This is an automated email from the ASF dual-hosted git repository.
monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 225e18f38 feat: add jwe decrypt plugin (#10252)
225e18f38 is described below
commit 225e18f389a7593f356599999e41f77418e7732c
Author: fish <[email protected]>
AuthorDate: Mon Dec 4 17:56:16 2023 +0800
feat: add jwe decrypt plugin (#10252)
---
apisix/plugins/jwe-decrypt.lua | 250 ++++++++++++++++++
conf/config-default.yaml | 1 +
docs/en/latest/config.json | 1 +
docs/en/latest/plugins/jwe-decrypt.md | 183 +++++++++++++
t/admin/plugins.t | 3 +-
t/plugin/jwe-decrypt.t | 473 ++++++++++++++++++++++++++++++++++
6 files changed, 910 insertions(+), 1 deletion(-)
diff --git a/apisix/plugins/jwe-decrypt.lua b/apisix/plugins/jwe-decrypt.lua
new file mode 100644
index 000000000..8f7c68380
--- /dev/null
+++ b/apisix/plugins/jwe-decrypt.lua
@@ -0,0 +1,250 @@
+--
+-- Licensed to the Apache Software Foundation (ASF) under one or more
+-- contributor license agreements. See the NOTICE file distributed with
+-- this work for additional information regarding copyright ownership.
+-- The ASF licenses this file to You under the Apache License, Version 2.0
+-- (the "License"); you may not use this file except in compliance with
+-- the License. You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+local core = require("apisix.core")
+local consumer_mod = require("apisix.consumer")
+local base64 = require("ngx.base64")
+local aes = require("resty.aes")
+local ngx = ngx
+local sub_str = string.sub
+local cipher = aes.cipher(256, "gcm")
+
+local plugin_name = "jwe-decrypt"
+
+local schema = {
+ type = "object",
+ properties = {
+ header = {
+ type = "string",
+ default = "Authorization"
+ },
+ forward_header = {
+ type = "string",
+ default = "Authorization"
+ },
+ strict = {
+ type = "boolean",
+ default = true
+ }
+ },
+ required = { "header", "forward_header" },
+}
+
+local consumer_schema = {
+ type = "object",
+ properties = {
+ key = { type = "string" },
+ secret = { type = "string", minLength = 32 },
+ is_base64_encoded = { type = "boolean" },
+ },
+ required = { "key", "secret" },
+}
+
+
+local _M = {
+ version = 0.1,
+ priority = 2509,
+ type = 'auth',
+ name = plugin_name,
+ schema = schema,
+ consumer_schema = consumer_schema
+}
+
+
+function _M.check_schema(conf, schema_type)
+ if schema_type == core.schema.TYPE_CONSUMER then
+ return core.schema.check(consumer_schema, conf)
+ end
+ return core.schema.check(schema, conf)
+end
+
+
+local function get_secret(conf)
+ local secret = conf.secret
+
+ if conf.is_base64_encoded then
+ return base64.decode_base64url(secret)
+ end
+
+ return secret
+end
+
+
+local function load_jwe_token(jwe_token)
+ local o = { valid = false }
+ o.header, o.enckey, o.iv, o.ciphertext, o.tag =
jwe_token:match("(.-)%.(.-)%.(.-)%.(.-)%.(.*)")
+ if not o.header then
+ return o
+ end
+ local he = base64.decode_base64url(o.header)
+ if not he then
+ return o
+ end
+ o.header_obj = core.json.decode(he)
+ if not o.header_obj then
+ return o
+ end
+ o.valid = true
+ return o
+end
+
+
+local function jwe_decrypt_with_obj(o, consumer)
+ local secret = get_secret(consumer.auth_conf)
+ local dec = base64.decode_base64url
+
+ local aes_default = aes:new(
+ secret,
+ nil,
+ cipher,
+ {iv = o.iv}
+ )
+
+ local decrypted = aes_default:decrypt(dec(o.ciphertext), dec(o.tag))
+ return decrypted
+end
+
+
+local function jwe_encrypt(o, consumer)
+ local secret = get_secret(consumer.auth_conf)
+ local enc = base64.encode_base64url
+
+ local aes_default = aes:new(
+ secret,
+ nil,
+ cipher,
+ {iv = o.iv})
+
+ local encrypted = aes_default:encrypt(o.plaintext)
+
+ o.ciphertext = encrypted[1]
+ o.tag = encrypted[2]
+ return o.header .. ".." .. enc(o.iv) .. "." .. enc(o.ciphertext) .. "." ..
