feat: allow degradation (#9345)

Author: shreemaan-abhishek

Diff for: apisix/plugins/forward-auth.lua

@@ -23,6 +23,7 @@ local schema = {
     type = "object",
     properties = {
         uri = {type = "string"},
+        allow_degradation = {type = "boolean", default = false},
         ssl_verify = {
             type = "boolean",
             default = true,
@@ -118,9 +119,9 @@ function _M.access(conf, ctx)
     httpc:set_timeout(conf.timeout)
 
     local res, err = httpc:request_uri(conf.uri, params)
-
-    -- block by default when authorization service is unavailable
-    if not res then
+    if not res and conf.allow_degradation then
+        return
+    elseif not res then
         core.log.error("failed to process forward auth, err: ", err)
         return 403
     end

Diff for: docs/en/latest/plugins/forward-auth.md

@@ -47,7 +47,9 @@ This Plugin moves the authentication and authorization logic to a dedicated exte
 | timeout           | integer       | False    | 3000ms  | [1, 60000]ms   | Timeout for the authorization service HTTP call.                                                                                                           |
 | keepalive         | boolean       | False    | true    |                | When set to `true`, keeps the connection alive for multiple requests.                                                                                      |
 | keepalive_timeout | integer       | False    | 60000ms | [1000, ...]ms  | Idle time after which the connection is closed.                                                                                                            |
-| keepalive_pool    | integer       | False    | 5       | [1, ...]ms     | Connection pool limit.                                                                                                                                     |
+| keepalive_pool    | integer       | False    | 5       | [1, ...]ms     | Connection pool limit.                                                                                                                           |
+| allow_degradation | boolean       | False    | false   |                | When set to `true`, allows authentication to be skipped when authentication server is unavailable. |
+
 
 ## Data definition
 

Diff for: docs/zh/latest/plugins/forward-auth.md

@@ -47,6 +47,7 @@ description: 本文介绍了关于 Apache APISIX `forward-auth` 插件的基本
 | keepalive         | boolean       | 否    | true    | [true, false]  | HTTP 长连接。                                                                                                         |
 | keepalive_timeout | integer       | 否    | 60000ms | [1000, ...]ms  | 长连接超时时间。                                                                                                      |
 | keepalive_pool    | integer       | 否    | 5       | [1, ...]ms     | 长连接池大小。                                                                                                        |
+| allow_degradation | boolean       | 否    | false   |                | 当设置为 `true` 时，允许在身份验证服务器不可用时跳过身份验证。 |
 
 ## 数据定义
 

Diff for: t/plugin/forward-auth.t

@@ -206,6 +206,55 @@ property "request_method" validation failed: matches none of the enum values
                         "uri": "/ping"
                     }]],
                 },
+                {
+                    url = "/apisix/admin/routes/4",
+                    data = [[{
+                        "plugins": {
+                            "serverless-pre-function": {
+                                "phase": "rewrite",
+                                "functions" : ["return function() require(\"apisix.core\").response.exit(444); end"]
+                            }
+                        },
+                        "upstream_id": "u1",
+                        "uri": "/crashed-auth"
+                    }]],
+                },
+                {
+                    url = "/apisix/admin/routes/5",
+                    data = [[{
+                        "plugins": {
+                            "forward-auth": {
+                                "uri": "http://127.0.0.1:1984/crashed-auth",
+                                "request_headers": ["Authorization"],
+                                "upstream_headers": ["X-User-ID"],
+                                "client_headers": ["Location"]
+                            }
+                        },
+                        "upstream_id": "u1",
+                        "uri": "/nodegr"
+                    }]],
+                },
+                {
+                    url = "/apisix/admin/routes/6",
+                    data = [[{
+                        "uri": "/get",
+                        "plugins": {
+                            "forward-auth": {
+                                "uri": "http://127.0.0.1:1984/crashed-auth",
+                                "request_headers": ["Authorization"],
+                                "upstream_headers": ["X-User-ID"],
+                                "client_headers": ["Location"],
+                                "allow_degradation": true
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "httpbin.org:80": 1
+                            },
+                            "type": "roundrobin"
+                        }
+                    }]],
+                }
             }
 
             local t = require("lib.test_admin").test
@@ -217,7 +266,7 @@ property "request_method" validation failed: matches none of the enum values
         }
     }
 --- response_body eval
-"201passed\n" x 6
+"201passed\n" x 9
 
 
 
@@ -305,3 +354,23 @@ POST /ping
 --- error_code: 403
 --- response_headers
 Location: http://example.com/auth
+
+
+
+=== TEST 11: hit route (unavailable auth server, expect failure)
+--- request
+GET /nodegr
+--- more_headers
+Authorization: 111
+--- error_code: 403
+--- error_log
+failed to process forward auth, err: closed
+
+
+
+=== TEST 12: hit route (unavailable auth server, allow degradation)
+--- request
+GET /get
+--- more_headers
+Authorization: 111
+--- error_code: 200