Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: use env var instead of plain text for vault token #8866

Merged
merged 24 commits into from
Feb 24, 2023
Merged

feat: use env var instead of plain text for vault token #8866

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
aa8b1bd
feat: use env var instead of plain text
shreemaan-abhishek Feb 15, 2023
7f938e2
modify tests to use env var
shreemaan-abhishek Feb 15, 2023
c13c6ec
export env var
shreemaan-abhishek Feb 15, 2023
6bc6d61
export env var for centos
shreemaan-abhishek Feb 15, 2023
111ac11
fix breaking change, allow plain text env vars
shreemaan-abhishek Feb 15, 2023
2d988b7
Revert "modify tests to use env var"
shreemaan-abhishek Feb 15, 2023
62eb6f9
add tests
shreemaan-abhishek Feb 15, 2023
26627b7
place env var in correct place
shreemaan-abhishek Feb 16, 2023
0868b43
Revert "add tests"
shreemaan-abhishek Feb 16, 2023
c562216
add tests
shreemaan-abhishek Feb 16, 2023
206dd90
fix tests
shreemaan-abhishek Feb 16, 2023
3aeed0d
Merge branch 'master' into vault-token-env-var
shreemaan-abhishek Feb 16, 2023
6c8cf91
add quotes
shreemaan-abhishek Feb 16, 2023
756f3b4
use print instead of "say"
shreemaan-abhishek Feb 17, 2023
37a3406
Revert "add quotes"
shreemaan-abhishek Feb 17, 2023
d4d5fb3
add line break
shreemaan-abhishek Feb 17, 2023
30a296b
replace with \R
shreemaan-abhishek Feb 18, 2023
1626dce
remove directory added by mistake
shreemaan-abhishek Feb 18, 2023
46b992e
use regex
shreemaan-abhishek Feb 18, 2023
f2c1c27
trigger build
shreemaan-abhishek Feb 18, 2023
9bfaede
remove unnecessary env var
shreemaan-abhishek Feb 20, 2023
234346a
clean way to import
shreemaan-abhishek Feb 21, 2023
8b72f12
remove newline
shreemaan-abhishek Feb 22, 2023
74b3e66
trigger build
shreemaan-abhishek Feb 22, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion apisix/secret/vault.lua
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ local norm_path = require("pl.path").normpath
local sub = core.string.sub
local rfind_char = core.string.rfind_char

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can avoid the blank line here? Other files don't add a blank line among localized variables.

local env = require("apisix.core.env")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we import it like core.string.sub?


local schema = {
type = "object",
Expand Down Expand Up @@ -53,10 +54,15 @@ local function make_request_to_vault(conf, method, key, data)
local req_addr = conf.uri .. norm_path("/v1/"
.. conf.prefix .. "/" .. key)

local token, _ = env.fetch_by_uri(conf.token)
soulbird marked this conversation as resolved.
Show resolved Hide resolved
if not token then
token = conf.token
end

local res, err = httpc:request_uri(req_addr, {
method = method,
headers = {
["X-Vault-Token"] = conf.token
["X-Vault-Token"] = token
},
body = core.json.encode(data or {}, true)
})
Expand Down
132 changes: 132 additions & 0 deletions t/config-center-yaml/secret.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
BEGIN {
$ENV{VAULT_TOKEN} = "root";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why was this added?

}

use t::APISIX 'no_plan';

repeat_each(1);
Expand Down Expand Up @@ -388,3 +392,131 @@ env secret=apisix;
GET /t
--- response_body
nil



=== TEST 17: validate secret/vault with the token in an env var: wrong schema
--- apisix_yaml
secrets:
- id: vault/1
prefix: kv/apisix
token: "$ENV://VAULT_TOKEN"
uri: 127.0.0.1:8200
#END
--- config
location /t {
content_by_lua_block {
local secret = require("apisix.secret")
local values = secret.secrets()
ngx.say(#values)
}
}
--- request
GET /t
--- response_body
0
--- error_log
property "uri" validation failed: failed to match pattern "^[^\\/]+:\\/\\/([\\da-zA-Z.-]+|\\[[\\da-fA-F:]+\\])(:\\d+)?"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why add this test case? It doesn't look like it has anything to do with your modification?

