| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| use t::APISIX 'no_plan'; |
| |
| repeat_each(1); |
| no_long_string(); |
| no_root_location(); |
| no_shuffle(); |
| log_level("info"); |
| |
| add_block_preprocessor(sub { |
| my ($block) = @_; |
| |
| if (!$block->request) { |
| $block->set_value("request", "GET /t"); |
| } |
| }); |
| |
| run_tests; |
| |
| __DATA__ |
| |
| === TEST 1: sanity |
| # the sensitive data is encrypted in etcd, and it is normal to read it from the admin API |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- config |
| location /t { |
| content_by_lua_block { |
| local json = require("toolkit.json") |
| local t = require("lib.test_admin").test |
| local code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "foo", |
| "plugins": { |
| "basic-auth": { |
| "username": "foo", |
| "password": "bar" |
| } |
| } |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(body) |
| return |
| end |
| |
| ngx.sleep(0.1) |
| |
| -- get plugin conf from admin api, password is decrypted |
| local code, message, res = t('/apisix/admin/consumers/foo', |
| ngx.HTTP_GET |
| ) |
| res = json.decode(res) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(message) |
| return |
| end |
| |
| ngx.say(res.value.plugins["basic-auth"].password) |
| |
| -- get plugin conf from etcd, password is encrypted |
| local etcd = require("apisix.core.etcd") |
| local res = assert(etcd.get('/consumers/foo')) |
| ngx.say(res.body.node.value.plugins["basic-auth"].password) |
| |
| } |
| } |
| --- response_body |
| bar |
| 77+NmbYqNfN+oLm0aX5akg== |
| |
| |
| |
| === TEST 2: enable basic auth plugin |
| --- config |
| location /t { |
| content_by_lua_block { |
| local t = require("lib.test_admin").test |
| local code, body = t('/apisix/admin/routes/1', |
| ngx.HTTP_PUT, |
| [[{ |
| "plugins": { |
| "basic-auth": {} |
| }, |
| "upstream": { |
| "nodes": { |
| "127.0.0.1:1980": 1 |
| }, |
| "type": "roundrobin" |
| }, |
| "uri": "/hello" |
| }]] |
| ) |
| |
| if code >= 300 then |
| ngx.status = code |
| end |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 3: verify |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- request |
| GET /hello |
| --- more_headers |
| Authorization: Basic Zm9vOmJhcg== |
| --- response_body |
| hello world |
| |
| |
| |
| === TEST 4: multiple auth plugins work well |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- config |
| location /t { |
| content_by_lua_block { |
| local json = require("toolkit.json") |
| local t = require("lib.test_admin").test |
| local code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "foo", |
| "plugins": { |
| "basic-auth": { |
| "username": "foo", |
| "password": "bar" |
| }, |
| "key-auth": { |
| "key": "auth-one" |
| } |
| } |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(body) |
| return |
| end |
| |
| ngx.sleep(0.1) |
| local code, message, res = t('/apisix/admin/consumers/foo', |
| ngx.HTTP_GET |
| ) |
| |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(message) |
| return |
| end |
| |
| ngx.say("done") |
| } |
| } |
| --- response_body |
| done |
| |
| |
| |
| === TEST 5: enable multiple auth plugins on route |
| --- config |
| location /t { |
| content_by_lua_block { |
| local t = require("lib.test_admin").test |
| local code, body = t('/apisix/admin/routes/1', |
| ngx.HTTP_PUT, |
| [[{ |
| "plugins": { |
| "basic-auth": {}, |
| "key-auth": {} |
| }, |
| "upstream": { |
| "nodes": { |
| "127.0.0.1:1980": 1 |
| }, |
| "type": "roundrobin" |
| }, |
| "uri": "/hello" |
| }]] |
| ) |
| |
| if code >= 300 then |
| ngx.status = code |
| end |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 6: verify |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- request |
| GET /hello |
| --- more_headers |
| apikey: auth-one |
| Authorization: Basic Zm9vOmJhcg== |
| --- response_body |
| hello world |
| |
| |
| |
| === TEST 7: disable data_encryption |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: false |
| keyring: |
| - edd1c9f0985e76a2 |
| --- config |
| location /t { |
| content_by_lua_block { |
| local json = require("toolkit.json") |
| local t = require("lib.test_admin").test |
| local code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "foo", |
| "plugins": { |
| "basic-auth": { |
| "username": "foo", |
| "password": "bar" |
| } |
| } |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(body) |
| return |
| end |
| |
| ngx.sleep(0.1) |
| |
| -- get plugin conf from etcd, password is encrypted |
| local etcd = require("apisix.core.etcd") |
| local res = assert(etcd.get('/consumers/foo')) |
| ngx.say(res.body.node.value.plugins["basic-auth"].password) |
| |
| } |
| } |
| --- response_body |
| bar |
| |
| |
| |
| === TEST 8: etcd store unencrypted password, enable data_encryption, decryption fails, use original password |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- config |
| location /t { |
| content_by_lua_block { |
| local t = require("lib.test_admin").test |
| local core = require("apisix.core") |
| -- get plugin conf from etcd, password is encrypted |
| local etcd = require("apisix.core.etcd") |
| local res, err = core.etcd.set("/consumers/foo2", core.json.decode([[{ |
| "username":"foo2", |
| "plugins":{ |
| "basic-auth":{ |
| "username":"foo2", |
| "password":"bar" |
| } |
| } |
| }]])) |
| |
