Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add secret support for http proxy endpoint #10222

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

feat: add secret support for http proxy endpoint #10222

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions gravitee-apim-definition/gravitee-apim-definition-model/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,10 @@
<groupId>io.gravitee.node</groupId>
<artifactId>gravitee-node-vertx</artifactId>
</dependency>
<dependency>
<groupId>io.gravitee.secret</groupId>
<artifactId>gravitee-secret-api</artifactId>
</dependency>
</dependencies>

<build>
Expand Down
7 changes: 7 additions & 0 deletions ...m-definition-model/src/main/java/io/gravitee/definition/model/v4/ssl/jks/JKSKeyStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@

import io.gravitee.definition.model.v4.ssl.KeyStore;
import io.gravitee.definition.model.v4.ssl.KeyStoreType;
import io.gravitee.secrets.api.annotation.Secret;
import io.gravitee.secrets.api.el.FieldKind;
import java.io.Serial;
import lombok.Builder;
import lombok.Getter;
Expand All @@ -36,8 +38,13 @@ public class JKSKeyStore extends KeyStore {

private String path;
private String content;

@Secret(FieldKind.PASSWORD)
private String password;

private String alias;

@Secret(FieldKind.PASSWORD)
private String keyPassword;

public JKSKeyStore() {
Expand Down
5 changes: 5 additions & 0 deletions ...definition-model/src/main/java/io/gravitee/definition/model/v4/ssl/jks/JKSTrustStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@

import io.gravitee.definition.model.v4.ssl.TrustStore;
import io.gravitee.definition.model.v4.ssl.TrustStoreType;
import io.gravitee.secrets.api.annotation.Secret;
import io.gravitee.secrets.api.el.FieldKind;
import java.io.Serial;
import lombok.Builder;
import lombok.Getter;
Expand All @@ -36,7 +38,10 @@ public class JKSTrustStore extends TrustStore {

private String path;
private String content;

@Secret(FieldKind.PASSWORD)
private String password;

private String alias;

public JKSTrustStore() {
Expand Down
5 changes: 5 additions & 0 deletions ...m-definition-model/src/main/java/io/gravitee/definition/model/v4/ssl/pem/PEMKeyStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@

import io.gravitee.definition.model.v4.ssl.KeyStore;
import io.gravitee.definition.model.v4.ssl.KeyStoreType;
import io.gravitee.secrets.api.annotation.Secret;
import io.gravitee.secrets.api.el.FieldKind;
import java.io.Serial;
import lombok.Builder;
import lombok.Getter;
Expand All @@ -35,7 +37,10 @@ public class PEMKeyStore extends KeyStore {
private static final long serialVersionUID = 1051430527272519608L;

private String keyPath;

@Secret(FieldKind.PRIVATE_KEY)
private String keyContent;

private String certPath;
private String certContent;

Expand Down
5 changes: 5 additions & 0 deletions ...nition-model/src/main/java/io/gravitee/definition/model/v4/ssl/pkcs12/PKCS12KeyStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@

import io.gravitee.definition.model.v4.ssl.KeyStore;
import io.gravitee.definition.model.v4.ssl.KeyStoreType;
import io.gravitee.secrets.api.annotation.Secret;
import io.gravitee.secrets.api.el.FieldKind;
import java.io.Serial;
import lombok.Builder;
import lombok.Getter;
Expand All @@ -36,7 +38,10 @@ public class PKCS12KeyStore extends KeyStore {

private String path;
private String content;

@Secret(FieldKind.PASSWORD)
private String password;

private String alias;

/**
Expand Down
5 changes: 5 additions & 0 deletions ...tion-model/src/main/java/io/gravitee/definition/model/v4/ssl/pkcs12/PKCS12TrustStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@

import io.gravitee.definition.model.v4.ssl.TrustStore;
import io.gravitee.definition.model.v4.ssl.TrustStoreType;
import io.gravitee.secrets.api.annotation.Secret;
import io.gravitee.secrets.api.el.FieldKind;
import java.io.Serial;
import lombok.Builder;
import lombok.Getter;
Expand All @@ -36,7 +38,10 @@ public class PKCS12TrustStore extends TrustStore {

private String path;
private String content;

