Merging to release-5.3: [TT-12741] Looped ap is wrongfully inherit th…

…e caller's authentication key when using url rewrite (#6778) (#6793) ### **User description** [TT-12741] Looped ap is wrongfully inherit the caller's authentication key when using url rewrite (#6778) ### **User description** <details open> <summary><a href="https://tyktech.atlassian.net/browse/TT-12741" title="TT-12741" target="_blank">TT-12741</a></summary> <br /> <table> <tr> <th>Summary</th> <td>Looped APIs wrongfully inherit the caller's Authentication key when using URL rewrite</td> </tr> <tr> <th>Type</th> <td> <img alt="Bug" src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium" /> Bug </td> </tr> <tr> <th>Status</th> <td>In Dev</td> </tr> <tr> <th>Points</th> <td>N/A</td> </tr> <tr> <th>Labels</th> <td><a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20'24Bugsmash%20ORDER%20BY%20created%20DESC" title="'24Bugsmash">'24Bugsmash</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20customer_bug%20ORDER%20BY%20created%20DESC" title="customer_bug">customer_bug</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20jira_escalated%20ORDER%20BY%20created%20DESC" title="jira_escalated">jira_escalated</a></td> </tr> </table> </details>  --- PR to see CI/CD result, please don't merge it. ___ ### **PR Type** Bug fix, Tests ___ ### **Description** - Introduced a new context constant `SelfLooping` and methods `ctxSetSelfLooping` and `ctxSelfLooping` to manage self-looping state in requests. - Updated `ctxCheckLimits` to bypass rate limits and quotas for self-looping requests. - Modified API loader to set self-looping state for self-referencing requests. - Enhanced the test `TestQuotaNotAppliedWithURLRewrite` to include scenarios for self-looping and URL rewrite, ensuring proper behavior. ___ ### **Changes walkthrough** 📝 <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table> <tr> <td> <details> <summary><strong>ctx.go</strong><dd><code>Add support for managing self-looping state in context</code>      </dd></summary> <hr> ctx/ctx.go <li>Added a new constant <code>SelfLooping</code> to the context.<br> <li> Introduced new methods <code>ctxSetSelfLooping</code> and <code>ctxSelfLooping</code> for <br>managing self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-600f5f552779994b15324fda108549eec7e7be30b1d8a1a16ee8344243e0cbc7">+1/-0</a>      </td> </tr> </table></td></tr><tr><td><strong>Bug fix</strong></td><td><table> <tr> <td> <details> <summary><strong>api.go</strong><dd><code>Update rate limit and quota checks for self-looping requests</code></dd></summary> <hr> gateway/api.go <li>Modified <code>ctxCheckLimits</code> to skip rate limits and quotas for <br>self-looping requests.<br> <li> Added logic to check and set self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-644cda3aeb4ac7f325359e85fcddb810f100dd5e6fa480b0d9f9363a743c4e05">+20/-1</a>    </td> </tr> <tr> <td> <details> <summary><strong>api_loader.go</strong><dd><code>Set self-looping state for self-referencing requests</code>          </dd></summary> <hr> gateway/api_loader.go - Added logic to set self-looping state when the hostname is "self". </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68">+1/-0</a>      </td> </tr> </table></td></tr><tr><td><strong>Tests</strong></td><td><table> <tr> <td> <details> <summary><strong>middleware_test.go</strong><dd><code>Enhance tests to cover self-looping and URL rewrite scenarios</code></dd></summary> <hr> gateway/middleware_test.go <li>Updated <code>TestQuotaNotAppliedWithURLRewrite</code> to include extended paths <br>and self-looping scenarios.<br> <li> Added a loader to create a merged API spec for testing.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-6a09a08e3f82cc5e9d8c6b5c8426d75ea1e5d85e15ab008fca1f512e7c49c1e6">+7/-1</a>      </td> </tr> </table></td></tr></tr></tbody></table> ___ > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull request to receive relevant information --------- Co-authored-by: Tit Petric <[email protected]> Co-authored-by: Tit Petric <[email protected]> [TT-12741]: https://tyktech.atlassian.net/browse/TT-12741?