mirror of
https://gitee.com/iresty/apisix.git
synced 2024-12-12 11:55:28 +08:00
363 lines
10 KiB
Perl
363 lines
10 KiB
Perl
|
#
|
||
|
# Licensed to the Apache Software Foundation (ASF) under one or more
|
||
|
# contributor license agreements. See the NOTICE file distributed with
|
||
|
# this work for additional information regarding copyright ownership.
|
||
|
# The ASF licenses this file to You under the Apache License, Version 2.0
|
||
|
# (the "License"); you may not use this file except in compliance with
|
||
|
# the License. You may obtain a copy of the License at
|
||
|
#
|
||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||
|
#
|
||
|
# Unless required by applicable law or agreed to in writing, software
|
||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||
|
# See the License for the specific language governing permissions and
|
||
|
# limitations under the License.
|
||
|
#
|
||
|
use t::APISIX 'no_plan';
|
||
|
|
||
|
repeat_each(1);
|
||
|
no_long_string();
|
||
|
no_root_location();
|
||
|
no_shuffle();
|
||
|
|
||
|
add_block_preprocessor(sub {
|
||
|
my ($block) = @_;
|
||
|
|
||
|
my $http_config = $block->http_config // <<_EOC_;
|
||
|
|
||
|
server {
|
||
|
listen 8777;
|
||
|
|
||
|
location /secure-endpoint {
|
||
|
content_by_lua_block {
|
||
|
ngx.say("successfully invoked secure endpoint")
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
_EOC_
|
||
|
|
||
|
$block->set_value("http_config", $http_config);
|
||
|
|
||
|
my $vault_config = $block->extra_yaml_config // <<_EOC_;
|
||
|
vault:
|
||
|
host: "http://0.0.0.0:8200"
|
||
|
timeout: 10
|
||
|
prefix: kv/apisix
|
||
|
token: root
|
||
|
_EOC_
|
||
|
|
||
|
$block->set_value("extra_yaml_config", $vault_config);
|
||
|
|
||
|
if (!$block->request) {
|
||
|
$block->set_value("request", "GET /t");
|
||
|
}
|
||
|
if (!$block->no_error_log && !$block->error_log) {
|
||
|
$block->set_value("no_error_log", "[error]\n[alert]");
|
||
|
}
|
||
|
});
|
||
|
|
||
|
run_tests;
|
||
|
|
||
|
__DATA__
|
||
|
|
||
|
=== TEST 1: schema check
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local plugin = require("apisix.plugins.jwt-auth")
|
||
|
local core = require("apisix.core")
|
||
|
for _, conf in ipairs({
|
||
|
{
|
||
|
-- public and private key are not provided for RS256, returns error
|
||
|
key = "key-1",
|
||
|
algorithm = "RS256"
|
||
|
},
|
||
|
{
|
||
|
-- public and private key are not provided but vault config is enabled.
|
||
|
key = "key-1",
|
||
|
algorithm = "RS256",
|
||
|
vault = {}
|
||
|
}
|
||
|
}) do
|
||
|
local ok, err = plugin.check_schema(conf, core.schema.TYPE_CONSUMER)
|
||
|
if not ok then
|
||
|
ngx.say(err)
|
||
|
else
|
||
|
ngx.say("ok")
|
||
|
end
|
||
|
end
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
failed to validate dependent schema for "algorithm": value should match only one schema, but matches none
|
||
|
ok
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 2: create a consumer with plugin and username
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, body = t('/apisix/admin/consumers',
|
||
|
ngx.HTTP_PUT,
|
||
|
[[{
|
||
|
"username": "jack",
|
||
|
"plugins": {
|
||
|
"jwt-auth": {
|
||
|
"key": "key-hs256",
|
||
|
"algorithm": "HS256",
|
||
|
"vault":{}
|
||
|
}
|
||
|
}
|
||
|
}]]
|
||
|
)
|
||
|
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.say(body)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
passed
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 3: enable jwt auth plugin using admin api
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, body = t('/apisix/admin/routes/1',
|
||
|
ngx.HTTP_PUT,
|
||
|
[[{
|
||
|
"plugins": {
|
||
|
"jwt-auth": {}
|
||
|
},
|
||
|
"upstream": {
|
||
|
"nodes": {
|
||
|
"127.0.0.1:8777": 1
|
||
|
},
|
||
|
"type": "roundrobin"
|
||
|
},
|
||
|
"uri": "/secure-endpoint"
|
||
|
}]]
|
||
|
)
|
||
|
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.say(body)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
passed
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 4: sign a jwt and access/verify /secure-endpoint, fails as no secret entry into vault
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, err, sign = t('/apisix/plugin/jwt/sign?key=key-hs256',
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
|
||
|
if code > 200 then
|
||
|
ngx.status = code
|
||
|
ngx.say(err)
|
||
|
return
|
||
|
end
|
||
|
|
||
|
local code, _, res = t('/secure-endpoint?jwt=' .. sign,
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.print(res)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
failed to sign jwt
|
||
|
--- error_code: 503
|
||
|
--- error_log eval