enc(o.tag)
+end
+
+
+local function get_consumer(key)
+ local consumer_conf = consumer_mod.plugin(plugin_name)
+ if not consumer_conf then
+ return nil
+ end
+ local consumers = consumer_mod.consumers_kv(plugin_name, consumer_conf,
"key")
+ if not consumers then
+ return nil
+ end
+ core.log.info("consumers: ", core.json.delay_encode(consumers))
+ return consumers[key]
+end
+
+
+local function fetch_jwe_token(conf, ctx)
+ local token = core.request.header(ctx, conf.header)
+ if token then
+ local prefix = sub_str(token, 1, 7)
+ if prefix == 'Bearer ' or prefix == 'bearer ' then
+ return sub_str(token, 8)
+ end
+
+ return token
+ end
+end
+
+
+function _M.rewrite(conf, ctx)
+ -- fetch token and hide credentials if necessary
+ local jwe_token, err = fetch_jwe_token(conf, ctx)
+ if not jwe_token and conf.strict then
+ core.log.info("failed to fetch JWE token: ", err)
+ return 403, { message = "missing JWE token in request" }
+ end
+
+ local jwe_obj = load_jwe_token(jwe_token)
+ if not jwe_obj.valid then
+ return 400, { message = "JWE token invalid" }
+ end
+
+ if not jwe_obj.header_obj.kid then
+ return 400, { message = "missing kid in JWE token" }
+ end
+
+ local consumer = get_consumer(jwe_obj.header_obj.kid)
+ if not consumer then
+ return 400, { message = "invalid kid in JWE token" }
+ end
+
+ local plaintext, err = jwe_decrypt_with_obj(jwe_obj, consumer)
+ if err ~= nil then
+ return 400, { message = "failed to decrypt JWE token" }
+ end
+ core.request.set_header(ctx, conf.forward_header, plaintext)
+end
+
+
+local function gen_token()
+ local args = core.request.get_uri_args()
+ if not args or not args.key then
+ return core.response.exit(400)
+ end
+
+ local key = args.key
+ local payload = args.payload
+ if payload then
+ payload = ngx.unescape_uri(payload)
+ end
+
+ local consumer = get_consumer(key)
+ if not consumer then
+ return core.response.exit(404)
+ end
+
+ core.log.info("consumer: ", core.json.delay_encode(consumer))
+
+ local iv = args.iv
+ if not iv then
+ -- TODO: random bytes
+ iv = "123456789012"
+ end
+
+ local obj = {
+ iv = iv,
+ plaintext = payload,
+ header_obj = {
+ kid = key,
+ alg = "dir",
+ enc = "A256GCM",
+ },
+ }
+ obj.header = base64.encode_base64url(core.json.encode(obj.header_obj))
+ local jwe_token = jwe_encrypt(obj, consumer)
+ if jwe_token then
+ return core.response.exit(200, jwe_token)
+ end
+
+ return core.response.exit(404)
+end
+
+
+function _M.api()
+ return {
+ {
+ methods = { "GET" },
+ uri = "/apisix/plugin/jwe/encrypt",
+ handler = gen_token,
+ }
+ }
+end
+
+return _M
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index 8717d1398..677f08272 100755
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -467,6 +467,7 @@ plugins: # plugin list (sorted by
priority)
- hmac-auth # priority: 2530
- basic-auth # priority: 2520
- jwt-auth # priority: 2510
+ - jwe-decrypt # priority: 2509
- key-auth # priority: 2500
- consumer-restriction # priority: 2400
- forward-auth # priority: 2002
diff --git a/docs/en/latest/config.json b/docs/en/latest/config.json
index 3482517bd..2eea87849 100644
--- a/docs/en/latest/config.json
+++ b/docs/en/latest/config.json
@@ -101,6 +101,7 @@
"items": [
"plugins/key-auth",
"plugins/jwt-auth",
+ "plugins/jwe-decrypt",
"plugins/basic-auth",
"plugins/authz-keycloak",
"plugins/authz-casdoor",
diff --git a/docs/en/latest/plugins/jwe-decrypt.md
b/docs/en/latest/plugins/jwe-decrypt.md
