Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/05/22 14:59:09 UTC
[GitHub] [apisix-ingress-controller] Fatpa opened a new pull request, #1035: feat: add hmac-auth authorization method
Fatpa opened a new pull request, #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035
<!-- Please answer these questions before submitting a pull request -->
### Type of change:
<!-- Please delete options that are not relevant. -->
- [ ] Bugfix
- [x] New feature provided
- [ ] Improve performance
- [ ] Backport patches
### What this PR does / why we need it:
<!--- Why is this change required? What problem does it solve? -->
<!--- If it fixes an open issue, please link to the issue here. -->
[#990](https://github.com/apache/apisix-ingress-controller/issues/990)
### Pre-submission checklist:
<!--
Please follow the requirements:
1. Use Draft if the PR is not ready to be reviewed
2. Test is required for the feat/fix PR, unless you have a good reason
3. Doc is required for the feat PR
4. Use a new commit to resolve review instead of `push -f`
5. Use "request review" to notify the reviewer once you have resolved the review
-->
* [ ] Did you explain what problem does this PR solve? Or what new features have been added?
* [x] Have you added corresponding test cases?
* [ ] Have you modified the corresponding document?
* [ ] Is this PR backward compatible? **If it is not backward compatible, please discuss on the [mailing list](https://github.com/apache/apisix-ingress-controller#community) first**
[GitHub] [apisix-ingress-controller] tao12345666333 commented on a diff in pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on code in PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#discussion_r882374057
##########
test/e2e/suite-features/consumer.go:
##########
@@ -636,6 +636,208 @@ spec:
assert.Contains(ginkgo.GinkgoT(), msg401, "Missing rbac token in request")
})
+ ginkgo.It("ApisixRoute with hmacAuth consumer", func() {
+ ac := `
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixConsumer
+metadata:
+ name: hmacvalue
+spec:
+ authParameter:
+ hmacAuth:
+ value:
+ access_key: papa
+ secret_key: fatpa
+ algorithm: "hmac-sha256"
+ clock_skew: 0
+`
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ac), "creating hmacAuth ApisixConsumer")
+
+ // Wait until the ApisixConsumer create event was delivered.
+ time.Sleep(6 * time.Second)
+
+ grs, err := s.ListApisixConsumers()
+ assert.Nil(ginkgo.GinkgoT(), err, "listing consumer")
+ assert.Len(ginkgo.GinkgoT(), grs, 1)
+ assert.Len(ginkgo.GinkgoT(), grs[0].Plugins, 1)
+ hmacAuth, _ := grs[0].Plugins["hmac-auth"].(map[string]interface{})
+ assert.Equal(ginkgo.GinkgoT(), "papa", hmacAuth["access_key"])
+ assert.Equal(ginkgo.GinkgoT(), "fatpa", hmacAuth["secret_key"])
+ assert.Equal(ginkgo.GinkgoT(), "hmac-sha256", hmacAuth["algorithm"])
+ assert.Equal(ginkgo.GinkgoT(), float64(0), hmacAuth["clock_skew"])
+
+ backendSvc, backendPorts := s.DefaultHTTPBackend()
+ ar := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+ match:
+ hosts:
+ - httpbin.org
+ paths:
+ - /ip
+ exprs:
+ - subject:
+ scope: Header
+ name: X-Foo
+ op: Equal
+ value: bar
+ backends:
+ - serviceName: %s
+ servicePort: %d
+ authentication:
+ enable: true
+ type: hmacAuth
+`, backendSvc, backendPorts[0])
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ar), "creating ApisixRoute with hmacAuth")
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixRoutesCreated(1), "Checking number of routes")
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixUpstreamsCreated(1), "Checking number of upstreams")
+
+ _ = s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "bar").
+ WithHeader("X-HMAC-SIGNATURE", "l3Uka7E1kxPA/owQ2+OqJUmflRppjD5q8xPcWbyKKrg=").
+ WithHeader("X-HMAC-ACCESS-KEY", "papa").
+ WithHeader("X-HMAC-ALGORITHM", "hmac-sha256").
+ WithHeader("X-HMAC-SIGNED-HEADERS", "User-Agent;X-Foo").
+ WithHeader("User-Agent", "curl/7.29.0").
+ Expect().
+ Status(http.StatusOK)
+
+ msg := s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "bar").
+ Expect().
+ Status(http.StatusUnauthorized).
+ Body().
+ Raw()
+ assert.Contains(ginkgo.GinkgoT(), msg, "access key or signature missing")
+
+ msg = s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "baz").
+ WithHeader("X-HMAC-SIGNATURE", "MhGJMkEYFD+98qtvoDPlvCGIUSmmUaw0In/D0vt2Z4E=").
+ WithHeader("X-HMAC-ACCESS-KEY", "papa").
+ WithHeader("X-HMAC-ALGORITHM", "hmac-sha256").
+ WithHeader("X-HMAC-SIGNED-HEADERS", "User-Agent;X-Foo").
+ WithHeader("User-Agent", "curl/7.29.0").
+ Expect().
+ Status(http.StatusNotFound).
+ Body().
+ Raw()
+ assert.Contains(ginkgo.GinkgoT(), msg, "404 Route Not Found")
+ })
+
+ ginkgo.It("ApisixRoute with hmacAuth consumer using secret", func() {
+ secret := `
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hmac
+data:
+ access_key: cGFwYQ==
+ secret_key: ZmF0cGE=
+ algorithm: aG1hYy1zaGEyNTY=
+ clock_skew: MA==
+`
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(secret), "creating hmac secret for ApisixConsumer")
+
+ ac := `
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixConsumer
+metadata:
+ name: hmacvalue
+spec:
+ authParameter:
+ hmacAuth:
+ secretRef:
+ name: hmac
+`
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ac), "creating hmacAuth ApisixConsumer")
+
+ // Wait until the ApisixConsumer create event was delivered.
+ time.Sleep(6 * time.Second)
+
+ grs, err := s.ListApisixConsumers()
+ assert.Nil(ginkgo.GinkgoT(), err, "listing consumer")
+ assert.Len(ginkgo.GinkgoT(), grs, 1)
+ assert.Len(ginkgo.GinkgoT(), grs[0].Plugins, 1)
+ hmacAuth, _ := grs[0].Plugins["hmac-auth"].(map[string]interface{})
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["access_key"], "papa")
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["secret_key"], "fatpa")
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["algorithm"], "hmac-sha256")
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["clock_skew"], float64(0))
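Review bot: The first `It` block never sends a request whose signature is wrong: its three requests cover a valid signature (200), no HMAC headers at all (401), and an `X-Foo: baz` request that fails route matching (404), so authentication is not what decides that last case. As written, the suite would still pass if the gateway accepted any `X-HMAC-SIGNATURE` for a known access key, which leaves the rejection path of the signature check unpinned. Add a request that matches the route (`X-Foo: bar`) but carries a signature that does not verify, and expect `http.StatusUnauthorized`. The same gap is in the other quoted revisions of this hunk (`@@ -636,6 +636,212 @@`); the quote here is cut at the review comment, so the second `It` block is only partly visible.

```go
// … unchanged: valid-signature, missing-header and X-Foo mismatch requests …

// Constructed value: a well-formed base64 string that is not a valid
// signature for these headers under the consumer's secret_key.
_ = s.NewAPISIXClient().GET("/ip").
	WithHeader("Host", "httpbin.org").
	WithHeader("X-Foo", "bar").
	WithHeader("X-HMAC-SIGNATURE", "aW52YWxpZC1zaWduYXR1cmU=").
	WithHeader("X-HMAC-ACCESS-KEY", "papa").
	WithHeader("X-HMAC-ALGORITHM", "hmac-sha256").
	WithHeader("X-HMAC-SIGNED-HEADERS", "User-Agent;X-Foo").
	WithHeader("User-Agent", "curl/7.29.0").
	Expect().
	Status(http.StatusUnauthorized)
```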
Review Comment:
the order
[GitHub] [apisix-ingress-controller] tao12345666333 commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1136683395
approved. thanks
[GitHub] [apisix-ingress-controller] Fatpa commented on a diff in pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
Fatpa commented on code in PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#discussion_r882258246
##########
pkg/kube/translation/plugin_test.go:
##########
@@ -914,25 +914,111 @@ func TestTranslateConsumerWolfRBACWithSecretRef(t *testing.T) {
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
delete(sec.Data, "appid")
_, err = client.CoreV1().Secrets("default").Update(context.Background(), sec, metav1.UpdateOptions{})
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
delete(sec.Data, "header_prefix")
_, err = client.CoreV1().Secrets("default").Update(context.Background(), sec, metav1.UpdateOptions{})
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
close(processCh)
close(stopCh)
}
+
+func TestTranslateConsumerHMACAuthPluginWithInPlaceValue(t *testing.T) {
+ hmacAuth := &configv2beta3.ApisixConsumerHMACAuth{
+ Value: &configv2beta3.ApisixConsumerHMACAuthValue{
+ AccessKey: "foo",
+ SecretKey: "foo-secret",
+ ClockSkew: 0,
+ SignedHeaders: []string{"User-Agent"},
+ },
+ }
+ cfg, err := (&translator{}).translateConsumerHMACAuthPluginV2beta3("default", hmacAuth)
+ assert.Nil(t, err)
+ assert.Equal(t, "foo", cfg.AccessKey)
+ assert.Equal(t, "foo-secret", cfg.SecretKey)
+ assert.Equal(t, int64(0), cfg.ClockSkew)
+ assert.Equal(t, []string{"User-Agent"}, cfg.SignedHeaders)
+}
+
+func TestTranslateConsumerHMACAuthPluginWithSecretRed(t *testing.T) {
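Review bot: `TestTranslateConsumerHMACAuthPluginWithInPlaceValue` pins only the happy path: nothing in the visible lines exercises an `ApisixConsumerHMACAuthValue` with an empty `AccessKey` or `SecretKey`, and the `algorithm` setting is neither set nor asserted. For an authentication plugin it is worth deciding whether the translator rejects an empty secret, and adding a case with an empty `SecretKey` that asserts the outcome, e.g. `assert.NotNil(t, err)` if rejection is intended. The hunk continues past the quoted lines (the secret-ref test is cut at its signature), so such a case may exist further down; the same hunk is quoted again later in this thread.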
Review Comment:
Yes, and I have renamed it.
[GitHub] [apisix-ingress-controller] codecov-commenter commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1134097302
# [Codecov](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#1035](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (ce5333b) into [master](https://codecov.io/gh/apache/apisix-ingress-controller/commit/9bd4b714ceb8fd427b325757e10090f056803cd3?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (9bd4b71) will **increase** coverage by `0.31%`.
> The diff coverage is `62.06%`.
> :exclamation: Current head ce5333b differs from pull request most recent head 7b511c4. Consider uploading reports for the commit 7b511c4 to get more accurate results
```diff
@@ Coverage Diff @@
## master #1035 +/- ##
==========================================
+ Coverage 31.00% 31.32% +0.31%
==========================================
Files 74 74
Lines 8404 8491 +87
==========================================
+ Hits 2606 2660 +54
- Misses 5520 5543 +23
- Partials 278 288 +10
```
| [Impacted Files](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
|---|---|---|
| [pkg/kube/translation/apisix\_route.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL2t1YmUvdHJhbnNsYXRpb24vYXBpc2l4X3JvdXRlLmdv) | `20.73% <0.00%> (-0.14%)` | :arrow_down: |
| [pkg/kube/translation/apisix\_consumer.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL2t1YmUvdHJhbnNsYXRpb24vYXBpc2l4X2NvbnN1bWVyLmdv) | `67.74% <60.00%> (-1.49%)` | :arrow_down: |
| [pkg/kube/translation/plugin.go](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-cGtnL2t1YmUvdHJhbnNsYXRpb24vcGx1Z2luLmdv) | `86.01% <65.38%> (-13.99%)` | :arrow_down: |
------
[Continue to review full report at Codecov](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035?src=pr&el=continue&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
> **Legend** - [Click here to learn more](https://docs.codecov.io/docs/codecov-delta?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
> `Δ = absolute <relative> (impact)`, `ø = not affected`, `? = missing data`
> Powered by [Codecov](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035?src=pr&el=footer&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Last update [bef2010...7b511c4](https://codecov.io/gh/apache/apisix-ingress-controller/pull/1035?src=pr&el=lastupdated&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation). Read the [comment docs](https://docs.codecov.io/docs/pull-request-comments?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation).
[GitHub] [apisix-ingress-controller] tao12345666333 commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1134328313
@lingsamuel I think it's possible to merge #989 first and then merge this. let's move forward
[GitHub] [apisix-ingress-controller] Fatpa commented on a diff in pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
Fatpa commented on code in PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#discussion_r878998866
##########
test/e2e/suite-features/consumer.go:
##########
@@ -636,6 +636,212 @@ spec:
assert.Contains(ginkgo.GinkgoT(), msg401, "Missing rbac token in request")
})
+ ginkgo.It("ApisixRoute with hmacAuth consumer", func() {
+ ac := `
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixConsumer
+metadata:
+ name: hmacvalue
+spec:
+ authParameter:
+ hmacAuth:
+ value:
+ access_key: papa
+ secret_key: fatpa
+ algorithm: "hmac-sha256"
+ clock_skew: 0
+`
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ac), "creating hmacAuth ApisixConsumer")
+
+ // Wait until the ApisixConsumer create event was delivered.
+ time.Sleep(6 * time.Second)
+
+ grs, err := s.ListApisixConsumers()
+ assert.Nil(ginkgo.GinkgoT(), err, "listing consumer")
+ assert.Len(ginkgo.GinkgoT(), grs, 1)
+ assert.Len(ginkgo.GinkgoT(), grs[0].Plugins, 1)
+ hmacAuth, _ := grs[0].Plugins["hmac-auth"]
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth, map[string]interface{}{
+ "access_key": "papa",
+ "secret_key": "fatpa",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 0,
+ })
+
+ backendSvc, backendPorts := s.DefaultHTTPBackend()
+ ar := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+ match:
+ hosts:
+ - httpbin.org
+ paths:
+ - /ip
+ exprs:
+ - subject:
+ scope: Header
+ name: X-Foo
+ op: Equal
+ value: bar
+ backends:
+ - serviceName: %s
+ servicePort: %d
+ authentication:
+ enable: true
+ type: hmacAuth
+`, backendSvc, backendPorts[0])
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ar), "creating ApisixRoute with hmacAuth")
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixRoutesCreated(1), "Checking number of routes")
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixUpstreamsCreated(1), "Checking number of upstreams")
+
+ _ = s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "bar").
+ WithHeader("X-HMAC-SIGNATURE", "0K5jRBTxMVHHJAVoxMtWbKu9toFtTsUdHvQ3Xq/8zfY=").
+ WithHeader("X-HMAC-ACCESS-KEY", "papa").
+ WithHeader("X-HMAC-ALGORITHM", "hmac-sha256").
+ WithHeader("X-HMAC-SIGNED-HEADERS", "User-Agent").
+ WithHeader("User-Agent", "curl/7.29.0").
+ Expect().
+ Status(http.StatusOK)
+
+ msg := s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "bar").
+ Expect().
+ Status(http.StatusUnauthorized).
+ Body().
+ Raw()
+ assert.Contains(ginkgo.GinkgoT(), msg, "Missing authorization in request")
+
+ msg = s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "baz").
+ WithHeader("X-HMAC-SIGNATURE", "0K5jRBTxMVHHJAVoxMtWbKu9toFtTsUdHvQ3Xq/8zfY=").
+ WithHeader("X-HMAC-ACCESS-KEY", "papa").
+ WithHeader("X-HMAC-ALGORITHM", "hmac-sha256").
+ WithHeader("X-HMAC-SIGNED-HEADERS", "User-Agent").
+ WithHeader("User-Agent", "curl/7.29.0").
+ Expect().
+ Status(http.StatusNotFound).
+ Body().
+ Raw()
+ assert.Contains(ginkgo.GinkgoT(), msg, "404 Route Not Found")
+ })
+
+ ginkgo.It("ApisixRoute with hmacAuth consumer using secret", func() {
+ secret := `
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hmac
+data:
+ access_key: papa
+ secret_key: fatpa
+ algorithm: "hmac-sha256"
+ clock_skew: 0
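Review bot: `clock_skew: 0` in the consumer manifest, together with a hard-coded `X-HMAC-SIGNATURE` and no `Date` header on the request, means this test only passes with the freshness check switched off. As far as I recall the APISIX hmac-auth documentation, a value of 0 skips the Date validation, which should be confirmed against the plugin version under test. That is reasonable for a deterministic e2e fixture, but the manifest is likely to be copied as an example, and a signature that never expires can be replayed. I would add a comment above the consumer manifest such as `// clock_skew: 0 disables the Date check so the fixed signature below stays valid; use a non-zero skew outside tests`. The other quoted revisions of this hunk keep the same setting; the quote here stops at the review comment.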
Review Comment:
I will fix it soon.
[GitHub] [apisix-ingress-controller] tao12345666333 commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1135380049
thanks
[GitHub] [apisix-ingress-controller] Fatpa commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
Fatpa commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1135318037
I think I should make this compatible with the PR above first.
[GitHub] [apisix-ingress-controller] tao12345666333 commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1137022629
re-run all jobs.
I will finish review today, it's on my list. thanks
[GitHub] [apisix-ingress-controller] tao12345666333 commented on a diff in pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on code in PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#discussion_r881925503
##########
pkg/kube/translation/plugin_test.go:
##########
@@ -914,25 +914,111 @@ func TestTranslateConsumerWolfRBACWithSecretRef(t *testing.T) {
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
delete(sec.Data, "appid")
_, err = client.CoreV1().Secrets("default").Update(context.Background(), sec, metav1.UpdateOptions{})
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
delete(sec.Data, "header_prefix")
_, err = client.CoreV1().Secrets("default").Update(context.Background(), sec, metav1.UpdateOptions{})
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
close(processCh)
close(stopCh)
}
+
+func TestTranslateConsumerHMACAuthPluginWithInPlaceValue(t *testing.T) {
+ hmacAuth := &configv2beta3.ApisixConsumerHMACAuth{
+ Value: &configv2beta3.ApisixConsumerHMACAuthValue{
+ AccessKey: "foo",
+ SecretKey: "foo-secret",
+ ClockSkew: 0,
+ SignedHeaders: []string{"User-Agent"},
+ },
+ }
+ cfg, err := (&translator{}).translateConsumerHMACAuthPluginV2beta3("default", hmacAuth)
+ assert.Nil(t, err)
+ assert.Equal(t, "foo", cfg.AccessKey)
+ assert.Equal(t, "foo-secret", cfg.SecretKey)
+ assert.Equal(t, int64(0), cfg.ClockSkew)
+ assert.Equal(t, []string{"User-Agent"}, cfg.SignedHeaders)
+}
+
+func TestTranslateConsumerHMACAuthPluginWithSecretRed(t *testing.T) {
Review Comment:
```suggestion
func TestTranslateConsumerHMACAuthPluginWithSecretRef(t *testing.T) {
```
do you mean Ref?
##########
test/e2e/suite-features/consumer.go:
##########
@@ -636,6 +636,208 @@ spec:
assert.Contains(ginkgo.GinkgoT(), msg401, "Missing rbac token in request")
})
+ ginkgo.It("ApisixRoute with hmacAuth consumer", func() {
+ ac := `
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixConsumer
+metadata:
+ name: hmacvalue
+spec:
+ authParameter:
+ hmacAuth:
+ value:
+ access_key: papa
+ secret_key: fatpa
+ algorithm: "hmac-sha256"
+ clock_skew: 0
+`
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ac), "creating hmacAuth ApisixConsumer")
+
+ // Wait until the ApisixConsumer create event was delivered.
+ time.Sleep(6 * time.Second)
+
+ grs, err := s.ListApisixConsumers()
+ assert.Nil(ginkgo.GinkgoT(), err, "listing consumer")
+ assert.Len(ginkgo.GinkgoT(), grs, 1)
+ assert.Len(ginkgo.GinkgoT(), grs[0].Plugins, 1)
+ hmacAuth, _ := grs[0].Plugins["hmac-auth"].(map[string]interface{})
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["access_key"], "papa")
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["secret_key"], "fatpa")
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["algorithm"], "hmac-sha256")
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth["clock_skew"], float64(0))
+
Review Comment:
Equal(t, expected, actual, msgAndArgs)
You need to modify the order of the parameters
[GitHub] [apisix-ingress-controller] lingsamuel commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
lingsamuel commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1134324792
This PR affects #989, which one should be merged first (the later one needs to be modified accordingly)?
[GitHub] [apisix-ingress-controller] tao12345666333 merged pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 merged PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035
[GitHub] [apisix-ingress-controller] Fatpa commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
Fatpa commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1136682726
Please approve the workflows. @tao12345666333
[GitHub] [apisix-ingress-controller] Fatpa commented on pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
Fatpa commented on PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#issuecomment-1136703019
I have no idea about the failure of the suite-ingress.
Could you help me to see what happened to this error? @tao12345666333
[GitHub] [apisix-ingress-controller] tao12345666333 commented on a diff in pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
tao12345666333 commented on code in PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#discussion_r878987682
##########
pkg/kube/apisix/apis/config/v2beta3/types.go:
##########
@@ -342,6 +342,7 @@ type ApisixConsumerAuthParameter struct {
KeyAuth *ApisixConsumerKeyAuth `json:"keyAuth,omitempty" yaml:"keyAuth"`
WolfRBAC *ApisixConsumerWolfRBAC `json:"wolfRBAC,omitempty" yaml:"wolfRBAC"`
JwtAuth *ApisixConsumerJwtAuth `json:"jwtAuth,omitempty" yaml:"jwtAuth"`
+ HMacAuth *ApisixConsumerHMacAuth `json:"hmacAuth,omitempty" yaml:"hmacAuth"`
Review Comment:
According to [RFC 2104](https://datatracker.ietf.org/doc/html/rfc2104), I suggest naming this field HMACAuth
```suggestion
HMACAuth *ApisixConsumerHMACAuth `json:"hmacAuth,omitempty" yaml:"hmacAuth"`
```
##########
samples/deploy/crd/v1/ApisixRoute.yaml:
##########
@@ -452,7 +476,14 @@ spec:
type: boolean
type:
type: string
- enum: [ "basicAuth", "keyAuth", "jwtAuth", "wolfRBAC" ]
+ enum:
+ [
+ "basicAuth",
+ "keyAuth",
+ "jwtAuth",
+ "wolfRBAC",
+ "hmacAuth",
+ ]
Review Comment:
ditto
##########
test/e2e/suite-features/consumer.go:
##########
@@ -636,6 +636,212 @@ spec:
assert.Contains(ginkgo.GinkgoT(), msg401, "Missing rbac token in request")
})
+ ginkgo.It("ApisixRoute with hmacAuth consumer", func() {
+ ac := `
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixConsumer
+metadata:
+ name: hmacvalue
+spec:
+ authParameter:
+ hmacAuth:
+ value:
+ access_key: papa
+ secret_key: fatpa
+ algorithm: "hmac-sha256"
+ clock_skew: 0
+`
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ac), "creating hmacAuth ApisixConsumer")
+
+ // Wait until the ApisixConsumer create event was delivered.
+ time.Sleep(6 * time.Second)
+
+ grs, err := s.ListApisixConsumers()
+ assert.Nil(ginkgo.GinkgoT(), err, "listing consumer")
+ assert.Len(ginkgo.GinkgoT(), grs, 1)
+ assert.Len(ginkgo.GinkgoT(), grs[0].Plugins, 1)
+ hmacAuth, _ := grs[0].Plugins["hmac-auth"]
+ assert.Equal(ginkgo.GinkgoT(), hmacAuth, map[string]interface{}{
+ "access_key": "papa",
+ "secret_key": "fatpa",
+ "algorithm": "hmac-sha256",
+ "clock_skew": 0,
+ })
+
+ backendSvc, backendPorts := s.DefaultHTTPBackend()
+ ar := fmt.Sprintf(`
+apiVersion: apisix.apache.org/v2beta3
+kind: ApisixRoute
+metadata:
+ name: httpbin-route
+spec:
+ http:
+ - name: rule1
+ match:
+ hosts:
+ - httpbin.org
+ paths:
+ - /ip
+ exprs:
+ - subject:
+ scope: Header
+ name: X-Foo
+ op: Equal
+ value: bar
+ backends:
+ - serviceName: %s
+ servicePort: %d
+ authentication:
+ enable: true
+ type: hmacAuth
+`, backendSvc, backendPorts[0])
+ assert.Nil(ginkgo.GinkgoT(), s.CreateResourceFromString(ar), "creating ApisixRoute with hmacAuth")
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixRoutesCreated(1), "Checking number of routes")
+ assert.Nil(ginkgo.GinkgoT(), s.EnsureNumApisixUpstreamsCreated(1), "Checking number of upstreams")
+
+ _ = s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "bar").
+ WithHeader("X-HMAC-SIGNATURE", "0K5jRBTxMVHHJAVoxMtWbKu9toFtTsUdHvQ3Xq/8zfY=").
+ WithHeader("X-HMAC-ACCESS-KEY", "papa").
+ WithHeader("X-HMAC-ALGORITHM", "hmac-sha256").
+ WithHeader("X-HMAC-SIGNED-HEADERS", "User-Agent").
+ WithHeader("User-Agent", "curl/7.29.0").
+ Expect().
+ Status(http.StatusOK)
+
+ msg := s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "bar").
+ Expect().
+ Status(http.StatusUnauthorized).
+ Body().
+ Raw()
+ assert.Contains(ginkgo.GinkgoT(), msg, "Missing authorization in request")
+
+ msg = s.NewAPISIXClient().GET("/ip").
+ WithHeader("Host", "httpbin.org").
+ WithHeader("X-Foo", "baz").
+ WithHeader("X-HMAC-SIGNATURE", "0K5jRBTxMVHHJAVoxMtWbKu9toFtTsUdHvQ3Xq/8zfY=").
+ WithHeader("X-HMAC-ACCESS-KEY", "papa").
+ WithHeader("X-HMAC-ALGORITHM", "hmac-sha256").
+ WithHeader("X-HMAC-SIGNED-HEADERS", "User-Agent").
+ WithHeader("User-Agent", "curl/7.29.0").
+ Expect().
+ Status(http.StatusNotFound).
+ Body().
+ Raw()
+ assert.Contains(ginkgo.GinkgoT(), msg, "404 Route Not Found")
+ })
+
+ ginkgo.It("ApisixRoute with hmacAuth consumer using secret", func() {
+ secret := `
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hmac
+data:
+ access_key: papa
+ secret_key: fatpa
+ algorithm: "hmac-sha256"
+ clock_skew: 0
Review Comment:
secret is base64 encoded
##########
samples/deploy/crd/v1/ApisixRoute.yaml:
##########
@@ -610,7 +641,18 @@ spec:
minItems: 1
items:
type: string
- enum: [ "CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE" ]
+ enum:
+ [
+ "CONNECT",
+ "DELETE",
+ "GET",
+ "HEAD",
+ "OPTIONS",
+ "PATCH",
+ "POST",
+ "PUT",
+ "TRACE",
+ ]
Review Comment:
ditto
##########
samples/deploy/crd/v1/ApisixRoute.yaml:
##########
@@ -355,7 +367,18 @@ spec:
minItems: 1
items:
type: string
- enum: [ "CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE" ]
+ enum:
+ [
+ "CONNECT",
+ "DELETE",
+ "GET",
+ "HEAD",
+ "OPTIONS",
+ "PATCH",
+ "POST",
+ "PUT",
+ "TRACE",
+ ]
Review Comment:
ditto
##########
samples/deploy/crd/v1/ApisixRoute.yaml:
##########
@@ -372,7 +395,8 @@ spec:
properties:
scope:
type: string
- enum: [ "Cookie", "Header", "Path", "Query" ]
+ enum:
+ ["Cookie", "Header", "Path", "Query"]
Review Comment:
ditto
##########
samples/deploy/crd/v1/ApisixRoute.yaml:
##########
@@ -129,12 +140,13 @@ spec:
properties:
scope:
type: string
- enum: ["Cookie", "Header", "Path", "Query"]
+ enum:
+ ["Cookie", "Header", "Path", "Query"]
Review Comment:
ditto
##########
samples/deploy/crd/v1/ApisixRoute.yaml:
##########
@@ -627,7 +669,8 @@ spec:
properties:
scope:
type: string
- enum: [ "Cookie", "Header", "Path", "Query" ]
+ enum:
+ ["Cookie", "Header", "Path", "Query"]
Review Comment:
ditto
##########
samples/deploy/crd/v1/ApisixRoute.yaml:
##########
@@ -112,7 +112,18 @@ spec:
minItems: 1
items:
type: string
- enum: ["CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT", "TRACE"]
+ enum:
+ [
+ "CONNECT",
+ "DELETE",
+ "GET",
+ "HEAD",
+ "OPTIONS",
+ "PATCH",
+ "POST",
+ "PUT",
+ "TRACE",
+ ]
Review Comment:
If you want to write a sequence over multiple lines, you can remove the `[` and `]` symbols and use `-` instead,
like:
```
enum:
- "CONNECT"
```
[GitHub] [apisix-ingress-controller] Fatpa commented on a diff in pull request #1035: feat: add hmac-auth authorization method
Posted by GitBox <gi...@apache.org>.
Fatpa commented on code in PR #1035:
URL: https://github.com/apache/apisix-ingress-controller/pull/1035#discussion_r882258246
##########
pkg/kube/translation/plugin_test.go:
##########
@@ -914,25 +914,111 @@ func TestTranslateConsumerWolfRBACWithSecretRef(t *testing.T) {
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
delete(sec.Data, "appid")
_, err = client.CoreV1().Secrets("default").Update(context.Background(), sec, metav1.UpdateOptions{})
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
delete(sec.Data, "header_prefix")
_, err = client.CoreV1().Secrets("default").Update(context.Background(), sec, metav1.UpdateOptions{})
assert.Nil(t, err)
<-processCh
- cfg, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
+ _, err = tr.translateConsumerWolfRBACPluginV2beta3("default", wolfRBAC)
assert.Nil(t, err)
close(processCh)
close(stopCh)
}
+
+func TestTranslateConsumerHMACAuthPluginWithInPlaceValue(t *testing.T) {
+ hmacAuth := &configv2beta3.ApisixConsumerHMACAuth{
+ Value: &configv2beta3.ApisixConsumerHMACAuthValue{
+ AccessKey: "foo",
+ SecretKey: "foo-secret",
+ ClockSkew: 0,
+ SignedHeaders: []string{"User-Agent"},
+ },
+ }
+ cfg, err := (&translator{}).translateConsumerHMACAuthPluginV2beta3("default", hmacAuth)
+ assert.Nil(t, err)
+ assert.Equal(t, "foo", cfg.AccessKey)
+ assert.Equal(t, "foo-secret", cfg.SecretKey)
+ assert.Equal(t, int64(0), cfg.ClockSkew)
+ assert.Equal(t, []string{"User-Agent"}, cfg.SignedHeaders)
+}
+
+func TestTranslateConsumerHMACAuthPluginWithSecretRed(t *testing.T) {
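Review bot: The `ClockSkew` assertion in TestTranslateConsumerHMACAuthPluginWithInPlaceValue cannot fail, because the input is `ClockSkew: 0` and `int64(0)` is also what the field would hold if the translator never copied it. Use a non-zero value, for example `ClockSkew: 300,` with `assert.Equal(t, int64(300), cfg.ClockSkew)`, so that a dropped field is caught. This is more than test hygiene: as I understand APISIX's hmac-auth plugin, a clock skew of 0 skips the Date check that bounds how long a captured signature can be replayed, so a silently lost value would weaken the consumer's configuration; please confirm against the plugin documentation. The hunk begins inside TestTranslateConsumerWolfRBACWithSecretRef and the quote stops at the signature of the next test, so neither of those bodies is reviewed here.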
Review Comment:
Yes, and I have renamed it.