KNEL/KNELProductionContainers
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
integration
KNELProductionContainers/CloudronPackages/APISIX/apisix-source/t/node/data_encrypt.t
ReachableCEO 54cc5f7308 feat(apisix): add Cloudron package 
- Implements Apache APISIX packaging for Cloudron platform.
- Includes Dockerfile, CloudronManifest.json, and start.sh.
- Configured to use Cloudron's etcd addon.

🤖 Generated with Gemini CLI
Co-Authored-By: Gemini <noreply@google.com>
2025-09-04 09:42:47 -05:00

572 lines
15 KiB
Perl
Raw Permalink Blame History

#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';
repeat_each(1);
no_long_string();
no_root_location();
no_shuffle();
log_level("info");
add_block_preprocessor(sub {
my ($block) = @_;
if (!$block->request) {
$block->set_value("request", "GET /t");
}
});
run_tests;
__DATA__
=== TEST 1: sanity
# the sensitive data is encrypted in etcd, and it is normal to read it from the admin API
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- config
location /t {
content_by_lua_block {
local json = require("toolkit.json")
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "bar"
}
}
}]]
)
if code >= 300 then
ngx.status = code
ngx.say(body)
return
end
ngx.sleep(0.1)
-- get plugin conf from admin api, password is decrypted
local code, message, res = t('/apisix/admin/consumers/foo',
ngx.HTTP_GET
)
res = json.decode(res)
if code >= 300 then
ngx.status = code
ngx.say(message)
return
end
ngx.say(res.value.plugins["basic-auth"].password)
-- get plugin conf from etcd, password is encrypted
local etcd = require("apisix.core.etcd")
local res = assert(etcd.get('/consumers/foo'))
ngx.say(res.body.node.value.plugins["basic-auth"].password)
}
}
--- response_body
bar
77+NmbYqNfN+oLm0aX5akg==
=== TEST 2: enable basic auth plugin
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 3: verify
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- request
GET /hello
--- more_headers
Authorization: Basic Zm9vOmJhcg==
--- response_body
hello world
=== TEST 4: multiple auth plugins work well
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- config
location /t {
content_by_lua_block {
local json = require("toolkit.json")
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "bar"
},
"key-auth": {
"key": "auth-one"
}
}
}]]
)
if code >= 300 then
ngx.status = code
ngx.say(body)
return
end
ngx.sleep(0.1)
local code, message, res = t('/apisix/admin/consumers/foo',
ngx.HTTP_GET
)
if code >= 300 then
ngx.status = code
ngx.say(message)
return
end
ngx.say("done")
}
}
--- response_body
done
=== TEST 5: enable multiple auth plugins on route
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {},
"key-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 6: verify
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- request
GET /hello
--- more_headers
apikey: auth-one
Authorization: Basic Zm9vOmJhcg==
--- response_body
hello world
=== TEST 7: disable data_encryption
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: false
keyring:
- edd1c9f0985e76a2
--- config
location /t {
content_by_lua_block {
local json = require("toolkit.json")
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "bar"
}
}
}]]
)
if code >= 300 then
ngx.status = code
ngx.say(body)
return
end
ngx.sleep(0.1)
-- get plugin conf from etcd, password is encrypted
local etcd = require("apisix.core.etcd")
local res = assert(etcd.get('/consumers/foo'))
ngx.say(res.body.node.value.plugins["basic-auth"].password)
}
}
--- response_body
bar
=== TEST 8: etcd store unencrypted password, enable data_encryption, decryption fails, use original password
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local core = require("apisix.core")
-- get plugin conf from etcd, password is encrypted
local etcd = require("apisix.core.etcd")
local res, err = core.etcd.set("/consumers/foo2", core.json.decode([[{
"username":"foo2",
"plugins":{
"basic-auth":{
"username":"foo2",
"password":"bar"
}
}
}]]))
-- get plugin conf from admin api, password is decrypted
local code, message, res = t('/apisix/admin/consumers/foo2',
ngx.HTTP_GET
)
res = core.json.decode(res)
if code >= 300 then
