This is an automated email from the ASF dual-hosted git repository.
AlinsRan pushed a change to branch feat/oidc-optional-client-secret
in repository https://gitbox.apache.org/repos/asf/apisix.git
discard a222c3760 feat(openid-connect): make client_secret optional for local
JWT verification modes
add 753914238 feat: add traffic-label plugin (#13342)
add 4d4e0d477 feat: add exit-transformer plugin (#13343)
add 412d31dc7 test(ai-aliyun-content-moderation): remove unused mock LLM
location (#13354)
add ba6035a04 docs(changelog): fix typos, version number, PR reference,
and heading levels in v3.x sections (#13360)
add 503f9eb7b fix: handle missing X-Etcd-Index header gracefully in
config_etcd (#13364)
add 6c988bc9d fix(core/etcd): nil-deref on response without header field
(#13361)
add 5f028f3b7 perf(ctx): cache parsed request body to avoid repeated
decode for post_arg.* (#13356)
add f26baed10 fix(chaitin-waf): use trusted client IP source for WAF
backend (#13339)
add c7b5618e0 feat(proxy-cache): add consumer_isolation and
cache_set_cookie options (#13350)
add 06c15d327 perf(limit-count): use evalsha with NOSCRIPT fallback for
Redis script execution (#13363)
add ef1970a1f fix: replace module-level mutable tables with per-call
allocation (#13369)
add ece5ccacf feat: add data-mask plugin (#13347)
add 173422ce2 docs: fix documentation typos reported by codespell (#13365)
add c205da97c docs(jwt-auth): fix missing TabItem tag in zh docs (#13378)
add c57ee9cac perf(core): cache parsed JSON request body to avoid
redundant decoding (#13377)
add 9f40d6c2a feat: add acl plugin (#13349)
add d3f343d04 feat(ai): support configurable request JSON library (#13386)
add dc7a8d460 feat(cas-auth): sign request URI cookie and tighten cookie
attributes (#13331)
add f06cba56f test: relax version assertions (#13403)
add ed5ca9e8e fix: normalize qjson errors in request json (#13407)
add 81dbc5b75 fix: preserve stream service plugin context (#13402)
add 6dd6a3477 perf(ai): reuse raw request body when unchanged (#13406)
add f434e1bfa chore: use apisix-runtime 1.3.6 (#13412)
add c1fc58f58 perf(ai-proxy): optimize SSE decoder - remove PCRE, add
decode_buf, fix comment lines (#13391)
add cd5f1ed55 feat(proxy-cache): honor Vary header for memory strategy
(#13376)
add e86c4fb21 feat(cas-auth): support configuring an absolute callback URL
(#13413)
add 9166556f5 fix(gcp): report auth_file path instead of file contents in
parse error (#13409)
add cd32b7958 feat: add dingtalk-auth plugin (#13381)
add 8048e7447 fix: remove stale HTTP2 body guard (#13428)
add 35a67f32e feat(plugin): add error-page plugin (#13380)
add 063d8509e ci: use prebuilt apisix runtime (#13432)
add 72c4eaf58 fix(authz-keycloak): copy permissions before appending
http_method_as_scope (#13410)
add 77b328c06 feat(plugin): add graphql-limit-count plugin (#13372)
add 8cdb55217 feat: add feishu-auth plugin (#13382)