new file mode 100644
index 000000000..d255e1f03
--- /dev/null
+++ b/docs/en/latest/plugins/jwe-decrypt.md
@@ -0,0 +1,183 @@
+---
+title: jwe-decrypt
+keywords:
+ - Apache APISIX
+ - API Gateway
+ - Plugin
+ - JWE Decrypt
+ - jwe-decrypt
+description: This document contains information about the Apache APISIX
jwe-decrypt Plugin.
+---
+
+<!--
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+-->
+
+## Description
+
+The `jwe-decrypt` Plugin is used to decrypt
[JWE](https://datatracker.ietf.org/doc/html/rfc7516) authorization headers in
requests to an APISIX [Service](../terminology/service.md) or
[Route](../terminology/route.md).
+
+This Plugin adds an endpoint `/apisix/plugin/jwe/encrypt` for JWE encryption.
For decryption, the key should be configured in
[Consumer](../terminology/consumer.md).
+
+## Attributes
+
+For Consumer:
+
+| Name | Type | Required
| Default | Valid values | Description
|
+|---------------|---------|-------------------------------------------------------|---------|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| key | string | True
| | | Unique key for a Consumer.
|
+| secret | string | True
| | | The decryption key. The key could
be saved in a secret manager using the [Secret](../terminology/secret.md)
resource. |
+| is_base64_encoded | boolean | False
| false | | Set to true if the secret is
base64 encoded.
|
+
+For Route:
+
+| Name | Type | Required | Default | Description
|
+|--------|--------|----------|---------------|---------------------------------------------------------------------|
+| header | string | False | authorization | The header to get the token
from. |
+| forward_header | string | False | authorization | Set the header name
that passes the plaintext to the Upstream. |
+| strict | boolean | False | true | If true, throw a 403 error if JWE
token is missing from the request. If false, do not throw an error if JWE token
cannot be found. |
+
+## Example usage
+
+First, create a Consumer with `jwe-decrypt` and configure the decryption key:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/consumers -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "username": "jack",
+ "plugins": {
+ "jwe-decrypt": {
+ "key": "user-key",
+ "secret": "key-length-must-be-at-least-32-bytes"
+ }
+ }
+}'
+```
+
+Next, create a Route with `jwe-decrypt` enabled to decrypt the authorization
header:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "methods": ["GET"],
+ "uri": "/anything*",
+ "plugins": {
+ "jwe-decrypt": {}
+ },
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "httpbin.org:80": 1
+ }
+ }
+}'
+```
+
+### Encrypt Data with JWE
+
+The Plugin creates an internal endpoint `/apisix/plugin/jwe/encrypt` to
encrypt data with JWE. To expose it publicly, create a Route with the
[public-api](public-api.md) Plugin:
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/routes/jwenew -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "uri": "/apisix/plugin/jwe/encrypt",
+ "plugins": {
+ "public-api": {}
+ }
+}'
+```
+
+Send a request to the endpoint passing the key configured in Consumer to the
URI parameter to encrypt some sample data in the payload:
+
+```shell
+curl -G --data-urlencode 'payload={"uid":10000,"uname":"test"}'
'http://127.0.0.1:9080/apisix/plugin/jwe/encrypt?key=user-key' -i
+```
+
+You should see a response similar to the following, with the JWE encrypted
