+  end
 
   if credential then
-    if credential.username then
-      set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
-    else
-      clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
-    end
-
     clear_header(constants.HEADERS.ANONYMOUS)
-
   else
-    clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
     set_header(constants.HEADERS.ANONYMOUS, true)
   end
 end
 
+
 local function do_authentication(conf)
   -- If both headers are missing, return 401
   if not (kong.request.get_header("authorization") or kong.request.get_header("proxy-authorization")) then
@@ -156,18 +161,18 @@ local function do_authentication(conf)
   end
 
   local credential
-  local given_username, given_password = retrieve_credentials("proxy-authorization", conf)
-  if given_username then
-    credential = load_credential_from_db(given_username)
+  local username, password = retrieve_credentials("proxy-authorization", conf)
+  if username then
+    credential = load_credential_from_db(username)
   end
 
   -- Try with the authorization header
   if not credential then
-    given_username, given_password = retrieve_credentials("authorization", conf)
-    credential = load_credential_from_db(given_username)
+    username, password = retrieve_credentials("authorization", conf)
+    credential = load_credential_from_db(username)
   end
 
-  if not credential or not validate_credentials(credential, given_password) then
+  if not credential or not validate_credentials(credential, password) then
     return false, { status = 401, message = "Invalid authentication credentials" }
   end
 
@@ -207,7 +212,7 @@ function _M.execute(conf)
         return kong.response.exit(500, { message = "An unexpected error occurred" })
       end
 
-      set_consumer(consumer, nil)
+      set_consumer(consumer)
 
     else
       return kong.response.exit(err.status, { message = err.message }, err.headers)

kong/plugins/basic-auth/handler.lua

@@ -2,16 +2,15 @@
 local access = require "kong.plugins.basic-auth.access"
 
 
-local BasicAuthHandler = {}
+local BasicAuthHandler = {
+  PRIORITY = 1001,
+  VERSION = "2.2.0",
+}
 
 
 function BasicAuthHandler:access(conf)
   access.execute(conf)
 end
 
 
-BasicAuthHandler.PRIORITY = 1001
-BasicAuthHandler.VERSION = "2.1.0"
-
-
 return BasicAuthHandler

kong/plugins/hmac-auth/access.lua

@@ -236,6 +236,8 @@ end
 
 
 local function set_consumer(consumer, credential)
+  kong.client.authenticate(consumer, credential)
+
   local set_header = kong.service.request.set_header
   local clear_header = kong.service.request.clear_header
 
@@ -257,19 +259,17 @@ local function set_consumer(consumer, credential)
     clear_header(constants.HEADERS.CONSUMER_USERNAME)
   end
 
-  kong.client.authenticate(consumer, credential)
+  if credential and credential.username then
+    set_header(constants.HEADERS.CREDENTIAL_IDENTIFIER, credential.username)
+    set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
+  else
+    clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
+    clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
+  end
 
   if credential then
-    if credential.username then
-      set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
-    else
-      clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
-    end
-
     clear_header(constants.HEADERS.ANONYMOUS)
-
   else
-    clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
     set_header(constants.HEADERS.ANONYMOUS, true)
   end
 end
@@ -373,7 +373,7 @@ function _M.execute(conf)
         return kong.response.exit(500, { message = "An unexpected error occurred" })
       end
 
-      set_consumer(consumer, nil)
+      set_consumer(consumer)
 
     else
       return kong.response.exit(err.status, { message = err.message }, err.headers)

kong/plugins/hmac-auth/handler.lua

@@ -2,16 +2,15 @@
 local access = require "kong.plugins.hmac-auth.access"
 
 
-local HMACAuthHandler = {}
+local HMACAuthHandler = {
+  PRIORITY = 1000,
+  VERSION = "2.2.0",
+}
 
 
 function HMACAuthHandler:access(conf)
   access.execute(conf)
 end
 
 
-HMACAuthHandler.PRIORITY = 1000
-HMACAuthHandler.VERSION = "2.1.0"
-
-
 return HMACAuthHandler

kong/plugins/jwt/handler.lua

@@ -10,11 +10,10 @@ local tostring = tostring
 local re_gmatch = ngx.re.gmatch
 
 
-local JwtHandler = {}
-
-
-JwtHandler.PRIORITY = 1005
-JwtHandler.VERSION = "2.1.0"
+local JwtHandler = {
+  PRIORITY = 1005,
+  VERSION = "2.2.0",
+}
 
