fix(secret): gcp code and test

apisix/secret/gcp.lua

@@ -73,18 +73,14 @@ local function fetch_oauth_conf(conf)
         return conf.auth_config
     end
 
-    if not conf.auth_file then
-        return nil, "configuration is not defined"
-    end
-
     local file_content, err = core.io.get_file(conf.auth_file)
-    if not file_content or err then
-        return nil, "failed to read configuration, file: " .. conf.auth_file
+    if not file_content then
+        return nil, "failed to read configuration, file: " .. conf.auth_file .. ", err: " .. err
     end
 
     local config_tab, err = core.json.decode(file_content)
-    if not config_tab or err then
-        return nil, "config parse failure, data: " .. file_content
+    if not config_tab then
+        return nil, "config parse failure, data: " .. file_content .. ", err: " .. err
     end
 
     if not config_tab.client_email or
@@ -128,32 +124,20 @@ local function get_secret(oauth, secrets_id)
     })
 
     if not res then
-        if err then
-            return nil, "invalid response, " .. err
-        end
-
-        return nil, "invalid response"
+        return nil, err
     end
 
     if res.status ~= 200 then
-        if res.body then
-            return nil, "invalid status code " .. res.status .. ", " .. res.body
-        end
-
-        return nil, "invalid status code" .. res.status
+        return nil, res.body
     end
 
-    res, err = core.json.decode(res.body)
-    if not res then
-        if err then
-            return nil, "failed to parse response data, " .. err
-        end
-
-        return nil, "failed to parse response data"
+    local body, err = core.json.decode(res.body)
+    if not body then
+        return nil, "failed to parse response data, " .. err
     end
 
-    local payload = res.payload
-    if type(payload) ~= "table" then
+    local payload = body.payload
+    if not payload then
         return nil, "invalid payload"
     end
 
@@ -175,16 +159,16 @@ local function make_request_to_gcp(conf, key)
     local lru_key =  auth_config.client_email .. "#" .. auth_config.project_id
 
     local oauth, err = lrucache(lru_key, "gcp", create_oauth_object, auth_config, conf.ssl_verify)
-    if not oauth or err then
-        return nil, "failed to create oauth object"
+    if not oauth then
+        return nil, "failed to create oauth object, " .. err
     end
 
     local secret, err = get_secret(oauth, key)
     if not secret then
         return nil, err
     end
 
-    return secret, nil
+    return secret
 end
 
 local function get(conf, key)
@@ -212,19 +196,14 @@ local function get(conf, key)
         return nil, "failed to retrtive data from gcp secret manager: " .. err
     end
 
-    local data, err = core.json.decode(res)
-    if not data then
-        if err then
-            return nil, "failed to decode result, res:" .. res .. ", ".. err
-        end
-
+    local ret = core.json.decode(res)
+    if not ret then
         return nil, "failed to decode result, res: " .. res
     end
 
-    return data[sub_key]
+    return ret[sub_key]
 end
 
 _M.get = get
 
-
 return _M

t/lib/server.lua

@@ -646,7 +646,7 @@ function _M.google_secret_apisix_jack()
     ngx.say(json_encode(response))
 end
 
-function _M.google_secret_fail_apisix_jack()
+function _M.google_secret_apisix_error_jack()
     local args = ngx.req.get_uri_args()
     local args_token_type = args.token_type or "Bearer"
     local jwt = require("resty.jwt")
@@ -684,7 +684,7 @@ function _M.google_secret_fail_apisix_jack()
     end
 
     local response = {
-        name = "projects/647037004838/secrets/apisix/versions/1",
+        name = "projects/647037004838/secrets/apisix_error/versions/1",
         payload = {
           data = "eyJrZXkiOiJ2YWx1ZSJ9",
           dataCrc32c = "2296192492"

t/secret/gcp.t

@@ -304,7 +304,73 @@ nil
 
 
 
-=== TEST 5: get value from gcp
+=== TEST 5: get value from gcp by auth_file(fetch_oatuh_conf failed, read failed)
+--- config
+    location /t {
+        content_by_lua_block {
+            local conf = {
+                auth_file = "t/secret/conf/nofind.json",
+            }
+            local gcp = require("apisix.secret.gcp")
+            local value, err = gcp.get(conf, "jack/key")
+            if not value then
+                return ngx.say(err)
+            end
+            ngx.say(value)
+        }
+    }
+--- request
+GET /t
+--- response_body
+failed to retrtive data from gcp secret manager: failed to read configuration, file: t/secret/conf/nofind.json, err: t/secret/conf/nofind.json: No such file or directory
+
+
+
+=== TEST 6: get value from gcp by auth_file(fetch_oatuh_conf success)
+--- config
+    location /t {
+        content_by_lua_block {
+            local conf = {
+                auth_file = "t/secret/conf/success.json",
+            }
+            local gcp = require("apisix.secret.gcp")
+            local value, err = gcp.get(conf, "jack/key")
+            if not value then
+                return ngx.say(err)
+            end
+            ngx.say(value)
+        }
+    }
+--- request
+GET /t
+--- response_body
+value
+
+
+
+=== TEST 7: get value from gcp by auth_file(fetch_oatuh_conf failed, undefined)
+--- config
+    location /t {
+        content_by_lua_block {
+            local conf = {
+                auth_file = "t/secret/conf/error.json",
+            }
+            local gcp = require("apisix.secret.gcp")
+            local value, err = gcp.get(conf, "jack/key")
+            if not value then
+                return ngx.say(err)
+            end
+            ngx.say(value)
+        }
+    }
+--- request
+GET /t
+--- response_body
+failed to retrtive data from gcp secret manager: configuration is undefined, file: t/secret/conf/error.json
+
+
+
+=== TEST 8: get value from gcp
 --- config
     location /t {
         content_by_lua_block {
@@ -361,7 +427,7 @@ value
 
