feat: allow to use environment variables for openid-connect plugin #11451
Conversation
hi good morning @shreemaan-abhishek could you kindly review this PR for me?
shreemaan-abhishek
left a comment
please write a test case that uses vault as well.
apisix/plugins/openid-connect.lua
Outdated
| function _M.check_schema(conf) | ||
| function _M.check_schema(plugin_conf) | ||
| local conf = fetch_secrets(plugin_conf) |
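Review bot: resolving secrets inside check_schema (the added `local conf = fetch_secrets(plugin_conf)`) makes a function that should be a pure validation step perform secret lookups on every validation, including at startup and on reload, so an unreachable secret backend or an unset variable rejects the route configuration instead of surfacing at request time, and the thread below reports an `attempt to compare nil with number` runtime error while this line is present. Validate the raw plugin_conf here and resolve secrets once in the request phase so the schema check stays side-effect free; if a value that arrives through a reference must be type-checked, state that requirement in the schema description rather than fetching during validation.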
this is not needed.
this is not needed.
This is needed when someone puts a non-string value such as a Boolean into an env var; otherwise the type inconsistency will fail the check.
This line is giving me some issues after apisix reload.
If the fetch_secrets line is done in check_schema, the route fails, showing me the following error:
2024/11/12 17:12:51 [error] 240#240: *13728 lua entry thread aborted: runtime error: ...isix/custom-plugins/apisix/plugins/openid-connect.lua:478: attempt to compare nil with number
stack traceback:
coroutine 0:
...isix/custom-plugins/apisix/plugins/openid-connect.lua: in function 'phase_func'
/usr/local/apisix/apisix/plugin.lua:1166: in function 'run_plugin'
/usr/local/apisix/apisix/init.lua:689: in function 'http_access_phase'
access_by_lua(nginx.conf:310):2: in main chunk, client: 10.89.2.37, server: _, request: "GET /private/anything HTTP/2.0", host: "XXXX"
If I remove fetch_secrets from check_schema, the route works as expected, but the following warning is shown at startup:
[warn] 187#187: *8391 [lua] utils.lua:418: find_and_log(): Using openid-connect discovery with no TLS is a security risk, context: init_worker_by_lua*
I assume that without the fetch_secrets the value of discovery is not resolved and openid checks https for it.
So should we remove fetch_secrets from check_schema to avoid this?
By contrast, putting a Boolean value in a secret is not a particularly common case in this plugin. Typically, only string URLs and secret keys will be placed in vault.
pushed this change
please add new test cases in t/plugin/openid-connect
Co-authored-by: Shreemaan Abhishek <[email protected]>
shreemaan-abhishek
left a comment
the test cases for the secret resource seem correct to me, please resolve the conflicts with master so that the tests can run
Great contribution!! I'm looking forward to this fix, as we are using AWS Secrets Manager as a secrets provider and we need to configure the secret as an environment variable. I hope this fix is merged and released soon 🙏
# Conflicts:
#	t/fips/openid-connect.t
hi @shreemaan-abhishek
brmejia
left a comment
This is exactly what I was looking for. I've tested this config on my local environment, and it works as expected.
client_id: "$env://APISIX_OIDC_CLIENT_ID"
client_secret: "$env://APISIX_OIDC_CLIENT_SECRET"
discovery: $env://APISIX_OIDC_DISCOVERY_URL
I hope this will be merged soon
Are there any updates on this? At the moment we have to keep a secret in our repo because of the bug that this PR is fixing, and we need to move it to environment variables. So it would be awesome if we could have this fixed in a patch soon
We need another good Samaritan to approve this change, then this PR will have three approvals and be merged
Could any of you help approve this PR at your convenience? It has been pending here for a long time and only needs the last approver
hi @kayx23 @membphis @Revolyssup Could any of you help?
I have left a comment: https://github.com/apache/apisix/pull/11451/files#r1896868940
merged
membphis
left a comment
LGTM
@nic-6443 @bzp2010 @Revolyssup @AlinsRan pls review this PR.
It seems it can be merged now. Does someone need to help click the "merge" button, or do we need to wait for all those members to approve it, after which it will be merged automatically?
bzp2010
left a comment
only a minor issue
apisix/plugins/openid-connect.lua
Outdated
| function _M.rewrite(plugin_conf, ctx) | ||
| local conf = core.table.clone(plugin_conf) | ||
| local conf = fetch_secrets(plugin_conf, true, plugin_conf, "") |
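Review bot: the replaced `local conf = core.table.clone(plugin_conf)` was the only explicit copy in `_M.rewrite`, so after this change `conf` aliases the cached route configuration unless fetch_secrets happens to return a copy, and every later write to `conf` in this function then mutates shared state that outlives the request. Keep the clone and hand the copy to the secret resolver, i.e. `local conf = core.table.clone(plugin_conf)` followed by the fetch_secrets call with `conf` as its first argument, so correctness does not rest on an undocumented property of a helper that may change.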
Please still clone the table.
While it is true that fetch_secrets does imply this fact, it cannot be inferred from the name and is not a feature of any mandatory guarantee.
As soon as someone modifies fetch_secrets in the future and doesn't clone there anymore, something will go wrong with your code.
Therefore, it's best to explicitly copy this table here anyway to ensure that, no matter how much external conditions change, the logic of this plugin doesn't break.
Please still clone the table. While it is true that fetch_secrets does imply this fact, it cannot be inferred from the name and is not a feature of any mandatory guarantee. As soon as someone modifies fetch_secrets in the future and doesn't clone there anymore, something will go wrong with your code. Therefore, it's best to explicitly copy this table here anyway to ensure that, no matter how much external conditions change, the logic of this plugin doesn't break.
hi @Baoyuantop please advise
I previously referred to the implementation of other plugin codes:
- https://github.com/apache/apisix/blob/master/apisix/plugins/authz-keycloak.lua#L767
- https://github.com/apache/apisix/blob/master/apisix/plugins/limit-count.lua#L37
There are many other locations, so I think there is no problem with the current PR from the implementation point of view.
As soon as someone modifies fetch_secrets in the future and doesn't clone there anymore, something will go wrong with your code.
If this happens, many plugin codes will need to be adjusted. If my understanding is wrong, please correct me.
hi @Baoyuantop there are already 5 approvals, more than the 3 approvals required; could you help to merge this PR?
I previously referred to the implementation of other plugin codes:
- https://github.com/apache/apisix/blob/master/apisix/plugins/authz-keycloak.lua#L767
- https://github.com/apache/apisix/blob/master/apisix/plugins/limit-count.lua#L37
There are many other locations, so I think there is no problem with the current PR from the implementation point of view.
As soon as someone modifies fetch_secrets in the future and doesn't clone there anymore, something will go wrong with your code.
If this happens, many plugin codes will need to be adjusted. If my understanding is wrong, please correct me.
I do not agree with this conclusion.
The examples you listed are insufficient to prove this point. The reason we need to clone conf is that this plugin may temporarily and locally modify fields in conf.
Lua tables use reference passing (pointer), and modifying the conf within the plugin would have side effects on the global configuration cache, which is unacceptable.
You can check the two examples you provided; they do not involve any scenarios where the conf is modified, so there is no need to explicitly clone the conf. Whether fetch_secrets clones the conf internally has no impact on this.
Looking at the openid-connect plugin, there are modifications to conf everywhere, so it undoubtedly needs to know whether conf has been cloned. This is a necessary measure to ensure that the global cache is not polluted.
However, we cannot rely on external behavior (fetch_secrets) to guarantee this, as it violates the principle of low coupling.
I still stand by this view, and unless this is modified, I will not merge this PR.
- I do not believe that fetch_secrets implies that it will perform a clone and guarantee that this behavior will always be valid.
- Performing an explicit clone (which is only a shallow clone) is inexpensive. At the same time, it ensures that it will conform to the logic before this modification rather than relying on external conditions for assurance.
- Even if anybody does modify fetch_secrets in the future, the fact that conf is not cloned cannot be easily detected. This will lead to unexpected behavior rather than an error.
I do not have the time to track all code changes in this area, and I do not want to wait until a bad situation occurs to discover it.
If this is still a matter of controversy, then let more maintainers express their opinions.
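The config brmejia posted earlier (client_id, client_secret and discovery given as `$env://` references) and the point made in this thread about Lua tables being passed by reference can be shown together in one small script. This is an added example, not code from APISIX or from this PR: `shallow_clone`, `resolve_env_refs`, `rewrite_unsafe`, `rewrite_safe` and the `fake_env` table are assumed names standing in for the plugin's `core.table.clone`, `fetch_secrets` and `os.getenv`, and the sample values are constructed so the script runs offline under plain Lua 5.1 or LuaJIT.

```lua
-- Added example (not APISIX code): a minimal model of how a plugin should
-- resolve "$env://NAME" references into a per-request copy of its config
-- instead of mutating the cached plugin_conf shared by every request.
-- Run with: lua this_file.lua

-- Shallow copy, the same depth the thread attributes to core.table.clone:
-- only the top level is copied, nested tables are still shared.
local function shallow_clone(t)
  local copy = {}
  for k, v in pairs(t) do
    copy[k] = v
  end
  return copy
end

-- Resolve every string field of the form "$env://NAME" by reading the
-- environment (the lookup function is injectable so the demo can run
-- without real variables). Environment variables are always strings, so a
-- field the schema declares as boolean or number cannot come from here
-- without an explicit conversion; an unset variable is reported, not ignored.
local function resolve_env_refs(conf, getenv)
  getenv = getenv or os.getenv
  for k, v in pairs(conf) do
    if type(v) == "string" then
      local name = v:match("^%$env://(.+)$")
      if name then
        local value = getenv(name)
        if value == nil then
          return nil, "environment variable " .. name .. " for field " .. k .. " is not set"
        end
        conf[k] = value -- updating an existing key during pairs() is allowed in Lua
      end
    end
  end
  return conf
end

-- WRONG: resolves in place. After the first request the cache holds the
-- plaintext secret and the "$env://" indirection is gone for good, and any
-- per-request tweak (here: appending a scope) leaks into every later request.
local function rewrite_unsafe(plugin_conf, getenv)
  local conf = assert(resolve_env_refs(plugin_conf, getenv))
  conf.scope = conf.scope .. " profile"
  return conf
end

-- RIGHT: clone first, then resolve and mutate only the clone.
local function rewrite_safe(plugin_conf, getenv)
  local conf = shallow_clone(plugin_conf)
  conf = assert(resolve_env_refs(conf, getenv))
  conf.scope = conf.scope .. " profile"
  return conf
end

-- Constructed sample: the cached route config as brmejia's snippet would
-- leave it, plus a plain scope field the plugin adjusts per request.
local cached_plugin_conf = {
  client_id     = "$env://APISIX_OIDC_CLIENT_ID",
  client_secret = "$env://APISIX_OIDC_CLIENT_SECRET",
  discovery     = "$env://APISIX_OIDC_DISCOVERY_URL",
  scope         = "openid",
}

-- Constructed stand-in for the process environment.
local fake_env = {
  APISIX_OIDC_CLIENT_ID     = "apisix-client",
  APISIX_OIDC_CLIENT_SECRET = "s3cr3t-value",
  APISIX_OIDC_DISCOVERY_URL = "https://idp.example/.well-known/openid-configuration",
}
local function fake_getenv(name) return fake_env[name] end

local safe = rewrite_safe(cached_plugin_conf, fake_getenv)
assert(safe.client_secret == "s3cr3t-value")
assert(safe.scope == "openid profile")
-- The cache is untouched: the reference and the original scope survive.
assert(cached_plugin_conf.client_secret == "$env://APISIX_OIDC_CLIENT_SECRET")
assert(cached_plugin_conf.scope == "openid")

local unsafe = rewrite_unsafe(cached_plugin_conf, fake_getenv)
assert(unsafe.scope == "openid profile")
-- Same answer for this one request, but the shared cache is now polluted:
assert(cached_plugin_conf.client_secret == "s3cr3t-value")
assert(cached_plugin_conf.scope == "openid profile")
-- A second request through the unsafe path compounds the damage.
assert(rewrite_unsafe(cached_plugin_conf, fake_getenv).scope == "openid profile profile")
print("ok: cloning keeps resolved secrets and per-request edits out of the cached plugin_conf")
```

The second half of the script is what the reviewer's concern looks like in practice: no error is raised, the first request even returns the right values, and only the next request sees the corrupted cache. That silent failure is why the copy belongs in the plugin itself rather than being assumed of the helper.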
hi @bzp2010
just added a commit to clone plugin_conf before fetch_secrets
@bzp2010 may I ask what the apisix PR merge flow is? Will more than 3 approvals merge it automatically, or does someone need to manually click the merge button, or something else?
more than 3 approvals and manually click merge button.
There is also a CI error, but it doesn't seem to be related to this PR. I've seen similar errors in other PRs.
more than 3 approvals and manually click merge button.
There is also a CI error, but it doesn't seem to be related to this PR. I've seen similar errors in other PRs.
then could you help to merge it now? 🙂
Merged, thanks for your contribution.
463c47a
Merge first, the failed CI will be fixed at #12530 (comment)

Description
feat: allow to use environment variables for openid-connect plugin
Checklist