add 4f40a4653 fix(ai-proxy-multi): stabilize domain health checks (#13441)
add 503e9f5da fix(authz-casdoor): scope session cookie per Casdoor client
(#13387)
add 5d5613aea feat(hmac-auth): default signed_headers to ["date"] (#13388)
add e7fabc555 chore(deps-dev): bump axios from 1.13.5 to 1.15.2 in /t
(#13341)
add d5f588846 chore(deps-dev): bump axios from 1.15.2 to 1.16.0 in /t
(#13455)
add 30ab165ab docs: add project security threat-model document +
discoverability scaffold (#13457)
add 6fe1cf0fd test: fix standalone content type narrowing (#13459)
add 37c29f8b3 feat: add saml-auth plugin (#13346)
add 8e3e72b39 feat(plugin): add graphql-proxy-cache plugin (#13435)
add 1a3467bdb fix: isolate logger response body buffers (#13450)
add 5f345688b revert: drop configurable request JSON libraries (#13449)
add 52d9d92e4 fix: sort AI proxy upstream request JSON keys (#13461)
add e1053faa7 fix(opa): apply send_headers_upstream for headers absent
from OPA response (#13433)
add 473a18976 fix(security): encrypt missing secret-like plugin fields at
rest (#13389)
add 2c1771d74 docs: update AI plugin order in config example (#13383)
add 94f578a11 fix(cas-auth): harden session and callback handling (#13427)
add 2d3d798be docs: update plugin examples for ingress controller 2.1.0
changes (#13462)
add eb31ea4c7 docs: remove stale admin key default examples (#13448)
add 2330c09ab fix(jwe-decrypt): reject tokens that fail to decrypt (#13404)
add 0048226a4 feat: add proxy-buffering plugin (#13446)
add 6d320c09f fix(cas-auth): return 400 instead of 500 for SLO POST with
empty body (#13471)
add bdb5fa25f feat(openid-connect): make client_secret optional for local
JWT verification modes
This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version. This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:
* -- * -- B -- O -- O -- O (a222c3760)
\
N -- N -- N refs/heads/feat/oidc-optional-client-secret
(bdb5fa25f)
You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.
Any revisions marked "omit" are not gone; other references still
refer to them. Any revisions marked "discard" are gone forever.
No new revisions were added by this update.
Summary of changes:
.github/workflows/build.yml | 4 +-
.github/workflows/cli.yml | 4 +-
.github/workflows/code-lint.yml | 1 -
.github/workflows/gm-cron.yaml.disabled | 4 +-
.github/workflows/gm.yml.disabled | 4 +-
.github/workflows/kubernetes-ci.yml | 3 +-
.github/workflows/source-install.yml | 6 +-
.github/workflows/tars-ci.yml | 3 +-
.ignore_words | 1 +
.requirements | 2 +-
AGENTS.md | 38 +
CHANGELOG.md | 26 +-
Makefile | 2 +
SECURITY.md | 34 +
apisix-master-0.rockspec | 2 +
apisix/api_router.lua | 4 +-
apisix/cli/config.lua | 11 +
apisix/cli/ngx_tpl.lua | 55 +-
apisix/control/router.lua | 7 +-
apisix/core/config_etcd.lua | 18 +-
apisix/core/ctx.lua | 43 +-
apisix/core/etcd.lua | 44 +-
apisix/core/request.lua | 95 +-
apisix/core/resolver.lua | 59 +
apisix/core/response.lua | 104 +-
