refactor(plugins/ldap-auth): optimize the process of parsing and handling

authentication headers

1. use the `ngx.re.find` and `ngx.re.match` functions for more robust and
efficient string matching operations.
2. adds error handling and logging for potential errors during authentication
header parsing and credential decoding.
3. tweak the handling position for the case where `proxy_authorization_value`
does not exist.

Fix: [FTI-5329](https://konghq.atlassian.net/browse/FTI-5329)
Signed-off-by: sabertobihwy <[email protected]>

Author: sabertobihwy

kong/plugins/ldap-auth/access.lua

@@ -6,10 +6,10 @@ local kong = kong
 local error = error
 local decode_base64 = ngx.decode_base64
 local tostring =  tostring
-local match = string.match
+local re_find = ngx.re.find
+local re_match = ngx.re.match
 local lower = string.lower
 local upper = string.upper
-local find = string.find
 local sub = string.sub
 local fmt = string.format
 local tcp = ngx.socket.tcp
@@ -24,15 +24,37 @@ local _M = {}
 
 
 local function retrieve_credentials(authorization_header_value, conf)
+  local lower_header_type = lower(conf.header_type)
+  local regex = "^\\s*" .. lower_header_type .. "\\s+"
+  local from, to, err = re_find(lower(authorization_header_value), regex, "jo")
+  if err then
+    kong.log.err("error while find header_type: ", lower_header_type, " in authorization header value")
+    return nil
+  end
+
+  if not from then
+    kong.log.info("header_type: ", lower_header_type, " not found in authorization header value")
+    return nil
+  end
+
   local username, password
-  if authorization_header_value then
-    local s, e = find(lower(authorization_header_value), "^%s*" ..
-                      lower(conf.header_type) .. "%s+")
-    if s == 1 then
-      local cred = sub(authorization_header_value, e + 1)
-      local decoded_cred = decode_base64(cred)
-      username, password = match(decoded_cred, "(.-):(.+)")
+  if from == 1 then
+    local cred = sub(authorization_header_value, to + 1)
+    local decoded_cred = decode_base64(cred)
+    local m, err = re_match(decoded_cred, "^(.*?):(.+)$", "jo")
+    if err then
+      kong.log.err("error while decoding credentials: ", err)
+      return nil
     end
+
+    if m and type(m) == "table" and (m[1] and m[2]) then
+      username = m[1]
+      password = m[2]
+    else
+      kong.log.err("no valid credentials found in authorization header value")
+      return nil
+    end
+
   end
 
   return username, password
@@ -231,8 +253,12 @@ local function do_authentication(conf)
     }
   end
 
-  local is_authorized, credential = authenticate(conf, proxy_authorization_value)
-  if not is_authorized then
+  local is_authorized, credential
+  if proxy_authorization_value then
+    is_authorized, credential = authenticate(conf, proxy_authorization_value)
+  end
+
+  if not is_authorized and authorization_value then
     is_authorized, credential = authenticate(conf, authorization_value)
   end