Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion apisix/consumer.lua
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,20 @@ function create_consume_cache(consumers_conf, key_attr)
for _, consumer in ipairs(consumers_conf.nodes) do
local new_consumer = consumer_lrucache(consumer, nil,
fill_consumer_secret, consumer)
consumer_names[new_consumer.auth_conf[key_attr]] = new_consumer
local key_value = new_consumer.auth_conf[key_attr]
-- fail closed: skip if the credential is unset or an unresolved secret ref,
-- else a client could auth with the literal $ENV://... reference string
if key_value == nil then
core.log.error("missing consumer auth credential '", key_attr,
"', skipping consumer: ", new_consumer.consumer_name)

elseif secret.has_secret_ref(new_consumer.auth_conf) then
core.log.error("failed to resolve secret reference in consumer auth ",
"credential, skipping consumer: ", new_consumer.consumer_name)

else
consumer_names[key_value] = new_consumer
end
end

return consumer_names
Expand Down
43 changes: 43 additions & 0 deletions t/plugin/key-auth.t
Original file line number Diff line number Diff line change
Expand Up @@ -737,3 +737,46 @@ passed
GET /hello?auth=authtwo
--- response_args
auth: authtwo



=== TEST 33: consumer key uses an env ref that fails to resolve
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/consumers',
ngx.HTTP_PUT,
[[{
"username": "jack",
"plugins": {
"key-auth": {
"key": "$env://KEYAUTH_UNRESOLVED_SECRET"
}
}
}]]
)

if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- request
GET /t
--- response_body
passed



=== TEST 34: fail closed, literal ref is not accepted as a credential
--- request
GET /hello
--- more_headers
apikey: $env://KEYAUTH_UNRESOLVED_SECRET
--- error_code: 401
--- response_body
{"message":"Invalid API key in request"}
--- error_log
invalid api key
Loading