From 648800db4fa7a82827e1335cbee920074159b129 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 27 Mar 2024 13:11:32 +0545 Subject: [PATCH 01/14] feat: support more sensitive fields for encryption --- apisix/plugins/aws-lambda.lua | 3 ++- apisix/plugins/azure-functions.lua | 6 ++++-- apisix/plugins/jwe-decrypt.lua | 1 + apisix/plugins/openid-connect.lua | 2 +- apisix/plugins/openwhisk.lua | 3 ++- apisix/utils/redis-schema.lua | 1 + t/plugin/authz-casdoor.t | 6 ++++-- 7 files changed, 15 insertions(+), 7 deletions(-) diff --git a/apisix/plugins/aws-lambda.lua b/apisix/plugins/aws-lambda.lua index 1b172af4135d..2cfd85a41685 100644 --- a/apisix/plugins/aws-lambda.lua +++ b/apisix/plugins/aws-lambda.lua @@ -82,7 +82,8 @@ local aws_authz_schema = { }, required = {"accesskey", "secretkey"} } - } + }, + encrypt_fields = {"apikey", "iam.accesskey", "iam.secretkey"} } local function request_processor(conf, ctx, params) diff --git a/apisix/plugins/azure-functions.lua b/apisix/plugins/azure-functions.lua index 0b0e64d4f050..a5545f23cd3c 100644 --- a/apisix/plugins/azure-functions.lua +++ b/apisix/plugins/azure-functions.lua @@ -22,7 +22,8 @@ local azure_authz_schema = { properties = { apikey = {type = "string"}, clientid = {type = "string"} - } + }, + encrypt_fields = {"apikey"}, } local metadata_schema = { @@ -30,7 +31,8 @@ local metadata_schema = { properties = { master_apikey = {type = "string", default = ""}, master_clientid = {type = "string", default = ""} - } + }, + encrypt_fields = {"master_apikey"} } local function request_processor(conf, ctx, params) diff --git a/apisix/plugins/jwe-decrypt.lua b/apisix/plugins/jwe-decrypt.lua index 0e4447e02432..b4ce25150f68 100644 --- a/apisix/plugins/jwe-decrypt.lua +++ b/apisix/plugins/jwe-decrypt.lua @@ -51,6 +51,7 @@ local consumer_schema = { is_base64_encoded = { type = "boolean" }, }, required = { "key", "secret" }, + encrypt_fields = { "key", "secret" }, } 
diff --git a/apisix/plugins/openid-connect.lua b/apisix/plugins/openid-connect.lua index 435cf63631e9..da334ebfb682 100644 --- a/apisix/plugins/openid-connect.lua +++ b/apisix/plugins/openid-connect.lua @@ -268,7 +268,7 @@ local schema = { } } }, - encrypt_fields = {"client_secret"}, + encrypt_fields = {"client_secret", "client_rsa_private_key"}, required = {"client_id", "client_secret", "discovery"} } diff --git a/apisix/plugins/openwhisk.lua b/apisix/plugins/openwhisk.lua index 7043f14f5a05..718513adcb2f 100644 --- a/apisix/plugins/openwhisk.lua +++ b/apisix/plugins/openwhisk.lua @@ -49,7 +49,8 @@ local schema = { keepalive_timeout = {type = "integer", minimum = 1000, default = 60000}, keepalive_pool = {type = "integer", minimum = 1, default = 5} }, - required = {"api_host", "service_token", "namespace", "action"} + required = {"api_host", "service_token", "namespace", "action"}, + encrypt_fields = {"service_token"} } diff --git a/apisix/utils/redis-schema.lua b/apisix/utils/redis-schema.lua index c9fdec41d8fc..2e9242928b16 100644 --- a/apisix/utils/redis-schema.lua +++ b/apisix/utils/redis-schema.lua @@ -44,6 +44,7 @@ local policy_to_additional_properties = { }, }, required = {"redis_host"}, + encrypt_fields = {"redis_password"} }, ["redis-cluster"] = { properties = { diff --git a/t/plugin/authz-casdoor.t b/t/plugin/authz-casdoor.t index aef07faccbd8..be3af5c20b40 100644 --- a/t/plugin/authz-casdoor.t +++ b/t/plugin/authz-casdoor.t @@ -137,7 +137,7 @@ done "upstream": { "type": "roundrobin", "nodes": { - "test.com:1980": 1 + "127.0.0.1:1980": 1 } } }]] @@ -477,7 +477,7 @@ apisix: "upstream": { "type": "roundrobin", "nodes": { - "test.com:1980": 1 + "127.0.0.1:1980": 1 } } }]] 
@@ -506,6 +506,8 @@ apisix: -- get plugin conf from etcd, password is encrypted local etcd = require("apisix.core.etcd") local res = assert(etcd.get('/routes/1')) + local core = require("apisix.core") + core.log.warn("dibag", core.json.encode(res.body.node.value.plugins["authz-casdoor"].client_secret)) ngx.say(res.body.node.value.plugins["authz-casdoor"].client_secret) } } From dc6999dc0afafa16081bbdb26ac3b5d6183838b8 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 27 Mar 2024 14:07:50 +0545 Subject: [PATCH 02/14] remove unwanted changes --- t/plugin/authz-casdoor.t | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/t/plugin/authz-casdoor.t b/t/plugin/authz-casdoor.t index be3af5c20b40..aef07faccbd8 100644 --- a/t/plugin/authz-casdoor.t +++ b/t/plugin/authz-casdoor.t @@ -137,7 +137,7 @@ done "upstream": { "type": "roundrobin", "nodes": { - "127.0.0.1:1980": 1 + "test.com:1980": 1 } } }]] @@ -477,7 +477,7 @@ apisix: "upstream": { "type": "roundrobin", "nodes": { - "127.0.0.1:1980": 1 + "test.com:1980": 1 } } }]] @@ -506,8 +506,6 @@ apisix: -- get plugin conf from etcd, password is encrypted local etcd = require("apisix.core.etcd") local res = assert(etcd.get('/routes/1')) - local core = require("apisix.core") - core.log.warn("dibag", core.json.encode(res.body.node.value.plugins["authz-casdoor"].client_secret)) ngx.say(res.body.node.value.plugins["authz-casdoor"].client_secret) } } From 84caf2257cde872faa9d3d7cd6002f5a931a9a15 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Wed, 27 Mar 2024 20:33:59 +0545 Subject: [PATCH 03/14] revert --- apisix/plugins/aws-lambda.lua | 3 +-- apisix/plugins/azure-functions.lua | 6 ++---- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/apisix/plugins/aws-lambda.lua b/apisix/plugins/aws-lambda.lua index 2cfd85a41685..1b172af4135d 100644 --- a/apisix/plugins/aws-lambda.lua +++ b/apisix/plugins/aws-lambda.lua 
@@ -82,8 +82,7 @@ local aws_authz_schema = { }, required = {"accesskey", "secretkey"} } - }, - encrypt_fields = {"apikey", "iam.accesskey", "iam.secretkey"} + } } local function request_processor(conf, ctx, params) diff --git a/apisix/plugins/azure-functions.lua b/apisix/plugins/azure-functions.lua index a5545f23cd3c..0b0e64d4f050 100644 --- a/apisix/plugins/azure-functions.lua +++ b/apisix/plugins/azure-functions.lua @@ -22,8 +22,7 @@ local azure_authz_schema = { properties = { apikey = {type = "string"}, clientid = {type = "string"} - }, - encrypt_fields = {"apikey"}, + } } local metadata_schema = { @@ -31,8 +30,7 @@ local metadata_schema = { properties = { master_apikey = {type = "string", default = ""}, master_clientid = {type = "string", default = ""} - }, - encrypt_fields = {"master_apikey"} + } } local function request_processor(conf, ctx, params) From 79e6b2622294c0d7094a46ad74ed3a58ff389c16 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 08:39:16 +0545 Subject: [PATCH 04/14] cover jwe-decrypt --- apisix/plugins/jwe-decrypt.lua | 30 +++++++++++++++++++++--------- t/plugin/jwe-decrypt.t | 8 ++++++++ 2 files changed, 29 insertions(+), 9 deletions(-) diff --git a/apisix/plugins/jwe-decrypt.lua b/apisix/plugins/jwe-decrypt.lua index b4ce25150f68..3af195d08fbc 100644 --- a/apisix/plugins/jwe-decrypt.lua +++ b/apisix/plugins/jwe-decrypt.lua @@ -15,6 +15,7 @@ -- limitations under the License. -- local core = require("apisix.core") +local plugin = require("apisix.plugin") local consumer_mod = require("apisix.consumer") local base64 = require("ngx.base64") local aes = require("resty.aes") 
@@ -72,15 +73,26 @@ function _M.check_schema(conf, schema_type) return false, err end - -- restrict the length of secret, we use A256GCM for encryption, - -- so the length should be 32 chars only - if conf.is_base64_encoded then - if #base64.decode_base64url(conf.secret) ~= 32 then - return false, "the secret length after base64 decode should be 32 chars" - end - else - if #conf.secret ~= 32 then - return false, "the secret length should be 32 chars" + local local_conf, err = core.config.local_conf(true) + if not local_conf then + return false, "failed to load the configuration file: " .. err + end + + local encrypted = core.table.try_read_attr(local_conf, "apisix", "data_encryption", + "enable_encrypt_fields") and (core.config.type == "etcd") + + -- if encrypted, the secret length will exceed 32 so don't check + if not encrypted then + -- restrict the length of secret, we use A256GCM for encryption, + -- so the length should be 32 chars only + if conf.is_base64_encoded then + if #base64.decode_base64url(conf.secret) ~= 32 then + return false, "the secret length after base64 decode should be 32 chars" + end + else + if #conf.secret ~= 32 then + return false, "the secret length should be 32 chars" + end end end diff --git a/t/plugin/jwe-decrypt.t b/t/plugin/jwe-decrypt.t index e7fcf7756f50..f8285d9a3021 100644 --- a/t/plugin/jwe-decrypt.t +++ b/t/plugin/jwe-decrypt.t @@ -95,6 +95,10 @@ done === TEST 4: secret length too long +--- yaml_config +apisix: + data_encryption: + enable_encrypt_fields: false --- config location /t { content_by_lua_block { @@ -115,6 +119,10 @@ done === TEST 5: secret length too long(base64 encode) +--- yaml_config +apisix: + data_encryption: + enable_encrypt_fields: false --- config location /t { content_by_lua_block { From dc80600eeb815be877fa263a7495a2feb103ee29 Mon Sep 17 00:00:00 2001 
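Review bot: With `enable_encrypt_fields` on and etcd as the config store, the new `if not encrypted then` guard drops the 32-byte length check entirely, so a secret of the wrong length for A256GCM is accepted at configuration time and only fails later when the plugin tries to decrypt a token; the two `t/plugin/jwe-decrypt.t` hunks on this line (TEST 4 and 5) pin `enable_encrypt_fields: false`, so that path has no test. If check_schema also sees the plaintext secret when the Admin API validates the object before it is stored encrypted, the check could be kept for that call; otherwise a comment such as `-- the stored value is ciphertext here; plaintext length is only enforced when encryption is off` should state why the check is skipped. `local local_conf, err = core.config.local_conf(true)` also re-declares `err`, which the hunk's first context line `return false, err` shows is already in scope; `local local_conf, conf_err = ...` avoids the shadowing. check_schema continues past the end of the hunk.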
From: Abhishek Choudhary Date: Thu, 28 Mar 2024 09:19:05 +0545 Subject: [PATCH 05/14] test for redis --- t/plugin/limit-conn-redis.t | 41 ++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/t/plugin/limit-conn-redis.t b/t/plugin/limit-conn-redis.t index a121453707d7..80ff9d3e45c9 100644 --- a/t/plugin/limit-conn-redis.t +++ b/t/plugin/limit-conn-redis.t @@ -294,7 +294,46 @@ status:503, count:4 "type": "roundrobin" }, "uri": "/limit_conn" - }]] + }]], + [[{ + "value": { + "status": 1, + "priority": 0, + "uri": "/limit_conn", + "plugins": { + "limit-conn": { + "redis_ssl": false, + "redis_ssl_verify": false, + "redis_host": "127.0.0.1", + "redis_port": 6379, + "redis_password": "somepassword", + "redis_username": "alice", + "key": "remote_addr", + "burst": 1, + "default_conn_delay": 0.1, + "only_use_default_delay": false, + "key_type": "var", + "conn": 5, + "policy": "redis", + "allow_degradation": false, + "rejected_code": 503, + "redis_timeout": 1000, + "redis_database": 0 + } + }, + "upstream": { + "scheme": "http", + "pass_host": "pass", + "hash_on": "vars", + "type": "roundrobin", + "nodes": { + "127.0.0.1:1980": 1 + } + }, + "id": "1" + }, + "key": "/apisix/routes/1" + }]] ) if code >= 300 then From d0c168984038646b86fd16a9cb038049f9384290 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 10:08:00 +0545 Subject: [PATCH 06/14] openwhisk test --- t/plugin/openwhisk.t | 52 ++++++++++++++++++++++++++++++-------------- 1 file changed, 36 insertions(+), 16 deletions(-) diff --git a/t/plugin/openwhisk.t b/t/plugin/openwhisk.t index f906c9994fb0..4e8254a73124 100644 --- a/t/plugin/openwhisk.t +++ b/t/plugin/openwhisk.t 
@@ -117,7 +117,27 @@ passed -=== TEST 5: hit route (with GET request) +=== TEST 5: verify encrypted field +--- config + location /t { + content_by_lua_block { + local json = require("toolkit.json") + local t = require("lib.test_admin").test + + + -- get plugin conf from etcd, password is encrypted + local etcd = require("apisix.core.etcd") + local res = assert(etcd.get('/routes/1')) + ngx.say(res.body.node.value.plugins["openwhisk"].service_token) + + } + } +--- response_body +pe14btxogtzJ4qPM/W2qj0AQeUK/O5oegLkKJLkkSEsKUIjP+bgyO+qsTXuLrY/h/esLKrRulD2TOtf+Zt/Us+hxZ/svsMwXZqZ9T9/2wWyi8SKALLfTUZDiV69mxCwD2zNBze1jslMlPtdA9JFIOQ== + + + +=== TEST 6: hit route (with GET request) --- request GET /hello --- response_body chomp @@ -125,7 +145,7 @@ GET /hello -=== TEST 6: hit route (with POST method and non-json format request body) +=== TEST 7: hit route (with POST method and non-json format request body) --- request POST /hello test=test @@ -137,7 +157,7 @@ qr/"error":"The request content was malformed/ -=== TEST 7: setup route with plugin +=== TEST 8: setup route with plugin --- config location /t { content_by_lua_block { @@ -172,7 +192,7 @@ passed -=== TEST 8: hit route (with POST and correct request body) +=== TEST 9: hit route (with POST and correct request body) --- request POST /hello {"name": "world"} @@ -183,7 +203,7 @@ Content-Type: application/json -=== TEST 9: reset route to non-existent action +=== TEST 10: reset route to non-existent action --- config location /t { content_by_lua_block { @@ -218,7 +238,7 @@ passed -=== TEST 10: hit route (with non-existent action) +=== TEST 11: hit route (with non-existent action) --- request POST /hello {"name": "world"} @@ -230,7 +250,7 @@ qr/"error":"The requested resource does not exist."/ -=== TEST 11: reset route to wrong api_host +=== TEST 12: reset route to wrong api_host --- config location /t { content_by_lua_block { 
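Review bot: The new TEST 5 block declares `local json = require("toolkit.json")` and `local t = require("lib.test_admin").test` and uses neither; both lines can be dropped, and the same two unused locals appear in the openid-connect.t TEST 5 and jwe-decrypt.t TEST 7 blocks added later in this series. The test also pins the exact ciphertext `pe14btxog…` as `--- response_body` but carries no `--- yaml_config`, so it passes only when the global default has `enable_encrypt_fields` on with the default keyring; declaring `apisix: data_encryption: enable_encrypt_fields: true` in the test, the way jwe-decrypt.t TEST 4/5 declare the off case, makes that dependency explicit rather than inherited from `conf/config-default.yaml`.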
@@ -265,7 +285,7 @@ passed -=== TEST 12: hit route (with wrong api_host) +=== TEST 13: hit route (with wrong api_host) --- request POST /hello {"name": "world"} @@ -277,7 +297,7 @@ failed to process openwhisk action, err: -=== TEST 13: reset route to packaged action +=== TEST 14: reset route to packaged action --- config location /t { content_by_lua_block { @@ -313,7 +333,7 @@ passed -=== TEST 14: hit route (with packaged action) +=== TEST 15: hit route (with packaged action) --- request GET /hello --- response_body chomp @@ -321,7 +341,7 @@ GET /hello -=== TEST 15: reset route to status code action +=== TEST 16: reset route to status code action --- config location /t { content_by_lua_block { @@ -356,14 +376,14 @@ passed -=== TEST 16: hit route (with packaged action) +=== TEST 17: hit route (with packaged action) --- request GET /hello --- error_code: 407 -=== TEST 17: reset route to headers action +=== TEST 18: reset route to headers action --- config location /t { content_by_lua_block { @@ -398,7 +418,7 @@ passed -=== TEST 18: hit route (with headers action) +=== TEST 19: hit route (with headers action) --- request GET /hello --- response_headers @@ -406,7 +426,7 @@ test: header -=== TEST 19: reset route to body action +=== TEST 20: reset route to body action --- config location /t { content_by_lua_block { @@ -441,7 +461,7 @@ passed -=== TEST 20: hit route (with body action) +=== TEST 21: hit route (with body action) --- request GET /hello --- response_body From 3e0356438fd621b7caf82e070e2bc58ccb9f902b Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 10:08:34 +0545 Subject: [PATCH 07/14] revert conn test --- t/plugin/limit-conn-redis.t | 41 +------------------------------------ 1 file changed, 1 insertion(+), 40 deletions(-) diff --git a/t/plugin/limit-conn-redis.t b/t/plugin/limit-conn-redis.t index 80ff9d3e45c9..a121453707d7 100644 --- a/t/plugin/limit-conn-redis.t +++ b/t/plugin/limit-conn-redis.t 
@@ -294,46 +294,7 @@ status:503, count:4 "type": "roundrobin" }, "uri": "/limit_conn" - }]], - [[{ - "value": { - "status": 1, - "priority": 0, - "uri": "/limit_conn", - "plugins": { - "limit-conn": { - "redis_ssl": false, - "redis_ssl_verify": false, - "redis_host": "127.0.0.1", - "redis_port": 6379, - "redis_password": "somepassword", - "redis_username": "alice", - "key": "remote_addr", - "burst": 1, - "default_conn_delay": 0.1, - "only_use_default_delay": false, - "key_type": "var", - "conn": 5, - "policy": "redis", - "allow_degradation": false, - "rejected_code": 503, - "redis_timeout": 1000, - "redis_database": 0 - } - }, - "upstream": { - "scheme": "http", - "pass_host": "pass", - "hash_on": "vars", - "type": "roundrobin", - "nodes": { - "127.0.0.1:1980": 1 - } - }, - "id": "1" - }, - "key": "/apisix/routes/1" - }]] + }]] ) if code >= 300 then From 6b0f3255d7e83d348e0b49e66625980a8284987d Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 10:22:32 +0545 Subject: [PATCH 08/14] test oidc --- t/plugin/openid-connect.t | 91 ++++++++++++++++++++++++--------------- 1 file changed, 56 insertions(+), 35 deletions(-) diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t index 6a883486724a..64323a70a081 100644 --- a/t/plugin/openid-connect.t +++ b/t/plugin/openid-connect.t @@ -106,6 +106,7 @@ done "openid-connect": { "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH", "client_secret": "60Op4HFM0I8ajz0WdiStAbziZ-VFQttXuxixHHs2R7r7-CW8GR79l-mmLqMhc-Sa", + "client_rsa_private_key": "89ae4c8edadf1cd1c9f034335f136f87ad84b625c8f1", "discovery": "http://127.0.0.1:1980/.well-known/openid-configuration", "redirect_uri": "https://iresty.com", "ssl_verify": false, 
@@ -135,7 +136,27 @@ passed -=== TEST 5: Access route w/o bearer token. Should redirect to authentication endpoint of ID provider. +=== TEST 5: verify encrypted field +--- config + location /t { + content_by_lua_block { + local json = require("toolkit.json") + local t = require("lib.test_admin").test + + + -- get plugin conf from etcd, password is encrypted + local etcd = require("apisix.core.etcd") + local res = assert(etcd.get('/routes/1')) + ngx.say(res.body.node.value.plugins["openid-connect"].client_rsa_private_key) + + } + } +--- response_body +qO8TJbXcxCUnkkaTs3PxWDk5a54lv7FmngKQaxuXV4cL+7Kp1R4D8NS4w88so4e+ + + + +=== TEST 6: Access route w/o bearer token. Should redirect to authentication endpoint of ID provider. --- config location /t { content_by_lua_block { @@ -161,7 +182,7 @@ true -=== TEST 6: Modify route to match catch-all URI `/*` and point plugin to local Keycloak instance. +=== TEST 7: Modify route to match catch-all URI `/*` and point plugin to local Keycloak instance. --- config location /t { content_by_lua_block { @@ -208,7 +229,7 @@ passed -=== TEST 7: Access route w/o bearer token and go through the full OIDC Relying Party authentication process. +=== TEST 8: Access route w/o bearer token and go through the full OIDC Relying Party authentication process. --- config location /t { content_by_lua_block { @@ -266,7 +287,7 @@ x-userinfo: ey.* -=== TEST 8: Re-configure plugin with respect to headers that get sent to upstream. +=== TEST 9: Re-configure plugin with respect to headers that get sent to upstream. --- config location /t { content_by_lua_block { @@ -312,7 +333,7 @@ passed -=== TEST 9: Access route w/o bearer token and go through the full OIDC Relying Party authentication process. +=== TEST 10: Access route w/o bearer token and go through the full OIDC Relying Party authentication process. --- config location /t { content_by_lua_block { 
@@ -367,7 +388,7 @@ x-real-ip: 127.0.0.1 -=== TEST 10: Update plugin with `bearer_only=true`. +=== TEST 11: Update plugin with `bearer_only=true`. --- config location /t { content_by_lua_block { @@ -408,7 +429,7 @@ passed -=== TEST 11: Access route w/o bearer token. Should return 401 (Unauthorized). +=== TEST 12: Access route w/o bearer token. Should return 401 (Unauthorized). --- timeout: 10s --- request GET /hello @@ -420,7 +441,7 @@ OIDC introspection failed: No bearer token found in request. -=== TEST 12: Access route with invalid Authorization header value. Should return 400 (Bad Request). +=== TEST 13: Access route with invalid Authorization header value. Should return 400 (Bad Request). --- timeout: 10s --- request GET /hello @@ -432,7 +453,7 @@ OIDC introspection failed: Invalid Authorization header format. -=== TEST 13: Update plugin with ID provider public key, so tokens can be validated locally. +=== TEST 14: Update plugin with ID provider public key, so tokens can be validated locally. --- config location /t { content_by_lua_block { @@ -482,7 +503,7 @@ passed -=== TEST 14: Access route with valid token. +=== TEST 15: Access route with valid token. --- config location /t { content_by_lua_block { @@ -506,7 +527,7 @@ true -=== TEST 15: Update route URI to '/uri' where upstream endpoint returns request headers in response body. +=== TEST 16: Update route URI to '/uri' where upstream endpoint returns request headers in response body. --- config location /t { content_by_lua_block { @@ -556,7 +577,7 @@ passed -=== TEST 16: Access route with valid token in `Authorization` header. Upstream should additionally get the token in the `X-Access-Token` header. +=== TEST 17: Access route with valid token in `Authorization` header. Upstream should additionally get the token in the `X-Access-Token` header. --- request GET /uri HTTP/1.1 --- more_headers 
@@ -572,7 +593,7 @@ x-userinfo: ey.* -=== TEST 17: Update plugin to only use `Authorization` header. +=== TEST 18: Update plugin to only use `Authorization` header. --- config location /t { content_by_lua_block { @@ -626,7 +647,7 @@ passed -=== TEST 18: Access route with valid token in `Authorization` header. Upstream should not get the additional `X-Access-Token` header. +=== TEST 19: Access route with valid token in `Authorization` header. Upstream should not get the additional `X-Access-Token` header. --- request GET /uri HTTP/1.1 --- more_headers @@ -640,7 +661,7 @@ x-real-ip: 127.0.0.1 -=== TEST 19: Switch route URI back to `/hello`. +=== TEST 20: Switch route URI back to `/hello`. --- config location /t { content_by_lua_block { @@ -690,7 +711,7 @@ passed -=== TEST 20: Access route with invalid token. Should return 401. +=== TEST 21: Access route with invalid token. Should return 401. --- config location /t { content_by_lua_block { @@ -719,7 +740,7 @@ jwt signature verification failed -=== TEST 21: Update route with Keycloak introspection endpoint and public key removed. Should now invoke introspection endpoint to validate tokens. +=== TEST 22: Update route with Keycloak introspection endpoint and public key removed. Should now invoke introspection endpoint to validate tokens. --- config location /t { content_by_lua_block { @@ -762,7 +783,7 @@ passed -=== TEST 22: Obtain valid token and access route with it. +=== TEST 23: Obtain valid token and access route with it. --- config location /t { content_by_lua_block { @@ -822,7 +843,7 @@ token validate successfully by introspection -=== TEST 23: Access route with an invalid token. +=== TEST 24: Access route with an invalid token. --- config location /t { content_by_lua_block { @@ -851,7 +872,7 @@ OIDC introspection failed: invalid token -=== TEST 24: Check defaults. +=== TEST 25: Check defaults. --- config location /t { content_by_lua_block { 
@@ -880,7 +901,7 @@ OIDC introspection failed: invalid token -=== TEST 25: Update plugin with ID provider jwks endpoint for token verification. +=== TEST 26: Update plugin with ID provider jwks endpoint for token verification. --- config location /t { content_by_lua_block { @@ -924,7 +945,7 @@ passed -=== TEST 26: Obtain valid token and access route with it. +=== TEST 27: Obtain valid token and access route with it. --- config location /t { content_by_lua_block { @@ -984,7 +1005,7 @@ token validate successfully by jwks -=== TEST 27: Access route with an invalid token. +=== TEST 28: Access route with an invalid token. --- config location /t { content_by_lua_block { @@ -1013,7 +1034,7 @@ OIDC introspection failed: invalid jwt: invalid jwt string -=== TEST 28: Modify route to match catch-all URI `/*` and add post_logout_redirect_uri option. +=== TEST 29: Modify route to match catch-all URI `/*` and add post_logout_redirect_uri option. --- config location /t { content_by_lua_block { @@ -1060,7 +1081,7 @@ passed -=== TEST 29: Access route w/o bearer token and request logout to redirect to post_logout_redirect_uri. +=== TEST 30: Access route w/o bearer token and request logout to redirect to post_logout_redirect_uri. --- config location /t { content_by_lua_block { @@ -1126,7 +1147,7 @@ http://127.0.0.1:.*/hello -=== TEST 30: Switch route URI back to `/hello` and enable pkce. +=== TEST 31: Switch route URI back to `/hello` and enable pkce. --- config location /t { content_by_lua_block { @@ -1167,7 +1188,7 @@ passed -=== TEST 31: Access route w/o bearer token. Should redirect to authentication endpoint of ID provider with code_challenge parameters. +=== TEST 32: Access route w/o bearer token. Should redirect to authentication endpoint of ID provider with code_challenge parameters. --- config location /t { content_by_lua_block { 
@@ -1195,7 +1216,7 @@ true -=== TEST 32: set use_jwks and set_userinfo_header to validate "x-userinfo" in request header +=== TEST 33: set use_jwks and set_userinfo_header to validate "x-userinfo" in request header --- config location /t { content_by_lua_block { @@ -1241,7 +1262,7 @@ passed -=== TEST 33: Access route to validate "x-userinfo" in request header +=== TEST 34: Access route to validate "x-userinfo" in request header --- config location /t { content_by_lua_block { @@ -1306,7 +1327,7 @@ x-userinfo: ey.* -=== TEST 34: Set up new route with plugin matching URI `/*` +=== TEST 35: Set up new route with plugin matching URI `/*` --- config location /t { content_by_lua_block { @@ -1344,7 +1365,7 @@ passed -=== TEST 35: Check whether auth0 can redirect normally using post_logout_redirect_uri configuration +=== TEST 36: Check whether auth0 can redirect normally using post_logout_redirect_uri configuration --- config location /t { content_by_lua_block { @@ -1367,7 +1388,7 @@ true -=== TEST 36: Set up new route with plugin matching URI `/*` +=== TEST 37: Set up new route with plugin matching URI `/*` --- config location /t { content_by_lua_block { @@ -1405,7 +1426,7 @@ passed -=== TEST 37: Check whether google can redirect normally using post_logout_redirect_uri configuration +=== TEST 38: Check whether google can redirect normally using post_logout_redirect_uri configuration --- config location /t { content_by_lua_block { @@ -1428,7 +1449,7 @@ true -=== TEST 38: Update plugin config to use_jwk and bear_only false +=== TEST 39: Update plugin config to use_jwk and bear_only false --- config location /t { content_by_lua_block { @@ -1472,7 +1493,7 @@ passed -=== TEST 39: Test that jwt with bearer_only false still allows a valid Authorization header +=== TEST 40: Test that jwt with bearer_only false still allows a valid Authorization header --- config location /t { content_by_lua_block { From 2ba566a311cf7f824bc34da7172d11e78e41a01d Mon Sep 17 00:00:00 2001 
From: Abhishek Choudhary Date: Thu, 28 Mar 2024 10:22:58 +0545 Subject: [PATCH 09/14] temp --- conf/config-default.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/config-default.yaml b/conf/config-default.yaml index 8c1f941a3e63..29f44f83b7ea 100755 --- a/conf/config-default.yaml +++ b/conf/config-default.yaml @@ -118,7 +118,7 @@ apisix: disable_sync_configuration_during_start: false # Safe exit. TO BE REMOVED. data_encryption: # Data encryption settings. - enable_encrypt_fields: false # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema. + enable_encrypt_fields: true # Whether enable encrypt fields specified in `encrypt_fields` in plugin schema. keyring: # This field is used to encrypt the private key of SSL and the `encrypt_fields` # in plugin schema. - qeddd145sfvddff3 # Set the encryption key for AES-128-CBC. It should be a hexadecimal string From 10c31c713afbee16c81bf4cea7a9e0bb71b3779f Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 13:42:57 +0545 Subject: [PATCH 10/14] fix lint --- t/plugin/openid-connect.t | 2 +- t/plugin/openwhisk.t | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t index 64323a70a081..486207790225 100644 --- a/t/plugin/openid-connect.t +++ b/t/plugin/openid-connect.t @@ -142,7 +142,7 @@ passed content_by_lua_block { local json = require("toolkit.json") local t = require("lib.test_admin").test - + -- get plugin conf from etcd, password is encrypted local etcd = require("apisix.core.etcd") diff --git a/t/plugin/openwhisk.t b/t/plugin/openwhisk.t index 4e8254a73124..b8a09fae099d 100644 --- a/t/plugin/openwhisk.t +++ b/t/plugin/openwhisk.t @@ -123,7 +123,7 @@ passed content_by_lua_block { local json = require("toolkit.json") local t = require("lib.test_admin").test - + -- get plugin conf from etcd, password is encrypted local etcd = require("apisix.core.etcd") 
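Review bot: The shipped default `enable_encrypt_fields: true` set here arrives under a commit titled "temp", yet the later test blocks in this series (openwhisk.t TEST 5, openid-connect.t TEST 5, jwe-decrypt.t TEST 7) only reproduce their pinned ciphertexts with this default in place; if the flip exists only to drive those tests, it belongs in each test's `--- yaml_config` rather than in `conf/config-default.yaml`. If it is meant to ship, the `keyring` entry `qeddd145sfvddff3` visible in the same hunk is the public default, so encryption with it protects stored secrets only once operators set their own key; the inline comment should say so, e.g. `# Encrypts fields listed in plugin schema `encrypt_fields` with `keyring` below; set a private keyring before relying on this.`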
From b442984e94f34cf5a75cd4c6a546b17bfe9f8f97 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 13:52:03 +0545 Subject: [PATCH 11/14] fix lint --- apisix/plugins/jwe-decrypt.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/apisix/plugins/jwe-decrypt.lua b/apisix/plugins/jwe-decrypt.lua index 3af195d08fbc..b0d1e16f6d2a 100644 --- a/apisix/plugins/jwe-decrypt.lua +++ b/apisix/plugins/jwe-decrypt.lua @@ -15,7 +15,6 @@ -- limitations under the License. -- local core = require("apisix.core") -local plugin = require("apisix.plugin") local consumer_mod = require("apisix.consumer") local base64 = require("ngx.base64") local aes = require("resty.aes") From 94eb907f9bc1d28d7ddc96ae83d9a8a21e35bcaf Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 14:41:47 +0545 Subject: [PATCH 12/14] remove redis schema --- apisix/utils/redis-schema.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/apisix/utils/redis-schema.lua b/apisix/utils/redis-schema.lua index 2e9242928b16..c9fdec41d8fc 100644 --- a/apisix/utils/redis-schema.lua +++ b/apisix/utils/redis-schema.lua @@ -44,7 +44,6 @@ local policy_to_additional_properties = { }, }, required = {"redis_host"}, - encrypt_fields = {"redis_password"} }, ["redis-cluster"] = { properties = { From 03504c3143fd3a06028df7b8d835ddcce9a3abc7 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 14:48:17 +0545 Subject: [PATCH 13/14] test jwe-decrypt --- t/plugin/jwe-decrypt.t | 58 ++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 19 deletions(-) diff --git a/t/plugin/jwe-decrypt.t b/t/plugin/jwe-decrypt.t index f8285d9a3021..af2af32919e2 100644 --- a/t/plugin/jwe-decrypt.t +++ b/t/plugin/jwe-decrypt.t 
@@ -171,7 +171,27 @@ passed -=== TEST 7: enable jwe-decrypt plugin using admin api +=== TEST 7: verify encrypted field +--- config + location /t { + content_by_lua_block { + local json = require("toolkit.json") + local t = require("lib.test_admin").test + + -- get plugin conf from etcd, secret and key is encrypted + local etcd = require("apisix.core.etcd") + local res = assert(etcd.get('/consumers/jack')) + ngx.say(res.body.node.value.plugins["jwe-decrypt"].key) + ngx.say(res.body.node.value.plugins["jwe-decrypt"].secret) + } + } +--- response_body +XU29sA3FEVF68hGcdPo7sg== +f9pGB0Dt4gYNCLKiINPfVSviKjQs2zfkBCT4+XZ3mDABZkJTr0orzYRD5CptDKMc + + + +=== TEST 8: enable jwe-decrypt plugin using admin api --- config location /t { content_by_lua_block { @@ -206,7 +226,7 @@ passed -=== TEST 8: create public API route (jwe-decrypt sign) +=== TEST 9: create public API route (jwe-decrypt sign) --- config location /t { content_by_lua_block { @@ -232,7 +252,7 @@ passed -=== TEST 9: sign / verify in argument +=== TEST 10: sign / verify in argument --- config location /t { content_by_lua_block { @@ -262,14 +282,14 @@ hello world -=== TEST 10: test for unsupported method +=== TEST 11: test for unsupported method --- request PATCH /apisix/plugin/jwe/encrypt?key=user-key --- error_code: 404 -=== TEST 11: verify, missing token +=== TEST 12: verify, missing token --- request GET /hello --- error_code: 403 @@ -278,7 +298,7 @@ GET /hello -=== TEST 12: verify: invalid JWE token +=== TEST 13: verify: invalid JWE token --- request GET /hello --- more_headers @@ -289,7 +309,7 @@ Authorization: invalid-eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ -=== TEST 13: verify (in header) +=== TEST 14: verify (in header) --- request GET /hello --- more_headers @@ -299,7 +319,7 @@ hello world -=== TEST 14: verify (in header without Bearer) +=== TEST 15: verify (in header without Bearer) --- request GET /hello --- more_headers 
@@ -309,7 +329,7 @@ hello world -=== TEST 15: verify (header with bearer) +=== TEST 16: verify (header with bearer) --- request GET /hello --- more_headers @@ -319,7 +339,7 @@ hello world -=== TEST 16: verify (invalid bearer token) +=== TEST 17: verify (invalid bearer token) --- request GET /hello --- more_headers @@ -330,7 +350,7 @@ Authorization: bearer invalid-eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6Ik -=== TEST 17: delete a exist consumer +=== TEST 18: delete a exist consumer --- config location /t { content_by_lua_block { @@ -380,7 +400,7 @@ code: true body: passed -=== TEST 18: add consumer with username and plugins with base64 secret +=== TEST 19: add consumer with username and plugins with base64 secret --- config location /t { content_by_lua_block { @@ -410,7 +430,7 @@ passed -=== TEST 19: enable jwt decrypt plugin with base64 secret +=== TEST 20: enable jwt decrypt plugin with base64 secret --- config location /t { content_by_lua_block { @@ -444,7 +464,7 @@ passed -=== TEST 20: create public API route (jwe-decrypt sign) +=== TEST 21: create public API route (jwe-decrypt sign) --- config location /t { content_by_lua_block { @@ -470,7 +490,7 @@ passed -=== TEST 21: sign / verify in argument +=== TEST 22: sign / verify in argument --- config location /t { content_by_lua_block { @@ -502,7 +522,7 @@ hello world -=== TEST 22: verify (in header) +=== TEST 23: verify (in header) --- request GET /hello --- more_headers @@ -512,7 +532,7 @@ hello world -=== TEST 23: verify (in header without Bearer) +=== TEST 24: verify (in header without Bearer) --- request GET /hello --- more_headers @@ -522,7 +542,7 @@ hello world -=== TEST 24: enable jwt decrypt plugin with test upstream route +=== TEST 25: enable jwt decrypt plugin with test upstream route --- config location /t { content_by_lua_block { @@ -556,7 +576,7 @@ passed -=== TEST 25: verify in upstream header +=== TEST 26: verify in upstream header --- request GET /headers --- more_headers 
From 4caad7cea4b21a4b32190a8e6656891ca73e6889 Mon Sep 17 00:00:00 2001 From: Abhishek Choudhary Date: Thu, 28 Mar 2024 14:50:09 +0545 Subject: [PATCH 14/14] fix comment --- t/plugin/openid-connect.t | 2 +- t/plugin/openwhisk.t | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t index 486207790225..427e439ad628 100644 --- a/t/plugin/openid-connect.t +++ b/t/plugin/openid-connect.t @@ -144,7 +144,7 @@ passed local t = require("lib.test_admin").test - -- get plugin conf from etcd, password is encrypted + -- get plugin conf from etcd, client_rsa_private_key is encrypted local etcd = require("apisix.core.etcd") local res = assert(etcd.get('/routes/1')) ngx.say(res.body.node.value.plugins["openid-connect"].client_rsa_private_key) diff --git a/t/plugin/openwhisk.t b/t/plugin/openwhisk.t index b8a09fae099d..dfd4d8398190 100644 --- a/t/plugin/openwhisk.t +++ b/t/plugin/openwhisk.t @@ -125,7 +125,7 @@ passed local t = require("lib.test_admin").test - -- get plugin conf from etcd, password is encrypted + -- get plugin conf from etcd, service_token is encrypted local etcd = require("apisix.core.etcd") local res = assert(etcd.get('/routes/1')) ngx.say(res.body.node.value.plugins["openwhisk"].service_token)