data in the response body:
+
+```
+HTTP/1.1 200 OK
+Date: Mon, 25 Sep 2023 02:38:16 GMT
+Content-Type: text/plain; charset=utf-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+Server: APISIX/3.5.0
+Apisix-Plugins: public-api
+
+eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy.hfzMJ0YfmbMcJ0ojgv4PYAHxPjlgMivmv35MiA.7nilnBt2dxLR_O6kf-HQUA
+```
+
+### Decrypt Data with JWE
+
+Send a request to the route with the JWE encrypted data in the `Authorization`
header:
+
+```shell
+curl http://127.0.0.1:9080/anything/hello -H 'Authorization:
eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy.hfzMJ0YfmbMcJ0ojgv4PYAHxPjlgMivmv35MiA.7nilnBt2dxLR_O6kf-HQUA'
-i
+```
+
+You should see a response similar to the following, where the `Authorization`
header shows the plaintext of the payload:
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/json
+Content-Length: 452
+Connection: keep-alive
+Date: Mon, 25 Sep 2023 02:38:59 GMT
+Access-Control-Allow-Origin: *
+Access-Control-Allow-Credentials: true
+Server: APISIX/3.5.0
+Apisix-Plugins: jwe-decrypt
+
+{
+ "args": {},
+ "data": "",
+ "files": {},
+ "form": {},
+ "headers": {
+ "Accept": "*/*",
+ "Authorization": "{\"uid\":10000,\"uname\":\"test\"}",
+ "Host": "127.0.0.1",
+ "User-Agent": "curl/8.1.2",
+ "X-Amzn-Trace-Id": "Root=1-6510f2c3-1586ec011a22b5094dbe1896",
+ "X-Forwarded-Host": "127.0.0.1"
+ },
+ "json": null,
+ "method": "GET",
+ "origin": "127.0.0.1, 119.143.79.94",
+ "url": "http://127.0.0.1/anything/hello";
+}
+```
+
+## Delete Plugin
+
+To remove the `jwe-decrypt` Plugin, you can delete the corresponding JSON
configuration from the Plugin configuration. APISIX will automatically reload
and you do not have to restart for this to take effect.
+
+```shell
+curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 'X-API-KEY:
edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
+{
+ "methods": ["GET"],
+ "uri": "/anything*",
+ "plugins": {},
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "httpbin.org:80": 1
+ }
+ }
+}'
+```
diff --git a/t/admin/plugins.t b/t/admin/plugins.t
index e7b736fd9..c174d5f29 100644
--- a/t/admin/plugins.t
+++ b/t/admin/plugins.t
@@ -85,6 +85,7 @@ ldap-auth
hmac-auth
basic-auth
jwt-auth
+jwe-decrypt
key-auth
consumer-restriction
forward-auth
@@ -312,7 +313,7 @@
qr/\{"metadata_schema":\{"properties":\{"ikey":\{"minimum":0,"type":"number"\},"
}
}
--- response_body eval
-qr/\[\{"name":"multi-auth","priority":2600\},\{"name":"wolf-rbac","priority":2555\},\{"name":"ldap-auth","priority":2540\},\{"name":"hmac-auth","priority":2530\},\{"name":"basic-auth","priority":2520\},\{"name":"jwt-auth","priority":2510\},\{"name":"key-auth","priority":2500\}\]/
+qr/\[\{"name":"multi-auth","priority":2600\},\{"name":"wolf-rbac","priority":2555\},\{"name":"ldap-auth","priority":2540\},\{"name":"hmac-auth","priority":2530\},\{"name":"basic-auth","priority":2520\},\{"name":"jwt-auth","priority":2510\},\{"name":"jwe-decrypt","priority":2509\},\{"name":"key-auth","priority":2500\}\]/
diff --git a/t/plugin/jwe-decrypt.t b/t/plugin/jwe-decrypt.t
new file mode 100644
index 000000000..8a5d3dca9
--- /dev/null
+++ b/t/plugin/jwe-decrypt.t
@@ -0,0 +1,473 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(2);
+no_long_string();
+no_root_location();
+no_shuffle();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!defined $block->request) {
