Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: use env var instead of plain text for vault token #8866

Merged
merged 24 commits into from
Feb 24, 2023
Merged

feat: use env var instead of plain text for vault token #8866

Show file tree
Hide file tree
Changes from 21 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
aa8b1bd
feat: use env var instead of plain text
shreemaan-abhishek Feb 15, 2023
7f938e2
modify tests to use env var
shreemaan-abhishek Feb 15, 2023
c13c6ec
export env var
shreemaan-abhishek Feb 15, 2023
6bc6d61
export env var for centos
shreemaan-abhishek Feb 15, 2023
111ac11
fix breaking change, allow plain text env vars
shreemaan-abhishek Feb 15, 2023
2d988b7
Revert "modify tests to use env var"
shreemaan-abhishek Feb 15, 2023
62eb6f9
add tests
shreemaan-abhishek Feb 15, 2023
26627b7
place env var in correct place
shreemaan-abhishek Feb 16, 2023
0868b43
Revert "add tests"
shreemaan-abhishek Feb 16, 2023
c562216
add tests
shreemaan-abhishek Feb 16, 2023
206dd90
fix tests
shreemaan-abhishek Feb 16, 2023
3aeed0d
Merge branch 'master' into vault-token-env-var
shreemaan-abhishek Feb 16, 2023
6c8cf91
add quotes
shreemaan-abhishek Feb 16, 2023
756f3b4
use print instead of "say"
shreemaan-abhishek Feb 17, 2023
37a3406
Revert "add quotes"
shreemaan-abhishek Feb 17, 2023
d4d5fb3
add line break
shreemaan-abhishek Feb 17, 2023
30a296b
replace with \R
shreemaan-abhishek Feb 18, 2023
1626dce
remove directory added by mistake
shreemaan-abhishek Feb 18, 2023
46b992e
use regex
shreemaan-abhishek Feb 18, 2023
f2c1c27
trigger build
shreemaan-abhishek Feb 18, 2023
9bfaede
remove unnecessary env var
shreemaan-abhishek Feb 20, 2023
234346a
clean way to import
shreemaan-abhishek Feb 21, 2023
8b72f12
remove newline
shreemaan-abhishek Feb 22, 2023
74b3e66
trigger build
shreemaan-abhishek Feb 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion apisix/secret/vault.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ local norm_path = require("pl.path").normpath
local sub = core.string.sub
local rfind_char = core.string.rfind_char

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can avoid the blank line here? Other files don't add a blank line among localized variables.

local env = require("apisix.core.env")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we import it like core.string.sub?


local schema = {
type = "object",
Expand Down Expand Up @@ -53,10 +54,15 @@ local function make_request_to_vault(conf, method, key, data)
local req_addr = conf.uri .. norm_path("/v1/"
.. conf.prefix .. "/" .. key)

local token, _ = env.fetch_by_uri(conf.token)
soulbird marked this conversation as resolved.
Show resolved Hide resolved
if not token then
token = conf.token
end

local res, err = httpc:request_uri(req_addr, {
method = method,
headers = {
["X-Vault-Token"] = conf.token
["X-Vault-Token"] = token
},
body = core.json.encode(data or {}, true)
})
Expand Down
1 change: 1 addition & 0 deletions t/config-center-yaml/secret.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#

use t::APISIX 'no_plan';

repeat_each(1);
Expand Down
80 changes: 80 additions & 0 deletions t/plugin/basic-auth.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
BEGIN {
$ENV{VAULT_TOKEN} = "root";
}

use t::APISIX 'no_plan';

repeat_each(2);
Expand Down Expand Up @@ -540,3 +544,79 @@ GET /echo
Authorization: Basic Zm9vOmJhcg==
--- response_headers
Authorization: Basic Zm9vOmJhcg==



