diff --git a/changelog/unreleased/kong/feat-add-vault-template-support-in-different-plugins.yml b/changelog/unreleased/kong/feat-add-vault-template-support-in-different-plugins.yml
new file mode 100644
index 00000000000..7094502644f
--- /dev/null
+++ b/changelog/unreleased/kong/feat-add-vault-template-support-in-different-plugins.yml
@@ -0,0 +1,3 @@
+message: Added an option to use {vault://} in specific fields of plugins
+type: feature
+scope: Plugin
diff --git a/kong/plugins/basic-auth/daos.lua b/kong/plugins/basic-auth/daos.lua
index 7963628a4c7..ff76bab85c1 100644
--- a/kong/plugins/basic-auth/daos.lua
+++ b/kong/plugins/basic-auth/daos.lua
@@ -14,8 +14,8 @@ return {
 { id = typedefs.uuid },
 { created_at = typedefs.auto_timestamp_s },
 { consumer = { type = "foreign", reference = "consumers", required = true, on_delete = "cascade" }, },
- { username = { type = "string", required = true, unique = true }, },
- { password = { type = "string", required = true, encrypted = true }, }, -- encrypted = true is a Kong Enterprise Exclusive feature, it does nothing in Kong CE
+ { username = { type = "string", required = true, unique = true, referenceable = true }, },
+ { password = { type = "string", required = true, encrypted = true, referenceable = true }, }, -- encrypted = true is a Kong Enterprise Exclusive feature, it does nothing in Kong CE
 { tags = typedefs.tags },
 },
 transformations = {
diff --git a/kong/plugins/hmac-auth/daos.lua b/kong/plugins/hmac-auth/daos.lua
index 34f788b307d..3b7eaec0d59 100644
--- a/kong/plugins/hmac-auth/daos.lua
+++ b/kong/plugins/hmac-auth/daos.lua
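Review bot: The `referenceable = true` added to `username` and `password` here (and to `username`/`secret` in hmac-auth, `secret` in jwt, `client_id`/`client_secret` in oauth2) is not exercised by any of the new spec files, which only dereference plugin config fields such as `hide_credentials`. A credential-entity test that stores a `{vault://env/...}` reference in `password` (and one in `username`) and asserts the dereferenced value after `process_auto_fields(..., "select")` would pin the behaviour this change enables. For `username`, `unique = true` is presumably evaluated on the stored string, so two credentials whose references resolve to the same username would both be accepted, and request-time lookup by the literal username may not match a stored reference — a comment or test confirming the intended semantics would help. The enclosing `return { ... fields = { ... } }` table begins and ends outside the hunk.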
@@ -15,8 +15,8 @@ return {
 { id = typedefs.uuid },
 { created_at = typedefs.auto_timestamp_s },
 { consumer = { type = "foreign", reference = "consumers", required = true, on_delete = "cascade", }, },
- { username = { type = "string", required = true, unique = true }, },
- { secret = { type = "string", auto = true }, },
+ { username = { type = "string", required = true, unique = true, referenceable = true }, },
+ { secret = { type = "string", auto = true, referenceable = true }, },
 { tags = typedefs.tags },
 },
 },
diff --git a/kong/plugins/jwt/daos.lua b/kong/plugins/jwt/daos.lua
index 32c46d2da27..bb07df4b405 100644
--- a/kong/plugins/jwt/daos.lua
+++ b/kong/plugins/jwt/daos.lua
@@ -24,7 +24,7 @@ return {
 { created_at = typedefs.auto_timestamp_s },
 { consumer = { type = "foreign", reference = "consumers", required = true, on_delete = "cascade", }, },
 { key = { type = "string", required = false, unique = true, auto = true }, },
- { secret = { type = "string", auto = true }, },
+ { secret = { type = "string", auto = true, referenceable = true }, },
 { rsa_public_key = { type = "string" }, },
 { algorithm = {
 type = "string",
diff --git a/kong/plugins/oauth2/daos.lua b/kong/plugins/oauth2/daos.lua
index 354fdb17aa1..a65b4fa2ec6 100644
--- a/kong/plugins/oauth2/daos.lua
+++ b/kong/plugins/oauth2/daos.lua
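Review bot: In the jwt hunk only `secret` becomes referenceable, while `key` (the credential's lookup identifier) and `rsa_public_key` stay plain strings, which is inconsistent with basic-auth and oauth2 where the lookup field (`username`, `client_id`) is made referenceable too. If the asymmetry is deliberate — e.g. because `key` must be a literal value to be matched against incoming tokens — a one-line comment such as `-- key is matched literally; not referenceable` on the `key` line would stop the next reader from "fixing" it. Since `secret` also carries `auto = true`, it is worth documenting whether a vault reference is only honoured when the caller supplies one and never produced by auto-generation. The enclosing `return {` table starts before and ends after the hunk.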
@@ -31,8 +31,8 @@ local oauth2_credentials = {
 { created_at = typedefs.auto_timestamp_s },
 { consumer = { type = "foreign", reference = "consumers", required = true, on_delete = "cascade", }, },
 { name = { type = "string", required = true }, },
- { client_id = { type = "string", required = false, unique = true, auto = true }, },
- { client_secret = { type = "string", required = false, auto = true, encrypted = true }, }, -- encrypted = true is a Kong Enterprise Exclusive feature. It does nothing in Kong CE
+ { client_id = { type = "string", required = false, unique = true, auto = true, referenceable = true }, },
+ { client_secret = { type = "string", required = false, auto = true, encrypted = true, referenceable = true }, }, -- encrypted = true is a Kong Enterprise Exclusive feature. It does nothing in Kong CE
 { hash_secret = { type = "boolean", required = true, default = false }, },
 { redirect_uris = {
 type = "array",
diff --git a/spec/03-plugins/03-http-log/03-schem-vault_spec.lua b/spec/03-plugins/03-http-log/03-schema-vault_spec.lua
similarity index 100%
rename from spec/03-plugins/03-http-log/03-schem-vault_spec.lua
rename to spec/03-plugins/03-http-log/03-schema-vault_spec.lua
diff --git a/spec/03-plugins/10-basic-auth/06-vault_spec.lua b/spec/03-plugins/10-basic-auth/06-vault_spec.lua
new file mode 100644
index 00000000000..54c1a8e2987
--- /dev/null
+++ b/spec/03-plugins/10-basic-auth/06-vault_spec.lua
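Review bot: `client_secret` becomes referenceable directly above `hash_secret`, whose presence suggests the secret is hashed on write when `hash_secret = true`; if that hashing lives in a DAO transformation outside this hunk, a stored `{vault://...}` reference would either be hashed as a literal string (and the vault value never used) or be dereferenced and then persisted as a hash, which defeats keeping it in the vault. The schema should either reject a reference when `hash_secret` is true or document the supported combination, e.g. `-- referenceable is only meaningful with hash_secret = false; the reference string itself must never be hashed` — confirm against the transformation code. The `oauth2_credentials` table begins and ends outside the hunk.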
@@ -0,0 +1,45 @@
+local helpers = require "spec.helpers"
+local Entity = require "kong.db.schema.entity"
+local plugins_schema_def = require "kong.db.schema.entities.plugins"
+local conf_loader = require "kong.conf_loader"
+
+local PLUGIN_NAME = "basic-auth"
+
+ describe(PLUGIN_NAME .. ": (schema-vault)", function()
+ local plugins_schema = assert(Entity.new(plugins_schema_def))
+
+ lazy_setup(function()
+ local conf = assert(conf_loader(nil, {
+ vaults = "bundled",
+ plugins = "bundled",
+ }))
+
+ local kong_global = require "kong.global"
+ _G.kong = kong_global.new()
+ kong_global.init_pdk(kong, conf)
+
+ local plugin_schema = require("kong.plugins."..PLUGIN_NAME..".schema")
+ assert(plugins_schema:new_subschema(PLUGIN_NAME, plugin_schema))
+ end)
+
+ it("should dereference vault value", function()
+ local env_name = "BASIC_AUTH_HIDE_CREDENTIALS"
+ local env_value = "true"
+
+ finally(function()
+ helpers.unsetenv(env_name)
+ end)
+
+ helpers.setenv(env_name, env_value)
+
+ local entity = plugins_schema:process_auto_fields({
+ name = PLUGIN_NAME,
+ config = {
+ hide_credentials = "{vault://env/basic-auth-hide-credentials}"
+ },
+ }, "select")
+
+ assert.equal(env_value, entity.config.hide_credentials)
+ end)
+end)
diff --git a/spec/03-plugins/16-jwt/06-vault_spec.lua b/spec/03-plugins/16-jwt/06-vault_spec.lua
new file mode 100644
index 00000000000..582a32997fb
--- /dev/null
+++ b/spec/03-plugins/16-jwt/06-vault_spec.lua
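Review bot: `_G.kong` is overwritten in `lazy_setup` and never restored — there is no `lazy_teardown` — so the PDK instance built here leaks into whichever spec runs next in the same process; add `lazy_teardown(function() _G.kong = nil end)` (or save and restore the previous value). The same applies to the three sibling files `16-jwt`, `19-hmac-auth` and `25-oauth2`, which differ from this one only in `PLUGIN_NAME`, the env variable and the config field, so a shared helper in `spec/helpers` taking those three values would replace roughly forty duplicated lines per file. The assertion compares the string `"true"` with `entity.config.hide_credentials`, a field the plugin schema declares as a boolean as far as I recall, so the test implicitly pins that dereferenced values are not coerced on `"select"`; a comment such as `-- vault values are returned as raw strings on "select"; no type coercion` would keep a future reader from rewriting it as `assert.is_true`. None of these specs exercise the credential DAO fields changed elsewhere in this PR.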
@@ -0,0 +1,45 @@
+local helpers = require "spec.helpers"
+local Entity = require "kong.db.schema.entity"
+local plugins_schema_def = require "kong.db.schema.entities.plugins"
+local conf_loader = require "kong.conf_loader"
+
+local PLUGIN_NAME = "jwt"
+
+ describe(PLUGIN_NAME .. ": (schema-vault)", function()
+ local plugins_schema = assert(Entity.new(plugins_schema_def))
+
+ lazy_setup(function()
+ local conf = assert(conf_loader(nil, {
+ vaults = "bundled",
+ plugins = "bundled",
+ }))
+
+ local kong_global = require "kong.global"
+ _G.kong = kong_global.new()
+ kong_global.init_pdk(kong, conf)
+
+ local plugin_schema = require("kong.plugins."..PLUGIN_NAME..".schema")
+ assert(plugins_schema:new_subschema(PLUGIN_NAME, plugin_schema))
+ end)
+
+ it("should dereference vault value", function()
+ local env_name = "JWT_SECRET_IS_BASE64"
+ local env_value = "true"
+
+ finally(function()
+ helpers.unsetenv(env_name)
+ end)
+
+ helpers.setenv(env_name, env_value)
+
+ local entity = plugins_schema:process_auto_fields({
+ name = PLUGIN_NAME,
+ config = {
+ secret_is_base64 = "{vault://env/jwt-secret-is-base64}"
+ },
+ }, "select")
+
+ assert.equal(env_value, entity.config.secret_is_base64)
+ end)
+end)
diff --git a/spec/03-plugins/19-hmac-auth/06-vault_spec.lua b/spec/03-plugins/19-hmac-auth/06-vault_spec.lua
new file mode 100644
index 00000000000..1be1e299998
--- /dev/null
+++ b/spec/03-plugins/19-hmac-auth/06-vault_spec.lua
@@ -0,0 +1,45 @@
+local helpers = require "spec.helpers"
+local Entity = require "kong.db.schema.entity"
+local plugins_schema_def = require "kong.db.schema.entities.plugins"
+local conf_loader = require "kong.conf_loader"
+
+local PLUGIN_NAME = "hmac-auth"
+
+ describe(PLUGIN_NAME .. ": (schema-vault)", function()
+ local plugins_schema = assert(Entity.new(plugins_schema_def))
+
+ lazy_setup(function()
+ local conf = assert(conf_loader(nil, {
+ vaults = "bundled",
+ plugins = "bundled",
+ }))
+
+ local kong_global = require "kong.global"
+ _G.kong = kong_global.new()
+ kong_global.init_pdk(kong, conf)
+
+ local plugin_schema = require("kong.plugins."..PLUGIN_NAME..".schema")
+ assert(plugins_schema:new_subschema(PLUGIN_NAME, plugin_schema))
+ end)
+
+ it("should dereference vault value", function()
+ local env_name = "HMAC_AUTH_HIDE_CREDENTIALS"
+ local env_value = "true"
+
+ finally(function()
+ helpers.unsetenv(env_name)
+ end)
+
+ helpers.setenv(env_name, env_value)
+
+ local entity = plugins_schema:process_auto_fields({
+ name = PLUGIN_NAME,
+ config = {
+ hide_credentials = "{vault://env/hmac-auth-hide-credentials}"
+ },
+ }, "select")
+
+ assert.equal(env_value, entity.config.hide_credentials)
+ end)
+end)
diff --git a/spec/03-plugins/25-oauth2/06-vault_spec.lua b/spec/03-plugins/25-oauth2/06-vault_spec.lua
new file mode 100644
index 00000000000..191a3568033
--- /dev/null
+++ b/spec/03-plugins/25-oauth2/06-vault_spec.lua
@@ -0,0 +1,45 @@
+local helpers = require "spec.helpers"
+local Entity = require "kong.db.schema.entity"
+local plugins_schema_def = require "kong.db.schema.entities.plugins"
+local conf_loader = require "kong.conf_loader"
+
+local PLUGIN_NAME = "oauth2"
+
+ describe(PLUGIN_NAME .. ": (schema-vault)", function()
+ local plugins_schema = assert(Entity.new(plugins_schema_def))
+
+ lazy_setup(function()
+ local conf = assert(conf_loader(nil, {
+ vaults = "bundled",
+ plugins = "bundled",
+ }))
+
+ local kong_global = require "kong.global"
+ _G.kong = kong_global.new()
+ kong_global.init_pdk(kong, conf)
+
+ local plugin_schema = require("kong.plugins."..PLUGIN_NAME..".schema")
+ assert(plugins_schema:new_subschema(PLUGIN_NAME, plugin_schema))
+ end)
+
+ it("should dereference vault value", function()
+ local env_name = "OAUTH2_HIDE_CREDENTIALS"
+ local env_value = "true"
+
+ finally(function()
+ helpers.unsetenv(env_name)
+ end)
+
+ helpers.setenv(env_name, env_value)
+
+ local entity = plugins_schema:process_auto_fields({
+ name = PLUGIN_NAME,
+ config = {
+ hide_credentials = "{vault://env/oauth2-hide-credentials}"
+ },
+ }, "select")
+
+ assert.equal(env_value, entity.config.hide_credentials)
+ end)
+end)