feat(vault): vault lua module, integration with jwt-auth authentication plugin

apisix/admin/consumers.lua

@@ -18,6 +18,7 @@ local core    = require("apisix.core")
 local plugins = require("apisix.admin.plugins")
 local utils   = require("apisix.admin.utils")
 local plugin  = require("apisix.plugin")
+local vault   = require("apisix.core.vault")
 local pairs   = pairs
 
 local _M = {
@@ -102,6 +103,33 @@ function _M.get(consumer_name)
     end
 
     utils.fix_count(res.body, consumer_name)
+
+    if consumer_name then
+        -- if data is queried for a single consumer, and there is any plugin where the vault config
+        -- is enabled - it fetches vault data and returns combined with etcd response.
+        local vault_fetch = {}
+        local attach_response = false
+        local _plugins = res.body.node.value.plugins or {}
+        for plugin_name, _schema in pairs(_plugins) do
+            if _schema.vault then
+                local res, err = vault.get(_schema.vault.path, _schema.vault.add_prefix)
+                if not res then
+                    core.log.error("failed to get data from vault for plugin: ", plugin_name,
+                                    "err: ", err)
+                else
+                    attach_response = true
+                    vault_fetch[plugin_name] = res.data
+                end
+            end
+        end
+
+        if attach_response then
+            res.body.vault = {
+                ["data-fetched"] = vault_fetch
+            }
+        end
+    end
+
     return res.status, res.body
 end
 

apisix/core/vault.lua

@@ -0,0 +1,116 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("cjson")
+
+local fetch_local_conf = require("apisix.core.config_local").local_conf
+local norm_path = require("pl.path").normpath
+
+local _M = {}
+
+local function fetch_vault_conf()
+    local conf, err = fetch_local_conf()
+    if not conf then
+        return nil, "failed to fetch vault configuration from config yaml: " .. err
+    end
+
+    if not conf.vault then
+        return nil, "accessing vault data requires configuration information"
+    end
+    return conf.vault
+end
+
+
+local function make_request_to_vault(method, key, rel_path, data)
+    local vault, err = fetch_vault_conf()
+    if not vault then
+        return nil, err
+    end
+
+    local httpc = http.new()
+    -- config timeout or default to 5000 ms
+    httpc:set_timeout((vault.timeout or 5)*1000)
+
+    local req_addr = vault.host
+    if rel_path then
+        req_addr = req_addr .. norm_path("/v1/"
+                .. vault.prefix .. "/" .. key)
+    else
+        req_addr = req_addr .. norm_path("/" .. key)
+    end
+
+    local res, err = httpc:request_uri(req_addr, {
+        method = method,
+        headers = {
+            ["X-Vault-Token"] = vault.token
+        },
+        body = core.json.encode(data or  {}, true)
+    })
+    if not res then
+        return nil, err
+    end
+
+    return res.body
+end
+
+-- key is the vault kv engine path, joined with config yaml vault prefix
+local function get(key, rel_path)
+    core.log.info("fetching data from vault for key: ", key)
+
+    local res, err = make_request_to_vault("GET", key, rel_path)
+    if not res or err then
+        return nil, "failed to retrtive data from vault kv engine " .. err
+    end
+
+    return json.decode(res)
+end
+
+_M.get = get
+
+-- key is the vault kv engine path, data is json key vaule pair
+local function set(key, data, rel_path)
+    core.log.info("stroing data into vault for key: ", key,
+                    "and value: ", core.json.delay_encode(data, true))
+
+    local res, err = make_request_to_vault("POST", key, rel_path, data)
+    if not res or err then
+        return nil, "failed to store data into vault kv engine " .. err
+    end
+
+    return {status = "success"}
+end
+_M.set = set
+
+
+-- key is the vault kv engine path, joined with config yaml vault prefix
+local function delete(key, rel_path)
+    core.log.info("deleting data from vault for key: ", key)
+
+    local res, err = make_request_to_vault("DELETE", key, rel_path)
+
+    if not res or err then
+        return nil, "failed to delete data into vault kv engine " .. err
+    end
+
+    return {status = "success"}
+end
+
+_M.delete = delete
+
+return _M