feat(vault): vault lua module, integration with jwt-auth authentication plugin

apisix/core/vault.lua

@@ -0,0 +1,122 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements.  See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License.  You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+
+local core = require("apisix.core")
+local http = require("resty.http")
+local json = require("cjson")
+
+local fetch_local_conf = require("apisix.core.config_local").local_conf
+local norm_path = require("pl.path").normpath
+
+local _M = {}
+
+local function fetch_vault_conf()
+    local conf, err = fetch_local_conf()
+    if not conf then
+        return nil, "failed to fetch vault configuration from config yaml: " .. err
+    end
+
+    if not conf.vault then
+        return nil, "accessing vault data requires configuration information"
+    end
+    return conf.vault
+end
+
+
+local function make_request_to_vault(method, key, skip_prefix, data)
+    local vault, err = fetch_vault_conf()
+    if not vault then
+        return nil, err
+    end
+
+    local httpc = http.new()
+    -- config timeout or default to 5000 ms
+    httpc:set_timeout((vault.timeout or 5)*1000)
+
+    local req_addr = vault.host
+    if not skip_prefix then
+        req_addr = req_addr .. norm_path("/v1/"
+                .. vault.prefix .. "/" .. key)
+    else
+        req_addr = req_addr .. norm_path("/v1/" .. key)
+    end
+
+    local res, err = httpc:request_uri(req_addr, {
+        method = method,
+        headers = {
+            ["X-Vault-Token"] = vault.token
+        },
+        body = core.json.encode(data or  {}, true)
+    })
+    if not res then
+        return nil, err
+    end
+
+    return res.body
+end
+
+-- key is the vault kv engine path, joined with config yaml vault prefix.
+-- It takes an extra optional boolean param skip_prefix. If enabled, it simply doesn't use the
+-- prefix defined inside config yaml under vault config for fetching data.
+local function get(key, skip_prefix)
+    core.log.info("fetching data from vault for key: ", key)
+
+    local res, err = make_request_to_vault("GET", key, skip_prefix)
+    if not res or err then
+        return nil, "failed to retrtive data from vault kv engine " .. err
+    end
+
+    return json.decode(res)
+end
+
+_M.get = get
+
+-- key is the vault kv engine path, data is json key vaule pair.
+-- It takes an extra optional boolean param skip_prefix. If enabled, it simply doesn't use the
+-- prefix defined inside config yaml under vault config for storing data.
+local function set(key, data, skip_prefix)
+    core.log.info("stroing data into vault for key: ", key,
+                    "and value: ", core.json.delay_encode(data, true))
+
+    local res, err = make_request_to_vault("POST", key, skip_prefix, data)
+    if not res or err then
+        return nil, "failed to store data into vault kv engine " .. err
+    end
+
+    return true
+end
+_M.set = set
+
+
+-- key is the vault kv engine path, joined with config yaml vault prefix.
+-- It takes an extra optional boolean param skip_prefix. If enabled, it simply doesn't use the
+-- prefix defined inside config yaml under vault config for deleting data.
+local function delete(key, skip_prefix)
+    core.log.info("deleting data from vault for key: ", key)
+
+    local res, err = make_request_to_vault("DELETE", key, skip_prefix)
+
+    if not res or err then
+        return nil, "failed to delete data into vault kv engine " .. err
+    end
+
+    return true
+end
+
+_M.delete = delete
+
+return _M

apisix/plugins/jwt-auth.lua

@@ -19,6 +19,7 @@ local jwt      = require("resty.jwt")
 local ck       = require("resty.cookie")
 local consumer_mod = require("apisix.consumer")
 local resty_random = require("resty.random")
+local vault        = require("apisix.core.vault")
 
