feat(plugins): add plugins

Author: vm-001

openapi.yml

@@ -1037,6 +1037,58 @@ components:
                 format: jsonschema
                 maxLength: 1048576
 
+    BasicAuthPluginConfiguration:
+      description: "The basic auth plugin configuration"
+      type: object
+      properties:
+        username:
+          type: string
+        password:
+          type: string
+      required:
+        - username
+        - password
+
+    KeyAuthPluginConfiguration:
+      description: ""
+      type: object
+      properties:
+        param_name:
+          type: string
+        param_sources:
+          type: array
+          items:
+            type: string
+            enum: [ "header", "query" ]
+        key:
+          type: string
+      required:
+        - param_name
+        - param_sources
+        - key
+
+    HmacAuthPluginConfiguration:
+      description: "The hmac-auth plugin configuration"
+      type: object
+      properties:
+        hash_method:
+          type: string
+          enum: [ "md5", "sha1", "sha256", "sha512" ]
+          default: "sha256"
+        hash_encoding:
+          type: string
+          enum: [ "hex", "base64", "base64url" ]
+          default: "hex"
+        signature_header:
+          type: string
+        key:
+          type: string
+      required:
+        - hash_method
+        - hash_encoding
+        - signature_header
+        - key
+
     HTTPSourceConfig:
       type: object
       default:

plugins/basic-auth/plugin.go

@@ -0,0 +1,38 @@
+package basic_auth
+
+import (
+	"context"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/webhookx-io/webhookx/db/entities"
+	"github.com/webhookx-io/webhookx/pkg/http/response"
+	"github.com/webhookx-io/webhookx/pkg/plugin"
+)
+
+type Config struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+func (c Config) Schema() *openapi3.Schema {
+	return entities.LookupSchema("BasicAuthPluginConfiguration")
+}
+
+type BasicAuthPlugin struct {
+	plugin.BasePlugin[Config]
+}
+
+func (p *BasicAuthPlugin) Name() string {
+	return "basic-auth"
+}
+
+func (p *BasicAuthPlugin) ExecuteInbound(ctx context.Context, inbound *plugin.Inbound) (result plugin.InboundResult, err error) {
+	username, password, ok := inbound.Request.BasicAuth()
+	if !ok || username != p.Config.Username || password != p.Config.Password {
+		response.JSON(inbound.Response, 401, `{"message":"Unauthorized"}`)
+		result.Terminated = true
+	}
+
+	result.Payload = inbound.RawBody
+	return
+}

plugins/hmac-auth/plugin.go

@@ -0,0 +1,93 @@
+package hmac_auth
+
+import (
+	"context"
+	"crypto/hmac"
+	"crypto/md5"
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"crypto/subtle"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"hash"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/webhookx-io/webhookx/db/entities"
+	"github.com/webhookx-io/webhookx/pkg/http/response"
+	"github.com/webhookx-io/webhookx/pkg/plugin"
+)
+
+var (
+	ErrInvalidHashMethod     = errors.New("invalid hash method")
+	ErrInvalidEncodingMethod = errors.New("invalid encoding method")
+)
+
+var hashMethods = map[string]func() hash.Hash{
+	"md5":    md5.New,
+	"sha1":   sha1.New,
+	"sha256": sha256.New,
+	"sha512": sha512.New,
+}
+
+func Hmac(algorithm string, key string, data string) []byte {
+	fn, ok := hashMethods[algorithm]
+	if !ok {
+		panic(fmt.Errorf("%w: %s", ErrInvalidHashMethod, algorithm))
+	}
+	h := hmac.New(fn, []byte(key))
+	h.Write([]byte(data))
+	return h.Sum(nil)
+}
+
+func encode(encoding string, data []byte) string {
+	switch encoding {
+	case "hex":
+		return hex.EncodeToString(data)
+	case "base64":
+		return base64.StdEncoding.EncodeToString(data)
+	case "base64url":
+		return base64.RawURLEncoding.EncodeToString(data)
+	default:
+		panic(fmt.Errorf("%w: %s", ErrInvalidEncodingMethod, encoding))
+	}
+}
+
+type Config struct {
+	HashMethod      string `json:"hash_method"`
+	HashEncoding    string `json:"hash_encoding"`
+	SignatureHeader string `json:"signature_header"`
+	Key             string `json:"key"`
+}
+
+func (c Config) Schema() *openapi3.Schema {
+	return entities.LookupSchema("HmacAuthPluginConfiguration")
+}
+
+type HmacAuthPlugin struct {
+	plugin.BasePlugin[Config]
+}
+
+func (p *HmacAuthPlugin) Name() string {
+	return "hmac-auth"
+}
+
+func (p *HmacAuthPlugin) ExecuteInbound(ctx context.Context, inbound *plugin.Inbound) (result plugin.InboundResult, err error) {
+	matched := false
+	signature := inbound.Request.Header.Get(p.Config.SignatureHeader)
+	if len(signature) > 0 {
+		bytes := Hmac(p.Config.HashMethod, p.Config.Key, string(inbound.RawBody))
+		expectedSignature := encode(p.Config.HashEncoding, bytes)
+		matched = subtle.ConstantTimeCompare([]byte(signature), []byte(expectedSignature)) == 1
+	}
+
+	if !matched {
+		response.JSON(inbound.Response, 401, `{"message":"Unauthorized"}`)
+		result.Terminated = true
+	}
+	result.Payload = inbound.RawBody
+
+	return
+}