Copy link
Contributor Author

@shreemaan-abhishek shreemaan-abhishek Feb 16, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just duplicated all the test cases containing the token with just one change: replace the token with the environment variable. Let me do something better. 😂




=== TEST 18: validate secrets with the token in an env var: manager not exits
--- apisix_yaml
secrets:
- id: hhh/1
prefix: kv/apisix
token: "$ENV://VAULT_TOKEN"
uri: 127.0.0.1:8200
#END
--- config
location /t {
content_by_lua_block {
local secret = require("apisix.secret")
local values = secret.secrets()
ngx.say(#values)
}
}
--- request
GET /t
--- response_body
0
--- error_log
secret manager not exits
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto




=== TEST 19: load config normal with the token in an env var
--- apisix_yaml
secrets:
- id: vault/1
prefix: kv/apisix
token: "$ENV://VAULT_TOKEN"
uri: http://127.0.0.1:8200
#END
--- config
location /t {
content_by_lua_block {
local secret = require("apisix.secret")
local values = secret.secrets()
ngx.say("len: ", #values)

ngx.say("id: ", values[1].value.id)
ngx.say("prefix: ", values[1].value.prefix)
ngx.say("token: ", values[1].value.token)
ngx.say("uri: ", values[1].value.uri)
}
}
--- request
GET /t
--- response_body
len: 1
id: vault/1
prefix: kv/apisix
token: $ENV://VAULT_TOKEN
uri: http://127.0.0.1:8200

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no need to add this test



=== TEST 20: secret.fetch_by_uri with the token in an env var: start with $secret://
--- apisix_yaml
secrets:
- id: vault/1
prefix: kv/apisix
token: "$ENV://VAULT_TOKEN"
uri: http://127.0.0.1:8200
#END
--- config
location /t {
content_by_lua_block {
local secret = require("apisix.secret")
local value = secret.fetch_by_uri("$secret://vault/1/apisix-key/key")
ngx.say(value)
}
}
--- request
GET /t
--- response_body
value



=== TEST 21: secret.fetch_by_uri, no sub key value with the token in an env var
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This test case already exists

--- apisix_yaml
secrets:
- id: vault/1
prefix: kv/apisix
token: "$ENV://VAULT_TOKEN"
uri: http://127.0.0.1:8200
#END
--- config
location /t {
content_by_lua_block {
local secret = require("apisix.secret")
local value = secret.fetch_by_uri("$secret://vault/1/apisix-key/bar")
ngx.say(value)
}
}
--- request
GET /t
--- response_body
nil
74 changes: 74 additions & 0 deletions t/plugin/basic-auth.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
BEGIN {
$ENV{VAULT_TOKEN} = "root";
}

use t::APISIX 'no_plan';

repeat_each(2);
Expand Down Expand Up @@ -540,3 +544,73 @@ GET /echo
Authorization: Basic Zm9vOmJhcg==
--- response_headers
Authorization: Basic Zm9vOmJhcg==



=== TEST 25: set basic-auth conf with the token in an env var: password uses secret ref
--- request
GET /t
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
-- put secret vault config
local code, body = t('/apisix/admin/secrets/vault/test1',
ngx.HTTP_PUT,
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "$ENV://VAULT_TOKEN"
}]]
)

if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- change consumer with secrets ref: vault
code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "$secret://vault/test1/foo/passwd"
}
}
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- set route
code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {
"hide_credentials": false
}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/echo"
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You only configured the route, you also need to verify whether the route is effective

69 changes: 69 additions & 0 deletions t/plugin/hmac-auth4.t
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,9 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
BEGIN {
$ENV{VAULT_TOKEN} = "root";
}

use t::APISIX 'no_plan';

Expand Down Expand Up @@ -166,3 +169,69 @@ location /t {
}
--- response_body
passed



=== TEST 4: set hmac-auth conf with the token in an env var: secret_key uses secret ref
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
-- put secret vault config
local code, body = t('/apisix/admin/secrets/vault/test1',
ngx.HTTP_PUT,
[[{
"uri": "http://127.0.0.1:8200",
"prefix" : "kv/apisix",
"token" : "$ENV://VAULT_TOKEN"
}]]
)

if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- change consumer with secrets ref: vault
code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "jack",
"plugins": {
"hmac-auth": {
"access_key": "my-access-key",
"secret_key": "$secret://vault/test1/jack/secret_key"
}
}
}]]
)
if code >= 300 then
ngx.status = code
return ngx.say(body)
end

-- set route
code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"hmac-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
Loading