| -- get plugin conf from admin api, password is decrypted |
| local code, message, res = t('/apisix/admin/consumers/foo2', |
| ngx.HTTP_GET |
| ) |
| res = core.json.decode(res) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(message) |
| return |
| end |
| |
| ngx.say(res.value.plugins["basic-auth"].password) |
| |
| -- get plugin conf from etcd, password is encrypted |
| local etcd = require("apisix.core.etcd") |
| local res = assert(etcd.get('/consumers/foo2')) |
| ngx.say(res.body.node.value.plugins["basic-auth"].password) |
| } |
| } |
| --- response_body |
| bar |
| bar |
| --- error_log |
| failed to decrypt the conf of plugin [basic-auth] key [password], err: decrypt ssl key failed |
| |
| |
| |
| === TEST 9: etcd stores both encrypted and unencrypted data |
| # enable data_encryption, decryption of encrypted data succeeds |
| # decryption of unencrypted data fails, make sure it works well |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- config |
| location /t { |
| content_by_lua_block { |
| local t = require("lib.test_admin").test |
| local core = require("apisix.core") |
| -- get plugin conf from etcd, password is encrypted |
| local etcd = require("apisix.core.etcd") |
| local res, err = core.etcd.set("/consumers/foo2", core.json.decode([[{ |
| "username":"foo2", |
| "plugins":{ |
| "basic-auth":{ |
| "username":"foo2", |
| "password":"bar" |
| }, |
| "key-auth": { |
| "key": "vU/ZHVJw7b0XscDJ1Fhtig==" |
| } |
| } |
| }]])) |
| |
| -- get plugin conf from admin api, password is decrypted |
| local code, message, res = t('/apisix/admin/consumers/foo2', |
| ngx.HTTP_GET |
| ) |
| res = core.json.decode(res) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(message) |
| return |
| end |
| |
| ngx.say(res.value.plugins["basic-auth"].password) |
| ngx.say(res.value.plugins["key-auth"].key) |
| |
| -- get plugin conf from etcd, password is encrypted |
| local etcd = require("apisix.core.etcd") |
| local res = assert(etcd.get('/consumers/foo2')) |
| ngx.say(res.body.node.value.plugins["basic-auth"].password) |
| ngx.say(res.body.node.value.plugins["key-auth"].key) |
| } |
| } |
| --- response_body |
| bar |
| auth-two |
| bar |
| vU/ZHVJw7b0XscDJ1Fhtig== |
| --- error_log |
| failed to decrypt the conf of plugin [basic-auth] key [password], err: decrypt ssl key failed |
| |
| |
| |
| === TEST 10: verify, use the foo2 consumer |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- request |
| GET /hello |
| --- more_headers |
| apikey: auth-two |
| Authorization: Basic Zm9vMjpiYXI= |
| --- response_body |
| hello world |
| |
| |
| |
| === TEST 11: keyring rotate, encrypt with edd1c9f0985e76a2 |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- config |
| location /t { |
| content_by_lua_block { |
| local json = require("toolkit.json") |
| local t = require("lib.test_admin").test |
| local code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "foo", |
| "plugins": { |
| "basic-auth": { |
| "username": "foo", |
| "password": "bar" |
| } |
| } |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(body) |
| return |
| end |
| |
| ngx.sleep(0.1) |
| |
| local code, body = t('/apisix/admin/routes/1', |
| ngx.HTTP_PUT, |
| [[{ |
| "plugins": { |
| "basic-auth": {} |
| }, |
| "upstream": { |
| "nodes": { |
| "127.0.0.1:1980": 1 |
| }, |
| "type": "roundrobin" |
| }, |
| "uri": "/hello" |
| }]] |
| ) |
| |
| if code >= 300 then |
| ngx.status = code |
| end |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 12: keyring rotate, decrypt with qeddd145sfvddff3 would fail, but encrypt with edd1c9f0985e76a2 would success |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - qeddd145sfvddff3 |
| - edd1c9f0985e76a2 |
| --- request |
| GET /hello |
| --- more_headers |
| Authorization: Basic Zm9vOmJhcg== |
| --- response_body |
| hello world |
| |
| |
| |
| === TEST 13: search consumer list |
| --- yaml_config |
| apisix: |
| data_encryption: |
| enable_encrypt_fields: true |
| keyring: |
| - edd1c9f0985e76a2 |
| --- config |
| location /t { |
| content_by_lua_block { |
| local json = require("toolkit.json") |
| local t = require("lib.test_admin").test |
| |
| -- dletet exist consumers |
| t('/apisix/admin/consumers/foo', ngx.HTTP_DELETE) |
| t('/apisix/admin/consumers/foo2', ngx.HTTP_DELETE) |
| |
| local code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "foo", |
| "plugins": { |
| "basic-auth": { |
| "username": "foo", |
| "password": "bar" |
| } |
| } |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(body) |
| return |
| end |
| |
| ngx.sleep(0.1) |
| |
| local code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "test", |
| "plugins": { |
| "basic-auth": { |
| "username": "test", |
| "password": "test" |
| } |
| } |
| }]] |
| ) |
| |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(body) |
| return |
| end |
| |
| ngx.sleep(0.1) |
| |
| -- get plugin conf from admin api, password is decrypted |
| local code, message, res = t('/apisix/admin/consumers', |
| ngx.HTTP_GET |
| ) |
| res = json.decode(res) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(message) |
| return |
| end |
| |
| local pwds = {} |
| table.insert(pwds, res.list[1].value.plugins["basic-auth"].password) |
| table.insert(pwds, res.list[2].value.plugins["basic-auth"].password) |
| |
| ngx.say(json.encode(pwds)) |
| } |
| } |
| --- response_body |
| ["bar","test"] |