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ ___ ### **PR Type** Bug fix, Tests ___ ### **Description** - Introduced a new context constant `SelfLooping` and methods `ctxSetSelfLooping` and `ctxSelfLooping` to manage self-looping state in requests. - Updated `ctxCheckLimits` to bypass rate limits and quotas for self-looping requests. - Modified API loader to set self-looping state for self-referencing requests. - Enhanced tests to validate self-looping behavior, including scenarios with authentication tokens and URL rewrites. - Added utilities and unit tests for managing and checking self-looping state in requests. ___ ### **Changes walkthrough** 📝 <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table> <tr> <td> <details> <summary><strong>ctx.go</strong><dd><code>Add support for managing self-looping state in context</code>      </dd></summary> <hr> ctx/ctx.go <li>Added a new constant <code>SelfLooping</code> to the context.<br> <li> Introduced methods <code>ctxSetSelfLooping</code> and <code>ctxSelfLooping</code> for managing <br>self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-600f5f552779994b15324fda108549eec7e7be30b1d8a1a16ee8344243e0cbc7">+1/-0</a>      </td> </tr> <tr> <td> <details> <summary><strong>looping.go</strong><dd><code>Add utilities for managing self-looping state in requests</code></dd></summary> <hr> internal/httpctx/looping.go <li>Introduced <code>SetSelfLooping</code> and <code>IsSelfLooping</code> methods to manage and <br>check self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-bee59f2b12fc6b5ab219a4f90ef17e4f32c0e0a0015a48cea1400345f3381f5f">+19/-0</a>    </td> </tr> </table></td></tr><tr><td><strong>Bug fix</strong></td><td><table> <tr> <td> <details> <summary><strong>api.go</strong><dd><code>Update rate limit and quota checks for self-looping requests</code></dd></summary> <hr> gateway/api.go <li>Updated <code>ctxCheckLimits</code> to bypass rate limits and quotas for <br>self-looping requests.<br> <li> Integrated logic to check and set self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-644cda3aeb4ac7f325359e85fcddb810f100dd5e6fa480b0d9f9363a743c4e05">+7/-0</a>      </td> </tr> <tr> <td> <details> <summary><strong>api_loader.go</strong><dd><code>Set self-looping state for self-referencing requests</code>          </dd></summary> <hr> gateway/api_loader.go - Added logic to set self-looping state when the hostname is "self". </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68">+2/-0</a>      </td> </tr> <tr> <td> <details> <summary><strong>mw_auth_key.go</strong><dd><code>Skip auth key checks for self-looping requests</code>                      </dd></summary> <hr> gateway/mw_auth_key.go <li>Updated logic to skip authentication key checks for self-looping <br>requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-aeba053023a54c723dd9f83837e29ca0b2d9a212bc98fa6ad4bbb062669a1cf0">+6/-7</a>      </td> </tr> </table></td></tr><tr><td><strong>Tests</strong></td><td><table> <tr> <td> <details> <summary><strong>looping_test.go</strong><dd><code>Add test for self-looping with authentication tokens</code>          </dd></summary> <hr> gateway/looping_test.go <li>Added a new test <code>TestLooping_AnotherAPIWithAuthTokens</code> to validate <br>self-looping behavior with authentication tokens.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-c901365bf00575b31a45f2536c63cbc0c3c31350ce6919214a3647dab90596aa">+95/-0</a>    </td> </tr> <tr> <td> <details> <summary><strong>middleware_test.go</strong><dd><code>Enhance tests to cover self-looping and URL rewrite scenarios</code></dd></summary> <hr> gateway/middleware_test.go <li>Enhanced <code>TestQuotaNotAppliedWithURLRewrite</code> to include extended paths <br>and self-looping scenarios.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-6a09a08e3f82cc5e9d8c6b5c8426d75ea1e5d85e15ab008fca1f512e7c49c1e6">+2/-1</a>      </td> </tr> <tr> <td> <details> <summary><strong>looping_test.go</strong><dd><code>Add tests for self-looping state management utilities</code>        </dd></summary> <hr> internal/httpctx/looping_test.go - Added unit tests for `SetSelfLooping` and `IsSelfLooping` methods. </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-80a9999142896e55eb4ba14795930cec1baae48c016351a4f3d48292787e05b6">+19/-0</a>    </td> </tr> </table></td></tr></tr></tbody></table> ___ > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull request to receive relevant information --------- Co-authored-by: Burak Sezer <[email protected]>
TykTechnologies · Dec 19, 2024 · 3680034 · 3680034
1 parent 023aa16
commit 3680034
Show file tree