+ $block->set_value("request", "GET /t");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: sanity
+--- config
+ location /t {
+ content_by_lua_block {
+ local plugin = require("apisix.plugins.jwe-decrypt")
+ local core = require("apisix.core")
+ local conf = {key = "123", secret =
"12345678901234567890123456789012"}
+
+ local ok, err = plugin.check_schema(conf,
core.schema.TYPE_CONSUMER)
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say(require("toolkit.json").encode(conf))
+ }
+ }
+--- response_body_like eval
+qr/{"key":"123","secret":"[a-zA-Z0-9+\\\/]+={0,2}"}/
+
+
+
+=== TEST 2: wrong type of string
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local plugin = require("apisix.plugins.jwe-decrypt")
+ local ok, err = plugin.check_schema({key = 123, secret =
"12345678901234567890123456789012"}, core.schema.TYPE_CONSUMER)
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+property "key" validation failed: wrong type: expected string, got number
+done
+
+
+
+=== TEST 3: wrong type of string
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local plugin = require("apisix.plugins.jwe-decrypt")
+ local ok, err = plugin.check_schema({key = "123", secret =
"123456"}, core.schema.TYPE_CONSUMER)
+ if not ok then
+ ngx.say(err)
+ end
+
+ ngx.say("done")
+ }
+ }
+--- response_body
+property "secret" validation failed: string too short, expected at least 32,
got 6
+done
+
+
+
+=== TEST 4: add consumer with username and plugins
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "jwe-decrypt": {
+ "key": "user-key",
+ "secret": "12345678901234567890123456789012"
+ }
+ }
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 5: enable jwe-decrypt plugin using admin api
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "jwe-decrypt": {
+ "header": "Authorization",
+ "forward_header": "Authorization"
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 6: create public API route (jwe-decrypt sign)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/2',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "public-api": {}
+ },
+ "uri": "/apisix/plugin/jwe/encrypt"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 7: sign / verify in argument
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, err, token =
t('/apisix/plugin/jwe/encrypt?key=user-key&payload=hello',
+ ngx.HTTP_GET
+ )
+
+ if code > 200 then
+ ngx.status = code
+ ngx.say(err)
+ return
+ end
+
+ code, err, body = t('/hello',
+ ngx.HTTP_GET,
+ nil,
+ nil,
+ { Authorization = token }
+ )
+
+ ngx.print(body)
+ }
+ }
+--- response_body
+hello world
+
+
+
+=== TEST 8: test for unsupported method
+--- request
+PATCH /apisix/plugin/jwe/encrypt?key=user-key
+--- error_code: 404
+
+
+
+=== TEST 9: verify, missing token
+--- request
+GET /hello
+--- error_code: 403
+--- response_body
+{"message":"missing JWE token in request"}
+
+
+
+=== TEST 10: verify: invalid JWE token
+--- request
+GET /hello
+--- more_headers
+Authorization:
invalid-eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy.6JeRgm02rpOJdg.4nkSYJgwMKYgTeacatgmRw
+--- error_code: 400
+--- response_body
+{"message":"JWE token invalid"}
+
+
+
+=== TEST 11: verify (in header)
+--- request
+GET /hello
+--- more_headers
+Authorization: Bearer
eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy.6JeRgm02rpOJdg.4nkSYJgwMKYgTeacatgmRw
+--- response_body
+hello world
+
+
+
+=== TEST 12: verify (in header without Bearer)
+--- request
+GET /hello