ngx.status = code
ngx.say(message)
return
end
ngx.say(res.value.plugins["basic-auth"].password)
-- get plugin conf from etcd, password is encrypted
local etcd = require("apisix.core.etcd")
local res = assert(etcd.get('/consumers/foo2'))
ngx.say(res.body.node.value.plugins["basic-auth"].password)
}
}
--- response_body
bar
bar
--- error_log
failed to decrypt the conf of plugin [basic-auth] key [password], err: decrypt ssl key failed
=== TEST 9: etcd stores both encrypted and unencrypted data
# enable data_encryption, decryption of encrypted data succeeds
# decryption of unencrypted data fails, make sure it works well
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local core = require("apisix.core")
-- get plugin conf from etcd, password is encrypted
local etcd = require("apisix.core.etcd")
local res, err = core.etcd.set("/consumers/foo2", core.json.decode([[{
"username":"foo2",
"plugins":{
"basic-auth":{
"username":"foo2",
"password":"bar"
},
"key-auth": {
"key": "vU/ZHVJw7b0XscDJ1Fhtig=="
}
}
}]]))
-- get plugin conf from admin api, password is decrypted
local code, message, res = t('/apisix/admin/consumers/foo2',
ngx.HTTP_GET
)
res = core.json.decode(res)
if code >= 300 then
ngx.status = code
ngx.say(message)
return
end
ngx.say(res.value.plugins["basic-auth"].password)
ngx.say(res.value.plugins["key-auth"].key)
-- get plugin conf from etcd, password is encrypted
local etcd = require("apisix.core.etcd")
local res = assert(etcd.get('/consumers/foo2'))
ngx.say(res.body.node.value.plugins["basic-auth"].password)
ngx.say(res.body.node.value.plugins["key-auth"].key)
}
}
--- response_body
bar
auth-two
bar
vU/ZHVJw7b0XscDJ1Fhtig==
--- error_log
failed to decrypt the conf of plugin [basic-auth] key [password], err: decrypt ssl key failed
=== TEST 10: verify, use the foo2 consumer
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- request
GET /hello
--- more_headers
apikey: auth-two
Authorization: Basic Zm9vMjpiYXI=
--- response_body
hello world
=== TEST 11: keyring rotate, encrypt with edd1c9f0985e76a2
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- config
location /t {
content_by_lua_block {
local json = require("toolkit.json")
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "bar"
}
}
}]]
)
if code >= 300 then
ngx.status = code
ngx.say(body)
return
end
ngx.sleep(0.1)
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"basic-auth": {}
},
"upstream": {
"nodes": {
"127.0.0.1:1980": 1
},
"type": "roundrobin"
},
"uri": "/hello"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 12: keyring rotate, decrypt with qeddd145sfvddff3 would fail, but encrypt with edd1c9f0985e76a2 would success
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- qeddd145sfvddff3
- edd1c9f0985e76a2
--- request
GET /hello
--- more_headers
Authorization: Basic Zm9vOmJhcg==
--- response_body
hello world
=== TEST 13: search consumer list
--- yaml_config
apisix:
data_encryption:
enable_encrypt_fields: true
keyring:
- edd1c9f0985e76a2
--- config
location /t {
content_by_lua_block {
local json = require("toolkit.json")
local t = require("lib.test_admin").test
-- dletet exist consumers
t('/apisix/admin/consumers/foo', ngx.HTTP_DELETE)
t('/apisix/admin/consumers/foo2', ngx.HTTP_DELETE)
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "foo",
"plugins": {
"basic-auth": {
"username": "foo",
"password": "bar"
}
}
}]]
)
if code >= 300 then
ngx.status = code
ngx.say(body)
return
end
ngx.sleep(0.1)
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "test",
"plugins": {
"basic-auth": {
"username": "test",
"password": "test"
}
}
}]]
)
if code >= 300 then
ngx.status = code
ngx.say(body)
return
end
ngx.sleep(0.1)
-- get plugin conf from admin api, password is decrypted
local code, message, res = t('/apisix/admin/consumers',
ngx.HTTP_GET
)
res = json.decode(res)
if code >= 300 then
ngx.status = code
ngx.say(message)
return
end
local pwds = {}
table.insert(pwds, res.list[1].value.plugins["basic-auth"].password)
table.insert(pwds, res.list[2].value.plugins["basic-auth"].password)
ngx.say(json.encode(pwds))
}
}
--- response_body
["bar","test"]
View Git Blame Copy Permalink