apisix/init.lua | 21 +-
apisix/patch.lua | 28 +
apisix/plugin.lua | 65 +-
apisix/plugins/acl.lua | 251 ++++
apisix/plugins/ai-aws-content-moderation.lua | 1 +
apisix/plugins/ai-protocols/bedrock-converse.lua | 4 +
apisix/plugins/ai-protocols/openai-chat.lua | 2 +
apisix/plugins/ai-protocols/passthrough.lua | 1 +
apisix/plugins/ai-providers/base.lua | 183 ++-
apisix/plugins/ai-proxy-multi.lua | 201 ++-
apisix/plugins/ai-proxy/base.lua | 5 +-
apisix/plugins/ai-proxy/schema.lua | 20 +
apisix/plugins/ai-request-rewrite.lua | 1 +
apisix/plugins/ai-transport/auth-aws.lua | 7 +-
apisix/plugins/ai-transport/aws-eventstream.lua | 11 +
apisix/plugins/ai-transport/http.lua | 52 +-
apisix/plugins/ai-transport/sse.lua | 194 ++-
apisix/plugins/authz-casdoor.lua | 29 +-
apisix/plugins/authz-keycloak.lua | 3 +
apisix/plugins/azure-functions.lua | 9 +-
apisix/plugins/cas-auth.lua | 313 +++-
apisix/plugins/chaitin-waf.lua | 13 +-
apisix/plugins/data-mask.lua | 316 ++++
apisix/plugins/dingtalk-auth.lua | 298 ++++
apisix/plugins/error-log-logger.lua | 2 +-
apisix/plugins/error-page.lua | 144 ++
apisix/plugins/exit-transformer.lua | 88 ++
apisix/plugins/feishu-auth.lua | 294 ++++
apisix/plugins/google-cloud-logging.lua | 2 +-
apisix/plugins/graphql-limit-count.lua | 205 +++
apisix/plugins/graphql-proxy-cache.lua | 417 ++++++
apisix/plugins/hmac-auth.lua | 14 +-
apisix/plugins/http-logger.lua | 1 +
apisix/plugins/jwe-decrypt.lua | 7 +-
apisix/plugins/kafka-logger.lua | 3 +-
.../limit-count/limit-count-redis-cluster.lua | 8 +-
apisix/plugins/limit-count/limit-count-redis.lua | 8 +-
apisix/plugins/loggly.lua | 1 +
apisix/plugins/opa.lua | 14 +-
apisix/plugins/openfunction.lua | 6 +-
apisix/plugins/openid-connect.lua | 3 +-
.../prometheus.lua => plugins/proxy-buffering.lua} | 23 +-
apisix/plugins/proxy-cache/init.lua | 43 +
apisix/plugins/proxy-cache/memory.lua | 18 +
apisix/plugins/proxy-cache/memory_handler.lua | 266 +++-
apisix/plugins/proxy-cache/util.lua | 7 +-
apisix/plugins/redirect.lua | 7 +-
apisix/plugins/saml-auth.lua | 119 ++
apisix/plugins/splunk-hec-logging.lua | 1 +
apisix/plugins/traffic-label.lua | 222 +++
apisix/secret/gcp.lua | 2 +-
apisix/stream/router/ip_port.lua | 5 +-
apisix/utils/log-util.lua | 5 +-
ci/init-plugin-test-service.sh | 15 +
ci/install-lua-rapidjson.sh | 51 +
ci/linux-install-openresty.sh | 72 +-
...ix_current_luarocks_in_customed_nginx_runner.sh | 2 -
ci/linux_apisix_current_luarocks_runner.sh | 3 +-
ci/linux_openresty_runner.sh | 2 -
ci/linux_openresty_tongsuo_runner.sh | 1 -
ci/pod/docker-compose.plugin.yml | 13 +
ci/pod/keycloak/kcadm_configure_saml.sh | 39 +
ci/redhat-ci.sh | 2 +-
conf/config.yaml.example | 17 +-
docker/debian-dev/Dockerfile | 12 +-
docs/en/latest/FAQ.md | 16 +-
docs/en/latest/admin-api.md | 18 +-
docs/en/latest/certificate.md | 2 +-
docs/en/latest/config.json | 21 +-
docs/en/latest/dashboard.md | 4 +-
docs/en/latest/discovery/kubernetes.md | 2 +-