+--- more_headers
+Authorization:
eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy.6JeRgm02rpOJdg.4nkSYJgwMKYgTeacatgmRw
+--- response_body
+hello world
+
+
+
+=== TEST 13: verify (header with bearer)
+--- request
+GET /hello
+--- more_headers
+Authorization: bearer
eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy.6JeRgm02rpOJdg.4nkSYJgwMKYgTeacatgmRw
+--- response_body
+hello world
+
+
+
+=== TEST 14: verify (invalid bearer token)
+--- request
+GET /hello
+--- more_headers
+Authorization: bearer
invalid-eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy.6JeRgm02rpOJdg.4nkSYJgwMKYgTeacatgmRw
+--- error_code: 400
+--- response_body
+{"message":"JWE token invalid"}
+
+
+
+=== TEST 15: delete a exist consumer
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "jwe-decrypt": {
+ "key": "user-key",
+ "secret": "12345678901234567890123456789012"
+ }
+ }
+ }]]
+ )
+ ngx.say("code: ", code < 300, " body: ", body)
+
+ code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "chen",
+ "plugins": {
+ "jwe-decrypt": {
+ "key": "chen-key",
+ "secret": "12345678901234567890123456789021"
+ }
+ }
+ }]]
+ )
+ ngx.say("code: ", code < 300, " body: ", body)
+
+ code, body = t('/apisix/admin/consumers/jack',
+ ngx.HTTP_DELETE)
+ ngx.say("code: ", code < 300, " body: ", body)
+
+ code, body =
t('/apisix/plugin/jwe/encrypt?key=chen-key&payload=hello',
+ ngx.HTTP_GET)
+ ngx.say("code: ", code < 300, " body: ", body)
+ }
+ }
+--- response_body
+code: true body: passed
+code: true body: passed
+code: true body: passed
+code: true body: passed
+
+
+
+=== TEST 16: add consumer with username and plugins with base64 secret
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/consumers',
+ ngx.HTTP_PUT,
+ [[{
+ "username": "jack",
+ "plugins": {
+ "jwe-decrypt": {
+ "key": "user-key",
+ "secret":
"fo4XKdZ1xSrIZyms4q2BwPrW5lMpls9qqy5tiAk2esc=",
+ "is_base64_encoded": true
+ }
+ }
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 17: enable jwt decrypt plugin with base64 secret
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "jwe-decrypt": {
+ "header": "Authorization",
+ "forward_header": "Authorization"
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 18: create public API route (jwe-decrypt sign)
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/2',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "public-api": {}
+ },
+ "uri": "/apisix/plugin/jwe/encrypt"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 19: sign / verify in argument
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, err, token =
t('/apisix/plugin/jwe/encrypt?key=user-key&payload=hello',
+ ngx.HTTP_GET
+ )
+
+ if code > 200 then
+ ngx.status = code
+ ngx.say(err)
+ return
+ end
+
+ ngx.log(ngx.WARN, "dibag: ", token)
+
+ code, err, body = t('/hello',
+ ngx.HTTP_GET,
+ nil,
+ nil,
+ { Authorization = token }
+ )
+
+ ngx.print(body)
+ }
+ }
+--- response_body
+hello world
+
+
+
+=== TEST 20: verify (in header)
+--- request
+GET /hello
+--- more_headers
+Authorization: Bearer
eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy._0DrWD0.vl-ydutnNuMpkYskwNqu-Q
+--- response_body
+hello world
+
+
+
+=== TEST 21: verify (in header without Bearer)
+--- request
+GET /hello
+--- more_headers
+Authorization:
eyJhbGciOiJkaXIiLCJraWQiOiJ1c2VyLWtleSIsImVuYyI6IkEyNTZHQ00ifQ..MTIzNDU2Nzg5MDEy._0DrWD0.vl-ydutnNuMpkYskwNqu-Q
+--- response_body
+hello world
