This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 14727fc00 feat: use env var instead of plain text for vault token
(#8866)
14727fc00 is described below
commit 14727fc00948b5cc6acf58539cee1080303b9659
Author: Abhishek Choudhary <[email protected]>
AuthorDate: Fri Feb 24 07:05:13 2023 +0530
feat: use env var instead of plain text for vault token (#8866)
---
apisix/secret/vault.lua | 9 +++-
t/plugin/basic-auth.t | 80 +++++++++++++++++++++++++++++++
t/plugin/hmac-auth4.t | 122 ++++++++++++++++++++++++++++++++++++++++++++++++
t/plugin/jwt-auth3.t | 83 ++++++++++++++++++++++++++++++++
t/plugin/key-auth.t | 56 ++++++++++++++++++++++
t/plugin/ldap-auth.t | 83 ++++++++++++++++++++++++++++++++
t/plugin/wolf-rbac.t | 66 ++++++++++++++++++++++++++
t/secret/vault.t | 80 +++++++++++++++++++++++++++++++
8 files changed, 577 insertions(+), 2 deletions(-)
diff --git a/apisix/secret/vault.lua b/apisix/secret/vault.lua
index eb2e6564c..f5dcb7a24 100644
--- a/apisix/secret/vault.lua
+++ b/apisix/secret/vault.lua
@@ -25,7 +25,7 @@ local norm_path = require("pl.path").normpath
local sub = core.string.sub
local rfind_char = core.string.rfind_char
-
+local env = core.env
local schema = {
type = "object",
@@ -53,10 +53,15 @@ local function make_request_to_vault(conf, method, key,
data)
local req_addr = conf.uri .. norm_path("/v1/"
.. conf.prefix .. "/" .. key)
+ local token, _ = env.fetch_by_uri(conf.token)
+ if not token then
+ token = conf.token
+ end
+
local res, err = httpc:request_uri(req_addr, {
method = method,
headers = {
- ["X-Vault-Token"] = conf.token
+ ["X-Vault-Token"] = token
},
body = core.json.encode(data or {}, true)
})
diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t
index 533dda626..4a19cf138 100644
--- a/t/plugin/basic-auth.t
+++ b/t/plugin/basic-auth.t
@@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+BEGIN {
+ $ENV{VAULT_TOKEN} = "root";
+}
+
use t::APISIX 'no_plan';
repeat_each(2);
@@ -540,3 +544,79 @@ GET /echo
Authorization: Basic Zm9vOmJhcg==
--- response_headers
Authorization: Basic Zm9vOmJhcg==
+
+
+
+=== TEST 25: set basic-auth conf with the token in an env var: password uses
secret ref
+--- request
+GET /t
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "$ENV://VAULT_TOKEN"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- change consumer with secrets ref: vault
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "foo",
+ "plugins": {
+ "basic-auth": {
+ "username": "foo",
+ "password": "$secret://vault/test1/foo/passwd"
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- set route
+ code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "basic-auth": {
+ "hide_credentials": false
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/echo"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 26: verify Authorization with foo/bar, request header should not
hidden
+--- request
+GET /echo
+--- more_headers
+Authorization: Basic Zm9vOmJhcg==
+--- response_headers
+Authorization: Basic Zm9vOmJhcg==
diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t
index 2316e07ae..78b89b58c 100644
--- a/t/plugin/hmac-auth4.t
+++ b/t/plugin/hmac-auth4.t
@@ -14,6 +14,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+BEGIN {
+ $ENV{VAULT_TOKEN} = "root";
+}
use t::APISIX 'no_plan';
@@ -166,3 +169,122 @@ location /t {
}
--- response_body
passed
+
+
+
+=== TEST 4: set hmac-auth conf with the token in an env var: secret_key uses
secret ref
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "$ENV://VAULT_TOKEN"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- change consumer with secrets ref: vault
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "hmac-auth": {
+ "access_key": "my-access-key",
+ "secret_key":
"$secret://vault/test1/jack/secret_key"
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- set route
+ code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "hmac-auth": {}
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 5: verify: ok
+--- config
+location /t {
+ content_by_lua_block {
+ local ngx_time = ngx.time
+ local ngx_http_time = ngx.http_time
+ local core = require("apisix.core")
+ local t = require("lib.test_admin")
