Basic authentication

CHANGELOG.md

@@ -7,6 +7,9 @@
 **Fixed**
 - Fixed the problem of linking existing security policies while migration.
 
+**Added**
+- Added Basic Authentication support [Issue #534](https://github.com/TykTechnologies/tyk-operator/issues/534)
+
 ## [v0.12.0](https://github.com/TykTechnologies/tyk-operator/tree/v0.12.0)
 [Full Changelog](https://github.com/TykTechnologies/tyk-operator/compare/v0.11.0...v0.12.0)
 

api/model/api.go

@@ -574,9 +574,11 @@ type APIDefinitionSpec struct {
 	// UseStandardAuth enables simple bearer token authentication
 	UseStandardAuth bool `json:"use_standard_auth,omitempty"`
 
-	// UseBasicAuth               bool                  `json:"use_basic_auth"`
+	// UseBasicAuth enables basic authentication
+	UseBasicAuth bool `json:"use_basic_auth,omitempty"`
 	// BasicAuth                  BasicAuthMeta         `json:"basic_auth"`
 
+	// UseMutualTLSAuth enables mututal TLS authentication
 	UseMutualTLSAuth      bool     `json:"use_mutual_tls_auth,omitempty"`
 	ClientCertificates    []string `json:"client_certificates,omitempty"`
 	ClientCertificateRefs []string `json:"client_certificate_refs,omitempty"`

config/crd/bases/tyk.tyk.io_apidefinitions.yaml

@@ -1105,6 +1105,8 @@ spec:
                   IDs that is used by the Tyk Gateway to provide mTLS support for
                   upstreams
                 type: object
+              use_basic_auth:
+                type: boolean
               use_go_plugin_auth:
                 description: Enable Go Plugin Auth. Needs to be combined with "use_keyless:false"
                 type: boolean

config/samples/basic-auth/httpbin_basic_authentication.yaml

@@ -0,0 +1,21 @@
+# Here we are creating an API definition with basic authentication for httpbin 
+
+apiVersion: tyk.tyk.io/v1alpha1
+kind: ApiDefinition
+metadata:
+  name: httpbin-basic-auth
+spec:
+  name: Httpbin Basic Authentication
+  protocol: http
+  active: true
+  proxy:
+    target_url: http://httpbin.org
+    listen_path: /httpbin
+    strip_listen_path: true
+  version_data:
+    default_version: Default
+    not_versioned: true
+    versions:
+      Default:
+        name: Default
+  use_basic_auth: true 

docs/api_definitions.md

@@ -49,7 +49,7 @@ To check the supported features of the API Definitions CRD version you're curren
 | OpenID Connect                | ❌        | -              | Not implemented | |
 | mTLS                          | ✅      | v0.11              | Only static client mTLS is supported | [Sample](./../config/samples/mtls/client/) |
 | HMAC                          | ❌        | -              | Not implemented | |
-| Basic Authentication          | ❌        | -              | Not implemented | |
+| Basic Authentication          | ✅        | v0.12          | Only enabling with default metadata values is supported  | [Sample](./../config/samples/basic-auth/httpbin_basic_authentication.yaml) |
 | Plugin Auth - Go              | ✅        | v0.11          | - | [Sample](./api_definitions/custom_plugin_goauth.yaml) |
 | Plugin Auth - gRPC            | ✅        | v0.1           | - | [Sample](./../bdd/features/api_http_grpc_plugin.feature) |
 | IP Whitelisting               | ✅        | v0.5           | - | [Sample](./api_definitions/ip.md#whitelisting) |

helm/crds/crds.yaml

@@ -938,6 +938,8 @@ spec:
                   type: string
                 description: UpstreamCertificates is a map of domains and certificate IDs that is used by the Tyk Gateway to provide mTLS support for upstreams
                 type: object
+              use_basic_auth:
+                type: boolean
               use_go_plugin_auth:
                 description: Enable Go Plugin Auth. Needs to be combined with "use_keyless:false"
                 type: boolean

