feat(vault): vault lua module, integration with jwt-auth authentication plugin #5745

Merged
merged 28 commits into from
Dec 15, 2021
Merged
Changes from 16 commits
28 commits
b2788ff
vault-auth init
bisakhmondal Dec 3, 2021
a88c615
vault storage kv engine integration
bisakhmondal Dec 6, 2021
17b3c23
not required file
bisakhmondal Dec 6, 2021
7605c38
integrating vault storage backend with jwt-auth authentication plugin
bisakhmondal Dec 8, 2021
ae240ed
Merge branch 'master' into vault-jwt
bisakhmondal Dec 9, 2021
876cce3
Merge branch 'master' into vault-jwt
bisakhmondal Dec 9, 2021
c3a7d4a
openssl rsa-2048 pem public private keypairs
bisakhmondal Dec 9, 2021
ed628b2
vault integration tests with corner cases
bisakhmondal Dec 9, 2021
9ec682a
minor updates
bisakhmondal Dec 9, 2021
36f0141
adding real vault server into CIs
bisakhmondal Dec 9, 2021
c3aaf8f
lint fix
bisakhmondal Dec 9, 2021
80358b9
suggestions
bisakhmondal Dec 9, 2021
e4d10da
now get doesnot returns vault data
bisakhmondal Dec 9, 2021
f927fb9
update exposed port address
bisakhmondal Dec 9, 2021
ee251aa
documentation
bisakhmondal Dec 9, 2021
6158837
blank commit
bisakhmondal Dec 9, 2021
f9cdc4e
remove custom path support from mvp
bisakhmondal Dec 10, 2021
6729106
trimming down validation and key generation if vault config is enabled
bisakhmondal Dec 10, 2021
83b3fe0
remove redundant codes
bisakhmondal Dec 10, 2021
58292d2
Ci fix
bisakhmondal Dec 10, 2021
55c105d
changing vault kv suffix to /consumer/<username>/jwt-auth
bisakhmondal Dec 10, 2021
1f2ff22
update tests and modify the way http status code were sent
bisakhmondal Dec 10, 2021
cac28d1
fix doc broken link
bisakhmondal Dec 10, 2021
f78cf89
comment out vault config in yaml and update tests accordingly
bisakhmondal Dec 12, 2021
6a28225
Merge branch 'master' into vault-jwt
bisakhmondal Dec 13, 2021
2d44654
change yaml_config to extra_yaml_config
bisakhmondal Dec 13, 2021
66ee305
single extra yaml config
bisakhmondal Dec 13, 2021
a56ed8e
suggestion
bisakhmondal Dec 14, 2021
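--- a/apisix/core/vault.lua
+++ b/apisix/core/vault.lua
@@ -0,0 +1,116 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("cjson")
+
+local fetch_local_conf = require("apisix.core.config_local").local_conf
+local norm_path = require("pl.path").normpath
+
+local _M = {}
+
+local function fetch_vault_conf()
+local conf, err = fetch_local_conf()
+if not conf then
+return nil, "failed to fetch vault configuration from config yaml: " .. err
+end
+
+if not conf.vault then
+return nil, "accessing vault data requires configuration information"
+end
+return conf.vault
+end
+
+
+local function make_request_to_vault(method, key, rel_path, data)
+local vault, err = fetch_vault_conf()
+if not vault then
+return nil, err
+end
+
+local httpc = http.new()
+-- config timeout or default to 5000 ms
+httpc:set_timeout((vault.timeout or 5)*1000)
+
+local req_addr = vault.host
+if rel_path then
+req_addr = req_addr .. norm_path("/v1/"
+.. vault.prefix .. "/" .. key)
+else
+req_addr = req_addr .. norm_path("/v1/" .. key)
+end
+
+local res, err = httpc:request_uri(req_addr, {
+method = method,
+headers = {
+["X-Vault-Token"] = vault.token
+},
+body = core.json.encode(data or {}, true)
+})
+if not res then
+return nil, err
+end
+
+return res.body
+end
+
+-- key is the vault kv engine path, joined with config yaml vault prefix
+local function get(key, rel_path)
+core.log.info("fetching data from vault for key: ", key)
+
+local res, err = make_request_to_vault("GET", key, rel_path)
+if not res or err then
+return nil, "failed to retrtive data from vault kv engine " .. err
+end
+
+return json.decode(res)
+end
+
+_M.get = get
+
+-- key is the vault kv engine path, data is json key vaule pair
+local function set(key, data, rel_path)
+core.log.info("stroing data into vault for key: ", key,
+"and value: ", core.json.delay_encode(data, true))
+
+local res, err = make_request_to_vault("POST", key, rel_path, data)
+if not res or err then
+return nil, "failed to store data into vault kv engine " .. err
+end
+
+return true
+end
+_M.set = set
+
+
+-- key is the vault kv engine path, joined with config yaml vault prefix
+local function delete(key, rel_path)
+core.log.info("deleting data from vault for key: ", key)
+
+local res, err = make_request_to_vault("DELETE", key, rel_path)
+
+if not res or err then
+return nil, "failed to delete data into vault kv engine " .. err
+end
+
+return true
+end
+
+_M.delete = delete
+
+return _M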
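Review bot: `make_request_to_vault` returns `res.body` without ever looking at `res.status`, so a 403 from a wrong or expired `X-Vault-Token`, a 404 and a 5xx all come back as a successful body; `get` then decodes Vault's `{"errors":[...]}` document, the callers see no `data` field and treat it as "nothing stored yet", and `set` reports `true` even when the write was rejected. Check the status before returning: map 404 to an empty document (callers already accept a missing key) and turn any other non-2xx into `nil, err` carrying the status and body, as sketched below. Separately, `set` logs the full `data` payload at info level, which writes the generated HS secret or the RSA private key into the nginx error log; log only the key, `core.log.info("storing data into vault for key: ", key)`. If `vault.host` is an https URL, `request_uri` is also called without an explicit `ssl_verify`; confirm the resty.http version in use verifies the server certificate by default, otherwise pass `ssl_verify = true`.

```lua
    local res, err = httpc:request_uri(req_addr, {
    -- … unchanged: method, headers, body …
    })
    if not res then
        return nil, err
    end

    -- Vault reports denied tokens (403), unknown paths (404) and server
    -- errors in a JSON body; only a 2xx body is data. A 404 means nothing
    -- is stored at this path, which callers already treat as an empty document.
    if res.status == 404 then
        return "{}"
    end
    if res.status < 200 or res.status >= 300 then
        return nil, "vault returned status " .. res.status .. ": " .. (res.body or "")
    end

    return res.body
```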
185 changes: 161 additions & 24 deletions apisix/plugins/jwt-auth.lua
Expand Up @@ -19,6 +19,7 @@ local jwt = require("resty.jwt")
local ck = require("resty.cookie")
local consumer_mod = require("apisix.consumer")
local resty_random = require("resty.random")
local vault = require("apisix.core.vault")

local ngx_encode_base64 = ngx.encode_base64
local ngx_decode_base64 = ngx.decode_base64
Expand Down Expand Up @@ -54,6 +55,13 @@ local consumer_schema = {
base64_secret = {
type = "boolean",
default = false
},
vault = {
type = "object",
properties = {
path = {type = "string"},
add_prefix = {type = "boolean"}
}
}
},
dependencies = {
Expand All @@ -76,7 +84,23 @@ local consumer_schema = {
},
},
required = {"public_key", "private_key"},
}
},
{
properties = {
vault = {
type = "object",
properties = {
path = {type = "string"},
add_prefix = {type = "boolean"}
}
},
algorithm = {
enum = {"RS256"},
},
},
required = {"vault"},
},

}
}
},
Expand Down Expand Up @@ -119,29 +143,74 @@ function _M.check_schema(conf, schema_type)
if schema_type == core.schema.TYPE_CONSUMER then
ok, err = core.schema.check(consumer_schema, conf)
else
ok, err = core.schema.check(schema, conf)
return core.schema.check(schema, conf)
end

if not ok then
return false, err
end

if schema_type == core.schema.TYPE_CONSUMER then
if conf.algorithm ~= "RS256" and not conf.secret then
conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
-- in nginx init_worker_by_lua context API calls are disabled,
-- also that is a costly operation during system startup.
if ngx.get_phase() == "init_worker" then
return true
end

local vout = {}
if conf.vault then
-- create vault path, if not set by admin.
if not conf.vault.path then
conf.vault.path = "jwt-auth/key/" .. conf.key
conf.vault.add_prefix = true
end

-- fetch the data to check if the keys are stored into vault
local res, err = vault.get(conf.vault.path, conf.vault.add_prefix)
if not res or err then
core.log.error("failed to fetch data from vault: ", err)
return false, "error while fetching data from vault, " ..
"please check the connection or remove vault config"
end
-- if there is no data on that path, that's absolutely fine.
vout = res.data or {}
end

if conf.algorithm ~= "RS256" then
local secret = conf.secret or vout.secret
-- if no secret is provided, generate one.
if not secret then
secret = ngx_encode_base64(resty_random.bytes(32, true))

-- if vault config is enabled, lifecycle of the
-- HS256/HS512 secret will be externally managed by vault.
if conf.vault then
local res, err = vault.set(conf.vault.path, {
secret = secret,
}, conf.vault.add_prefix)
if not res or err then
core.log.error("failed to put data into vault: ", err)
return false, "error communicating with vault server"
end
conf.secret = "<vault: " .. conf.vault.path .. ">"
else
conf.secret = secret
end

elseif conf.base64_secret then
if ngx_decode_base64(conf.secret) == nil then
if ngx_decode_base64(secret) == nil then
return false, "base64_secret required but the secret is not in base64 format"
end
end
end

if conf.algorithm == "RS256" then
if not conf.public_key then
return false, "missing valid public key"
end
if not conf.private_key then
return false, "missing valid private key"
end
if conf.algorithm == "RS256" then
-- check from consumer config and vault data store. Possible options are
-- a) both are in vault, b) both in schema, c) one in schema, another in vault.
if not conf.public_key and not vout.public_key then
return false, "missing valid public key"
end
if not conf.private_key and not vout.private_key then
return false, "missing valid private key"
end
end

Expand Down Expand Up @@ -176,11 +245,56 @@ end


local function get_secret(conf)
local secret = conf.secret
if conf.vault then
local res, err = vault.get(conf.vault.path, conf.vault.add_prefix)
if not res or err then
return nil, err
end

if not res.data and not res.data.secret then
return nil, "secret could not found in vault: " .. core.json.encode(res)
end
secret = res.data.secret
end

if conf.base64_secret then
return ngx_decode_base64(conf.secret)
return ngx_decode_base64(secret)
end

return conf.secret
return secret
end


local function get_rsa_keypair(conf)
local public_key = conf.public_key
local private_key = conf.private_key
-- if keys are present in conf, no need to query vault (fallback)
if public_key and private_key then
return public_key, private_key
end

local vout = {}
if conf.vault then
local res, err = vault.get(conf.vault.path, conf.vault.add_prefix)
if not res or err then
return nil, nil, err
end

if not res.data then
return nil, nil, "keypairs could not found in vault: " .. core.json.encode(res)
end
vout = res.data
end

if not public_key and not vout.public_key then
return nil, nil, "missing public key, not found in config/vault"
end
if not private_key and not vout.private_key then
return nil, nil, "missing private key, not found in config/vault"
end

return public_key or vout.public_key, private_key or vout.private_key
end


Expand All @@ -198,7 +312,11 @@ end


local function sign_jwt_with_HS(key, auth_conf, payload)
local auth_secret = get_secret(auth_conf)
local auth_secret, err = get_secret(auth_conf)
if not auth_secret then
core.log.error("failed to sign jwt, err: ", err)
core.response.exit(503, "failed to sign jwt")
end
local ok, jwt_token = pcall(jwt.sign, _M,
auth_secret,
{
Expand All @@ -218,14 +336,20 @@ end


local function sign_jwt_with_RS256(key, auth_conf, payload)
local public_key, private_key, err = get_rsa_keypair(auth_conf)
if not public_key then
core.log.error("failed to sign jwt, err: ", err)
core.response.exit(503, "failed to sign jwt")
end

local ok, jwt_token = pcall(jwt.sign, _M,
auth_conf.private_key,
private_key,
{
header = {
typ = "JWT",
alg = auth_conf.algorithm,
x5c = {
auth_conf.public_key,
public_key,
}
},
payload = get_real_payload(key, auth_conf, payload)
Expand All @@ -238,13 +362,22 @@ local function sign_jwt_with_RS256(key, auth_conf, payload)
return jwt_token
end


local function algorithm_handler(consumer)
-- introducing method_only flag (returns respective signing method) to save http API calls.
local function algorithm_handler(consumer, method_only)
if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256"
or consumer.auth_conf.algorithm == "HS512" then
return sign_jwt_with_HS, get_secret(consumer.auth_conf)
if method_only then
return sign_jwt_with_HS
end

return get_secret(consumer.auth_conf)
elseif consumer.auth_conf.algorithm == "RS256" then
return sign_jwt_with_RS256, consumer.auth_conf.public_key
if method_only then
return sign_jwt_with_RS256
end

local public_key, _, err = get_rsa_keypair(consumer.auth_conf)
return public_key, err
end
end

Expand Down Expand Up @@ -284,7 +417,11 @@ function _M.rewrite(conf, ctx)
end
core.log.info("consumer: ", core.json.delay_encode(consumer))

local _, auth_secret = algorithm_handler(consumer)
local auth_secret, err = algorithm_handler(consumer)
if not auth_secret then
core.log.error("failed to retrive secrets, err: ", err)
return 503, {message = "failed to verify jwt"}
end
jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj)
core.log.info("jwt object: ", core.json.delay_encode(jwt_obj))

Expand Down Expand Up @@ -325,7 +462,7 @@ local function gen_token()

core.log.info("consumer: ", core.json.delay_encode(consumer))

local sign_handler, _ = algorithm_handler(consumer)
local sign_handler = algorithm_handler(consumer, true)
local jwt_token = sign_handler(key, consumer.auth_conf, payload)
if jwt_token then
return core.response.exit(200, jwt_token)
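Review bot: In `get_secret` the guard `if not res.data and not res.data.secret then` is wrong in both directions: when `data` is absent the second operand indexes `nil` and raises, and when `data` is present without a `secret` the condition is false and the function falls through with a `nil` secret; the test must be `if not res.data or not res.data.secret then`. `get_rsa_keypair` just below gets the equivalent check right and could serve as the model. On a related point, `check_schema` stores the literal string `"<vault: " .. conf.vault.path .. ">"` in `conf.secret` once the generated secret has been pushed to Vault; inferring from the visible flow, if an admin later drops the `vault` block from that consumer, `get_secret` would hand back that predictable placeholder as the HS256/HS512 signing key, so either reject a `secret` that begins with `<vault:` in the non-vault path or leave `conf.secret` unset. Also note that the early `return true` when `ngx.get_phase() == "init_worker"` now skips the RS256 key-presence and base64 checks that the removed code still ran in that phase, which is presumably acceptable only because the admin API validates on write; a comment saying so would help the next reader.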