# # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # BEGIN { $ENV{VAULT_TOKEN} = "root"; } use t::APISIX 'no_plan'; repeat_each(1); no_long_string(); no_root_location(); no_shuffle(); add_block_preprocessor(sub { my ($block) = @_; if ((!defined $block->error_log) && (!defined $block->no_error_log)) { $block->set_value("no_error_log", "[error]"); } if (!defined $block->request) { $block->set_value("request", "GET /t"); if (!$block->response_body) { $block->set_value("response_body", "passed\n"); } } }); run_tests; __DATA__ === TEST 1: add consumer with username and plugins --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test local code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "jack", "plugins": { "jwt-auth": { "key": "user-key", "secret": "my-secret-key" } } }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } === TEST 2: enable jwt auth plugin using admin api with custom parameter --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": { "header": "jwt-header", "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": false } }, "upstream": { "nodes": { "127.0.0.1:1980": 1 }, "type": "roundrobin" }, "uri": "/echo" }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } === TEST 3: verify (in header) not hiding credentials --- request GET /echo --- more_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs === TEST 4: verify (in cookie) not hiding credentials --- request GET /echo --- more_headers Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers Cookie: jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs === TEST 5: enable jwt auth plugin using admin api without hiding credentials --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": { "header": "jwt-header", "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": false } }, "upstream": { "nodes": { "127.0.0.1:1980": 1 }, "type": "roundrobin" }, "uri": "/plugin_proxy_rewrite_args" }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } === TEST 6: verify (in query) without hiding credentials --- request GET /plugin_proxy_rewrite_args?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body uri: /plugin_proxy_rewrite_args foo: bar hello: world jwt-query: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs === TEST 7: enable jwt auth plugin using admin api with hiding credentials --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": { "header": "jwt-header", "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": true } }, "upstream": { "nodes": { "127.0.0.1:1980": 1 }, "type": "roundrobin" }, "uri": "/echo" }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } === TEST 8: verify (in header) with hiding credentials --- request GET /echo --- more_headers jwt-header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers !jwt-header === TEST 9: enable jwt auth plugin using admin api with hiding credentials --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": { "header": "jwt-header", "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": true } }, "upstream": { "nodes": { "127.0.0.1:1980": 1 }, "type": "roundrobin" }, "uri": "/plugin_proxy_rewrite_args" }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } === TEST 10: verify (in query) with hiding credentials --- request GET /plugin_proxy_rewrite_args?foo=bar&hello=world&jwt-query=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_body uri: /plugin_proxy_rewrite_args foo: bar hello: world === TEST 11: verify (in cookie) with hiding credentials --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": { "header": "jwt-header", "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": true } }, "upstream": { "nodes": { "test.com:1980": 1 }, "type": "roundrobin" }, "uri": "/hello" }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } === TEST 12: verify (in cookie) with hiding credentials --- request GET /hello --- more_headers Cookie: hello=world; jwt-cookie=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs; foo=bar --- response_body hello world === TEST 13: delete exist consumers --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test -- delete exist consumers local code, body = t('/apisix/admin/consumers/jack', ngx.HTTP_DELETE) ngx.say(body) } } --- response_body passed === TEST 14: data encryption for secret --- yaml_config apisix: data_encryption: enable_encrypt_fields: true keyring: - edd1c9f0985e76a2 --- config location /t { content_by_lua_block { local json = require("toolkit.json") local t = require("lib.test_admin").test local code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "jack", "plugins": { "jwt-auth": { "key": "user-key", "secret": "my-secret-key" } } }]] ) if code >= 300 then ngx.status = code ngx.say(body) return end ngx.sleep(0.1) -- get plugin conf from admin api, password is decrypted local code, message, res = t('/apisix/admin/consumers/jack', ngx.HTTP_GET ) res = json.decode(res) if code >= 300 then ngx.status = code ngx.say(message) return end ngx.say(res.value.plugins["jwt-auth"].secret) -- get plugin conf from etcd, password is encrypted local etcd = require("apisix.core.etcd") local res = assert(etcd.get('/consumers/jack')) ngx.say(res.body.node.value.plugins["jwt-auth"].secret) } } --- response_body my-secret-key IRWpPjbDq5BCgHyIllnOMA== === TEST 15: set jwt-auth conf: secret uses secret ref --- request GET /t --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test -- put secret vault config local code, body = t('/apisix/admin/secrets/vault/test1', ngx.HTTP_PUT, [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", "token" : "root" }]] ) if code >= 300 then ngx.status = code return ngx.say(body) end -- change consumer with secrets ref: vault code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "jack", "plugins": { "jwt-auth": { "key": "user-key", "secret": "$secret://vault/test1/jack/secret" } } }]] ) if code >= 300 then ngx.status = code return ngx.say(body) end -- set route code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": { "header": "jwt-header", "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": false } }, "upstream": { "nodes": { "127.0.0.1:1980": 1 }, "type": "roundrobin" }, "uri": "/echo" }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } --- response_body passed === TEST 16: store secret into vault --- exec VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret=my-secret-key --- response_body Success! Data written to: kv/apisix/jack === TEST 17: verify (in header) not hiding credentials --- request GET /echo --- more_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs === TEST 18: store rsa key pairs and secret into vault from local filesystem --- exec VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 secret=$3nsitiv3-c8d3 public_key=@t/certs/public.pem --- response_body Success! Data written to: kv/apisix/rsa1 === TEST 19: create consumer for RS256 algorithm with public key fetched from vault and public key in consumer schema --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test -- enable jwt auth plugin using admin api local code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": {} }, "upstream": { "nodes": { "127.0.0.1:1980": 1 }, "type": "roundrobin" }, "uri": "/hello" }]] ) if code >= 300 then ngx.status = code return ngx.say(body) end local code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "john", "plugins": { "jwt-auth": { "key": "rsa1", "algorithm": "RS256", "secret": "$secret://vault/test1/rsa1/secret", "public_key": "$secret://vault/test1/rsa1/public_key" } } }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } --- response_body passed === TEST 20: set jwt-auth conf with the token in an env var: secret uses secret ref --- request GET /t --- config location /t { content_by_lua_block { local t = require("lib.test_admin").test -- put secret vault config local code, body = t('/apisix/admin/secrets/vault/test1', ngx.HTTP_PUT, [[{ "uri": "http://127.0.0.1:8200", "prefix" : "kv/apisix", "token" : "$ENV://VAULT_TOKEN" }]] ) if code >= 300 then ngx.status = code return ngx.say(body) end -- change consumer with secrets ref: vault code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ "username": "jack", "plugins": { "jwt-auth": { "key": "user-key", "secret": "$secret://vault/test1/jack/secret" } } }]] ) if code >= 300 then ngx.status = code return ngx.say(body) end -- set route code, body = t('/apisix/admin/routes/1', ngx.HTTP_PUT, [[{ "plugins": { "jwt-auth": { "header": "jwt-header", "query": "jwt-query", "cookie": "jwt-cookie", "hide_credentials": false } }, "upstream": { "nodes": { "127.0.0.1:1980": 1 }, "type": "roundrobin" }, "uri": "/echo" }]] ) if code >= 300 then ngx.status = code end ngx.say(body) } } --- response_body passed === TEST 21: verify (in header) not hiding credentials --- request GET /echo --- more_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs --- response_headers jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs