feature: support etcd auth (#1769)

Fix #1713 , #1770

.travis.yml

@@ -1,4 +1,4 @@
-dist: xenial
+dist: bionic
 sudo: required
 
 matrix:

.travis/linux_apisix_current_luarocks_runner.sh

@@ -47,6 +47,11 @@ script() {
     export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
     sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     sudo rm -rf /usr/local/apisix
 

.travis/linux_apisix_master_luarocks_runner.sh

@@ -47,7 +47,11 @@ script() {
     export_or_prefix
     export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
-    sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     sudo rm -rf /usr/local/apisix
 

.travis/linux_openresty_runner.sh

@@ -128,7 +128,11 @@ script() {
     export_or_prefix
     export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
-    sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     ./build-cache/grpc_server_example &
 
@@ -147,7 +151,7 @@ script() {
     sleep 1
 
     make lint && make license-check || exit 1
-    APISIX_ENABLE_LUACOV=1 prove -Itest-nginx/lib -r t
+    APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t
 }
 
 after_success() {

.travis/linux_tengine_runner.sh

@@ -271,7 +271,11 @@ script() {
     export_or_prefix
     export PATH=$OPENRESTY_PREFIX/nginx/sbin:$OPENRESTY_PREFIX/luajit/bin:$OPENRESTY_PREFIX/bin:$PATH
     openresty -V
-    sudo service etcd start
+    sudo service etcd stop
+    mkdir -p ~/etcd-data
+    /usr/bin/etcd --listen-client-urls 'http://0.0.0.0:2379' --advertise-client-urls='http://0.0.0.0:2379' --data-dir ~/etcd-data > /dev/null 2>&1 &
+    etcd --version
+    sleep 5
 
     ./build-cache/grpc_server_example &
 
@@ -284,7 +288,7 @@ script() {
     ./bin/apisix stop
     sleep 1
     make lint && make license-check || exit 1
-    APISIX_ENABLE_LUACOV=1 prove -Itest-nginx/lib -r t
+    APISIX_ENABLE_LUACOV=1 PERL5LIB=.:$PERL5LIB prove -Itest-nginx/lib -r t
 }
 
 after_success() {

conf/config.yaml

@@ -122,7 +122,8 @@ etcd:
     - "http://127.0.0.1:2379"     # multiple etcd address
   prefix: "/apisix"               # apisix configurations prefix
   timeout: 3                      # 3 seconds
-
+  # user: root                     # root username for etcd
+  # password: 5tHkHhYkjr6cQY        # root password for etcd
 #eureka:
 #  host:                           # it's possible to define multiple eureka hosts addresses of the same eureka cluster.
 #    - "http://127.0.0.1:8761"

t/APISIX.pm

@@ -79,6 +79,14 @@ $yaml_config =~ s/enable_heartbeat: true/enable_heartbeat: false/;
 $yaml_config =~ s/  # stream_proxy:/  stream_proxy:\n    tcp:\n      - 9100/;
 $yaml_config =~ s/admin_key:/disable_admin_key:/;
 
+my $etcd_enable_auth = $ENV{"ETCD_ENABLE_AUTH"} || "false";
+
+if ($etcd_enable_auth eq "true") {
+    $yaml_config =~ s/  # user:/  user:/;
+    $yaml_config =~ s/  # password:/  password:/;
+}
+
+
 my $profile = $ENV{"APISIX_PROFILE"};
 
 
@@ -102,6 +110,7 @@ add_block_preprocessor(sub {
 
     my $main_config = $block->main_config // <<_EOC_;
 worker_rlimit_core  500M;
+env ENABLE_ETCD_AUTH;
 env APISIX_PROFILE;
 _EOC_
 

t/core/etcd-auth-fail.t

@@ -0,0 +1,56 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+BEGIN {
+    $ENV{"ETCD_ENABLE_AUTH"} = "false"
+}
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+# Authentication is enabled at etcd and credentials are set
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY user add root:5tHkHhYkjr6cQY');
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth enable');
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role revoke --path "/*" -rw guest');
+
+run_tests;
+
+# Authentication is disabled at etcd & guest access is granted
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth disable');
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role grant --path "/*" -rw guest');
+
+
+__DATA__
+
+=== TEST 1: Set and Get a value pass
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local key = "/test_key"
+            local val = "test_value"
+            local res, err = core.etcd.set(key, val)
+            ngx.say(err)
+        }
+    }
+--- request
+GET /t
+--- response_body
+insufficient credentials code: 401

t/core/etcd-auth.t

@@ -0,0 +1,59 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+BEGIN {
+    $ENV{"ETCD_ENABLE_AUTH"} = "true"
+}
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+# Authentication is enabled at etcd and credentials are set
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY user add root:5tHkHhYkjr6cQY');
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth enable');
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role revoke --path "/*" -rw guest');
+
+run_tests;
+
+# Authentication is disabled at etcd & guest access is granted
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY auth disable');
+system('etcdctl --endpoints="http://127.0.0.1:2379" -u root:5tHkHhYkjr6cQY role grant --path "/*" -rw guest');
+
+__DATA__
+
+=== TEST 1: Set and Get a value pass with authentication
+--- config
+    location /t {
+        content_by_lua_block {
+            local core = require("apisix.core")
+            local key = "/test_key"
+            local val = "test_value"
+            core.etcd.set(key, val)
+            local res, err = core.etcd.get(key)
+            ngx.say(res.body.node.value)
+            core.etcd.delete(val)
+        }
+    }
+--- request
+GET /t
+--- response_body
+test_value
+--- no_error_log
+[error]