 local ngx_encode_base64 = ngx.encode_base64
 local ngx_decode_base64 = ngx.decode_base64
@@ -54,6 +55,10 @@ local consumer_schema = {
         base64_secret = {
             type = "boolean",
             default = false
+        },
+        vault = {
+            type = "object",
+            properties = {}
         }
     },
     dependencies = {
@@ -76,7 +81,20 @@ local consumer_schema = {
                         },
                     },
                     required = {"public_key", "private_key"},
-                }
+                },
+                {
+                    properties = {
+                        vault = {
+                            type = "object",
+                            properties = {}
+                        },
+                        algorithm = {
+                            enum = {"RS256"},
+                        },
+                    },
+                    required = {"vault"},
+                },
+
             }
         }
     },
@@ -119,29 +137,34 @@ function _M.check_schema(conf, schema_type)
     if schema_type == core.schema.TYPE_CONSUMER then
         ok, err = core.schema.check(consumer_schema, conf)
     else
-        ok, err = core.schema.check(schema, conf)
+        return core.schema.check(schema, conf)
     end
 
     if not ok then
         return false, err
     end
 
-    if schema_type == core.schema.TYPE_CONSUMER then
-        if conf.algorithm ~= "RS256" and not conf.secret then
-            conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
-        elseif conf.base64_secret then
-            if ngx_decode_base64(conf.secret) == nil then
-                return false, "base64_secret required but the secret is not in base64 format"
-            end
+    if conf.vault then
+        core.log.info("skipping jwt-auth schema validation with vault")
+        return true
+    end
+
+    if conf.algorithm ~= "RS256" and not conf.secret then
+        conf.secret = ngx_encode_base64(resty_random.bytes(32, true))
+    elseif conf.base64_secret then
+        if ngx_decode_base64(conf.secret) == nil then
+            return false, "base64_secret required but the secret is not in base64 format"
         end
+    end
 
-        if conf.algorithm == "RS256" then
-            if not conf.public_key then
-                return false, "missing valid public key"
-            end
-            if not conf.private_key then
-                return false, "missing valid private key"
-            end
+    if conf.algorithm == "RS256" then
+        -- Possible options are a) both are in vault, b) both in schema
+        -- c) one in schema, another in vault.
+        if not conf.public_key then
+            return false, "missing valid public key"
+        end
+        if not conf.private_key then
+            return false, "missing valid private key"
         end
     end
 
@@ -175,12 +198,62 @@ local function fetch_jwt_token(ctx)
 end
 
 
-local function get_secret(conf)
+local function get_vault_path(username)
+    return "consumer/".. username .. "/jwt-auth"
+end
+
+
+local function get_secret(conf, consumer_name)
+    local secret = conf.secret
+    if conf.vault then
+        local res, err = vault.get(get_vault_path(consumer_name))
+        if not res or err then
+            return nil, err
+        end
+
+        if not res.data or not res.data.secret then
+            return nil, "secret could not found in vault: " .. core.json.encode(res)
+        end
+        secret = res.data.secret
+    end
+
     if conf.base64_secret then
-        return ngx_decode_base64(conf.secret)
+        return ngx_decode_base64(secret)
     end
 
-    return conf.secret
+    return secret
+end
+
+
+local function get_rsa_keypair(conf, consumer_name)
+    local public_key = conf.public_key
+    local private_key = conf.private_key
+    -- if keys are present in conf, no need to query vault (fallback)
+    if public_key and private_key then
+        return public_key, private_key
+    end
+
+    local vout = {}
+    if conf.vault then
+        local res, err = vault.get(get_vault_path(consumer_name))
+        if not res or err then
+            return nil, nil, err
+        end
+
+        if not res.data then
+            return nil, nil, "keypairs could not found in vault: " .. core.json.encode(res)
+        end
+        vout = res.data
+    end
+
+    if not public_key and not vout.public_key then
+        return nil, nil, "missing public key, not found in config/vault"
+    end
+    if not private_key and not vout.private_key then
+        return nil, nil, "missing private key, not found in config/vault"
+    end
+
+    return public_key or vout.public_key, private_key or vout.private_key
 end
 
 
@@ -197,16 +270,20 @@ local function get_real_payload(key, auth_conf, payload)
 end
 
