From d9023f5c42ac935685080c604afac89197f997f8 Mon Sep 17 00:00:00 2001 From: soulbird Date: Tue, 3 Jan 2023 16:42:33 +0800 Subject: [PATCH 1/9] feat(secret): add ci and doc for some auth plugins --- docs/en/latest/plugins/basic-auth.md | 2 +- docs/en/latest/plugins/hmac-auth.md | 2 +- docs/en/latest/plugins/key-auth.md | 2 +- docs/en/latest/plugins/wolf-rbac.md | 2 +- docs/zh/latest/plugins/basic-auth.md | 2 +- docs/zh/latest/plugins/hmac-auth.md | 2 +- docs/zh/latest/plugins/key-auth.md | 2 +- docs/zh/latest/plugins/wolf-rbac.md | 2 +- t/plugin/basic-auth.t | 96 ++++++++++++++++++ t/plugin/hmac-auth3.t | 143 +++++++++++++++++++++++++++ t/plugin/wolf-rbac.t | 58 +++++++++++ 11 files changed, 305 insertions(+), 8 deletions(-) diff --git a/docs/en/latest/plugins/basic-auth.md b/docs/en/latest/plugins/basic-auth.md index 8447a4fce5d4..64f3714dbaae 100644 --- a/docs/en/latest/plugins/basic-auth.md +++ b/docs/en/latest/plugins/basic-auth.md @@ -40,7 +40,7 @@ For Consumer: | Name | Type | Required | Description | |----------|--------|----------|------------------------------------------------------------------------------------------------------------------------| | username | string | True | Unique username for a Consumer. If multiple Consumers use the same `username`, a request matching exception is raised. | -| password | string | True | Password of the user. | +| password | string | True | Password of the user. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | NOTE: `encrypt_fields = {"password"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). diff --git a/docs/en/latest/plugins/hmac-auth.md b/docs/en/latest/plugins/hmac-auth.md index 5aaef2eb3247..5fa1489f3072 100644 --- a/docs/en/latest/plugins/hmac-auth.md +++ b/docs/en/latest/plugins/hmac-auth.md 
@@ -38,7 +38,7 @@ This Plugin works with a [Consumer](../terminology/consumer.md) object and a con | Name | Type | Required | Default | Valid values | Description | |-----------------------|---------------|----------|---------------|---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | access_key | string | True | | | Unique key of a Consumer. If different Consumers have the same key, a request matching exception will occur. | -| secret_key | string | True | | | Used in pair with `access_key`. | +| secret_key | string | True | | | Used in pair with `access_key`. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | | algorithm | string | False | "hmac-sha256" | ["hmac-sha1", "hmac-sha256", "hmac-sha512"] | Encryption algorithm used. | | clock_skew | integer | False | 0 | | Clock skew allowed by the signature in seconds. Setting it to `0` will skip checking the date. | | signed_headers | array[string] | False | | | List of headers to be used in the encryption algorithm. If specified, the client request can only contain the specified headers. When unspecified, all the headers are used in the encryption algorithm. | diff --git a/docs/en/latest/plugins/key-auth.md b/docs/en/latest/plugins/key-auth.md index ebac702bbb83..106301ce6bbd 100644 --- a/docs/en/latest/plugins/key-auth.md +++ b/docs/en/latest/plugins/key-auth.md 
@@ -39,7 +39,7 @@ For Consumer: | Name | Type | Requirement | Description | |------|--------|-------------|----------------------------| -| key | string | required | Unique key for a Consumer. | +| key | string | required | Unique key for a Consumer. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | NOTE: `encrypt_fields = {"key"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). diff --git a/docs/en/latest/plugins/wolf-rbac.md b/docs/en/latest/plugins/wolf-rbac.md index f7259f6885cf..b5280fd81779 100644 --- a/docs/en/latest/plugins/wolf-rbac.md +++ b/docs/en/latest/plugins/wolf-rbac.md @@ -36,7 +36,7 @@ The `wolf-rbac` Plugin provides a [role-based access control](https://en.wikiped | Name | Type | Required | Default | Description | |---------------|--------|----------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | server | string | False | "http://127.0.0.1:12180" | Service address of wolf server. | -| appid | string | False | "unset" | App id added in wolf console. | +| appid | string | False | "unset" | App id added in wolf console. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | | header_prefix | string | False | "X-" | Prefix for a custom HTTP header. After authentication is successful, three headers will be added to the request header (for backend) and response header (for frontend) namely: `X-UserId`, `X-Username`, and `X-Nickname`. | ## API diff --git a/docs/zh/latest/plugins/basic-auth.md b/docs/zh/latest/plugins/basic-auth.md index ac8035152c73..e9451475f390 100644 
--- a/docs/zh/latest/plugins/basic-auth.md +++ b/docs/zh/latest/plugins/basic-auth.md @@ -40,7 +40,7 @@ Consumer 端: | 名称 | 类型 | 必选项 | 描述 | | -------- | ------ | -----| ----------------------------------------------------------------------------------------------- | | username | string | 是 | Consumer 的用户名并且该用户名是唯一,如果多个 Consumer 使用了相同的 `username`,将会出现请求匹配异常。| -| password | string | 是 | 用户的密码。 | +| password | string | 是 | 用户的密码。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | 注意:schema 中还定义了 `encrypt_fields = {"password"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 diff --git a/docs/zh/latest/plugins/hmac-auth.md b/docs/zh/latest/plugins/hmac-auth.md index 54c1d04548d4..dfd924f0e33d 100644 --- a/docs/zh/latest/plugins/hmac-auth.md +++ b/docs/zh/latest/plugins/hmac-auth.md @@ -38,7 +38,7 @@ description: 本文介绍了关于 Apache APISIX `hmac-auth` 插件的基本信 | 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 | | ---------------- | ------------- | ------ | ------------- | ------------------------------------------| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | access_key | string | 是 | | | Consumer 的 `access_key` 必须是唯一的。如果不同 Consumer 使用了相同的 `access_key` ,将会出现请求匹配异常。 | -| secret_key | string | 是 | | | 与 `access_key` 配对使用。 | +| secret_key | string | 是 | | | 与 `access_key` 配对使用。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | algorithm | string | 否 | "hmac-sha256" | ["hmac-sha1", "hmac-sha256", "hmac-sha512"] | 可以使用的加密算法。 | | clock_skew | integer | 否 | 0 | | 签名允许的时间偏移(以秒为单位)。比如允许时间偏移 10 秒钟,那么就应设置为 `10`。如果将其设置为 `0`,则表示表示跳过日期检查。 | | signed_headers | array[string] | 否 | | | 要在加密计算中使用的 headers 列表。指定后客户端请求只能在此范围内指定 headers,如果未指定,就会在所有客户端请求指定的 headers 加入加密计算。如: ["User-Agent", "Accept-Language", "x-custom-a"]。 | 
diff --git a/docs/zh/latest/plugins/key-auth.md b/docs/zh/latest/plugins/key-auth.md index 23817fea09c2..17f71e1f1fe5 100644 --- a/docs/zh/latest/plugins/key-auth.md +++ b/docs/zh/latest/plugins/key-auth.md @@ -39,7 +39,7 @@ Consumer 端: | 名称 | 类型 | 必选项 | 描述 | | ---- | ------ | ------ | ------------------------------------------------------------------------------------------------------------- | -| key | string | 是 | 不同的 Consumer 应有不同的 `key`,它应当是唯一的。如果多个 Consumer 使用了相同的 `key`,将会出现请求匹配异常。 | +| key | string | 是 | 不同的 Consumer 应有不同的 `key`,它应当是唯一的。如果多个 Consumer 使用了相同的 `key`,将会出现请求匹配异常。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | 注意:schema 中还定义了 `encrypt_fields = {"key"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 diff --git a/docs/zh/latest/plugins/wolf-rbac.md b/docs/zh/latest/plugins/wolf-rbac.md index 0c9b25137d0f..af82fc7a8a08 100644 --- a/docs/zh/latest/plugins/wolf-rbac.md +++ b/docs/zh/latest/plugins/wolf-rbac.md @@ -36,7 +36,7 @@ description: 本文介绍了关于 Apache APISIX `wolf-rbac` 插件的基本信 | 名称 | 类型 | 必选项 | 默认值 | 描述 | | ------------- | ------ | ------ | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------- | | server | string | 否 | "http://127.0.0.1:12180" | `wolf-server` 的服务地址。 | -| appid | string | 否 | "unset" | 在 `wolf-console` 中已经添加的应用 id。 | +| appid | string | 否 | "unset" | 在 `wolf-console` 中已经添加的应用 id。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | header_prefix | string | 否 | "X-" | 自定义 HTTP 头的前缀。`wolf-rbac` 在鉴权成功后,会在请求头 (用于传给后端) 及响应头 (用于传给前端) 中添加 3 个 header:`X-UserId`, `X-Username`, `X-Nickname`。| ## 接口 diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index 64ae5dd04a37..cfb0917fba6e 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t 
@@ -452,3 +452,99 @@ GET /echo Authorization: Basic Zm9vOmJhcg== --- response_headers Authorization: Basic Zm9vOmJhcg== + + + +=== TEST 22: set basic-auth conf: password uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }]], + [[{ + "value": { + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }, + "key": "/apisix/secrets/vault/test1" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "foo", + "plugins": { + "basic-auth": { + "username": "foo", + "password": "$secret://vault/test1/foo/passwd" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "basic-auth": { + "hide_credentials": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 23: store secret into vault +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/foo passwd=bar +--- response_body +Success! Data written to: kv/apisix/foo + + + +=== TEST 24: verify Authorization with foo/bar, request header should not hidden +--- request +GET /echo +--- more_headers +Authorization: Basic Zm9vOmJhcg== +--- response_headers +Authorization: Basic Zm9vOmJhcg== diff --git a/t/plugin/hmac-auth3.t b/t/plugin/hmac-auth3.t index df41efaa16a5..444e712ac1b1 100644 --- a/t/plugin/hmac-auth3.t +++ b/t/plugin/hmac-auth3.t 
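Review bot: TEST 24 is the only check of the Vault-backed password and it is positive-only, so this hunk never shows that a non-matching password is rejected once `password` is a `$secret://` reference; a regression in which the resolved value is no longer actually compared would pass this suite unchanged. Add a negative block after TEST 24: `=== TEST 25: verify wrong password with secret ref is rejected`, `--- more_headers` / `Authorization: Basic Zm9vOndyb25n` (foo:wrong), `--- error_code: 401`. Also, TEST 22 stores the consumer referencing `foo/passwd` before TEST 23 writes that key to Vault, so the ordering only works if the reference is resolved per request rather than at consumer creation; a one-line comment above TEST 23 stating that dependency would help the next person who reorders these blocks.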
@@ -755,3 +755,146 @@ apisix: --- response_body my-secret-key IRWpPjbDq5BCgHyIllnOMA== + + + +=== TEST 15: set hmac-auth conf: secret_key uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }]], + [[{ + "value": { + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }, + "key": "/apisix/secrets/vault/test1" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "hmac-auth": { + "access_key": "my-access-key", + "secret_key": "$secret://vault/test1/jack/secret_key" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "hmac-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 16: store secret into vault +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret_key=my-secret-key +--- response_body +Success! 
Data written to: kv/apisix/jack + + + +=== TEST 17: verify: ok +--- config +location /t { + content_by_lua_block { + local ngx_time = ngx.time + local ngx_http_time = ngx.http_time + local core = require("apisix.core") + local t = require("lib.test_admin") + local hmac = require("resty.hmac") + local ngx_encode_base64 = ngx.encode_base64 + + local secret_key = "my-secret-key" + local timestamp = ngx_time() + local gmt = ngx_http_time(timestamp) + local access_key = "my-access-key" + local custom_header_a = "asld$%dfasf" + local custom_header_b = "23879fmsldfk" + + local signing_string = { + "GET", + "/hello", + "", + access_key, + gmt, + "x-custom-header-a:" .. custom_header_a, + "x-custom-header-b:" .. custom_header_b + } + signing_string = core.table.concat(signing_string, "\n") .. "\n" + core.log.info("signing_string:", signing_string) + + local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string) + core.log.info("signature:", ngx_encode_base64(signature)) + local headers = {} + headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature) + headers["X-HMAC-ALGORITHM"] = "hmac-sha256" + headers["Date"] = gmt + headers["X-HMAC-ACCESS-KEY"] = access_key + headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b" + headers["x-custom-header-a"] = custom_header_a + headers["x-custom-header-b"] = custom_header_b + + local code, body = t.test('/hello', + ngx.HTTP_GET, + "", + nil, + headers + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index 2780d26b46f3..78ef19aed429 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t 
@@ -546,3 +546,61 @@ qr/ERR_TOKEN_INVALID */ ERR_TOKEN_INVALID ERR_TOKEN_INVALID ERR_TOKEN_INVALID + + + +=== TEST 31: add consumer with username and plugins +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "wolf_rbac_unit_test", + "plugins": { + "wolf-rbac": { + "appid": "$secret://vault/test1/wolf_rbac_unit_test/appid", + "server": "http://127.0.0.1:1982" + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 32: store secret into vault +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/wolf_rbac_unit_test appid=wolf-rbac-app +--- response_body +Success! Data written to: kv/apisix/wolf_rbac_unit_test + + + +=== TEST 33: login successfully +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/plugin/wolf-rbac/login', + ngx.HTTP_POST, + [[ + {"appid": "wolf-rbac-app", "username": "admin","password": "123456"} + ]], + [[ + {"rbac_token":"V1#wolf-rbac-app#wolf-rbac-token","user_info":{"nickname":"administrator","username":"admin","id":"100"}} + ]], + {["Content-Type"] = "application/json"} + ) + ngx.status = code + } + } From 7d62c5735f4a6f337be6e6f002d5eedfbd106d32 Mon Sep 17 00:00:00 2001 From: soulbird Date: Tue, 3 Jan 2023 17:30:33 +0800 Subject: [PATCH 2/9] fix test case --- t/plugin/wolf-rbac.t | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index 78ef19aed429..345e338125d9 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t 
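Review bot: TEST 33 sends `"appid": "wolf-rbac-app"` in the cleartext login body, the very value TEST 31 had the consumer fetch from Vault via `$secret://vault/test1/wolf_rbac_unit_test/appid`, so the secret reference keeps the appid out of etcd but not off the wire, and the companion doc line advertising Secret Manager support for `appid` may lead readers to expect more. A one-line comment above the consumer PUT in TEST 31, `-- appid is a matching identifier the client also sends in clear; the secret ref only keeps it out of etcd`, would set expectations for anyone copying this pattern to a real deployment.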
@@ -554,7 +554,30 @@ ERR_TOKEN_INVALID location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/consumers', + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }]], + [[{ + "value": { + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }, + "key": "/apisix/secrets/vault/test1" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "wolf_rbac_unit_test", From a005f872debc258f969fdfee18258971bb14fd50 Mon Sep 17 00:00:00 2001 From: soulbird Date: Thu, 5 Jan 2023 12:10:49 +0800 Subject: [PATCH 3/9] add more test cases --- docs/en/latest/plugins/jwt-auth.md | 6 +- docs/en/latest/plugins/ldap-auth.md | 2 +- docs/zh/latest/plugins/jwt-auth.md | 6 +- docs/zh/latest/plugins/ldap-auth.md | 2 +- t/plugin/basic-auth.t | 8 -- t/plugin/hmac-auth3.t | 143 ----------------------- t/plugin/hmac-auth4.t | 172 ++++++++++++++++++++++++++++ t/plugin/jwt-auth3.t | 167 +++++++++++++++++++++++++++ t/plugin/key-auth.t | 8 -- t/plugin/ldap-auth.t | 91 +++++++++++++++ t/plugin/wolf-rbac.t | 10 +- 11 files changed, 439 insertions(+), 176 deletions(-) create mode 100644 t/plugin/hmac-auth4.t diff --git a/docs/en/latest/plugins/jwt-auth.md b/docs/en/latest/plugins/jwt-auth.md index 124ae38577d1..f0b65ddcd3a4 100644 --- a/docs/en/latest/plugins/jwt-auth.md +++ b/docs/en/latest/plugins/jwt-auth.md 
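Review bot: The Vault secret-resource fixture PUT to `/apisix/admin/secrets/vault/test1` added here is the fourth verbatim copy in this series (basic-auth.t, hmac-auth4.t, jwt-auth3.t), and the copies already diverge — this one keeps the expected-value second body with `"key": "/apisix/secrets/vault/test1"` that PATCH 3 strips from basic-auth.t. A single helper in the `lib.test_admin` module these tests already require, e.g. `function _M.put_vault_secret(id) return _M.test('/apisix/admin/secrets/vault/' .. id, ngx.HTTP_PUT, [[{"uri":"http://127.0.0.1:8200","prefix":"kv/apisix","token":"root"}]]) end`, would keep the URI, prefix and token from drifting per plugin. The `content_by_lua_block` for TEST 31 continues past the end of this hunk.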
@@ -42,9 +42,9 @@ For Consumer: | Name | Type | Required | Default | Valid values | Description | |---------------|---------|-------------------------------------------------------|---------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | key | string | True | | | Unique key for a Consumer. | -| secret | string | False | | | The encryption key. If unspecified, auto generated in the background. | -| public_key | string | True if `RS256` or `ES256` is set for the `algorithm` attribute. | | | RSA or ECDSA public key. | -| private_key | string | True if `RS256` or `ES256` is set for the `algorithm` attribute. | | | RSA or ECDSA private key. | +| secret | string | False | | | The encryption key. If unspecified, auto generated in the background. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | +| public_key | string | True if `RS256` or `ES256` is set for the `algorithm` attribute. | | | RSA or ECDSA public key. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | +| private_key | string | True if `RS256` or `ES256` is set for the `algorithm` attribute. | | | RSA or ECDSA private key. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | | algorithm | string | False | "HS256" | ["HS256", "HS512", "RS256", "ES256"] | Encryption algorithm. | | exp | integer | False | 86400 | [1,...] | Expiry time of the token in seconds. | | base64_secret | boolean | False | false | | Set to true if the secret is base64 encoded. | diff --git a/docs/en/latest/plugins/ldap-auth.md b/docs/en/latest/plugins/ldap-auth.md index 761c99b705f9..ebc87a494f6e 100644 --- a/docs/en/latest/plugins/ldap-auth.md 
+++ b/docs/en/latest/plugins/ldap-auth.md @@ -41,7 +41,7 @@ For Consumer: | Name | Type | Required | Description | | ------- | ------ | -------- | -------------------------------------------------------------------------------- | -| user_dn | string | True | User dn of the LDAP client. For example, `cn=user01,ou=users,dc=example,dc=org`. | +| user_dn | string | True | User dn of the LDAP client. For example, `cn=user01,ou=users,dc=example,dc=org`. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | For Route: diff --git a/docs/zh/latest/plugins/jwt-auth.md b/docs/zh/latest/plugins/jwt-auth.md index 0f7196c5b8e1..c1f18dbfd7dd 100644 --- a/docs/zh/latest/plugins/jwt-auth.md +++ b/docs/zh/latest/plugins/jwt-auth.md 
@@ -42,9 +42,9 @@ Consumer 端: | 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 | | ------------- | ------- | ----- | ------- | --------------------------- | ------------------------------------------------------------------------------------------------------------ | | key | string | 是 | | | Consumer 的 `access_key` 必须是唯一的。如果不同 Consumer 使用了相同的 `access_key` ,将会出现请求匹配异常。 | -| secret | string | 否 | | | 加密秘钥。如果未指定,后台将会自动生成。 | -| public_key | string | 否 | | | RSA 或 ECDSA 公钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。 | -| private_key | string | 否 | | | RSA 或 ECDSA 私钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。 | +| secret | string | 否 | | | 加密秘钥。如果未指定,后台将会自动生。成。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | +| public_key | string | 否 | | | RSA 或 ECDSA 公钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | +| private_key | string | 否 | | | RSA 或 ECDSA 私钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | algorithm | string | 否 | "HS256" | ["HS256", "HS512", "RS256", "ES256"] | 加密算法。 | | exp | integer | 否 | 86400 | [1,...] | token 的超时时间。 | | base64_secret | boolean | 否 | false | | 当设置为 `true` 时,密钥为 base64 编码。 | diff --git a/docs/zh/latest/plugins/ldap-auth.md b/docs/zh/latest/plugins/ldap-auth.md index 955d10ce6f2d..ee9ef81e42ea 100644 --- a/docs/zh/latest/plugins/ldap-auth.md +++ b/docs/zh/latest/plugins/ldap-auth.md @@ -39,7 +39,7 @@ Consumer 端: | 名称 | 类型 | 必选项 | 描述 | | ------- | ------ | -------- | -------------------------------------------------------------------------------- | -| user_dn | string | 是 | LDAP 客户端的 dn,例如:`cn=user01,ou=users,dc=example,dc=org`。 | +| user_dn | string | 是 | LDAP 客户端的 dn,例如:`cn=user01,ou=users,dc=example,dc=org`。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | Route 端: 
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index cfb0917fba6e..533dda6266b0 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t @@ -469,14 +469,6 @@ GET /t "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", "token" : "root" - }]], - [[{ - "value": { - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "root" - }, - "key": "/apisix/secrets/vault/test1" }]] ) diff --git a/t/plugin/hmac-auth3.t b/t/plugin/hmac-auth3.t index 444e712ac1b1..df41efaa16a5 100644 --- a/t/plugin/hmac-auth3.t +++ b/t/plugin/hmac-auth3.t 
@@ -755,146 +755,3 @@ apisix: --- response_body my-secret-key IRWpPjbDq5BCgHyIllnOMA== - - - -=== TEST 15: set hmac-auth conf: secret_key uses secret ref ---- request -GET /t ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - -- put secret vault config - local code, body = t('/apisix/admin/secrets/vault/test1', - ngx.HTTP_PUT, - [[{ - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "root" - }]], - [[{ - "value": { - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "root" - }, - "key": "/apisix/secrets/vault/test1" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- change consumer with secrets ref: vault - code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "jack", - "plugins": { - "hmac-auth": { - "access_key": "my-access-key", - "secret_key": "$secret://vault/test1/jack/secret_key" - } - } - }]] - ) - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- set route - code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "hmac-auth": {} - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/hello" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed - - - -=== TEST 16: store secret into vault ---- exec -VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret_key=my-secret-key ---- response_body -Success! 
Data written to: kv/apisix/jack - - - -=== TEST 17: verify: ok ---- config -location /t { - content_by_lua_block { - local ngx_time = ngx.time - local ngx_http_time = ngx.http_time - local core = require("apisix.core") - local t = require("lib.test_admin") - local hmac = require("resty.hmac") - local ngx_encode_base64 = ngx.encode_base64 - - local secret_key = "my-secret-key" - local timestamp = ngx_time() - local gmt = ngx_http_time(timestamp) - local access_key = "my-access-key" - local custom_header_a = "asld$%dfasf" - local custom_header_b = "23879fmsldfk" - - local signing_string = { - "GET", - "/hello", - "", - access_key, - gmt, - "x-custom-header-a:" .. custom_header_a, - "x-custom-header-b:" .. custom_header_b - } - signing_string = core.table.concat(signing_string, "\n") .. "\n" - core.log.info("signing_string:", signing_string) - - local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string) - core.log.info("signature:", ngx_encode_base64(signature)) - local headers = {} - headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature) - headers["X-HMAC-ALGORITHM"] = "hmac-sha256" - headers["Date"] = gmt - headers["X-HMAC-ACCESS-KEY"] = access_key - headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b" - headers["x-custom-header-a"] = custom_header_a - headers["x-custom-header-b"] = custom_header_b - - local code, body = t.test('/hello', - ngx.HTTP_GET, - "", - nil, - headers - ) - - ngx.status = code - ngx.say(body) - } -} ---- request -GET /t ---- response_body -passed diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t new file mode 100644 index 000000000000..6b4843b2fba8 --- /dev/null +++ b/t/plugin/hmac-auth4.t 
@@ -0,0 +1,172 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_shuffle(); +no_root_location(); + +add_block_preprocessor(sub { + my ($block) = @_; + + if (!$block->request) { + $block->set_value("request", "GET /t"); + } + + if (!$block->no_error_log && !$block->error_log) { + $block->set_value("no_error_log", "[error]\n[alert]"); + } +}); + +run_tests; + +__DATA__ + +=== TEST 1: set hmac-auth conf: secret_key uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "hmac-auth": { + "access_key": "my-access-key", + "secret_key": "$secret://vault/test1/jack/secret_key" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set 
route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "hmac-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 2: store secret into vault +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret_key=my-secret-key +--- response_body +Success! Data written to: kv/apisix/jack + + + +=== TEST 3: verify: ok +--- config +location /t { + content_by_lua_block { + local ngx_time = ngx.time + local ngx_http_time = ngx.http_time + local core = require("apisix.core") + local t = require("lib.test_admin") + local hmac = require("resty.hmac") + local ngx_encode_base64 = ngx.encode_base64 + + local secret_key = "my-secret-key" + local timestamp = ngx_time() + local gmt = ngx_http_time(timestamp) + local access_key = "my-access-key" + local custom_header_a = "asld$%dfasf" + local custom_header_b = "23879fmsldfk" + + local signing_string = { + "GET", + "/hello", + "", + access_key, + gmt, + "x-custom-header-a:" .. custom_header_a, + "x-custom-header-b:" .. custom_header_b + } + signing_string = core.table.concat(signing_string, "\n") .. 
"\n" + core.log.info("signing_string:", signing_string) + + local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string) + core.log.info("signature:", ngx_encode_base64(signature)) + local headers = {} + headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature) + headers["X-HMAC-ALGORITHM"] = "hmac-sha256" + headers["Date"] = gmt + headers["X-HMAC-ACCESS-KEY"] = access_key + headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b" + headers["x-custom-header-a"] = custom_header_a + headers["x-custom-header-b"] = custom_header_b + + local code, body = t.test('/hello', + ngx.HTTP_GET, + "", + nil, + headers + ) + + ngx.status = code + ngx.say(body) + } +} +--- request +GET /t +--- response_body +passed diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 3e431232f406..099c18426e50 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
@@ -442,3 +442,170 @@ IeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb YvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG -----END RSA PRIVATE KEY----- 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 + + + +=== TEST 16: set jwt-auth conf: secret uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "jwt-auth": { + "key": "user-key", + "secret": "$secret://vault/test1/jack/secret" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 17: store secret into vault +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret=my-secret-key +--- response_body +Success! 
Data written to: kv/apisix/jack + + + +=== TEST 18: verify (in header) not hiding credentials +--- request +GET /echo +--- more_headers +jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_headers +jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs + + + +=== TEST 19: store rsa private key into vault from local filesystem +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack private_key=@t/certs/private.pem +--- response_body +Success! Data written to: kv/apisix/jack + + + +=== TEST 20: store rsa public key into vault from local filesystem +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack public_key=@t/certs/public.pem +--- response_body +Success! Data written to: kv/apisix/jack + + + +=== TEST 21: create consumer for RS256 algorithm with private/public key fetched from vault and public key in consumer schema +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "john", + "plugins": { + "jwt-auth": { + "key": "rsa1", + "algorithm": "RS256", + "public_key": "$secret://vault/test1/jack/public_key", + "private_key": "$secret://vault/test1/jack/private_key", + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 23: sign a jwt with with rsa key pair and access /secure-endpoint +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, err, sign = t('/apisix/plugin/jwt/sign?key=rsa1', + ngx.HTTP_GET + ) + + if code > 200 then + ngx.status = code + ngx.say(err) + return + end + + local code, _, res = t('/secure-endpoint?jwt=' .. 
sign, + ngx.HTTP_GET + ) + if code >= 300 then + ngx.status = code + end + ngx.print(res) + } + } +--- response_body +successfully invoked secure endpoint diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index dd0d70f50113..8f3a120a6c53 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t @@ -592,14 +592,6 @@ GET /t "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", "token" : "root" - }]], - [[{ - "value": { - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "root" - }, - "key": "/apisix/secrets/vault/test1" }]] ) diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t index 1af8291771e4..b8f3936ef411 100644 --- a/t/plugin/ldap-auth.t +++ b/t/plugin/ldap-auth.t 
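Review bot: The title of TEST 21 ("... fetched from vault and public key in consumer schema") does not match its body, which references both `public_key` and `private_key` through `$secret://vault/test1/jack/...` and puts nothing inline; `=== TEST 21: create consumer for RS256 algorithm with private/public key fetched from vault` describes the block. TEST 16–18 and TEST 23 also exercise only the success path: no case shows that a token signed with a different key, or a consumer whose reference points at a Vault path with no `secret` field, is rejected, so a regression where the resolved value is not actually used by the verifier would still pass here; one bad-signature case per algorithm expecting a 401 would pin that. The bearer token in TEST 18 decodes to a fixed `exp` of 1879318541 (mid-2029), so that case will start failing on that date unless the token is regenerated via `/apisix/plugin/jwt/sign` at test time.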
@@ -440,3 +440,94 @@ Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ== hello world --- error_log find consumer user01 + + + +=== TEST 21: set ldap-auth conf: user_dn uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "root" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "user01", + "plugins": { + "ldap-auth": { + "user_dn": "$secret://vault/test1/user01/user_dn" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "ldap-auth": { + "base_dn": "ou=users,dc=example,dc=org", + "ldap_uri": "127.0.0.1:1389", + "uid": "cn" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 22: store secret into vault +--- exec +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/user01 user_dn="cn=user01,ou=users,dc=example,dc=org" +--- response_body +Success! Data written to: kv/apisix/user01 + + + +=== TEST 23: verify +--- request +GET /hello +--- more_headers +Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ== +--- response_body +hello world +--- error_log +find consumer user01 diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index 345e338125d9..af3be4524206 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t 
@@ -549,7 +549,7 @@ ERR_TOKEN_INVALID -=== TEST 31: add consumer with username and plugins +=== TEST 31: set hmac-auth conf: appid uses secret ref --- config location /t { content_by_lua_block { @@ -561,14 +561,6 @@ ERR_TOKEN_INVALID "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", "token" : "root" - }]], - [[{ - "value": { - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "root" - }, - "key": "/apisix/secrets/vault/test1" }]] ) From 83b41416826f15904c7c02a2869ad7c61f1f9cb8 Mon Sep 17 00:00:00 2001 From: soulbird Date: Thu, 5 Jan 2023 12:13:41 +0800 Subject: [PATCH 4/9] fix lint --- t/plugin/jwt-auth3.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 099c18426e50..b06c6a8b2c57 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -583,7 +583,7 @@ passed -=== TEST 23: sign a jwt with with rsa key pair and access /secure-endpoint +=== TEST 22: sign a jwt with with rsa key pair and access /secure-endpoint --- config location /t { content_by_lua_block { From 0f3cb196b2c733ecf8306fdc3cbc886957393014 Mon Sep 17 00:00:00 2001 From: soulbird Date: Thu, 5 Jan 2023 12:58:10 +0800 Subject: [PATCH 5/9] fix test cases --- t/plugin/jwt-auth3.t | 2 +- t/plugin/key-auth.t | 31 +++++++++++-------------------- 2 files changed, 12 insertions(+), 21 deletions(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index b06c6a8b2c57..10d3f1480629 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -566,7 +566,7 @@ Success! Data written to: kv/apisix/jack "key": "rsa1", "algorithm": "RS256", "public_key": "$secret://vault/test1/jack/public_key", - "private_key": "$secret://vault/test1/jack/private_key", + "private_key": "$secret://vault/test1/jack/private_key" } } }]] diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 8f3a120a6c53..850a65e183e9 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t 
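Review bot: The renamed title for TEST 31 names the wrong plugin: this hunk is in `t/plugin/wolf-rbac.t`, and `appid` is a wolf-rbac consumer field, not an hmac-auth one, so `=== TEST 31: set hmac-auth conf: appid uses secret ref` reads as a copy-paste from the hmac-auth test. `=== TEST 31: set wolf-rbac conf: appid uses secret ref` says what the block sets up. The second hunk drops the expected-response argument from the secrets PUT, so that call is now checked only through `code`; the status handling that does so lies outside the hunk and should be confirmed to still run.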
@@ -578,13 +578,12 @@ auth: authone -=== TEST 28: put secret vault config ---- request -GET /t +=== TEST 28: set key-auth conf: key uses secret ref --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test + -- put secret vault config local etcd = require("apisix.core.etcd") local code, body = t('/apisix/admin/secrets/vault/test1', ngx.HTTP_PUT, @@ -595,27 +594,19 @@ GET /t }]] ) - ngx.status = code - ngx.say(body) - } - } ---- response_body -passed - - + if code >= 300 then + ngx.status = code + return ngx.say(body) + end -=== TEST 29: change consumer with secrets ref: vault ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test + -- change consumer with secrets ref: vault local code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "jack", "plugins": { "key-auth": { - "key": "$secret://vault/test1/jack/auth-key" + "key": "$secret://vault/test1/jack/key" } } }]] @@ -634,15 +625,15 @@ passed -=== TEST 30: store secret into vault +=== TEST 29: store secret into vault --- exec -VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack auth-key=authtwo +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack key=authtwo --- response_body Success! Data written to: kv/apisix/jack -=== TEST 31: verify auth request +=== TEST 30: verify auth request --- request GET /hello?auth=authtwo --- response_args From fcfe7fbf51f31e3efc18f8101d73d84868c850af Mon Sep 17 00:00:00 2001 From: soulbird Date: Thu, 5 Jan 2023 14:26:36 +0800 Subject: [PATCH 6/9] fix test cases --- t/plugin/jwt-auth3.t | 50 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 44 insertions(+), 6 deletions(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 10d3f1480629..39d1b11dbe37 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
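Review bot: `local etcd = require("apisix.core.etcd")` in the merged TEST 28 is never referenced in the visible body — the old TEST 28 only issued the secrets PUT and printed `body`, and the merged block adds a consumer PUT that does not use `etcd` either — so the require is dead and can be removed. The rename of the Vault field from `auth-key` to `key` (`"key": "$secret://vault/test1/jack/key"` and `vault kv put kv/apisix/jack key=authtwo`) is not explained; if it was needed because a hyphen in the last segment of a `$secret://` reference does not resolve, that is a limitation worth a sentence in the secret docs and a negative test, and if it was cosmetic a word in the commit message would spare the next reader the same question. The consumer PUT's status handling sits between the two hunks.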
@@ -538,17 +538,17 @@ jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs === TEST 19: store rsa private key into vault from local filesystem --- exec -VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack private_key=@t/certs/private.pem +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 private_key=@t/certs/private.pem --- response_body -Success! Data written to: kv/apisix/jack +Success! Data written to: kv/apisix/rsa1 === TEST 20: store rsa public key into vault from local filesystem --- exec -VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack public_key=@t/certs/public.pem +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 public_key=@t/certs/public.pem --- response_body -Success! Data written to: kv/apisix/jack +Success! Data written to: kv/apisix/rsa1 @@ -557,6 +557,44 @@ Success! Data written to: kv/apisix/jack location /t { content_by_lua_block { local t = require("lib.test_admin").test + -- enable jwt auth plugin using admin api + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:8777": 1 + }, + "type": "roundrobin" + }, + "uri": "/secure-endpoint" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- create public API route (jwt-auth sign) + local code, body = t('/apisix/admin/routes/2', + ngx.HTTP_PUT, + [[{ + "plugins": { + "public-api": {} + }, + "uri": "/apisix/plugin/jwt/sign" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + local code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ 
@@ -565,8 +603,8 @@ Success! Data written to: kv/apisix/jack "jwt-auth": { "key": "rsa1", "algorithm": "RS256", - "public_key": "$secret://vault/test1/jack/public_key", - "private_key": "$secret://vault/test1/jack/private_key" + "public_key": "$secret://vault/test1/rsa1/public_key", + "private_key": "$secret://vault/test1/rsa1/private_key" } } }]] From 69cd49dea8a73a5e4586b834245de786157a227f Mon Sep 17 00:00:00 2001 From: soulbird Date: Thu, 5 Jan 2023 15:28:42 +0800 Subject: [PATCH 7/9] fix test cases --- t/plugin/jwt-auth3.t | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 39d1b11dbe37..f11d50decf12 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -536,23 +536,15 @@ jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs -=== TEST 19: store rsa private key into vault from local filesystem +=== TEST 19: store rsa key pairs and secret into vault from local filesystem --- exec -VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 private_key=@t/certs/private.pem +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 secret=$3nsitiv3-c8d3 public_key=@t/certs/public.pem private_key=@t/certs/private.pem --- response_body Success! Data written to: kv/apisix/rsa1 -=== TEST 20: store rsa public key into vault from local filesystem ---- exec -VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 public_key=@t/certs/public.pem ---- response_body -Success! Data written to: kv/apisix/rsa1 - - - -=== TEST 21: create consumer for RS256 algorithm with private/public key fetched from vault and public key in consumer schema +=== TEST 20: create consumer for RS256 algorithm with private/public key fetched from vault and public key in consumer schema --- config location /t { content_by_lua_block { 
@@ -603,6 +595,7 @@ Success! Data written to: kv/apisix/rsa1 "jwt-auth": { "key": "rsa1", "algorithm": "RS256", + "secret": "$secret://vault/test1/rsa1/secret", "public_key": "$secret://vault/test1/rsa1/public_key", "private_key": "$secret://vault/test1/rsa1/private_key" } @@ -621,7 +614,7 @@ passed -=== TEST 22: sign a jwt with with rsa key pair and access /secure-endpoint +=== TEST 21: sign a jwt with with rsa key pair and access /secure-endpoint --- config location /t { content_by_lua_block { From 43178a7d9aea02d3c6c0f7163970dc6dbb2554d8 Mon Sep 17 00:00:00 2001 From: soulbird Date: Thu, 5 Jan 2023 16:18:07 +0800 Subject: [PATCH 8/9] fix test case --- t/plugin/jwt-auth3.t | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index f11d50decf12..a58455137c17 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -24,6 +24,21 @@ no_shuffle(); add_block_preprocessor(sub { my ($block) = @_; + my $http_config = $block->http_config // <<_EOC_; + + server { + listen 8777; + + location /secure-endpoint { + content_by_lua_block { + ngx.say("successfully invoked secure endpoint") + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); + if ((!defined $block->error_log) && (!defined $block->no_error_log)) { $block->set_value("no_error_log", "[error]"); } From 6b6c35db08b10e871e9e57fdbea4359d80a51054 Mon Sep 17 00:00:00 2001 From: soulbird Date: Fri, 6 Jan 2023 16:12:44 +0800 Subject: [PATCH 9/9] fix comment --- docs/zh/latest/plugins/jwt-auth.md | 2 +- t/plugin/hmac-auth4.t | 4 ---- t/plugin/jwt-auth3.t | 25 +++++-------------------- 3 files changed, 6 insertions(+), 25 deletions(-) diff --git a/docs/zh/latest/plugins/jwt-auth.md b/docs/zh/latest/plugins/jwt-auth.md index c1f18dbfd7dd..c85c610a554d 100644 --- a/docs/zh/latest/plugins/jwt-auth.md +++ b/docs/zh/latest/plugins/jwt-auth.md 
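Review bot: In the consolidated TEST 19 `--- exec` command, `secret=$3nsitiv3-c8d3` is unquoted; `--- exec` is run through a shell, so `$3` expands to an (empty) positional parameter and Vault ends up storing `nsitiv3-c8d3` rather than the intended value. The test still passes only because nothing reads that field back — TEST 21 signs with the RS256 private key — so the fixture is silently wrong; single-quote it: `vault kv put kv/apisix/rsa1 secret='$3nsitiv3-c8d3' public_key=@t/certs/public.pem private_key=@t/certs/private.pem`. For the same reason the `"secret": "$secret://vault/test1/rsa1/secret"` reference added to the RS256 consumer in the next hunk is never exercised; if it is only there to satisfy the schema, say so in the test title, otherwise an HS256 case against that consumer would verify it. Merging the three `kv put` calls into one is presumably needed because each put replaces every field at the path; stating that in the title would stop someone splitting them again.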
@@ -42,7 +42,7 @@ Consumer 端: | 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 | | ------------- | ------- | ----- | ------- | --------------------------- | ------------------------------------------------------------------------------------------------------------ | | key | string | 是 | | | Consumer 的 `access_key` 必须是唯一的。如果不同 Consumer 使用了相同的 `access_key` ,将会出现请求匹配异常。 | -| secret | string | 否 | | | 加密秘钥。如果未指定,后台将会自动生。成。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | +| secret | string | 否 | | | 加密秘钥。如果未指定,后台将会自动生成。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | public_key | string | 否 | | | RSA 或 ECDSA 公钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | private_key | string | 否 | | | RSA 或 ECDSA 私钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | algorithm | string | 否 | "HS256" | ["HS256", "HS512", "RS256", "ES256"] | 加密算法。 | diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t index 6b4843b2fba8..2316e07ae6d2 100644 --- a/t/plugin/hmac-auth4.t +++ b/t/plugin/hmac-auth4.t @@ -39,8 +39,6 @@ run_tests; __DATA__ === TEST 1: set hmac-auth conf: secret_key uses secret ref ---- request -GET /t --- config location /t { content_by_lua_block { @@ -166,7 +164,5 @@ location /t { ngx.say(body) } } ---- request -GET /t --- response_body passed diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index a58455137c17..ac4587de0ed7 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
@@ -24,21 +24,6 @@ no_shuffle(); add_block_preprocessor(sub { my ($block) = @_; - my $http_config = $block->http_config // <<_EOC_; - - server { - listen 8777; - - location /secure-endpoint { - content_by_lua_block { - ngx.say("successfully invoked secure endpoint") - } - } - } -_EOC_ - - $block->set_value("http_config", $http_config); - if ((!defined $block->error_log) && (!defined $block->no_error_log)) { $block->set_value("no_error_log", "[error]"); } @@ -573,11 +558,11 @@ Success! Data written to: kv/apisix/rsa1 }, "upstream": { "nodes": { - "127.0.0.1:8777": 1 + "127.0.0.1:1980": 1 }, "type": "roundrobin" }, - "uri": "/secure-endpoint" + "uri": "/hello" }]] ) @@ -629,7 +614,7 @@ passed -=== TEST 21: sign a jwt with with rsa key pair and access /secure-endpoint +=== TEST 21: sign a jwt with with rsa key pair and access /hello --- config location /t { content_by_lua_block { @@ -644,7 +629,7 @@ passed return end - local code, _, res = t('/secure-endpoint?jwt=' .. sign, + local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) if code >= 300 then @@ -654,4 +639,4 @@ passed } } --- response_body -successfully invoked secure endpoint +hello world
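Review bot: After the retarget to `/hello`, TEST 21 still checks only the positive path — `hello world` for a freshly signed token — and no request to `/hello` without a token, or with a token signed by another key, is shown to be rejected, so the case cannot tell "verified against the Vault-fetched public key" from "jwt-auth not enforcing on route 1". A second request expecting a 401 would pin that. The sign-call check just above this hunk uses `if code > 200 then`, unlike the `if code >= 300 then` used everywhere else in the file; aligning it avoids treating a 2xx-but-not-200 as a failure. The token is passed in the query string (`'/hello?jwt=' .. sign`), which is fine for a test but puts the credential into access logs; the header form is the one the earlier `hide_credentials` cases cover.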