spacewander commented on code in PR #8601:
URL: https://github.com/apache/apisix/pull/8601#discussion_r1063195906
##########
docs/zh/latest/plugins/jwt-auth.md:
##########
@@ -42,9 +42,9 @@ Consumer 端:
| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述
|
| ------------- | ------- | ----- | ------- | --------------------------- |
------------------------------------------------------------------------------------------------------------
|
| key | string | 是 | | |
Consumer 的 `access_key` 必须是唯一的。如果不同 Consumer 使用了相同的 `access_key` ,将会出现请求匹配异常。 |
-| secret | string | 否 | | |
加密秘钥。如果未指定,后台将会自动生成。
|
-| public_key | string | 否 | | | RSA
或 ECDSA 公钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。
|
-| private_key | string | 否 | | | RSA
或 ECDSA 私钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。
|
+| secret | string | 否 | | |
加密秘钥。如果未指定,后台将会自动生。成。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在
Secret Manager 中。 |
Review Comment:
Typo
##########
t/plugin/hmac-auth4.t:
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_shuffle();
+no_root_location();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!$block->request) {
+ $block->set_value("request", "GET /t");
+ }
+
+ if (!$block->no_error_log && !$block->error_log) {
+ $block->set_value("no_error_log", "[error]\n[alert]");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: set hmac-auth conf: secret_key uses secret ref
+--- request
+GET /t
Review Comment:
We already specified it at the top?
##########
t/plugin/hmac-auth4.t:
##########
@@ -0,0 +1,172 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_shuffle();
+no_root_location();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!$block->request) {
+ $block->set_value("request", "GET /t");
+ }
+
+ if (!$block->no_error_log && !$block->error_log) {
+ $block->set_value("no_error_log", "[error]\n[alert]");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: set hmac-auth conf: secret_key uses secret ref
+--- request
+GET /t
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "root"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+
+ -- change consumer with secrets ref: vault
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key":
"$secret://vault/test1/jack/secret_key"
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+
+ -- set route
+ code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "hmac-auth": {}
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 2: store secret into vault
+--- exec
+VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put
kv/apisix/jack secret_key=my-secret-key
+--- response_body
+Success! Data written to: kv/apisix/jack
+
+
+
+=== TEST 3: verify: ok
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local ngx_http_time = ngx.http_time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local gmt = ngx_http_time(timestamp)
+ local access_key = "my-access-key"
+ local custom_header_a = "asld$%dfasf"
+ local custom_header_b = "23879fmsldfk"
+
+ local signing_string = {
+ "GET",
+ "/hello",
+ "",
+ access_key,
+ gmt,
+ "x-custom-header-a:" .. custom_header_a,
+ "x-custom-header-b:" .. custom_header_b
+ }
+ signing_string = core.table.concat(signing_string, "\n") .. "\n"
+ core.log.info("signing_string:", signing_string)
+
+ local signature = hmac:new(secret_key,
hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["Date"] = gmt
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+ headers["X-HMAC-SIGNED-HEADERS"] =
"x-custom-header-a;x-custom-header-b"
+ headers["x-custom-header-a"] = custom_header_a
+ headers["x-custom-header-b"] = custom_header_b
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- request
+GET /t
Review Comment:
Ditto
##########
t/plugin/jwt-auth3.t:
##########
@@ -442,3 +457,201 @@
IeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb
YvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG
-----END RSA PRIVATE KEY-----
HrMHUvE9Esvn7GnZ+vAynaIg/8wlB3r0zm0htmnwofYPZeBpLnpW3iN9UtQG4ZIBYRZih6EBuRK8W3Kychw/SgjIFuzVeTFowBCUfd1wZ4Q+frUOLZ0Xmkh8j3yHUprnh+d9PA8EHCEapdkWY3psJj6rTgrREzjDEVf/TV3EjjfgG16ih5/c3TChApLXwfEwfBp5APSf7kzMccCRbA4bXvMDsQSQAwVsRD8cjJkSdHTvuzfg1g8xoCy4I05DsMM8CybJAd+BDZnJxhrGIQaItu5/0XQJy+uy/niOpzYYN+NDX+8fl65VUxdUtqXF82ChRlmGP3+zKN7epufAsL/36pHOnS73Q7WBKRxyyA16BEBk0wK7rI+KemBfG5YFXjcBnPkxYssSudqhmlcr6e5Tl0LhVj/BIj94fVE3/EJ+NO3BJMrlhjorilrQKAsiCWujWSqAK7gtAp3YEO//yOygh/p8gh22NdIV0ykGAx4QNKINUgdgh+g8DdykNGLGStH8TPUs8GmzV7nxvw/0cbiocLps6uk0VjjVUqUAvOdwpbiRwv6effPUB6cxW3G6QllBbTP8I+eoFIRfYd6cFJPpX1AtISfNZw459WarwZmHrZGOQU4iKlyl2yLcKY634Fx5JykUY5YP+MYYDHbIcD2gxA==
+
+
+
+=== TEST 16: set jwt-auth conf: secret uses secret ref
+--- request
+GET /t
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "root"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+
+ -- change consumer with secrets ref: vault
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "jwt-auth": {
+ "key": "user-key",
+ "secret": "$secret://vault/test1/jack/secret"
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+
+ -- set route
+ code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "jwt-auth": {
+ "header": "jwt-header",
+ "query": "jwt-query",
+ "cookie": "jwt-cookie",
+ "hide_credentials": false
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/echo"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 17: store secret into vault
+--- exec
+VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put
kv/apisix/jack secret=my-secret-key
+--- response_body
+Success! Data written to: kv/apisix/jack
+
+
+
+=== TEST 18: verify (in header) not hiding credentials
+--- request
+GET /echo
+--- more_headers
+jwt-header: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
+--- response_headers
+jwt-header: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
+
+
+
+=== TEST 19: store rsa key pairs and secret into vault from local filesystem
+--- exec
+VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put
kv/apisix/rsa1 secret=$3nsitiv3-c8d3 public_key=@t/certs/public.pem
private_key=@t/certs/private.pem
+--- response_body
+Success! Data written to: kv/apisix/rsa1
+
+
+
+=== TEST 20: create consumer for RS256 algorithm with private/public key
fetched from vault and public key in consumer schema
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- enable jwt auth plugin using admin api
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "jwt-auth": {}
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:8777": 1
Review Comment:
Why don't we use the regular 1980 and /hello?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