+ local hmac = require("resty.hmac")
+ local ngx_encode_base64 = ngx.encode_base64
+
+ local secret_key = "my-secret-key"
+ local timestamp = ngx_time()
+ local gmt = ngx_http_time(timestamp)
+ local access_key = "my-access-key"
+ local custom_header_a = "asld$%dfasf"
+ local custom_header_b = "23879fmsldfk"
+
+ local signing_string = {
+ "GET",
+ "/hello",
+ "",
+ access_key,
+ gmt,
+ "x-custom-header-a:" .. custom_header_a,
+ "x-custom-header-b:" .. custom_header_b
+ }
+ signing_string = core.table.concat(signing_string, "\n") .. "\n"
+ core.log.info("signing_string:", signing_string)
+
+ local signature = hmac:new(secret_key,
hmac.ALGOS.SHA256):final(signing_string)
+ core.log.info("signature:", ngx_encode_base64(signature))
+ local headers = {}
+ headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
+ headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
+ headers["Date"] = gmt
+ headers["X-HMAC-ACCESS-KEY"] = access_key
+ headers["X-HMAC-SIGNED-HEADERS"] =
"x-custom-header-a;x-custom-header-b"
+ headers["x-custom-header-a"] = custom_header_a
+ headers["x-custom-header-b"] = custom_header_b
+
+ local code, body = t.test('/hello',
+ ngx.HTTP_GET,
+ "",
+ nil,
+ headers
+ )
+
+ ngx.status = code
+ ngx.say(body)
+ }
+}
+--- response_body
+passed
diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t
index ac4587de0..7daf6cf16 100755
--- a/t/plugin/jwt-auth3.t
+++ b/t/plugin/jwt-auth3.t
@@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+BEGIN {
+ $ENV{VAULT_TOKEN} = "root";
+}
+
use t::APISIX 'no_plan';
repeat_each(1);
@@ -640,3 +644,82 @@ passed
}
--- response_body
hello world
+
+
+
+=== TEST 22: set jwt-auth conf with the token in an env var: secret uses
secret ref
+--- request
+GET /t
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "$ENV://VAULT_TOKEN"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- change consumer with secrets ref: vault
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "jwt-auth": {
+ "key": "user-key",
+ "secret": "$secret://vault/test1/jack/secret"
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- set route
+ code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "jwt-auth": {
+ "header": "jwt-header",
+ "query": "jwt-query",
+ "cookie": "jwt-cookie",
+ "hide_credentials": false
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/echo"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 23: verify (in header) not hiding credentials
+--- request
+GET /echo
+--- more_headers
+jwt-header: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
+--- response_headers
+jwt-header: Bearer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t
index 850a65e18..138f1d647 100644
--- a/t/plugin/key-auth.t
+++ b/t/plugin/key-auth.t
@@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+BEGIN {
+ $ENV{VAULT_TOKEN} = "root";
+}
+
use t::APISIX 'no_plan';
repeat_each(2);
@@ -638,3 +642,55 @@ Success! Data written to: kv/apisix/jack
GET /hello?auth=authtwo
--- response_args
auth: authtwo
+
+
+
+=== TEST 31: set key-auth conf with the token in an env var: key uses secret
ref
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local etcd = require("apisix.core.etcd")
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "$ENV://VAULT_TOKEN"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- change consumer with secrets ref: vault
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "key-auth": {
+ "key": "$secret://vault/test1/jack/key"
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+
+
+
+=== TEST 32: verify auth request
+--- request
+GET /hello?auth=authtwo
+--- response_args
+auth: authtwo
diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t
index b8f3936ef..e16bc0513 100644
--- a/t/plugin/ldap-auth.t
+++ b/t/plugin/ldap-auth.t
@@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+BEGIN {
+ $ENV{VAULT_TOKEN} = "root";
+}
+
use t::APISIX 'no_plan';
repeat_each(2);
@@ -531,3 +535,82 @@ Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ==
hello world
--- error_log
find consumer user01
+
+
+
+=== TEST 24: set ldap-auth conf with the token in an env var: user_dn uses
secret ref
+--- request
+GET /t