@Secret(FieldKind.PASSWORD)
private String password;

private String alias;

public PKCS12TrustStore() {
Expand Down
180 changes: 180 additions & 0 deletions ...c/test/java/io/gravitee/apim/integration/tests/http/secrets/SecretsV4IntegrationTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,180 @@
/*
* Copyright © 2015 The Gravitee team (http://gravitee.io)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package io.gravitee.apim.integration.tests.http.secrets;

import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
import static com.github.tomakehurst.wiremock.client.WireMock.get;
import static com.github.tomakehurst.wiremock.client.WireMock.getRequestedFor;
import static com.github.tomakehurst.wiremock.client.WireMock.ok;
import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
import static org.assertj.core.api.Assertions.assertThat;

import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import com.graviteesource.entrypoint.http.get.HttpGetEntrypointConnectorFactory;
import com.graviteesource.secretprovider.hcvault.HCVaultSecretProvider;
import com.graviteesource.secretprovider.hcvault.HCVaultSecretProviderFactory;
import com.graviteesource.secretprovider.hcvault.config.manager.VaultConfig;
import com.graviteesource.service.secrets.SecretsService;
import io.gravitee.apim.gateway.tests.sdk.AbstractGatewayTest;
import io.gravitee.apim.gateway.tests.sdk.annotations.DeployApi;
import io.gravitee.apim.gateway.tests.sdk.annotations.GatewayTest;
import io.gravitee.apim.gateway.tests.sdk.configuration.GatewayConfigurationBuilder;
import io.gravitee.apim.gateway.tests.sdk.connector.EndpointBuilder;
import io.gravitee.apim.gateway.tests.sdk.connector.EntrypointBuilder;
import io.gravitee.apim.gateway.tests.sdk.secrets.SecretProviderBuilder;
import io.gravitee.apim.gateway.tests.sdk.utils.ResourceUtils;
import io.gravitee.common.service.AbstractService;
import io.gravitee.definition.model.v4.Api;
import io.gravitee.definition.model.v4.endpointgroup.Endpoint;
import io.gravitee.gateway.reactor.ReactableApi;
import io.gravitee.node.secrets.plugins.SecretProviderPlugin;
import io.gravitee.plugin.endpoint.EndpointConnectorPlugin;
import io.gravitee.plugin.endpoint.http.proxy.HttpProxyEndpointConnectorFactory;
import io.gravitee.plugin.entrypoint.EntrypointConnectorPlugin;
import io.gravitee.plugin.entrypoint.http.proxy.HttpProxyEntrypointConnectorFactory;
import io.gravitee.secrets.api.plugin.SecretManagerConfiguration;
import io.gravitee.secrets.api.plugin.SecretProviderFactory;
import io.vertx.core.http.HttpMethod;
import io.vertx.rxjava3.core.Vertx;
import io.vertx.rxjava3.core.http.HttpClient;
import io.vertx.rxjava3.core.http.HttpClientRequest;
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Test;
import org.testcontainers.containers.Container;
import org.testcontainers.junit.jupiter.Testcontainers;
import org.testcontainers.vault.VaultContainer;

/**
* @author Remi Baptiste (remi.baptiste at graviteesource.com)
* @author GraviteeSource Team
*/
@Testcontainers
@GatewayTest
public class SecretsV4IntegrationTest extends AbstractGatewayTest {

private static final String VAULT_TOKEN = UUID.randomUUID().toString();

