Auth_check Go plugin not loading

dgcirt · June 19, 2024, 7:30am

Hey Tyk community! I’m developing a Go native plugin that should perform authentication. I’m struggling to understand why it won’t load. I built the plugin with the Tyk compiler (v5.2.2, same as the gateway).

Here is my API config:

{
  "name": "usr-mgmt",
  "api_id": "usr-mgmt",
  "use_openid": false,
  "org_id": "default",
  "openid_options": null,
  "use_keyless": false,
  "use_go_plugin_auth": true,
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "use_extended_paths": true,
        "extended_paths": {
          "ignored": [{
            "path": "/usr-mgmt/health/status"
          }],
          "transform_response_headers": [
            {
              "add_headers": {
                "x-frame-options": "SAMEORIGIN",
                "x-content-security-policy": "default-src 'self';"
              },
              "path": "(.*)",
              "method": "GET"
            }
          ]
        }
      }
    }
  },
  "proxy": {
    "listen_path": "/usr-mgmt",
    "target_url": "${TYK_GW_HUB_USERMNGT_SERVICE_URL}",
    "strip_listen_path": true,
    "transport": {
      "ssl_insecure_skip_verify": false
    }
  },
  "disable_rate_limit": false,
  "disable_quota": false,
  "custom_middleware": {
    "pre": [],
    "auth_check": [
      {
        "name": "AuthenticateDevice",
        "path": "${TYK_GW_MIDDLEWAREPATH}/edge-authorization/mw_edge_authentication.so"
      }
    ],
    "post": [
      {
        "name": "EnhanceWithJwt",
        "path": "${TYK_GW_MIDDLEWAREPATH}/edge-authorization/mw_edge_authorization.so"
      }
    ],
    "post_key_auth": [],
    "response": [],
    "driver": "goplugin"
  },
  "CORS": {
    "enable": false,
    "options_passthrough": true
  }
}

and some logs:

2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg="Initializing API" api_id=usr-mgmt api_name=usr-mgmt org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg="Loading custom POST-PROCESSOR middleware: EnhanceWithJwt" prefix=main
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=VersionCheck org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=RateCheckMW org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=info msg="Checking security policy: Token" api_id=usr-mgmt api_name=usr-mgmt org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=AuthKey org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=KeyExpired org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=AccessRightsCheck org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=GranularAccessMiddleware org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=RateLimitAndQuotaCheck org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw="GoPluginMiddleware: /opt/tyk-gateway/middleware/edge-authorization/mw_edge_authorization_v5.2.2_linux_amd64.so:EnhanceWithJwt" org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=VersionCheck org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=KeyExpired org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=AccessRightsCheck org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg="Rate limit endpoint is: /usr-mgmt/tyk/rate-limits" api_id=usr-mgmt api_name=usr-mgmt org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=debug msg="Setting Listen Path: /usr-mgmt" api_id=usr-mgmt api_name=usr-mgmt org_id=default
2024-06-19 10:29:57 time="Jun 19 07:29:57" level=info msg="API Loaded" api_id=usr-mgmt api_name=usr-mgmt org_id=default prefix=gateway server_name=-- user_id=-- user_ip=--

I tried attaching the AuthenticateDevice mw to the pre- hook too, just to make sure i built it correctly, and I’m seeing this in the logs:

2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg="Initializing API" api_id=usr-mgmt api_name=usr-mgmt org_id=default
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg="Loading custom PRE-PROCESSOR middleware: AuthenticateDevice" prefix=main**
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg="Loading custom POST-PROCESSOR middleware: EnhanceWithJwt" prefix=main**
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=VersionCheck org_id=default**
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=warning msg="plugin file /opt/tyk-gateway/middleware/edge-authorization/mw_edge_authentication_v5.2.2_linux_amd64.so doesn't exist"**
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=warning msg="plugin file /opt/tyk-gateway/middleware/edge-authorization/mw_edge_authentication_5.2.2_linux_amd64.so doesn't exist"**
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=warning msg="plugin file /opt/tyk-gateway/middleware/edge-authorization/mw_edge_authentication.so doesn't exist"**
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=error msg="plugin file not found" error="plugin file not found" mwPath=/opt/tyk-gateway/middleware/edge-authorization/mw_edge_authentication.so mwSymbolName=AuthenticateDevice**
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw="GoPluginMiddleware: /opt/tyk-gateway/middleware/edge-authorization/mw_edge_authentication.so:AuthenticateDevice" org_id=default**
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=RateCheckMW org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=info msg="Checking security policy: Token" api_id=usr-mgmt api_name=usr-mgmt org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=AuthKey org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=KeyExpired org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=AccessRightsCheck org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=GranularAccessMiddleware org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=RateLimitAndQuotaCheck org_id=default
**2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw="GoPluginMiddleware: /opt/tyk-gateway/middleware/edge-authorization/mw_edge_authorization_v5.2.2_linux_amd64.so:EnhanceWithJwt" org_id=default**
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=VersionCheck org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=KeyExpired org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg=Init api_id=usr-mgmt api_name=usr-mgmt mw=AccessRightsCheck org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg="Rate limit endpoint is: /usr-mgmt/tyk/rate-limits" api_id=usr-mgmt api_name=usr-mgmt org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=debug msg="Setting Listen Path: /usr-mgmt" api_id=usr-mgmt api_name=usr-mgmt org_id=default
2024-06-19 10:13:40 time="Jun 19 07:13:40" level=info msg="API Loaded" api_id=usr-mgmt api_name=usr-mgmt org_id=default prefix=gateway server_name=-- user_id=-- user_ip=--

Note: both plugins were built in the same way. I struggle to understand why one of them loads properly and the other one doesn’t.

All in all, I guess the most important question is why doesn’t my authentication plugin load if i hook it to auth_check. I’d appreciate your help with this.

Olu · June 24, 2024, 12:03pm

@dgcirt Hello and welcome to the community.

It seems I can replicate the issue. There appears to be a problem with loading multiple golang plugins for v5.2.2. I have to disable one or the other for it to load and work

Issue might be related to bug fix in v5.2.4 but I haven’t tested with that version to confirm. Will do so later

Fixed a bug when using the build_id argument with the Tyk Plugin Compiler that prevents users from hot-reloading different versions of the same plugin compiled with different build_id. The bug was introduced with the plugin module build change implemented in the upgrade to Go version 1.19 in Tyk 5.1.0

Just to confirm, how are you building the plugin?

Also, did putting authentication in the pre-check work in your case?

dgcirt · June 25, 2024, 7:29am

Hey! Thanks for the answer.

I have solved the issue in the meanwhile. This was stupid, but the structure of the auth_check in the API definition was off. I had some [ ] which were making the plugin config unparseable.

    "auth_check": {
        "name": "AuthenticateDevice",
        "path": "${TYK_GW_MIDDLEWAREPATH}/edge-authentication/mw_edge_authentication.so"
    },
    "post": [
      {
        "name": "EnhanceWithJwt",
        "path": "${TYK_GW_MIDDLEWAREPATH}/edge-authorization/mw_edge_authorization.so"
      }
    ],

Olu · June 27, 2024, 3:32pm

I think I might have just copied yours and pasted it in . Good job spotting it!