-
Notifications
You must be signed in to change notification settings - Fork 2.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: support gcp secret manager (#11436)
- Loading branch information
1 parent
a393320
commit 2fcfbd8
Showing
8 changed files
with
1,383 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,202 @@ | ||
-- | ||
-- Licensed to the Apache Software Foundation (ASF) under one or more | ||
-- contributor license agreements. See the NOTICE file distributed with | ||
-- this work for additional information regarding copyright ownership. | ||
-- The ASF licenses this file to You under the Apache License, Version 2.0 | ||
-- (the "License"); you may not use this file except in compliance with | ||
-- the License. You may obtain a copy of the License at | ||
-- | ||
-- http://www.apache.org/licenses/LICENSE-2.0 | ||
-- | ||
-- Unless required by applicable law or agreed to in writing, software | ||
-- distributed under the License is distributed on an "AS IS" BASIS, | ||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
-- See the License for the specific language governing permissions and | ||
-- limitations under the License. | ||
-- | ||
|
||
--- GCP Tools. | ||
local core = require("apisix.core") | ||
local http = require("resty.http") | ||
local google_oauth = require("apisix.utils.google-cloud-oauth") | ||
|
||
local str_sub = core.string.sub | ||
local str_find = core.string.find | ||
local decode_base64 = ngx.decode_base64 | ||
|
||
local lrucache = core.lrucache.new({ ttl = 300, count = 8 }) | ||
|
||
local schema = { | ||
type = "object", | ||
properties = { | ||
auth_config = { | ||
type = "object", | ||
properties = { | ||
client_email = { type = "string" }, | ||
private_key = { type = "string" }, | ||
project_id = { type = "string" }, | ||
token_uri = { | ||
type = "string", | ||
default = "https://oauth2.googleapis.com/token" | ||
}, | ||
scope = { | ||
type = "array", | ||
items = { | ||
type = "string" | ||
}, | ||
default = { | ||
"https://www.googleapis.com/auth/cloud-platform" | ||
} | ||
}, | ||
entries_uri = { | ||
type = "string", | ||
default = "https://secretmanager.googleapis.com/v1" | ||
}, | ||
}, | ||
required = { "client_email", "private_key", "project_id" } | ||
}, | ||
ssl_verify = { | ||
type = "boolean", | ||
default = true | ||
}, | ||
auth_file = { type = "string" }, | ||
}, | ||
oneOf = { | ||
{ required = { "auth_config" } }, | ||
{ required = { "auth_file" } }, | ||
}, | ||
} | ||
|
||
local _M = { | ||
schema = schema | ||
} | ||
|
||
local function fetch_oauth_conf(conf) | ||
if conf.auth_config then | ||
return conf.auth_config | ||
end | ||
|
||
local file_content, err = core.io.get_file(conf.auth_file) | ||
if not file_content then | ||
return nil, "failed to read configuration, file: " .. conf.auth_file .. ", err: " .. err | ||
end | ||
|
||
local config_tab, err = core.json.decode(file_content) | ||
if not config_tab then | ||
return nil, "config parse failure, data: " .. file_content .. ", err: " .. err | ||
end | ||
|
||
local config = { | ||
auth_config = { | ||
client_email = config_tab.client_email, | ||
private_key = config_tab.private_key, | ||
project_id = config_tab.project_id | ||
} | ||
} | ||
|
||
local ok, err = core.schema.check(schema, config) | ||
if not ok then | ||
return nil, "config parse failure, file: " .. conf.auth_file .. ", err: " .. err | ||
end | ||
|
||
return config_tab | ||
end | ||
|
||
|
||
local function get_secret(oauth, secrets_id) | ||
local httpc = http.new() | ||
|
||
local access_token = oauth:generate_access_token() | ||
if not access_token then | ||
return nil, "failed to get google oauth token" | ||
end | ||
|
||
local entries_uri = oauth.entries_uri .. "/projects/" .. oauth.project_id | ||
.. "/secrets/" .. secrets_id .. "/versions/latest:access" | ||
|
||
local res, err = httpc:request_uri(entries_uri, { | ||
ssl_verify = oauth.ssl_verify, | ||
method = "GET", | ||
headers = { | ||
["Content-Type"] = "application/json", | ||
["Authorization"] = (oauth.access_token_type or "Bearer") .. " " .. access_token, | ||
}, | ||
}) | ||
|
||
if not res then | ||
return nil, err | ||
end | ||
|
||
if res.status ~= 200 then | ||
return nil, res.body | ||
end | ||
|
||
local body, err = core.json.decode(res.body) | ||
if not body then | ||
return nil, "failed to parse response data, " .. err | ||
end | ||
|
||
local payload = body.payload | ||
if not payload then | ||
return nil, "invalid payload" | ||
end | ||
|
||
return decode_base64(payload.data) | ||
end | ||
|
||
|
||
local function make_request_to_gcp(conf, secrets_id) | ||
local auth_config, err = fetch_oauth_conf(conf) | ||
if not auth_config then | ||
return nil, err | ||
end | ||
|
||
local lru_key = auth_config.client_email .. "#" .. auth_config.project_id | ||
|
||
local oauth, err = lrucache(lru_key, "gcp", google_oauth.new, auth_config, conf.ssl_verify) | ||
if not oauth then | ||
return nil, "failed to create oauth object, " .. err | ||