@org.testcontainers.junit.jupiter.Container
protected static final VaultContainer vaultContainer = new VaultContainer<>("hashicorp/vault:1.13.3")
.withVaultToken(VAULT_TOKEN)
.withInitCommand(
"kv put secret/test private-key='-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCMOMvaM1XZzR1H\nPp127syCvuxnljnxsMLCvfM+8QsdyeuYVURei3z502zxWVTwNbxUbTxOkgIuNYRT\nyypEMpYajSEv0sMt4d7KBchE0eeQlcMDQ2J6kzfVjHyxLMMu8JscBQ5KGvF1vW3Q\np16w6C6JebF21Y0LumL9cMEToN6OrDKx9BrUkbTXHfSf+5rvkrnGfIPMulNJS2On\nl4zmT0bHs8a/zSIGmcwNIG243LmXTFu67TKbknJahICrRz0uZ8h1HMFbe7yY12s0\nd0xGJDJcPIBcdWHhB8z6iduTxCYZ2vY3EdFcC2RMO99zJPlWeDGY4lTM8TRFEAvE\nj4a21CltAgMBAAECggEADu4VNnx0zaX7UhSmq30tpVYy0ay7KrLJafbTqYX8ywUu\n4p9hkjeD7Q3H8cKzOoheLxcabrs5JDZqiol9TJmeReF1ASSNx5rfH9+RvVIkN87a\nXsST/b0jGsfElxDPD3Zq7YbUSKupvgGXaboIaQmvus+MR7zhMbh8xcN1q2NbjxE6\nCLXV+uu8kVPLsUbGFGK53vK7+MHnEKJIbjHR+LRNMxZRzoX7h57UO6uoXwWes2Kr\nopMzIJdv2ZRvXS62NNCTK9BoPb4OreXSoEJZkXS26ispOLLnM36D4UpNeDl6hITN\noCSHKiRGFqY5QOir/MP8uqNmGEtprMDmUQt/K5Z8OQKBgQDVvEi7SmHFJLNSsY2l\nvvxlwIa9rr0d/TFtTXcGMUdLYg7rQtaZ3e0geJv4wU58KahmpgYqpX4s0/Gc4L37\nyG1kCtPUjHvxxauLRr0OcXz35pTqlGhVGyls9onCxM/nDpoiYDvueuse69rVVGDE\nTKg2pxqS0Rxh7FARKY1RpJprjwKBgQCn8xsrRSc5QGF/L7b87MK1sf+lQ7Updubt\nv/XRFq5lhHp888MrIsqcqsDqRChoY2Qoi0vuNv52pgpha6lXkxL5Djd1ypX457KR\ntaJmx7qoolYW7INU4mvcryyIiW9ELiFrGb8XrwhXwmUBWOGGEDJkgYOj6W7Co38T\n2RbkBvBNQwKBgGTniv7A0v+bn/0+Tb0eOVJgXjxWrnnl+tu7YqHNyfbQyHJRD7d8\nimJ2DkyWFlOP5yzu3KJtlu/a74o8n/SqXtqIMhF6cVlnFOGf98lF0tXGSi+k+MyV\nEi2bBtaoy+4tep8YB7NC3JWwi5ODTlveRNvocCc4CcpBIlu33jvZFf4JAoGATJ0R\nn8OECRHdZ++UQfyfNdNlEza3xZp/7aTLtf3qwFSWq7lnJp5QXvdl2XgOFtCAOB6T\nHK/plKZZxece8Nweo45grlMj5s+LHf0FgG1MMPEc5IgvwOEo4xrl7cMEBs4kYH72\nNQ+bdq0u9lZdSpLI6iBKtNMfu5pptdwqHQstQ5ECgYBQ+XWJHuKLadcMAoAdG+gW\n5KxlSlin7PqgmzobXggp2aUGVLHs4pvIGA+7Sf/kAPfJ6bimv4dIODqEe8TZnmWp\n4ZG0jYjFXVnbwbh+hU5EF03ntO9WYqL6rYU3zujz/ZuKBEByIFowTX9uaVKEgML6\n5oHAF4Sb7zxa2jSEehGQ5Q==\n-----END PRIVATE KEY-----'"
);

private static String token;

private final int backendPort = getAvailablePort();

@Override
protected void configureWireMock(WireMockConfiguration configuration) {
configuration
.httpsPort(backendPort)
.needClientAuth(true)
.keystorePath(ResourceUtils.toPath("certs/keystore01.jks"))
.keystorePassword("password")
.trustStorePath(ResourceUtils.toPath("certs/truststore01.jks"))
.trustStorePassword("password");
}

@Override
public void configureEntrypoints(Map<String, EntrypointConnectorPlugin<?, ?>> entrypoints) {
entrypoints.putIfAbsent("http-proxy", EntrypointBuilder.build("http-proxy", HttpProxyEntrypointConnectorFactory.class));
}

@Override
public void configureEndpoints(Map<String, EndpointConnectorPlugin<?, ?>> endpoints) {
endpoints.putIfAbsent("http-proxy", EndpointBuilder.build("http-proxy", HttpProxyEndpointConnectorFactory.class));
}

@Override
public void configureGateway(GatewayConfigurationBuilder configurationBuilder) {
super.configureGateway(configurationBuilder);