plugins/key-auth/plugin.go

@@ -0,0 +1,62 @@
+package key_auth
+
+import (
+	"context"
+
+	"github.com/getkin/kin-openapi/openapi3"
+	"github.com/webhookx-io/webhookx/db/entities"
+	"github.com/webhookx-io/webhookx/pkg/http/response"
+	"github.com/webhookx-io/webhookx/pkg/plugin"
+)
+
+// apikey-verifier ?
+
+type Config struct {
+	ParamName    string   `json:"param_name" validate:"required"`
+	ParamSources []string `json:"param_sources" validate:"required"`
+	Key          string   `json:"key" validate:"required"`
+}
+
+func (c Config) Schema() *openapi3.Schema {
+	return entities.LookupSchema("KeyAuthPluginConfiguration")
+}
+
+type KeyAuthPlugin struct {
+	plugin.BasePlugin[Config]
+}
+
+func (p *KeyAuthPlugin) Name() string {
+	return "key-auth"
+}
+
+func (p *KeyAuthPlugin) ExecuteInbound(ctx context.Context, inbound *plugin.Inbound) (result plugin.InboundResult, err error) {
+	name := p.Config.ParamName
+	key := p.Config.Key
+	sources := p.Config.ParamSources
+
+	querys := inbound.Request.URL.Query()
+	headers := inbound.Request.Header
+
+	found := false
+	for _, source := range sources {
+		var value string
+		switch source {
+		case "query":
+			value = querys.Get(name)
+		case "header":
+			value = headers.Get(name)
+		}
+		if value == key {
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		response.JSON(inbound.Response, 401, `{"message":"Unauthorized"}`)
+		result.Terminated = true
+	}
+
+	result.Payload = inbound.RawBody
+	return
+}

plugins/plugins.go

@@ -2,8 +2,11 @@ package plugins
 
 import (
 	"github.com/webhookx-io/webhookx/pkg/plugin"
+	basic_auth "github.com/webhookx-io/webhookx/plugins/basic-auth"
 	"github.com/webhookx-io/webhookx/plugins/function"
+	hmac_auth "github.com/webhookx-io/webhookx/plugins/hmac-auth"
 	"github.com/webhookx-io/webhookx/plugins/jsonschema_validator"
+	key_auth "github.com/webhookx-io/webhookx/plugins/key-auth"
 	"github.com/webhookx-io/webhookx/plugins/wasm"
 	"github.com/webhookx-io/webhookx/plugins/webhookx_signature"
 )
@@ -21,4 +24,13 @@ func LoadPlugins() {
 	plugin.RegisterPlugin(plugin.TypeInbound, "jsonschema-validator", func() plugin.Plugin {
 		return &jsonschema_validator.SchemaValidatorPlugin{}
 	})
+	plugin.RegisterPlugin(plugin.TypeInbound, "basic-auth", func() plugin.Plugin {
+		return &basic_auth.BasicAuthPlugin{}
+	})
+	plugin.RegisterPlugin(plugin.TypeInbound, "key-auth", func() plugin.Plugin {
+		return &key_auth.KeyAuthPlugin{}
+	})
+	plugin.RegisterPlugin(plugin.TypeInbound, "hmac-auth", func() plugin.Plugin {
+		return &hmac_auth.HmacAuthPlugin{}
+	})
 }

test/admin/plugins_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/webhookx-io/webhookx/db"
 	"github.com/webhookx-io/webhookx/db/entities"
 	"github.com/webhookx-io/webhookx/pkg/plugin"
+	key_auth "github.com/webhookx-io/webhookx/plugins/key-auth"
 	"github.com/webhookx-io/webhookx/test/fixtures/plugins/hello"
 	"github.com/webhookx-io/webhookx/test/fixtures/plugins/inbound"
 	"github.com/webhookx-io/webhookx/test/fixtures/plugins/outbound"
@@ -213,6 +214,95 @@ var _ = Describe("/plugins", Ordered, func() {
 			})
 		})
 