 
 
-=== TEST 6: get value from gcp (failed to get google oauth token:no access to this scopes)
+=== TEST 9: get value from gcp(failed to get google oauth token)
 --- config
     location /t {
         content_by_lua_block {
@@ -422,49 +488,64 @@ qr/\{\"error\"\:\"[\w+\s+]*\"\}/
 
 
 
-=== TEST 7: get value from gcp (failed to get google oauth token:identity authentication failed)
+=== TEST 10: get value from gcp (not res)
 --- config
     location /t {
         content_by_lua_block {
             local conf = {
                 auth_config = {
                     client_email = "email@apisix.iam.gserviceaccount.com",
                     private_key = [[
------BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBAKeXgPvU/dAfVhOPk5BTBXCaOXy/0S3mY9VHyqvWZBJ97g6tGbLZ
-psn6Gw0wC4mxDfEY5ER4YwU1NWCVtIr1XxcCAwEAAQJADkoowVBD4/8IA9r2JhQu
-Ho/H3w8r8tH2KTVZ3pUFK15WGJf8vCF9LznVNKCP0X1NMLGvf4yRELx8jjpwJztI
-gQIhANdWaJ3AGftJNaF5qXWwniFP1BcyCPSzn3q0rn19NhyHAiEAxz0HN8Yd+7vR
-pi0w/L2I/2nLqgPFtqSGpL2KkJYcXPECIQCdM/PD1k4haNzCOXNA++M1JnYLSPfI
-zKkMh4MrEZHDWQIhAKasRiKBaUnTCIJ04bs9L6NDtO4Ic9jj8ANW0Nk9yoJxAiAA
-tBXLQH7fw5H8RaxBN91yQUZombw6JnRBXKKohWHZ3Q==
------END RSA PRIVATE KEY-----]],
-                    project_id = "/fail/apisix",
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDzrFwnA3EvYyR
+aeMgaLD3hBjvxKrz10uox1X8q7YYhf2ViRtLRUMa2bEMYksE5hbhwpNf6mKAnLOC
+UuAT6cPPdUl/agKpJXviBPIR2LuzD17WsLJHp1HxUDssSkgfCaGcOGGNfLUhhIpF
+2JUctLmxiZoAZySlSjcwupSuDJ0aPm0XO8r9H8Qu5kF2Vkz5e5bFivLTmvzrQTe4
+v5V1UI6hThElCSeUmdNF3uG3wopxlvq4zXgLTnuLbrNf/Gc4mlpV+UDgTISj32Ep
+AB2vxKEbvQw4ti8YJnGXWjxLerhfrszFw+V8lpeduiDYA44ZFoVqvzxeIsVZNtcw
+Iu7PvEPNAgMBAAECggEAVpyN9m7A1F631/aLheFpLgMbeKt4puV7zQtnaJ2XrZ9P
+PR7pmNDpTu4uF3k/D8qrIm+L+uhVa+hkquf3wDct6w1JVnfQ93riImbnoKdK13ic
+DcEZCwLjByfjFMNCxZ/gAZca55fbExlqhFy6EHmMjhB8s2LsXcTHRuGxNI/Vyi49
+sxECibe0U53aqdJbVWrphIS67cpwl4TUkN6mrHsNuDYNJ9dgkpapoqp4FTFQsBqC
+afOK5qgJ68dWZ47FBUng+AZjdCncqAIuJxxItGVQP6YPsFs+OXcivIVHJr363TpC
+l85FfdvqWV5OGBbwSKhNwiTNUVvfSQVmtURGWG/HbQKBgQD4gZ1z9+Lx19kT9WTz
+lw93lxso++uhAPDTKviyWSRoEe5aN3LCd4My+/Aj+sk4ON/s2BV3ska5Im93j+vC
+rCv3uPn1n2jUhWuJ3bDqipeTW4n/CQA2m/8vd26TMk22yOkkqw2MIA8sjJ//SD7g
+tdG7up6DgGMP4hgbO89uGU7DAwKBgQDJtkKd0grh3u52Foeh9YaiAgYRwc65IE16
+UyD1OJxIuX/dYQDLlo5KyyngFa1ZhWIs7qC7r3xXH+10kfJY+Q+5YMjmZjlL8SR1
+Ujqd02R9F2//6OeswyReachJZbZdtiEw3lPa4jVFYfhSe0M2ZPxMwvoXb25eyCNI
+1lYjSKq87wKBgHnLTNghjeDp4UKe6rNYPgRm0rDrhziJtX5JeUov1mALKb6dnmkh
+GfRK9g8sQqKDfXwfC6Z2gaMK9YaryujGaWYoCpoPXtmJ6oLPXH4XHuLh4mhUiP46
+xn8FEfSimuQS4/FMxH8A128GHQSI7AhGFFzlwfrBWcvXC+mNDsTvMmLxAoGARc+4
+upppfccETQZ7JsitMgD1TMwA2f2eEwoWTAitvlXFNT9PYSbYVHaAJbga6PLLCbYF
+FzAjHpxEOKYSdEyu7n/ayDL0/Z2V+qzc8KarDsg/0RgwppBbU/nUgeKb/U79qcYo
+y4ai3UKNCS70Ei1dTMvmdpnwXwlxfNIBufB6dy0CgYBMYq9Lc31GkC6PcGEEbx6W
+vjImOadWZbuOVnvEQjb5XCdcOsWsMcg96PtoeuyyHmhnEF1GsMzcIdQv/PHrvYpK
+Yp8D0aqsLEgwGrJQER26FPpKmyIwvcL+nm6q5W31PnU9AOC/WEkB6Zs58hsMzD2S
+kEJQcmfVew5mFXyxuEn3zA==
+-----END PRIVATE KEY-----]],
+                    project_id = "apisix_error",
                     token_uri = "http://127.0.0.1:1980/google/secret/token",
                     scopes = "https://www.googleapis.com/auth/cloud",
-                    entries_uri = "http://127.0.0.1:1980/google/secret/"
+                    entries_uri = "http://127.0.0.1:1980/google/"
                 },
             }
             local gcp = require("apisix.secret.gcp")
             local value, err = gcp.get(conf, "jack/key")
             if not value then
-                return ngx.say(err)
+                return ngx.say("err")
             end
             ngx.say(value)
         }
     }
 --- request
 GET /t
 --- response_body
-failed to retrtive data from gcp secret manager: failed to get google oauth token
---- grep_error_log eval
-qr/\{\"error\"\:\"[\w+\s+]*\"\}/
---- grep_error_log_out
-{"error":"identity authentication failed"}
+err
 