docs/en/latest/plugins/acl.md | 241 +++
docs/en/latest/plugins/ai-proxy.md | 1 +
docs/en/latest/plugins/authz-casdoor.md | 11 +-
docs/en/latest/plugins/basic-auth.md | 224 ++-
docs/en/latest/plugins/cas-auth.md | 20 +-
docs/en/latest/plugins/chaitin-waf.md | 4 +-
docs/en/latest/plugins/csrf.md | 2 +-
docs/en/latest/plugins/data-mask.md | 308 ++++
docs/en/latest/plugins/dingtalk-auth.md | 206 +++
docs/en/latest/plugins/error-page.md | 171 +++
docs/en/latest/plugins/exit-transformer.md | 142 ++
docs/en/latest/plugins/feishu-auth.md | 128 ++
docs/en/latest/plugins/graphql-limit-count.md | 179 +++
docs/en/latest/plugins/graphql-proxy-cache.md | 232 +++
docs/en/latest/plugins/hmac-auth.md | 90 +-
docs/en/latest/plugins/jwt-auth.md | 402 ++++-
docs/en/latest/plugins/key-auth.md | 221 ++-
docs/en/latest/plugins/limit-count.md | 79 +-
docs/en/latest/plugins/proxy-buffering.md | 109 ++
docs/en/latest/plugins/proxy-cache.md | 6 +
docs/en/latest/plugins/saml-auth.md | 153 ++
docs/en/latest/plugins/traffic-label.md | 158 ++
docs/en/latest/security-threat-model.md | 884 +++++++++++
docs/en/latest/terminology/plugin-config.md | 2 +-
docs/en/latest/tutorials/cache-api-responses.md | 4 +-
docs/en/latest/tutorials/client-to-apisix-mtls.md | 24 +-
docs/en/latest/tutorials/expose-api.md | 17 +-
.../latest/tutorials/monitor-api-health-check.md | 15 +-
.../latest/tutorials/websocket-authentication.md | 13 +-
docs/zh/latest/FAQ.md | 6 +-
docs/zh/latest/admin-api.md | 10 +-
docs/zh/latest/certificate.md | 2 +-
docs/zh/latest/config.json | 16 +-
docs/zh/latest/dashboard.md | 4 +-
docs/zh/latest/plugins/acl.md | 241 +++
docs/zh/latest/plugins/ai-proxy.md | 1 +
docs/zh/latest/plugins/authz-casdoor.md | 12 +-
docs/zh/latest/plugins/basic-auth.md | 224 ++-
docs/zh/latest/plugins/chaitin-waf.md | 4 +-
docs/zh/latest/plugins/csrf.md | 2 +-
docs/zh/latest/plugins/data-mask.md | 309 ++++
docs/zh/latest/plugins/error-page.md | 172 +++
docs/zh/latest/plugins/exit-transformer.md | 142 ++
docs/zh/latest/plugins/feishu-auth.md | 125 ++
docs/zh/latest/plugins/gm.md | 2 +-
docs/zh/latest/plugins/graphql-limit-count.md | 179 +++
docs/zh/latest/plugins/graphql-proxy-cache.md | 232 +++
docs/zh/latest/plugins/hmac-auth.md | 92 +-
docs/zh/latest/plugins/jwt-auth.md | 403 ++++-
docs/zh/latest/plugins/key-auth.md | 221 ++-
docs/zh/latest/plugins/limit-count.md | 77 +-
docs/zh/latest/plugins/proxy-buffering.md | 117 ++
docs/zh/latest/plugins/proxy-cache.md | 6 +
docs/zh/latest/plugins/saml-auth.md | 153 ++
docs/zh/latest/plugins/traffic-label.md | 158 ++
docs/zh/latest/tutorials/cache-api-responses.md | 4 +-
docs/zh/latest/tutorials/client-to-apisix-mtls.md | 14 +-
docs/zh/latest/tutorials/expose-api.md | 17 +-
t/APISIX.pm | 44 +-
t/admin/plugins.t | 9 +
t/admin/routes_request_body.t | 2 +-
t/admin/ssl4.t | 8 +-
t/admin/standalone.spec.ts | 9 +-
t/certs/server.crt | 18 +
t/certs/server.key | 28 +