Hide file tree

Showing 11 changed files with 243 additions and 8 deletions.
diff --git a/ctx/ctx.go b/ctx/ctx.go
@@ -50,6 +50,7 @@ const (
 	// CacheOptions holds cache options required for cache writer middleware.
 	CacheOptions
 	OASDefinition
+	SelfLooping
 )
 
 func setContext(r *http.Request, ctx context.Context) {

diff --git a/docs/diagrams/middleware-looping.png b/docs/diagrams/middleware-looping.png
diff --git a/gateway/api.go b/gateway/api.go
@@ -43,6 +43,8 @@ import (
 	"sync"
 	"time"
 
+	"github.com/TykTechnologies/tyk/internal/httpctx"
+
 	"github.com/getkin/kin-openapi/openapi3"
 
 	"github.com/TykTechnologies/tyk/config"
@@ -3218,6 +3220,11 @@ func ctxSetCheckLoopLimits(r *http.Request, b bool) {
 
 // Should we check Rate limits and Quotas?
 func ctxCheckLimits(r *http.Request) bool {
+	// If this is a self loop, do not need to check the limits and quotas.
+	if httpctx.IsSelfLooping(r) {
+		return false
+	}
+
 	// If looping disabled, allow all
 	if !ctxLoopingEnabled(r) {
 		return true

diff --git a/gateway/api_loader.go b/gateway/api_loader.go
@@ -27,6 +27,7 @@ import (
 	"github.com/TykTechnologies/tyk/storage"
 	"github.com/TykTechnologies/tyk/trace"
 
+	"github.com/TykTechnologies/tyk/internal/httpctx"
 	"github.com/TykTechnologies/tyk/internal/httputil"
 	"github.com/TykTechnologies/tyk/internal/otel"
 )
@@ -589,6 +590,7 @@ func (d *DummyProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 		var handler http.Handler
 		if r.URL.Hostname() == "self" {
+			httpctx.SetSelfLooping(r, true)
 			if h, found := d.Gw.apisHandlesByID.Load(d.SH.Spec.APIID); found {
 				if chain, ok := h.(*ChainObject); ok {
 					handler = chain.ThisHandler

diff --git a/gateway/looping_test.go b/gateway/looping_test.go
@@ -6,6 +6,7 @@ package gateway
 
 import (
 	"encoding/json"
+	"net/http"
 	"sync"
 	"testing"
 
@@ -324,7 +325,101 @@ func TestLooping(t *testing.T) {
 			{Path: "/external/", Code: 200},
 		}...)
 	})
+}
+
+func TestLooping_AnotherAPIWithAuthTokens(t *testing.T) {
+	ts := StartTest(nil)
+	defer ts.Close()
+
+	// Looping to another api with auth tokens
+	specs := ts.Gw.BuildAndLoadAPI(func(spec *APISpec) {
+		spec.APIDefinition.APIID = "apia"
+		spec.APIDefinition.Name = "ApiA"
+		spec.APIDefinition.Proxy.ListenPath = "/apia"
+		spec.APIDefinition.UseKeylessAccess = false
+		spec.APIDefinition.AuthConfigs = map[string]apidef.AuthConfig{
+			"authToken": {
+				AuthHeaderName: "Authorization",
+			},
+		}
+
+		UpdateAPIVersion(spec, "v1", func(v *apidef.VersionInfo) {
+			v.UseExtendedPaths = true
+			v.ExtendedPaths.URLRewrite = []apidef.URLRewriteMeta{{
+				Path:         "/",
+				Method:       http.MethodGet,
+				MatchPattern: ".*",
+				RewriteTo:    "tyk://apib",
+			}}
+		})
+	}, func(spec *APISpec) {
+		spec.APIDefinition.APIID = "apib"
+		spec.APIDefinition.Name = "ApiB"
+		spec.APIDefinition.Proxy.ListenPath = "/apib"
+		spec.APIDefinition.UseKeylessAccess = false
+		spec.APIDefinition.AuthConfigs = map[string]apidef.AuthConfig{
+			"authToken": {
+				AuthHeaderName: "X-Api-Key",
+			},
+		}
+	})
+	specApiA := specs[0]
+	specApiB := specs[1]
+
+	_, authKeyForApiA := ts.CreateSession(func(s *user.SessionState) {
+		s.AccessRights = map[string]user.AccessDefinition{
+			specApiA.APIDefinition.APIID: {
+				APIName:        specApiA.APIDefinition.Name,
+				APIID:          specApiA.APIDefinition.APIID,
+				Versions:       []string{"default"},
+				AllowanceScope: specApiA.APIDefinition.APIID,
+			},
+		}
+		s.OrgID = specApiA.APIDefinition.OrgID
+	})
 
