From ef2067a1b0954b026a6bbb087a226902d31475b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Mon, 23 Sep 2024 11:51:49 +0800 Subject: [PATCH 01/29] feat: remove /jwt/sign --- apisix/plugins/jwt-auth.lua | 48 ----- t/plugin/jwt-auth.t | 357 ------------------------------------ t/plugin/jwt-auth3.t | 45 ----- t/plugin/jwt-auth4.t | 122 ------------ t/plugin/multi-auth.t | 75 -------- t/plugin/plugin.t | 43 ----- t/plugin/public-api.t | 44 +---- 7 files changed, 1 insertion(+), 733 deletions(-) delete mode 100644 t/plugin/jwt-auth4.t diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 9fdc7a9b5b18..8ea15ed96c51 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -387,52 +387,4 @@ function _M.rewrite(conf, ctx) end -local function gen_token() - local args = core.request.get_uri_args() - if not args or not args.key then - return core.response.exit(400) - end - - local key = args.key - local payload = args.payload - if payload then - payload = ngx.unescape_uri(payload) - end - - local consumer_conf = consumer_mod.plugin(plugin_name) - if not consumer_conf then - return core.response.exit(404) - end - - local consumers = consumer_mod.consumers_kv(plugin_name, consumer_conf, "key") - - core.log.info("consumers: ", core.json.delay_encode(consumers)) - local consumer = consumers[key] - if not consumer then - return core.response.exit(404) - end - - core.log.info("consumer: ", core.json.delay_encode(consumer)) - - local sign_handler = algorithm_handler(consumer, true) - local jwt_token = sign_handler(key, consumer, payload) - if jwt_token then - return core.response.exit(200, jwt_token) - end - - return core.response.exit(404) -end - - -function _M.api() - return { - { - methods = {"GET"}, - uri = "/apisix/plugin/jwt/sign", - handler = gen_token, - } - } -end - - return _M diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index f47b37c96457..812ebde30b0a 100644 --- a/t/plugin/jwt-auth.t 
+++ b/t/plugin/jwt-auth.t @@ -135,67 +135,6 @@ passed -=== TEST 5: create public API route (jwt-auth sign) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/2', - ngx.HTTP_PUT, - [[{ - "plugins": { - "public-api": {} - }, - "uri": "/apisix/plugin/jwt/sign" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed - - - -=== TEST 6: sign / verify in argument ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world - - - -=== TEST 7: test for unsupported method ---- request -PATCH /apisix/plugin/jwt/sign?key=user-key ---- error_code: 404 - - - === TEST 8: verify, missing token --- request GET /hello @@ -318,18 +257,12 @@ JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 code, body = t('/apisix/admin/consumers/jack', ngx.HTTP_DELETE) ngx.say("code: ", code < 300, " body: ", body) - - ngx.sleep(1) - code, body = t('/apisix/plugin/jwt/sign?key=chen-key', - ngx.HTTP_GET) - ngx.say("code: ", code < 300, " body: ", body) } } --- response_body code: true body: passed code: true body: passed code: true body: passed -code: true body: passed 
@@ -394,34 +327,6 @@ passed -=== TEST 19: sign / verify ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world - - - === TEST 20: verify: invalid JWT token --- request GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68 @@ -597,36 +502,6 @@ passed -=== TEST 29: sign/verify use RS256 algorithm(private_key numbits = 512) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world ---- skip_eval -1: $ENV{OPENSSL_FIPS} eq 'yes' - - - === TEST 30: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) --- config location /t { 
@@ -693,66 +568,6 @@ passed -=== TEST 32: sign/verify use RS256 algorithm(private_key numbits = 1024) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world ---- skip_eval -1: $ENV{OPENSSL_FIPS} eq 'yes' - - - -=== TEST 33: sign/verify use RS256 algorithm(private_key numbits = 1024,with extra payload) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256&payload=%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world ---- skip_eval -1: $ENV{OPENSSL_FIPS} eq 'yes' - - - === TEST 34: add consumer with username and plugins with public_key, private_key(private_key numbits = 2048) --- config location /t { 
@@ -816,62 +631,6 @@ passed -=== TEST 36: sign/verify use RS256 algorithm(private_key numbits = 2048) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world - - - -=== TEST 37: sign/verify use RS256 algorithm(private_key numbits = 2048,with extra payload) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256&payload=%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world - - - === TEST 38: JWT sign with the public key when using the RS256 algorithm --- config location /t { @@ -932,15 +691,6 @@ passed -=== TEST 40: sign failed ---- request -GET /apisix/plugin/jwt/sign?key=user-key-rs256 ---- error_code: 500 ---- response_body eval -qr/failed to sign jwt/ - - - === TEST 41: sanity(algorithm = HS512) --- config location /t { 
@@ -1022,62 +772,6 @@ passed -=== TEST 44: sign / verify (algorithm = HS512) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-HS512', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world - - - -=== TEST 45: sign / verify (algorithm = HS512,with extra payload) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-HS512&payload=%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world - - - === TEST 46: test for unsupported algorithm --- config location /t { @@ -1152,27 +846,6 @@ passed -=== TEST 49: when the exp value is not set, sign jwt use the default value(86400) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body, res_data = t('/apisix/plugin/jwt/sign?key=exp-not-set', - ngx.HTTP_GET) - - local jwt = require("resty.jwt") - local jwt_obj = jwt:load_jwt(res_data) - local exp_in_jwt = jwt_obj.payload.exp - local ngx_time = ngx.time - local use_default_exp = ngx_time() + 86400 - 1 <= exp_in_jwt and exp_in_jwt <= ngx_time() + 86400 - ngx.say(use_default_exp) - } - } ---- response_body -true - - - === TEST 50: RS256 without public key --- config location /t { 
@@ -1290,33 +963,3 @@ passed passed --- skip_eval 1: $ENV{OPENSSL_FIPS} eq 'yes' - - - -=== TEST 54: sign/verify use ES256 algorithm(private_key numbits = 512) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-es256', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world ---- skip_eval -1: $ENV{OPENSSL_FIPS} eq 'yes' diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index c28fad3075a7..f4a8ae188baa 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -575,22 +575,6 @@ Success! Data written to: kv/apisix/rsa1 return ngx.say(body) end - -- create public API route (jwt-auth sign) - local code, body = t('/apisix/admin/routes/2', - ngx.HTTP_PUT, - [[{ - "plugins": { - "public-api": {} - }, - "uri": "/apisix/plugin/jwt/sign" - }]] - ) - - if code >= 300 then - ngx.status = code - return ngx.say(body) - end - local code, body = t('/apisix/admin/consumers', ngx.HTTP_PUT, [[{ @@ -618,35 +602,6 @@ passed -=== TEST 21: sign a jwt with with rsa key pair and access /hello ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=rsa1', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - if code >= 300 then - ngx.status = code - end - ngx.print(res) - } - } ---- response_body -hello world - - - === TEST 22: set jwt-auth conf with the token in an env var: secret uses secret ref --- request GET /t diff --git a/t/plugin/jwt-auth4.t b/t/plugin/jwt-auth4.t deleted file mode 100644 index f91b233f4c4f..000000000000 --- a/t/plugin/jwt-auth4.t +++ /dev/null 
@@ -1,122 +0,0 @@ -# -# Licensed to the Apache Software Foundation (ASF) under one or more -# contributor license agreements. See the NOTICE file distributed with -# this work for additional information regarding copyright ownership. -# The ASF licenses this file to You under the Apache License, Version 2.0 -# (the "License"); you may not use this file except in compliance with -# the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -BEGIN { - $ENV{VAULT_TOKEN} = "root"; -} - -use t::APISIX 'no_plan'; - -repeat_each(1); -no_long_string(); -no_root_location(); -no_shuffle(); - -add_block_preprocessor(sub { - my ($block) = @_; - - if ((!defined $block->error_log) && (!defined $block->no_error_log)) { - $block->set_value("no_error_log", "[error]"); - } - - if (!defined $block->request) { - $block->set_value("request", "GET /t"); - if (!$block->response_body) { - $block->set_value("response_body", "passed\n"); - } - } -}); - -run_tests; - -__DATA__ - -=== TEST 1: verify the real_payload's value (key & exp) is not overridden by malicious payload ---- config - location /t { - content_by_lua_block { - local core = require("apisix.core") - local t = require("lib.test_admin").test - - -- prepare consumer - local csm_code, csm_body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "jack", - "plugins": { - "jwt-auth": { - "key": "user-key", - "secret": "my-secret-key" - } - } - }]] - ) - - if csm_code >= 300 then - ngx.status = csm_code - ngx.say(csm_body) - return - end - - -- prepare sign api - local rot_code, rot_body = t('/apisix/admin/routes/2', - ngx.HTTP_PUT, - [[{ - "plugins": { - 
"public-api": {} - }, - "uri": "/apisix/plugin/jwt/sign" - }]] - ) - - if rot_code >= 300 then - ngx.status = rot_code - ngx.say(rot_body) - return - end - - -- generate jws - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key&payload={"key":"letmein","exp":1234567890}', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - -- get payload section from jws - local payload = string.match(sign,"^.+%.(.+)%..+$") - - if not payload then - ngx.say("sign-failed") - return - end - - -- check payload value - local res = core.json.decode(ngx.decode_base64(payload)) - - if res.key == 'user-key' and res.exp ~= 1234567890 then - ngx.say("safe-jws") - return - end - - ngx.say("fake-jws") - } - } ---- response_body -safe-jws diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index aacfe200f7e9..b8293da37e45 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t @@ -485,34 +485,6 @@ qr/\{"error_msg":"failed to check the configuration of plugin multi-auth err: pr -=== TEST 19: create public API route (jwt-auth sign) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/2', - ngx.HTTP_PUT, - [[{ - "plugins": { - "public-api": {} - }, - "uri": "/apisix/plugin/jwt/sign" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- request -GET /t ---- response_body -passed - - - === TEST 20: add consumer with username and jwt-auth plugins --- config location /t { 
@@ -544,36 +516,6 @@ passed -=== TEST 21: sign / verify jwt-auth ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- request -GET /t ---- response_body -hello world - - - === TEST 22: verify multi-auth with plugin config will cause the conf_version change --- config location /t { @@ -633,23 +575,6 @@ hello world return end ngx.sleep(0.1) - - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) } } --- request diff --git a/t/plugin/plugin.t b/t/plugin/plugin.t index 28fd81868483..5e4d16119525 100644 --- a/t/plugin/plugin.t +++ b/t/plugin/plugin.t @@ -108,49 +108,6 @@ passed -=== TEST 3: sign and verify ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - - local code, err = t('/apisix/admin/routes/jwt', - ngx.HTTP_PUT, - [[{ - "uri": "/apisix/plugin/jwt/sign", - "plugins": { "public-api": {} } - }]] - ) - - if code >= 300 then - ngx.status = code - ngx.say(err) - return - end - - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return - end - - local code, _, res = t('/hello?jwt=' .. sign, - ngx.HTTP_GET - ) - - ngx.status = code - ngx.print(res) - } - } ---- response_body -hello world - - - === TEST 4: delete /* and define route for /apisix/plugin/blah --- config location /t { diff --git a/t/plugin/public-api.t b/t/plugin/public-api.t index dab4f10a9357..d6eac00eccfb 100644 
--- a/t/plugin/public-api.t +++ b/t/plugin/public-api.t @@ -71,21 +71,6 @@ property "uri" validation failed: wrong type: expected string, got number } }]] }, - { - uri = "/apisix/admin/routes/custom-jwt-sign", - data = [[{ - "plugins": { - "public-api": { - "uri": "/apisix/plugin/jwt/sign" - }, - "serverless-pre-function": { - "phase": "rewrite", - "functions": ["return function(conf, ctx) require(\"apisix.core\").log.warn(\"custom-jwt-sign was triggered\"); end"] - } - }, - "uri": "/gen_token" - }]], - }, { uri = "/apisix/admin/routes/direct-wolf-rbac-userinfo", data = [[{ @@ -121,34 +106,7 @@ property "uri" validation failed: wrong type: expected string, got number } } --- response_body eval -"201passed\n" x 4 - - - -=== TEST 3: hit route (custom-jwt-sign) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - - local code, body, jwt = t("/gen_token?key=user-key", ngx.HTTP_GET, "", nil, {apikey = "testkey"}) - if code >= 300 then - ngx.status = code - end - - local header = string.sub(jwt, 1, 36) - - if header == "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" or - header == "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9" then - ngx.say("passed") - return - end - - ngx.say("failed") - } - } ---- response_body -passed +"201passed\n" x 3 From cffae79986cac2430182f6bddc365914597e99d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Mon, 23 Sep 2024 14:35:04 +0800 Subject: [PATCH 02/29] fix tests --- t/config-center-yaml/consumer.t | 4 +- t/plugin/jwt-auth.t | 154 -------------------------------- t/plugin/multi-auth.t | 7 ++ t/plugin/plugin.t | 19 ++++ t/plugin/public-api.t | 10 +-- 5 files changed, 33 insertions(+), 161 deletions(-) diff --git a/t/config-center-yaml/consumer.t b/t/config-center-yaml/consumer.t index 4fb356185933..fb4ad3cbd559 100644 --- a/t/config-center-yaml/consumer.t +++ b/t/config-center-yaml/consumer.t 
@@ -83,7 +83,7 @@ plugin jwt-auth err: property "key" is required === TEST 3: provide default value for the plugin --- apisix_yaml routes: - - uri: /apisix/plugin/jwt/sign + - uri: /apisix/plugin/wolf-rbac/user_info plugins: public-api: {} consumers: @@ -94,7 +94,7 @@ consumers: secret: my-secret-key #END --- request -GET /apisix/plugin/jwt/sign?key=user-key +GET /apisix/plugin/wolf-rbac/user_info?key=user-key --- error_code: 200 diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 812ebde30b0a..2cc7df57f09f 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t 
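Review bot: The replacement target `/apisix/plugin/wolf-rbac/user_info` in the `-83,7` hunk is served by a different plugin whose handler and response code are not under jwt-auth's control, so the `--- error_code: 200` expectation in the `-94,7` hunk now depends on wolf-rbac's behaviour rather than on the consumer default value the test is named for, and the `?key=user-key` query string is meaningless to that endpoint. A neutral built-in target with the query string dropped, e.g. `- uri: /apisix/status` and `GET /apisix/status`, keeps the test about jwt-auth only. TEST 2 earlier in this file (the `plugin jwt-auth err: property "key" is required` context of this hunk) still appears to route to `/apisix/plugin/jwt/sign`, which the previous commit removed; it passes only because it already expects 404, which is worth a comment or the same retargeting.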
@@ -631,66 +631,6 @@ passed -=== TEST 38: JWT sign with the public key when using the RS256 algorithm ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "kerouac", - "plugins": { - "jwt-auth": { - "key": "user-key-rs256", - "algorithm": "RS256", - "private_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - "public_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } - } - }]] - ) - ngx.status = code - ngx.say(body) - } - } ---- response_body -passed - - - -=== TEST 39: JWT sign and verify RS256 ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "jwt-auth": {} - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/hello" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed - - - === TEST 41: sanity(algorithm = HS512) --- config location /t { 
@@ -712,66 +652,6 @@ qr/{"algorithm":"HS512","base64_secret":false,"exp":86400,"key":"123","lifetime_ -=== TEST 42: add consumer with username and plugins use HS512 algorithm ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "kerouac", - "plugins": { - "jwt-auth": { - "key": "user-key-HS512", - "algorithm": "HS512", - "secret": "my-secret-key" - } - } - }]] - ) - - ngx.status = code - ngx.say(body) - } - } ---- response_body -passed - - - -=== TEST 43: JWT sign and verify use HS512 algorithm ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "jwt-auth": {} - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/hello" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed - - - === TEST 46: test for unsupported algorithm --- config location /t { @@ -929,37 +809,3 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ } --- response_body passed - - - -=== TEST 53: JWT sign and verify use ES256 algorithm(private_key numbits = 512) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/1', - ngx.HTTP_PUT, - [[{ - "plugins": { - "jwt-auth": {} - }, - "upstream": { - "nodes": { - "127.0.0.1:1980": 1 - }, - "type": "roundrobin" - }, - "uri": "/hello" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed ---- skip_eval -1: $ENV{OPENSSL_FIPS} eq 'yes' diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index b8293da37e45..a6d5dec514da 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t 
@@ -575,6 +575,13 @@ passed return end ngx.sleep(0.1) + + local code, _, res = t('/hello?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs', + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) } } --- request diff --git a/t/plugin/plugin.t b/t/plugin/plugin.t index 5e4d16119525..53c87b0b5133 100644 --- a/t/plugin/plugin.t +++ b/t/plugin/plugin.t @@ -108,6 +108,25 @@ passed +=== TEST 3: sign and verify +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + + local code, _, res = t('/hello?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs', + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world + + + === TEST 4: delete /* and define route for /apisix/plugin/blah --- config location /t { diff --git a/t/plugin/public-api.t b/t/plugin/public-api.t index d6eac00eccfb..83b37af6c78d 100644 --- a/t/plugin/public-api.t +++ b/t/plugin/public-api.t @@ -150,15 +150,15 @@ GET /wrong-public-api }]] }, { - uri = "/apisix/admin/routes/custom-jwt-sign", + uri = "/apisix/admin/routes/custom-user-info", data = [[{ "plugins": { "public-api": { - "uri": "/apisix/plugin/jwt/sign" + "uri": "/apisix/plugin/wolf-rbac/user_info" }, "key-auth": {} }, - "uri": "/gen_token" + "uri": "/get_user_info" }]], } } @@ -179,7 +179,7 @@ GET /wrong-public-api === TEST 8: hit route (with key-auth header) --- request -GET /gen_token?key=user-key +GET /get_user_info?key=user-key --- more_headers apikey: testkey @@ -187,5 +187,5 @@ apikey: testkey === TEST 9: hit route (without key-auth header) --- request -GET /gen_token?key=user-key +GET /get_user_info?key=user-key --- error_code: 401 From ed0f740de14761c6caf1c8ca51b91d2797cd7a88 Mon Sep 17 00:00:00 2001 
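Review bot: The literal token added in the multi-auth.t hunk, and the identical one in the plugin.t hunk below it, is a fixed HS256 JWT whose payload decodes to `{"key":"user-key","exp":1879318541}`, so both tests will start failing with an expired-token error around mid-2029 and nothing in either file records which consumer secret signed it. A comment above each literal such as `-- HS256 token for consumer key "user-key", exp 1879318541 (~2029-07); regenerate with the consumer's secret if it expires` would let the fixture be rebuilt, and keeping the token in one place (a shared helper or a single constant per file) avoids the two copies drifting. The plugin.t test is still titled `=== TEST 3: sign and verify` although it no longer signs anything; `=== TEST 3: verify a pre-signed token` describes what it does.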
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Mon, 23 Sep 2024 16:28:15 +0800 Subject: [PATCH 03/29] fix tests --- apisix/plugins/jwt-auth.lua | 7 +++ t/config-center-yaml/consumer.t | 8 +-- t/fips/jwt-auth.t | 93 +++++++++++++++++---------------- t/plugin/jwt-auth2.t | 78 +++++++++++---------------- t/plugin/public-api.t | 13 ++++- 5 files changed, 100 insertions(+), 99 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 8ea15ed96c51..7602d5d20225 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -387,4 +387,11 @@ function _M.rewrite(conf, ctx) end +function _M.gen_token(key, payload, consumer) + local sign_handler = algorithm_handler(consumer, true) + local jwt_token = sign_handler(key, consumer, payload) + return jwt_token +end + + return _M diff --git a/t/config-center-yaml/consumer.t b/t/config-center-yaml/consumer.t index fb4ad3cbd559..ca00c9596850 100644 --- a/t/config-center-yaml/consumer.t +++ b/t/config-center-yaml/consumer.t @@ -63,7 +63,7 @@ property "username" validation failed === TEST 2: validate the plugin under consumer --- apisix_yaml routes: - - uri: /apisix/plugin/jwt/sign + - uri: /apisix/status plugins: public-api: {} consumers: @@ -73,7 +73,7 @@ consumers: secret: my-secret-key #END --- request -GET /apisix/plugin/jwt/sign?key=user-key +GET /apisix/status?key=user-key --- error_log plugin jwt-auth err: property "key" is required --- error_code: 404 @@ -83,7 +83,7 @@ plugin jwt-auth err: property "key" is required === TEST 3: provide default value for the plugin --- apisix_yaml routes: - - uri: /apisix/plugin/wolf-rbac/user_info + - uri: /apisix/status plugins: public-api: {} consumers: @@ -94,7 +94,7 @@ consumers: secret: my-secret-key #END --- request -GET /apisix/plugin/wolf-rbac/user_info?key=user-key +GET /apisix/status?key=user-key --- error_code: 200 diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t index ec1061315775..c851d80d3acc 100644 --- a/t/fips/jwt-auth.t 
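Review bot: `_M.gen_token` in the jwt-auth.lua hunk is exported on the plugin module with no doc comment and no argument guard: `algorithm_handler(consumer, true)` receives whatever table the caller passes, so a `nil` or mis-shaped `consumer` (the later t/fips hunks in this series suggest it is expected to carry `auth_conf`) fails inside the handler instead of at the boundary. Since the only callers are tests, a header comment stating that — `-- gen_token signs a JWT for the given consumer table; test-suite helper only, not reachable over HTTP` — plus an early `if not consumer or not consumer.auth_conf then return nil, "consumer with auth_conf is required" end` would make the contract explicit. The `jwt_token` temporary adds nothing: `return sign_handler(key, consumer, payload)`.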
+++ b/t/fips/jwt-auth.t @@ -33,31 +33,6 @@ run_tests; __DATA__ -=== TEST 1: create public API route (jwt-auth sign) ---- config - location /t { - content_by_lua_block { - local t = require("lib.test_admin").test - local code, body = t('/apisix/admin/routes/2', - ngx.HTTP_PUT, - [[{ - "plugins": { - "public-api": {} - }, - "uri": "/apisix/plugin/jwt/sign" - }]] - ) - - if code >= 300 then - ngx.status = code - end - ngx.say(body) - } - } ---- response_body -passed - - === TEST 2: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) --- config @@ -127,13 +102,21 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + local sign = gen_token(key, nil, consumer) + if not sign then + ngx.status = 404 + ngx.say("failed to gen_token") return end 
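Review bot: In the `-127,13` hunk the token is now signed from a consumer table built inline in the test rather than from the consumer registered through the admin API in TEST 2, so the sign side no longer exercises the stored consumer configuration and the RSA key pair is duplicated inside the test file; the `-217,13` and `-245,13` hunks further down do the same and repeat the 1024-bit pair twice. A one-line local helper per file, e.g. `local function rs256_consumer(pub, priv) return { auth_conf = { key = "user-key-rs256", algorithm = "RS256", public_key = pub, private_key = priv } } end`, removes the repetition and makes it obvious the fixture is independent of the registered consumer. Reporting a signing failure as `ngx.status = 404` is also misleading — the removed sign endpoint answered 500 for `failed to sign jwt` (see TEST 40 removed in the first patch), and 500 still describes it better. The content_by_lua_block continues past the end of each of these hunks.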
@@ -217,13 +200,21 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + } + } + local sign = gen_token(key, nil, consumer) + if not sign then + ngx.status = 404 + ngx.say("failed to gen_token") return end 
@@ -245,13 +236,23 @@ JWT token invalid: invalid jwt string location /t { content_by_lua_block { local t = require("lib.test_admin").test - local code, err, sign = t('/apisix/plugin/jwt/sign?key=user-key-rs256&payload=%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") -- {"aaa":"11","bb":"222"} + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + } + } + + local sign = gen_token(key, payload, consumer) + if not sign then + ngx.status = 404 + ngx.say("failed to gen_token") return 
end diff --git a/t/plugin/jwt-auth2.t b/t/plugin/jwt-auth2.t index 412bd04b3613..471450ee61ba 100644 --- a/t/plugin/jwt-auth2.t +++ b/t/plugin/jwt-auth2.t @@ -151,6 +151,7 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test + local jwt_sign = require("apisix.plugins.jwt-auth").gen_token -- in order to modify the system_leeway in jwt-validators module local code, body = t('/apisix/admin/routes/1', @@ -257,30 +258,20 @@ hello world ngx.say(body) end - -- resgiter jwt sign api - local code, body = t('/apisix/admin/routes/2', - ngx.HTTP_PUT, - [[{ - "plugins": { - "public-api": {} - }, - "uri": "/apisix/plugin/jwt/sign" - }]] - ) - if code >= 300 then - ngx.status = code - ngx.say(body) - end - - -- get JWT token - local code, err, sign = t('/apisix/plugin/jwt/sign?key=test-jwt-a', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return + local key = "test-jwt-a" + local consumer = { + auth_conf = { + exp = 1, + algorithm = "HS256", + base64_secret = false, + secret = "test-jwt-secret", + key = "test-jwt-a" + } + } + local sign = gen_token(key, nil, consumer) + if not sign then + ngx.status = 404 + ngx.say("failed to gen_token") end -- verify JWT token @@ -316,6 +307,7 @@ qr/ailed to verify jwt: 'exp' claim expired at/ location /t { content_by_lua_block { local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token -- in order to modify the system_leeway in jwt-validators module local code, body = t('/apisix/admin/routes/1', 
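Review bot: In the `@@ -257,30 +258,20 @@` hunk of t/plugin/jwt-auth2.t the failure branch no longer stops the test: the old `return` after `ngx.say(err)` is removed and the new branch ends with `ngx.say("failed to gen_token")`, so a nil `sign` falls through to the `-- verify JWT token` request below with no token. Add `return` after `ngx.say("failed to gen_token")` so the branch reads `ngx.status = 404` / `ngx.say("failed to gen_token")` / `return`. The same omission is in the `@@ -423,30 +415,22 @@` hunk that follows, and the later "typo" patch touches both branches again without restoring the return. The enclosing `content_by_lua_block` starts and ends outside the hunk.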
@@ -423,30 +415,22 @@ qr/ailed to verify jwt: 'exp' claim expired at/ ngx.say(body) end - -- resgiter jwt sign api - local code, body = t('/apisix/admin/routes/2', - ngx.HTTP_PUT, - [[{ - "plugins": { - "public-api": {} - }, - "uri": "/apisix/plugin/jwt/sign" - }]] - ) - if code >= 300 then - ngx.status = code - ngx.say(body) - end - -- get JWT token - local code, err, sign = t('/apisix/plugin/jwt/sign?key=test-jwt-a', - ngx.HTTP_GET - ) - - if code > 200 then - ngx.status = code - ngx.say(err) - return + local key = "test-jwt-a" + local consumer = { + auth_conf = { + exp = 1, + algorithm = "HS256", + base64_secret = false, + secret = "test-jwt-secret", + key = "test-jwt-a", + lifetime_grace_period = 2 + } + } + local sign = gen_token(key, nil, consumer) + if not sign then + ngx.status = 404 + ngx.say("failed to gen_token") end -- verify JWT token diff --git a/t/plugin/public-api.t b/t/plugin/public-api.t index 83b37af6c78d..25fae6437a11 100644 --- a/t/plugin/public-api.t +++ b/t/plugin/public-api.t @@ -37,7 +37,7 @@ __DATA__ location /t { content_by_lua_block { local test_cases = { - {uri = "/apisix/plugin/jwt/sign"}, + {uri = "/apisix/plugin/wolf-rbac/user_info"}, {uri = 3233} } local plugin = require("apisix.plugins.public-api") @@ -156,7 +156,11 @@ GET /wrong-public-api "public-api": { "uri": "/apisix/plugin/wolf-rbac/user_info" }, - "key-auth": {} + "key-auth": {}, + "serverless-pre-function": { + "phase": "rewrite", + "functions": ["return function(conf, ctx) require(\"apisix.core\").log.warn(\"direct-wolf-rbac-userinfo was triggered\"); end"] + } }, "uri": "/get_user_info" }]], @@ -182,6 +186,9 @@ GET /wrong-public-api GET /get_user_info?key=user-key --- more_headers apikey: testkey +--- error_code: 401 +--- error_log +direct-wolf-rbac-userinfo was triggered @@ -189,3 +196,5 @@ apikey: testkey --- request GET /get_user_info?key=user-key --- error_code: 401 +--- response_body +{"message":"Missing API key in request"} 
From fdf7b09a906f49dfbafc2f768930696bbc5ae681 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Mon, 23 Sep 2024 17:59:52 +0800 Subject: [PATCH 04/29] typo --- apisix/plugins/jwt-auth.lua | 2 +- t/fips/jwt-auth.t | 6 +++--- t/plugin/jwt-auth2.t | 8 ++++---- t/plugin/public-api.t | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 7602d5d20225..b9701dbe99c3 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -387,7 +387,7 @@ function _M.rewrite(conf, ctx) end -function _M.gen_token(key, payload, consumer) +function _M.gen_token(key, consumer, payload) local sign_handler = algorithm_handler(consumer, true) local jwt_token = sign_handler(key, consumer, payload) return jwt_token diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t index c851d80d3acc..3d2fdc730b0d 100644 --- a/t/fips/jwt-auth.t +++ b/t/fips/jwt-auth.t @@ -113,7 +113,7 @@ passed private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" } } - local sign = gen_token(key, nil, consumer) + local sign = gen_token(key, consumer) if not sign then ngx.status = 404 ngx.say("failed to gen_token") 
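Review bot: `_M.gen_token` in the apisix/plugins/jwt-auth.lua hunk is now an exported entry point of the plugin module with no comment stating its contract or why it exists after the `/apisix/plugin/jwt/sign` endpoint was removed; a reader of the module alone cannot tell it is a helper kept for the test suite. A short LDoc block above it would fix that: a summary line such as `--- Sign a JWT for a consumer with its configured algorithm (test helper; no HTTP endpoint).`, then `@tparam string key`, `@tparam table consumer` noting that `consumer.auth_conf` is what the tests pass, `@tparam[opt] string payload` described as a JSON string of extra claims (the fips test passes the URI-decoded `{"aaa":"11","bb":"222"}`), and `@treturn string|nil` since callers check `if not sign`. Whether `algorithm_handler` tolerates a consumer without `auth_conf` is not visible in the hunk, so the comment should say that the caller is responsible for passing a valid consumer unless that function guards it. The body could also be the single statement `return sign_handler(key, consumer, payload)` instead of the `jwt_token` temporary.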
@@ -211,7 +211,7 @@ passed private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" } } - local sign = gen_token(key, nil, consumer) + local sign = gen_token(key, consumer) if not sign then ngx.status = 404 ngx.say("failed to gen_token") @@ -249,7 +249,7 @@ JWT token invalid: invalid jwt string } } - local sign = gen_token(key, payload, consumer) + local sign = gen_token(key, consumer, payload) if not sign then ngx.status = 404 ngx.say("failed to gen_token") diff --git a/t/plugin/jwt-auth2.t b/t/plugin/jwt-auth2.t index 471450ee61ba..44c61a00e75a 100644 --- a/t/plugin/jwt-auth2.t +++ b/t/plugin/jwt-auth2.t @@ -151,7 +151,6 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test - local jwt_sign = require("apisix.plugins.jwt-auth").gen_token -- in order to modify the system_leeway in jwt-validators module local code, body = t('/apisix/admin/routes/1', @@ -258,6 +257,7 @@ hello world ngx.say(body) end + local gen_token = require("apisix.plugins.jwt-auth").gen_token local key = "test-jwt-a" local consumer = { auth_conf = { 
@@ -268,7 +268,7 @@ hello world key = "test-jwt-a" } } - local sign = gen_token(key, nil, consumer) + local sign = gen_token(key, consumer) if not sign then ngx.status = 404 ngx.say("failed to gen_token") @@ -307,7 +307,6 @@ qr/ailed to verify jwt: 'exp' claim expired at/ location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token -- in order to modify the system_leeway in jwt-validators module local code, body = t('/apisix/admin/routes/1', @@ -416,6 +415,7 @@ qr/ailed to verify jwt: 'exp' claim expired at/ end -- get JWT token + local gen_token = require("apisix.plugins.jwt-auth").gen_token local key = "test-jwt-a" local consumer = { auth_conf = { @@ -427,7 +427,7 @@ qr/ailed to verify jwt: 'exp' claim expired at/ lifetime_grace_period = 2 } } - local sign = gen_token(key, nil, consumer) + local sign = gen_token(key, consumer) if not sign then ngx.status = 404 ngx.say("failed to gen_token") diff --git a/t/plugin/public-api.t b/t/plugin/public-api.t index 25fae6437a11..595e618f9d8c 100644 --- a/t/plugin/public-api.t +++ b/t/plugin/public-api.t @@ -177,7 +177,7 @@ GET /wrong-public-api } --- response_body 201passed -200passed +201passed From b6492b8ed81ccea0846e466a4b922d0d18a76b9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Tue, 24 Sep 2024 09:25:07 +0800 Subject: [PATCH 05/29] fix tests index --- t/config-center-yaml/consumer.t | 41 +--------------------- t/fips/jwt-auth.t | 14 ++++---- t/perf/test_http.py | 35 +------------------ t/plugin/jwt-auth.t | 62 ++++++++++++++++----------------- t/plugin/jwt-auth3.t | 4 +-- t/plugin/multi-auth.t | 4 +-- t/plugin/public-api.t | 12 +++---- 7 files changed, 50 insertions(+), 122 deletions(-) diff --git a/t/config-center-yaml/consumer.t b/t/config-center-yaml/consumer.t index ca00c9596850..7a3709203711 100644 --- a/t/config-center-yaml/consumer.t +++ b/t/config-center-yaml/consumer.t 
@@ -60,46 +60,7 @@ property "username" validation failed -=== TEST 2: validate the plugin under consumer ---- apisix_yaml -routes: - - uri: /apisix/status - plugins: - public-api: {} -consumers: - - username: jwt - plugins: - jwt-auth: - secret: my-secret-key -#END ---- request -GET /apisix/status?key=user-key ---- error_log -plugin jwt-auth err: property "key" is required ---- error_code: 404 - - - -=== TEST 3: provide default value for the plugin ---- apisix_yaml -routes: - - uri: /apisix/status - plugins: - public-api: {} -consumers: - - username: jwt - plugins: - jwt-auth: - key: user-key - secret: my-secret-key -#END ---- request -GET /apisix/status?key=user-key ---- error_code: 200 - - - -=== TEST 4: consumer restriction +=== TEST 2: consumer restriction --- apisix_yaml consumers: - username: jack diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t index 3d2fdc730b0d..3794a530bf72 100644 --- a/t/fips/jwt-auth.t +++ b/t/fips/jwt-auth.t @@ -34,7 +34,7 @@ run_tests; __DATA__ -=== TEST 2: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) +=== TEST 1: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -65,7 +65,7 @@ passed -=== TEST 3: JWT sign and verify use RS256 algorithm(private_key numbits = 512) +=== TEST 2: JWT sign and verify use RS256 algorithm(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -97,7 +97,7 @@ passed -=== TEST 4: sign/verify use RS256 algorithm(private_key numbits = 512) +=== TEST 3: sign/verify use RS256 algorithm(private_key numbits = 512) --- config location /t { content_by_lua_block { 
@@ -133,7 +133,7 @@ JWT token invalid: invalid jwt string -=== TEST 5: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) +=== TEST 4: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) --- config location /t { content_by_lua_block { @@ -163,7 +163,7 @@ passed -=== TEST 6: JWT sign and verify use RS256 algorithm(private_key numbits = 1024) +=== TEST 5: JWT sign and verify use RS256 algorithm(private_key numbits = 1024) --- config location /t { content_by_lua_block { @@ -195,7 +195,7 @@ passed -=== TEST 7: sign/verify use RS256 algorithm(private_key numbits = 1024) +=== TEST 6: sign/verify use RS256 algorithm(private_key numbits = 1024) --- config location /t { content_by_lua_block { @@ -231,7 +231,7 @@ JWT token invalid: invalid jwt string -=== TEST 8: sign/verify use RS256 algorithm(private_key numbits = 1024,with extra payload) +=== TEST 7: sign/verify use RS256 algorithm(private_key numbits = 1024,with extra payload) --- config location /t { content_by_lua_block { diff --git a/t/perf/test_http.py b/t/perf/test_http.py index 36bb236b4d0b..c3bd2df7ea4d 100755 --- a/t/perf/test_http.py +++ b/t/perf/test_http.py @@ -58,12 +58,6 @@ def create_conf(): i = str(i) consumers.append({ "username": "jack" + i, - "plugins": { - "jwt-auth": { - "key": "user-key-" + i, - "secret": "my-secret-key" - } - } }) routes.append({ "upstream_id": 1, @@ -74,8 +68,6 @@ def create_conf(): "count": 1e8, "time_window": 3600, }, - "jwt-auth": { - }, "proxy-rewrite": { "uri": "/" + i, "headers": { @@ -97,16 +89,6 @@ def create_conf(): "type": "roundrobin" }] - # expose public api - routes.append({ - "uri": "/gen_token", - "plugins": { - "public-api": { - "uri": "/apisix/plugin/jwt/sign" - } - }, - }) - conf = {} conf["routes"] = routes conf["consumers"] = consumers 
@@ -155,31 +137,16 @@ def setUp(self): self.tempdir = tempdir def test_perf(self): - signs = [] - conn = http.client.HTTPConnection("127.0.0.1", port=9080) - for i in range(RULE_SIZE): - i = str(i) - conn.request("GET", "/gen_token?key=user-key-" + i) - response = conn.getresponse() - if response.status >= 300: - print("failed to sign, got: %s" % response.read()) - conn.close() - return - signs.append('"' + response.read().decode() + '"') - conn.close() - script = os.path.join(self.tempdir, "wrk.lua") with open(script, "w") as f: sign_list = ",\n".join(signs) s = """ - signs = {%s} function request() local i = math.random(%s) - 1 wrk.headers["Host"] = "test" .. i .. ".com" - wrk.headers["Authorization"] = signs[i+1] return wrk.format() end - """ % (sign_list, RULE_SIZE) + """ % (RULE_SIZE) f.write(s) # We use https://github.com/giltene/wrk2 subprocess.run(["wrk", diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 2cc7df57f09f..4c4108016749 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -135,7 +135,7 @@ passed -=== TEST 8: verify, missing token +=== TEST 5: verify, missing token --- request GET /hello --- error_code: 401 @@ -144,7 +144,7 @@ GET /hello -=== TEST 9: verify: invalid JWT token +=== TEST 6: verify: invalid JWT token --- request GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68 --- error_code: 401 @@ -155,7 +155,7 @@ JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 -=== TEST 10: verify: expired JWT token +=== TEST 7: verify: expired JWT token --- request GET /hello?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68 --- error_code: 401 
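Review bot: `sign_list = ",\n".join(signs)` survives in `test_perf` although the hunk deletes the `signs = []` list and the loop that filled it, so the method now raises `NameError` before wrk is ever launched; delete that line, since `sign_list` is also no longer used by the template. The trailing `% (RULE_SIZE)` is a bare parenthesised expression rather than a tuple, which happens to work for the single remaining `%s` but looks like a leftover of the old two-element tuple — `% RULE_SIZE` or `% (RULE_SIZE,)` makes the intent explicit. `test_perf` continues past the end of the hunk.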
@@ -166,7 +166,7 @@ failed to verify jwt: 'exp' claim expired at Tue, 23 Jul 2019 08:28:21 GMT -=== TEST 11: verify (in header) +=== TEST 8: verify (in header) --- request GET /hello --- more_headers @@ -176,7 +176,7 @@ hello world -=== TEST 12: verify (in cookie) +=== TEST 9: verify (in cookie) --- request GET /hello --- more_headers @@ -186,7 +186,7 @@ hello world -=== TEST 13: verify (in header without Bearer) +=== TEST 10: verify (in header without Bearer) --- request GET /hello --- more_headers @@ -196,7 +196,7 @@ hello world -=== TEST 14: verify (header with bearer) +=== TEST 11: verify (header with bearer) --- request GET /hello --- more_headers @@ -206,7 +206,7 @@ hello world -=== TEST 15: verify (invalid bearer token) +=== TEST 12: verify (invalid bearer token) --- request GET /hello --- more_headers @@ -219,7 +219,7 @@ JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 -=== TEST 16: delete a exist consumer +=== TEST 13: delete a exist consumer --- config location /t { content_by_lua_block { @@ -266,7 +266,7 @@ code: true body: passed -=== TEST 17: add consumer with username and plugins with base64 secret +=== TEST 14: add consumer with username and plugins with base64 secret --- config location /t { content_by_lua_block { @@ -296,7 +296,7 @@ passed -=== TEST 18: enable jwt auth plugin with base64 secret +=== TEST 15: enable jwt auth plugin with base64 secret --- config location /t { content_by_lua_block { @@ -327,7 +327,7 @@ passed -=== TEST 20: verify: invalid JWT token +=== TEST 16: verify: invalid JWT token --- request GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68 --- error_code: 401 @@ -338,7 +338,7 @@ JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 -=== TEST 21: verify: invalid signature +=== TEST 17: verify: invalid signature --- request GET /hello --- more_headers 
@@ -351,7 +351,7 @@ failed to verify jwt: signature mismatch: fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnV -=== TEST 22: verify: happy path +=== TEST 18: verify: happy path --- request GET /hello --- more_headers @@ -361,7 +361,7 @@ hello world -=== TEST 23: without key +=== TEST 19: without key --- config location /t { content_by_lua_block { @@ -381,7 +381,7 @@ property "key" is required -=== TEST 24: get the schema by schema_type +=== TEST 20: get the schema by schema_type --- config location /t { content_by_lua_block { @@ -399,7 +399,7 @@ property "key" is required -=== TEST 25: get the schema by error schema_type +=== TEST 21: get the schema by error schema_type --- config location /t { content_by_lua_block { @@ -417,7 +417,7 @@ property "key" is required -=== TEST 26: get the schema by default schema_type +=== TEST 22: get the schema by default schema_type --- config location /t { content_by_lua_block { @@ -435,7 +435,7 @@ property "key" is required -=== TEST 27: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) +=== TEST 23: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -468,7 +468,7 @@ passed -=== TEST 28: JWT sign and verify use RS256 algorithm(private_key numbits = 512) +=== TEST 24: JWT sign and verify use RS256 algorithm(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -502,7 +502,7 @@ passed -=== TEST 30: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) +=== TEST 25: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) --- config location /t { content_by_lua_block { @@ -534,7 +534,7 @@ passed -=== TEST 31: JWT sign and verify use RS256 algorithm(private_key numbits = 1024) +=== TEST 26: JWT sign and verify use RS256 algorithm(private_key numbits = 1024) --- config location /t { content_by_lua_block { 
@@ -568,7 +568,7 @@ passed -=== TEST 34: add consumer with username and plugins with public_key, private_key(private_key numbits = 2048) +=== TEST 27: add consumer with username and plugins with public_key, private_key(private_key numbits = 2048) --- config location /t { content_by_lua_block { @@ -599,7 +599,7 @@ passed -=== TEST 35: JWT sign and verify use RS256 algorithm(private_key numbits = 2048) +=== TEST 28: JWT sign and verify use RS256 algorithm(private_key numbits = 2048) --- config location /t { content_by_lua_block { @@ -631,7 +631,7 @@ passed -=== TEST 41: sanity(algorithm = HS512) +=== TEST 29: sanity(algorithm = HS512) --- config location /t { content_by_lua_block { @@ -652,7 +652,7 @@ qr/{"algorithm":"HS512","base64_secret":false,"exp":86400,"key":"123","lifetime_ -=== TEST 46: test for unsupported algorithm +=== TEST 30: test for unsupported algorithm --- config location /t { content_by_lua_block { @@ -673,7 +673,7 @@ qr/property "algorithm" validation failed/ -=== TEST 47: wrong format of secret +=== TEST 31: wrong format of secret --- config location /t { content_by_lua_block { @@ -696,7 +696,7 @@ base64_secret required but the secret is not in base64 format -=== TEST 48: when the exp value is not set, make sure the default value(86400) works +=== TEST 32: when the exp value is not set, make sure the default value(86400) works --- config location /t { content_by_lua_block { @@ -726,7 +726,7 @@ passed -=== TEST 50: RS256 without public key +=== TEST 33: RS256 without public key --- config location /t { content_by_lua_block { @@ -753,7 +753,7 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ -=== TEST 51: RS256 without private key +=== TEST 34: RS256 without private key --- config location /t { content_by_lua_block { 
@@ -781,7 +781,7 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ -=== TEST 52: add consumer with username and plugins with public_key, private_key(ES256) +=== TEST 35: add consumer with username and plugins with public_key, private_key(ES256) --- config location /t { content_by_lua_block { diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index f4a8ae188baa..80b7a90e57a5 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -602,7 +602,7 @@ passed -=== TEST 22: set jwt-auth conf with the token in an env var: secret uses secret ref +=== TEST 21: set jwt-auth conf with the token in an env var: secret uses secret ref --- request GET /t --- config @@ -671,7 +671,7 @@ passed -=== TEST 23: verify (in header) not hiding credentials +=== TEST 22: verify (in header) not hiding credentials --- request GET /echo --- more_headers diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index a6d5dec514da..c6ce3f0ee33f 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t @@ -485,7 +485,7 @@ qr/\{"error_msg":"failed to check the configuration of plugin multi-auth err: pr -=== TEST 20: add consumer with username and jwt-auth plugins +=== TEST 19: add consumer with username and jwt-auth plugins --- config location /t { content_by_lua_block { @@ -516,7 +516,7 @@ passed -=== TEST 22: verify multi-auth with plugin config will cause the conf_version change +=== TEST 20: verify multi-auth with plugin config will cause the conf_version change --- config location /t { content_by_lua_block { diff --git a/t/plugin/public-api.t b/t/plugin/public-api.t index 595e618f9d8c..6b4c9f3c7e7b 100644 --- a/t/plugin/public-api.t +++ b/t/plugin/public-api.t @@ -110,7 +110,7 @@ property "uri" validation failed: wrong type: expected string, got number -=== TEST 4: hit route (direct-wolf-rbac-userinfo) +=== TEST 3: hit route (direct-wolf-rbac-userinfo) --- request GET /apisix/plugin/wolf-rbac/user_info --- error_code: 401 
@@ -119,21 +119,21 @@ direct-wolf-rbac-userinfo was triggered -=== TEST 5: missing route (non-exist public API) +=== TEST 4: missing route (non-exist public API) --- request GET /apisix/plugin/balalbala --- error_code: 404 -=== TEST 6: hit route (wrong public-api uri) +=== TEST 5: hit route (wrong public-api uri) --- request GET /wrong-public-api --- error_code: 404 -=== TEST 7: setup route (protect public API) +=== TEST 6: setup route (protect public API) --- config location /t { content_by_lua_block { @@ -181,7 +181,7 @@ GET /wrong-public-api -=== TEST 8: hit route (with key-auth header) +=== TEST 7: hit route (with key-auth header) --- request GET /get_user_info?key=user-key --- more_headers @@ -192,7 +192,7 @@ direct-wolf-rbac-userinfo was triggered -=== TEST 9: hit route (without key-auth header) +=== TEST 8: hit route (without key-auth header) --- request GET /get_user_info?key=user-key --- error_code: 401 From 1fbeaefd28d47bbbe72ec092b2e9b9721d7bb7e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Tue, 24 Sep 2024 10:55:33 +0800 Subject: [PATCH 06/29] reindex --- t/fips/jwt-auth.t | 1 - 1 file changed, 1 deletion(-) diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t index 3794a530bf72..47390362cde1 100644 --- a/t/fips/jwt-auth.t +++ b/t/fips/jwt-auth.t @@ -33,7 +33,6 @@ run_tests; __DATA__ - === TEST 1: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) --- config location /t { From 7d116ee08ed2865d80280eaca0d59712b60ec9ef Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Tue, 24 Sep 2024 12:08:12 +0800 Subject: [PATCH 07/29] refactor document --- docs/en/latest/plugin-develop.md | 15 +++---- docs/en/latest/plugins/jwt-auth.md | 56 +------------------------- docs/en/latest/plugins/public-api.md | 34 ++++++++++------ docs/zh/latest/plugin-develop.md | 13 +++--- docs/zh/latest/plugins/jwt-auth.md | 59 +--------------------------- docs/zh/latest/plugins/public-api.md | 44 +++++++++++---------- 6 files changed, 62 insertions(+), 159 deletions(-) diff --git a/docs/en/latest/plugin-develop.md b/docs/en/latest/plugin-develop.md index ff9cfae79a0f..d42f7f0ce8a3 100644 --- a/docs/en/latest/plugin-develop.md +++ b/docs/en/latest/plugin-develop.md @@ -439,20 +439,21 @@ end ## register public API -A plugin can register API which exposes to the public. Take jwt-auth plugin as an example, this plugin registers `GET /apisix/plugin/jwt/sign` to allow client to sign its key: +A plugin can register API which exposes to the public. Take wolf-rbac plugin as an example, this plugin registers `POST /apisix/plugin/wolf-rbac/login` to allow a client to login and get the wolf rbac_token: ```lua -local function gen_token() - --... +function wolf_rbac_login() + -- ... end function _M.api() return { { - methods = {"GET"}, - uri = "/apisix/plugin/jwt/sign", - handler = gen_token, - } + methods = {"POST"}, + uri = "/apisix/plugin/wolf-rbac/login", + handler = wolf_rbac_login, + }, + -- ... } end ``` diff --git a/docs/en/latest/plugins/jwt-auth.md b/docs/en/latest/plugins/jwt-auth.md index e44fd58a5880..c61ee60e0b87 100644 --- a/docs/en/latest/plugins/jwt-auth.md +++ b/docs/en/latest/plugins/jwt-auth.md 
@@ -62,14 +62,6 @@ For Route: You can implement `jwt-auth` with [HashiCorp Vault](https://www.vaultproject.io/) to store and fetch secrets and RSA keys pairs from its [encrypted KV engine](https://developer.hashicorp.com/vault/docs/secrets/kv) using the [APISIX Secret](../terminology/secret.md) resource. -## API - -This Plugin adds `/apisix/plugin/jwt/sign` as an endpoint. - -:::note - -You may need to use the [public-api](public-api.md) plugin to expose this endpoint. - ::: ## Enable Plugin 
@@ -148,53 +140,7 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X P ## Example usage -You need to first setup a Route for an API that signs the token using the [public-api](public-api.md) Plugin: - -```shell -curl http://127.0.0.1:9180/apisix/admin/routes/jas -H "X-API-KEY: $admin_key" -X PUT -d ' -{ - "uri": "/apisix/plugin/jwt/sign", - "plugins": { - "public-api": {} - } -}' -``` - -Now, we can get a token: - -- Without extension payload: - -```shell -curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key -i -``` - -``` -HTTP/1.1 200 OK -Date: Wed, 24 Jul 2019 10:33:31 GMT -Content-Type: text/plain -Transfer-Encoding: chunked -Connection: keep-alive -Server: APISIX web server - -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMX0.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI -``` - -- With extension payload: - -```shell -curl -G --data-urlencode 'payload={"uid":10000,"uname":"test"}' http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key -i -``` - -``` -HTTP/1.1 200 OK -Date: Wed, 21 Apr 2021 06:43:59 GMT -Content-Type: text/plain; charset=utf-8 -Transfer-Encoding: chunked -Connection: keep-alive -Server: APISIX/2.4 - -eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1bmFtZSI6InRlc3QiLCJ1aWQiOjEwMDAwLCJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTYxOTA3MzgzOX0.jI9-Rpz1gc3u8Y6lZy8I43RXyCu0nSHANCvfn0YZUCY -``` +You need first to issue a JWT token using some tool such as [JWT.io's debugger](https://jwt.io/#debugger-io) or a programming language. You can now use this token while making requests: diff --git a/docs/en/latest/plugins/public-api.md b/docs/en/latest/plugins/public-api.md index d55131992f0d..d1c4acbd8e1f 100644 --- a/docs/en/latest/plugins/public-api.md +++ b/docs/en/latest/plugins/public-api.md 
@@ -30,7 +30,7 @@ description: The public-api is used for exposing an API endpoint through a gener The `public-api` is used for exposing an API endpoint through a general HTTP API router. -When you are using custom Plugins, you can use the `public-api` Plugin to define a fixed, public API for a particular functionality. For example, you can create a public API endpoint `/apisix/plugin/jwt/sign` for JWT authentication using the [jwt-auth](./jwt-auth.md) Plugin. +When you are using custom Plugins, you can use the `public-api` Plugin to define a fixed, public API for a particular functionality. For example, you can create a public API endpoint `/apisix/plugin/wolf-rbac/login` for wolf-rbac using the [wolf-rbac](./wolf-rbac.md) Plugin. :::note @@ -46,7 +46,9 @@ The public API added in a custom Plugin is not exposed by default and the user s ## Example usage -The example below uses the [jwt-auth](./jwt-auth.md) Plugin and the [key-auth](./key-auth.md) Plugin along with the `public-api` Plugin. Refer to their documentation for it configuration. This step is omitted below and only explains the configuration of the `public-api` Plugin. +The example below uses the [wolf-rbac](./wolf-rbac.md) Plugin and the [key-auth](./key-auth.md) Plugin along with the `public-api` Plugin. Refer to their documentation for its configuration. This step is omitted below and only explains the configuration of the `public-api` Plugin. + +Note: 使用 [wolf-rbac](./wolf-rbac.md) 插件的需要一些前提条件 [wolf-rbac](./wolf-rbac.md#pre-requisites) ### Basic usage 
@@ -57,17 +59,19 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \ -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/apisix/plugin/jwt/sign", + "uri": "/apisix/plugin/wolf-rbac/login", "plugins": { "public-api": {} } }' ``` -Now, if you make a request to the configured URI, you will receive a JWT response: +Now, if you make a request to the configured URI, you will receive a rbac_token response: ```shell -curl 'http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key' +curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \ + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ### Using custom URI @@ -79,10 +83,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/gen_token", + "uri": "/wolf-rbac-login", "plugins": { "public-api": { - "uri": "/apisix/plugin/jwt/sign" + "uri": "/apisix/plugin/wolf-rbac/login" } } }' @@ -91,7 +95,9 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ Now you can make requests to this new endpoint: ```shell -curl 'http://127.0.0.1:9080/gen_token?key=user-key' +curl http://127.0.0.1:9080/wolf-rbac-login -i \ + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ### Securing the Route @@ -103,10 +109,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/gen_token", + "uri": "/wolf-rbac-login", "plugins": { "public-api": { - "uri": "/apisix/plugin/jwt/sign" + "uri": "/apisix/plugin/wolf-rbac/login" }, "key-auth": {} } 
@@ -116,8 +122,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ Now, only authenticated requests are allowed: ```shell -curl -i 'http://127.0.0.1:9080/gen_token?key=user-key' \ +curl http://127.0.0.1:9080/wolf-rbac-login -i \ -H "apikey: test-apikey" + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ```shell @@ -127,7 +135,9 @@ HTTP/1.1 200 OK The below request will fail: ```shell -curl -i 'http://127.0.0.1:9080/gen_token?key=user-key' +curl http://127.0.0.1:9080/wolf-rbac-login -i \ + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ```shell diff --git a/docs/zh/latest/plugin-develop.md b/docs/zh/latest/plugin-develop.md index c893088f454a..1c78961d2cf3 100644 --- a/docs/zh/latest/plugin-develop.md +++ b/docs/zh/latest/plugin-develop.md @@ -417,20 +417,21 @@ end ## 注册公共接口 -插件可以注册暴露给公网的接口。以 jwt-auth 插件为例,这个插件为了让客户端能够签名,注册了 `GET /apisix/plugin/jwt/sign` 这个接口: +插件可以注册暴露给公网的接口。以 wolf-rbac 插件为例,这个插件为了让客户端能够登录获取 wolf rbac_token,注册了 `POST /apisix/plugin/wolf-rbac/login` 等接口: ```lua -local function gen_token() +function wolf_rbac_login() -- ... end function _M.api() return { { - methods = {"GET"}, - uri = "/apisix/plugin/jwt/sign", - handler = gen_token, - } + methods = {"POST"}, + uri = "/apisix/plugin/wolf-rbac/login", + handler = wolf_rbac_login, + }, + -- ... } end ``` diff --git a/docs/zh/latest/plugins/jwt-auth.md b/docs/zh/latest/plugins/jwt-auth.md index eed13cf54df9..013e3a322f24 100644 --- a/docs/zh/latest/plugins/jwt-auth.md +++ b/docs/zh/latest/plugins/jwt-auth.md 
@@ -62,16 +62,6 @@ Route 端: 您可以使用 [HashiCorp Vault](https://www.vaultproject.io/) 实施 `jwt-auth`,以从其[加密的 KV 引擎](https://developer.hashicorp.com/vault/docs/secrets/kv) 使用 [APISIX Secret](../terminology/secret.md) 资源。 -## 接口 - -该插件会增加 `/apisix/plugin/jwt/sign` 接口。 - -:::note - -你需要通过 [public-api](../../../en/latest/plugins/public-api.md) 插件来暴露它。 - -::: - ## 启用插件 如果想要启用插件,就必须使用 JWT token 创建一个 Consumer 对象,并将 Route 配置为使用 JWT 身份验证。 @@ -146,54 +136,7 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 \ ## 测试插件 -首先,你需要为签发 token 的 API 配置一个 Route,该路由将使用 [public-api](../../../en/latest/plugins/public-api.md) 插件。 - -```shell -curl http://127.0.0.1:9180/apisix/admin/routes/jas \ --H "X-API-KEY: $admin_key" -X PUT -d ' -{ - "uri": "/apisix/plugin/jwt/sign", - "plugins": { - "public-api": {} - } -}' -``` - -之后就可以通过调用它来获取 token 了。 - -* 没有额外的 payload: - -```shell -curl http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key -i -``` - -``` -HTTP/1.1 200 OK -Date: Wed, 24 Jul 2019 10:33:31 GMT -Content-Type: text/plain -Transfer-Encoding: chunked -Connection: keep-alive -Server: APISIX web server - -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2NDA1MDgxMXx.Us8zh_4VjJXF-TmR5f8cif8mBU7SuefPlpxhH0jbPVI -``` - -* 有额外的 payload: - -```shell -curl -G --data-urlencode 'payload={"uid":10000,"uname":"test"}' http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key -i -``` - -``` -HTTP/1.1 200 OK -Date: Wed, 21 Apr 2021 06:43:59 GMT -Content-Type: text/plain; charset=utf-8 -Transfer-Encoding: chunked -Connection: keep-alive -Server: APISIX/2.4 - -eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1bmFtZSI6InRlc3QiLCJ1aWQiOjEwMDAwLCJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTYxOTA3MzgzOX0.jI9-Rpz1gc3u8Y6lZy8I43RXyCu0nSHANCvfn0YZUCY -``` +首先你需要使用诸如 [JWT.io's debugger](https://jwt.io/#debugger-io) 等工具或编程语言来生成一个 JWT token。 现在你可以使用获取到的 token 进行请求尝试 diff --git a/docs/zh/latest/plugins/public-api.md b/docs/zh/latest/plugins/public-api.md index 0a50d0533c9d..cd450f45c1a6 100644 
--- a/docs/zh/latest/plugins/public-api.md +++ b/docs/zh/latest/plugins/public-api.md @@ -30,7 +30,7 @@ description: 本文介绍了 public-api 的相关操作,你可以使用 public `public-api` 插件可用于通过创建路由的方式暴露用户自定义的 API。 -你可以通过在路由中添加 `public-api` 插件,来保护**自定义插件为了实现特定功能**而暴露的 API。例如,你可以使用 [`jwt-auth`](./jwt-auth.md) 插件创建一个公共 API 端点 `/apisix/plugin/jwt/sign` 用于 JWT 认证。 +你可以通过在路由中添加 `public-api` 插件,来保护**自定义插件为了实现特定功能**而暴露的 API。例如,你可以使用 [`wolf-rbac`](./wolf-rbac.md) 插件创建一个公共 API 端点 `/apisix/plugin/wolf-rbac/login` 用于登录获取 wolf rbac_token。 :::note 注意 @@ -46,11 +46,13 @@ description: 本文介绍了 public-api 的相关操作,你可以使用 public ## 启用插件 -`public-api` 插件需要与授权插件一起配合使用,以下示例分别用到了 [`jwt-auth`](./jwt-auth.md) 插件和 [`key-auth`](./key-auth.md) 插件。 +`public-api` 插件需要与授权插件一起配合使用,以下示例分别用到了 [wolf-rbac](./wolf-rbac.md) 插件和 [`key-auth`](./key-auth.md) + +注意:使用 [wolf-rbac](./wolf-rbac.md) 需要实现一些前提条件 [wolf-rbac](./wolf-rbac.md#前提条件) ### 基本用法 -首先,你需要启用并配置 `jwt-auth` 插件,详细使用方法请参考 [`jwt-auth`](./jwt-auth.md) 插件文档。 +首先,你需要启用并配置 `wolf-rbac` 插件,详细使用方法请参考 [wolf-rbac](./wolf-rbac.md) 插件文档。 然后,使用以下命令在指定路由上启用并配置 `public-api` 插件: @@ -69,7 +71,7 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \ -H "X-API-KEY: $admin_key" \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/apisix/plugin/jwt/sign", + "uri": "/apisix/plugin/wolf-rbac/login", "plugins": { "public-api": {} } @@ -78,14 +80,12 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \ **测试插件** -向配置的 URI 发出访问请求,如果返回一个包含 JWT Token 的响应,则代表插件生效: - -```shell -curl 'http://127.0.0.1:9080/apisix/plugin/jwt/sign?key=user-key' -``` +向配置的 URI 发出访问请求,会返回一个包含 wolf rbac_token 的响应: ```shell -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTk0Mjg1MzIsImtleSI6InVzZXIta2V5In0.NhrWrO-da4kXezxTLdgFBX2rJA2dF1qESs8IgmwhNd0 +curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \ + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ### 使用自定义 URI 
@@ -99,10 +99,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ -H "X-API-KEY: $admin_key" \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/gen_token", + "uri": "/wolf-rbac-login", "plugins": { "public-api": { - "uri": "/apisix/plugin/jwt/sign" + "uri": "/apisix/plugin/wolf-rbac/login" } } }' @@ -113,11 +113,9 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ 向自定义的 URI 发出访问请求,如果返回一个包含 JWT Token 的响应,则代表插件生效: ```shell -curl 'http://127.0.0.1:9080/gen_token?key=user-key' -``` - -```shell -eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NTk0Mjg1NjIsImtleSI6InVzZXIta2V5In0.UVkXWbyGb8ajBNtxs0iAaFb2jTEWIlqTR125xr1ZMLc +curl http://127.0.0.1:9080/wolf-rbac-login -i \ + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ### 确保 Route 安全 @@ -129,10 +127,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ -H "X-API-KEY: $admin_key" \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/gen_token", + "uri": "/wolf-rbac-login", "plugins": { "public-api": { - "uri": "/apisix/plugin/jwt/sign" + "uri": "/apisix/plugin/wolf-rbac/login" }, "key-auth": { "key": "test-apikey" @@ -148,8 +146,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ 发出访问请求并指定 `apikey`,如果返回 `200` HTTP 状态码,则说明请求被允许: ```shell -curl -i 'http://127.0.0.1:9080/gen_token?key=user-key' \ +curl http://127.0.0.1:9080/wolf-rbac-login -i \ -H "apikey: test-apikey" + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ```shell @@ -159,7 +159,9 @@ HTTP/1.1 200 OK 发出访问请求,如果返回 `401` HTTP 状态码,则说明请求被阻止,插件生效: ```shell -curl -i 'http://127.0.0.1:9080/gen_token?key=user-key' +curl http://127.0.0.1:9080/wolf-rbac-login -i \ + -H "Content-Type: application/json" \ + -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' ``` ```shell 
From d4cefb1ebc1a4c2aafbe555fd99fd481e89463e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Tue, 24 Sep 2024 15:28:19 +0800 Subject: [PATCH 08/29] jwt-auth plugin no longer need private_key --- apisix/plugins/jwt-auth.lua | 41 ++- t/fips/jwt-auth.t | 19 +- t/plugin/jwt-auth.t | 519 ++++++++++++++++++++++++++++++++++-- t/plugin/jwt-auth2.t | 4 +- t/plugin/jwt-auth3.t | 78 +----- t/plugin/multi-auth.t | 52 +++- 6 files changed, 580 insertions(+), 133 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index b9701dbe99c3..fb1d8692b16a 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -90,17 +90,16 @@ local consumer_schema = { { properties = { public_key = {type = "string"}, - private_key= {type = "string"}, algorithm = { enum = {"RS256", "ES256"}, }, }, - required = {"public_key", "private_key"}, + required = {"public_key"}, }, } } }, - encrypt_fields = {"secret", "private_key"}, + encrypt_fields = {"secret"}, required = {"key"}, } @@ -138,14 +137,10 @@ function _M.check_schema(conf, schema_type) end if conf.algorithm == "RS256" or conf.algorithm == "ES256" then - -- Possible options are a) public key is missing - -- b) private key is missing + -- Possible options is: public key is missing if not conf.public_key then return false, "missing valid public key" end - if not conf.private_key then - return false, "missing valid private key" - end end return true @@ -235,15 +230,10 @@ local function get_rsa_or_ecdsa_keypair(conf) local public_key = conf.public_key local private_key = conf.private_key - if public_key and private_key then - return public_key, private_key - elseif public_key and not private_key then - return nil, nil, "missing private key" - elseif not public_key and private_key then + if not public_key then return nil, nil, "missing public key" - else - return nil, nil, "public and private keys are missing" end + return public_key, private_key end 
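Review bot: `encrypt_fields = {"secret"}` drops `private_key` from the encrypted fields while `get_rsa_or_ecdsa_keypair`, in the third hunk on this line, still reads `conf.private_key`, and the schema change does not reject the field (TEST 38 later in this series stores a consumer that carries `private_key` and expects `passed`). Any consumer config that still supplies `private_key` is therefore presumably persisted unencrypted from now on. Either keep `private_key` in `encrypt_fields` until the code stops reading it, or reject it explicitly in `check_schema`, e.g. `if conf.private_key then return false, "private_key is no longer supported" end`. The new comment `-- Possible options is: public key is missing` would read better as `-- only one failure is possible here: the public key is missing`.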
@@ -264,8 +254,7 @@ end local function sign_jwt_with_HS(key, consumer, payload) local auth_secret, err = get_secret(consumer.auth_conf) if not auth_secret then - core.log.error("failed to sign jwt, err: ", err) - core.response.exit(503, "failed to sign jwt") + return nil, "failed to sign jwt: failed to get auth_secret" end local ok, jwt_token = pcall(jwt.sign, _M, auth_secret, @@ -278,8 +267,10 @@ local function sign_jwt_with_HS(key, consumer, payload) } ) if not ok then - core.log.warn("failed to sign jwt, err: ", jwt_token.reason) - core.response.exit(500, "failed to sign jwt") + if jwt_token and jwt_token.reason then + return nil, "failed to sign jwt: " .. jwt_token.reason + end + return nil, "failed to sign jwt" end return jwt_token end @@ -290,8 +281,10 @@ local function sign_jwt_with_RS256_ES256(key, consumer, payload) consumer.auth_conf ) if not public_key then - core.log.error("failed to sign jwt, err: ", err) - core.response.exit(503, "failed to sign jwt") + return nil, "missing public_key" + end + if not private_key then + return nil, "missing private_key" end local ok, jwt_token = pcall(jwt.sign, _M, @@ -308,8 +301,10 @@ local function sign_jwt_with_RS256_ES256(key, consumer, payload) } ) if not ok then - core.log.warn("failed to sign jwt, err: ", jwt_token.reason) - core.response.exit(500, "failed to sign jwt") + if jwt_token and jwt_token.reason then + return nil, "failed to sign jwt: " .. jwt_token.reason + end + return nil, "failed to sign jwt" end return jwt_token end diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t index 47390362cde1..519e65a77a04 100644 --- a/t/fips/jwt-auth.t +++ b/t/fips/jwt-auth.t @@ -33,7 +33,7 @@ run_tests; __DATA__ -=== TEST 1: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) +=== TEST 1: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { 
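Review bot: In `sign_jwt_with_HS` the `err` returned by `get_secret` is now discarded; `return nil, "failed to sign jwt: failed to get auth_secret"` replaces the earlier log line that included it, so a caller can no longer tell a missing secret from a secret-store failure, and `err` becomes an unused local. Prefer `return nil, "failed to sign jwt: " .. tostring(err or "failed to get auth_secret")`. The `pcall` branches in both signers have the same gap: when `jwt_token` is a plain string error with no `.reason`, the detail is dropped, which `return nil, "failed to sign jwt: " .. tostring(jwt_token)` would keep. With `core.response.exit` gone, every caller of these two functions (outside the hunks) presumably has to check the second return value and choose the status itself; both enclosing functions continue outside the hunks.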
@@ -46,8 +46,7 @@ __DATA__ "jwt-auth": { "key": "user-key-rs256", "algorithm": "RS256", - "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----" } } }]] @@ -64,7 +63,7 @@ passed -=== TEST 2: JWT sign and verify use RS256 algorithm(private_key numbits = 512) +=== TEST 2: JWT sign and verify use RS256 algorithm --- config location /t { content_by_lua_block { @@ -114,7 +113,7 @@ passed } local sign = gen_token(key, consumer) if not sign then - ngx.status = 404 + ngx.status = 500 ngx.say("failed to gen_token") return end @@ -132,7 +131,7 @@ JWT token invalid: invalid jwt string -=== TEST 4: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) +=== TEST 4: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { 
@@ -146,8 +145,6 @@ JWT token invalid: invalid jwt string "key": "user-key-rs256", "algorithm": "RS256", "public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - ]] .. [[ - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" } } } @@ -162,7 +159,7 @@ passed -=== TEST 5: JWT sign and verify use RS256 algorithm(private_key numbits = 1024) +=== TEST 5: JWT sign and verify use RS256 algorithm --- config location /t { content_by_lua_block { @@ -212,7 +209,7 @@ passed } local sign = gen_token(key, consumer) if not sign then - ngx.status = 404 + ngx.status = 500 ngx.say("failed to gen_token") return end @@ -250,7 +247,7 @@ JWT token invalid: invalid jwt string local sign = gen_token(key, consumer, payload) if not sign then - ngx.status = 404 + ngx.status = 500 ngx.say("failed to gen_token") return end 
diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 4c4108016749..e3816d232cfe 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -327,6 +327,41 @@ passed +=== TEST 19: sign / verify +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key" + local consumer = { + auth_conf = { + key = "user-key", + secret = "fo4XKdZ1xSrIZyms4q2BwPrW5lMpls9qqy5tiAk2esc=", + base64_secret = true + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world + + + === TEST 16: verify: invalid JWT token --- request GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68 
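Review bot: TEST 19 is inserted ahead of TEST 16, so the `=== TEST N` numbering in this file is no longer monotonic, and later hunks of the same file repeat the pattern: TEST 29 sits between 24 and 25, TEST 32/33 between 26 and 27, TEST 35–39 before TEST 30, and `TEST 35` is used twice (the route test added in the `@@ -599,7 +744,139 @@` hunk and the renamed consumer test in `@@ -775,13 +1183,11 @@`). Test::Nginx runs blocks by position, so nothing fails, but `--- ONLY` and log greps by name become ambiguous; renumbering the inserted blocks avoids that. The block also relies on `gen_token` being exported from `apisix.plugins.jwt-auth`, which none of the visible jwt-auth.lua hunks shows, so it is worth confirming that export is part of this patch.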
@@ -389,7 +424,7 @@ property "key" is required local code, body, raw = t('/apisix/admin/schema/plugins/jwt-auth?schema_type=consumer', ngx.HTTP_GET, [[ -{"dependencies":{"algorithm":{"oneOf":[{"properties":{"algorithm":{"default":"HS256","enum":["HS256","HS512"]}}},{"required":["public_key","private_key"],"properties":{"algorithm":{"enum":["RS256","ES256"]},"public_key":{"type":"string"},"private_key":{"type":"string"}}}]}},"required":["key"],"type":"object","properties":{"base64_secret":{"default":false,"type":"boolean"},"secret":{"type":"string"},"algorithm":{"enum":["HS256","HS512","RS256","ES256"],"default":"HS256","type":"string"},"exp":{"minimum":1,"default":86400,"type":"integer"},"key":{"type":"string"}}} +{"dependencies":{"algorithm":{"oneOf":[{"properties":{"algorithm":{"default":"HS256","enum":["HS256","HS512"]}}},{"required":["public_key"],"properties":{"algorithm":{"enum":["RS256","ES256"]},"public_key":{"type":"string"}}}]}},"required":["key"],"type":"object","properties":{"base64_secret":{"default":false,"type":"boolean"},"secret":{"type":"string"},"algorithm":{"enum":["HS256","HS512","RS256","ES256"],"default":"HS256","type":"string"},"exp":{"minimum":1,"default":86400,"type":"integer"},"key":{"type":"string"}}} ]] ) @@ -435,7 +470,7 @@ property "key" is required -=== TEST 23: add consumer with username and plugins with public_key, private_key(private_key numbits = 512) +=== TEST 23: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { 
@@ -448,8 +483,7 @@ property "key" is required "jwt-auth": { "key": "user-key-rs256", "algorithm": "RS256", - "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----" } } }]] @@ -468,7 +502,7 @@ passed -=== TEST 24: JWT sign and verify use RS256 algorithm(private_key numbits = 512) +=== TEST 24: JWT sign and verify use RS256 algorithm --- config location /t { content_by_lua_block { 
@@ -502,7 +536,45 @@ passed -=== TEST 25: add consumer with username and plugins with public_key, private_key(private_key numbits = 1024) +=== TEST 29: sign/verify use RS256 algorithm(private_key numbits = 512) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world +--- skip_eval +1: $ENV{OPENSSL_FIPS} eq 'yes' + + + +=== TEST 25: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { 
@@ -515,9 +587,7 @@ passed "jwt-auth": { "key": "user-key-rs256", "algorithm": "RS256", - "public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - ]] .. [[ - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + "public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----" } } } @@ -534,7 +604,7 @@ passed -=== TEST 26: JWT sign and verify use RS256 algorithm(private_key numbits = 1024) +=== TEST 26: JWT sign and verify use RS256 algorithm --- config location /t { content_by_lua_block { 
@@ -568,7 +638,84 @@ passed -=== TEST 27: add consumer with username and plugins with public_key, private_key(private_key numbits = 2048) +=== TEST 32: sign/verify use RS256 algorithm(private_key numbits = 1024) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. 
sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world +--- skip_eval +1: $ENV{OPENSSL_FIPS} eq 'yes' + + + +=== TEST 33: sign/verify use RS256 algorithm(private_key numbits = 1024,with extra payload) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") + local sign = gen_token(key, consumer, payload) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world +--- skip_eval +1: $ENV{OPENSSL_FIPS} eq 'yes' + + + +=== TEST 27: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { 
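Review bot: TEST 32 and TEST 33 are titled `private_key numbits = 1024`, but the `public_key`/`private_key` PEM they sign with is byte-for-byte the 512-bit pair already used by TEST 29 (`MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKeb…`), not the 1024-bit key (`MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfV…`) that TEST 25 stores on the consumer. Either the titles are wrong or it is not obvious how a token signed with the 512-bit key verifies against the stored 1024-bit public key, so the expected `hello world` deserves a check. TEST 36/37 in the `@@ -599,7 +744,139 @@` hunk have the same mismatch with the 2048-bit consumer key and, unlike these two blocks, carry no `--- skip_eval` for `OPENSSL_FIPS` although they use the same 512-bit key.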
@@ -581,9 +728,7 @@ passed "jwt-auth": { "key": "user-key-rs256", "algorithm": "RS256", - "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----", - ]] .. [[ - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mv
dZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----" } } } 
@@ -599,7 +744,139 @@ passed -=== TEST 28: JWT sign and verify use RS256 algorithm(private_key numbits = 2048) +=== TEST 35: JWT sign and verify use RS256 algorithm(private_key numbits = 2048) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 36: sign/verify use RS256 algorithm(private_key numbits = 2048) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. 
sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world + + + +=== TEST 37: sign/verify use RS256 algorithm(private_key numbits = 2048,with extra payload) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-rs256" + local consumer = { + auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + } + } + local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") + local sign = gen_token(key, consumer, payload) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. 
sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world + + + +=== TEST 38: JWT sign with the public key when using the RS256 algorithm +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-rs256", + "algorithm": "RS256", + "private_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----" + } + } + }]] + ) + ngx.status = code + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 39: JWT sign and verify RS256 --- config location /t { content_by_lua_block { 
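Review bot: TEST 38 stores a consumer whose `jwt-auth` config has `algorithm: RS256`, no `public_key`, and a `private_key` field that actually holds a `BEGIN PUBLIC KEY` block, yet expects `passed`. With this patch's schema (`required = {"public_key"}` for RS256/ES256) and `check_schema` returning "missing valid public key", the expected outcome looks like a 400 unless something outside the visible hunks makes validation pass; either the title and expectation should describe the rejection, or the field should be named `public_key`. As written, the block also documents that an unknown `private_key` property is accepted and stored, which is precisely the field `encrypt_fields` no longer covers.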
@@ -652,6 +929,137 @@ qr/{"algorithm":"HS512","base64_secret":false,"exp":86400,"key":"123","lifetime_ +=== TEST 42: add consumer with username and plugins use HS512 algorithm +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/consumers', + ngx.HTTP_PUT, + [[{ + "username": "kerouac", + "plugins": { + "jwt-auth": { + "key": "user-key-HS512", + "algorithm": "HS512", + "secret": "my-secret-key" + } + } + }]] + ) + + ngx.status = code + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 43: JWT sign and verify use HS512 algorithm +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed + + + +=== TEST 44: sign / verify (algorithm = HS512) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-HS512" + local consumer = { + auth_conf = { + key = "user-key-HS512", + algorithm = "HS512", + secret = "my-secret-key" + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. 
sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world + + + +=== TEST 45: sign / verify (algorithm = HS512,with extra payload) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-HS512" + local consumer = { + auth_conf = { + key = "user-key-HS512", + algorithm = "HS512", + secret = "my-secret-key" + } + } + local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") + local sign = gen_token(key, consumer, payload) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world + + + === TEST 30: test for unsupported algorithm --- config location /t { @@ -775,13 +1183,11 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ ngx.say(body) } } ---- error_code: 400 ---- response_body_like eval -qr/failed to validate dependent schema for \\"algorithm\\"/ +--- error_code: 200 -=== TEST 35: add consumer with username and plugins with public_key, private_key(ES256) +=== TEST 35: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { 
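Review bot: The second hunk on this line (`@@ -775,13 +1183,11 @@`) replaces the `--- error_code: 400` / `response_body_like` expectation with a bare `--- error_code: 200`, so the test no longer asserts anything about the body, while its title (outside the hunk; the reindex commit further down this page appears to show it as "RS256 without private key") still reads like a negative test. Since a consumer with `algorithm: RS256` and no `private_key` is now meant to be accepted, make that explicit with `--- response_body` followed by `passed` (the admin API body the neighbouring tests print), and retitle it along the lines of `RS256 without private key is accepted`, so the changed schema contract is documented by the test rather than implied by a status code. The test's `content_by_lua_block` starts outside the hunk.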
@@ -794,8 +1200,7 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ "jwt-auth": { "key": "user-key-es256", "algorithm": "ES256", - "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----", - "private_key": "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----" + "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----" } } }]] 
@@ -809,3 +1214,75 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ } --- response_body passed + + + +=== TEST 53: JWT sign and verify use ES256 algorithm(private_key numbits = 512) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "jwt-auth": {} + }, + "upstream": { + "nodes": { + "127.0.0.1:1980": 1 + }, + "type": "roundrobin" + }, + "uri": "/hello" + }]] + ) + + if code >= 300 then + ngx.status = code + end + ngx.say(body) + } + } +--- response_body +passed +--- skip_eval +1: $ENV{OPENSSL_FIPS} eq 'yes' + + + +=== TEST 54: sign/verify use ES256 algorithm(private_key numbits = 512) +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + + local key = "user-key-es256" + local consumer = { + auth_conf = { + key = "user-key-es256", + algorithm = "ES256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----" + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- response_body +hello world +--- skip_eval +1: $ENV{OPENSSL_FIPS} eq 'yes' diff --git a/t/plugin/jwt-auth2.t b/t/plugin/jwt-auth2.t index 44c61a00e75a..dc381a27b6af 100644 --- a/t/plugin/jwt-auth2.t +++ b/t/plugin/jwt-auth2.t 
@@ -270,7 +270,7 @@ hello world
 }
 local sign = gen_token(key, consumer)
 if not sign then
- ngx.status = 404
+ ngx.status = 500
 ngx.say("failed to gen_token")
 end
@@ -429,7 +429,7 @@ qr/ailed to verify jwt: 'exp' claim expired at/
 }
 local sign = gen_token(key, consumer)
 if not sign then
- ngx.status = 404
+ ngx.status = 500
 ngx.say("failed to gen_token")
 end
diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t
index 80b7a90e57a5..aebd58fd08fe 100755
--- a/t/plugin/jwt-auth3.t
+++ b/t/plugin/jwt-auth3.t
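Review bot: In both hunks of `t/plugin/jwt-auth2.t` the failure branch sets `ngx.status = 500` and prints a message but does not `return`, so a nil `sign` flows on past the `end` into whatever follows (presumably the `t('/hello?jwt=' .. sign, …)` call the sibling tests use, which would raise on concatenating nil and mask the real failure with a different error). The other new tests on this page (`t/plugin/jwt-auth.t`, `t/plugin/multi-auth.t`) do return after reporting; add `return` after `ngx.say("failed to gen_token")` here as well. The enclosing `content_by_lua_block` starts and ends outside both hunks.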
@@ -378,77 +378,6 @@ IRWpPjbDq5BCgHyIllnOMA== -=== TEST 15: data encryption for private_key ---- yaml_config -apisix: - data_encryption: - enable_encrypt_fields: true - keyring: - - edd1c9f0985e76a2 ---- config - location /t { - content_by_lua_block { - local json = require("toolkit.json") - local t = require("lib.test_admin").test - - -- dletet exist consumers - t('/apisix/admin/consumers/jack', ngx.HTTP_DELETE) - - local code, body = t('/apisix/admin/consumers', - ngx.HTTP_PUT, - [[{ - "username": "jack", - "plugins": { - "jwt-auth": { - "key": "user-key-rs256", - "algorithm": "RS256", - "public_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } - } - }]] - ) - - if code >= 300 then - ngx.status = code - ngx.say(body) - return - end - ngx.sleep(0.1) - - -- get plugin conf from admin api, password is decrypted - local code, message, res = t('/apisix/admin/consumers/jack', - ngx.HTTP_GET - ) - res = json.decode(res) - if code >= 300 then - ngx.status = code - ngx.say(message) - return - end - - ngx.say(res.value.plugins["jwt-auth"].private_key) - - -- get plugin conf from etcd, password is encrypted - local etcd = require("apisix.core.etcd") - local res = assert(etcd.get('/consumers/jack')) - ngx.say(res.body.node.value.plugins["jwt-auth"].private_key) - } - } ---- response_body ------BEGIN RSA PRIVATE KEY----- 
-MIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv -0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7 -+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL -wQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF -IeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb -2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs -YvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG ------END RSA PRIVATE KEY----- -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 - - - === TEST 16: set jwt-auth conf: secret uses secret ref --- request GET /t @@ -542,13 +471,13 @@ jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs === TEST 19: store rsa key pairs and secret into vault from local filesystem --- exec -VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 secret=$3nsitiv3-c8d3 public_key=@t/certs/public.pem private_key=@t/certs/private.pem +VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 secret=$3nsitiv3-c8d3 public_key=@t/certs/public.pem --- response_body Success! Data written to: kv/apisix/rsa1 -=== TEST 20: create consumer for RS256 algorithm with private/public key fetched from vault and public key in consumer schema +=== TEST 20: create consumer for RS256 algorithm with public key fetched from vault and public key in consumer schema --- config location /t { content_by_lua_block { @@ -584,8 +513,7 @@ Success! Data written to: kv/apisix/rsa1 "key": "rsa1", "algorithm": "RS256", "secret": "$secret://vault/test1/rsa1/secret", - "public_key": "$secret://vault/test1/rsa1/public_key", - "private_key": "$secret://vault/test1/rsa1/private_key" + "public_key": "$secret://vault/test1/rsa1/public_key" } } }]] diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index c6ce3f0ee33f..a7cc7c64e565 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t 
@@ -516,6 +516,41 @@ passed +=== TEST 21: sign / verify jwt-auth +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local gen_token = require("apisix.plugins.jwt-auth").gen_token + local key = "user-key" + local consumer = { + auth_conf = { + key = "user-key", + secret = "my-secret-key" + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. sign, + ngx.HTTP_GET + ) + + ngx.status = code + ngx.print(res) + } + } +--- request +GET /t +--- response_body +hello world + + + === TEST 20: verify multi-auth with plugin config will cause the conf_version change --- config location /t { @@ -576,7 +611,22 @@ passed end ngx.sleep(0.1) - local code, _, res = t('/hello?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTg3OTMxODU0MX0.fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnVFSYjs', + local gen_token = require("apisix.plugins.jwt-auth").gen_token + local key = "user-key" + local consumer = { + auth_conf = { + key = "user-key", + secret = "my-secret-key" + } + } + local sign = gen_token(key, consumer) + if not sign then + ngx.status = 500 + ngx.say("failed to gen_token") + return + end + + local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) From 7de67364dfb5591ceb1b1b9a0b1b643112a29f86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Tue, 24 Sep 2024 15:28:50 +0800 Subject: [PATCH 09/29] reindex --- t/plugin/jwt-auth.t | 68 +++++++++++++++++++++---------------------- t/plugin/jwt-auth3.t | 14 ++++----- t/plugin/multi-auth.t | 4 +-- 3 files changed, 43 insertions(+), 43 deletions(-) diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index e3816d232cfe..ba685e20df27 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -327,7 +327,7 @@ passed -=== TEST 19: sign / verify +=== TEST 16: sign / verify --- config location /t { content_by_lua_block { 
@@ -362,7 +362,7 @@ hello world -=== TEST 16: verify: invalid JWT token +=== TEST 17: verify: invalid JWT token --- request GET /hello?jwt=invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsImV4cCI6MTU2Mzg3MDUwMX0.pPNVvh-TQsdDzorRwa-uuiLYiEBODscp9wv0cwD6c68 --- error_code: 401 @@ -373,7 +373,7 @@ JWT token invalid: invalid header: invalid-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 -=== TEST 17: verify: invalid signature +=== TEST 18: verify: invalid signature --- request GET /hello --- more_headers @@ -386,7 +386,7 @@ failed to verify jwt: signature mismatch: fNtFJnNmJgzbiYmGB0Yjvm-l6A6M4jRV1l4mnV -=== TEST 18: verify: happy path +=== TEST 19: verify: happy path --- request GET /hello --- more_headers @@ -396,7 +396,7 @@ hello world -=== TEST 19: without key +=== TEST 20: without key --- config location /t { content_by_lua_block { @@ -416,7 +416,7 @@ property "key" is required -=== TEST 20: get the schema by schema_type +=== TEST 21: get the schema by schema_type --- config location /t { content_by_lua_block { @@ -434,7 +434,7 @@ property "key" is required -=== TEST 21: get the schema by error schema_type +=== TEST 22: get the schema by error schema_type --- config location /t { content_by_lua_block { @@ -452,7 +452,7 @@ property "key" is required -=== TEST 22: get the schema by default schema_type +=== TEST 23: get the schema by default schema_type --- config location /t { content_by_lua_block { @@ -470,7 +470,7 @@ property "key" is required -=== TEST 23: add consumer with username and plugins with public_key +=== TEST 24: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { @@ -502,7 +502,7 @@ passed -=== TEST 24: JWT sign and verify use RS256 algorithm +=== TEST 25: JWT sign and verify use RS256 algorithm --- config location /t { content_by_lua_block { 
@@ -536,7 +536,7 @@ passed -=== TEST 29: sign/verify use RS256 algorithm(private_key numbits = 512) +=== TEST 26: sign/verify use RS256 algorithm(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -574,7 +574,7 @@ hello world -=== TEST 25: add consumer with username and plugins with public_key +=== TEST 27: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { @@ -604,7 +604,7 @@ passed -=== TEST 26: JWT sign and verify use RS256 algorithm +=== TEST 28: JWT sign and verify use RS256 algorithm --- config location /t { content_by_lua_block { @@ -638,7 +638,7 @@ passed -=== TEST 32: sign/verify use RS256 algorithm(private_key numbits = 1024) +=== TEST 29: sign/verify use RS256 algorithm(private_key numbits = 1024) --- config location /t { content_by_lua_block { @@ -676,7 +676,7 @@ hello world -=== TEST 33: sign/verify use RS256 algorithm(private_key numbits = 1024,with extra payload) +=== TEST 30: sign/verify use RS256 algorithm(private_key numbits = 1024,with extra payload) --- config location /t { content_by_lua_block { @@ -715,7 +715,7 @@ hello world -=== TEST 27: add consumer with username and plugins with public_key +=== TEST 31: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { @@ -744,7 +744,7 @@ passed -=== TEST 35: JWT sign and verify use RS256 algorithm(private_key numbits = 2048) +=== TEST 32: JWT sign and verify use RS256 algorithm(private_key numbits = 2048) --- config location /t { content_by_lua_block { @@ -776,7 +776,7 @@ passed -=== TEST 36: sign/verify use RS256 algorithm(private_key numbits = 2048) +=== TEST 33: sign/verify use RS256 algorithm(private_key numbits = 2048) --- config location /t { content_by_lua_block { 
@@ -812,7 +812,7 @@ hello world -=== TEST 37: sign/verify use RS256 algorithm(private_key numbits = 2048,with extra payload) +=== TEST 34: sign/verify use RS256 algorithm(private_key numbits = 2048,with extra payload) --- config location /t { content_by_lua_block { @@ -849,7 +849,7 @@ hello world -=== TEST 38: JWT sign with the public key when using the RS256 algorithm +=== TEST 35: JWT sign with the public key when using the RS256 algorithm --- config location /t { content_by_lua_block { @@ -876,7 +876,7 @@ passed -=== TEST 39: JWT sign and verify RS256 +=== TEST 36: JWT sign and verify RS256 --- config location /t { content_by_lua_block { @@ -908,7 +908,7 @@ passed -=== TEST 29: sanity(algorithm = HS512) +=== TEST 37: sanity(algorithm = HS512) --- config location /t { content_by_lua_block { @@ -929,7 +929,7 @@ qr/{"algorithm":"HS512","base64_secret":false,"exp":86400,"key":"123","lifetime_ -=== TEST 42: add consumer with username and plugins use HS512 algorithm +=== TEST 38: add consumer with username and plugins use HS512 algorithm --- config location /t { content_by_lua_block { @@ -957,7 +957,7 @@ passed -=== TEST 43: JWT sign and verify use HS512 algorithm +=== TEST 39: JWT sign and verify use HS512 algorithm --- config location /t { content_by_lua_block { @@ -989,7 +989,7 @@ passed -=== TEST 44: sign / verify (algorithm = HS512) +=== TEST 40: sign / verify (algorithm = HS512) --- config location /t { content_by_lua_block { @@ -1024,7 +1024,7 @@ hello world -=== TEST 45: sign / verify (algorithm = HS512,with extra payload) +=== TEST 41: sign / verify (algorithm = HS512,with extra payload) --- config location /t { content_by_lua_block { @@ -1060,7 +1060,7 @@ hello world -=== TEST 30: test for unsupported algorithm +=== TEST 42: test for unsupported algorithm --- config location /t { content_by_lua_block { 
@@ -1081,7 +1081,7 @@ qr/property "algorithm" validation failed/ -=== TEST 31: wrong format of secret +=== TEST 43: wrong format of secret --- config location /t { content_by_lua_block { @@ -1104,7 +1104,7 @@ base64_secret required but the secret is not in base64 format -=== TEST 32: when the exp value is not set, make sure the default value(86400) works +=== TEST 44: when the exp value is not set, make sure the default value(86400) works --- config location /t { content_by_lua_block { @@ -1134,7 +1134,7 @@ passed -=== TEST 33: RS256 without public key +=== TEST 45: RS256 without public key --- config location /t { content_by_lua_block { @@ -1161,7 +1161,7 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ -=== TEST 34: RS256 without private key +=== TEST 46: RS256 without private key --- config location /t { content_by_lua_block { @@ -1187,7 +1187,7 @@ qr/failed to validate dependent schema for \\"algorithm\\"/ -=== TEST 35: add consumer with username and plugins with public_key +=== TEST 47: add consumer with username and plugins with public_key --- config location /t { content_by_lua_block { @@ -1217,7 +1217,7 @@ passed -=== TEST 53: JWT sign and verify use ES256 algorithm(private_key numbits = 512) +=== TEST 48: JWT sign and verify use ES256 algorithm(private_key numbits = 512) --- config location /t { content_by_lua_block { @@ -1251,7 +1251,7 @@ passed -=== TEST 54: sign/verify use ES256 algorithm(private_key numbits = 512) +=== TEST 49: sign/verify use ES256 algorithm(private_key numbits = 512) --- config location /t { content_by_lua_block { diff --git a/t/plugin/jwt-auth3.t b/t/plugin/jwt-auth3.t index aebd58fd08fe..0c0d33a902b3 100755 --- a/t/plugin/jwt-auth3.t +++ b/t/plugin/jwt-auth3.t @@ -378,7 +378,7 @@ IRWpPjbDq5BCgHyIllnOMA== -=== TEST 16: set jwt-auth conf: secret uses secret ref +=== TEST 15: set jwt-auth conf: secret uses secret ref --- request GET /t --- config 
@@ -451,7 +451,7 @@ passed -=== TEST 17: store secret into vault +=== TEST 16: store secret into vault --- exec VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/jack secret=my-secret-key --- response_body @@ -459,7 +459,7 @@ Success! Data written to: kv/apisix/jack -=== TEST 18: verify (in header) not hiding credentials +=== TEST 17: verify (in header) not hiding credentials --- request GET /echo --- more_headers @@ -469,7 +469,7 @@ jwt-header: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIs -=== TEST 19: store rsa key pairs and secret into vault from local filesystem +=== TEST 18: store rsa key pairs and secret into vault from local filesystem --- exec VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/rsa1 secret=$3nsitiv3-c8d3 public_key=@t/certs/public.pem --- response_body @@ -477,7 +477,7 @@ Success! Data written to: kv/apisix/rsa1 -=== TEST 20: create consumer for RS256 algorithm with public key fetched from vault and public key in consumer schema +=== TEST 19: create consumer for RS256 algorithm with public key fetched from vault and public key in consumer schema --- config location /t { content_by_lua_block { @@ -530,7 +530,7 @@ passed -=== TEST 21: set jwt-auth conf with the token in an env var: secret uses secret ref +=== TEST 20: set jwt-auth conf with the token in an env var: secret uses secret ref --- request GET /t --- config @@ -599,7 +599,7 @@ passed -=== TEST 22: verify (in header) not hiding credentials +=== TEST 21: verify (in header) not hiding credentials --- request GET /echo --- more_headers diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index a7cc7c64e565..ba6b9ca775e4 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t @@ -516,7 +516,7 @@ passed -=== TEST 21: sign / verify jwt-auth +=== TEST 20: sign / verify jwt-auth --- config location /t { content_by_lua_block { 
@@ -551,7 +551,7 @@ hello world
-=== TEST 20: verify multi-auth with plugin config will cause the conf_version change
+=== TEST 21: verify multi-auth with plugin config will cause the conf_version change
 --- config
 location /t {
 content_by_lua_block {
From 36b5a36454b19e4cde2ebf02aa7b4493acf1efdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?=
Date: Tue, 24 Sep 2024 15:48:02 +0800
Subject: [PATCH 10/29] fix unused variable
---
 apisix/plugins/jwt-auth.lua | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index fb1d8692b16a..3c700e1cff9a 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
@@ -254,6 +254,7 @@ end
 local function sign_jwt_with_HS(key, consumer, payload)
 local auth_secret, err = get_secret(consumer.auth_conf)
 if not auth_secret then
+ core.log.error("failed to sign jwt, err: ", err)
 return nil, "failed to sign jwt: failed to get auth_secret"
 end
 local ok, jwt_token = pcall(jwt.sign, _M,
@@ -267,9 +268,7 @@ local function sign_jwt_with_HS(key, consumer, payload)
 }
 )
 if not ok then
- if jwt_token and jwt_token.reason then
- return nil, "failed to sign jwt: " .. jwt_token.reason
- end
+ core.log.warn("failed to sign jwt, err: ", jwt_token.reason)
 return nil, "failed to sign jwt"
 end
 return jwt_token
From c08f917a576dd072af1fa152326a96b2c927feba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?=
Date: Tue, 24 Sep 2024 16:01:17 +0800
Subject: [PATCH 11/29] fix lint
---
 apisix/plugins/jwt-auth.lua | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index 3c700e1cff9a..3acc262f97c9 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
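Review bot: In the `@@ -267,9 +268,7 @@` hunk of `sign_jwt_with_HS` the removed guard `if jwt_token and jwt_token.reason then` was load-bearing: after a failed `pcall(jwt.sign, …)` the second value is whatever was raised, and the new `core.log.warn("failed to sign jwt, err: ", jwt_token.reason)` indexes it unconditionally, so a nil or non-table error value turns a signing failure into an unhandled error inside the error path itself. Keep the log line but make it tolerant of the error type: `core.log.warn("failed to sign jwt, err: ", type(jwt_token) == "table" and jwt_token.reason or jwt_token)`. The same pattern is introduced in `sign_jwt_with_RS256_ES256` in the next commit's `@@ -300,9 +302,7 @@` hunk and survives the later warn-to-error level change, so the fix applies in both places. Both functions start outside their hunks.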
@@ -280,9 +280,11 @@ local function sign_jwt_with_RS256_ES256(key, consumer, payload)
 consumer.auth_conf
 )
 if not public_key then
+ core.log.error("failed to sign jwt, err: ", err)
 return nil, "missing public_key"
 end
 if not private_key then
+ core.log.error("failed to sign jwt, err: ", err)
 return nil, "missing private_key"
 end
@@ -300,9 +302,7 @@ local function sign_jwt_with_RS256_ES256(key, consumer, payload)
 }
 )
 if not ok then
- if jwt_token and jwt_token.reason then
- return nil, "failed to sign jwt: " .. jwt_token.reason
- end
+ core.log.warn("failed to sign jwt, err: ", jwt_token.reason)
 return nil, "failed to sign jwt"
 end
 return jwt_token
From 4398e9ed7e0d61f692afeb712197742118e5f1ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?=
Date: Tue, 24 Sep 2024 16:47:40 +0800
Subject: [PATCH 12/29] set default fields values in gen_token
---
 apisix/plugins/jwt-auth.lua | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index 3acc262f97c9..56cfb8c9fcb7 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
@@ -382,6 +382,15 @@ end
 function _M.gen_token(key, consumer, payload)
+ if not consumer.auth_conf then
+ return nil, "missing auth_conf in consumer"
+ end
+ if not consumer.auth_conf.exp then
+ consumer.auth_conf.exp = 86400
+ end
+ if not consumer.auth_conf.lifetime_grace_period then
+ consumer.auth_conf.lifetime_grace_period = 0
+ end
 local sign_handler = algorithm_handler(consumer, true)
 local jwt_token = sign_handler(key, consumer, payload)
 return jwt_token
From b399a554a095a4b0c8df3e26e8539c8d0070e326 Mon Sep 17 00:00:00 2001
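Review bot: In the `@@ -382,6 +382,15 @@` hunk `_M.gen_token` writes the `exp` and `lifetime_grace_period` defaults straight into `consumer.auth_conf`, i.e. into the caller's table; since the function is exported from the plugin module, a caller that passes a consumer object it does not own (a cached consumer conf, say) gets it silently modified, and a field that was absent then reads as set everywhere afterwards. Fill the defaults on a shallow copy and sign with that instead, assuming `algorithm_handler`/`sign_handler` only read `auth_conf` (the later rewrite's `{ auth_conf = auth_conf }` wrapper suggests they do). The later `@@ -381,19 +381,19 @@` rewrite of this function on the page keeps the same in-place writes on `auth_conf` (and adds `algorithm`), so the same fix applies there. The `86400` default matches the schema default visible in the `@@ -652,6 +929,137 @@` hunk header earlier on this page; the function's closing `end` is outside the hunk.
```lua
function _M.gen_token(key, consumer, payload)
    if not consumer.auth_conf then
        return nil, "missing auth_conf in consumer"
    end
    -- fill defaults on a copy so the caller's auth_conf is left untouched
    local auth_conf = {}
    for k, v in pairs(consumer.auth_conf) do
        auth_conf[k] = v
    end
    if not auth_conf.exp then
        auth_conf.exp = 86400
    end
    if not auth_conf.lifetime_grace_period then
        auth_conf.lifetime_grace_period = 0
    end
    local signer = { auth_conf = auth_conf }
    local sign_handler = algorithm_handler(signer, true)
    local jwt_token = sign_handler(key, signer, payload)
    return jwt_token
```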
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?=
Date: Tue, 24 Sep 2024 19:39:50 +0800
Subject: [PATCH 13/29] fix tests
---
 apisix/plugins/jwt-auth.lua | 22 +++---
 t/fips/jwt-auth.t | 50 ++++++--------
 t/plugin/jwt-auth.t | 131 ++++++++++++++----------------------
 t/plugin/jwt-auth2.t | 36 +++++-----
 t/plugin/multi-auth.t | 22 +++---
 5 files changed, 106 insertions(+), 155 deletions(-)
diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index 56cfb8c9fcb7..7e2f9180b7d9 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
@@ -268,7 +268,7 @@ local function sign_jwt_with_HS(key, consumer, payload)
 }
 )
 if not ok then
- core.log.warn("failed to sign jwt, err: ", jwt_token.reason)
+ core.log.error("failed to sign jwt, err: ", jwt_token.reason)
 return nil, "failed to sign jwt"
 end
 return jwt_token
@@ -381,19 +381,19 @@ function _M.rewrite(conf, ctx)
 end
-function _M.gen_token(key, consumer, payload)
- if not consumer.auth_conf then
- return nil, "missing auth_conf in consumer"
+function _M.gen_token(auth_conf, payload)
+ if not auth_conf.exp then
+ auth_conf.exp = 86400
 end
- if not consumer.auth_conf.exp then
- consumer.auth_conf.exp = 86400
+ if not auth_conf.lifetime_grace_period then
+ auth_conf.lifetime_grace_period = 0
 end
- if not consumer.auth_conf.lifetime_grace_period then
- consumer.auth_conf.lifetime_grace_period = 0
+ if not auth_conf.algorithm then
+ auth_conf.algorithm = "HS256"
 end
- local sign_handler = algorithm_handler(consumer, true)
- local jwt_token = sign_handler(key, consumer, payload)
- return jwt_token
+ local sign_handler = algorithm_handler({ auth_conf = auth_conf }, true)
+ local jwt_token, err = sign_handler(auth_conf.key, { auth_conf = auth_conf }, payload)
+ return jwt_token, err
 end
diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t
index 519e65a77a04..a7b55aae74d0 100644
--- a/t/fips/jwt-auth.t
+++ b/t/fips/jwt-auth.t
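Review bot: In the `@@ -381,19 +381,19 @@` hunk the rewritten `_M.gen_token` builds the `{ auth_conf = auth_conf }` wrapper twice, once for `algorithm_handler` and once for the `sign_handler` call, so the handler is selected from one table and invoked with a different one; build it once — `local consumer = { auth_conf = auth_conf }`, `local sign_handler = algorithm_handler(consumer, true)`, `local jwt_token, err = sign_handler(auth_conf.key, consumer, payload)` — and keep the existing `return jwt_token, err`. The function also has no doc comment although it is an exported module function with a changed signature; an LDoc block stating that it signs a token for the given `auth_conf`, that `exp`, `lifetime_grace_period` and `algorithm` are defaulted when absent, and that it returns the token or `nil, err` would document the new contract for the test files that call it.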
@@ -102,16 +102,13 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -144,7 +141,7 @@ JWT token invalid: invalid jwt string "jwt-auth": { "key": "user-key-rs256", "algorithm": "RS256", - "public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----" } } } 
@@ -198,16 +195,13 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -234,18 +228,14 @@ JWT token invalid: invalid jwt string local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") -- {"aaa":"11","bb":"222"} - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + private_key = 
"-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" } - - local sign = gen_token(key, consumer, payload) + local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") -- {"aaa":"11","bb":"222"} + local sign = gen_token(auth_conf, payload) if not sign then ngx.status = 500 ngx.say("failed to gen_token") diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index ba685e20df27..49cc9fe504e6 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -334,15 +334,12 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key" - local consumer = { - auth_conf = { - key = "user-key", - secret = "fo4XKdZ1xSrIZyms4q2BwPrW5lMpls9qqy5tiAk2esc=", - base64_secret = true - } + local auth_conf = { + key = "user-key", + secret = "fo4XKdZ1xSrIZyms4q2BwPrW5lMpls9qqy5tiAk2esc=", + base64_secret = true } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -543,16 +540,13 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -645,16 +639,13 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -683,17 +674,14 @@ hello world local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" } local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") - local sign = gen_token(key, consumer, payload) + local sign = gen_token(auth_conf, payload) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -783,16 +771,13 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -819,17 +804,14 @@ hello world local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-rs256" - local consumer = { - auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-rs256", + algorithm = "RS256", + public_key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" } local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") - local sign = gen_token(key, consumer, payload) + local sign = gen_token(auth_conf, payload) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -862,7 +844,7 @@ hello world "jwt-auth": { "key": "user-key-rs256", "algorithm": "RS256", - "private_key": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----" + "public_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" } } }]] @@ -996,15 +978,12 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-HS512" - local consumer = { - auth_conf = { - key = "user-key-HS512", - algorithm = "HS512", - secret = "my-secret-key" - } + local auth_conf = { + key = "user-key-HS512", + algorithm = "HS512", + secret = "my-secret-key" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") @@ -1031,16 +1010,13 @@ hello world local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-HS512" - local consumer = { - auth_conf = { - key = "user-key-HS512", - algorithm = "HS512", - secret = "my-secret-key" - } + local auth_conf = { + key = "user-key-HS512", + algorithm = "HS512", + secret = "my-secret-key" } local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") - local sign = gen_token(key, consumer, payload) + local sign = gen_token(auth_conf, payload) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
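Review bot: The fixture in the `@@ -862` hunk now stores an `RSA PRIVATE KEY` PEM under `public_key` (previously a public-key PEM sat under `private_key`), which only makes sense as a negative test, but the response expectation for this case lies outside the hunk so I cannot see what it asserts. Please confirm the expectation still pins a rejection (consumer creation failing, or the later verification returning the jwt error) rather than `passed`/`hello world`; if the schema accepted this and verification merely errored with a different message, the expected-body lines need updating to match. A test that proves private-key material in `public_key` is refused is worth keeping explicit, since that misconfiguration is exactly the kind of thing an operator copy-pastes.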
@@ -1258,16 +1234,13 @@ passed local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key-es256" - local consumer = { - auth_conf = { - key = "user-key-es256", - algorithm = "ES256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----" - } + local auth_conf = { + key = "user-key-es256", + algorithm = "ES256", + public_key = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----", + private_key = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") diff --git a/t/plugin/jwt-auth2.t b/t/plugin/jwt-auth2.t index dc381a27b6af..e38e92eceb38 100644 --- a/t/plugin/jwt-auth2.t +++ b/t/plugin/jwt-auth2.t 
@@ -258,17 +258,14 @@ hello world end local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "test-jwt-a" - local consumer = { - auth_conf = { - exp = 1, - algorithm = "HS256", - base64_secret = false, - secret = "test-jwt-secret", - key = "test-jwt-a" - } + local auth_conf = { + exp = 1, + algorithm = "HS256", + base64_secret = false, + secret = "test-jwt-secret", + key = "test-jwt-a" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") @@ -416,18 +413,15 @@ qr/ailed to verify jwt: 'exp' claim expired at/ -- get JWT token local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "test-jwt-a" - local consumer = { - auth_conf = { - exp = 1, - algorithm = "HS256", - base64_secret = false, - secret = "test-jwt-secret", - key = "test-jwt-a", - lifetime_grace_period = 2 - } + local auth_conf = { + exp = 1, + algorithm = "HS256", + base64_secret = false, + secret = "test-jwt-secret", + key = "test-jwt-a", + lifetime_grace_period = 2 } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index ba6b9ca775e4..3f6faa31d5c1 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t @@ -522,14 +522,11 @@ passed content_by_lua_block { local t = require("lib.test_admin").test local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key" - local consumer = { - auth_conf = { - key = "user-key", - secret = "my-secret-key" - } + local auth_conf = { + key = "user-key", + secret = "my-secret-key" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") 
@@ -612,14 +609,11 @@ hello world ngx.sleep(0.1) local gen_token = require("apisix.plugins.jwt-auth").gen_token - local key = "user-key" - local consumer = { - auth_conf = { - key = "user-key", - secret = "my-secret-key" - } + local auth_conf = { + key = "user-key", + secret = "my-secret-key" } - local sign = gen_token(key, consumer) + local sign = gen_token(auth_conf) if not sign then ngx.status = 500 ngx.say("failed to gen_token") From f11dec56fe1000ed1f26dede556289c326211c8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Tue, 24 Sep 2024 22:58:55 +0800 Subject: [PATCH 14/29] fix test_http.py --- t/perf/test_http.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/t/perf/test_http.py b/t/perf/test_http.py index c3bd2df7ea4d..e7d7178b79f0 100755 --- a/t/perf/test_http.py +++ b/t/perf/test_http.py @@ -57,7 +57,7 @@ def create_conf(): for i in range(RULE_SIZE): i = str(i) consumers.append({ - "username": "jack" + i, + "username": "jack" + i }) routes.append({ "upstream_id": 1, @@ -139,7 +139,6 @@ def setUp(self): def test_perf(self): script = os.path.join(self.tempdir, "wrk.lua") with open(script, "w") as f: - sign_list = ",\n".join(signs) s = """ function request() local i = math.random(%s) - 1 From 45002a389a57e0a11c7a3aa546bdcc5c699fd583 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 09:20:31 +0800 Subject: [PATCH 15/29] remove 1 line comment --- apisix/plugins/jwt-auth.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 7e2f9180b7d9..b36247b7a837 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -137,7 +137,6 @@ function _M.check_schema(conf, schema_type) end if conf.algorithm == "RS256" or conf.algorithm == "ES256" then - -- Possible options is: public key is missing if not conf.public_key then return false, "missing valid public key" end 
From 544174b280ddeb03355a52e05990edb57f5a17bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?=
Date: Wed, 25 Sep 2024 10:52:47 +0800
Subject: [PATCH 16/29] refactor gen_token

---
apisix/plugins/jwt-auth.lua | 179 ++++++++++++++++--------------------
1 file changed, 77 insertions(+), 102 deletions(-)

diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua
index b36247b7a837..d81ac2f1baea 100644
--- a/apisix/plugins/jwt-auth.lua
+++ b/apisix/plugins/jwt-auth.lua
@@ -224,105 +224,13 @@ local function get_secret(conf) return secret end - -local function get_rsa_or_ecdsa_keypair(conf) - local public_key = conf.public_key - local private_key = conf.private_key - - if not public_key then - return nil, nil, "missing public key" - end - return public_key, private_key -end - - -local function get_real_payload(key, auth_conf, payload) - local real_payload = { - key = key, - exp = ngx_time() + auth_conf.exp - } - if payload then - local extra_payload = core.json.decode(payload) - core.table.merge(extra_payload, real_payload) - return extra_payload - end - return real_payload -end - - -local function sign_jwt_with_HS(key, consumer, payload) - local auth_secret, err = get_secret(consumer.auth_conf) - if not auth_secret then - core.log.error("failed to sign jwt, err: ", err) - return nil, "failed to sign jwt: failed to get auth_secret" - end - local ok, jwt_token = pcall(jwt.sign, _M, - auth_secret, - { - header = { - typ = "JWT", - alg = consumer.auth_conf.algorithm - }, - payload = get_real_payload(key, consumer.auth_conf, payload) - } - ) - if not ok then - core.log.error("failed to sign jwt, err: ", jwt_token.reason) - return nil, "failed to sign jwt" - end - return jwt_token -end - - -local function sign_jwt_with_RS256_ES256(key, consumer, payload) - local public_key, private_key, err = get_rsa_or_ecdsa_keypair( - consumer.auth_conf - ) - if not public_key then - core.log.error("failed to sign jwt, err: ", err) - return nil, "missing public_key" - end - if not private_key then - core.log.error("failed to sign jwt, err: ", err) - return nil, "missing private_key" - end - - local ok, jwt_token = pcall(jwt.sign, _M, - private_key, - { - header = { - typ = "JWT", - alg = consumer.auth_conf.algorithm, - x5c = { - public_key, - } - }, - payload = get_real_payload(key, consumer.auth_conf, payload) - } - ) - if not ok then - core.log.warn("failed to sign jwt, err: ", jwt_token.reason) - return nil, "failed to sign jwt" - end - return 
jwt_token -end - -- introducing method_only flag (returns respective signing method) to save http API calls. -local function algorithm_handler(consumer, method_only) - if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256" - or consumer.auth_conf.algorithm == "HS512" then - if method_only then - return sign_jwt_with_HS - end - - return get_secret(consumer.auth_conf) - elseif consumer.auth_conf.algorithm == "RS256" or consumer.auth_conf.algorithm == "ES256" then - if method_only then - return sign_jwt_with_RS256_ES256 - end - - local public_key, _, err = get_rsa_or_ecdsa_keypair(consumer.auth_conf) - return public_key, err +local function get_auth_secret(auth_conf) + if not auth_conf.algorithm or auth_conf.algorithm == "HS256" + or auth_conf.algorithm == "HS512" then + return get_secret(auth_conf) + elseif auth_conf.algorithm == "RS256" or auth_conf.algorithm == "ES256" then + return auth_conf.public_key end end @@ -359,7 +267,7 @@ function _M.rewrite(conf, ctx) end core.log.info("consumer: ", core.json.delay_encode(consumer)) - local auth_secret, err = algorithm_handler(consumer) + local auth_secret, err = get_auth_secret(consumer.auth_conf) if not auth_secret then core.log.error("failed to retrieve secrets, err: ", err) return 503, {message = "failed to verify jwt"} 
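Review bot: `get_auth_secret` never returns an error string, so the caller in the next hunk, `core.log.error("failed to retrieve secrets, err: ", err)`, now logs `nil` for the two failure cases that used to carry a reason: an RS256/ES256 consumer whose `public_key` is nil (the removed `get_rsa_or_ecdsa_keypair` returned "missing public key"), and an `algorithm` outside the four handled values, which falls off the end of the if-chain. Both still fail closed with the 503 the caller returns, which is the right outcome, but the operator loses the diagnostic; `check_schema` (earlier in this series) rejects a missing `public_key` for RS256/ES256, so the explicit return is defense in depth rather than the only guard. I would make the reason explicit in both branches, as below. The `rewrite` function that consumes this value starts and ends outside the hunk.
```lua
local function get_auth_secret(auth_conf)
    local alg = auth_conf.algorithm
    if not alg or alg == "HS256" or alg == "HS512" then
        return get_secret(auth_conf)
    elseif alg == "RS256" or alg == "ES256" then
        if not auth_conf.public_key then
            return nil, "missing public key"
        end
        return auth_conf.public_key
    end
    return nil, "unsupported algorithm: " .. tostring(alg)
end
```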
@@ -380,7 +288,72 @@ function _M.rewrite(conf, ctx) end -function _M.gen_token(auth_conf, payload) +local function get_real_payload(key, exp, payload) + local real_payload = { + key = key, + exp = ngx_time() + exp + } + if payload then + local extra_payload = core.json.decode(payload) + core.table.merge(extra_payload, real_payload) + return extra_payload + end + return real_payload +end + +local function sign_jwt_with_HS(key, auth_conf, payload) + local auth_secret, err = get_secret(auth_conf) + if not auth_secret then + core.log.error("failed to sign jwt, err: ", err) + return nil, "failed to sign jwt: failed to get auth_secret" + end + local ok, jwt_token = pcall(jwt.sign, _M, + auth_secret, + { + header = { + typ = "JWT", + alg = auth_conf.algorithm + }, + payload = get_real_payload(key, auth_conf.exp, payload) + } + ) + if not ok then + core.log.error("failed to sign jwt, err: ", jwt_token.reason) + return nil, "failed to sign jwt" + end + return jwt_token +end + +local function sign_jwt_with_RS256_ES256(key, auth_conf, payload) + local ok, jwt_token = pcall(jwt.sign, _M, + auth_conf.private_key, + { + header = { + typ = "JWT", + alg = consumer.auth_conf.algorithm, + x5c = { + auth_conf.public_key, + } + }, + payload = get_real_payload(key, auth_conf.exp, payload) + } + ) + if not ok then + core.log.warn("failed to sign jwt, err: ", jwt_token.reason) + return nil, "failed to sign jwt" + end + return jwt_token +end + +local function get_sign_handler(algorithm) + if not algorithm or algorithm == "HS256" or algorithm == "HS512" then + return sign_jwt_with_HS + elseif algorithm == "RS256" or algorithm == "ES256" then + return sign_jwt_with_RS256_ES256 + end +end + +local function gen_token(auth_conf, payload) if not auth_conf.exp then auth_conf.exp = 86400 end 
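Review bot: `sign_jwt_with_RS256_ES256` drops the explicit `private_key` guard the removed code had and hands `auth_conf.private_key` straight to `pcall(jwt.sign, …)`; with a nil key the only diagnostic is `jwt_token.reason`, which is nil whenever the raised error is a plain string, so the log just says "failed to sign jwt, err: nil". I would restore the check at the top of the function: `if not auth_conf.private_key then return nil, "missing private_key" end`. In `get_real_payload`, the result of `core.json.decode(payload)` is passed to `core.table.merge` unchecked; if decode follows the usual `nil, err` convention on malformed JSON, the merge raises an index error, and because the payload is built as an argument to `pcall` that error escapes the pcall entirely — a `local extra_payload, err = core.json.decode(payload)` with a nil check (and callers propagating it) would turn that into the `nil, err` pair the callers already handle. The merge order itself is right and should stay: `core.table.merge(extra_payload, real_payload)` lets the consumer's `key` and `exp` overwrite anything the caller put in `payload`, so a caller-supplied claim cannot mint a token for another consumer key. Note also that `alg = consumer.auth_conf.algorithm` references an undefined `consumer` here (an index on a nil global, evaluated before the pcall); PATCH 18 later in this series corrects it to `auth_conf.algorithm`.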
@@ -390,10 +363,12 @@ function _M.gen_token(auth_conf, payload) if not auth_conf.algorithm then auth_conf.algorithm = "HS256" end - local sign_handler = algorithm_handler({ auth_conf = auth_conf }, true) - local jwt_token, err = sign_handler(auth_conf.key, { auth_conf = auth_conf }, payload) + local sign_handler = get_sign_handler(auth_conf.algorithm) + local jwt_token, err = sign_handler(auth_conf.key, auth_conf, payload) return jwt_token, err end +_M.gen_token = gen_token + return _M From e1e1c3f595c0c12629094900016d527c1c7ad614 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 10:58:51 +0800 Subject: [PATCH 17/29] remove useless comment --- apisix/plugins/jwt-auth.lua | 1 - 1 file changed, 1 deletion(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index d81ac2f1baea..abfe0545d0b3 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -224,7 +224,6 @@ local function get_secret(conf) return secret end --- introducing method_only flag (returns respective signing method) to save http API calls. local function get_auth_secret(auth_conf) if not auth_conf.algorithm or auth_conf.algorithm == "HS256" or auth_conf.algorithm == "HS512" then From 21bb26cac63f4861336c8e53d365da7c972fc363 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 11:34:13 +0800 Subject: [PATCH 18/29] typo --- apisix/plugins/jwt-auth.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index abfe0545d0b3..01d7e2a5c0f9 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -329,7 +329,7 @@ local function sign_jwt_with_RS256_ES256(key, auth_conf, payload) { header = { typ = "JWT", - alg = consumer.auth_conf.algorithm, + alg = auth_conf.algorithm, x5c = { auth_conf.public_key, } From bccbeda3dbaadde1d539cc2b481eab9e68909014 Mon Sep 17 00:00:00 2001 
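Review bot: `local sign_handler = get_sign_handler(auth_conf.algorithm)` is called on the next line without a nil check, and get_sign_handler returns nothing for an algorithm outside HS256/HS512/RS256/ES256, so gen_token raises an attempt-to-call-nil error instead of the `nil, err` pair it returns otherwise. The defaulting to `"HS256"` just above only covers a missing algorithm, not an unsupported one. Inserting `if not sign_handler then return nil, "unsupported algorithm: " .. tostring(auth_conf.algorithm) end` between the two lines closes the gap; the copy of gen_token in t/lib/apisix/plugins/jwt-auth.lua added by PATCH 22 below has the same gap. gen_token starts outside this hunk.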
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 13:45:15 +0800 Subject: [PATCH 19/29] Update apisix/plugins/jwt-auth.lua Co-authored-by: Nic --- apisix/plugins/jwt-auth.lua | 1 + 1 file changed, 1 insertion(+) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 01d7e2a5c0f9..e41b5eced0c6 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -367,6 +367,7 @@ local function gen_token(auth_conf, payload) return jwt_token, err end +-- only for test _M.gen_token = gen_token From 5971c5655ea6a8317a6cbf5f3c5e1eca9e5ec620 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 15:01:40 +0800 Subject: [PATCH 20/29] batch-requests plugin API as the public-api example --- docs/en/latest/plugin-develop.md | 12 +-- docs/en/latest/plugins/public-api.md | 95 ++++++++++++++++------- docs/zh/latest/plugin-develop.md | 12 +-- docs/zh/latest/plugins/public-api.md | 111 ++++++++++++++++++--------- 4 files changed, 157 insertions(+), 73 deletions(-) diff --git a/docs/en/latest/plugin-develop.md b/docs/en/latest/plugin-develop.md index d42f7f0ce8a3..4d0c154c8c7d 100644 --- a/docs/en/latest/plugin-develop.md +++ b/docs/en/latest/plugin-develop.md 
@@ -439,21 +439,21 @@ end ## register public API -A plugin can register API which exposes to the public. Take wolf-rbac plugin as an example, this plugin registers `POST /apisix/plugin/wolf-rbac/login` to allow a client to login and get the wolf rbac_token: +A plugin can register API which exposes to the public. Take batch-requests plugin as an example, this plugin registers `POST /apisix/batch-requests` to allow developers to group multiple API requests into a single HTTP request/response cycle: ```lua -function wolf_rbac_login() +function batch_requests() -- ... end function _M.api() + -- ... return { { methods = {"POST"}, - uri = "/apisix/plugin/wolf-rbac/login", - handler = wolf_rbac_login, - }, - -- ... + uri = "/apisix/batch-requests", + handler = batch_requests, + } } end ``` diff --git a/docs/en/latest/plugins/public-api.md b/docs/en/latest/plugins/public-api.md index d1c4acbd8e1f..6d1034119cd7 100644 --- a/docs/en/latest/plugins/public-api.md +++ b/docs/en/latest/plugins/public-api.md @@ -30,7 +30,7 @@ description: The public-api is used for exposing an API endpoint through a gener The `public-api` is used for exposing an API endpoint through a general HTTP API router. -When you are using custom Plugins, you can use the `public-api` Plugin to define a fixed, public API for a particular functionality. For example, you can create a public API endpoint `/apisix/plugin/wolf-rbac/login` for wolf-rbac using the [wolf-rbac](./wolf-rbac.md) Plugin. +When you are using custom Plugins, you can use the `public-api` Plugin to define a fixed, public API for a particular functionality. For example, you can create a public API endpoint `/apisix/batch-requests` for grouping multiple API requests in one request using the [batch-requests](./batch-requests.md) Plugin. :::note 
@@ -46,9 +46,7 @@ The public API added in a custom Plugin is not exposed by default and the user s ## Example usage -The example below uses the [wolf-rbac](./wolf-rbac.md) Plugin and the [key-auth](./key-auth.md) Plugin along with the `public-api` Plugin. Refer to their documentation for its configuration. This step is omitted below and only explains the configuration of the `public-api` Plugin. - -Note: 使用 [wolf-rbac](./wolf-rbac.md) 插件的需要一些前提条件 [wolf-rbac](./wolf-rbac.md#pre-requisites) +The example below uses the [batch-requests](./batch-requests.md) Plugin and the [key-auth](./key-auth.md) Plugin along with the `public-api` Plugin. Refer to their documentation for its configuration. This step is omitted below and only explains the configuration of the `public-api` Plugin. ### Basic usage 
@@ -59,19 +57,66 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \ -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/apisix/plugin/wolf-rbac/login", - "plugins": { + "uri": "/apisix/batch-requests", + "plugins": { "public-api": {} } }' ``` -Now, if you make a request to the configured URI, you will receive a rbac_token response: +Now, if you make a request to the configured URI, you will receive a batch-requests response: + +```shell +curl --location --request POST 'http://127.0.0.1:9080/apisix/batch-requests' \ +--header 'Content-Type: application/json' \ +--data '{ + "headers": { + "Content-Type": "application/json", + "admin-jwt":"xxxx" + }, + "timeout": 500, + "pipeline": [ + { + "method": "POST", + "path": "/community.GiftSrv/GetGifts", + "body": "test" + }, + { + "method": "POST", + "path": "/community.GiftSrv/GetGifts", + "body": "test2" + } + ] +}' +``` ```shell -curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \ - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' +[ + { + "status": 200, + "reason": "OK", + "body": "{\"ret\":500,\"msg\":\"error\",\"game_info\":null,\"gift\":[],\"to_gets\":0,\"get_all_msg\":\"\"}", + "headers": { + "Connection": "keep-alive", + "Date": "Sat, 11 Apr 2020 17:53:20 GMT", + "Content-Type": "application/json", + "Content-Length": "81", + "Server": "APISIX web server" + } + }, + { + "status": 200, + "reason": "OK", + "body": "{\"ret\":500,\"msg\":\"error\",\"game_info\":null,\"gift\":[],\"to_gets\":0,\"get_all_msg\":\"\"}", + "headers": { + "Connection": "keep-alive", + "Date": "Sat, 11 Apr 2020 17:53:20 GMT", + "Content-Type": "application/json", + "Content-Length": "81", + "Server": "APISIX web server" + } + } +] ``` ### Using custom URI 
@@ -83,10 +128,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/wolf-rbac-login", - "plugins": { + "uri": "/batch-requests-gifs", + "plugins": { "public-api": { - "uri": "/apisix/plugin/wolf-rbac/login" + "uri": "/apisix/batch-requests" } } }' @@ -95,9 +140,9 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ Now you can make requests to this new endpoint: ```shell -curl http://127.0.0.1:9080/wolf-rbac-login -i \ - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' +curl --location --request POST 'http://127.0.0.1:9080/batch-requests-gifs' \ +--header 'Content-Type: application/json' \ +--data '{...}' ``` ### Securing the Route @@ -109,11 +154,9 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/wolf-rbac-login", + "uri": "/batch-requests-gifs", "plugins": { - "public-api": { - "uri": "/apisix/plugin/wolf-rbac/login" - }, + "public-api": {}, "key-auth": {} } }' @@ -122,10 +165,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ Now, only authenticated requests are allowed: ```shell -curl http://127.0.0.1:9080/wolf-rbac-login -i \ +curl --location --request POST 'http://127.0.0.1:9080/batch-requests-gifs' \ -H "apikey: test-apikey" - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' + -H 'Content-Type: application/json' \ + --data '{...}' ``` ```shell 
@@ -135,9 +178,9 @@ HTTP/1.1 200 OK The below request will fail: ```shell -curl http://127.0.0.1:9080/wolf-rbac-login -i \ - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' +curl --location --request POST 'http://127.0.0.1:9080/batch-requests-gifs' \ + -H 'Content-Type: application/json' \ + --data '{...}' ``` ```shell diff --git a/docs/zh/latest/plugin-develop.md b/docs/zh/latest/plugin-develop.md index 1c78961d2cf3..e1f64e16b53d 100644 --- a/docs/zh/latest/plugin-develop.md +++ b/docs/zh/latest/plugin-develop.md @@ -417,21 +417,21 @@ end ## 注册公共接口 -插件可以注册暴露给公网的接口。以 wolf-rbac 插件为例,这个插件为了让客户端能够登录获取 wolf rbac_token,注册了 `POST /apisix/plugin/wolf-rbac/login` 等接口: +插件可以注册暴露给公网的接口。以 batch-requests 插件为例,这个插件注册了 `POST /apisix/batch-requests` 接口,让客户端可以将多个 API 请求组合在一个请求/响应中: ```lua -function wolf_rbac_login() +function batch_requests() -- ... end function _M.api() + -- ... return { { methods = {"POST"}, - uri = "/apisix/plugin/wolf-rbac/login", - handler = wolf_rbac_login, - }, - -- ... + uri = "/apisix/batch-requests", + handler = batch_requests, + } } end ``` diff --git a/docs/zh/latest/plugins/public-api.md b/docs/zh/latest/plugins/public-api.md index cd450f45c1a6..56abc253237a 100644 --- a/docs/zh/latest/plugins/public-api.md +++ b/docs/zh/latest/plugins/public-api.md @@ -30,7 +30,7 @@ description: 本文介绍了 public-api 的相关操作,你可以使用 public `public-api` 插件可用于通过创建路由的方式暴露用户自定义的 API。 -你可以通过在路由中添加 `public-api` 插件,来保护**自定义插件为了实现特定功能**而暴露的 API。例如,你可以使用 [`wolf-rbac`](./wolf-rbac.md) 插件创建一个公共 API 端点 `/apisix/plugin/wolf-rbac/login` 用于登录获取 wolf rbac_token。 +你可以通过在路由中添加 `public-api` 插件,来保护**自定义插件为了实现特定功能**而暴露的 API。例如,你可以使用 [batch-requests](./batch-requests.md) 插件创建一个公共 API 端点 `/apisix/batch-requests` 用于在一个请求中组合多个 API 请求。 :::note 注意 
@@ -46,13 +46,11 @@ description: 本文介绍了 public-api 的相关操作,你可以使用 public ## 启用插件 -`public-api` 插件需要与授权插件一起配合使用,以下示例分别用到了 [wolf-rbac](./wolf-rbac.md) 插件和 [`key-auth`](./key-auth.md) - -注意:使用 [wolf-rbac](./wolf-rbac.md) 需要实现一些前提条件 [wolf-rbac](./wolf-rbac.md#前提条件) +`public-api` 插件需要与授权插件一起配合使用,以下示例分别用到了 [batch-requests](./batch-requests.md) 插件和 [`key-auth`](./key-auth.md) ### 基本用法 -首先,你需要启用并配置 `wolf-rbac` 插件,详细使用方法请参考 [wolf-rbac](./wolf-rbac.md) 插件文档。 +首先,你需要启用并配置 `batch-requests` 插件,详细使用方法请参考 [batch-requests](./batch-requests.md) 插件文档。 然后,使用以下命令在指定路由上启用并配置 `public-api` 插件: @@ -68,11 +66,11 @@ admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"/ ```shell curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \ - -H "X-API-KEY: $admin_key" \ + -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/apisix/plugin/wolf-rbac/login", - "plugins": { + "uri": "/apisix/batch-requests", + "plugins": { "public-api": {} } }' 
@@ -80,29 +78,76 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r1' \ **测试插件** -向配置的 URI 发出访问请求,会返回一个包含 wolf rbac_token 的响应: +向配置的 URI 发出访问请求,会返回一个包含多个 API 请求结果的的响应: ```shell -curl http://127.0.0.1:9080/apisix/plugin/wolf-rbac/login -i \ - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' +curl --location --request POST 'http://127.0.0.1:9080/apisix/batch-requests' \ +--header 'Content-Type: application/json' \ +--data '{ + "headers": { + "Content-Type": "application/json", + "admin-jwt":"xxxx" + }, + "timeout": 500, + "pipeline": [ + { + "method": "POST", + "path": "/community.GiftSrv/GetGifts", + "body": "test" + }, + { + "method": "POST", + "path": "/community.GiftSrv/GetGifts", + "body": "test2" + } + ] +}' +``` + +```shell +[ + { + "status": 200, + "reason": "OK", + "body": "{\"ret\":500,\"msg\":\"error\",\"game_info\":null,\"gift\":[],\"to_gets\":0,\"get_all_msg\":\"\"}", + "headers": { + "Connection": "keep-alive", + "Date": "Sat, 11 Apr 2020 17:53:20 GMT", + "Content-Type": "application/json", + "Content-Length": "81", + "Server": "APISIX web server" + } + }, + { + "status": 200, + "reason": "OK", + "body": "{\"ret\":500,\"msg\":\"error\",\"game_info\":null,\"gift\":[],\"to_gets\":0,\"get_all_msg\":\"\"}", + "headers": { + "Connection": "keep-alive", + "Date": "Sat, 11 Apr 2020 17:53:20 GMT", + "Content-Type": "application/json", + "Content-Length": "81", + "Server": "APISIX web server" + } + } +] ``` ### 使用自定义 URI -首先,你需要启用并配置 `jwt-auth` 插件,详细使用方法请参考 [`jwt-auth`](./jwt-auth.md) 插件文档。 +首先,你需要启用并配置 `batch-requests` 插件,详细使用方法请参考 [batch-requests](./batch-requests.md) 插件文档。 然后,你可以使用一个自定义的 URI 来暴露 API: ```shell curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ - -H "X-API-KEY: $admin_key" \ + -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/wolf-rbac-login", - "plugins": { + "uri": "/batch-requests-gifs", + "plugins": { "public-api": { - 
"uri": "/apisix/plugin/wolf-rbac/login" + "uri": "/apisix/batch-requests" } } }' @@ -110,12 +155,12 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ **测试插件** -向自定义的 URI 发出访问请求,如果返回一个包含 JWT Token 的响应,则代表插件生效: +向自定义的 URI 发出访问请求,如果返回一个包含多个 API 请求结果的响应,则代表插件生效: ```shell -curl http://127.0.0.1:9080/wolf-rbac-login -i \ - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' +curl --location --request POST 'http://127.0.0.1:9080/batch-requests-gifs' \ +--header 'Content-Type: application/json' \ +--data '{...}' ``` ### 确保 Route 安全 @@ -124,17 +169,13 @@ curl http://127.0.0.1:9080/wolf-rbac-login -i \ ```shell curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ - -H "X-API-KEY: $admin_key" \ + -H 'X-API-KEY: ' \ -H 'Content-Type: application/json' \ -d '{ - "uri": "/wolf-rbac-login", + "uri": "/batch-requests-gifs", "plugins": { - "public-api": { - "uri": "/apisix/plugin/wolf-rbac/login" - }, - "key-auth": { - "key": "test-apikey" - } + "public-api": {}, + "key-auth": {} } }' ``` @@ -146,10 +187,10 @@ curl -X PUT 'http://127.0.0.1:9180/apisix/admin/routes/r2' \ 发出访问请求并指定 `apikey`,如果返回 `200` HTTP 状态码,则说明请求被允许: ```shell -curl http://127.0.0.1:9080/wolf-rbac-login -i \ +curl --location --request POST 'http://127.0.0.1:9080/batch-requests-gifs' \ -H "apikey: test-apikey" - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' + -H 'Content-Type: application/json' \ + --data '{...}' ``` ```shell @@ -159,9 +200,9 @@ HTTP/1.1 200 OK 发出访问请求,如果返回 `401` HTTP 状态码,则说明请求被阻止,插件生效: ```shell -curl http://127.0.0.1:9080/wolf-rbac-login -i \ - -H "Content-Type: application/json" \ - -d '{"appid": "restful", "username":"test", "password":"user-password", "authType":1}' +curl --location --request POST 'http://127.0.0.1:9080/batch-requests-gifs' \ + -H 'Content-Type: application/json' \ + --data '{...}' ``` ```shell 
From 9f0c3f33b0e7325b4ddd2540cf305b0dd6f68f3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 15:05:21 +0800 Subject: [PATCH 21/29] remove redundant schema validation --- apisix/plugins/jwt-auth.lua | 6 ------ 1 file changed, 6 deletions(-) diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index e41b5eced0c6..0b3a7eb8960b 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -136,12 +136,6 @@ function _M.check_schema(conf, schema_type) end end - if conf.algorithm == "RS256" or conf.algorithm == "ES256" then - if not conf.public_key then - return false, "missing valid public key" - end - end - return true end From 80a7c7fbc38e3a95c9f2c4d6bd44a324376aa846 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 16:21:56 +0800 Subject: [PATCH 22/29] remove code for test from jwt-auth.lua --- apisix/plugins/jwt-auth.lua | 86 --------------------- t/fips/jwt-auth.t | 6 +- t/lib/apisix/plugins/jwt-auth.lua | 122 ++++++++++++++++++++++++++++++ t/plugin/jwt-auth.t | 18 ++--- t/plugin/jwt-auth2.t | 4 +- t/plugin/multi-auth.t | 4 +- 6 files changed, 138 insertions(+), 102 deletions(-) create mode 100644 t/lib/apisix/plugins/jwt-auth.lua diff --git a/apisix/plugins/jwt-auth.lua b/apisix/plugins/jwt-auth.lua index 0b3a7eb8960b..740efcdc6b4e 100644 --- a/apisix/plugins/jwt-auth.lua +++ b/apisix/plugins/jwt-auth.lua @@ -23,13 +23,11 @@ local new_tab = require ("table.new") local ngx_encode_base64 = ngx.encode_base64 local ngx_decode_base64 = ngx.decode_base64 local ngx = ngx -local ngx_time = ngx.time local sub_str = string.sub local table_insert = table.insert local table_concat = table.concat local ngx_re_gmatch = ngx.re.gmatch local plugin_name = "jwt-auth" -local pcall = pcall local schema = { 
@@ -281,88 +279,4 @@ function _M.rewrite(conf, ctx) end -local function get_real_payload(key, exp, payload) - local real_payload = { - key = key, - exp = ngx_time() + exp - } - if payload then - local extra_payload = core.json.decode(payload) - core.table.merge(extra_payload, real_payload) - return extra_payload - end - return real_payload -end - -local function sign_jwt_with_HS(key, auth_conf, payload) - local auth_secret, err = get_secret(auth_conf) - if not auth_secret then - core.log.error("failed to sign jwt, err: ", err) - return nil, "failed to sign jwt: failed to get auth_secret" - end - local ok, jwt_token = pcall(jwt.sign, _M, - auth_secret, - { - header = { - typ = "JWT", - alg = auth_conf.algorithm - }, - payload = get_real_payload(key, auth_conf.exp, payload) - } - ) - if not ok then - core.log.error("failed to sign jwt, err: ", jwt_token.reason) - return nil, "failed to sign jwt" - end - return jwt_token -end - -local function sign_jwt_with_RS256_ES256(key, auth_conf, payload) - local ok, jwt_token = pcall(jwt.sign, _M, - auth_conf.private_key, - { - header = { - typ = "JWT", - alg = auth_conf.algorithm, - x5c = { - auth_conf.public_key, - } - }, - payload = get_real_payload(key, auth_conf.exp, payload) - } - ) - if not ok then - core.log.warn("failed to sign jwt, err: ", jwt_token.reason) - return nil, "failed to sign jwt" - end - return jwt_token -end - -local function get_sign_handler(algorithm) - if not algorithm or algorithm == "HS256" or algorithm == "HS512" then - return sign_jwt_with_HS - elseif algorithm == "RS256" or algorithm == "ES256" then - return sign_jwt_with_RS256_ES256 - end -end - -local function gen_token(auth_conf, payload) - if not auth_conf.exp then - auth_conf.exp = 86400 - end - if not auth_conf.lifetime_grace_period then - auth_conf.lifetime_grace_period = 0 - end - if not auth_conf.algorithm then - auth_conf.algorithm = "HS256" - end - local sign_handler = get_sign_handler(auth_conf.algorithm) - local jwt_token, err = 
sign_handler(auth_conf.key, auth_conf, payload) - return jwt_token, err -end - --- only for test -_M.gen_token = gen_token - - return _M diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t index a7b55aae74d0..077e39e1e72a 100644 --- a/t/fips/jwt-auth.t +++ b/t/fips/jwt-auth.t @@ -100,7 +100,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", @@ -193,7 +193,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", @@ -226,7 +226,7 @@ JWT token invalid: invalid jwt string location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", diff --git a/t/lib/apisix/plugins/jwt-auth.lua b/t/lib/apisix/plugins/jwt-auth.lua new file mode 100644 index 000000000000..56b5b1f3326d --- /dev/null +++ b/t/lib/apisix/plugins/jwt-auth.lua 
@@ -0,0 +1,122 @@ +-- +-- Licensed to the Apache Software Foundation (ASF) under one or more +-- contributor license agreements. See the NOTICE file distributed with +-- this work for additional information regarding copyright ownership. +-- The ASF licenses this file to You under the Apache License, Version 2.0 +-- (the "License"); you may not use this file except in compliance with +-- the License. You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +local core = require("apisix.core") +local jwt = require("resty.jwt") + +local ngx_time = ngx.time +local ngx_decode_base64 = ngx.decode_base64 +local pcall = pcall + + +local _M = {} + + +local function get_secret(conf) + local secret = conf.secret + + if conf.base64_secret then + return ngx_decode_base64(secret) + end + + return secret +end + +local function get_real_payload(key, exp, payload) + local real_payload = { + key = key, + exp = ngx_time() + exp + } + if payload then + local extra_payload = core.json.decode(payload) + core.table.merge(extra_payload, real_payload) + return extra_payload + end + return real_payload +end + +local function sign_jwt_with_HS(key, auth_conf, payload) + local auth_secret, err = get_secret(auth_conf) + if not auth_secret then + core.log.error("failed to sign jwt, err: ", err) + return nil, "failed to sign jwt: failed to get auth_secret" + end + local ok, jwt_token = pcall(jwt.sign, _M, + auth_secret, + { + header = { + typ = "JWT", + alg = auth_conf.algorithm + }, + payload = get_real_payload(key, auth_conf.exp, payload) + } + ) + if not ok then + core.log.error("failed to sign jwt, err: ", jwt_token.reason) + 
return nil, "failed to sign jwt" + end + return jwt_token +end + +local function sign_jwt_with_RS256_ES256(key, auth_conf, payload) + local ok, jwt_token = pcall(jwt.sign, _M, + auth_conf.private_key, + { + header = { + typ = "JWT", + alg = auth_conf.algorithm, + x5c = { + auth_conf.public_key, + } + }, + payload = get_real_payload(key, auth_conf.exp, payload) + } + ) + if not ok then + core.log.error("failed to sign jwt, err: ", jwt_token.reason) + return nil, "failed to sign jwt" + end + return jwt_token +end + +local function get_sign_handler(algorithm) + if not algorithm or algorithm == "HS256" or algorithm == "HS512" then + return sign_jwt_with_HS + elseif algorithm == "RS256" or algorithm == "ES256" then + return sign_jwt_with_RS256_ES256 + end +end + +local function gen_token(auth_conf, payload) + if not auth_conf.exp then + auth_conf.exp = 86400 + end + if not auth_conf.lifetime_grace_period then + auth_conf.lifetime_grace_period = 0 + end + if not auth_conf.algorithm then + auth_conf.algorithm = "HS256" + end + local sign_handler = get_sign_handler(auth_conf.algorithm) + local jwt_token, err = sign_handler(auth_conf.key, auth_conf, payload) + return jwt_token, err +end + + +_M.gen_token = gen_token + +return _M diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 49cc9fe504e6..b57a819d94b1 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -332,7 +332,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key", @@ -538,7 +538,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", 
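Review bot: gen_token writes its defaults back into the caller's table (`auth_conf.exp = 86400`, `auth_conf.lifetime_grace_period = 0`, `auth_conf.algorithm = "HS256"`), and `lifetime_grace_period` is never read anywhere in this file, so that assignment is dead while the other two silently change the test's own fixture. Since this helper is now shared by the t/plugin, t/fips and multi-auth tests, cloning first with `auth_conf = core.table.clone(auth_conf)` at the top of gen_token (and dropping the unused default) keeps a reused `auth_conf` untouched. Separately, RFC 7515 defines the `x5c` header as a chain of base64 DER X.509 certificates, so placing the PEM `public_key` there is not a conforming value; the verifier side presumably ignores it, but a one-line comment saying the header is only filled for test fixtures would help the next reader.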
@@ -637,7 +637,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", @@ -672,7 +672,7 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", @@ -769,7 +769,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", @@ -802,7 +802,7 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-rs256", @@ -976,7 +976,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-HS512", @@ -1008,7 +1008,7 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-HS512", @@ -1232,7 +1232,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key-es256", 
diff --git a/t/plugin/jwt-auth2.t b/t/plugin/jwt-auth2.t index e38e92eceb38..965771197271 100644 --- a/t/plugin/jwt-auth2.t +++ b/t/plugin/jwt-auth2.t @@ -257,7 +257,7 @@ hello world ngx.say(body) end - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { exp = 1, algorithm = "HS256", @@ -412,7 +412,7 @@ qr/ailed to verify jwt: 'exp' claim expired at/ end -- get JWT token - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { exp = 1, algorithm = "HS256", diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index 3f6faa31d5c1..5b9ff409cc7a 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t @@ -521,7 +521,7 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key", secret = "my-secret-key" @@ -608,7 +608,7 @@ hello world end ngx.sleep(0.1) - local gen_token = require("apisix.plugins.jwt-auth").gen_token + local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token local auth_conf = { key = "user-key", secret = "my-secret-key" From 46cb2d333dcc7dcf26e638df39594c8e9ee12220 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 22:19:27 +0800 Subject: [PATCH 23/29] gen_jwt_token locally in test_http.py --- t/perf/requirements.txt | 1 + t/perf/test_http.py | 21 +++++++++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/t/perf/requirements.txt b/t/perf/requirements.txt index 932bd69ef8b6..235f349871ae 100644 --- a/t/perf/requirements.txt +++ b/t/perf/requirements.txt @@ -1 +1,2 @@ PyYAML==5.4.1 +pyjwt==2.9.0 
diff --git a/t/perf/test_http.py b/t/perf/test_http.py index e7d7178b79f0..1277478d9cce 100755 --- a/t/perf/test_http.py +++ b/t/perf/test_http.py @@ -28,6 +28,7 @@ import time import unittest import yaml +import jwt RULE_SIZE = 100 @@ -57,7 +58,13 @@ def create_conf(): for i in range(RULE_SIZE): i = str(i) consumers.append({ - "username": "jack" + i + "username": "jack" + i, + "plugins": { + "jwt-auth": { + "key": "user-key-" + i, + "secret": "my-secret-key" + } + } }) routes.append({ "upstream_id": 1, @@ -68,6 +75,8 @@ def create_conf(): "count": 1e8, "time_window": 3600, }, + "jwt-auth": { + }, "proxy-rewrite": { "uri": "/" + i, "headers": { @@ -122,6 +131,9 @@ def create_env(): os.mkdir(os.path.join(temp, "logs")) return temp +def gen_jwt_token(key, secret): + return jwt.encode(payload={"key": key}, key=secret, algorithm="HS256", headers={"typ": "JWT", "alg": "HS256"}) + class TestHTTP(unittest.TestCase): @@ -137,15 +149,20 @@ def setUp(self): self.tempdir = tempdir def test_perf(self): + signs = ['"'+gen_jwt_token("user-key-" + str(i), "my-secret-key")+'"' for i in range (0, RULE_SIZE)] + script = os.path.join(self.tempdir, "wrk.lua") with open(script, "w") as f: + sign_list = ",\n".join(signs) s = """ + signs = {%s} function request() local i = math.random(%s) - 1 wrk.headers["Host"] = "test" .. i .. ".com" + wrk.headers["Authorization"] = signs[i+1] return wrk.format() end - """ % (RULE_SIZE) + """ % (sign_list, RULE_SIZE) f.write(s) # We use https://github.com/giltene/wrk2 subprocess.run(["wrk", From fcc286b8027711b20e4ff03f082b06e61409ca6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 22:42:36 +0800 Subject: [PATCH 24/29] update document: remove descriptions about private_key --- docs/en/latest/plugins/jwt-auth.md | 16 ++++++++++------ docs/zh/latest/plugins/jwt-auth.md | 14 ++++++++++---- t/perf/test_http.py | 2 +- 3 files changed, 21 insertions(+), 11 deletions(-) 
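Review bot: `for i in range (0, RULE_SIZE)` in test_perf has a space before the call parenthesis and a redundant start argument; `range(RULE_SIZE)` is the usual form and matches the loop in create_conf in the first hunk of this file. The explicit `headers={"typ": "JWT", "alg": "HS256"}` in gen_jwt_token duplicates the header PyJWT already emits for `algorithm="HS256"`, so `return jwt.encode({"key": key}, secret, algorithm="HS256")` is equivalent and shorter. test_perf continues past the end of the hunk.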
diff --git a/docs/en/latest/plugins/jwt-auth.md b/docs/en/latest/plugins/jwt-auth.md index c61ee60e0b87..a3522efe730a 100644 --- a/docs/en/latest/plugins/jwt-auth.md +++ b/docs/en/latest/plugins/jwt-auth.md @@ -43,13 +43,12 @@ For Consumer: | key | string | True | | | Unique key for a Consumer. | | secret | string | False | | | The encryption key. If unspecified, auto generated in the background. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | | public_key | string | True if `RS256` or `ES256` is set for the `algorithm` attribute. | | | RSA or ECDSA public key. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | -| private_key | string | True if `RS256` or `ES256` is set for the `algorithm` attribute. | | | RSA or ECDSA private key. This field supports saving the value in Secret Manager using the [APISIX Secret](../terminology/secret.md) resource. | | algorithm | string | False | "HS256" | ["HS256", "HS512", "RS256", "ES256"] | Encryption algorithm. | | exp | integer | False | 86400 | [1,...] | Expiry time of the token in seconds. | | base64_secret | boolean | False | false | | Set to true if the secret is base64 encoded. | | lifetime_grace_period | integer | False | 0 | [0,...] | Define the leeway in seconds to account for clock skew between the server that generated the jwt and the server validating it. Value should be zero (0) or a positive integer. | -NOTE: `encrypt_fields = {"secret", "private_key"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). +NOTE: `encrypt_fields = {"secret"}` is also defined in the schema, which means that the field will be stored encrypted in etcd. See [encrypted storage fields](../plugin-develop.md#encrypted-storage-fields). For Route: 
@@ -62,8 +61,6 @@ For Route: You can implement `jwt-auth` with [HashiCorp Vault](https://www.vaultproject.io/) to store and fetch secrets and RSA keys pairs from its [encrypted KV engine](https://developer.hashicorp.com/vault/docs/secrets/kv) using the [APISIX Secret](../terminology/secret.md) resource. -::: - ## Enable Plugin To enable the Plugin, you have to create a Consumer object with the JWT token and configure your Route to use JWT authentication. @@ -94,7 +91,7 @@ curl http://127.0.0.1:9180/apisix/admin/consumers -H "X-API-KEY: $admin_key" -X :::note -The `jwt-auth` Plugin uses the HS256 algorithm by default. To use the RS256 algorithm, you can configure the public key and private key and specify the algorithm: +The `jwt-auth` Plugin uses the HS256 algorithm by default. To use the RS256 algorithm, you can configure the public key and specify the algorithm: ```shell curl http://127.0.0.1:9180/apisix/admin/consumers -H "X-API-KEY: $admin_key" -X PUT -d ' @@ -104,7 +101,6 @@ curl http://127.0.0.1:9180/apisix/admin/consumers -H "X-API-KEY: $admin_key" -X "jwt-auth": { "key": "user-key", "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----", "algorithm": "RS256" } } @@ -142,6 +138,14 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X P You need first to issue a JWT token using some tool such as [JWT.io's debugger](https://jwt.io/#debugger-io) or a programming language. +:::note + +When you are issuing a JWT token, you have to update the payload with `key` matching the credential key you would like to use; and `exp` or `nbf` in UNIX timestamp. + +e.g. payload=`{"key": "user-key", "exp": 1727274983}` + +::: + You can now use this token while making requests: ```shell diff --git a/docs/zh/latest/plugins/jwt-auth.md b/docs/zh/latest/plugins/jwt-auth.md index 013e3a322f24..78b8c1f06b4d 100644 --- a/docs/zh/latest/plugins/jwt-auth.md 
+++ b/docs/zh/latest/plugins/jwt-auth.md @@ -43,13 +43,12 @@ Consumer 端: | key | string | 是 | | | Consumer 的 `access_key` 必须是唯一的。如果不同 Consumer 使用了相同的 `access_key` ,将会出现请求匹配异常。 | | secret | string | 否 | | | 加密秘钥。如果未指定,后台将会自动生成。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | public_key | string | 否 | | | RSA 或 ECDSA 公钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | -| private_key | string | 否 | | | RSA 或 ECDSA 私钥, `algorithm` 属性选择 `RS256` 或 `ES256` 算法时必选。该字段支持使用 [APISIX Secret](../terminology/secret.md) 资源,将值保存在 Secret Manager 中。 | | algorithm | string | 否 | "HS256" | ["HS256", "HS512", "RS256", "ES256"] | 加密算法。 | | exp | integer | 否 | 86400 | [1,...] | token 的超时时间。 | | base64_secret | boolean | 否 | false | | 当设置为 `true` 时,密钥为 base64 编码。 | | lifetime_grace_period | integer | 否 | 0 | [0,...] | 定义生成 JWT 的服务器和验证 JWT 的服务器之间的时钟偏移。该值应该是零(0)或一个正整数。 | -注意:schema 中还定义了 `encrypt_fields = {"secret", "private_key"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 +注意:schema 中还定义了 `encrypt_fields = {"secret"}`,这意味着该字段将会被加密存储在 etcd 中。具体参考 [加密存储字段](../plugin-develop.md#加密存储字段)。 Route 端: @@ -94,7 +93,7 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \ :::note -`jwt-auth` 默认使用 `HS256` 算法,如果使用 `RS256` 算法,需要指定算法,并配置公钥与私钥,示例如下: +`jwt-auth` 默认使用 `HS256` 算法,如果使用 `RS256` 算法,需要指定算法,并配置公钥,示例如下: ```shell curl http://127.0.0.1:9180/apisix/admin/consumers \ @@ -105,7 +104,6 @@ curl http://127.0.0.1:9180/apisix/admin/consumers \ "jwt-auth": { "key": "user-key", "public_key": "-----BEGIN PUBLIC KEY-----\n……\n-----END PUBLIC KEY-----", - "private_key": "-----BEGIN RSA PRIVATE KEY-----\n……\n-----END RSA PRIVATE KEY-----", "algorithm": "RS256" } } 
@@ -138,6 +136,14 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 \ 首先你需要使用诸如 [JWT.io's debugger](https://jwt.io/#debugger-io) 等工具或编程语言来生成一个 JWT token。 +:::note + +生成 JWT token 时, payload 中 `key` 字段是必要的,值为所要用到的凭证的 key; 且 `exp` 或 `nbf` 至少填写其中一个,值为 UNIX 时间戳. + +示例: payload=`{"key": "user-key", "exp": 1727274983}` + +::: + 现在你可以使用获取到的 token 进行请求尝试 * token 放到请求头中: diff --git a/t/perf/test_http.py b/t/perf/test_http.py index 1277478d9cce..2dcf9c38fc67 100755 --- a/t/perf/test_http.py +++ b/t/perf/test_http.py @@ -132,7 +132,7 @@ def create_env(): return temp def gen_jwt_token(key, secret): - return jwt.encode(payload={"key": key}, key=secret, algorithm="HS256", headers={"typ": "JWT", "alg": "HS256"}) + return jwt.encode(payload={"key": key, "exp": int(time.time())+86400}, key=secret, algorithm="HS256", headers={"typ": "JWT", "alg": "HS256"}) class TestHTTP(unittest.TestCase): From 92cc2733e01da13a36e038a49746f2705708e65e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Wed, 25 Sep 2024 22:48:00 +0800 Subject: [PATCH 25/29] lint doc --- docs/zh/latest/plugins/jwt-auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/zh/latest/plugins/jwt-auth.md b/docs/zh/latest/plugins/jwt-auth.md index 78b8c1f06b4d..88065cb50cd9 100644 --- a/docs/zh/latest/plugins/jwt-auth.md +++ b/docs/zh/latest/plugins/jwt-auth.md @@ -138,9 +138,9 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 \ :::note -生成 JWT token 时, payload 中 `key` 字段是必要的,值为所要用到的凭证的 key; 且 `exp` 或 `nbf` 至少填写其中一个,值为 UNIX 时间戳. +生成 JWT token 时,payload 中 `key` 字段是必要的,值为所要用到的凭证的 key; 且 `exp` 或 `nbf` 至少填写其中一个,值为 UNIX 时间戳。 -示例: payload=`{"key": "user-key", "exp": 1727274983}` +示例:payload=`{"key": "user-key", "exp": 1727274983}` ::: From 9c9b0cfc13d09ae990f9f83ea2d6cd8c0588629e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?=
Date: Thu, 26 Sep 2024 00:53:29 +0800
Subject: [PATCH 26/29] Instead of using a local jwt library to generate jwt tokens, use a third-party tool to generate them if you don't have to.
---
 t/fips/jwt-auth.t | 53 +++------------
 t/plugin/jwt-auth.t | 152 ++++++++----------------------------
 t/plugin/multi-auth.t | 25 +------
 3 files changed, 38 insertions(+), 192 deletions(-)
diff --git a/t/fips/jwt-auth.t b/t/fips/jwt-auth.t
index 077e39e1e72a..a289ac3f900e 100644
--- a/t/fips/jwt-auth.t
+++ b/t/fips/jwt-auth.t
@@ -100,21 +100,10 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + + local sign = 
"eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1Gd3dEUVlKS29aSWh2Y05BUUVCQlFBRFN3QXdTQUpCQUtlYkR4bHZRTUd5RWVzQUwxcjFuSUpCa1NkcXUzSHJcbjdub3EvMHVraVpxVlFMU0pQTU92MG94UVN1dHZ2SzNob2lid0dha0RPemEreFJJVEI3Y3MyY0VDQXdFQUFRPT1cbi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLSJdLCJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjcyNzQ5ODMsImtleSI6InVzZXIta2V5LXJzMjU2In0.Vrw0-Z6hYa8unzgxOjYv4U59LqhwYuefsZ2N5GSfJG5dbOrR4Dnk2tA8MNvTonKt4ShAvrGyTBuqWlbpubArrQ" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
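Review bot: The `-- private_key = "-----BEGIN RSA PRIVATE KEY-----…"` line left where `auth_conf` used to be is dead text: the token below is now a fixed literal, so what a maintainer needs is how to reproduce it, not a 700-character commented-out key. Replace it with a one-line note naming the key pair and the claims, e.g. `-- RS256 token for consumer user-key-rs256, claims {"nbf":1727274983,"key":"user-key-rs256"}; re-sign with that consumer's key pair if the fixture changes`. The same leftover appears in the hunks at `@@ -193,21 +182,10 @@` and `@@ -226,22 +204,11 @@` in this file and at `@@ -538,21 +527,10 @@`, `@@ -637,21 +615,10 @@`, `@@ -672,22 +639,11 @@`, `@@ -769,21 +725,10 @@`, `@@ -802,22 +747,11 @@` and `@@ -1232,21 +1143,10 @@` in t/plugin/jwt-auth.t. This token's header segment also appears to decode to an `x5c` array carrying the PEM public key, unlike the plain `{"alg":"RS256","typ":"JWT"}` headers used in t/plugin/jwt-auth.t; if the verifier is meant to ignore header-supplied keys, a comment saying so here would stop someone later treating that `x5c` entry as authoritative. The `=== TEST` header of this block lies outside the hunk.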
@@ -193,21 +182,10 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + + local sign = "eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRREd4T2ZWZS9zZVA1VC9WOHBrUzVZTkFQUkNcbjNGZnh4ZWRpN3YwcHlaaC80ZDRwOVF4MFA5d09tQUx3bE9xNEZ0Z2tzMzExcHhHMHpMMExjVEpZNGlrYmMzcjBcbmg4U00weWhqOVVWMVZHdHVpYTRZYWtvYnZwTTlVK2txM2x5SU1POVpQUmV6MGNQM0FKSVlDdDV5ZjhFN2JOWUpcbmpiSk5qbDhXeHZNMXRESHFWUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIl0sImFsZyI6IlJTMjU2IiwidHlwIjoiSldUIn0.eyJuYmYiOjE3MjcyNzQ5ODMsImtleSI6InVzZXIta2V5LXJzMjU2In0.gIXtrAzmKBZ1ekySR9loFXWyed9up4xy0k51ZWjG3JFet_sOyKGnika9X2c91yAn7n_K1x7DJR_WgAbR8D_knm9J3CoAvZzy2ODfqLrPZWSqXuQH8qxPeqrlHQPQdEUN7EBRm23gg3pFg7gmHeKNJQUjUNhQFzfNXZfJgYo1bM8" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
@@ -226,22 +204,11 @@ JWT token invalid: invalid jwt string location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" - } - local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") -- {"aaa":"11","bb":"222"} - local sign = gen_token(auth_conf, payload) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + -- payload = {"aaa":"11","bb":"222"} + + local sign = "eyJ4NWMiOlsiLS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS1cbk1JR2ZNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0R05BRENCaVFLQmdRREd4T2ZWZS9zZVA1VC9WOHBrUzVZTkFQUkNcbjNGZnh4ZWRpN3YwcHlaaC80ZDRwOVF4MFA5d09tQUx3bE9xNEZ0Z2tzMzExcHhHMHpMMExjVEpZNGlrYmMzcjBcbmg4U00weWhqOVVWMVZHdHVpYTRZYWtvYnZwTTlVK2txM2x5SU1POVpQUmV6MGNQM0FKSVlDdDV5ZjhFN2JOWUpcbmpiSk5qbDhXeHZNMXRESHFWUUlEQVFBQlxuLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tIl0sInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhYWEiOiIxMSIsImJiIjoiMjIyIiwibmJmIjoxNzI3Mjc0OTgzLCJrZXkiOiJ1c2VyLWtleS1yczI1NiJ9.MYxhZUK_vohfFJcqaZZtFXTXkNXPDnDPe6wfAv2ILAqZC4zbMWabpfa_CCXJXqhJXRlh4R1cy1GyfO_MC5MQPE6Gl7Ykb37sKoTUgUqtqirFjq4si8nJ49WXvbuaAVSxessfNanCA9oeV7CqRn75_vO8kliDNGiim8ZOjaOSFRg" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index b57a819d94b1..a7db4c972762 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t 
@@ -332,20 +332,9 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key", - secret = "fo4XKdZ1xSrIZyms4q2BwPrW5lMpls9qqy5tiAk2esc=", - base64_secret = true - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- sign is generated via https://jwt.io/#debugger-io. This is the case for all other test cases and is not specified further + local sign = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsIm5iZiI6MTcyNzI3NDk4M30._Z8b_Asb2ROvGX4R5sNMbgJNQXB6x7aQeuVjmjY21Nw" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
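Review bot: The comment `-- sign is generated via https://jwt.io/#debugger-io. This is the case for all other test cases and is not specified further` is buried inside one test case, where nobody editing a later case will see it, and it does not record the inputs the token was built from. Move the provenance note to the file header and give each token its claims, e.g. `-- HS256 for the base64_secret consumer user-key, claims {"key":"user-key","nbf":1727274983}` so it can be regenerated when the consumer fixture changes. These literals carry `nbf` but no `exp`, so they never expire; that is presumably intended for fixtures but is worth stating in the same note. The `=== TEST` header of this block is outside the hunk.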
@@ -538,21 +527,10 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr\n7noq/0ukiZqVQLSJPMOv0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQ==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" + + local sign = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.FaV6N-bWaSXkRrF2ec28hH5QENl-8I0LCONdNnQpB1YOb4akP-lKnwtABgfsQ_eKaEIf1PWNoghyByLejXaPbQ" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
@@ -637,21 +615,10 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + + local sign = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.FG-PAyscR-pFyw1a5ZiRxHLxzSI1jyVyZxm-fj3-u5igjacJY7UByCUKDnieV9-Ft81X15gdHAcrumUsTbu-77F50Bp5A1sxzdL_PXVLJ1cc8UP2ltvQwf1YWdutK7CI_uNLaeCYPZd9tWPhnfpsv4AdTdaCWeFyoaZSNOdw4oA" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
@@ -672,22 +639,11 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGxOfVe/seP5T/V8pkS5YNAPRC\n3Ffxxedi7v0pyZh/4d4p9Qx0P9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0\nh8SM0yhj9UV1VGtuia4YakobvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJ\njbJNjl8WxvM1tDHqVQIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" - } - local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") - local sign = gen_token(auth_conf, payload) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE 
KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" + -- payload = {"aaa":"11","bb":"222"} + + local sign = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.FG-PAyscR-pFyw1a5ZiRxHLxzSI1jyVyZxm-fj3-u5igjacJY7UByCUKDnieV9-Ft81X15gdHAcrumUsTbu-77F50Bp5A1sxzdL_PXVLJ1cc8UP2ltvQwf1YWdutK7CI_uNLaeCYPZd9tWPhnfpsv4AdTdaCWeFyoaZSNOdw4oA" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
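Review bot: The token literal in this hunk is byte-identical to the one in the preceding hunk (`@@ -637,21 +615,10 @@`), and its payload segment `eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30` decodes to `{"key":"user-key-rs256","nbf":1727274983}`, so the `-- payload = {"aaa":"11","bb":"222"}` comment does not describe it and the custom-payload case now merely repeats the previous one. The same duplication occurs at `@@ -802,22 +747,11 @@`, whose token matches the one at `@@ -769,21 +725,10 @@`; by contrast the HS512 case at `@@ -1008,21 +930,10 @@` and the t/fips cases do carry `aaa`/`bb` in the payload. These two cases need tokens re-signed with the extra claims, or the misleading comment dropped and the case retitled; whatever the response-body assertion checks is outside the hunk.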
@@ -769,21 +725,10 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P
/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5A
vwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" + + local sign = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.Zvp8dXefvGXrKgeoaNsA3sbV_3fw1w6Te7a0B_UANzef7gGJwvlnD6c3-f4yAy7GPgNzP_H1-atcF-sgLHAYpUa14XKe22a9S_BJSoQszoZuqGgpnGcjSzDMK9JX3FLUtzOFMQR5C4_3d7_z0NlepNo2xdQ6IQj0SvS1jrNwydpA9L89N07id3EO739uNw339g78N9QHP-j8nWItfbjo31xefCWTHtcloGkfaJOhcr06qmSbrivBU1AuPA8T3ZVumqw6fcRJzrvQJdKEfVyP-IPUtUy8SM1yLqstaKojJtU3A2HKaeb4fycwHXxtl52xhzIshr_I3iUhX_ak-z7m0A" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
@@ -802,22 +747,11 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-rs256", - algorithm = "RS256", - public_key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv5LHjZ4FxQ9jk6eQGDRt\noRwFVkLq+dUBebs97hrzirokVr2B+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6\nnWSqTQpWbQ8c7CrF31EkIHUYRzZvWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqx\nnj9npDqKrMODOENy31SqZNerWZsdgGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4\nNaxnnzcvll4yqwrBELSeDZEAt0+e/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5Ex\ntLHXVzgx752PHMwmuj9mO1ko6p8FOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U\n8wIDAQAB\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZb
zZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" - } - local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") - local sign = gen_token(auth_conf, payload) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBia
oQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" + -- payload = {"aaa":"11","bb":"222"} + + local sign = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.Zvp8dXefvGXrKgeoaNsA3sbV_3fw1w6Te7a0B_UANzef7gGJwvlnD6c3-f4yAy7GPgNzP_H1-atcF-sgLHAYpUa14XKe22a9S_BJSoQszoZuqGgpnGcjSzDMK9JX3FLUtzOFMQR5C4_3d7_z0NlepNo2xdQ6IQj0SvS1jrNwydpA9L89N07id3EO739uNw339g78N9QHP-j8nWItfbjo31xefCWTHtcloGkfaJOhcr06qmSbrivBU1AuPA8T3ZVumqw6fcRJzrvQJdKEfVyP-IPUtUy8SM1yLqstaKojJtU3A2HKaeb4fycwHXxtl52xhzIshr_I3iUhX_ak-z7m0A" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) @@ -976,20 +910,8 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-HS512", - algorithm = "HS512", - secret = "my-secret-key" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + local sign = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1IUzUxMiIsIm5iZiI6MTcyNzI3NDk4M30.emzmjIbFqkRAr55YW5YobdXDxYWiMuUNLPooE5G_bbme1ul19p1dKW7ESrlqvr4BPJRKThm4PnkNC4h9xSJpBQ" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
@@ -1008,21 +930,10 @@ hello world location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-HS512", - algorithm = "HS512", - secret = "my-secret-key" - } - local payload = ngx.unescape_uri("%7B%22aaa%22%3A%2211%22%2C%22bb%22%3A%22222%22%7D") - local sign = gen_token(auth_conf, payload) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- payload = {"aaa":"11","bb":"222"} + + local sign = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhYWEiOiIxMSIsImJiIjoiMjIyIiwia2V5IjoidXNlci1rZXktSFM1MTIiLCJuYmYiOjE3MjcyNzQ5ODN9.s6E3-wNJypgJL71MxoyTTHBDeqdrGQddFjkhLlh3ZN6IZwgpFRlFT1_8suQg9dWUDHGQqgejULyLPhmBMIbw2A" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) 
@@ -1232,21 +1143,10 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - - local auth_conf = { - key = "user-key-es256", - algorithm = "ES256", - public_key = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEVs/o5+uQbTjL3chynL4wXgUg2R9\nq9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==\n-----END PUBLIC KEY-----", - private_key = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + -- private_key = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----" + + local sign = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1lczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.t-CZzJRSxIuVVjU3m8_zDtb7h9x2R2s3BJWmerh0hw-RMIklBqLJ3V9kYAWl7DIyXlp0jQCPDZ_M7mhr1Q3HPw" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) diff --git a/t/plugin/multi-auth.t b/t/plugin/multi-auth.t index 5b9ff409cc7a..2bb3babb8a26 100644 --- a/t/plugin/multi-auth.t +++ b/t/plugin/multi-auth.t 
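Review bot: The EC private key retained in a Lua comment (`-- private_key = "-----BEGIN PRIVATE KEY-----...`) will be reported by secret scanners such as gitleaks or forge push protection exactly as the live string it replaces was, and the same holds for the RSA keys commented out in the earlier jwt-auth.t hunks of this series. Since these are fixed test-only signing keys whose public halves are presumably registered on the test consumers, mark them as such so the finding can be triaged or allow-listed rather than investigated each time, e.g. a preceding line `-- test-only ES256 signing key for consumer user-key-es256; never reuse outside t/`. If the project already keeps a scanner allowlist, registering these fixtures there is preferable to inline suppression. The enclosing content_by_lua_block starts and ends outside the hunk.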
@@ -521,18 +521,8 @@ passed location /t { content_by_lua_block { local t = require("lib.test_admin").test - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - local auth_conf = { - key = "user-key", - secret = "my-secret-key" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end + local sign = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsIm5iZiI6MTcyNzI3NDk4M30.N6ebc4U5ms976pwKZ_iQ88w_uJKqUVNtTYZ_nXhRpWo" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) @@ -608,18 +598,7 @@ hello world end ngx.sleep(0.1) - local gen_token = require("lib.apisix.plugins.jwt-auth").gen_token - local auth_conf = { - key = "user-key", - secret = "my-secret-key" - } - local sign = gen_token(auth_conf) - if not sign then - ngx.status = 500 - ngx.say("failed to gen_token") - return - end - + local sign = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleSIsIm5iZiI6MTcyNzI3NDk4M30.N6ebc4U5ms976pwKZ_iQ88w_uJKqUVNtTYZ_nXhRpWo" local code, _, res = t('/hello?jwt=' .. sign, ngx.HTTP_GET ) From fa8bf8905298005eba61f1c54bb5560533b3ea71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Fri, 27 Sep 2024 10:27:51 +0800 Subject: [PATCH 27/29] add test cases to test jwt-auth schema --- t/plugin/jwt-auth.t | 56 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index a7db4c972762..c1311e1f550f 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t 
@@ -1159,3 +1159,59 @@ passed
 hello world
 --- skip_eval
 1: $ENV{OPENSSL_FIPS} eq 'yes'
+
+
+
+=== TEST 50: add consumer missing public_key (algorithm=RS256)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "kerouac",
+ "plugins": {
+ "jwt-auth": {
+ "key": "user-key-res256",
+ "algorithm": "RS256"
+ }
+ }
+ }]]
+ )
+
+ ngx.status = code
+ ngx.print(body)
+ }
+ }
+--- error_code: 400
+--- response_body
+{"error_msg":"invalid plugins configuration: failed to check the configuration of plugin jwt-auth err: failed to validate dependent schema for \"algorithm\": value should match only one schema, but matches none"}
+
+
+
+=== TEST 51: add consumer missing public_key (algorithm=RS256)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "kerouac",
+ "plugins": {
+ "jwt-auth": {
+ "key": "user-key-es256",
+ "algorithm": "ES256"
+ }
+ }
+ }]]
+ )
+
+ ngx.status = code
+ ngx.print(body)
+ }
+ }
+--- error_code: 400
+--- response_body
+{"error_msg":"invalid plugins configuration: failed to check the configuration of plugin jwt-auth err: failed to validate dependent schema for \"algorithm\": value should match only one schema, but matches none"}
From 3ad1c3af8f79b543309abbde70d56b599b5a84aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?=
Date: Fri, 27 Sep 2024 10:36:09 +0800
Subject: [PATCH 28/29] comment that why needs private_key in test cases
---
 t/plugin/jwt-auth.t | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t
index c1311e1f550f..78f513734768 100644
--- a/t/plugin/jwt-auth.t
+++ b/t/plugin/jwt-auth.t
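Review bot: The consumer key in TEST 50 is spelled `user-key-res256`, while the RS256 fixtures elsewhere in this file use `user-key-rs256` (the hard-coded token in the @@ -528 hunk of the following commit decodes to that key); because the request is expected to be rejected the typo is harmless today, but if the case is later turned into a positive one it will silently target a different consumer. Suggest `"key": "user-key-rs256",`. Both tests also PUT the same username `kerouac`, which only works while both remain 400 paths — a short comment such as `-- rejected by schema validation before storage, so the username may be reused` would make that dependency explicit.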
@@ -528,6 +528,7 @@ passed content_by_lua_block { local t = require("lib.test_admin").test + -- the jwt signature is encoded with this private_key -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIBOgIBAAJBAKebDxlvQMGyEesAL1r1nIJBkSdqu3Hr7noq/0ukiZqVQLSJPMOv\n0oxQSutvvK3hoibwGakDOza+xRITB7cs2cECAwEAAQJAYPWh6YvjwWobVYC45Hz7\n+pqlt1DWeVQMlN407HSWKjdH548ady46xiQuZ5Cfx3YyCcnsfVWaQNbC+jFbY4YL\nwQIhANfASwz8+2sKg1xtvzyaChX5S5XaQTB+azFImBJumixZAiEAxt93Td6JH1RF\nIeQmD/K+DClZMqSrliUzUqJnCPCzy6kCIAekDsRh/UF4ONjAJkKuLedDUfL3rNFb\n2M4BBSm58wnZAiEAwYLMOg8h6kQ7iMDRcI9I8diCHM8yz0SfbfbsvzxIFxECICXs\nYvIufaZvBa8f+E/9CANlVhm5wKAyM8N8GJsiCyEG\n-----END RSA PRIVATE KEY-----" local sign = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.FaV6N-bWaSXkRrF2ec28hH5QENl-8I0LCONdNnQpB1YOb4akP-lKnwtABgfsQ_eKaEIf1PWNoghyByLejXaPbQ" 
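Review bot: The added comment `-- the jwt signature is encoded with this private_key` misstates the operation: the signature is produced by signing the encoded header and payload with the private key, and it is the consumer's public_key that verifies it at request time; the same wording is repeated in the @@ -616, -640, -726, -748 and -1144 hunks of this commit and in the payload comment of the following commit. Suggest `-- token below was signed with this private_key; the consumer's public_key verifies it`, and for the payload variants `-- token below was signed over this payload; the claims must match for the test to pass`. The enclosing content_by_lua_block starts and ends outside the hunk.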
@@ -616,6 +617,7 @@ passed content_by_lua_block { local t = require("lib.test_admin").test + -- the jwt signature is encoded with this private_key -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" local sign = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.FG-PAyscR-pFyw1a5ZiRxHLxzSI1jyVyZxm-fj3-u5igjacJY7UByCUKDnieV9-Ft81X15gdHAcrumUsTbu-77F50Bp5A1sxzdL_PXVLJ1cc8UP2ltvQwf1YWdutK7CI_uNLaeCYPZd9tWPhnfpsv4AdTdaCWeFyoaZSNOdw4oA" 
@@ -640,6 +642,7 @@ hello world content_by_lua_block { local t = require("lib.test_admin").test + -- the jwt signature is encoded with this private_key and payload -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQDGxOfVe/seP5T/V8pkS5YNAPRC3Ffxxedi7v0pyZh/4d4p9Qx0\nP9wOmALwlOq4Ftgks311pxG0zL0LcTJY4ikbc3r0h8SM0yhj9UV1VGtuia4Yakob\nvpM9U+kq3lyIMO9ZPRez0cP3AJIYCt5yf8E7bNYJjbJNjl8WxvM1tDHqVQIDAQAB\nAoGAYFy9eAXvLC7u8QuClzT9vbgksvVXvWKQVqo+GbAeOoEpz3V5YDJFYN3ZLwFC\n+ZQ5nTFXNV6Veu13CMEMA4NBIa8I4r3aYzSjq7X7UEBkLDBtEUge52mYakNfXD8D\nqViHkyJqvtVnBl7jNZVqbBderQnXA0kigaeZPL3+hkYKBgECQQDmiDbUL3FBynLy\nNX6/JdAbO4g1Nl/1RsGg8svhb6vRM8WQyIQWt5EKi7yoP/9nIRXcIgdwpVO6wZRU\nDojL0oy1AkEA3LpjqXxIRzcy2ALsqKN3hoNPGAlkPyG3Mlph91mqSZ2jYpXCX9LW\nhhQdf9GmfO8jZtYhYAJqEMOJrKeZHToLIQJBAJbrJbnTNTn05ztZehh5ELxDRPBR\nIJDaOXi8emyjRsA2PGiEXLTih7l3sZIUE4fYSQ9L18MO+LmScSB2Q2fr9uECQFc7\nIh/dCgN7ARD1Nun+kEIMqrlpHMEGZgv0RDsoqG+naOaRINwVysn6MR5OkGlXaLo/\nbbkvuxMc88/T/GLciYECQQC4oUveCOic4Qs6TQfMUKKv/kJ09slbD70HkcBzA5nY\nyro4RT4z/SN6T3SD+TuWn2//I5QxiQEIbOCTySci7yuh\n-----END RSA PRIVATE KEY-----" -- payload = {"aaa":"11","bb":"222"} 
@@ -726,6 +729,7 @@ passed content_by_lua_block { local t = require("lib.test_admin").test + -- the jwt signature is encoded with this private_key -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" local sign = 
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1yczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.Zvp8dXefvGXrKgeoaNsA3sbV_3fw1w6Te7a0B_UANzef7gGJwvlnD6c3-f4yAy7GPgNzP_H1-atcF-sgLHAYpUa14XKe22a9S_BJSoQszoZuqGgpnGcjSzDMK9JX3FLUtzOFMQR5C4_3d7_z0NlepNo2xdQ6IQj0SvS1jrNwydpA9L89N07id3EO739uNw339g78N9QHP-j8nWItfbjo31xefCWTHtcloGkfaJOhcr06qmSbrivBU1AuPA8T3ZVumqw6fcRJzrvQJdKEfVyP-IPUtUy8SM1yLqstaKojJtU3A2HKaeb4fycwHXxtl52xhzIshr_I3iUhX_ak-z7m0A" 
@@ -748,6 +752,7 @@ hello world content_by_lua_block { local t = require("lib.test_admin").test + -- the jwt signature is encoded with this private_key and payload -- private_key = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAv5LHjZ4FxQ9jk6eQGDRtoRwFVkLq+dUBebs97hrzirokVr2B\n+RoxqdLfKAM+AsN2DadawZ2GqlCV9DL0/gz6nWSqTQpWbQ8c7CrF31EkIHUYRzZv\nWy17K3WC9Odk/gM1FVd0HbZ2Rjuqj9ADeeqxnj9npDqKrMODOENy31SqZNerWZsd\ngGkML5JYbX5hbI2L9LREvRU21fDgSfGL6Mw4Naxnnzcvll4yqwrBELSeDZEAt0+e\n/p1dO7moxF+b1pFkh9vQl6zGvnvf8fOqn5ExtLHXVzgx752PHMwmuj9mO1ko6p8F\nOM0JHDnooI+5rwK4j3I27Ho5nnatVWUaxK4U8wIDAQABAoIBAFsFQC73H8KrNyKW\ngI4fit77U0XS8ZXWMKdH4XrZ71DAdDeKPtC+M05+1GxMbhAeEl8WXraTQ8J0G2s1\nMtXqEMDrbUbBXKLghVtoTy91e/a369sZ7/qgN19Eq/30WzWdDIGhVZgwcy2Xd8hw\nitZIPi/z7ChJcE35bsUytseJkJPsWeMJNq4mLbHqMSBQWze/vNvIeGYr2xfqXc6H\nywGWGlk46RI28mOf7PecU0DxFoTBNcntZrpOwaIrTDsC7E6uNvhVbtsneseTlQuj\nihS7DAH72Zx3CXc9+SL3b5QNRD1Rnp+gKM6itjW1yduOj2dS0p8YzcUYNtxnw5Gv\nuLoHwuECgYEA58NhvnHn10YLBEMYxb30tDobdGfOjBSfih8K53+/SJhqF5mv4qZX\nUfw3o5R+CkkrhbZ24yst7wqKFYZ+LfazOqljOPOrBsgIIry/sXBlcbGLCw9MYFfB\nejKTt/xZjqLdDCcEbiSB0L2xNuyF/TZOu8V5Nu55LXKBqeW4yISQ5FkCgYEA05t1\n2cq8gE1jMfGXQNFIpUDG2j4wJXAPqnJZSUF/BICa55mH/HYRKoP2uTSvAnqNrdGt\nsnjnnMA7T+fGogB4STif1POWfj+BTKVa/qhUX9ytH6TeI4aqPXSZdTVEPRfR7bG1\nIB/j2lyPkiNi2VijMx33xqxIaQUUsvxIT95GSisCgYAdaJFylQmSK3UiaVEvZlcy\nt1zcfH+dDtDfueisT216TLzJmdrTq7/Qy2xT+Xe03mwDX4/ea5A8kN3MtXA1bOR5\nQR0yENlW1vMRVVoNrfFxZ9H46UwLvZbzZo+P/RlwHAJolFrfjwpZ7ngaPBEUfFup\nP/mNmt0Ng0YoxNmZuBiaoQKBgQCa2d4RRgpRvdAEYW41UbHetJuQZAfprarZKZrr\nP9HKoq45I6Je/qurOCzZ9ZLItpRtic6Zl16u2AHPhKZYMQ3VT2mvdZ5AvwpI44zG\nZLpx+FR8nrKsvsRf+q6+Ff/c0Uyfq/cHDi84wZmS8PBKa1Hqe1ix+6t1pvEx1eq4\n/8jiRwKBgGOZzt5H5P0v3cFG9EUPXtvf2k81GmZjlDWu1gu5yWSYpqCfYr/K/1Md\ndaQ/YCKTc12SYL7hZ2j+2/dGFXNXwknIyKNj76UxjUpJywWI5mUaXJZJDkLCRvxF\nkk9nWvPorpjjjxaIVN+TkGgDd/60at/tI6HxzZitVyla5rB8hoPm\n-----END RSA PRIVATE KEY-----" -- payload = {"aaa":"11","bb":"222"} 
@@ -1144,6 +1149,7 @@ passed content_by_lua_block { local t = require("lib.test_admin").test + -- the jwt signature is encoded with this private_key -- private_key = "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2\nOF/2NxApJCzGCEDdfSp6VQO30hyhRANCAAQRWz+jn65BtOMvdyHKcvjBeBSDZH2r\n1RTwjmYSi9R/zpBnuQ4EiMnCqfMPWiZqB4QdbAd0E7oH50VpuZ1P087G\n-----END PRIVATE KEY-----" local sign = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJrZXkiOiJ1c2VyLWtleS1lczI1NiIsIm5iZiI6MTcyNzI3NDk4M30.t-CZzJRSxIuVVjU3m8_zDtb7h9x2R2s3BJWmerh0hw-RMIklBqLJ3V9kYAWl7DIyXlp0jQCPDZ_M7mhr1Q3HPw" From ee706a12395e24c8bd6c935c20947796456dff8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=82=9F=E7=A9=BA?= Date: Fri, 27 Sep 2024 10:50:24 +0800 Subject: [PATCH 29/29] comment that why needs payload in test cases --- t/plugin/jwt-auth.t | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/t/plugin/jwt-auth.t b/t/plugin/jwt-auth.t index 78f513734768..1c28123e3b7b 100644 --- a/t/plugin/jwt-auth.t +++ b/t/plugin/jwt-auth.t @@ -936,6 +936,7 @@ hello world content_by_lua_block { local t = require("lib.test_admin").test + -- the jwt signature is encoded with this payload -- payload = {"aaa":"11","bb":"222"} local sign = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhYWEiOiIxMSIsImJiIjoiMjIyIiwia2V5IjoidXNlci1rZXktSFM1MTIiLCJuYmYiOjE3MjcyNzQ5ODN9.s6E3-wNJypgJL71MxoyTTHBDeqdrGQddFjkhLlh3ZN6IZwgpFRlFT1_8suQg9dWUDHGQqgejULyLPhmBMIbw2A" @@ -1196,7 +1197,7 @@ hello world -=== TEST 51: add consumer missing public_key (algorithm=RS256) +=== TEST 51: add consumer missing public_key (algorithm=ES256) --- config location /t { content_by_lua_block {