spacewander commented on a change in pull request #5745: URL: https://github.com/apache/apisix/pull/5745#discussion_r766469765
########## File path: t/plugin/jwt-auth-vault.t ########## 
@@ -0,0 +1,369 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +use t::APISIX 'no_plan'; + +repeat_each(1); +no_long_string(); +no_root_location(); +no_shuffle(); + +add_block_preprocessor(sub { + my ($block) = @_; + + my $http_config = $block->http_config // <<_EOC_; + + server { + listen 8777; + + location /secure-endpoint { + content_by_lua_block { + ngx.say("successfully invoked secure endpoint") + } + } + } +_EOC_ + + $block->set_value("http_config", $http_config); + + if (!$block->request) { + $block->set_value("request", "GET /t"); + } + if (!$block->no_error_log && !$block->error_log) { + $block->set_value("no_error_log", "[error]\n[alert]"); + } +}); + +run_tests; + +__DATA__ + +=== TEST 1: schema - if public and private key are not provided for RS256 +--- config + location /t { + content_by_lua_block { + local plugin = require("apisix.plugins.jwt-auth") + local core = require("apisix.core") + local conf = { + key = "key-1", + algorithm = "RS256" + } + + local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER) Review comment: We can use a table-driven test for check_schema. 
You can take this as an example: https://github.com/apache/apisix/blob/c178435d7ada4eeb713d9a1688fb5f54f971abdf/t/plugin/gzip.t#L494 ########## File path: docs/en/latest/plugins/jwt-auth.md ########## @@ -51,6 +55,9 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio | algorithm | string | optional | "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | | exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds | | base64_secret | boolean | optional | false | | whether secret is base64 encoded | +| vault | dictionary | optional | | | whether vault to be used for secret (secret for HS256/HS512 or public_key and private_key for RS256) storage and retrieval. The plugin by default uses the vault path as `kv/apisix/jwt-auth/keys/<jwt-auth.key>` for secret retrieval. | Review comment: ```suggestion | vault | object | optional | | | whether vault to be used for secret (secret for HS256/HS512 or public_key and private_key for RS256) storage and retrieval. The plugin by default uses the vault path as `kv/apisix/jwt-auth/keys/<jwt-auth.key>` for secret retrieval. | ``` ########## File path: apisix/plugins/jwt-auth.lua ########## @@ -28,7 +29,7 @@ local ngx_time = ngx.time local sub_str = string.sub local plugin_name = "jwt-auth" local pcall = pcall - +local jwt_vault_prefix = "jwt-auth/keys/" Review comment: What about changing it to `consumer/<username>/jwt-auth/`? I have thought about it several times. Although it requires changing several places in this PR, the new format is more extendable and easier to recognize. People will remember the username better than the key. ########## File path: docs/en/latest/plugins/jwt-auth.md ########## 
@@ -51,6 +55,9 @@ For more information on JWT, refer to [JWT](https://jwt.io/) for more informatio | algorithm | string | optional | "HS256" | ["HS256", "HS512", "RS256"] | encryption algorithm. | | exp | integer | optional | 86400 | [1,...] | token's expire time, in seconds | | base64_secret | boolean | optional | false | | whether secret is base64 encoded | +| vault | dictionary | optional | | | whether vault to be used for secret (secret for HS256/HS512 or public_key and private_key for RS256) storage and retrieval. The plugin by default uses the vault path as `kv/apisix/jwt-auth/keys/<jwt-auth.key>` for secret retrieval. | + +**Note**: To enable vault integration, first visit the [config-default.yaml](https://github.com/apache/apisix/blob/master/conf/config-default.yaml) and update the yaml vault attributes with your vault server configuration. Review comment: The `config-default.yaml` is used as an example; people should set their vault configuration in the `config.yaml`. ########## File path: conf/config-default.yaml ########## @@ -281,6 +281,17 @@ etcd: # the default value is true, e.g. the certificate will be verified strictly. #sni: # the SNI for etcd TLS requests. If missed, the host part of the URL will be used. +# storage backend for sensitive data storage and retrieval +vault: Review comment: Let's comment out this section; we do not need to require vault by default. ########## File path: docs/en/latest/plugins/jwt-auth.md ########## 
@@ -110,6 +117,68 @@ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f13 }' ``` +### Enable jwt-auth with Vault Compatibility + +Sometimes, it's quite natural in production to have a centralized key management solution like vault where you don't have to update the APISIX consumer each time some part of your organization changes the signing secret key (secret for HS256/HS512 or public_key and private_key for RS256) and/or for privacy concerns you don't want to use the key through APISIX admin APIs. APISIX got you covered here. The `jwt-auth` is capable of referencing keys from vault. + +**Note**: For early version of this integration support, the plugin expects the key name of secrets stored into the vault path is among [ `secret`, `public_key`, `private_key` ] to successfully use the key. In next release we are going to add the support of referencing custom named keys. + +To enable vault compatibility, just add the empty vault object inside the jwt-auth plugin. + +1. You have stored HS256 signing secret inside vault and you want to use it for jwt signing and verification. + +```shell +curl http://127.0.0.1:9080/apisix/admin/consumers -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d ' +{ + "username": "jack", + "plugins": { + "jwt-auth": { + "key": "key-1", + "vault": {} + } + } +}' +``` + +Here the plugin looks up for key `secret` inside vault path (`<vault.prefix from default-conf.yaml>/jwt-auth/keys/key-1`) for key `key-1` mentioned in the consumer config and uses it for subsequent signing and jwt verification. If the key is not found in the same path, the plugin logs error and fails to perform jwt authentication. Review comment: ```suggestion Here the plugin looks up for key `secret` inside vault path (`<vault.prefix from conf.yaml>/jwt-auth/keys/key-1`) for key `key-1` mentioned in the consumer config and uses it for subsequent signing and jwt verification. 
If the key is not found in the same path, the plugin logs error and fails to perform jwt authentication. ``` Please update similar places. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
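Review bot: in the `t/plugin/jwt-auth-vault.t` hunk, TEST 1 only checks that `check_schema` rejects an RS256 consumer config that has no `public_key`/`private_key`; since the docs added in this same PR say an empty `vault: {}` object makes the plugin fetch those keys from Vault, the test should also assert that `{ key = "key-1", algorithm = "RS256", vault = {} }` is accepted, otherwise a schema that unconditionally requires the key pair would silently break the Vault path. A table-driven loop over both configurations (as suggested for `gzip.t`) covers both cases in one block.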
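Review bot: in the `docs/en/latest/plugins/jwt-auth.md` table hunk, besides `dictionary` to `object`, the description `whether vault to be used ...` reads like a boolean although the attribute is an object; suggest wording such as `Enables Vault-backed storage and retrieval of the signing secret (secret for HS256/HS512, public_key and private_key for RS256). When set, the plugin reads the secret from the path kv/apisix/jwt-auth/keys/<jwt-auth.key>.` The two empty cells before the description should also say what the object may contain (currently `{}`), so readers know no sub-fields are expected yet.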
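Review bot: in the `apisix/plugins/jwt-auth.lua` hunk, `jwt_vault_prefix` is concatenated with the consumer's `key` to build the Vault path (`kv/apisix/jwt-auth/keys/<jwt-auth.key>` per the docs in this PR), but nothing shown restricts `key` to path-safe characters; the schema should reject `/` and `..` in `key` (or escape it before building the path) so that one consumer's key value cannot resolve to a different Vault path than intended. Also, the hunk replaces the blank line after `local pcall = pcall` with the new constant; keep a blank line so the module-local constants stay separated from the cached upvalues, matching the surrounding style.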
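Review bot: in the `conf/config-default.yaml` hunk, the comment `# storage backend for sensitive data storage and retrieval` repeats "storage"; suggest `# Vault backend for storing and retrieving sensitive data (e.g. jwt-auth secrets)`. Leaving `vault:` uncommented also makes every deployment carry a Vault block it may not use; ship it commented out like the `#sni:` example directly above it, so Vault stays opt-in through `config.yaml`.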
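Review bot: in the `docs/en/latest/plugins/jwt-auth.md` hunk that adds `### Enable jwt-auth with Vault Compatibility`, the Note mixes a current constraint with a roadmap promise (`In next release we are going to add the support of referencing custom named keys`), which goes stale in reference docs; suggest stating only the constraint: `The plugin currently reads only the fields secret, public_key and private_key from the Vault path.` The closing paragraph should also tell the reader what a failed lookup returns to the client (the HTTP status code) rather than only `logs error and fails to perform jwt authentication`, and `looks up for key` should read `looks up the key`.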