|
||
|
qr/failed to sign jwt, err: secret could not found in vault/
|
||
|
--- grep_error_log_out
|
||
|
failed to sign jwt, err: secret could not found in vault
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 5: store HS256 secret into vault
|
||
|
--- exec
|
||
|
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/consumer/jack/jwt-auth secret=$3nsitiv3-c8d3
|
||
|
--- response_body
|
||
|
Success! Data written to: kv/apisix/consumer/jack/jwt-auth
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 6: sign a HS256 jwt and access/verify /secure-endpoint
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, err, sign = t('/apisix/plugin/jwt/sign?key=key-hs256',
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
|
||
|
if code > 200 then
|
||
|
ngx.status = code
|
||
|
ngx.say(err)
|
||
|
return
|
||
|
end
|
||
|
|
||
|
local code, _, res = t('/secure-endpoint?jwt=' .. sign,
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.print(res)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
successfully invoked secure endpoint
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 7: store rsa key pairs into vault from local filesystem
|
||
|
--- exec
|
||
|
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/consumer/jim/jwt-auth public_key=@t/certs/public.pem private_key=@t/certs/private.pem
|
||
|
--- response_body
|
||
|
Success! Data written to: kv/apisix/consumer/jim/jwt-auth
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 8: create consumer for RS256 algorithm with keypair fetched from vault
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, body = t('/apisix/admin/consumers',
|
||
|
ngx.HTTP_PUT,
|
||
|
[[{
|
||
|
"username": "jim",
|
||
|
"plugins": {
|
||
|
"jwt-auth": {
|
||
|
"key": "rsa",
|
||
|
"algorithm": "RS256",
|
||
|
"vault":{}
|
||
|
}
|
||
|
}
|
||
|
}]]
|
||
|
)
|
||
|
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.say(body)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
passed
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 9: sign a jwt with with rsa keypair and access /secure-endpoint
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, err, sign = t('/apisix/plugin/jwt/sign?key=rsa',
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
|
||
|
if code > 200 then
|
||
|
ngx.status = code
|
||
|
ngx.say(err)
|
||
|
return
|
||
|
end
|
||
|
|
||
|
local code, _, res = t('/secure-endpoint?jwt=' .. sign,
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.print(res)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
successfully invoked secure endpoint
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 10: store rsa private key into vault from local filesystem
|
||
|
--- exec
|
||
|
VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/consumer/john/jwt-auth private_key=@t/certs/private.pem
|
||
|
--- response_body
|
||
|
Success! Data written to: kv/apisix/consumer/john/jwt-auth
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 11: create consumer for RS256 algorithm with private key fetched from vault and public key in consumer schema
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, body = t('/apisix/admin/consumers',
|
||
|
ngx.HTTP_PUT,
|
||
|
[[{
|
||
|
"username": "john",
|
||
|
"plugins": {
|
||
|
"jwt-auth": {
|
||
|
"key": "rsa1",
|
||
|
"algorithm": "RS256",
|
||
|
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA79XYBopfnVMKxI533oU2\nVFQbEdSPtWRD+xSl73lHLVboGP1lSIZtnEj5AcTN2uDW6AYPiWL2iA3lEEsDTs7J\nBUXyl6pysBPfrqC8n/MOXKaD4e8U5GAHFiwHWg2WzHlfFSlFkLjzp0vPkDK+fQ4C\nlrd7shAyitB7use6DHcVCKuI4bFOoFbdI5sBGeyoD833g+ql9bRkH/vf8O+rPwHA\nM+47r1iv3lY3ex0P45PRd7U7rq8P8UIw6qOI1tiYuKlFJmjFdcwtYG0dctxWwgL1\n+7njrVQoWvuOTSsc9TDMhZkmmSsU3wXjaPxJpydck1C/w9ZLqsctKK5swYWhIcbc\nBQIDAQAB\n-----END PUBLIC KEY-----\n",
|
||
|
"vault":{}
|
||
|
}
|
||
|
}
|
||
|
}]]
|
||
|
)
|
||
|
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.say(body)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
passed
|
||
|
|
||
|
|
||
|
|
||
|
=== TEST 12: sign a jwt with with rsa keypair and access /secure-endpoint
|
||
|
--- config
|
||
|
location /t {
|
||
|
content_by_lua_block {
|
||
|
local t = require("lib.test_admin").test
|
||
|
local code, err, sign = t('/apisix/plugin/jwt/sign?key=rsa1',
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
|
||
|
if code > 200 then
|
||
|
ngx.status = code
|
||
|
ngx.say(err)
|
||
|
return
|
||
|
end
|
||
|
|
||
|
local code, _, res = t('/secure-endpoint?jwt=' .. sign,
|
||
|
ngx.HTTP_GET
|
||
|
)
|
||
|
if code >= 300 then
|
||
|
ngx.status = code
|
||
|
end
|
||
|
ngx.print(res)
|
||
|
}
|
||
|
}
|
||
|
--- response_body
|
||
|
successfully invoked secure endpoint
|