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "$ENV://VAULT_TOKEN"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- change consumer with secrets ref: vault
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "user01",
+ "plugins": {
+ "ldap-auth": {
+ "user_dn": "$secret://vault/test1/user01/user_dn"
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ -- set route
+ code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "ldap-auth": {
+ "base_dn": "ou=users,dc=example,dc=org",
+ "ldap_uri": "127.0.0.1:1389",
+ "uid": "cn"
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 25: verify
+--- request
+GET /hello
+--- more_headers
+Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ==
+--- response_body
+hello world
+--- error_log
+find consumer user01
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t
index af3be4524..34c7068ca 100644
--- a/t/plugin/wolf-rbac.t
+++ b/t/plugin/wolf-rbac.t
@@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+BEGIN {
+ $ENV{VAULT_TOKEN} = "root";
+}
+
use t::APISIX 'no_plan';
@@ -619,3 +623,65 @@ Success! Data written to: kv/apisix/wolf_rbac_unit_test
ngx.status = code
}
}
+
+
+
+=== TEST 34: set hmac-auth conf with the token in an env var: appid uses
secret ref
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ -- put secret vault config
+ local code, body = t('/apisix/admin/secrets/vault/test1',
+ ngx.HTTP_PUT,
+ [[{
+ "uri": "http://127.0.0.1:8200";,
+ "prefix" : "kv/apisix",
+ "token" : "$ENV://VAULT_TOKEN"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ return ngx.say(body)
+ end
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "wolf_rbac_unit_test",
+ "plugins": {
+ "wolf-rbac": {
+ "appid":
"$secret://vault/test1/wolf_rbac_unit_test/appid",
+ "server": "http://127.0.0.1:1982";
+ }
+ }
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 35: login successfully
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/plugin/wolf-rbac/login',
+ ngx.HTTP_POST,
+ [[
+ {"appid": "wolf-rbac-app", "username": "admin","password":
"123456"}
+ ]],
+ [[
+
{"rbac_token":"V1#wolf-rbac-app#wolf-rbac-token","user_info":{"nickname":"administrator","username":"admin","id":"100"}}
+ ]],
+ {["Content-Type"] = "application/json"}
+ )
+ ngx.status = code
+ }
+ }
diff --git a/t/secret/vault.t b/t/secret/vault.t
index 2ab74c99a..a31183e37 100644
--- a/t/secret/vault.t
+++ b/t/secret/vault.t
@@ -14,6 +14,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
+BEGIN {
+ $ENV{VAULT_TOKEN} = "root";
+ $ENV{WRONG_VAULT_TOKEN} = "squareroot"
+}
+
use t::APISIX 'no_plan';
repeat_each(1);
@@ -156,3 +161,78 @@ Success! Data written to: kv/apisix/apisix-key/jack
GET /t
--- response_body
value
+
+
+
+=== TEST 7: get value from vault using token in an env var
+--- config
+ location /t {
+ content_by_lua_block {
+ local vault = require("apisix.secret.vault")
+ local conf = {
+ prefix = "kv/apisix",
+ token = "$ENV://VAULT_TOKEN",
+ uri = "http://127.0.0.1:8200";
+ }
+ local value, err = vault.get(conf, "/apisix-key/jack/key")
+ if err then
+ return ngx.say(err)
+ end
+
+ ngx.say("value")
+ }
+ }
+--- request
+GET /t
+--- response_body
+value
+
+
+
+=== TEST 8: get value from vault: token env var wrong/missing
+--- config
+ location /t {
+ content_by_lua_block {
+ local vault = require("apisix.secret.vault")
+ local conf = {
+ prefix = "kv/apisix",
+ token = "$ENV://VALT_TOKEN",
+ uri = "http://127.0.0.1:8200";
+ }
+ local value, err = vault.get(conf, "/apisix-key/jack/key")
+ if err then
+ return ngx.say(err)
+ end
+
+ ngx.print("value")
+ }
+ }
+--- request
+GET /t
+--- response_body_like
+failed to decode result, res: {\"errors\":\[\"permission denied\"\]}\n
+
+
+
+=== TEST 9: get value from vault: token env var contains wrong token
+--- config
+ location /t {
+ content_by_lua_block {
+ local vault = require("apisix.secret.vault")
+ local conf = {
+ prefix = "kv/apisix",
+ token = "$ENV://WRONG_VAULT_TOKEN",
+ uri = "http://127.0.0.1:8200";
+ }
+ local value, err = vault.get(conf, "/apisix-key/jack/key")
+ if err then
+ return ngx.say(err)
+ end
+
+ ngx.print("value")
+ }
+ }
+--- request
+GET /t
+--- response_body_like
+failed to decode result, res: {\"errors\":\[\"permission denied\"\]}\n