 
-local function sign_jwt_with_HS(key, auth_conf, payload)
-    local auth_secret = get_secret(auth_conf)
+local function sign_jwt_with_HS(key, consumer, payload)
+    local auth_secret, err = get_secret(consumer.auth_conf, consumer.username)
+    if not auth_secret then
+        core.log.error("failed to sign jwt, err: ", err)
+        core.response.exit(503, "failed to sign jwt")
+    end
     local ok, jwt_token = pcall(jwt.sign, _M,
         auth_secret,
         {
             header = {
                 typ = "JWT",
-                alg = auth_conf.algorithm
+                alg = consumer.auth_conf.algorithm
             },
-            payload = get_real_payload(key, auth_conf, payload)
+            payload = get_real_payload(key, consumer.auth_conf, payload)
         }
     )
     if not ok then
@@ -217,18 +294,24 @@ local function sign_jwt_with_HS(key, auth_conf, payload)
 end
 
 
-local function sign_jwt_with_RS256(key, auth_conf, payload)
+local function sign_jwt_with_RS256(key, consumer, payload)
+    local public_key, private_key, err = get_rsa_keypair(consumer.auth_conf, consumer.username)
+    if not public_key then
+        core.log.error("failed to sign jwt, err: ", err)
+        core.response.exit(503, "failed to sign jwt")
+    end
+
     local ok, jwt_token = pcall(jwt.sign, _M,
-        auth_conf.private_key,
+        private_key,
         {
             header = {
                 typ = "JWT",
-                alg = auth_conf.algorithm,
+                alg = consumer.auth_conf.algorithm,
                 x5c = {
-                    auth_conf.public_key,
+                    public_key,
                 }
             },
-            payload = get_real_payload(key, auth_conf, payload)
+            payload = get_real_payload(key, consumer.auth_conf, payload)
         }
     )
     if not ok then
@@ -238,13 +321,22 @@ local function sign_jwt_with_RS256(key, auth_conf, payload)
     return jwt_token
 end
 
-
-local function algorithm_handler(consumer)
+-- introducing method_only flag (returns respective signing method) to save http API calls.
+local function algorithm_handler(consumer, method_only)
     if not consumer.auth_conf.algorithm or consumer.auth_conf.algorithm == "HS256"
             or consumer.auth_conf.algorithm == "HS512" then
-        return sign_jwt_with_HS, get_secret(consumer.auth_conf)
+        if method_only then
+            return sign_jwt_with_HS
+        end
+
+        return get_secret(consumer.auth_conf, consumer.username)
     elseif consumer.auth_conf.algorithm == "RS256" then
-        return sign_jwt_with_RS256, consumer.auth_conf.public_key
+        if method_only then
+            return sign_jwt_with_RS256
+        end
+
+        local public_key, _, err = get_rsa_keypair(consumer.auth_conf, consumer.username)
+        return public_key, err
     end
 end
 
@@ -284,7 +376,11 @@ function _M.rewrite(conf, ctx)
     end
     core.log.info("consumer: ", core.json.delay_encode(consumer))
 
-    local _, auth_secret = algorithm_handler(consumer)
+    local auth_secret, err = algorithm_handler(consumer)
+    if not auth_secret then
+        core.log.error("failed to retrive secrets, err: ", err)
+        return 503, {message = "failed to verify jwt"}
+    end
     jwt_obj = jwt:verify_jwt_obj(auth_secret, jwt_obj)
     core.log.info("jwt object: ", core.json.delay_encode(jwt_obj))
 
@@ -325,8 +421,8 @@ local function gen_token()
 
     core.log.info("consumer: ", core.json.delay_encode(consumer))
 
-    local sign_handler, _ = algorithm_handler(consumer)
-    local jwt_token = sign_handler(key, consumer.auth_conf, payload)
+    local sign_handler = algorithm_handler(consumer, true)
+    local jwt_token = sign_handler(key, consumer, payload)
     if jwt_token then
         return core.response.exit(200, jwt_token)
     end

ci/centos7-ci.sh

@@ -40,6 +40,9 @@ install_dependencies() {
     cp ./etcd-v3.4.0-linux-amd64/etcdctl /usr/local/bin/
     rm -rf etcd-v3.4.0-linux-amd64
 
+    # install vault cli capabilities
+    install_vault_cli
+
     # install test::nginx
     yum install -y cpanminus perl
     cpanm --notest Test::Nginx IPC::Run > build.log 2>&1 || (cat build.log && exit 1)