+		Context("basic-auth plugin", func() {
+			It("return 201", func() {
+				source := factory.SourceP()
+				assert.Nil(GinkgoT(), db.Sources.Insert(context.TODO(), source))
+				resp, err := adminClient.R().
+					SetBody(map[string]interface{}{
+						"name":      "basic-auth",
+						"source_id": source.ID,
+						"config": map[string]string{
+							"username": "foo",
+							"password": "bar",
+						},
+					}).
+					SetResult(entities.Plugin{}).
+					Post("/workspaces/default/plugins")
+
+				assert.Nil(GinkgoT(), err)
+				assert.Equal(GinkgoT(), 201, resp.StatusCode())
+
+				result := resp.Result().(*entities.Plugin)
+				assert.Equal(GinkgoT(), "basic-auth", result.Name)
+				assert.Equal(GinkgoT(), source.ID, *result.SourceId)
+				assert.Equal(GinkgoT(), "foo", result.Config["username"])
+				assert.Equal(GinkgoT(), "bar", result.Config["password"])
+			})
+		})
+
+		Context("key-auth plugin", func() {
+			It("return 201", func() {
+				source := factory.SourceP()
+				assert.Nil(GinkgoT(), db.Sources.Insert(context.TODO(), source))
+				resp, err := adminClient.R().
+					SetBody(map[string]interface{}{
+						"name":      "key-auth",
+						"source_id": source.ID,
+						"config": map[string]interface{}{
+							"param_name":    "apikey",
+							"param_sources": []string{"header", "query"},
+							"key":           "mykey",
+						},
+					}).
+					SetResult(entities.Plugin{}).
+					Post("/workspaces/default/plugins")
+
+				assert.Nil(GinkgoT(), err)
+				assert.Equal(GinkgoT(), 201, resp.StatusCode())
+
+				result := resp.Result().(*entities.Plugin)
+				assert.Equal(GinkgoT(), "key-auth", result.Name)
+				assert.Equal(GinkgoT(), source.ID, *result.SourceId)
+				cfg := key_auth.Config{}
+				utils.MapToStruct(result.Config, &cfg)
+				assert.Equal(GinkgoT(), "apikey", cfg.ParamName)
+				assert.Equal(GinkgoT(), []string{"header", "query"}, cfg.ParamSources)
+				assert.Equal(GinkgoT(), "mykey", cfg.Key)
+			})
+		})
+
+		Context("hmac-auth plugin", func() {
+			It("return 201", func() {
+				source := factory.SourceP()
+				assert.Nil(GinkgoT(), db.Sources.Insert(context.TODO(), source))
+				resp, err := adminClient.R().
+					SetBody(map[string]interface{}{
+						"name":      "hmac-auth",
+						"source_id": source.ID,
+						"config": map[string]interface{}{
+							"hash_method":      "sha256",
+							"hash_encoding":    "base64",
+							"signature_header": "x-signature",
+							"key":              "mykey",
+						},
+					}).
+					SetResult(entities.Plugin{}).
+					Post("/workspaces/default/plugins")
+
+				assert.Nil(GinkgoT(), err)
+				assert.Equal(GinkgoT(), 201, resp.StatusCode())
+
+				result := resp.Result().(*entities.Plugin)
+				assert.Equal(GinkgoT(), "hmac-auth", result.Name)
+				assert.Equal(GinkgoT(), source.ID, *result.SourceId)
+				assert.Equal(GinkgoT(), "sha256", result.Config["hash_method"])
+				assert.Equal(GinkgoT(), "base64", result.Config["hash_encoding"])
+				assert.Equal(GinkgoT(), "x-signature", result.Config["signature_header"])
+				assert.Equal(GinkgoT(), "mykey", result.Config["key"])
+			})
+		})
+
 		Context("errors", func() {
 			It("return HTTP 400", func() {
 				resp, err := adminClient.R().