From aa8b1bdf6ad97fae2ac8deaa5543f1c065b0ca9a Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 15 Feb 2023 14:17:48 +0530 Subject: [PATCH 01/23] feat: use env var instead of plain text --- apisix/secret/vault.lua | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apisix/secret/vault.lua b/apisix/secret/vault.lua index eb2e6564cd94..01aab91ca354 100644 --- a/apisix/secret/vault.lua +++ b/apisix/secret/vault.lua @@ -26,6 +26,7 @@ local norm_path = require("pl.path").normpath local sub = core.string.sub local rfind_char = core.string.rfind_char +local env = require("apisix.core.env") local schema = { type = "object", @@ -56,7 +57,7 @@ local function make_request_to_vault(conf, method, key, data) local res, err = httpc:request_uri(req_addr, { method = method, headers = { - ["X-Vault-Token"] = conf.token + ["X-Vault-Token"] = env.fetch_by_uri(conf.token) }, body = core.json.encode(data or {}, true) }) From 7f938e2500be1bcda8d9b156087290c72f5dd16d Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 15 Feb 2023 14:18:40 +0530 Subject: [PATCH 02/23] modify tests to use env var --- t/config-center-yaml/secret.t | 10 +++++----- t/plugin/basic-auth.t | 2 +- t/plugin/hmac-auth4.t | 2 +- t/plugin/jwt-auth3.t | 2 +- t/plugin/key-auth.t | 2 +- t/plugin/ldap-auth.t | 2 +- t/plugin/wolf-rbac.t | 2 +- t/secret/vault.t | 10 +++++----- 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/t/config-center-yaml/secret.t b/t/config-center-yaml/secret.t index 82fefd3a576b..96c5b1d06376 100644 --- a/t/config-center-yaml/secret.t +++ b/t/config-center-yaml/secret.t @@ -61,7 +61,7 @@ __DATA__ secrets: - id: vault/1 prefix: kv/apisix - token: root + token: "$ENV://VAULT_TOKEN" uri: 127.0.0.1:8200 #END --- config @@ -86,7 +86,7 @@ property "uri" validation failed: failed to match pattern "^[^\\/]+:\\/\\/([\\da secrets: - id: hhh/1 prefix: kv/apisix - token: root + token: "$ENV://VAULT_TOKEN" uri: 127.0.0.1:8200 #END --- config 
@@ -111,7 +111,7 @@ secret manager not exits secrets: - id: vault/1 prefix: kv/apisix - token: root + token: "$ENV://VAULT_TOKEN" uri: http://127.0.0.1:8200 #END --- config @@ -133,7 +133,7 @@ GET /t len: 1 id: vault/1 prefix: kv/apisix -token: root +token: $ENV://VAULT_TOKEN uri: http://127.0.0.1:8200 @@ -151,7 +151,7 @@ Success! Data written to: kv/apisix/apisix-key secrets: - id: vault/1 prefix: kv/apisix - token: root + token: "$ENV://VAULT_TOKEN" uri: http://127.0.0.1:8200 #END --- config diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index 533dda6266b0..f40bfc21ae92 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t @@ -468,7 +468,7 @@ GET /t [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "root" + "token" : "$ENV://VAULT_TOKEN" }]] ) diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t index 2316e07ae6d2..829c3f617057 100644 --- a/t/plugin/hmac-auth4.t +++ b/t/plugin/hmac-auth4.t @@ -49,7 +49,7 @@ __DATA__ [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "root" + "token" : "$ENV://VAULT_TOKEN" }]] ) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index ac4587de0ed7..e4139598bd25 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -458,7 +458,7 @@ GET /t [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "root" + "token" : "$ENV://VAULT_TOKEN" }]] ) diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 850a65e183e9..36a30fcf367d 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t @@ -590,7 +590,7 @@ auth: authone [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "root" + "token" : "$ENV://VAULT_TOKEN" }]] ) diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t index b8f3936ef411..3cfa206daa22 100644 --- a/t/plugin/ldap-auth.t +++ b/t/plugin/ldap-auth.t @@ -456,7 +456,7 @@ GET /t [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "root" + "token" : "$ENV://VAULT_TOKEN" }]] ) 
diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index af3be4524206..6cff5c818f2a 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t @@ -560,7 +560,7 @@ ERR_TOKEN_INVALID [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "root" + "token" : "$ENV://VAULT_TOKEN" }]] ) diff --git a/t/secret/vault.t b/t/secret/vault.t index 2ab74c99a13e..a33c015d0507 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -32,7 +32,7 @@ __DATA__ local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "root", + token = "$ENV://VAULT_TOKEN", uri = "http://127.0.0.1:2800" } local data, err = vault.get(conf, "apisix") @@ -57,7 +57,7 @@ error key format, key: apisix local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "root", + token = "$ENV://VAULT_TOKEN", uri = "http://127.0.0.1:2800" } local data, err = vault.get(conf, "/apisix") @@ -82,7 +82,7 @@ can't find main key, key: /apisix local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "root", + token = "$ENV://VAULT_TOKEN", uri = "http://127.0.0.1:2800" } local data, err = vault.get(conf, "apisix/") @@ -107,7 +107,7 @@ can't find sub key, key: apisix/ local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "root", + token = "$ENV://VAULT_TOKEN", uri = "http://127.0.0.2:2800" } local data, err = vault.get(conf, "/apisix/sub") @@ -141,7 +141,7 @@ Success! Data written to: kv/apisix/apisix-key/jack local vault = require("apisix.secret.vault") local conf = { prefix = "kv/apisix", - token = "root", + token = "$ENV://VAULT_TOKEN", uri = "http://127.0.0.1:8200" } local value, err = vault.get(conf, "/apisix-key/jack/key") From c13c6ec2fbc9a64bb88cc11e4f24bd2063d7f53b Mon Sep 17 00:00:00 2001 
From: Abhishek Choudhary Date: Wed, 15 Feb 2023 14:18:53 +0530 Subject: [PATCH 03/23] export env var --- ci/linux_openresty_common_runner.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/linux_openresty_common_runner.sh b/ci/linux_openresty_common_runner.sh index 4029d851bd16..37db99c0e0b0 100755 --- a/ci/linux_openresty_common_runner.sh +++ b/ci/linux_openresty_common_runner.sh @@ -85,6 +85,7 @@ script() { sleep 1 done + export VAULT_TOKEN="root" # APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t FLUSH_ETCD=1 prove --timer -Itest-nginx/lib -I./ -r $TEST_FILE_SUB_DIR | tee /tmp/test.result rerun_flaky_tests /tmp/test.result From 6bc6d618de2a772dce14d9869b54bb3260aab052 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 15 Feb 2023 15:06:35 +0530 Subject: [PATCH 04/23] export env var for centos --- ci/centos7-ci.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/centos7-ci.sh b/ci/centos7-ci.sh index 8103503d3256..f44bd1cb2243 100755 --- a/ci/centos7-ci.sh +++ b/ci/centos7-ci.sh @@ -84,6 +84,7 @@ run_case() { export_or_prefix make init set_coredns + export VAULT_TOKEN="root" # run test cases FLUSH_ETCD=1 prove --timer -Itest-nginx/lib -I./ -r ${TEST_FILE_SUB_DIR} | tee /tmp/test.result rerun_flaky_tests /tmp/test.result From 111ac11cb0bc1b8e71d9c2a834c00bac0a8529c6 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 15 Feb 2023 18:57:36 +0530 Subject: [PATCH 05/23] fix breaking change, allow plain text env vars --- apisix/secret/vault.lua | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apisix/secret/vault.lua b/apisix/secret/vault.lua index 01aab91ca354..ddb4d4de74aa 100644 --- a/apisix/secret/vault.lua +++ b/apisix/secret/vault.lua 
@@ -54,10 +54,15 @@ local function make_request_to_vault(conf, method, key, data) local req_addr = conf.uri .. norm_path("/v1/" .. conf.prefix .. "/" .. key) + local token, _ = env.fetch_by_uri(conf.token) + if not token then + token = conf.token + end + local res, err = httpc:request_uri(req_addr, { method = method, headers = { - ["X-Vault-Token"] = env.fetch_by_uri(conf.token) + ["X-Vault-Token"] = token }, body = core.json.encode(data or {}, true) }) From 2d988b7cbc355e5bfe4c42a6f6937d42f5329e51 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 15 Feb 2023 18:57:46 +0530 Subject: [PATCH 06/23] Revert "modify tests to use env var" This reverts commit 7f938e2500be1bcda8d9b156087290c72f5dd16d. --- t/config-center-yaml/secret.t | 10 +++++----- t/plugin/basic-auth.t | 2 +- t/plugin/hmac-auth4.t | 2 +- t/plugin/jwt-auth3.t | 2 +- t/plugin/key-auth.t | 2 +- t/plugin/ldap-auth.t | 2 +- t/plugin/wolf-rbac.t | 2 +- t/secret/vault.t | 10 +++++----- 8 files changed, 16 insertions(+), 16 deletions(-) diff --git a/t/config-center-yaml/secret.t b/t/config-center-yaml/secret.t index 96c5b1d06376..82fefd3a576b 100644 --- a/t/config-center-yaml/secret.t +++ b/t/config-center-yaml/secret.t @@ -61,7 +61,7 @@ __DATA__ secrets: - id: vault/1 prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" + token: root uri: 127.0.0.1:8200 #END --- config @@ -86,7 +86,7 @@ property "uri" validation failed: failed to match pattern "^[^\\/]+:\\/\\/([\\da secrets: - id: hhh/1 prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" + token: root uri: 127.0.0.1:8200 #END --- config @@ -111,7 +111,7 @@ secret manager not exits secrets: - id: vault/1 prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" + token: root uri: http://127.0.0.1:8200 #END --- config @@ -133,7 +133,7 @@ GET /t len: 1 id: vault/1 prefix: kv/apisix -token: $ENV://VAULT_TOKEN +token: root uri: http://127.0.0.1:8200 
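Review bot: In apisix/secret/vault.lua (PATCH 05), the fallback `if not token then token = conf.token end` cannot tell a plain-text token from a `$ENV://` reference that failed to resolve. With the variable unset, the literal reference string is sent to Vault as `X-Vault-Token`, and the misconfiguration only surfaces as an authentication failure from Vault. The error return is also thrown away by `local token, _ =`. Fall back to `conf.token` only when it does not carry the `$ENV://` prefix, and return an error otherwise; the function's start and end are outside the hunk, so confirm its callers accept a `nil, err` return. Plain-text tokens now pass through `env.fetch_by_uri` on every request, so also check that the helper does not log its argument.

```lua
    local req_addr = conf.uri .. norm_path("/v1/" .. conf.prefix .. "/" .. key)

    -- Resolve only real env references; a failed lookup is an error, not a token.
    -- Match the prefix the same way apisix.core.env does (assumed case-insensitive).
    local token = conf.token
    if core.string.has_prefix(token:upper(), "$ENV://") then
        local resolved, err = env.fetch_by_uri(token)
        if not resolved then
            return nil, "failed to resolve vault token from env: "
                        .. (err or "variable not set")
        end
        token = resolved
    end

    -- … unchanged: httpc:request_uri call with ["X-Vault-Token"] = token …
```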
@@ -151,7 +151,7 @@ Success! Data written to: kv/apisix/apisix-key secrets: - id: vault/1 prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" + token: root uri: http://127.0.0.1:8200 #END --- config diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index f40bfc21ae92..533dda6266b0 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t @@ -468,7 +468,7 @@ GET /t [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" + "token" : "root" }]] ) diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t index 829c3f617057..2316e07ae6d2 100644 --- a/t/plugin/hmac-auth4.t +++ b/t/plugin/hmac-auth4.t @@ -49,7 +49,7 @@ __DATA__ [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" + "token" : "root" }]] ) diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index e4139598bd25..ac4587de0ed7 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -458,7 +458,7 @@ GET /t [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" + "token" : "root" }]] ) diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 36a30fcf367d..850a65e183e9 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t @@ -590,7 +590,7 @@ auth: authone [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" + "token" : "root" }]] ) diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t index 3cfa206daa22..b8f3936ef411 100644 --- a/t/plugin/ldap-auth.t +++ b/t/plugin/ldap-auth.t @@ -456,7 +456,7 @@ GET /t [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" + "token" : "root" }]] ) diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index 6cff5c818f2a..af3be4524206 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t @@ -560,7 +560,7 @@ ERR_TOKEN_INVALID [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" + "token" : "root" }]] ) 
diff --git a/t/secret/vault.t b/t/secret/vault.t index a33c015d0507..2ab74c99a13e 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -32,7 +32,7 @@ __DATA__ local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", + token = "root", uri = "http://127.0.0.1:2800" } local data, err = vault.get(conf, "apisix") @@ -57,7 +57,7 @@ error key format, key: apisix local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", + token = "root", uri = "http://127.0.0.1:2800" } local data, err = vault.get(conf, "/apisix") @@ -82,7 +82,7 @@ can't find main key, key: /apisix local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", + token = "root", uri = "http://127.0.0.1:2800" } local data, err = vault.get(conf, "apisix/") @@ -107,7 +107,7 @@ can't find sub key, key: apisix/ local vault = require("apisix.secret.vault") local conf = { prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", + token = "root", uri = "http://127.0.0.2:2800" } local data, err = vault.get(conf, "/apisix/sub") @@ -141,7 +141,7 @@ Success! Data written to: kv/apisix/apisix-key/jack local vault = require("apisix.secret.vault") local conf = { prefix = "kv/apisix", - token = "$ENV://VAULT_TOKEN", + token = "root", uri = "http://127.0.0.1:8200" } local value, err = vault.get(conf, "/apisix-key/jack/key") From 62eb6f9982764ade3be24d4387ff88d3b1a88a91 Mon Sep 17 00:00:00 2001 
From: Abhishek Choudhary Date: Wed, 15 Feb 2023 23:01:05 +0530 Subject: [PATCH 07/23] add tests --- t/config-center-yaml/secret.t | 128 ++++++++++++++++++++++++++++++++++ t/plugin/basic-auth.t | 70 +++++++++++++++++++ t/plugin/hmac-auth4.t | 66 ++++++++++++++++++ t/plugin/jwt-auth3.t | 73 +++++++++++++++++++ t/plugin/key-auth.t | 47 +++++++++++++ t/plugin/ldap-auth.t | 71 +++++++++++++++++++ t/plugin/wolf-rbac.t | 44 ++++++++++++ t/secret/vault.t | 126 +++++++++++++++++++++++++++++++++ 8 files changed, 625 insertions(+) diff --git a/t/config-center-yaml/secret.t b/t/config-center-yaml/secret.t index 82fefd3a576b..6d1c7dca3b06 100644 --- a/t/config-center-yaml/secret.t +++ b/t/config-center-yaml/secret.t 
@@ -388,3 +388,131 @@ env secret=apisix; GET /t --- response_body nil + + + +=== TEST 17: validate secret/vault with the token in an env var: wrong schema +--- apisix_yaml +secrets: + - id: vault/1 + prefix: kv/apisix + token: "$ENV://VAULT_TOKEN" + uri: 127.0.0.1:8200 +#END +--- config + location /t { + content_by_lua_block { + local secret = require("apisix.secret") + local values = secret.secrets() + ngx.say(#values) + } + } +--- request +GET /t +--- response_body +0 +--- error_log +property "uri" validation failed: failed to match pattern "^[^\\/]+:\\/\\/([\\da-zA-Z.-]+|\\[[\\da-fA-F:]+\\])(:\\d+)?" + + + +=== TEST 18: validate secrets with the token in an env var: manager not exits +--- apisix_yaml +secrets: + - id: hhh/1 + prefix: kv/apisix + token: "$ENV://VAULT_TOKEN" + uri: 127.0.0.1:8200 +#END +--- config + location /t { + content_by_lua_block { + local secret = require("apisix.secret") + local values = secret.secrets() + ngx.say(#values) + } + } +--- request +GET /t +--- response_body +0 +--- error_log +secret manager not exits + + + +=== TEST 19: load config normal with the token in an env var +--- apisix_yaml +secrets: + - id: vault/1 + prefix: kv/apisix + token: "$ENV://VAULT_TOKEN" + uri: http://127.0.0.1:8200 +#END +--- config + location /t { + content_by_lua_block { + local secret = require("apisix.secret") + local values = secret.secrets() + ngx.say("len: ", #values) + + ngx.say("id: ", values[1].value.id) + ngx.say("prefix: ", values[1].value.prefix) + ngx.say("token: ", values[1].value.token) + ngx.say("uri: ", values[1].value.uri) + } + } +--- request +GET /t +--- response_body +len: 1 +id: vault/1 +prefix: kv/apisix +token: $ENV://VAULT_TOKEN +uri: http://127.0.0.1:8200 + + + +=== TEST 20: secret.fetch_by_uri with the token in an env var: start with $secret:// +--- apisix_yaml +secrets: + - id: vault/1 + prefix: kv/apisix + token: "$ENV://VAULT_TOKEN" + uri: http://127.0.0.1:8200 +#END +--- config + location /t { + content_by_lua_block { + 
local secret = require("apisix.secret") + local value = secret.fetch_by_uri("$secret://vault/1/apisix-key/key") + ngx.say(value) + } + } +--- request +GET /t +--- response_body +value + + + +=== TEST 21: secret.fetch_by_uri, no sub key value with the token in an env var +--- apisix_yaml +secrets: + - id: vault/1 + prefix: kv/apisix + token: "$ENV://VAULT_TOKEN" + uri: http://127.0.0.1:8200 +#END +--- config + location /t { + content_by_lua_block { + local secret = require("apisix.secret") + local value = secret.fetch_by_uri("$secret://vault/1/apisix-key/bar") + ngx.say(value) + } + } +--- request +GET /t +--- response_body +nil diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index 533dda6266b0..d4d549a8abba 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t 
@@ -540,3 +540,73 @@ GET /echo Authorization: Basic Zm9vOmJhcg== --- response_headers Authorization: Basic Zm9vOmJhcg== + + + +=== TEST 25: set basic-auth conf with the token in an env var: password uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "foo", + "plugins": { + "basic-auth": { + "username": "foo", + "password": "$secret://vault/test1/foo/passwd" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "basic-auth": { + "hide_credentials": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t index 2316e07ae6d2..a8b67cb2f081 100644 --- a/t/plugin/hmac-auth4.t +++ b/t/plugin/hmac-auth4.t 
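Review bot: TEST 25 in t/plugin/basic-auth.t only PUTs the secret, consumer and route configuration and expects `passed`, so as far as the hunk shows it never makes APISIX contact Vault with the token taken from `$ENV://VAULT_TOKEN`. The same applies to the added cases in hmac-auth4.t (TEST 4), jwt-auth3.t (TEST 22), key-auth.t (TEST 31), ldap-auth.t (TEST 24) and wolf-rbac.t (TEST 34). Each should be followed by a request that authenticates with the credential stored in Vault, so that a token which fails to resolve makes the test fail instead of going unnoticed.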
@@ -166,3 +166,69 @@ location /t { } --- response_body passed + + + +=== TEST 4: set hmac-auth conf with the token in an env var: secret_key uses secret ref +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "hmac-auth": { + "access_key": "my-access-key", + "secret_key": "$secret://vault/test1/jack/secret_key" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "hmac-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index ac4587de0ed7..95bb1ba66d70 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
@@ -640,3 +640,76 @@ passed } --- response_body hello world + + + +=== TEST 22: set jwt-auth conf with the token in an env var: secret uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "jwt-auth": { + "key": "user-key", + "secret": "$secret://vault/test1/jack/secret" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 850a65e183e9..34882f98853b 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t 
@@ -638,3 +638,50 @@ Success! Data written to: kv/apisix/jack GET /hello?auth=authtwo --- response_args auth: authtwo + + + +=== TEST 31: set key-auth conf with the token in an env var: key uses secret ref +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local etcd = require("apisix.core.etcd") + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "key-auth": { + "key": "$secret://vault/test1/jack/key" + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t index b8f3936ef411..e9ca902ebe4e 100644 --- a/t/plugin/ldap-auth.t +++ b/t/plugin/ldap-auth.t 
@@ -531,3 +531,74 @@ Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ== hello world --- error_log find consumer user01 + + + +=== TEST 24: set ldap-auth conf with the token in an env var: user_dn uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "user01", + "plugins": { + "ldap-auth": { + "user_dn": "$secret://vault/test1/user01/user_dn" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "ldap-auth": { + "base_dn": "ou=users,dc=example,dc=org", + "ldap_uri": "127.0.0.1:1389", + "uid": "cn" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index af3be4524206..ddd6a88050ea 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t 
@@ -619,3 +619,47 @@ Success! Data written to: kv/apisix/wolf_rbac_unit_test ngx.status = code } } + + + +=== TEST 34: set hmac-auth conf with the token in an env var: appid uses secret ref +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "wolf_rbac_unit_test", + "plugins": { + "wolf-rbac": { + "appid": "$secret://vault/test1/wolf_rbac_unit_test/appid", + "server": "http://127.0.0.1:1982" + } + } + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed diff --git a/t/secret/vault.t b/t/secret/vault.t index 2ab74c99a13e..b106a1e3e67f 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t 
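Review bot: The title of TEST 34 in t/plugin/wolf-rbac.t reads `set hmac-auth conf with the token in an env var: appid uses secret ref`, but the body configures the `wolf-rbac` plugin, so the name looks copied from the hmac-auth test. Rename it to `set wolf-rbac conf with the token in an env var: appid uses secret ref` so that a failure report points at the right plugin.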
@@ -156,3 +156,129 @@ Success! Data written to: kv/apisix/apisix-key/jack GET /t --- response_body value + + + +=== TEST 7: check key with the token in an env var: error format +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "/kv/prefix", + token = "$ENV://VAULT_TOKEN", + uri = "http://127.0.0.1:2800" + } + local data, err = vault.get(conf, "apisix") + if err then + return ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +error key format, key: apisix + + + +=== TEST 8: check key with the token in an env var: no main key +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "/kv/prefix", + token = "$ENV://VAULT_TOKEN", + uri = "http://127.0.0.1:2800" + } + local data, err = vault.get(conf, "/apisix") + if err then + return ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +can't find main key, key: /apisix + + + +=== TEST 9: check key with the token in an env var: no sub key +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "/kv/prefix", + token = "$ENV://VAULT_TOKEN", + uri = "http://127.0.0.1:2800" + } + local data, err = vault.get(conf, "apisix/") + if err then + return ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +can't find sub key, key: apisix/ + + + +=== TEST 10: error vault uri (with the token in an env var) +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "/kv/prefix", + token = "$ENV://VAULT_TOKEN", + uri = "http://127.0.0.2:2800" + } + local data, err = vault.get(conf, "/apisix/sub") + if err then + return ngx.say(err) + end + + ngx.say("done") + } + } +--- request +GET /t +--- response_body +failed to retrtive data from vault kv 
engine: connection refused +--- timeout: 6 + + + +=== TEST 11: get value from vault with the token in an env var +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "kv/apisix", + token = "$ENV://VAULT_TOKEN", + uri = "http://127.0.0.1:8200" + } + local value, err = vault.get(conf, "/apisix-key/jack/key") + if err then + return ngx.say(err) + end + + ngx.say("value") + } + } +--- request +GET /t +--- response_body +value From 26627b776ebed8c83776e735153d01d8ec81eade Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 16 Feb 2023 07:50:13 +0530 Subject: [PATCH 08/23] place env var in correct place --- ci/centos7-ci.sh | 1 - ci/linux_openresty_common_runner.sh | 1 - t/config-center-yaml/secret.t | 4 ++++ t/plugin/basic-auth.t | 4 ++++ t/plugin/hmac-auth4.t | 3 +++ t/plugin/jwt-auth3.t | 4 ++++ t/plugin/key-auth.t | 4 ++++ t/plugin/ldap-auth.t | 4 ++++ t/plugin/wolf-rbac.t | 4 ++++ t/secret/vault.t | 4 ++++ 10 files changed, 31 insertions(+), 2 deletions(-) diff --git a/ci/centos7-ci.sh b/ci/centos7-ci.sh index f44bd1cb2243..8103503d3256 100755 --- a/ci/centos7-ci.sh +++ b/ci/centos7-ci.sh @@ -84,7 +84,6 @@ run_case() { export_or_prefix make init set_coredns - export VAULT_TOKEN="root" # run test cases FLUSH_ETCD=1 prove --timer -Itest-nginx/lib -I./ -r ${TEST_FILE_SUB_DIR} | tee /tmp/test.result rerun_flaky_tests /tmp/test.result diff --git a/ci/linux_openresty_common_runner.sh b/ci/linux_openresty_common_runner.sh index 37db99c0e0b0..4029d851bd16 100755 --- a/ci/linux_openresty_common_runner.sh +++ b/ci/linux_openresty_common_runner.sh @@ -85,7 +85,6 @@ script() { sleep 1 done - export VAULT_TOKEN="root" # APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t FLUSH_ETCD=1 prove --timer -Itest-nginx/lib -I./ -r $TEST_FILE_SUB_DIR | tee /tmp/test.result rerun_flaky_tests /tmp/test.result 
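Review bot: TEST 11 in t/secret/vault.t ends with `ngx.say("value")`, a string literal, so the expected body `value` is produced whenever `vault.get` returns no error, whatever was actually read. It should print the variable, `ngx.say(value)`, with the expected body adjusted if the stored value differs. TESTs 7–9 expect the key-format errors, so they probably return before the token is used at all, which leaves TEST 11 as the only case here that reaches Vault with the `$ENV://` token. A further case with `VAULT_TOKEN` unset would pin down what happens when the reference cannot be resolved.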
diff --git a/t/config-center-yaml/secret.t b/t/config-center-yaml/secret.t index 6d1c7dca3b06..982c49cced4a 100644 --- a/t/config-center-yaml/secret.t +++ b/t/config-center-yaml/secret.t @@ -14,6 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} + use t::APISIX 'no_plan'; repeat_each(1); diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index d4d549a8abba..0db834dd5ea9 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t @@ -14,6 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} + use t::APISIX 'no_plan'; repeat_each(2); diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t index a8b67cb2f081..6b0cac48b126 100644 --- a/t/plugin/hmac-auth4.t +++ b/t/plugin/hmac-auth4.t @@ -14,6 +14,9 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} use t::APISIX 'no_plan'; diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index 95bb1ba66d70..f982aaa3bac8 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -14,6 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} + use t::APISIX 'no_plan'; repeat_each(1); diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 34882f98853b..b0e24c93721c 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t @@ -14,6 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} + use t::APISIX 'no_plan'; repeat_each(2); diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t index e9ca902ebe4e..0d3278fba596 100644 --- a/t/plugin/ldap-auth.t +++ b/t/plugin/ldap-auth.t 
@@ -14,6 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} + use t::APISIX 'no_plan'; repeat_each(2); diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index ddd6a88050ea..65ef8a289f68 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t @@ -14,6 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} + use t::APISIX 'no_plan'; diff --git a/t/secret/vault.t b/t/secret/vault.t index b106a1e3e67f..719d7b496b2c 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -14,6 +14,10 @@ # See the License for the specific language governing permissions and # limitations under the License. # +BEGIN { + $ENV{VAULT_TOKEN} = "root"; +} + use t::APISIX 'no_plan'; repeat_each(1); From 0868b431dec5c9804a87a35e149c7439f097a2af Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 16 Feb 2023 08:54:34 +0530 Subject: [PATCH 09/23] Revert "add tests" This reverts commit 62eb6f9982764ade3be24d4387ff88d3b1a88a91. --- t/config-center-yaml/secret.t | 128 ---------------------------------- t/plugin/basic-auth.t | 70 ------------------- t/plugin/hmac-auth4.t | 66 ------------------ t/plugin/jwt-auth3.t | 73 ------------------- t/plugin/key-auth.t | 47 ------------- t/plugin/ldap-auth.t | 71 ------------------- t/plugin/wolf-rbac.t | 44 ------------ t/secret/vault.t | 126 --------------------------------- 8 files changed, 625 deletions(-) diff --git a/t/config-center-yaml/secret.t b/t/config-center-yaml/secret.t index 982c49cced4a..c4e4aef80153 100644 --- a/t/config-center-yaml/secret.t +++ b/t/config-center-yaml/secret.t 
@@ -392,131 +392,3 @@ env secret=apisix; GET /t --- response_body nil - - - -=== TEST 17: validate secret/vault with the token in an env var: wrong schema ---- apisix_yaml -secrets: - - id: vault/1 - prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" - uri: 127.0.0.1:8200 -#END ---- config - location /t { - content_by_lua_block { - local secret = require("apisix.secret") - local values = secret.secrets() - ngx.say(#values) - } - } ---- request -GET /t ---- response_body -0 ---- error_log -property "uri" validation failed: failed to match pattern "^[^\\/]+:\\/\\/([\\da-zA-Z.-]+|\\[[\\da-fA-F:]+\\])(:\\d+)?" - - - -=== TEST 18: validate secrets with the token in an env var: manager not exits ---- apisix_yaml -secrets: - - id: hhh/1 - prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" - uri: 127.0.0.1:8200 -#END ---- config - location /t { - content_by_lua_block { - local secret = require("apisix.secret") - local values = secret.secrets() - ngx.say(#values) - } - } ---- request -GET /t ---- response_body -0 ---- error_log -secret manager not exits - - - -=== TEST 19: load config normal with the token in an env var ---- apisix_yaml -secrets: - - id: vault/1 - prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" - uri: http://127.0.0.1:8200 -#END ---- config - location /t { - content_by_lua_block { - local secret = require("apisix.secret") - local values = secret.secrets() - ngx.say("len: ", #values) - - ngx.say("id: ", values[1].value.id) - ngx.say("prefix: ", values[1].value.prefix) - ngx.say("token: ", values[1].value.token) - ngx.say("uri: ", values[1].value.uri) - } - } ---- request -GET /t ---- response_body -len: 1 -id: vault/1 -prefix: kv/apisix -token: $ENV://VAULT_TOKEN -uri: http://127.0.0.1:8200 - - - -=== TEST 20: secret.fetch_by_uri with the token in an env var: start with $secret:// ---- apisix_yaml -secrets: - - id: vault/1 - prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" - uri: http://127.0.0.1:8200 -#END ---- config - location /t { - content_by_lua_block { - 
local secret = require("apisix.secret") - local value = secret.fetch_by_uri("$secret://vault/1/apisix-key/key") - ngx.say(value) - } - } ---- request -GET /t ---- response_body -value - - - -=== TEST 21: secret.fetch_by_uri, no sub key value with the token in an env var ---- apisix_yaml -secrets: - - id: vault/1 - prefix: kv/apisix - token: "$ENV://VAULT_TOKEN" - uri: http://127.0.0.1:8200 -#END ---- config - location /t { - content_by_lua_block { - local secret = require("apisix.secret") - local value = secret.fetch_by_uri("$secret://vault/1/apisix-key/bar") - ngx.say(value) - } - } ---- request -GET /t ---- response_body -nil diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index 0db834dd5ea9..55048d2cd224 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t 
@@ -544,73 +544,3 @@ GET /echo Authorization: Basic Zm9vOmJhcg== --- response_headers Authorization: Basic Zm9vOmJhcg== - - - -=== TEST 25: set basic-auth conf with the token in an env var: password uses secret ref ---- request -GET /t ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - -- put secret vault config - local code, body = t('/apisix/admin/secrets/vault/test1', - ngx.HTTP_PUT, - [[{ - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- change consumer with secrets ref: vault - code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "foo", - "plugins": { - "basic-auth": { - "username": "foo", - "password": "$secret://vault/test1/foo/passwd" - } - } - }]] - ) - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- set route - code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "basic-auth": { - "hide_credentials": false - } - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/echo" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t index 6b0cac48b126..b234ddf6b12a 100644 --- a/t/plugin/hmac-auth4.t +++ b/t/plugin/hmac-auth4.t 
@@ -169,69 +169,3 @@ location /t { } --- response_body passed - - - -=== TEST 4: set hmac-auth conf with the token in an env var: secret_key uses secret ref ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - -- put secret vault config - local code, body = t('/apisix/admin/secrets/vault/test1', - ngx.HTTP_PUT, - [[{ - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- change consumer with secrets ref: vault - code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "jack", - "plugins": { - "hmac-auth": { - "access_key": "my-access-key", - "secret_key": "$secret://vault/test1/jack/secret_key" - } - } - }]] - ) - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- set route - code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "hmac-auth": {} - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/hello" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index f982aaa3bac8..e6d73a7375be 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
@@ -644,76 +644,3 @@ passed } --- response_body hello world - - - -=== TEST 22: set jwt-auth conf with the token in an env var: secret uses secret ref ---- request -GET /t ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - -- put secret vault config - local code, body = t('/apisix/admin/secrets/vault/test1', - ngx.HTTP_PUT, - [[{ - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- change consumer with secrets ref: vault - code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "jack", - "plugins": { - "jwt-auth": { - "key": "user-key", - "secret": "$secret://vault/test1/jack/secret" - } - } - }]] - ) - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- set route - code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "jwt-auth": { - "header": "jwt-header", - "query": "jwt-query", - "cookie": "jwt-cookie", - "hide_credentials": false - } - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/echo" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index b0e24c93721c..97ed94c334bf 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t 
@@ -642,50 +642,3 @@ Success! Data written to: kv/apisix/jack GET /hello?auth=authtwo --- response_args auth: authtwo - - - -=== TEST 31: set key-auth conf with the token in an env var: key uses secret ref ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - -- put secret vault config - local etcd = require("apisix.core.etcd") - local code, body = t('/apisix/admin/secrets/vault/test1', - ngx.HTTP_PUT, - [[{ - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- change consumer with secrets ref: vault - local code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "jack", - "plugins": { - "key-auth": { - "key": "$secret://vault/test1/jack/key" - } - } - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- request -GET /t ---- response_body -passed diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t index 0d3278fba596..b9866fa342ac 100644 --- a/t/plugin/ldap-auth.t +++ b/t/plugin/ldap-auth.t 
@@ -535,74 +535,3 @@ Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ== hello world --- error_log find consumer user01 - - - -=== TEST 24: set ldap-auth conf with the token in an env var: user_dn uses secret ref ---- request -GET /t ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - -- put secret vault config - local code, body = t('/apisix/admin/secrets/vault/test1', - ngx.HTTP_PUT, - [[{ - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- change consumer with secrets ref: vault - code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "user01", - "plugins": { - "ldap-auth": { - "user_dn": "$secret://vault/test1/user01/user_dn" - } - } - }]] - ) - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - -- set route - code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "ldap-auth": { - "base_dn": "ou=users,dc=example,dc=org", - "ldap_uri": "127.0.0.1:1389", - "uid": "cn" - } - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/hello" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index 65ef8a289f68..214ec93fd772 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t 
@@ -623,47 +623,3 @@ Success! Data written to: kv/apisix/wolf_rbac_unit_test ngx.status = code } } - - - -=== TEST 34: set hmac-auth conf with the token in an env var: appid uses secret ref ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - -- put secret vault config - local code, body = t('/apisix/admin/secrets/vault/test1', - ngx.HTTP_PUT, - [[{ - "uri": "http://127.0.0.1:8200", - "prefix" : "kv/apisix", - "token" : "$ENV://VAULT_TOKEN" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - - code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "wolf_rbac_unit_test", - "plugins": { - "wolf-rbac": { - "appid": "$secret://vault/test1/wolf_rbac_unit_test/appid", - "server": "http://127.0.0.1:1982" - } - } - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed diff --git a/t/secret/vault.t b/t/secret/vault.t index 719d7b496b2c..47031f9a7e45 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t 
@@ -160,129 +160,3 @@ Success! Data written to: kv/apisix/apisix-key/jack GET /t --- response_body value - - - -=== TEST 7: check key with the token in an env var: error format ---- config - location /t { - content_by_lua_block { - local vault = require("apisix.secret.vault") - local conf = { - prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", - uri = "http://127.0.0.1:2800" - } - local data, err = vault.get(conf, "apisix") - if err then - return ngx.say(err) - end - - ngx.say("done") - } - } ---- request -GET /t ---- response_body -error key format, key: apisix - - - -=== TEST 8: check key with the token in an env var: no main key ---- config - location /t { - content_by_lua_block { - local vault = require("apisix.secret.vault") - local conf = { - prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", - uri = "http://127.0.0.1:2800" - } - local data, err = vault.get(conf, "/apisix") - if err then - return ngx.say(err) - end - - ngx.say("done") - } - } ---- request -GET /t ---- response_body -can't find main key, key: /apisix - - - -=== TEST 9: check key with the token in an env var: no sub key ---- config - location /t { - content_by_lua_block { - local vault = require("apisix.secret.vault") - local conf = { - prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", - uri = "http://127.0.0.1:2800" - } - local data, err = vault.get(conf, "apisix/") - if err then - return ngx.say(err) - end - - ngx.say("done") - } - } ---- request -GET /t ---- response_body -can't find sub key, key: apisix/ - - - -=== TEST 10: error vault uri (with the token in an env var) ---- config - location /t { - content_by_lua_block { - local vault = require("apisix.secret.vault") - local conf = { - prefix = "/kv/prefix", - token = "$ENV://VAULT_TOKEN", - uri = "http://127.0.0.2:2800" - } - local data, err = vault.get(conf, "/apisix/sub") - if err then - return ngx.say(err) - end - - ngx.say("done") - } - } ---- request -GET /t ---- response_body -failed to retrtive data from vault kv 
engine: connection refused ---- timeout: 6 - - - -=== TEST 11: get value from vault with the token in an env var ---- config - location /t { - content_by_lua_block { - local vault = require("apisix.secret.vault") - local conf = { - prefix = "kv/apisix", - token = "$ENV://VAULT_TOKEN", - uri = "http://127.0.0.1:8200" - } - local value, err = vault.get(conf, "/apisix-key/jack/key") - if err then - return ngx.say(err) - end - - ngx.say("value") - } - } ---- request -GET /t ---- response_body -value From c562216f5230d4730c347caa92dd9996d352eb89 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 16 Feb 2023 11:48:50 +0530 Subject: [PATCH 10/23] add tests --- t/plugin/basic-auth.t | 76 +++++++++++++++++++++++++++ t/plugin/hmac-auth4.t | 119 ++++++++++++++++++++++++++++++++++++++++++ t/plugin/jwt-auth3.t | 79 ++++++++++++++++++++++++++++ t/plugin/key-auth.t | 52 ++++++++++++++++++ t/plugin/ldap-auth.t | 79 ++++++++++++++++++++++++++++ t/plugin/wolf-rbac.t | 62 ++++++++++++++++++++++ t/secret/vault.t | 76 +++++++++++++++++++++++++++ 7 files changed, 543 insertions(+) diff --git a/t/plugin/basic-auth.t b/t/plugin/basic-auth.t index 55048d2cd224..4a19cf138656 100644 --- a/t/plugin/basic-auth.t +++ b/t/plugin/basic-auth.t 
@@ -544,3 +544,79 @@ GET /echo Authorization: Basic Zm9vOmJhcg== --- response_headers Authorization: Basic Zm9vOmJhcg== + + + +=== TEST 25: set basic-auth conf with the token in an env var: password uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "foo", + "plugins": { + "basic-auth": { + "username": "foo", + "password": "$secret://vault/test1/foo/passwd" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "basic-auth": { + "hide_credentials": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 26: verify Authorization with foo/bar, request header should not hidden +--- request +GET /echo +--- more_headers +Authorization: Basic Zm9vOmJhcg== +--- response_headers +Authorization: Basic Zm9vOmJhcg== diff --git a/t/plugin/hmac-auth4.t b/t/plugin/hmac-auth4.t index b234ddf6b12a..78b89b58c7ce 100644 --- a/t/plugin/hmac-auth4.t +++ b/t/plugin/hmac-auth4.t 
@@ -169,3 +169,122 @@ location /t { } --- response_body passed + + + +=== TEST 4: set hmac-auth conf with the token in an env var: secret_key uses secret ref +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "hmac-auth": { + "access_key": "my-access-key", + "secret_key": "$secret://vault/test1/jack/secret_key" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "hmac-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 5: verify: ok +--- config +location /t { + content_by_lua_block { + local ngx_time = ngx.time + local ngx_http_time = ngx.http_time + local core = require("apisix.core") + local t = require("lib.test_admin") + local hmac = require("resty.hmac") + local ngx_encode_base64 = ngx.encode_base64 + + local secret_key = "my-secret-key" + local timestamp = ngx_time() + local gmt = ngx_http_time(timestamp) + local access_key = "my-access-key" + local custom_header_a = "asld$%dfasf" + local custom_header_b = "23879fmsldfk" + + local signing_string = { + "GET", + "/hello", + "", + access_key, + gmt, + "x-custom-header-a:" .. custom_header_a, + "x-custom-header-b:" .. custom_header_b + } + signing_string = core.table.concat(signing_string, "\n") .. 
"\n" + core.log.info("signing_string:", signing_string) + + local signature = hmac:new(secret_key, hmac.ALGOS.SHA256):final(signing_string) + core.log.info("signature:", ngx_encode_base64(signature)) + local headers = {} + headers["X-HMAC-SIGNATURE"] = ngx_encode_base64(signature) + headers["X-HMAC-ALGORITHM"] = "hmac-sha256" + headers["Date"] = gmt + headers["X-HMAC-ACCESS-KEY"] = access_key + headers["X-HMAC-SIGNED-HEADERS"] = "x-custom-header-a;x-custom-header-b" + headers["x-custom-header-a"] = custom_header_a + headers["x-custom-header-b"] = custom_header_b + + local code, body = t.test('/hello', + ngx.HTTP_GET, + "", + nil, + headers + ) + + ngx.status = code + ngx.say(body) + } +} +--- response_body +passed diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index e6d73a7375be..7daf6cf164a3 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t 
@@ -644,3 +644,82 @@ passed } --- response_body hello world + + + +=== TEST 22: set jwt-auth conf with the token in an env var: secret uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "jwt-auth": { + "key": "user-key", + "secret": "$secret://vault/test1/jack/secret" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": { + "header": "jwt-header", + "query": "jwt-query", + "cookie": "jwt-cookie", + "hide_credentials": false + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/echo" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 23: verify (in header) not hiding credentials +--- request +GET /echo +--- more_headers +jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs +--- response_headers +jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs diff --git a/t/plugin/key-auth.t b/t/plugin/key-auth.t index 97ed94c334bf..138f1d647124 100644 --- a/t/plugin/key-auth.t +++ b/t/plugin/key-auth.t 
@@ -642,3 +642,55 @@ Success! Data written to: kv/apisix/jack GET /hello?auth=authtwo --- response_args auth: authtwo + + + +=== TEST 31: set key-auth conf with the token in an env var: key uses secret ref +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local etcd = require("apisix.core.etcd") + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- change consumer with secrets ref: vault + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "jack", + "plugins": { + "key-auth": { + "key": "$secret://vault/test1/jack/key" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- request +GET /t +--- response_body +passed + + + +=== TEST 32: verify auth request +--- request +GET /hello?auth=authtwo +--- response_args +auth: authtwo diff --git a/t/plugin/ldap-auth.t b/t/plugin/ldap-auth.t index b9866fa342ac..e16bc05135a3 100644 --- a/t/plugin/ldap-auth.t +++ b/t/plugin/ldap-auth.t 
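Review bot: In TEST 31 the line `local etcd = require("apisix.core.etcd")` is never used, and the consumer call redeclares `local code, body` although both names are already in scope from the first call. Dropping the require and writing `code, body = t('/apisix/admin/consumers',` would match the sibling tests this commit adds for basic-auth, jwt-auth and ldap-auth. TEST 31 also creates no route, so TEST 32 appears to depend on a route and on the `kv/apisix/jack` entry left behind by earlier tests in the file. A one-line comment such as `-- relies on the route and the kv/apisix/jack secret set up by the preceding tests` would make that ordering dependency visible.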
@@ -535,3 +535,82 @@ Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ== hello world --- error_log find consumer user01 + + + +=== TEST 24: set ldap-auth conf with the token in an env var: user_dn uses secret ref +--- request +GET /t +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- change consumer with secrets ref: vault + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "user01", + "plugins": { + "ldap-auth": { + "user_dn": "$secret://vault/test1/user01/user_dn" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + -- set route + code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "ldap-auth": { + "base_dn": "ou=users,dc=example,dc=org", + "ldap_uri": "127.0.0.1:1389", + "uid": "cn" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 25: verify +--- request +GET /hello +--- more_headers +Authorization: Basic dXNlcjAxOnBhc3N3b3JkMQ== +--- response_body +hello world +--- error_log +find consumer user01 diff --git a/t/plugin/wolf-rbac.t b/t/plugin/wolf-rbac.t index 214ec93fd772..34c7068ca56f 100644 --- a/t/plugin/wolf-rbac.t +++ b/t/plugin/wolf-rbac.t 
@@ -623,3 +623,65 @@ Success! Data written to: kv/apisix/wolf_rbac_unit_test ngx.status = code } } + + + +=== TEST 34: set hmac-auth conf with the token in an env var: appid uses secret ref +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + -- put secret vault config + local code, body = t('/apisix/admin/secrets/vault/test1', + ngx.HTTP_PUT, + [[{ + "uri": "http://127.0.0.1:8200", + "prefix" : "kv/apisix", + "token" : "$ENV://VAULT_TOKEN" + }]] + ) + if code >= 300 then + ngx.status = code + return ngx.say(body) + end + code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "wolf_rbac_unit_test", + "plugins": { + "wolf-rbac": { + "appid": "$secret://vault/test1/wolf_rbac_unit_test/appid", + "server": "http://127.0.0.1:1982" + } + } + }]] + ) + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 35: login successfully +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/plugin/wolf-rbac/login', + ngx.HTTP_POST, + [[ + {"appid": "wolf-rbac-app", "username": "admin","password": "123456"} + ]], + [[ + {"rbac_token":"V1#wolf-rbac-app#wolf-rbac-token","user_info":{"nickname":"administrator","username":"admin","id":"100"}} + ]], + {["Content-Type"] = "application/json"} + ) + ngx.status = code + } + } diff --git a/t/secret/vault.t b/t/secret/vault.t index 47031f9a7e45..e2b2dd64aed0 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -16,6 +16,7 @@ # BEGIN { $ENV{VAULT_TOKEN} = "root"; + $ENV{WRONG_VAULT_TOKEN} = "squareroot" } use t::APISIX 'no_plan'; 
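Review bot: The title of TEST 34 says `set hmac-auth conf`, but the block configures the `wolf-rbac` plugin on the consumer `wolf_rbac_unit_test`. The title looks carried over from the hmac-auth4.t test added in the same commit. Renaming it to `=== TEST 34: set wolf-rbac conf with the token in an env var: appid uses secret ref` would make a failure report point at the right plugin.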
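Review bot: The added `$ENV{WRONG_VAULT_TOKEN} = "squareroot"` in the `BEGIN` block of t/secret/vault.t has no terminating semicolon. Perl accepts this only because it is the last statement in the block, so the next assignment appended below it would become a syntax error. Writing `$ENV{WRONG_VAULT_TOKEN} = "squareroot";` matches the line above it.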
@@ -160,3 +161,78 @@ Success! Data written to: kv/apisix/apisix-key/jack GET /t --- response_body value + + + +=== TEST 7: get value from vault using token in an env var +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "kv/apisix", + token = "$ENV://VAULT_TOKEN", + uri = "http://127.0.0.1:8200" + } + local value, err = vault.get(conf, "/apisix-key/jack/key") + if err then + return ngx.say(err) + end + + ngx.say("value") + } + } +--- request +GET /t +--- response_body +value + + + +=== TEST 8: get value from vault: token env var wrong/missing +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "kv/apisix", + token = "$ENV://VALT_TOKEN", + uri = "http://127.0.0.1:8200" + } + local value, err = vault.get(conf, "/apisix-key/jack/key") + if err then + return ngx.say(err) + end + + ngx.say("value") + } + } +--- request +GET /t +--- response_body +failed to decode result, res: {"errors":["missing client token"]} + + + +=== TEST 9: get value from vault: token env var contains wrong token +--- config + location /t { + content_by_lua_block { + local vault = require("apisix.secret.vault") + local conf = { + prefix = "kv/apisix", + token = "$ENV://WRONG_VAULT_TOKEN", + uri = "http://127.0.0.1:8200" + } + local value, err = vault.get(conf, "/apisix-key/jack/key") + if err then + return ngx.say(err) + end + + ngx.say("value") + } + } +--- request +GET /t +--- response_body +permission denied From 206dd90cb3a9c2f2d5c87d4adc7be693675b9fed Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 16 Feb 2023 12:32:12 +0530 Subject: [PATCH 11/23] fix tests --- t/secret/vault.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/secret/vault.t b/t/secret/vault.t index e2b2dd64aed0..c8eed4e72dd4 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t 
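Review bot: TEST 7 ends with `ngx.say("value")`, which prints a string literal rather than the local `value` returned by `vault.get`, so the test passes whenever no error comes back, whatever was fetched. Printing the variable, `ngx.say(value)`, would make the expected body check the secret actually read with the env-supplied token, assuming the stored secret is the string the test expects. TEST 8 and TEST 9 carry the same literal in their success branch. TEST 8 also references `$ENV://VALT_TOKEN`, a variable the `BEGIN` block never sets; a comment such as `-- VALT_TOKEN is intentionally unset` would show that the misspelling is deliberate.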
@@ -210,7 +210,7 @@ value --- request GET /t --- response_body -failed to decode result, res: {"errors":["missing client token"]} +failed to decode result, res: {"errors":["permission denied"]} @@ -235,4 +235,4 @@ failed to decode result, res: {"errors":["missing client token"]} --- request GET /t --- response_body -permission denied +failed to decode result, res: {"errors":["permission denied"]} From 6c8cf9174c5e83e612b9689089a25bb9434677c0 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 16 Feb 2023 22:29:43 +0530 Subject: [PATCH 12/23] add quotes --- t/secret/vault.t | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/t/secret/vault.t b/t/secret/vault.t index c8eed4e72dd4..830e4b5e4451 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -210,7 +210,9 @@ value --- request GET /t --- response_body -failed to decode result, res: {"errors":["permission denied"]} +"failed to decode result, res: {"errors":["permission denied"]} + +" @@ -235,4 +237,6 @@ failed to decode result, res: {"errors":["permission denied"]} --- request GET /t --- response_body -failed to decode result, res: {"errors":["permission denied"]} +"failed to decode result, res: {"errors":["permission denied"]} + +" From 756f3b48fbb644d897e69a52796610e0ac305dae Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Fri, 17 Feb 2023 11:49:40 +0530 Subject: [PATCH 13/23] use print instead of "say" --- Library/Caches/Snowflake/ocsp_response_cache.json | 0 t/secret/vault.t | 4 ++-- 2 files changed, 2 insertions(+), 2 deletions(-) create mode 100755 Library/Caches/Snowflake/ocsp_response_cache.json diff --git a/Library/Caches/Snowflake/ocsp_response_cache.json b/Library/Caches/Snowflake/ocsp_response_cache.json new file mode 100755 index 000000000000..e69de29bb2d1 diff --git a/t/secret/vault.t b/t/secret/vault.t index 830e4b5e4451..cdb8c5fe023c 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t 
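Review bot: With TEST 8's expected body changed to `permission denied`, the unset-variable case (`$ENV://VALT_TOKEN`) and the wrong-token case in the second hunk (`$ENV://WRONG_VAULT_TOKEN`) assert the same Vault response, so the suite can no longer tell an unresolved reference from a bad credential. Vault answering `permission denied` rather than `missing client token` suggests that a non-empty `X-Vault-Token` still reaches the server when the variable is unset, possibly the unresolved reference string itself. This is inferred, because the resolving code in `apisix/secret/vault.lua` is not part of this hunk. The safer behaviour is for the lookup to fail before the HTTP request with an error naming the missing variable, and for TEST 8 to assert that local error rather than a server response.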
@@ -204,7 +204,7 @@ value return ngx.say(err) end - ngx.say("value") + ngx.print("value") } } --- request @@ -231,7 +231,7 @@ GET /t return ngx.say(err) end - ngx.say("value") + ngx.print("value") } } --- request From 37a340618e105b4e62352c2b56bbf35bf25d7504 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Fri, 17 Feb 2023 11:49:52 +0530 Subject: [PATCH 14/23] Revert "add quotes" This reverts commit 6c8cf9174c5e83e612b9689089a25bb9434677c0. --- t/secret/vault.t | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/t/secret/vault.t b/t/secret/vault.t index cdb8c5fe023c..4f466ea7d04f 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -210,9 +210,7 @@ value --- request GET /t --- response_body -"failed to decode result, res: {"errors":["permission denied"]} - -" +failed to decode result, res: {"errors":["permission denied"]} @@ -237,6 +235,4 @@ GET /t --- request GET /t --- response_body -"failed to decode result, res: {"errors":["permission denied"]} - -" +failed to decode result, res: {"errors":["permission denied"]} From d4d5fb3312cc79f5193a906cc7d22cda5c6a8c0a Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Fri, 17 Feb 2023 13:51:41 +0530 Subject: [PATCH 15/23] add line break --- t/secret/vault.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/secret/vault.t b/t/secret/vault.t index 4f466ea7d04f..7466af181033 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -210,7 +210,7 @@ value --- request GET /t --- response_body -failed to decode result, res: {"errors":["permission denied"]} +failed to decode result, res: {"errors":["permission denied"]}\n @@ -235,4 +235,4 @@ failed to decode result, res: {"errors":["permission denied"]} --- request GET /t --- response_body -failed to decode result, res: {"errors":["permission denied"]} +failed to decode result, res: {"errors":["permission denied"]}\n From 30a296b403515a877f9a13f2da2bd39bb66fa2be Mon Sep 17 00:00:00 2001 
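Review bot: Replacing `ngx.say("value")` with `ngx.print("value")` only changes the success branch of TEST 8 and TEST 9, while the body these tests compare is written by `return ngx.say(err)` two lines above. The change therefore cannot affect the trailing-newline mismatch in the expected error body, and it leaves both tests inconsistent with TEST 7, which still uses `ngx.say`. If the extra newline is part of the error string (likely the Vault response text embedded in `err`, though that is inferred), it is better to keep `ngx.say("value")` here and handle the newline in the expectation.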
From: Abhishek Choudhary Date: Sat, 18 Feb 2023 15:09:28 +0530 Subject: [PATCH 16/23] replace with \R --- t/secret/vault.t | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/t/secret/vault.t b/t/secret/vault.t index 7466af181033..8233584d0321 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -210,7 +210,7 @@ value --- request GET /t --- response_body -failed to decode result, res: {"errors":["permission denied"]}\n +failed to decode result, res: {"errors":["permission denied"]}\R @@ -235,4 +235,4 @@ failed to decode result, res: {"errors":["permission denied"]}\n --- request GET /t --- response_body -failed to decode result, res: {"errors":["permission denied"]}\n +failed to decode result, res: {"errors":["permission denied"]}\R From 1626dce84f04fe1e9ac9d2852e4cb869719e8ea8 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Sat, 18 Feb 2023 15:10:05 +0530 Subject: [PATCH 17/23] remove directory added by mistake --- Library/Caches/Snowflake/ocsp_response_cache.json | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100755 Library/Caches/Snowflake/ocsp_response_cache.json diff --git a/Library/Caches/Snowflake/ocsp_response_cache.json b/Library/Caches/Snowflake/ocsp_response_cache.json deleted file mode 100755 index e69de29bb2d1..000000000000 From 46b992e5ee0fb9345ffcc4c40faca9a311b799e8 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Sat, 18 Feb 2023 15:44:47 +0530 Subject: [PATCH 18/23] use regex --- t/secret/vault.t | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/t/secret/vault.t b/t/secret/vault.t index 8233584d0321..a31183e37a2c 100644 --- a/t/secret/vault.t +++ b/t/secret/vault.t @@ -209,8 +209,8 @@ value } --- request GET /t ---- response_body -failed to decode result, res: {"errors":["permission denied"]}\R +--- response_body_like +failed to decode result, res: {\"errors\":\[\"permission denied\"\]}\n 
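Review bot: `--- response_body_like` is an unanchored regular-expression match, so the new expectation in TEST 8 passes for any body that merely contains this text, which is weaker than the exact `response_body` comparison it replaces. Anchoring the pattern keeps the check strict while still tolerating the trailing newline: `^failed to decode result, res: \{\"errors\":\[\"permission denied\"\]\}\s*$`. The second hunk of this commit (TEST 9) uses the same pattern and would take the same change.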
@@ -234,5 +234,5 @@ failed to decode result, res: {"errors":["permission denied"]}\R } --- request GET /t ---- response_body -failed to decode result, res: {"errors":["permission denied"]}\R +--- response_body_like +failed to decode result, res: {\"errors\":\[\"permission denied\"\]}\n From f2c1c27b78339198dd17a1d877c052667df78eb0 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Sat, 18 Feb 2023 16:55:46 +0530 Subject: [PATCH 19/23] trigger build From 9bfaededefdbe5eb162c5eb5f2a3842ebb80c95d Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Mon, 20 Feb 2023 08:55:47 +0530 Subject: [PATCH 20/23] remove unnecessary env var --- t/config-center-yaml/secret.t | 3 --- 1 file changed, 3 deletions(-) diff --git a/t/config-center-yaml/secret.t b/t/config-center-yaml/secret.t index c4e4aef80153..9cd5e75aa7d4 100644 --- a/t/config-center-yaml/secret.t +++ b/t/config-center-yaml/secret.t @@ -14,9 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # -BEGIN { - $ENV{VAULT_TOKEN} = "root"; -} use t::APISIX 'no_plan'; From 234346a1eddf4254e3dca591ee1772cbfa3c9289 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Tue, 21 Feb 2023 08:31:31 +0530 Subject: [PATCH 21/23] clean way to import --- apisix/secret/vault.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apisix/secret/vault.lua b/apisix/secret/vault.lua index ddb4d4de74aa..79331b658488 100644 --- a/apisix/secret/vault.lua +++ b/apisix/secret/vault.lua @@ -26,7 +26,7 @@ local norm_path = require("pl.path").normpath local sub = core.string.sub local rfind_char = core.string.rfind_char -local env = require("apisix.core.env") +local env = core.env local schema = { type = "object", From 8b72f12324dd17dc17f68428aff9d59a668afe2f Mon Sep 17 00:00:00 2001 
From: Abhishek Choudhary Date: Wed, 22 Feb 2023 08:24:22 +0530 Subject: [PATCH 22/23] remove newline --- apisix/secret/vault.lua | 1 - t/config-center-yaml/secret.t | 1 - 2 files changed, 2 deletions(-) diff --git a/apisix/secret/vault.lua b/apisix/secret/vault.lua index 79331b658488..f5dcb7a24628 100644 --- a/apisix/secret/vault.lua +++ b/apisix/secret/vault.lua @@ -25,7 +25,6 @@ local norm_path = require("pl.path").normpath local sub = core.string.sub local rfind_char = core.string.rfind_char - local env = core.env local schema = { diff --git a/t/config-center-yaml/secret.t b/t/config-center-yaml/secret.t index 9cd5e75aa7d4..82fefd3a576b 100644 --- a/t/config-center-yaml/secret.t +++ b/t/config-center-yaml/secret.t @@ -14,7 +14,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # - use t::APISIX 'no_plan'; repeat_each(1); From 74b3e663466e7cd6ef7c295679caf89022947523 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 22 Feb 2023 09:27:52 +0530 Subject: [PATCH 23/23] trigger build