+	_, authKeyForApiB := ts.CreateSession(func(s *user.SessionState) {
+		s.AccessRights = map[string]user.AccessDefinition{
+			specApiB.APIDefinition.APIID: {
+				APIName:        specApiB.APIDefinition.Name,
+				APIID:          specApiB.APIDefinition.APIID,
+				Versions:       []string{"default"},
+				AllowanceScope: specApiB.APIDefinition.APIID,
+			},
+		}
+		s.OrgID = specApiB.APIDefinition.OrgID
+	})
+
+	headersWithApiBToken := map[string]string{
+		"Authorization": authKeyForApiA,
+		"X-Api-Key":     authKeyForApiB,
+	}
+	headersWithoutApiBToken := map[string]string{
+		"Authorization": authKeyForApiA,
+		"X-Api-Key":     "some-string",
+	}
+	headersWithOnlyApiAToken := map[string]string{
+		"Authorization": authKeyForApiA,
+	}
+	_, _ = ts.Run(t, []test.TestCase{
+		{
+			Headers: headersWithApiBToken,
+			Path:    "/apia",
+			Code:    http.StatusOK,
+		},
+		{
+			Headers:   headersWithoutApiBToken,
+			Path:      "/apia",
+			Code:      http.StatusForbidden,
+			BodyMatch: "Access to this API has been disallowed",
+		},
+		{
+			Headers:   headersWithOnlyApiAToken,
+			Path:      "/apia",
+			Code:      http.StatusUnauthorized,
+			BodyMatch: "Authorization field missing",
+		},
+	}...)
 }
 
 func TestConcurrencyReloads(t *testing.T) {

diff --git a/gateway/middleware_test.go b/gateway/middleware_test.go
@@ -354,7 +354,8 @@ func TestQuotaNotAppliedWithURLRewrite(t *testing.T) {
 	spec := ts.Gw.BuildAndLoadAPI(func(spec *APISpec) {
 		spec.Proxy.ListenPath = "/quota-test"
 		spec.UseKeylessAccess = false
-		UpdateAPIVersion(spec, "Default", func(v *apidef.VersionInfo) {
+		UpdateAPIVersion(spec, "v1", func(v *apidef.VersionInfo) {
+			v.UseExtendedPaths = true
 			v.ExtendedPaths.URLRewrite = []apidef.URLRewriteMeta{{
 				Path:         "/abc",
 				Method:       http.MethodGet,

diff --git a/gateway/mw_auth_key.go b/gateway/mw_auth_key.go
@@ -6,16 +6,15 @@ import (
 	"strings"
 	"time"
 
-	"github.com/TykTechnologies/tyk/internal/crypto"
-	"github.com/TykTechnologies/tyk/internal/otel"
-	"github.com/TykTechnologies/tyk/storage"
-
-	"github.com/TykTechnologies/tyk/user"
-
 	"github.com/TykTechnologies/tyk/apidef"
 	"github.com/TykTechnologies/tyk/config"
+	"github.com/TykTechnologies/tyk/internal/crypto"
+	"github.com/TykTechnologies/tyk/internal/httpctx"
+	"github.com/TykTechnologies/tyk/internal/otel"
 	"github.com/TykTechnologies/tyk/request"
 	signaturevalidator "github.com/TykTechnologies/tyk/signature_validator"
+	"github.com/TykTechnologies/tyk/storage"
+	"github.com/TykTechnologies/tyk/user"
 )
 
 const (
@@ -95,7 +94,7 @@ func (k *AuthKey) ProcessRequest(_ http.ResponseWriter, r *http.Request, _ inter
 	}
 
