feat(secret): add ci and doc for some auth plugins #8601

Merged
merged 9 commits into from
Jan 6, 2023
Changes from 2 commits
2 changes: 1 addition & 1 deletion docs/en/latest/plugins/basic-auth.md
@@ -40,7 +40,7 @@ For Consumer:
| Name | Type | Required | Description |
|----------|--------|----------|------------------------------------------------------------------------------------------------------------------------|
| username | string | True | Unique username for a Consumer. If multiple Consumers use the same `username`, a request matching exception is raised. |
| password | string | True | Password of the user. |
| password | string | True | Password of the user. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |

NOTE: `encrypt_fields = {"password"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields).

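Review bot: the sentence added to the `password` row sits directly above the NOTE about `encrypt_fields = {"password"}`, and together they now read as though the plaintext password is always what ends up encrypted in etcd. Add a clause here (or a sentence to the NOTE) saying that when a Secret reference is used, the value stored and encrypted in etcd is the reference string itself and the real password is resolved from the Secret Manager when a request is authenticated. It would also help to show the reference form exercised by the test in this PR, `"password": "$secret://vault/test1/foo/passwd"`, so readers do not have to go to `secret.md` to learn the syntax.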
2 changes: 1 addition & 1 deletion docs/en/latest/plugins/hmac-auth.md
@@ -38,7 +38,7 @@ This Plugin works with a [Consumer](../terminology/consumer.md) object and a con
| Name | Type | Required | Default | Valid values | Description |
|-----------------------|---------------|----------|---------------|---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| access_key | string | True | | | Unique key of a Consumer. If different Consumers have the same key, a request matching exception will occur. |
| secret_key | string | True | | | Used in pair with `access_key`. |
| secret_key | string | True | | | Used in pair with `access_key`. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
| algorithm | string | False | "hmac-sha256" | ["hmac-sha1", "hmac-sha256", "hmac-sha512"] | Encryption algorithm used. |
| clock_skew | integer | False | 0 | | Clock skew allowed by the signature in seconds. Setting it to `0` will skip checking the date. |
| signed_headers | array[string] | False | | | List of headers to be used in the encryption algorithm. If specified, the client request can only contain the specified headers. When unspecified, all the headers are used in the encryption algorithm. |
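Review bot: unlike `basic-auth` and `key-auth`, the value behind `secret_key` is not compared but used as the HMAC key, so the new sentence should say that the resolved secret must be the raw key string (the test in this PR stores `secret_key=my-secret-key` in Vault and signs with exactly that string); otherwise users may store a base64 or hex form and get signature mismatches that are hard to debug. Minor wording in the same row: `Used in pair with` reads better as `Used together with \`access_key\``.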
2 changes: 1 addition & 1 deletion docs/en/latest/plugins/key-auth.md
@@ -39,7 +39,7 @@ For Consumer:

| Name | Type | Requirement | Description |
|------|--------|-------------|----------------------------|
| key | string | required | Unique key for a Consumer. |
| key | string | required | Unique key for a Consumer. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |

NOTE: `encrypt_fields = {"key"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields).

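Review bot: style: this table keeps a `Requirement` column with the value `required`, while `basic-auth.md` and `hmac-auth.md` touched in the same PR use `Required` / `True`; since all four plugin pages are being edited, aligning the header here is cheap. The extended `key` description also makes the row far longer than the `---` separator of the table, which renders fine but is awkward to review; consider re-padding the separator, or keeping the Secret Manager sentence short and relying on the link.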
2 changes: 1 addition & 1 deletion docs/en/latest/plugins/wolf-rbac.md
@@ -36,7 +36,7 @@ The `wolf-rbac` Plugin provides a [role-based access control](https://en.wikiped
| Name | Type | Required | Default | Description |
|---------------|--------|----------|--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| server | string | False | "http://127.0.0.1:12180" | Service address of wolf server. |
| appid | string | False | "unset" | App id added in wolf console. |
| appid | string | False | "unset" | App id added in wolf console. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. |
| header_prefix | string | False | "X-" | Prefix for a custom HTTP header. After authentication is successful, three headers will be added to the request header (for backend) and response header (for frontend) namely: `X-UserId`, `X-Username`, and `X-Nickname`. |

## API
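Review bot: `appid` is documented with a default of `"unset"` and is an application identifier rather than a credential, and the test files in this PR only exercise `password` and `secret_key`, not `appid`; the added sentence should say why this field is treated as sensitive (if it is part of what authenticates the gateway to the wolf server, say so), otherwise readers will ask why `server` does not get the same treatment. The row should also state what happens when the `$secret://` reference cannot be resolved: whether the request is rejected or the plugin falls back to `"unset"`, since a silent fallback would change authorization behaviour without any error.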
2 changes: 1 addition & 1 deletion docs/zh/latest/plugins/basic-auth.md
@@ -40,7 +40,7 @@ Consumer 端:
| 名称 | 类型 | 必选项 | 描述 |
| -------- | ------ | -----| ----------------------------------------------------------------------------------------------- |
| username | string | 是 | Consumer 的用户名并且该用户名是唯一,如果多个 Consumer 使用了相同的 `username`,将会出现请求匹配异常。|
| password | string | 是 | 用户的密码。 |
| password | string | 是 | 用户的密码。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |

注意:schema 中还定义了 `encrypt_fields = {"password"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。

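Review bot: the translation matches the English row. To keep the two pages in step, any clarification made to the English NOTE about `encrypt_fields` (that the encrypted etcd value is the `$secret://` reference, not the resolved password) should be mirrored in the 注意 line here in the same change.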
2 changes: 1 addition & 1 deletion docs/zh/latest/plugins/hmac-auth.md
@@ -38,7 +38,7 @@ description: 本文介绍了关于 Apache APISIX `hmac-auth` 插件的基本信
| 名称 | 类型 | 必选项 | 默认值 | 有效值 | 描述 |
| ---------------- | ------------- | ------ | ------------- | ------------------------------------------| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| access_key | string | 是 | | | Consumer 的 `access_key` 必须是唯一的。如果不同 Consumer 使用了相同的 `access_key` ,将会出现请求匹配异常。 |
| secret_key | string | 是 | | | 与 `access_key` 配对使用。 |
| secret_key | string | 是 | | | 与 `access_key` 配对使用。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
| algorithm | string | 否 | "hmac-sha256" | ["hmac-sha1", "hmac-sha256", "hmac-sha512"] | 可以使用的加密算法。 |
| clock_skew | integer | 否 | 0 | | 签名允许的时间偏移(以秒为单位)。比如允许时间偏移 10 秒钟,那么就应设置为 `10`。如果将其设置为 `0`,则表示表示跳过日期检查。 |
| signed_headers | array[string] | 否 | | | 要在加密计算中使用的 headers 列表。指定后客户端请求只能在此范围内指定 headers,如果未指定,就会在所有客户端请求指定的 headers 加入加密计算。如: ["User-Agent", "Accept-Language", "x-custom-a"]。 |
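Review bot: the added `secret_key` sentence matches the English page. Follow-up for both language versions, not blocking: the `algorithm` row calls the values `加密算法` (English: `Encryption algorithm used`) although `hmac-sha1/256/512` are message authentication codes and nothing is encrypted; `签名算法` / `Signature algorithm` would stop readers from assuming the signed headers are confidential.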
2 changes: 1 addition & 1 deletion docs/zh/latest/plugins/key-auth.md
@@ -39,7 +39,7 @@ Consumer 端:

| 名称 | 类型 | 必选项 | 描述 |
| ---- | ------ | ------ | ------------------------------------------------------------------------------------------------------------- |
| key | string | 是 | 不同的 Consumer 应有不同的 `key`,它应当是唯一的。如果多个 Consumer 使用了相同的 `key`,将会出现请求匹配异常。 |
| key | string | 是 | 不同的 Consumer 应有不同的 `key`,它应当是唯一的。如果多个 Consumer 使用了相同的 `key`,将会出现请求匹配异常。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |

注意:schema 中还定义了 `encrypt_fields = {"key"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。

2 changes: 1 addition & 1 deletion docs/zh/latest/plugins/wolf-rbac.md
@@ -36,7 +36,7 @@ description: 本文介绍了关于 Apache APISIX `wolf-rbac` 插件的基本信
| 名称 | 类型 | 必选项 | 默认值 | 描述 |
| ------------- | ------ | ------ | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------- |
| server | string | 否 | "http://127.0.0.1:12180" | `wolf-server` 的服务地址。 |
| appid | string | 否 | "unset" | 在 `wolf-console` 中已经添加的应用 id。 |
| appid | string | 否 | "unset" | 在 `wolf-console` 中已经添加的应用 id。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 |
| header_prefix | string | 否 | "X-" | 自定义 HTTP 头的前缀。`wolf-rbac` 在鉴权成功后,会在请求头 (用于传给后端) 及响应头 (用于传给前端) 中添加 3 个 header:`X-UserId`, `X-Username`, `X-Nickname`。|

## 接口
96 changes: 96 additions & 0 deletions t/plugin/basic-auth.t
@@ -452,3 +452,99 @@ GET /echo
Authorization: Basic Zm9vOmJhcg==
--- response_headers
Authorization: Basic Zm9vOmJhcg==



=== TEST 22: set basic-auth conf: password uses secret ref
--- request
GET /t
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
-- put secret vault config
local code, body = t('/apisix/admin/secrets/vault/test1',
ngx.HTTP_PUT,
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
}]],
[[{
"value": {
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
},
"key": "/apisix/secrets/vault/test1"
}]]
)

if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- change consumer with secrets ref: vault
code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "$secret://vault/test1/foo/passwd"
}
}
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- set route
code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {
"hide_credentials": false
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/echo"
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed



=== TEST 23: store secret into vault
--- exec
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/foo passwd=bar
--- response_body
Success! Data written to: kv/apisix/foo



=== TEST 24: verify Authorization with foo/bar, request header should not hidden
--- request
GET /echo
--- more_headers
Authorization: Basic Zm9vOmJhcg==
--- response_headers
Authorization: Basic Zm9vOmJhcg==
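Review bot: TEST 22 registers the consumer with `"password": "$secret://vault/test1/foo/passwd"` before TEST 23 writes `passwd=bar` to Vault, so the sequence only shows that a dangling reference is accepted by the Admin API and resolved lazily on the request; two cases that matter for an auth plugin are missing. First, a request made while the referenced key is absent (or Vault is unreachable) must be rejected, not matched against an empty password, and that deserves its own TEST between 22 and 23. Second, after TEST 23 a wrong password (for example `foo:baz`) must still be refused; that is the only assertion that proves the resolved value `bar` is what is compared. TEST 24 asserts on `--- response_headers` only, so add an explicit `--- error_code` so the test fails if authentication is rejected, and fix the title grammar: `request header should not be hidden`. Minor: the `--- exec` uses `VAULT_ADDR='http://0.0.0.0:8200'` while the secret resource is configured with `http://127.0.0.1:8200`; using the same address in both avoids confusion when someone adapts the test.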
143 changes: 143 additions & 0 deletions t/plugin/hmac-auth3.t
@@ -755,3 +755,146 @@ apisix:
--- response_body
my-secret-key
IRWpPjbDq5BCgHyIllnOMA==



=== TEST 15: set hmac-auth conf: secret_key uses secret ref
--- request
GET /t
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
-- put secret vault config
local code, body = t('/apisix/admin/secrets/vault/test1',
ngx.HTTP_PUT,
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
}]],
[[{
"value": {
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "root"
},
"key": "/apisix/secrets/vault/test1"
}]]
)

if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- change consumer with secrets ref: vault
code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "jack",
"plugins": {
"hmac-auth": {
"access_key": "my-access-key",
"secret_key": "$secret://vault/test1/jack/secret_key"
}
}
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- set route
code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"hmac-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed



=== TEST 16: store secret into vault
--- exec
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret_key=my-secret-key
--- response_body
Success! Data written to: kv/apisix/jack



=== TEST 17: verify: ok
--- config
location /t {
content_by_lua_block {
local ngx_time = ngx.time
local ngx_http_time = ngx.http_time
local core = require("apisix.core")
local t = require("lib.test_admin")
local hmac = require("resty.hmac")
local ngx_encode_base64 = ngx.encode_base64

local secret_key = "my-secret-key"
local timestamp = ngx_time()
local gmt = ngx_http_time(timestamp)
local access_key = "my-access-key"
local custom_header_a = "asld$%dfasf"
local custom_header_b = "23879fmsldfk"

local signing_string = {
"GET",
"/hello",
"",
access_key,
gmt,
"x-custom-header-a:" .. custom_header_a,
"x-custom-header-b:" .. custom_header_b
}
signing_string = core.table.concat(signing_string, "\n") .. "\n"
core.log.info("signing_string:", signing_string)

local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
core.log.info("signature:", ngx_encode_base64(signature))
local headers = {}
headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
headers["Date"] = gmt
headers["X-HMAC-ACCESS-KEY"] = access_key
headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b"
headers["x-custom-header-a"] = custom_header_a
headers["x-custom-header-b"] = custom_header_b

local code, body = t.test('/hello',
ngx.HTTP_GET,
"",
nil,
headers
)

ngx.status = code
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed
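Review bot: TEST 17 signs with the literal `secret_key = "my-secret-key"` that TEST 16 stored in Vault, so it proves resolution works but not that the resolved key is enforced; add a negative case that signs with a different key and expects a rejection, plus one for the window between TEST 15 and TEST 16 when `$secret://vault/test1/jack/secret_key` has no value yet, since an HMAC check that degrades to an empty key would pass any client that also uses an empty key. The Vault secret resource block in TEST 15 is the same as the one in `t/plugin/basic-auth.t` TEST 22; moving it into a helper under `lib/` would keep the two from drifting when the reference format or resource schema changes. Minor: TEST 17 propagates `code` into `ngx.status` but the test only checks `--- response_body` for `passed`; an explicit `--- error_code` line makes the intent clear.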