// create a renewable token so the plugin does not start panicking
Container.ExecResult execResult = null;
try {
execResult = vaultContainer.execInContainer("vault", "token", "create", "-period=10m", "-field", "token");
} catch (IOException e) {
throw new RuntimeException(e);
} catch (InterruptedException e) {
throw new RuntimeException(e);
}
token = execResult.getStdout();

configurationBuilder.setYamlProperty("api.secrets.providers[0].plugin", "vault");
configurationBuilder.setYamlProperty("api.secrets.providers[0].configuration.enabled", true);
configurationBuilder.setYamlProperty("api.secrets.providers[0].configuration.host", vaultContainer.getHost());
configurationBuilder.setYamlProperty("api.secrets.providers[0].configuration.port", vaultContainer.getMappedPort(8200));
configurationBuilder.setYamlProperty("api.secrets.providers[0].configuration.ssl.enabled", "false");
configurationBuilder.setYamlProperty("api.secrets.providers[0].configuration.auth.method", "token");
configurationBuilder.setYamlProperty("api.secrets.providers[0].configuration.auth.config.token", token);
}

@Override
public void configureSecretProviders(
Set<SecretProviderPlugin<? extends SecretProviderFactory<?>, ? extends SecretManagerConfiguration>> secretProviderPlugins
) {
secretProviderPlugins.add(
SecretProviderBuilder.build(HCVaultSecretProvider.PLUGIN_ID, HCVaultSecretProviderFactory.class, VaultConfig.class)
);
}

@Override
public void configureServices(Set<Class<? extends AbstractService<?>>> services) {
super.configureServices(services);
services.add(SecretsService.class);
}

@AfterAll
static void cleanup() {
vaultContainer.close();
}

@Override
public void configureApi(ReactableApi<?> reactableApi, Class<?> definitionClass) {
if (!isV4Api(definitionClass)) {
throw new AssertionError("TCP api should only be v4 api");
}
final Api apiDefinition = (Api) reactableApi.getDefinition();

updateEndpointsPort(apiDefinition, backendPort);
}

@Test
@DeployApi({ "/apis/v4/http/secrets/api-secured-jks-password-secret-static-ref.json" })
void should_retrieve_password_from_secret_provider(HttpClient httpClient, Vertx vertx) {
wiremock.stubFor(get("/endpoint").willReturn(ok("response from backend")));