 
 
-=== TEST 8: get value from gcp (invalid response:no access to this scopes)
+=== TEST 11: get value from gcp (res status ~= 200)
 --- config
     location /t {
         content_by_lua_block {
@@ -500,7 +581,7 @@ vjImOadWZbuOVnvEQjb5XCdcOsWsMcg96PtoeuyyHmhnEF1GsMzcIdQv/PHrvYpK
 Yp8D0aqsLEgwGrJQER26FPpKmyIwvcL+nm6q5W31PnU9AOC/WEkB6Zs58hsMzD2S
 kEJQcmfVew5mFXyxuEn3zA==
 -----END PRIVATE KEY-----]],
-                    project_id = "/fail/apisix",
+                    project_id = "apisix_error",
                     token_uri = "http://127.0.0.1:1980/google/secret/token",
                     scopes = "https://www.googleapis.com/auth/cloud",
                     entries_uri = "http://127.0.0.1:1980/google/secret/"
@@ -518,69 +599,3 @@ kEJQcmfVew5mFXyxuEn3zA==
 GET /t
 --- response_body
 err
-
-
-
-=== TEST 9: get value from gcp by auth_file(no find file)
---- config
-    location /t {
-        content_by_lua_block {
-            local conf = {
-                auth_file = "t/secret/conf/nofind.json",
-            }
-            local gcp = require("apisix.secret.gcp")
-            local value, err = gcp.get(conf, "jack/key")
-            if not value then
-                return ngx.say(err)
-            end
-            ngx.say(value)
-        }
-    }
---- request
-GET /t
---- response_body
-failed to retrtive data from gcp secret manager: failed to read configuration, file: t/secret/conf/nofind.json
-
-
-
-=== TEST 10: get value from gcp by auth_file(read success)
---- config
-    location /t {
-        content_by_lua_block {
-            local conf = {
-                auth_file = "t/secret/conf/success.json",
-            }
-            local gcp = require("apisix.secret.gcp")
-            local value, err = gcp.get(conf, "jack/key")
-            if not value then
-                return ngx.say(err)
-            end
-            ngx.say(value)
-        }
-    }
---- request
-GET /t
---- response_body
-value
-
-
-
-=== TEST 11: get value from gcp by auth_file(configuration is undefined)
---- config
-    location /t {
-        content_by_lua_block {
-            local conf = {
-                auth_file = "t/secret/conf/error.json",
-            }
-            local gcp = require("apisix.secret.gcp")
-            local value, err = gcp.get(conf, "jack/key")
-            if not value then
-                return ngx.say(err)
-            end
-            ngx.say(value)
-        }
-    }
---- request
-GET /t
---- response_body
-failed to retrtive data from gcp secret manager: configuration is undefined, file: t/secret/conf/error.json