=== TEST 25: set basic-auth conf with the token in an env var: password uses secret ref
--- request
GET /t
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
-- put secret vault config
local code, body = t('/apisix/admin/secrets/vault/test1',
ngx.HTTP_PUT,
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "$ENV://VAULT_TOKEN"
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end
-- change consumer with secrets ref: vault
code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "$secret://vault/test1/foo/passwd"
}
}
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end
-- set route
code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {
"hide_credentials": false
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/echo"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You only configured the route, you also need to verify whether the route is effective




=== TEST 26: verify Authorization with foo/bar, request header should not hidden
--- request
GET /echo
--- more_headers
Authorization: Basic Zm9vOmJhcg==
--- response_headers
Authorization: Basic Zm9vOmJhcg==
122 changes: 122 additions & 0 deletions t/plugin/hmac-auth4.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
BEGIN {
$ENV{VAULT_TOKEN} = "root";
}

use t::APISIX 'no_plan';

Expand Down Expand Up @@ -166,3 +169,122 @@ location /t {
}
--- response_body
passed



=== TEST 4: set hmac-auth conf with the token in an env var: secret_key uses secret ref
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
-- put secret vault config
local code, body = t('/apisix/admin/secrets/vault/test1',
ngx.HTTP_PUT,
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "$ENV://VAULT_TOKEN"
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end
-- change consumer with secrets ref: vault
code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "jack",
"plugins": {
"hmac-auth": {
"access_key": "my-access-key",
"secret_key": "$secret://vault/test1/jack/secret_key"
}
}
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end
-- set route
code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"hmac-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed



=== TEST 5: verify: ok
--- config
location /t {
content_by_lua_block {
local ngx_time = ngx.time
local ngx_http_time = ngx.http_time
local core = require("apisix.core")
local t = require("lib.test_admin")
local hmac = require("resty.hmac")
local ngx_encode_base64 = ngx.encode_base64

local secret_key = "my-secret-key"
local timestamp = ngx_time()
local gmt = ngx_http_time(timestamp)
local access_key = "my-access-key"
local custom_header_a = "asld$%dfasf"
local custom_header_b = "23879fmsldfk"

local signing_string = {
"GET",
"/hello",
"",
access_key,
gmt,
"x-custom-header-a:" .. custom_header_a,
"x-custom-header-b:" .. custom_header_b
}
signing_string = core.table.concat(signing_string, "\n") .. "\n"
core.log.info("signing_string:", signing_string)

local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string)
core.log.info("signature:", ngx_encode_base64(signature))
local headers = {}
headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature)
headers["X-HMAC-ALGORITHM"] = "hmac-sha256"
headers["Date"] = gmt
headers["X-HMAC-ACCESS-KEY"] = access_key
headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b"
headers["x-custom-header-a"] = custom_header_a
headers["x-custom-header-b"] = custom_header_b

local code, body = t.test('/hello',
ngx.HTTP_GET,
"",
nil,
headers
)

ngx.status = code
ngx.say(body)
}
}
--- response_body
passed
83 changes: 83 additions & 0 deletions t/plugin/jwt-auth3.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
BEGIN {
$ENV{VAULT_TOKEN} = "root";
}

use t::APISIX 'no_plan';

repeat_each(1);
Expand Down Expand Up @@ -640,3 +644,82 @@ passed
}
--- response_body
hello world



=== TEST 22: set jwt-auth conf with the token in an env var: secret uses secret ref
--- request
GET /t
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
-- put secret vault config
local code, body = t('/apisix/admin/secrets/vault/test1',
ngx.HTTP_PUT,
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "$ENV://VAULT_TOKEN"
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end
-- change consumer with secrets ref: vault
code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "jack",
"plugins": {
"jwt-auth": {
"key": "user-key",
"secret": "$secret://vault/test1/jack/secret"
}
}
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end
-- set route
code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"jwt-auth": {
"header": "jwt-header",
"query": "jwt-query",
"cookie": "jwt-cookie",
"hide_credentials": false
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/echo"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed



=== TEST 23: verify (in header) not hiding credentials
--- request
GET /echo
--- more_headers
jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
--- response_headers
jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs
Loading