| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| BEGIN { |
| $ENV{VAULT_TOKEN} = "root"; |
| } |
| |
| use t::APISIX 'no_plan'; |
| |
| repeat_each(1); |
| no_long_string(); |
| no_shuffle(); |
| no_root_location(); |
| |
| add_block_preprocessor(sub { |
| my ($block) = @_; |
| |
| if (!$block->request) { |
| $block->set_value("request", "GET /t"); |
| } |
| |
| if (!$block->no_error_log && !$block->error_log) { |
| $block->set_value("no_error_log", "[error]\n[alert]"); |
| } |
| }); |
| |
| run_tests; |
| |
| __DATA__ |
| |
| === TEST 1: set hmac-auth conf: secret_key uses secret ref |
| --- config |
| location /t { |
| content_by_lua_block { |
| local t = require("lib.test_admin").test |
| -- put secret vault config |
| local code, body = t('/apisix/admin/secrets/vault/test1', |
| ngx.HTTP_PUT, |
| [[{ |
| "uri": "http://127.0.0.1:8200", |
| "prefix" : "kv/apisix", |
| "token" : "root" |
| }]] |
| ) |
| |
| if code >= 300 then |
| ngx.status = code |
| return ngx.say(body) |
| end |
| |
| -- change consumer with secrets ref: vault |
| code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "jack", |
| "plugins": { |
| "hmac-auth": { |
| "key_id": "my-access-key", |
| "secret_key": "$secret://vault/test1/jack/secret_key" |
| } |
| } |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| return ngx.say(body) |
| end |
| |
| -- set route |
| code, body = t('/apisix/admin/routes/1', |
| ngx.HTTP_PUT, |
| [[{ |
| "plugins": { |
| "hmac-auth": {} |
| }, |
| "upstream": { |
| "nodes": { |
| "127.0.0.1:1980": 1 |
| }, |
| "type": "roundrobin" |
| }, |
| "uri": "/hello" |
| }]] |
| ) |
| |
| if code >= 300 then |
| ngx.status = code |
| end |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 2: store secret into vault |
| --- exec |
| VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret_key=my-secret-key |
| --- response_body |
| Success! Data written to: kv/apisix/jack |
| |
| |
| |
| === TEST 3: verify: ok |
| --- config |
| location /t { |
| content_by_lua_block { |
| local ngx_time = ngx.time |
| local ngx_http_time = ngx.http_time |
| local core = require("apisix.core") |
| local t = require("lib.test_admin") |
| local hmac = require("resty.hmac") |
| local ngx_encode_base64 = ngx.encode_base64 |
| |
| local secret_key = "my-secret-key" |
| local timestamp = ngx_time() |
| local gmt = ngx_http_time(timestamp) |
| local key_id = "my-access-key" |
| local custom_header_a = "asld$%dfasf" |
| local custom_header_b = "23879fmsldfk" |
| |
| local signing_string = { |
| key_id, |
| "GET /hello", |
| "date: " .. gmt, |
| "x-custom-header-a: " .. custom_header_a, |
| "x-custom-header-b: " .. custom_header_b |
| } |
| signing_string = core.table.concat(signing_string, "\n") .. "\n" |
| core.log.info("signing_string:", signing_string) |
| |
| local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string) |
| core.log.info("signature:", ngx_encode_base64(signature)) |
| local headers = {} |
| headers["Date"] = gmt |
| headers["Authorization"] = "Signature keyId=\"" .. key_id .. "\",algorithm=\"hmac-sha256\"" .. ",headers=\"@request-target date x-custom-header-a x-custom-header-b\",signature=\"" .. ngx_encode_base64(signature) .. "\"" |
| headers["x-custom-header-a"] = custom_header_a |
| headers["x-custom-header-b"] = custom_header_b |
| |
| local code, body = t.test('/hello', |
| ngx.HTTP_GET, |
| "", |
| nil, |
| headers |
| ) |
| |
| ngx.status = code |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 4: set hmac-auth conf with the token in an env var: secret_key uses secret ref |
| --- config |
| location /t { |
| content_by_lua_block { |
| local t = require("lib.test_admin").test |
| -- put secret vault config |
| local code, body = t('/apisix/admin/secrets/vault/test1', |
| ngx.HTTP_PUT, |
| [[{ |
| "uri": "http://127.0.0.1:8200", |
| "prefix" : "kv/apisix", |
| "token" : "$ENV://VAULT_TOKEN" |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| return ngx.say(body) |
| end |
| -- change consumer with secrets ref: vault |
| code, body = t('/apisix/admin/consumers', |
| ngx.HTTP_PUT, |
| [[{ |
| "username": "jack", |
| "plugins": { |
| "hmac-auth": { |
| "key_id": "my-access-key", |
| "secret_key": "$secret://vault/test1/jack/secret_key" |
| } |
| } |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| return ngx.say(body) |
| end |
| -- set route |
| code, body = t('/apisix/admin/routes/1', |
| ngx.HTTP_PUT, |
| [[{ |
| "plugins": { |
| "hmac-auth": {} |
| }, |
| "upstream": { |
| "nodes": { |
| "127.0.0.1:1980": 1 |
| }, |
| "type": "roundrobin" |
| }, |
| "uri": "/hello" |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| end |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 5: verify: ok |
| --- config |
| location /t { |
| content_by_lua_block { |
| local ngx_time = ngx.time |
| local ngx_http_time = ngx.http_time |
| local core = require("apisix.core") |
| local t = require("lib.test_admin") |
| local hmac = require("resty.hmac") |
| local ngx_encode_base64 = ngx.encode_base64 |
| |
| local secret_key = "my-secret-key" |
| local timestamp = ngx_time() |
| local gmt = ngx_http_time(timestamp) |
| local key_id = "my-access-key" |
| local custom_header_a = "asld$%dfasf" |
| local custom_header_b = "23879fmsldfk" |
| |
| local signing_string = { |
| key_id, |
| "GET /hello", |
| "date: " .. gmt, |
| "x-custom-header-a: " .. custom_header_a, |
| "x-custom-header-b: " .. custom_header_b |
| } |
| signing_string = core.table.concat(signing_string, "\n") .. "\n" |
| core.log.info("signing_string:", signing_string) |
| |
| local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string) |
| core.log.info("signature:", ngx_encode_base64(signature)) |
| local headers = {} |
| headers["Date"] = gmt |
| headers["Authorization"] = "Signature keyId=\"" .. key_id .. "\",algorithm=\"hmac-sha256\"" .. ",headers=\"@request-target date x-custom-header-a x-custom-header-b\",signature=\"" .. ngx_encode_base64(signature) .. "\"" |
| headers["x-custom-header-a"] = custom_header_a |
| headers["x-custom-header-b"] = custom_header_b |
| |
| local code, body = t.test('/hello', |
| ngx.HTTP_GET, |
| "", |
| nil, |
| headers |
| ) |
| |
| ngx.status = code |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