httpClient
.rxRequest(HttpMethod.GET, "/test")
.flatMap(HttpClientRequest::rxSend)
.flatMap(response -> {
// just asserting we get a response (hence no SSL errors), no need for an API.
assertThat(response.statusCode()).isEqualTo(200);
return response.body();
})
.test()
.awaitDone(10, TimeUnit.SECONDS)
.assertComplete();
//wiremock.verify(1, getRequestedFor(urlPathEqualTo("/endpoint")).withHeader("Authorization", equalTo("ApiKey ".concat(apiKey))));
}
}
73 changes: 73 additions & 0 deletions ...s/src/test/resources/apis/v4/http/secrets/api-secured-jks-password-secret-static-ref.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
{
"id": "static-secret-api-v4",
"name": "my-secret-api-v4",
"gravitee": "4.0.0",
"type": "proxy",
"listeners": [
{
"type": "http",
"paths": [
{
"path": "/test"
}
],
"entrypoints": [
{
"type": "http-proxy"
}
]
}
],
"endpointGroups": [
{
"name": "default-group",
"type": "http-proxy",
"endpoints": [
{
"name": "default",
"type": "http-proxy",
"weight": 1,
"inheritConfiguration": false,
"configuration": {
"target": "https://localhost:8080/endpoint"
},
"sharedConfigurationOverride": {
"http": {
"connectTimeout": 3000,
"readTimeout": 60000
},
"ssl": {
"trustAll": false,
"keyStore": {
"type": "PEM",
"certContent": "-----BEGIN CERTIFICATE-----\nMIICxzCCAa+gAwIBAgIEPvlKwjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwls\nb2NhbGhvc3QwHhcNMTgxMDA5MTU0MTAyWhcNMTkxMDA0MTU0MTAyWjAUMRIwEAYD\nVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCM\nOMvaM1XZzR1HPp127syCvuxnljnxsMLCvfM+8QsdyeuYVURei3z502zxWVTwNbxU\nbTxOkgIuNYRTyypEMpYajSEv0sMt4d7KBchE0eeQlcMDQ2J6kzfVjHyxLMMu8Jsc\nBQ5KGvF1vW3Qp16w6C6JebF21Y0LumL9cMEToN6OrDKx9BrUkbTXHfSf+5rvkrnG\nfIPMulNJS2Onl4zmT0bHs8a/zSIGmcwNIG243LmXTFu67TKbknJahICrRz0uZ8h1\nHMFbe7yY12s0d0xGJDJcPIBcdWHhB8z6iduTxCYZ2vY3EdFcC2RMO99zJPlWeDGY\n4lTM8TRFEAvEj4a21CltAgMBAAGjITAfMB0GA1UdDgQWBBQmmZF9umT5DGh4RgYX\nBQhzb6EkQTANBgkqhkiG9w0BAQsFAAOCAQEAW1QaHW4iYjUtjQik+nWD3Xktbm50\ns9PeAYSCp9an757dvzfO/vwJZE+1+grmsS0l/jxh8L0qsdjM5Qt4VmjK5CbikE2v\ne4Vt4o40tQOz8A7fNVVp5S33njgNbp1UMhnrFsHVZ6Aa8HHxisjliluVK1/YPl80\nKRs57GL4SyvELzmWhh7egndxdGYR9nbAbg1RQ+kJClqSS0BL5oQ4Xn4AGmU5839/\nZ1+N5qgNq2/BYOi6FsltL91US0FOLNxDBYqjwShGOJ1V6Lvh27YmSHViscph6GeZ\nkZ2xybRANymp0DSVER5J+D2RuJNtzp/zl//BJ3b19tpVpDTQ1ndzcSGPLg==\n-----END CERTIFICATE-----",
"keyContent": "{#secrets.get('/vault/secret/test:private-key')}"
},
"trustStore": {
"type": "PEM",
"content": "-----BEGIN CERTIFICATE-----\nMIICxzCCAa+gAwIBAgIEPvlKwjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDEwls\nb2NhbGhvc3QwHhcNMTgxMDA5MTU0MTAyWhcNMTkxMDA0MTU0MTAyWjAUMRIwEAYD\nVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCM\nOMvaM1XZzR1HPp127syCvuxnljnxsMLCvfM+8QsdyeuYVURei3z502zxWVTwNbxU\nbTxOkgIuNYRTyypEMpYajSEv0sMt4d7KBchE0eeQlcMDQ2J6kzfVjHyxLMMu8Jsc\nBQ5KGvF1vW3Qp16w6C6JebF21Y0LumL9cMEToN6OrDKx9BrUkbTXHfSf+5rvkrnG\nfIPMulNJS2Onl4zmT0bHs8a/zSIGmcwNIG243LmXTFu67TKbknJahICrRz0uZ8h1\nHMFbe7yY12s0d0xGJDJcPIBcdWHhB8z6iduTxCYZ2vY3EdFcC2RMO99zJPlWeDGY\n4lTM8TRFEAvEj4a21CltAgMBAAGjITAfMB0GA1UdDgQWBBQmmZF9umT5DGh4RgYX\nBQhzb6EkQTANBgkqhkiG9w0BAQsFAAOCAQEAW1QaHW4iYjUtjQik+nWD3Xktbm50\ns9PeAYSCp9an757dvzfO/vwJZE+1+grmsS0l/jxh8L0qsdjM5Qt4VmjK5CbikE2v\ne4Vt4o40tQOz8A7fNVVp5S33njgNbp1UMhnrFsHVZ6Aa8HHxisjliluVK1/YPl80\nKRs57GL4SyvELzmWhh7egndxdGYR9nbAbg1RQ+kJClqSS0BL5oQ4Xn4AGmU5839/\nZ1+N5qgNq2/BYOi6FsltL91US0FOLNxDBYqjwShGOJ1V6Lvh27YmSHViscph6GeZ\nkZ2xybRANymp0DSVER5J+D2RuJNtzp/zl//BJ3b19tpVpDTQ1ndzcSGPLg==\n-----END CERTIFICATE-----"
}
}
}
}
]
}
],
"flows": [
{
"name": "flow-1",
"enabled": true,
"selectors": [
{
"type": "http",
"path": "/",
"pathOperator": "START_WITH",
"methods": ["GET"]
}
]
}
],
"analytics": {
"enabled": false
}
}
Loading