--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements. See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License. You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
--- Vault Tools.
-- Vault is an identity-based secrets and encryption management system.
--
-- @module core.vault
local core = require("apisix.core")
local http = require("resty.http")
local json = require("cjson")
local fetch_local_conf = require("apisix.core.config_local").local_conf
local norm_path = require("pl.path").normpath
-- module table; the public functions (get / set / delete) are attached below
local _M = {}
--- Load the `vault` section of the local config.yaml.
-- @treturn table|nil the `vault` configuration table, nil on failure
-- @treturn string|nil error message when the first result is nil
local function fetch_vault_conf()
    local local_conf, load_err = fetch_local_conf()
    if not local_conf then
        return nil, "failed to fetch vault configuration from config yaml: " .. load_err
    end

    local vault_conf = local_conf.vault
    if not vault_conf then
        return nil, "accessing vault data requires configuration information"
    end

    return vault_conf
end
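--- Issue a single HTTP request against the Vault KV API.
--
-- The request path is `/v1/<vault.prefix>/<key>`, or `/v1/<key>` when
-- `skip_prefix` is true. `vault.host`, `vault.prefix`, `vault.token` and
-- `vault.timeout` are read from the local config.yaml.
--
-- @tparam string method HTTP method ("GET", "POST", "DELETE")
-- @tparam string key KV engine path
-- @tparam boolean skip_prefix when true the configured prefix is not prepended
-- @tparam table|nil data request body, JSON-encoded (defaults to `{}`)
-- @treturn string|nil response body of a 2xx reply, nil on any failure
-- @treturn string|nil error message when the first result is nil
local function make_request_to_vault(method, key, skip_prefix, data)
    local vault, err = fetch_vault_conf()
    if not vault then
        return nil, err
    end

    local httpc = http.new()
    -- config timeout is in seconds (default 5); resty.http expects milliseconds
    httpc:set_timeout((vault.timeout or 5) * 1000)

    -- NOTE(review): normpath collapses ".." segments, so a key containing ".."
    -- resolves to a path *outside* the configured prefix instead of being
    -- rejected. Callers are assumed to pass trusted keys -- confirm before
    -- routing user-controlled input through here.
    local req_path
    if skip_prefix then
        req_path = norm_path("/v1/" .. key)
    else
        req_path = norm_path("/v1/" .. vault.prefix .. "/" .. key)
    end
    local req_addr = vault.host .. req_path

    local res, req_err = httpc:request_uri(req_addr, {
        method = method,
        headers = {
            -- auth material goes in this header only; keep it out of log lines
            ["X-Vault-Token"] = vault.token
        },
        body = core.json.encode(data or {}, true)
    })
    if not res then
        return nil, req_err
    end

    -- Vault signals permission denied, not found, sealed, etc. with a non-2xx
    -- status and an {"errors": [...]} body. Returning that body as a success
    -- would let set()/delete() report true for writes Vault actually refused.
    if res.status < 200 or res.status >= 300 then
        return nil, "vault returned status " .. tostring(res.status)
                    .. ": " .. tostring(res.body)
    end

    return res.body
end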
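--- Read data from the Vault KV engine.
-- @tparam string key KV engine path, joined with the `vault.prefix` from
--  config.yaml unless `skip_prefix` is set
-- @tparam boolean skip_prefix when true the configured prefix is not used
-- @treturn table|nil the decoded JSON reply from Vault, nil on failure
-- @treturn string|nil error message when the first result is nil
local function get(key, skip_prefix)
    core.log.info("fetching data from vault for key: ", key)

    local res, err = make_request_to_vault("GET", key, skip_prefix)
    if not res then
        return nil, "failed to retrieve data from vault kv engine: " .. err
    end

    -- cjson raises on malformed input; convert that into the module's
    -- nil, err convention so a bad reply does not surface as a Lua error
    local ok, decoded = pcall(json.decode, res)
    if not ok then
        return nil, "failed to decode vault response: " .. tostring(decoded)
    end

    return decoded
end
_M.get = get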
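--- Store data in the Vault KV engine.
-- @tparam string key KV engine path, joined with the `vault.prefix` from
--  config.yaml unless `skip_prefix` is set
-- @tparam table data JSON key/value pairs to write
-- @tparam boolean skip_prefix when true the configured prefix is not used
-- @treturn true|nil true on success, nil on failure
-- @treturn string|nil error message when the first result is nil
local function set(key, data, skip_prefix)
    -- log only the key: `data` is secret material and must not be written to
    -- the error log
    core.log.info("storing data into vault for key: ", key)

    local res, err = make_request_to_vault("POST", key, skip_prefix, data)
    if not res then
        return nil, "failed to store data into vault kv engine: " .. err
    end

    return true
end
_M.set = set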
--- Delete data from the Vault KV engine.
-- @tparam string key KV engine path, joined with the `vault.prefix` from
--  config.yaml unless `skip_prefix` is set
-- @tparam boolean skip_prefix when true the configured prefix is not used
-- @treturn true|nil true on success, nil on failure
-- @treturn string|nil error message when the first result is nil
local function delete(key, skip_prefix)
    core.log.info("deleting data from vault for key: ", key)

    local body, err = make_request_to_vault("DELETE", key, skip_prefix)
    if body then
        return true
    end

    return nil, "failed to delete data into vault kv engine " .. err
end
_M.delete = delete

return _M