end | ||
|
||
local secret, err = get_secret(oauth, secrets_id) | ||
if not secret then | ||
return nil, err | ||
end | ||
|
||
return secret | ||
end | ||
|
||
|
||
function _M.get(conf, key) | ||
core.log.info("fetching data from gcp for key: ", key) | ||
|
||
local idx = str_find(key, '/') | ||
|
||
local main_key = idx and str_sub(key, 1, idx - 1) or key | ||
if main_key == "" then | ||
return nil, "can't find main key, key: " .. key | ||
end | ||
|
||
local sub_key = idx and str_sub(key, idx + 1) | ||
|
||
core.log.info("main: ", main_key, sub_key and ", sub: " .. sub_key or "") | ||
|
||
local res, err = make_request_to_gcp(conf, main_key) | ||
if not res then | ||
return nil, "failed to retrtive data from gcp secret manager: " .. err | ||
end | ||
|
||
if not sub_key then | ||
return res | ||
end | ||
|
||
local data, err = core.json.decode(res) | ||
if not data then | ||
return nil, "failed to decode result, err: " .. err | ||
end | ||
|
||
return data[sub_key] | ||
end | ||
|
||
|
||
return _M |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
-- | ||
-- Licensed to the Apache Software Foundation (ASF) under one or more | ||
-- contributor license agreements. See the NOTICE file distributed with | ||
-- this work for additional information regarding copyright ownership. | ||
-- The ASF licenses this file to You under the Apache License, Version 2.0 | ||
-- (the "License"); you may not use this file except in compliance with | ||
-- the License. You may obtain a copy of the License at | ||
-- | ||
-- http://www.apache.org/licenses/LICENSE-2.0 | ||
-- | ||
-- Unless required by applicable law or agreed to in writing, software | ||
-- distributed under the License is distributed on an "AS IS" BASIS, | ||
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
-- See the License for the specific language governing permissions and | ||
-- limitations under the License. | ||
-- | ||
|
||
local core = require("apisix.core") | ||
local type = type | ||
local setmetatable = setmetatable | ||
|
||
local ngx_update_time = ngx.update_time | ||
local ngx_time = ngx.time | ||
local ngx_encode_args = ngx.encode_args | ||
|
||
local http = require("resty.http") | ||
local jwt = require("resty.jwt") | ||
|
||
|
||
local function get_timestamp() | ||
ngx_update_time() | ||
return ngx_time() | ||
end | ||
|
||
|
||
local _M = {} | ||
|
||
|
||
function _M.generate_access_token(self) | ||
if not self.access_token or get_timestamp() > self.access_token_expire_time - 60 then | ||
self:refresh_access_token() | ||
end | ||
return self.access_token | ||
end | ||
|
||
|
||
function _M.refresh_access_token(self) | ||
local http_new = http.new() | ||
local res, err = http_new:request_uri(self.token_uri, { | ||
ssl_verify = self.ssl_verify, | ||
method = "POST", | ||
body = ngx_encode_args({ | ||
grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer", | ||
assertion = self:generate_jwt_token() | ||
}), | ||
headers = { | ||
["Content-Type"] = "application/x-www-form-urlencoded", | ||
}, | ||
}) | ||
|
||
if not res then | ||
core.log.error("failed to refresh google oauth access token, ", err) | ||
return | ||
end | ||
|
||
if res.status ~= 200 then | ||
core.log.error("failed to refresh google oauth access token: ", res.body) | ||
return | ||
end | ||
|
||
res, err = core.json.decode(res.body) | ||
if not res then | ||
core.log.error("failed to parse google oauth response data: ", err) | ||
return | ||
end | ||
|
||
self.access_token = res.access_token | ||
self.access_token_type = res.token_type | ||
self.access_token_expire_time = get_timestamp() + res.expires_in | ||
end | ||
|
||
|
||
function _M.generate_jwt_token(self) | ||
local payload = core.json.encode({ | ||
iss = self.client_email, | ||
aud = self.token_uri, | ||
scope = self.scope, | ||
iat = get_timestamp(), | ||
exp = get_timestamp() + (60 * 60) | ||
}) | ||
|
||
local jwt_token = jwt:sign(self.private_key, { | ||
header = { alg = "RS256", typ = "JWT" }, | ||
payload = payload, | ||
}) | ||
|
||
return jwt_token | ||
end | ||
|
||
|
||
function _M.new(config, ssl_verify) | ||
local oauth = { | ||
client_email = config.client_email, | ||
private_key = config.private_key, | ||
project_id = config.project_id, | ||
token_uri = config.token_uri or "https://oauth2.googleapis.com/token", | ||
auth_uri = config.auth_uri or "https://accounts.google.com/o/oauth2/auth", | ||
entries_uri = config.entries_uri, | ||
access_token = nil, | ||
access_token_type = nil, | ||
access_token_expire_time = 0, | ||
} | ||
|
||
oauth.ssl_verify = ssl_verify | ||
|
||
if config.scope then | ||
if type(config.scope) == "string" then | ||
oauth.scope = config.scope | ||
end | ||
|
||
if type(config.scope) == "table" then | ||
oauth.scope = core.table.concat(config.scope, " ") | ||
end | ||
end | ||
|
||
return setmetatable(oauth, { __index = _M }) | ||
end | ||
|
||
|
||
return _M |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.