feature: add auth v3 (#41)

bugfix:
1. fix watchdir delete not work
2. fix readdir kv.key not decode_base64

change: check if kv.value is exist

feature: add v3 auth

Author: DoubleSpout

.travis.yml

@@ -29,6 +29,10 @@ matrix:
 env:
   global:
     - OPENRESTY_PREFIX=/usr/local/openresty
+    - AUTH_ENDPOINT_V2=http://127.0.0.1:12379
+    - AUTH_ENDPOINT_V3=127.0.0.1:12379
+    - AUTH_USER=root
+    - AUTH_PWD=abc123
 
 install:
   - git clone https://github.com/openresty/test-nginx.git test-nginx
@@ -50,6 +54,10 @@ script:
   - etcd --version
   - goreman -f ./t/$GOREMAN_CONF start > goreman.log 2>&1 &
   - sleep 5
+  - chmod +x ./t/v2/add-auth.sh
+  - chmod +x ./t/v3/add-auth.sh
+  - ./t/v2/add-auth.sh
+  - ./t/v3/add-auth.sh
   - cat goreman.log
   - ps -ef | grep etcd
   - make test

lib/resty/etcd.lua

@@ -46,15 +46,19 @@ function _M.new(opts)
                                        .. ":" .. (opts.port or 2379)
     opts.ttl  = opts.ttl or -1
 
-    local ver, err = etcd_version(opts)
-    if not ver then
-        return nil, err
-    end
-
     local protocol = opts and opts.protocol or "v2"
     if protocol == "v3" then
-        local sub_ver = ver.etcdserver:sub(1, 4)
-        local etcd_prefix = prefix_v3[sub_ver] or "/v3beta"
+
+        local etcd_prefix = opts.etcd_prefix
+        -- if opts special the etcd_prefix,no need to check version
+        if not etcd_prefix then
+            local ver, err = etcd_version(opts)
+            if not ver then
+                return nil, err
+            end
+            local sub_ver = ver.etcdserver:sub(1, 4)
+            etcd_prefix = prefix_v3[sub_ver] or "/v3beta"
+        end
         opts.api_prefix = etcd_prefix .. (opts.api_prefix or "")
         return etcdv3.new(opts)
     end

lib/resty/etcd/v3.lua

@@ -6,6 +6,7 @@ local clear_tab     = require("table.clear")
 local utils         = require("resty.etcd.utils")
 local tab_nkeys     = require("table.nkeys")
 local encode_args   = ngx.encode_args
+local now           = ngx.now
 local sub_str       = string.sub
 local str_byte      = string.byte
 local str_char      = string.char
@@ -22,11 +23,13 @@ local INIT_COUNT_RESIZE = 2e8
 
 local _M = {}
 
-
 local mt = { __index = _M }
 
+-- define local refresh function variable
+local refresh_jwt_token
+
+local function _request_uri(self, method, uri, opts, timeout, ignore_auth)
 
-local function _request_uri(self, method, uri, opts, timeout)
     local body
     if opts and opts.body and tab_nkeys(opts.body) > 0 then
         body = encode_json(opts.body) --encode_args(opts.body)
@@ -36,6 +39,21 @@ local function _request_uri(self, method, uri, opts, timeout)
         uri = uri .. '?' .. encode_args(opts.query)
     end
 
+    local headers = {}
+    local keepalive = true
+    if self.is_auth then
+        if not ignore_auth then
+            -- authentication reqeust not need auth request
+            local _, err = refresh_jwt_token(self)
+            if err then
+                return nil, err
+            end
+        else
+            keepalive = false   -- jwt_token not keepalive
+        end
+        headers.Authorization = self.jwt_token
+    end
+
     local http_cli, err = utils.http.new()
     if err then
         return nil, err
@@ -51,6 +69,8 @@ local function _request_uri(self, method, uri, opts, timeout)
     res, err = http_cli:request_uri(uri, {
         method = method,
         body = body,
+        headers = headers,
+        keepalive = keepalive,
     })
 
     if err then
@@ -88,6 +108,8 @@ function _M.new(opts)
     local api_prefix = opts.api_prefix
     local key_prefix = opts.key_prefix or "/apisix"
     local http_host  = opts.http_host
+    local user = opts.user
+    local password = opts.password
 
     if not typeof.uint(timeout) then
         return nil, 'opts.timeout must be unsigned integer'
@@ -109,6 +131,14 @@ function _M.new(opts)
         return nil, 'opts.key_prefix must be string'
     end
 
+    if user and not typeof.string(user) then
+        return nil, 'opts.user must be string or ignore'
+    end
+
+    if password and not typeof.string(password) then
+        return nil, 'opts.password must be string or ignore'
+    end
+
     local endpoints = {}
     local http_hosts
     if type(http_host) == 'string' then -- signle node
@@ -118,7 +148,7 @@ function _M.new(opts)
     end
 
     for _, host in ipairs(http_hosts) do
-        local m, err = re_match(http_host, [[\/\/([\d.\w]+):(\d+)]], "jo")
+        local m, err = re_match(host, [[\/\/([\d.\w]+):(\d+)]], "jo")
         if not m then
             return nil, "invalid http host: " .. err
         end
@@ -134,10 +164,15 @@ function _M.new(opts)
     end
 
     return setmetatable({
-            timeout   = timeout,
-            ttl       = ttl,
-            is_cluster= #endpoints > 1,
-            endpoints = endpoints,
+            last_auth_time = now(), -- save last Authentication time
+            jwt_token   = nil,       -- last Authentication token
+            is_auth     = not not (user and password),
+            user       = user,
+            password   = password,
+            timeout    = timeout,
+            ttl        = ttl,
+            is_cluster = #endpoints > 1,
+            endpoints  = endpoints,
         },
         mt)
 end
@@ -159,6 +194,37 @@ local function choose_endpoint(self)
     return endpoints[pos]
 end
 