 	// skip auth key check if the request is looped.
-	if ses := ctxGetSession(r); ses != nil && !ctxCheckLimits(r) {
+	if ses := ctxGetSession(r); ses != nil && httpctx.IsSelfLooping(r) {
 		return nil, http.StatusOK
 	}
 

diff --git a/internal/httpctx/context.go b/internal/httpctx/context.go
@@ -0,0 +1,28 @@
+package httpctx
+
+import (
+	"context"
+	"net/http"
+)
+
+type Value[T any] struct {
+	Key any
+}
+
+func NewValue[T any](key any) *Value[T] {
+	return &Value[T]{Key: key}
+}
+
+func (v *Value[T]) Get(r *http.Request) (res T) {
+	if val := r.Context().Value(v.Key); val != nil {
+		res, _ = val.(T)
+	}
+	return
+}
+
+func (v *Value[T]) Set(r *http.Request, val T) *http.Request {
+	ctx := context.WithValue(r.Context(), v.Key, val)
+	h := r.WithContext(ctx)
+	*r = *h
+	return h
+}
diff --git a/internal/httpctx/context_test.go b/internal/httpctx/context_test.go
@@ -0,0 +1,64 @@
+package httpctx_test
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/TykTechnologies/tyk/internal/httpctx"
+)
+
+func TestValue_SetAndGet(t *testing.T) {
+	// Define a key and instantiate a new Value with type map[string]any
+	key := "testKey"
+	value := httpctx.NewValue[map[string]any](key)
+
+	// Prepare a map to store in context
+	expectedData := map[string]any{
+		"userID":   123,
+		"userRole": "admin",
+	}
+
+	// Create a new HTTP request using httptest
+	req := httptest.NewRequest("GET", "/", nil)
+
+	// Set the value in the request's context
+	req = value.Set(req, expectedData)
+
+	// Retrieve the value from the context
+	retrievedData := value.Get(req)
+	assert.Equal(t, expectedData, retrievedData, "Retrieved data does not match expected data")
+}
+
+func TestValue_GetWithMissingKey(t *testing.T) {
+	// Define a key and instantiate a new Value with type map[string]any
+	key := "missingKey"
+	value := httpctx.NewValue[map[string]any](key)
+
+	// Create a new HTTP request using httptest
+	req := httptest.NewRequest("GET", "/", nil)
+
+	// Try to retrieve the value from the context
+	retrievedData := value.Get(req)
+
+	// Expect not to find any data
+	assert.Nil(t, retrievedData, "Expected retrieved data to be nil for a missing key")
+}
+
+func TestValue_SetDifferentTypes(t *testing.T) {
+	// Test using a different type for Value, e.g., int
+	intKey := "intKey"
+	intValue := httpctx.NewValue[int](intKey)
+
+	// Create a new HTTP request using httptest
+	req := httptest.NewRequest("GET", "/", nil)
+
+	// Set an int value in the context
+	expectedInt := 42
+	req = intValue.Set(req, expectedInt)
+
+	// Retrieve the int value from the context
+	retrievedInt := intValue.Get(req)
+	assert.Equal(t, expectedInt, retrievedInt, "Retrieved int value does not match expected value")
+}
diff --git a/internal/httpctx/looping.go b/internal/httpctx/looping.go
@@ -0,0 +1,19 @@
+package httpctx
+
+import (
+	"net/http"
+
+	"github.com/TykTechnologies/tyk/ctx"
+)
+
+var selfLoopingValue = NewValue[bool](ctx.SelfLooping)
+
+// SetSelfLooping updates the request context with a boolean value indicating whether the request is in a self-looping state.
+func SetSelfLooping(r *http.Request, value bool) {
+	selfLoopingValue.Set(r, value)
+}
+
+// IsSelfLooping returns true if the request is flagged as self-looping, indicating it originates and targets the same service.
+func IsSelfLooping(r *http.Request) bool {
+	return selfLoopingValue.Get(r)
+}
diff --git a/internal/httpctx/looping_test.go b/internal/httpctx/looping_test.go
@@ -0,0 +1,19 @@
+package httpctx_test
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/TykTechnologies/tyk/internal/httpctx"
+)
+
+func TestSetSelfLooping(t *testing.T) {
+	req := httptest.NewRequest("GET", "/", nil)
+	assert.False(t, httpctx.IsSelfLooping(req))
+	httpctx.SetSelfLooping(req, true)
+	assert.True(t, httpctx.IsSelfLooping(req))
+	httpctx.SetSelfLooping(req, false)
+	assert.False(t, httpctx.IsSelfLooping(req))
+}