t/certs/sse_server.crt | 19 +
t/certs/sse_server.key | 28 +
t/chaos/utils/Dockerfile | 2 +-
t/cli/test_proxy_buffering.sh | 94 ++
t/cli/test_sse.py | 84 ++
t/core/config_etcd.t | 48 +
t/core/ctx3.t | 128 ++
t/core/etcd-nil-header.t | 104 ++
t/core/request.t | 52 +
t/lib/keycloak_cas.lua | 4 +
t/lib/keycloak_saml.lua | 469 ++++++
t/node/remote-addr-ipv6.t | 2 +-
t/package.json | 2 +-
t/plugin/acl.t | 1539 ++++++++++++++++++++
t/{node/sanity-radixtree.t => plugin/acl2.t} | 98 +-
t/plugin/ai-aliyun-content-moderation.t | 14 -
t/plugin/ai-proxy-client-disconnect.t | 134 ++
t/plugin/ai-proxy-flush.t | 320 ++++
t/plugin/ai-proxy-multi-domain-healthcheck-repro.t | 244 ++++
t/plugin/ai-proxy-multi-domain-healthcheck.t | 338 +++++
t/plugin/ai-proxy-multi.balancer.t | 26 +-
t/plugin/ai-proxy-multi3.t | 34 +-
t/plugin/ai-proxy-request-body-override.t | 150 +-
t/plugin/ai-transport-http.t | 290 ++++
t/plugin/authz-casdoor.t | 171 +++
t/plugin/authz-keycloak5.t | 138 ++
t/plugin/azure-functions.t | 14 -
t/plugin/cas-auth.t | 657 +++++++++
t/plugin/chaitin-waf.t | 114 ++
t/plugin/data-mask.t | 722 +++++++++
t/plugin/dingtalk-auth.t | 373 +++++
t/plugin/error-log-logger-kafka.t | 69 +
t/plugin/error-page.t | 427 ++++++
t/plugin/exit-transformer.t | 482 ++++++
t/plugin/feishu-auth.t | 678 +++++++++
t/plugin/graphql-limit-count.t | 635 ++++++++
t/plugin/graphql-proxy-cache/disk.t | 233 +++
t/plugin/graphql-proxy-cache/graphql.t | 538 +++++++
t/plugin/graphql-proxy-cache/memory.t | 555 +++++++
t/plugin/hmac-auth.t | 278 +++-
t/plugin/http-logger.t | 75 +
t/plugin/jwe-decrypt.t | 90 +-
t/plugin/kafka-logger3.t | 76 +
t/plugin/limit-count-redis.t | 62 +-
t/plugin/loggly.t | 73 +-
t/plugin/{workflow-without-case.t => opa3.t} | 43 +-
t/plugin/openid-connect2.t | 83 ++
t/plugin/proxy-cache/memory.t | 850 +++++++++++
t/plugin/redirect.t | 2 +-
t/plugin/saml-auth.t | 608 ++++++++
t/plugin/security-warning.t | 10 +-
t/plugin/server-info.t | 4 +-
t/plugin/splunk-hec-logging.t | 70 +
t/plugin/traffic-label.t | 643 ++++++++
t/plugin/traffic-label2.t | 553 +++++++
t/plugin/uri-blocker.t | 4 +-
t/pnpm-lock.yaml | 51 +-
t/router/multi-ssl-certs.t | 2 +-
t/router/radixtree-sni.t | 6 +-
t/router/radixtree-sni3.t | 2 +-
t/secret/conf/invalid.json | 1 +
t/secret/gcp.t | 26 +
t/stream-plugin/syslog.t | 136 +-
utils/install-dependencies.sh | 6 +-
utils/linux-install-luarocks.sh | 1 +
226 files changed, 24945 insertions(+), 777 deletions(-)
create mode 100644 AGENTS.md
create mode 100644 SECURITY.md
create mode 100644 apisix/plugins/acl.lua
create mode 100644 apisix/plugins/data-mask.lua
create mode 100644 apisix/plugins/dingtalk-auth.lua
create mode 100644 apisix/plugins/error-page.lua
create mode 100644 apisix/plugins/exit-transformer.lua
create mode 100644 apisix/plugins/feishu-auth.lua
create mode 100644 apisix/plugins/graphql-limit-count.lua
create mode 100644 apisix/plugins/graphql-proxy-cache.lua
