feat(vault): vault lua module, integration with jwt-auth authentication plugin #5745
Merged
+777
−46
Merged
b2788ff
vault-auth init
bisakhmondal a88c615
vault storage kv engine integration
bisakhmondal 17b3c23
not required file
bisakhmondal 7605c38
integrating vault storage backend with jwt-auth authentication plugin
bisakhmondal ae240ed
Merge branch 'master' into vault-jwt
bisakhmondal 876cce3
Merge branch 'master' into vault-jwt
bisakhmondal c3a7d4a
openssl rsa-2048 pem public private keypairs
bisakhmondal ed628b2
vault integration tests with corner cases
bisakhmondal 9ec682a
minor updates
bisakhmondal 36f0141
adding real vault server into CIs
bisakhmondal c3aaf8f
lint fix
bisakhmondal 80358b9
suggestions
bisakhmondal e4d10da
now get doesnot returns vault data
bisakhmondal f927fb9
update exposed port address
bisakhmondal ee251aa
documentation
bisakhmondal 6158837
blank commit
bisakhmondal f9cdc4e
remove custom path support from mvp
bisakhmondal 6729106
trimming down validation and key generation if vault config is enabled
bisakhmondal 83b3fe0
remove redundant codes
bisakhmondal 58292d2
Ci fix
bisakhmondal 55c105d
changing vault kv suffix to /consumer/<username>/jwt-auth
bisakhmondal 1f2ff22
update tests and modify the way http status code were sent
bisakhmondal cac28d1
fix doc broken link
bisakhmondal f78cf89
comment out vault config in yaml and update tests accordingly
bisakhmondal 6a28225
Merge branch 'master' into vault-jwt
bisakhmondal 2d44654
change yaml_config to extra_yaml_config
bisakhmondal 66ee305
single extra yaml config
bisakhmondal a56ed8e
suggestion
bisakhmondal File filter
@@ -0,0 +1,122 @@ | ||
-- | ||
-- Licensed to the Apache Software Foundation (ASF) under one or more | ||
-- contributor license agreements. See the NOTICE file distributed with | ||
-- this work for additional information regarding copyright ownership. | ||
-- The ASF licenses this file to You under the Apache License, Version 2.0 | ||
-- (the "License"); you may not use this file except in compliance with | ||
-- the License. You may obtain a copy of the License at | ||
-- | ||
-- http://www.apache.org/licenses/LICENSE-2.0 | ||
-- | ||
-- Unless required by applicable law or agreed to in writing, software | ||
-- distributed under the License is distributed on an "AS IS" BASIS, | ||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
-- See the License for the specific language governing permissions and | ||
-- limitations under the License. | ||
-- | ||
|
||
local core = require("apisix.core") | ||
local http = require("resty.http") | ||
local json = require("cjson") | ||
|
||
local fetch_local_conf = require("apisix.core.config_local").local_conf | ||
local norm_path = require("pl.path").normpath | ||
|
||
local _M = {} | ||
|
||
local function fetch_vault_conf() | ||
local conf, err = fetch_local_conf() | ||
if not conf then | ||
return nil, "failed to fetch vault configuration from config yaml: " .. err | ||
end | ||
|
||
if not conf.vault then | ||
return nil, "accessing vault data requires configuration information" | ||
end | ||
return conf.vault | ||
end | ||
|
||
|
||
local function make_request_to_vault(method, key, skip_prefix, data) | ||
local vault, err = fetch_vault_conf() | ||
if not vault then | ||
return nil, err | ||
end | ||
|
||
local httpc = http.new() | ||
-- config timeout or default to 5000 ms | ||
httpc:set_timeout((vault.timeout or 5)*1000) | ||
|
||
local req_addr = vault.host | ||
if not skip_prefix then | ||
req_addr = req_addr .. norm_path("/v1/" | ||
.. vault.prefix .. "/" .. key) | ||
else | ||
req_addr = req_addr .. norm_path("/v1/" .. key) | ||
end | ||
|
||
local res, err = httpc:request_uri(req_addr, { | ||
method = method, | ||
headers = { | ||
["X-Vault-Token"] = vault.token | ||
}, | ||
body = core.json.encode(data or {}, true) | ||
}) | ||
if not res then | ||
return nil, err | ||
end | ||
|
||
return res.body | ||
end | ||
|
||
-- key is the vault kv engine path, joined with config yaml vault prefix. | ||
-- It takes an extra optional boolean param skip_prefix. If enabled, it simply doesn't use the | ||
-- prefix defined inside config yaml under vault config for fetching data. | ||
local function get(key, skip_prefix) | ||
core.log.info("fetching data from vault for key: ", key) | ||
|
||
local res, err = make_request_to_vault("GET", key, skip_prefix) | ||
if not res or err then | ||
return nil, "failed to retrtive data from vault kv engine " .. err | ||
end | ||
|
||
return json.decode(res) | ||
end | ||
|
||
_M.get = get | ||
|
||
-- key is the vault kv engine path, data is json key vaule pair. | ||
-- It takes an extra optional boolean param skip_prefix. If enabled, it simply doesn't use the | ||
-- prefix defined inside config yaml under vault config for storing data. | ||
local function set(key, data, skip_prefix) | ||
core.log.info("stroing data into vault for key: ", key, | ||
"and value: ", core.json.delay_encode(data, true)) | ||
|
||
local res, err = make_request_to_vault("POST", key, skip_prefix, data) | ||
if not res or err then | ||
return nil, "failed to store data into vault kv engine " .. err | ||
end | ||
|
||
return true | ||
end | ||
_M.set = set | ||
|
||
|
||
-- key is the vault kv engine path, joined with config yaml vault prefix. | ||
-- It takes an extra optional boolean param skip_prefix. If enabled, it simply doesn't use the | ||
-- prefix defined inside config yaml under vault config for deleting data. | ||
local function delete(key, skip_prefix) | ||
core.log.info("deleting data from vault for key: ", key) | ||
|
||
local res, err = make_request_to_vault("DELETE", key, skip_prefix) | ||
|
||
if not res or err then | ||
return nil, "failed to delete data into vault kv engine " .. err | ||
end | ||
|
||
return true | ||
end | ||
|
||
_M.delete = delete | ||
|
||
return _M |
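Review bot: `make_request_to_vault` returns `res.body` without looking at `res.status`, so `set` and `delete` report `true` even when Vault answers with a 4xx/5xx (a rejected token, for instance), and `get` hands whatever error body came back to `json.decode`. A guard such as `if res.status >= 300 then return nil, "vault responded with status " .. res.status end` before `return res.body` would surface the failure, though any caller of `get` that relies on decoding a 404 body to detect a missing secret would then need adjusting. Separately, `set` logs the full payload through `core.json.delay_encode(data, true)`, which writes the secret being stored into the log whenever info level is enabled; logging only `key` avoids that. `key` is also concatenated into the request path and passed through `norm_path`, which presumably collapses `..` segments, so a key derived from a consumer name should be validated so it cannot resolve outside `vault.prefix`.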
@@ -0,0 +1,27 @@ | ||
-----BEGIN RSA PRIVATE KEY----- | ||
MIIEowIBAAKCAQEA79XYBopfnVMKxI533oU2VFQbEdSPtWRD+xSl73lHLVboGP1l | ||
SIZtnEj5AcTN2uDW6AYPiWL2iA3lEEsDTs7JBUXyl6pysBPfrqC8n/MOXKaD4e8U | ||
5GAHFiwHWg2WzHlfFSlFkLjzp0vPkDK+fQ4Clrd7shAyitB7use6DHcVCKuI4bFO | ||
oFbdI5sBGeyoD833g+ql9bRkH/vf8O+rPwHAM+47r1iv3lY3ex0P45PRd7U7rq8P | ||
8UIw6qOI1tiYuKlFJmjFdcwtYG0dctxWwgL1+7njrVQoWvuOTSsc9TDMhZkmmSsU | ||
3wXjaPxJpydck1C/w9ZLqsctKK5swYWhIcbcBQIDAQABAoIBADHXy1FwqHZVr8Mx | ||
qI/CN4xG/mkyN7uG3unrXKDsH3K4wPuQjeAIr/bu43EOqYl3eLI3sDrpKjsUSCqe | ||
rE1QhE5oPwZuEe+t8aqlFQ5YwP9YS8hEm57qpg5hkBWTBWfxQWVwclilV13JT5W0 | ||
NgpfQwJ3l2lmHFrlARHMOEom5WQrewKvLh2YXeJBFQc0shHcjC2Pt7cjR9oAUVi6 | ||
M5h6I+eB5xd9jj2a2fXaFL1SKZXEBVT6agSQqdB0tSuVTUsTBzNnuTL5ngS1wdLa | ||
lEdrw8klOYWrUihKJgYH7rnQrVEVNxGyO6fVs1S9CxMwu/nW2MPcbRBY0WKYCcAO | ||
QFJ4j4ECgYEA+yaEEPp/SH1E+DJi3U35pGdlHqg8yP0R7sik2cvvPUk4VbPrYVDD | ||
NQ8gt2H+06keycfRqJTPptS79db9LpKjG59yYP3aWj2YbGsH1H3XxA3sZiWHkNl0 | ||
7i0ZE0GSCmEMbPe3C0Z3726tD9ZyVdaE5RdvRWdz1IloA+rYr3ypnH0CgYEA9Hdl | ||
KY8qSthtgWsTuthpExcvfppS3Dijgd23+oZJY2JLKf8/yctuBv6rBgqDCwpnUmGR | ||
tnkxPD/igaBnFtaMjDKNMwWwGHyarWkI7Zc+6HUdNcA/BkI3MCxwYQg2fr7HXY0h | ||
FalewOHeJz2Tldaue9DrVIO49jfLtBh2DYZFvCkCgYBV7OmGPY3KqUEtgV+dw43D | ||
l7Ra9shFI4A9J9xuv30MhL6HY9UGKHGA97oDw71BgT0NYBX1DWS1+VaNV46rnnO7 | ||
gaPKV0+bTDOX9E5rftqRMwpMME7fWebNjhRkKCzk7CsqJN41N1jVTBJdtsrLX2d8 | ||
UbY6EpjogFJb9L9J2ubUqQKBgQCk6oKJJbZfJV/CJaz6qBFCOqrkmlD5lQ/ghOUf | ||
EUYi0GVqYHH0vNJtz5EqEx9R7GPFNGLrGRi4z1QLJF1HD9dioJuWZujjq/NgtnG6 | ||
bgSXJqJc52Lc4wB99AyfuL2ihSrTFmjSRx7Puc9241hTha7Rgh+vNOkq2HsH9FR3 | ||
TTRv+QKBgG5ph+SFenSE7MgYXm2NRfG1k8bp86hrt9C8vHJ7DSO2Rr833RtqEiDJ | ||
nD4FbR0IObaBpS2VJdOn/jBYXCG0hFuj+Shxiyg/mZN0fwPVaRWDls7jzqqPsA+b | ||
x3XKRAn57LY8UbsNpOIqZ8kjVLPZhgfYwfOI3yAeSMv4ZnRY/MWe | ||
-----END RSA PRIVATE KEY----- |
@@ -0,0 +1,9 @@ | ||
-----BEGIN PUBLIC KEY----- | ||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA79XYBopfnVMKxI533oU2 | ||
VFQbEdSPtWRD+xSl73lHLVboGP1lSIZtnEj5AcTN2uDW6AYPiWL2iA3lEEsDTs7J | ||
BUXyl6pysBPfrqC8n/MOXKaD4e8U5GAHFiwHWg2WzHlfFSlFkLjzp0vPkDK+fQ4C | ||
lrd7shAyitB7use6DHcVCKuI4bFOoFbdI5sBGeyoD833g+ql9bRkH/vf8O+rPwHA | ||
M+47r1iv3lY3ex0P45PRd7U7rq8P8UIw6qOI1tiYuKlFJmjFdcwtYG0dctxWwgL1 | ||
+7njrVQoWvuOTSsc9TDMhZkmmSsU3wXjaPxJpydck1C/w9ZLqsctKK5swYWhIcbc | ||
BQIDAQAB | ||
-----END PUBLIC KEY----- |
@@ -0,0 +1,368 @@ | ||
# | ||
# Licensed to the Apache Software Foundation (ASF) under one or more | ||
# contributor license agreements. See the NOTICE file distributed with | ||
# this work for additional information regarding copyright ownership. | ||
# The ASF licenses this file to You under the Apache License, Version 2.0 | ||
# (the "License"); you may not use this file except in compliance with | ||
# the License. You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
use t::APISIX 'no_plan'; | ||
|
||
repeat_each(1); | ||
no_long_string(); | ||
no_root_location(); | ||
no_shuffle(); | ||
|
||
add_block_preprocessor(sub { | ||
my ($block) = @_; | ||
|
||
my $http_config = $block->http_config // <<_EOC_; | ||
server { | ||
listen 8777; | ||
location /secure-endpoint { | ||
content_by_lua_block { | ||
ngx.say("successfully invoked secure endpoint") | ||
} | ||
} | ||
} | ||
_EOC_ | ||
|
||
$block->set_value("http_config", $http_config); | ||
|
||
if (!$block->request) { | ||
$block->set_value("request", "GET /t"); | ||
} | ||
if (!$block->no_error_log && !$block->error_log) { | ||
$block->set_value("no_error_log", "[error]\n[alert]"); | ||
} | ||
}); | ||
|
||
run_tests; | ||
|
||
__DATA__ | ||
=== TEST 1: schema check | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local plugin = require("apisix.plugins.jwt-auth") | ||
local core = require("apisix.core") | ||
for _, conf in ipairs({ | ||
{ | ||
-- public and private key are not provided for RS256, returns error | ||
key = "key-1", | ||
algorithm = "RS256" | ||
}, | ||
{ | ||
-- public and private key are not provided but vault config is enabled. | ||
key = "key-1", | ||
algorithm = "RS256", | ||
vault = {} | ||
} | ||
}) do | ||
local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER) | ||
if not ok then | ||
ngx.say(err) | ||
else | ||
ngx.say("ok") | ||
end | ||
end | ||
} | ||
} | ||
--- response_body | ||
failed to validate dependent schema for "algorithm": value should match only one schema, but matches none | ||
ok | ||
=== TEST 2: create a consumer with plugin and username | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, body = t('/apisix/admin/consumers', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"username": "jack", | ||
"plugins": { | ||
"jwt-auth": { | ||
"key": "key-hs256", | ||
"algorithm": "HS256", | ||
"vault":{} | ||
} | ||
} | ||
}]], | ||
[[{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could we remove the expected response? We don't need to check this output anymore. More other tests already do it. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sure. Done |
||
"node": { | ||
"value": { | ||
"username": "jack", | ||
"plugins": { | ||
"jwt-auth": { | ||
"key": "key-hs256", | ||
"algorithm": "HS256", | ||
"vault":{} | ||
} | ||
} | ||
} | ||
}, | ||
"action": "set" | ||
}]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.say(body) | ||
} | ||
} | ||
--- response_body | ||
passed | ||
=== TEST 3: enable jwt auth plugin using admin api | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, body = t('/apisix/admin/routes/1', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"plugins": { | ||
"jwt-auth": {} | ||
}, | ||
"upstream": { | ||
"nodes": { | ||
"127.0.0.1:8777": 1 | ||
}, | ||
"type": "roundrobin" | ||
}, | ||
"uri": "/secure-endpoint" | ||
}]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.say(body) | ||
} | ||
} | ||
--- response_body | ||
passed | ||
=== TEST 4: sign a jwt and access/verify /secure-endpoint, fails as no secret entry into vault | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, err, sign = t('/apisix/plugin/jwt/sign?key=key-hs256', | ||
ngx.HTTP_GET | ||
) | ||
if code > 200 then | ||
ngx.status = code | ||
ngx.say(err) | ||
return | ||
end | ||
local code, _, res = t('/secure-endpoint?jwt=' .. sign, | ||
ngx.HTTP_GET | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.print(res) | ||
} | ||
} | ||
--- response_body | ||
failed to sign jwt | ||
--- error_code: 503 | ||
--- error_log: true | ||
--- grep_error_log eval | ||
qr/failed to sign jwt, err: secret could not found in vault/ | ||
--- grep_error_log_out | ||
failed to sign jwt, err: secret could not found in vault | ||
bisakhmondal marked this conversation as resolved.
|
||
=== TEST 5: store HS256 secret into vault | ||
--- exec | ||
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/consumer/jack/jwt-auth secret=$3nsitiv3-c8d3 | ||
--- response_body | ||
Success! Data written to: kv/apisix/consumer/jack/jwt-auth | ||
=== TEST 6: sign a HS256 jwt and access/verify /secure-endpoint | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, err, sign = t('/apisix/plugin/jwt/sign?key=key-hs256', | ||
ngx.HTTP_GET | ||
) | ||
if code > 200 then | ||
ngx.status = code | ||
ngx.say(err) | ||
return | ||
end | ||
local code, _, res = t('/secure-endpoint?jwt=' .. sign, | ||
ngx.HTTP_GET | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.print(res) | ||
} | ||
} | ||
--- response_body | ||
successfully invoked secure endpoint | ||
=== TEST 7: store rsa key pairs into vault from local filesystem | ||
--- exec | ||
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/consumer/jim/jwt-auth public_key=@t/certs/public.pem private_key=@t/certs/private.pem | ||
--- response_body | ||
Success! Data written to: kv/apisix/consumer/jim/jwt-auth | ||
=== TEST 8: create consumer for RS256 algorithm with keypair fetched from vault | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, body = t('/apisix/admin/consumers', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"username": "jim", | ||
"plugins": { | ||
"jwt-auth": { | ||
"key": "rsa", | ||
"algorithm": "RS256", | ||
"vault":{} | ||
} | ||
} | ||
}]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.say(body) | ||
} | ||
} | ||
--- response_body | ||
passed | ||
=== TEST 9: sign a jwt with with rsa keypair and access /secure-endpoint | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, err, sign = t('/apisix/plugin/jwt/sign?key=rsa', | ||
ngx.HTTP_GET | ||
) | ||
if code > 200 then | ||
ngx.status = code | ||
ngx.say(err) | ||
return | ||
end | ||
local code, _, res = t('/secure-endpoint?jwt=' .. sign, | ||
ngx.HTTP_GET | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.print(res) | ||
} | ||
} | ||
--- response_body | ||
successfully invoked secure endpoint | ||
=== TEST 10: store rsa private key into vault from local filesystem | ||
--- exec | ||
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/consumer/john/jwt-auth private_key=@t/certs/private.pem | ||
--- response_body | ||
Success! Data written to: kv/apisix/consumer/john/jwt-auth | ||
=== TEST 11: create consumer for RS256 algorithm with private key fetched from vault and public key in consumer schema | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, body = t('/apisix/admin/consumers', | ||
ngx.HTTP_PUT, | ||
[[{ | ||
"username": "john", | ||
"plugins": { | ||
"jwt-auth": { | ||
"key": "rsa1", | ||
"algorithm": "RS256", | ||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA79XYBopfnVMKxI533oU2\nVFQbEdSPtWRD+xSl73lHLVboGP1lSIZtnEj5AcTN2uDW6AYPiWL2iA3lEEsDTs7J\nBUXyl6pysBPfrqC8n/MOXKaD4e8U5GAHFiwHWg2WzHlfFSlFkLjzp0vPkDK+fQ4C\nlrd7shAyitB7use6DHcVCKuI4bFOoFbdI5sBGeyoD833g+ql9bRkH/vf8O+rPwHA\nM+47r1iv3lY3ex0P45PRd7U7rq8P8UIw6qOI1tiYuKlFJmjFdcwtYG0dctxWwgL1\n+7njrVQoWvuOTSsc9TDMhZkmmSsU3wXjaPxJpydck1C/w9ZLqsctKK5swYWhIcbc\nBQIDAQAB\n-----END PUBLIC KEY-----\n", | ||
"vault":{} | ||
} | ||
} | ||
}]] | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.say(body) | ||
} | ||
} | ||
--- response_body | ||
passed | ||
=== TEST 12: sign a jwt with with rsa keypair and access /secure-endpoint | ||
--- config | ||
location /t { | ||
content_by_lua_block { | ||
local t = require("lib.test_admin").test | ||
local code, err, sign = t('/apisix/plugin/jwt/sign?key=rsa1', | ||
ngx.HTTP_GET | ||
) | ||
if code > 200 then | ||
ngx.status = code | ||
ngx.say(err) | ||
return | ||
end | ||
local code, _, res = t('/secure-endpoint?jwt=' .. sign, | ||
ngx.HTTP_GET | ||
) | ||
if code >= 300 then | ||
ngx.status = code | ||
end | ||
ngx.print(res) | ||
} | ||
} | ||
--- response_body | ||
successfully invoked secure endpoint |
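Review bot: In TEST 5 the secret is passed unquoted as `secret=$3nsitiv3-c8d3`; if the `--- exec` command runs through a shell, `$3` is expanded as a positional parameter and the value stored in Vault is not the string written here. The later tests still pass because signing and verification both read back the same stored value, so the mismatch stays silent. Quoting it, `secret='$3nsitiv3-c8d3'`, keeps the fixture literal. The `code > 200` checks after the sign call also differ from the `code >= 300` checks used elsewhere in this file; a single convention would read more clearly.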
Let's comment out this section, we do not need to require vault by default.
Done
Err. Actually, I mean like this :
Ahh, I get it now 😄
Updated. Thanks for the review