This is an automated email from the ASF dual-hosted git repository.

wenming pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 561e8e8b8 refactor(google-cloud-logging): unify google-cloud-oauth.lua 
file (#11596)
561e8e8b8 is described below

commit 561e8e8b88ebb23fb7769467807107894632303c
Author: HuanXin-Chen <111850224+huanxin-c...@users.noreply.github.com>
AuthorDate: Thu Oct 3 22:03:50 2024 +0800

    refactor(google-cloud-logging): unify google-cloud-oauth.lua file (#11596)
---
 Makefile                                           |   3 -
 apisix/plugins/google-cloud-logging.lua            |  17 ++-
 apisix/plugins/google-cloud-logging/oauth.lua      | 137 ---------------------
 docs/en/latest/plugins/google-cloud-logging.md     |   5 +-
 docs/zh/latest/plugins/google-cloud-logging.md     |   5 +-
 t/plugin/google-cloud-logging.t                    |  12 +-
 .../google-cloud-logging/config-https-domain.json  |   2 +-
 t/plugin/google-cloud-logging/config-https-ip.json |   2 +-
 t/plugin/google-cloud-logging/config.json          |   2 +-
 t/plugin/google-cloud-logging2.t                   |   6 +-
 10 files changed, 32 insertions(+), 159 deletions(-)

diff --git a/Makefile b/Makefile
index 545a21e4f..bd734ac18 100644
--- a/Makefile
+++ b/Makefile
@@ -305,9 +305,6 @@ install: runtime
        $(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/ext-plugin
        $(ENV_INSTALL) apisix/plugins/ext-plugin/*.lua 
$(ENV_INST_LUADIR)/apisix/plugins/ext-plugin/
 
-       $(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/google-cloud-logging
-       $(ENV_INSTALL) apisix/plugins/google-cloud-logging/*.lua 
$(ENV_INST_LUADIR)/apisix/plugins/google-cloud-logging/
-
        $(ENV_INSTALL) -d $(ENV_INST_LUADIR)/apisix/plugins/grpc-transcode
        $(ENV_INSTALL) apisix/plugins/grpc-transcode/*.lua 
$(ENV_INST_LUADIR)/apisix/plugins/grpc-transcode/
 
diff --git a/apisix/plugins/google-cloud-logging.lua 
b/apisix/plugins/google-cloud-logging.lua
index 74360e9b3..62ca991c0 100644
--- a/apisix/plugins/google-cloud-logging.lua
+++ b/apisix/plugins/google-cloud-logging.lua
@@ -20,7 +20,7 @@ local tostring        = tostring
 local http            = require("resty.http")
 local log_util        = require("apisix.utils.log-util")
 local bp_manager_mod  = require("apisix.utils.batch-processor-manager")
-local google_oauth    = require("apisix.plugins.google-cloud-logging.oauth")
+local google_oauth    = require("apisix.utils.google-cloud-oauth")
 
 
 local lrucache = core.lrucache.new({
@@ -43,7 +43,7 @@ local schema = {
                     default = "https://oauth2.googleapis.com/token";
                 },
                 -- 
https://developers.google.com/identity/protocols/oauth2/scopes#logging
-                scopes = {
+                scope = {
                     type = "array",
                     items = {
                         description = "Google OAuth2 Authorization Scopes",
@@ -58,6 +58,15 @@ local schema = {
                         "https://www.googleapis.com/auth/cloud-platform";
                     }
                 },
+                scopes = {
+                    type = "array",
+                    items = {
+                        description = "Google OAuth2 Authorization Scopes",
+                        type = "string",
+                    },
+                    minItems = 1,
+                    uniqueItems = true
+                },
                 entries_uri = {
                     type = "string",
                     default = "https://logging.googleapis.com/v2/entries:write";
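Review bot: The re-added `scopes` property at the end of this hunk carries nothing that marks it as deprecated, and it has no `default`, while the English docs row added in the same commit lists the four-scope list as its default. A one-line comment above the property, `-- deprecated: kept for backward compatibility, use "scope" instead`, would stop a later reader from treating the two keys as independent, and the docs row should show an empty default to match the schema. The `scope` default that both keys feed into (its last entry is visible as context at the top of this hunk) includes `cloud-platform`, which looks much broader than a plugin posting to `entries:write` needs. That default predates this commit, but it is worth revisiting while the key is being renamed. The enclosing `auth_config` schema block starts and ends outside the hunk.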
@@ -168,7 +177,9 @@ local function create_oauth_object(conf)
         return nil, err
     end
 
-    return google_oauth:new(auth_conf, conf.ssl_verify)
+    auth_conf.scope = auth_conf.scopes or auth_conf.scope
+
+    return google_oauth.new(auth_conf, conf.ssl_verify)
 end
 
 
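Review bot: `auth_conf.scope = auth_conf.scopes or auth_conf.scope` lets the deprecated key win without any signal when both are configured, so an operator who narrows `scope` while a legacy `scopes` list is still present keeps requesting the old, possibly broader, scopes. Reversing the order would not help if `scope` always carries its schema default, so the practical fix is to make the override visible with `if auth_conf.scopes then core.log.warn("auth_config.scopes is deprecated, use auth_config.scope") end` before the assignment. The assignment also writes into `auth_conf` in place; where that table comes from is outside the hunk, so confirm it is not a shared or cached config object. The removed oauth.lua fell back to a built-in scope list when none was configured, and whether `apisix.utils.google-cloud-oauth` does the same is not visible here, which matters if an `auth_file` supplies neither key.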
diff --git a/apisix/plugins/google-cloud-logging/oauth.lua 
b/apisix/plugins/google-cloud-logging/oauth.lua
deleted file mode 100644
index a560bd43f..000000000
--- a/apisix/plugins/google-cloud-logging/oauth.lua
+++ /dev/null
@@ -1,137 +0,0 @@
---
--- Licensed to the Apache Software Foundation (ASF) under one or more
--- contributor license agreements.  See the NOTICE file distributed with
--- this work for additional information regarding copyright ownership.
--- The ASF licenses this file to You under the Apache License, Version 2.0
--- (the "License"); you may not use this file except in compliance with
--- the License.  You may obtain a copy of the License at
---
---     http://www.apache.org/licenses/LICENSE-2.0
---
--- Unless required by applicable law or agreed to in writing, software
--- distributed under the License is distributed on an "AS IS" BASIS,
--- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
--- See the License for the specific language governing permissions and
--- limitations under the License.
---
-
-local core = require("apisix.core")
-local type = type
-local setmetatable = setmetatable
-
-local ngx_update_time = ngx.update_time
-local ngx_time = ngx.time
-local ngx_encode_args = ngx.encode_args
-
-local http = require("resty.http")
-local jwt = require("resty.jwt")
-
-
-local function get_timestamp()
-    ngx_update_time()
-    return ngx_time()
-end
-
-
-local _M = {}
-
-
-function _M:generate_access_token()
-    if not self.access_token or get_timestamp() > 
self.access_token_expire_time - 60 then
-        self:refresh_access_token()
-    end
-    return self.access_token
-end
-
-
-function _M:refresh_access_token()
-    local http_new = http.new()
-    local res, err = http_new:request_uri(self.token_uri, {
-        ssl_verify = self.ssl_verify,
-        method = "POST",
-        body = ngx_encode_args({
-            grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer",
-            assertion = self:generate_jwt_token()
-        }),
-        headers = {
-            ["Content-Type"] = "application/x-www-form-urlencoded",
-        },
-    })
-
-    if not res then
-        core.log.error("failed to refresh google oauth access token, ", err)
-        return
-    end
-
-    if res.status ~= 200 then
-        core.log.error("failed to refresh google oauth access token: ", 
res.body)
-        return
-    end
-
-    res, err = core.json.decode(res.body)
-    if not res then
-        core.log.error("failed to parse google oauth response data: ", err)
-        return
-    end
-
-    self.access_token = res.access_token
-    self.access_token_type = res.token_type
-    self.access_token_expire_time = get_timestamp() + res.expires_in
-end
-
-
-function _M:generate_jwt_token()
-    local payload = core.json.encode({
-        iss = self.client_email,
-        aud = self.token_uri,
-        scope = self.scope,
-        iat = get_timestamp(),
-        exp = get_timestamp() + (60 * 60)
-    })
-
-    local jwt_token = jwt:sign(self.private_key, {
-        header = { alg = "RS256", typ = "JWT" },
-        payload = payload,
-    })
-
-    return jwt_token
-end
-
-
-function _M:new(config, ssl_verify)
-    local oauth = {
-        client_email = config.client_email,
-        private_key = config.private_key,
-        project_id = config.project_id,
-        token_uri = config.token_uri or "https://oauth2.googleapis.com/token";,
-        auth_uri = config.auth_uri or 
"https://accounts.google.com/o/oauth2/auth";,
-        entries_uri = config.entries_uri or 
"https://logging.googleapis.com/v2/entries:write";,
-        access_token = nil,
-        access_token_type = nil,
-        access_token_expire_time = 0,
-    }
-
-    oauth.ssl_verify = ssl_verify
-
-    if config.scopes then
-        if type(config.scopes) == "string" then
-            oauth.scope = config.scopes
-        end
-
-        if type(config.scopes) == "table" then
-            oauth.scope = core.table.concat(config.scopes, " ")
-        end
-    else
-        -- 
https://developers.google.com/identity/protocols/oauth2/scopes#logging
-        oauth.scope = core.table.concat({ 
"https://www.googleapis.com/auth/logging.read";,
-                                          
"https://www.googleapis.com/auth/logging.write";,
-                                          
"https://www.googleapis.com/auth/logging.admin";,
-                                          
"https://www.googleapis.com/auth/cloud-platform"; }, " ")
-    end
-
-    setmetatable(oauth, { __index = self })
-    return oauth
-end
-
-
-return _M
diff --git a/docs/en/latest/plugins/google-cloud-logging.md 
b/docs/en/latest/plugins/google-cloud-logging.md
index 4a8313bf8..85b972381 100644
--- a/docs/en/latest/plugins/google-cloud-logging.md
+++ b/docs/en/latest/plugins/google-cloud-logging.md
@@ -42,7 +42,8 @@ This plugin also allows to push logs as a batch to your 
Google Cloud Logging Ser
 | auth_config.project_id  | True     |                                         
                                                                                
                                                                             | 
Project ID in the Google Cloud service account.                                 
                                                                                
   |
 | auth_config.token_uri   | True    | https://oauth2.googleapis.com/token      
                                                                                
                                                                            | 
Token URI of the Google Cloud service account.                                  
                                                                                
   |
 | auth_config.entries_uri | False    | 
https://logging.googleapis.com/v2/entries:write                                 
                                                                                
                                     | Google Cloud Logging Service API.        
                                                                                
                                          |
-| auth_config.scopes      | False    | 
["https://www.googleapis.com/auth/logging.read";, 
"https://www.googleapis.com/auth/logging.write";, 
"https://www.googleapis.com/auth/logging.admin";, 
"https://www.googleapis.com/auth/cloud-platform";] | Access scopes of the Google 
Cloud service account. See [OAuth 2.0 Scopes for Google 
APIs](https://developers.google.com/identity/protocols/oauth2/scopes#logging). |
+| auth_config.scope       | False    | 
["https://www.googleapis.com/auth/logging.read";, 
"https://www.googleapis.com/auth/logging.write";, 
"https://www.googleapis.com/auth/logging.admin";, 
"https://www.googleapis.com/auth/cloud-platform";] | Access scopes of the Google 
Cloud service account. See [OAuth 2.0 Scopes for Google 
APIs](https://developers.google.com/identity/protocols/oauth2/scopes#logging). |
+| auth_config.scopes      | Deprecated    | 
["https://www.googleapis.com/auth/logging.read";, 
"https://www.googleapis.com/auth/logging.write";, 
"https://www.googleapis.com/auth/logging.admin";, 
"https://www.googleapis.com/auth/cloud-platform";] | Access scopes of the Google 
Cloud service account. Use `auth_config.scope` instead.                         
                                                  |
 | auth_file               | True     |                                         
                                                                                
                                                                             | 
Path to the Google Cloud service account authentication JSON file. Either 
`auth_config` or `auth_file` must be provided.                                  
         |
 | ssl_verify              | False    | true                                    
                                                                                
                                                                             | 
When set to `true`, enables SSL verification as mentioned in [OpenResty 
docs](https://github.com/openresty/lua-nginx-module#tcpsocksslhandshake).       
           |
 | resource                | False    | {"type": "global"}                      
                                                                                
                                                                             | 
Google monitor resource. See 
[MonitoredResource](https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource)
 for more details.                   |
@@ -141,7 +142,7 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H 
"X-API-KEY: $admin_key" -X P
                 "client_email":"your service account 
em...@apisix.iam.gserviceaccount.com",
                 "private_key":"-----BEGIN RSA PRIVATE KEY-----your private 
key-----END RSA PRIVATE KEY-----",
                 "token_uri":"https://oauth2.googleapis.com/token";,
-                "scopes":[
+                "scope":[
                     "https://www.googleapis.com/auth/logging.admin";
                 ],
                 "entries_uri":"https://logging.googleapis.com/v2/entries:write";
diff --git a/docs/zh/latest/plugins/google-cloud-logging.md 
b/docs/zh/latest/plugins/google-cloud-logging.md
index d0e0ba5c4..d485bee31 100644
--- a/docs/zh/latest/plugins/google-cloud-logging.md
+++ b/docs/zh/latest/plugins/google-cloud-logging.md
@@ -42,7 +42,8 @@ description: API 网关 Apache APISIX 的 google-cloud-logging 插件可用于
 | auth_config.project_id  | 是       |                                          
        | 谷歌服务帐号的项目 ID。                                                         
                                                   |
 | auth_config.token_uri   | 是       | https://oauth2.googleapis.com/token      
        | 请求谷歌服务帐户的令牌的 URI。                                                     
                                                |
 | auth_config.entries_uri | 否       | 
https://logging.googleapis.com/v2/entries:write  | 谷歌日志服务写入日志条目的 API。           
                                                                                
        |
-| auth_config.scopes      | 否       |                                          
        | 谷歌服务账号的访问范围,可参考 [OAuth 2.0 Scopes for Google 
APIs](https://developers.google.com/identity/protocols/oauth2/scopes#logging)。可选项:"https://www.googleapis.com/auth/logging.read"、"https://www.googleapis.com/auth/logging.write"、"https://www.googleapis.com/auth/logging.admin"、"https://www.googleapis.com/auth/cloud-platform"。|
+| auth_config.scope       | 否       |                                          
        | 谷歌服务账号的访问范围,可参考 [OAuth 2.0 Scopes for Google 
APIs](https://developers.google.com/identity/protocols/oauth2/scopes#logging)。可选项:"https://www.googleapis.com/auth/logging.read"、"https://www.googleapis.com/auth/logging.write"、"https://www.googleapis.com/auth/logging.admin"、"https://www.googleapis.com/auth/cloud-platform"。|
+| auth_config.scopes      | 废弃     |                                           
       | 谷歌服务账号的访问范围,推荐使用 `auth_config.scope`                                   
                                            |
 | auth_file               | 是       |                                          
        | `auth_config` 和 `auth_file` 必须配置一个。                                   
                              |
 | ssl_verify              | 否       | true                                     
        | 当设置为 `true` 时,启用 `SSL` 验证。                 |
 | resource                | 否       | {"type": "global"}                       
        | 谷歌监控资源,请参考 
[MonitoredResource](https://cloud.google.com/logging/docs/reference/v2/rest/v2/MonitoredResource)。
             |
@@ -142,7 +143,7 @@ curl http://127.0.0.1:9180/apisix/admin/routes/1 \
                 "client_email":"your service account 
em...@apisix.iam.gserviceaccount.com",
                 "private_key":"-----BEGIN RSA PRIVATE KEY-----your private 
key-----END RSA PRIVATE KEY-----",
                 "token_uri":"https://oauth2.googleapis.com/token";,
-                "scopes":[
+                "scope":[
                     "https://www.googleapis.com/auth/logging.admin";
                 ],
                 "entries_uri":"https://logging.googleapis.com/v2/entries:write";
diff --git a/t/plugin/google-cloud-logging.t b/t/plugin/google-cloud-logging.t
index bc4293cf6..81e719090 100644
--- a/t/plugin/google-cloud-logging.t
+++ b/t/plugin/google-cloud-logging.t
@@ -44,7 +44,7 @@ __DATA__
                 resource = {
                     type = "global"
                 },
-                scopes = {
+                scope = {
                     "https://www.googleapis.com/auth/logging.admin";
                 },
                 log_id = "syslog",
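Review bot: Every fixture in this file now uses the new key, starting with the `scope = {` rename here and repeated in the hunks at -82, -205, -382, -465 and -548, so nothing visible in the commit exercises the deprecated `scopes` path that create_oauth_object still accepts. Keeping one case on `scopes = { ... }`, and adding one that sets both keys and asserts which list reaches the token request, would pin the backward-compatibility behaviour. The same applies to google-cloud-logging2.t and the three JSON fixtures; the test bodies themselves continue outside these hunks.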
@@ -82,7 +82,7 @@ passed
                 resource = {
                     type = "global"
                 },
-                scopes = {
+                scope = {
                     "https://www.googleapis.com/auth/logging.admin";
                 },
                 log_id = "syslog",
@@ -205,7 +205,7 @@ tBXLQH7fw5H8RaxBN91yQUZombw6JnRBXKKohWHZ3Q==
 -----END RSA PRIVATE KEY-----]],
                             project_id = "apisix",
                             token_uri = 
"http://127.0.0.1:1980/google/logging/token";,
-                            scopes = {
+                            scope = {
                                 "https://apisix.apache.org/logs:admin";
                             },
                             entries_uri = 
"http://127.0.0.1:1980/google/logging/entries";,
@@ -382,7 +382,7 @@ kEJQcmfVew5mFXyxuEn3zA==
 -----END PRIVATE KEY-----]],
                             project_id = "apisix",
                             token_uri = 
"http://127.0.0.1:1980/google/logging/token";,
-                            scopes = {
+                            scope = {
                                 "https://apisix.apache.org/logs:admin";
                             },
                             entries_uri = 
"http://127.0.0.1:1980/google/logging/entries";,
@@ -465,7 +465,7 @@ kEJQcmfVew5mFXyxuEn3zA==
 -----END PRIVATE KEY-----]],
                             project_id = "apisix",
                             token_uri = 
"http://127.0.0.1:1980/google/logging/token?token_type=Basic";,
-                            scopes = {
+                            scope = {
                                 "https://apisix.apache.org/logs:admin";
                             },
                             entries_uri = 
"http://127.0.0.1:1980/google/logging/entries?token_type=Basic";,
@@ -548,7 +548,7 @@ kEJQcmfVew5mFXyxuEn3zA==
 -----END PRIVATE KEY-----]],
                             project_id = "apisix",
                             token_uri = 
"http://127.0.0.1:1980/google/logging/token?token_type=Basic";,
-                            scopes = {
+                            scope = {
                                 "https://apisix.apache.org/logs:admin";
                             },
                             entries_uri = 
"http://127.0.0.1:1980/google/logging/entries";,
diff --git a/t/plugin/google-cloud-logging/config-https-domain.json 
b/t/plugin/google-cloud-logging/config-https-domain.json
index cae085998..7225446d7 100644
--- a/t/plugin/google-cloud-logging/config-https-domain.json
+++ b/t/plugin/google-cloud-logging/config-https-domain.json
@@ -2,7 +2,7 @@
   "private_key": "-----BEGIN PRIVATE 
KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDzrFwnA3EvYyR\naeMgaLD3hBjvxKrz10uox1X8q7YYhf2ViRtLRUMa2bEMYksE5hbhwpNf6mKAnLOC\nUuAT6cPPdUl/agKpJXviBPIR2LuzD17WsLJHp1HxUDssSkgfCaGcOGGNfLUhhIpF\n2JUctLmxiZoAZySlSjcwupSuDJ0aPm0XO8r9H8Qu5kF2Vkz5e5bFivLTmvzrQTe4\nv5V1UI6hThElCSeUmdNF3uG3wopxlvq4zXgLTnuLbrNf/Gc4mlpV+UDgTISj32Ep\nAB2vxKEbvQw4ti8YJnGXWjxLerhfrszFw+V8lpeduiDYA44ZFoVqvzxeIsVZNtcw\nIu7PvEPNAgMBAAECggEAVpyN9m7A1F631/aLheFpLgMbeKt4p
 [...]
   "project_id": "apisix",
   "token_uri": "https://test.com:1983/google/logging/token";,
-  "scopes": [
+  "scope": [
     "https://apisix.apache.org/logs:admin";
   ],
   "entries_uri": "https://test.com:1983/google/logging/entries";
diff --git a/t/plugin/google-cloud-logging/config-https-ip.json 
b/t/plugin/google-cloud-logging/config-https-ip.json
index 498618fc7..86b33fc60 100644
--- a/t/plugin/google-cloud-logging/config-https-ip.json
+++ b/t/plugin/google-cloud-logging/config-https-ip.json
@@ -2,7 +2,7 @@
   "private_key": "-----BEGIN PRIVATE 
KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDzrFwnA3EvYyR\naeMgaLD3hBjvxKrz10uox1X8q7YYhf2ViRtLRUMa2bEMYksE5hbhwpNf6mKAnLOC\nUuAT6cPPdUl/agKpJXviBPIR2LuzD17WsLJHp1HxUDssSkgfCaGcOGGNfLUhhIpF\n2JUctLmxiZoAZySlSjcwupSuDJ0aPm0XO8r9H8Qu5kF2Vkz5e5bFivLTmvzrQTe4\nv5V1UI6hThElCSeUmdNF3uG3wopxlvq4zXgLTnuLbrNf/Gc4mlpV+UDgTISj32Ep\nAB2vxKEbvQw4ti8YJnGXWjxLerhfrszFw+V8lpeduiDYA44ZFoVqvzxeIsVZNtcw\nIu7PvEPNAgMBAAECggEAVpyN9m7A1F631/aLheFpLgMbeKt4p
 [...]
   "project_id": "apisix",
   "token_uri": "https://127.0.0.1:1983/google/logging/token";,
-  "scopes": [
+  "scope": [
     "https://apisix.apache.org/logs:admin";
   ],
   "entries_uri": "https://127.0.0.1:1983/google/logging/entries";
diff --git a/t/plugin/google-cloud-logging/config.json 
b/t/plugin/google-cloud-logging/config.json
index 8de2535aa..3d0bb6295 100644
--- a/t/plugin/google-cloud-logging/config.json
+++ b/t/plugin/google-cloud-logging/config.json
@@ -2,7 +2,7 @@
   "private_key": "-----BEGIN PRIVATE 
KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDzrFwnA3EvYyR\naeMgaLD3hBjvxKrz10uox1X8q7YYhf2ViRtLRUMa2bEMYksE5hbhwpNf6mKAnLOC\nUuAT6cPPdUl/agKpJXviBPIR2LuzD17WsLJHp1HxUDssSkgfCaGcOGGNfLUhhIpF\n2JUctLmxiZoAZySlSjcwupSuDJ0aPm0XO8r9H8Qu5kF2Vkz5e5bFivLTmvzrQTe4\nv5V1UI6hThElCSeUmdNF3uG3wopxlvq4zXgLTnuLbrNf/Gc4mlpV+UDgTISj32Ep\nAB2vxKEbvQw4ti8YJnGXWjxLerhfrszFw+V8lpeduiDYA44ZFoVqvzxeIsVZNtcw\nIu7PvEPNAgMBAAECggEAVpyN9m7A1F631/aLheFpLgMbeKt4p
 [...]
   "project_id": "apisix",
   "token_uri": "http://127.0.0.1:1980/google/logging/token";,
-  "scopes": [
+  "scope": [
     "https://apisix.apache.org/logs:admin";
   ],
   "entries_uri": "http://127.0.0.1:1980/google/logging/entries";
diff --git a/t/plugin/google-cloud-logging2.t b/t/plugin/google-cloud-logging2.t
index 11e86288e..35d162b6d 100644
--- a/t/plugin/google-cloud-logging2.t
+++ b/t/plugin/google-cloud-logging2.t
@@ -125,7 +125,7 @@ kEJQcmfVew5mFXyxuEn3zA==
 -----END PRIVATE KEY-----]],
                             project_id = "apisix",
                             token_uri = 
"http://127.0.0.1:1980/google/logging/token";,
-                            scopes = {
+                            scope = {
                                 "https://apisix.apache.org/logs:admin";
                             },
                             entries_uri = 
"http://127.0.0.1:1980/google/logging/entries";,
@@ -244,7 +244,7 @@ kEJQcmfVew5mFXyxuEn3zA==
 -----END PRIVATE KEY-----]],
                             project_id = "apisix",
                             token_uri = 
"http://127.0.0.1:1980/google/logging/token";,
-                            scopes = {
+                            scope = {
                                 "https://apisix.apache.org/logs:admin";
                             },
                             entries_uri = 
"http://127.0.0.1:1980/google/logging/entries";,
@@ -384,7 +384,7 @@ kEJQcmfVew5mFXyxuEn3zA==
 -----END PRIVATE KEY-----]],
                             project_id = "apisix",
                             token_uri = 
"http://127.0.0.1:1980/google/logging/token";,
-                            scopes = {
+                            scope = {
                                 "https://apisix.apache.org/logs:admin";
                             },
                             entries_uri = 
"http://127.0.0.1:1980/google/logging/entries";,