copy apisix/{stream/plugins/prometheus.lua => plugins/proxy-buffering.lua}
(74%)
create mode 100644 apisix/plugins/saml-auth.lua
create mode 100644 apisix/plugins/traffic-label.lua
create mode 100755 ci/install-lua-rapidjson.sh
create mode 100644 ci/pod/keycloak/kcadm_configure_saml.sh
create mode 100644 docs/en/latest/plugins/acl.md
create mode 100644 docs/en/latest/plugins/data-mask.md
create mode 100644 docs/en/latest/plugins/dingtalk-auth.md
create mode 100644 docs/en/latest/plugins/error-page.md
create mode 100644 docs/en/latest/plugins/exit-transformer.md
create mode 100644 docs/en/latest/plugins/feishu-auth.md
create mode 100644 docs/en/latest/plugins/graphql-limit-count.md
create mode 100644 docs/en/latest/plugins/graphql-proxy-cache.md
create mode 100644 docs/en/latest/plugins/proxy-buffering.md
create mode 100644 docs/en/latest/plugins/saml-auth.md
create mode 100644 docs/en/latest/plugins/traffic-label.md
create mode 100644 docs/en/latest/security-threat-model.md
create mode 100644 docs/zh/latest/plugins/acl.md
create mode 100644 docs/zh/latest/plugins/data-mask.md
create mode 100644 docs/zh/latest/plugins/error-page.md
create mode 100644 docs/zh/latest/plugins/exit-transformer.md
create mode 100644 docs/zh/latest/plugins/feishu-auth.md
create mode 100644 docs/zh/latest/plugins/graphql-limit-count.md
create mode 100644 docs/zh/latest/plugins/graphql-proxy-cache.md
create mode 100644 docs/zh/latest/plugins/proxy-buffering.md
create mode 100644 docs/zh/latest/plugins/saml-auth.md
create mode 100644 docs/zh/latest/plugins/traffic-label.md
create mode 100644 t/certs/server.crt
create mode 100644 t/certs/server.key
create mode 100644 t/certs/sse_server.crt
create mode 100644 t/certs/sse_server.key
create mode 100755 t/cli/test_proxy_buffering.sh
create mode 100644 t/cli/test_sse.py
create mode 100644 t/core/etcd-nil-header.t
create mode 100644 t/lib/keycloak_saml.lua
create mode 100644 t/plugin/acl.t
copy t/{node/sanity-radixtree.t => plugin/acl2.t} (61%)
create mode 100644 t/plugin/ai-proxy-flush.t
create mode 100644 t/plugin/ai-proxy-multi-domain-healthcheck-repro.t
create mode 100644 t/plugin/ai-proxy-multi-domain-healthcheck.t
create mode 100644 t/plugin/ai-transport-http.t
create mode 100644 t/plugin/authz-keycloak5.t
create mode 100644 t/plugin/data-mask.t
create mode 100644 t/plugin/dingtalk-auth.t
create mode 100644 t/plugin/error-page.t
create mode 100644 t/plugin/exit-transformer.t
create mode 100644 t/plugin/feishu-auth.t
create mode 100644 t/plugin/graphql-limit-count.t
create mode 100644 t/plugin/graphql-proxy-cache/disk.t
create mode 100644 t/plugin/graphql-proxy-cache/graphql.t
create mode 100644 t/plugin/graphql-proxy-cache/memory.t
copy t/plugin/{workflow-without-case.t => opa3.t} (66%)
create mode 100644 t/plugin/saml-auth.t
create mode 100644 t/plugin/traffic-label.t
create mode 100644 t/plugin/traffic-label2.t
create mode 100644 t/secret/conf/invalid.json