 
 --- Retrieve a JWT in a request.
@@ -77,6 +76,8 @@ end
 
 
 local function set_consumer(consumer, credential, token)
+  kong.client.authenticate(consumer, credential)
+
   local set_header = kong.service.request.set_header
   local clear_header = kong.service.request.clear_header
 
@@ -98,24 +99,27 @@ local function set_consumer(consumer, credential, token)
     clear_header(constants.HEADERS.CONSUMER_USERNAME)
   end
 
-  kong.client.authenticate(consumer, credential)
-
-  if credential then
-    kong.ctx.shared.authenticated_jwt_token = token -- TODO: wrap in a PDK function?
-    ngx.ctx.authenticated_jwt_token = token  -- backward compatibility only
+  if credential and credential.key then
+    set_header(constants.HEADERS.CREDENTIAL_IDENTIFIER, credential.key)
+  else
+    clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
+  end
 
-    if credential.key then
-      set_header(constants.HEADERS.CREDENTIAL_IDENTIFIER, credential.key)
-    else
-      clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
-    end
+  clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
 
+  if credential then
     clear_header(constants.HEADERS.ANONYMOUS)
-
   else
-    clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
     set_header(constants.HEADERS.ANONYMOUS, true)
   end
+
+  if token then
+    kong.ctx.shared.authenticated_jwt_token = token -- TODO: wrap in a PDK function?
+    ngx.ctx.authenticated_jwt_token = token  -- backward compatibility only
+  else
+    kong.ctx.shared.authenticated_jwt_token = nil
+    ngx.ctx.authenticated_jwt_token = nil  -- backward compatibility only
+  end
 end
 
 
@@ -170,7 +174,7 @@ local function do_authentication(conf)
 
   -- Verify "alg"
   if jwt.header.alg ~= algorithm then
-    return false, {status = 401, message = "Invalid algorithm"}
+    return false, { status = 401, message = "Invalid algorithm" }
   end
 
   local jwt_secret_value = algorithm ~= nil and algorithm:sub(1, 2) == "HS" and
@@ -251,7 +255,7 @@ function JwtHandler:access(conf)
         return kong.response.exit(500, { message = "An unexpected error occurred" })
       end
 
-      set_consumer(consumer, nil, nil)
+      set_consumer(consumer)
 
     else
       return kong.response.exit(err.status, err.errors or { message = err.message })

kong/plugins/key-auth/handler.lua

@@ -5,14 +5,13 @@ local kong = kong
 local type = type
 
 
-local _realm = 'Key realm="' .. _KONG._NAME .. '"'
-
+local KeyAuthHandler = {
+  PRIORITY = 1003,
+  VERSION = "2.2.0",
+}
 
-local KeyAuthHandler = {}
 
-
-KeyAuthHandler.PRIORITY = 1003
-KeyAuthHandler.VERSION = "2.1.0"
+local _realm = 'Key realm="' .. _KONG._NAME .. '"'
 
 
 local function load_credential(key)
@@ -26,6 +25,8 @@ end
 
 
 local function set_consumer(consumer, credential)
+  kong.client.authenticate(consumer, credential)
+
   local set_header = kong.service.request.set_header
   local clear_header = kong.service.request.clear_header
 
@@ -47,19 +48,17 @@ local function set_consumer(consumer, credential)
     clear_header(constants.HEADERS.CONSUMER_USERNAME)
   end
 
-  kong.client.authenticate(consumer, credential)
+  if credential and credential.id then
+    set_header(constants.HEADERS.CREDENTIAL_IDENTIFIER, credential.id)
+  else
+    clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
+  end
 
-  if credential then
-    if credential.username then
-      set_header(constants.HEADERS.CREDENTIAL_USERNAME, credential.username)
-    else
-      clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
-    end
+  clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
 
+  if credential then
     clear_header(constants.HEADERS.ANONYMOUS)
-
   else
-    clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
     set_header(constants.HEADERS.ANONYMOUS, true)
   end
 end
@@ -194,7 +193,7 @@ function KeyAuthHandler:access(conf)
         return kong.response.exit(500, { message = "An unexpected error occurred" })
       end
 
-      set_consumer(consumer, nil)
+      set_consumer(consumer)
 
     else
       return kong.response.exit(err.status, { message = err.message }, err.headers)