integration/apidefinition_test.go

@@ -800,6 +800,112 @@ func TestApiDefinitionUpstreamCertificates(t *testing.T) {
 
 	testenv.Test(t, adCreate)
 }
+func TestApiDefinitionBasicAuth(t *testing.T) {
+	var (
+		apiDefBasicAuth  = "apidef-basic-authentication"
+		defaultVersion   = "Default"
+		opNs             = "tyk-operator-system"
+		tykConnectionURL = ""
+		tykOrg           = ""
+		tykAuth          = ""
+	)
+
+	mode := os.Getenv("TYK_MODE")
+
+	switch mode {
+	case "pro":
+		tykConnectionURL = adminLocalhost
+	case "ce":
+		tykConnectionURL = gatewayLocalhost
+	}
+
+	testBasicAuth := features.New("Basic authentication").
+		Setup(func(ctx context.Context, t *testing.T, envConf *envconf.Config) context.Context {
+			client := envConf.Client()
+			eval := is.New(t)
+			opConfSecret := v1.Secret{}
+
+			err := client.Resources(opNs).Get(ctx, "tyk-operator-conf", opNs, &opConfSecret)
+			eval.NoErr(err)
+
+			data, ok := opConfSecret.Data["TYK_AUTH"]
+			eval.True(ok)
+
+			tykAuth = string(data)
+
+			data, ok = opConfSecret.Data["TYK_ORG"]
+			eval.True(ok)
+
+			tykOrg = string(data)
+
+			return ctx
+		}).
+		Setup(func(ctx context.Context, t *testing.T, envConf *envconf.Config) context.Context {
+			testNS := ctx.Value(ctxNSKey).(string) //nolint:errcheck
+			eval := is.New(t)
+
+			// Create ApiDefinition with Basic Authentication
+			_, err := createTestAPIDef(ctx, testNS, func(apiDef *v1alpha1.ApiDefinition) {
+				apiDef.Name = apiDefBasicAuth
+				apiDef.Spec.UseBasicAuth = true
+				apiDef.Spec.VersionData.DefaultVersion = defaultVersion
+				apiDef.Spec.VersionData.NotVersioned = true
+				apiDef.Spec.VersionData.Versions = map[string]model.VersionInfo{
+					defaultVersion: {Name: defaultVersion},
+				}
+			}, envConf)
+			eval.NoErr(err) // failed to create apiDefinition
+
+			return ctx
+		}).
+		Assess("API must have basic authentication enabled",
+			func(ctx context.Context, t *testing.T, cfg *envconf.Config) context.Context {
+				eval := is.New(t)
+				client := cfg.Client()
+				testNS := ctx.Value(ctxNSKey).(string) //nolint:errcheck
+
+				var apiDef *model.APIDefinitionSpec
+
+				err := wait.For(func() (done bool, err error) {
+					env := environmet.Env{}
+					env.Mode = v1alpha1.OperatorContextMode(mode)
+					env.Org = tykOrg
+					env.Auth = tykAuth
+					env.URL = tykConnectionURL
+
+					pkgContext := pkgclient.Context{
+						Env: env,
+						Log: log.NullLogger{},
+					}
+
+					reqContext := pkgclient.SetContext(context.Background(), pkgContext)
+
+					// validate basic authentication field was set
+					var apiDefCRD v1alpha1.ApiDefinition
+
+					err = client.Resources().Get(ctx, apiDefBasicAuth, testNS, &apiDefCRD)
+					if err != nil {
+						return false, err
+					}
+
+					apiDef, err = klient.Universal.Api().Get(reqContext, apiDefCRD.Status.ApiID)
+					if err != nil {
+						return false, errors.New("API is not created yet")
+					}
+
+					eval.True(apiDef.UseBasicAuth)
+
+					return true, nil
+				}, wait.WithTimeout(defaultWaitTimeout), wait.WithInterval(defaultWaitInterval))
+				eval.NoErr(err)
+
+				eval.True(apiDef.UseBasicAuth)
+
+				return ctx
+			}).Feature()
+
+	testenv.Test(t, testBasicAuth)
+}
 
 func TestApiDefinitionClientMTLS(t *testing.T) {
 	var (