+-- return refresh_is_ok, error
+function refresh_jwt_token(self)
+    -- token exist and not expire
+    -- default is 5min, we use 3min
+    -- https://github.com/etcd-io/etcd/issues/8287
+    if self.jwt_token and now() - self.last_auth_time < 60 * 3 then
+        return true, nil
+    end
+
+    local opts = {
+        body = {
+            name         = self.user,
+            password     = self.password,
+        }
+    }
+    local res, err = _request_uri(self, 'POST',
+                        choose_endpoint(self).full_prefix .. "/auth/authenticate",
+                        opts, 5, true)    -- default authenticate timeout 5 second
+    if err then
+        return nil, err
+    end
+
+    if not res or not res.body or not res.body.token then
+        return nil, 'authenticate refresh token fail'
+    end
+
+    self.jwt_token = res.body.token
+    self.last_auth_time = now()
+
+    return true, nil
+end
 
 local function set(self, key, val, attr)
     -- verify key
@@ -317,7 +383,7 @@ local function get(self, key, attr)
                               choose_endpoint(self).full_prefix .. "/kv/range",
                               opts, attr and attr.timeout or self.timeout)
 
-    if res.status==200 then
+    if res and res.status==200 then
         if res.body.kvs and tab_nkeys(res.body.kvs)>0 then
             for _, kv in ipairs(res.body.kvs) do
                 kv.key = decode_base64(kv.key)
@@ -383,7 +449,7 @@ end
 
 
 local function request_chunk(self, method, host, port, path, opts, timeout)
-    local body, err
+    local body, err, _
     if opts and opts.body and tab_nkeys(opts.body) > 0 then
         body, err = encode_json(opts.body)
         if not body then
@@ -396,6 +462,16 @@ local function request_chunk(self, method, host, port, path, opts, timeout)
         query = encode_args(opts.query)
     end
 
+    local headers = {}
+    if self.is_auth then
+        -- authentication reqeust not need auth request
+        _, err = refresh_jwt_token(self)
+        if err then
+            return nil, err
+        end
+        headers.Authorization = self.jwt_token
+    end
+
     local http_cli
     http_cli, err = utils.http.new()
     if err then
@@ -417,10 +493,11 @@ local function request_chunk(self, method, host, port, path, opts, timeout)
 
     local res
     res, err = http_cli:request({
-        method = method,
-        path   = path,
-        body   = body,
-        query  = query,
+        method  = method,
+        path    = path,
+        body    = body,
+        query   = query,
+        headers = headers,
     })
     utils.log_info("http request method: ", method, " path: ", path,
              " body: ", body, " query: ", query)

t/v2/add-auth.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+curl -X "PUT" "${AUTH_ENDPOINT_V2}/v2/auth/users/root" -H "Content-Type: application/json; charset=utf-8" -d $"{\"user\":\"${AUTH_USER}\",\"password\":\"${AUTH_PWD}\"}"
+curl -X "PUT" "${AUTH_ENDPOINT_V2}/v2/auth/enable"
+curl -X "PUT" "${AUTH_ENDPOINT_V2}/v2/auth/roles/guest" -H "Content-Type: text/plain; charset=utf-8" -u "${AUTH_USER}:${AUTH_PWD}" -d $'{"role":"guest","revoke":{"kv":{"write": ["/*"]}}}'

t/v2/cluster.t

@@ -81,24 +81,28 @@ checked error msg as expect: Key not found
 all done
 
 
-
-=== TEST 2: cluster set + delete + get
+=== TEST 2: cluster set + delete + get + auth
 --- http_config eval: $::HttpConfig
 --- config
     location /t {
         content_by_lua_block {
             local etcd, err = require "resty.etcd" .new({
                 http_host = {
-                    "http://127.0.0.1:12379",
+                    "http://127.0.0.1:12379", 
                     "http://127.0.0.1:22379",
                     "http://127.0.0.1:32379",
-                }
+                },
+                user = 'root',
+                password = 'abc123',
             })
             check_res(etcd, err)
 
             local res, err = etcd:set("/test", {a = "abc"})
             check_res(res, err)
 
+            local res, err = etcd:get("/test")
+            check_res(res, err)
+
             ngx.sleep(1)
 
             res, err = etcd:delete("/test")
@@ -109,6 +113,18 @@ all done
             local data, err = etcd:get("/test")
             check_res(data, err, nil, "Key not found")
 
+            etcd, err = require "resty.etcd" .new({
+                http_host = {
+                    "http://127.0.0.1:12379", 
+                    "http://127.0.0.1:22379",
+                    "http://127.0.0.1:32379",
+                },
+                user = 'wrong_user_name',
+                password = 'wrong_password',
+            })
+            data, err = etcd:get("/test")
+            check_res(data, err, nil, "The request requires user authentication")
+
             ngx.say("all done")
         }
     }
@@ -118,4 +134,5 @@ GET /t
 [error]
 --- response_body
 checked error msg as expect: Key not found
+checked error msg as expect: The request requires user authentication
 all done

t/v3/add-auth.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+export ETCDCTL_API=3
+etcdctl version 
+etcdctl --endpoints="${AUTH_ENDPOINT_V3}" user add "${AUTH_USER}:${AUTH_PWD}"
+etcdctl --endpoints="${AUTH_ENDPOINT_V3}" role add root
+etcdctl --endpoints="${AUTH_ENDPOINT_V3}" user grant-role root root
+etcdctl --endpoints="${AUTH_ENDPOINT_V3}" role list
+etcdctl --endpoints="${AUTH_ENDPOINT_V3}" user list
+etcdctl --endpoints="${AUTH_ENDPOINT_V3}" auth enable