feat: add hmac-auth authorization method (#1035)

.gitignore

@@ -30,6 +30,7 @@
 *.out
 release
 
+.vscode
 .idea
 .DS_Store
 coverage.txt

pkg/kube/apisix/apis/config/v2/types.go

@@ -341,6 +341,7 @@ type ApisixConsumerAuthParameter struct {
 	KeyAuth   *ApisixConsumerKeyAuth   `json:"keyAuth,omitempty" yaml:"keyAuth"`
 	WolfRBAC  *ApisixConsumerWolfRBAC  `json:"wolfRBAC,omitempty" yaml:"wolfRBAC"`
 	JwtAuth   *ApisixConsumerJwtAuth   `json:"jwtAuth,omitempty" yaml:"jwtAuth"`
+	HMACAuth  *ApisixConsumerHMACAuth  `json:"hmacAuth,omitempty" yaml:"hmacAuth"`
 }
 
 // ApisixConsumerBasicAuth defines the configuration for basic auth.
@@ -396,6 +397,25 @@ type ApisixConsumerJwtAuthValue struct {
 	Base64Secret bool   `json:"base64_secret,omitempty" yaml:"base64_secret,omitempty"`
 }
 
+// ApisixConsumerHMACAuth defines the configuration for the hmac auth.
+type ApisixConsumerHMACAuth struct {
+	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty" yaml:"secretRef,omitempty"`
+	Value     *ApisixConsumerHMACAuthValue `json:"value,omitempty" yaml:"value,omitempty"`
+}
+
+// ApisixConsumerHMACAuthValue defines the in-place configuration for hmac auth.
+type ApisixConsumerHMACAuthValue struct {
+	AccessKey           string   `json:"access_key" yaml:"access_key"`
+	SecretKey           string   `json:"secret_key" yaml:"secret_key"`
+	Algorithm           string   `json:"algorithm,omitempty" yaml:"algorithm,omitempty"`
+	ClockSkew           int64    `json:"clock_skew,omitempty" yaml:"clock_skew,omitempty"`
+	SignedHeaders       []string `json:"signed_headers,omitempty" yaml:"signed_headers,omitempty"`
+	KeepHeaders         bool     `json:"keep_headers,omitempty" yaml:"keep_headers,omitempty"`
+	EncodeURIParams     bool     `json:"encode_uri_params,omitempty" yaml:"encode_uri_params,omitempty"`
+	ValidateRequestBody bool     `json:"validate_request_body,omitempty" yaml:"validate_request_body,omitempty"`
+	MaxReqBody          int64    `json:"max_req_body,omitempty" yaml:"max_req_body,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ApisixConsumerList contains a list of ApisixConsumer.

pkg/kube/apisix/apis/config/v2beta3/types.go

@@ -342,6 +342,7 @@ type ApisixConsumerAuthParameter struct {
 	KeyAuth   *ApisixConsumerKeyAuth   `json:"keyAuth,omitempty" yaml:"keyAuth"`
 	WolfRBAC  *ApisixConsumerWolfRBAC  `json:"wolfRBAC,omitempty" yaml:"wolfRBAC"`
 	JwtAuth   *ApisixConsumerJwtAuth   `json:"jwtAuth,omitempty" yaml:"jwtAuth"`
+	HMACAuth  *ApisixConsumerHMACAuth  `json:"hmacAuth,omitempty" yaml:"hmacAuth"`
 }
 
 // ApisixConsumerBasicAuth defines the configuration for basic auth.
@@ -397,6 +398,25 @@ type ApisixConsumerJwtAuthValue struct {
 	Base64Secret bool   `json:"base64_secret,omitempty" yaml:"base64_secret,omitempty"`
 }
 
+// ApisixConsumerHMACAuth defines the configuration for the hmac auth.
+type ApisixConsumerHMACAuth struct {
+	SecretRef *corev1.LocalObjectReference `json:"secretRef,omitempty" yaml:"secretRef,omitempty"`
+	Value     *ApisixConsumerHMACAuthValue `json:"value,omitempty" yaml:"value,omitempty"`
+}
+
+// ApisixConsumerHMACAuthValue defines the in-place configuration for hmac auth.
+type ApisixConsumerHMACAuthValue struct {
+	AccessKey           string   `json:"access_key" yaml:"access_key"`
+	SecretKey           string   `json:"secret_key" yaml:"secret_key"`
+	Algorithm           string   `json:"algorithm,omitempty" yaml:"algorithm,omitempty"`
+	ClockSkew           int64    `json:"clock_skew,omitempty" yaml:"clock_skew,omitempty"`
+	SignedHeaders       []string `json:"signed_headers,omitempty" yaml:"signed_headers,omitempty"`
+	KeepHeaders         bool     `json:"keep_headers,omitempty" yaml:"keep_headers,omitempty"`
+	EncodeURIParams     bool     `json:"encode_uri_params,omitempty" yaml:"encode_uri_params,omitempty"`
+	ValidateRequestBody bool     `json:"validate_request_body,omitempty" yaml:"validate_request_body,omitempty"`
+	MaxReqBody          int64    `json:"max_req_body,omitempty" yaml:"max_req_body,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // ApisixConsumerList contains a list of ApisixConsumer.

pkg/kube/translation/apisix_consumer.go

@@ -51,6 +51,12 @@ func (t *translator) TranslateApisixConsumerV2beta3(ac *configv2beta3.ApisixCons
 			return nil, fmt.Errorf("invalid wolf rbac config: %s", err)
 		}
 		plugins["wolf-rbac"] = cfg
+	} else if ac.Spec.AuthParameter.HMACAuth != nil {
+		cfg, err := t.translateConsumerHMACAuthPluginV2beta3(ac.Namespace, ac.Spec.AuthParameter.HMACAuth)
+		if err != nil {
+			return nil, fmt.Errorf("invaild hmac auth config: %s", err)
+		}
+		plugins["hmac-auth"] = cfg
 	}
 
 	consumer := apisixv1.NewDefaultConsumer()
@@ -88,6 +94,12 @@ func (t *translator) TranslateApisixConsumerV2(ac *configv2.ApisixConsumer) (*ap
 			return nil, fmt.Errorf("invalid wolf rbac config: %s", err)
 		}
 		plugins["wolf-rbac"] = cfg
+	} else if ac.Spec.AuthParameter.HMACAuth != nil {
+		cfg, err := t.translateConsumerHMACAuthPluginV2(ac.Namespace, ac.Spec.AuthParameter.HMACAuth)
+		if err != nil {
+			return nil, fmt.Errorf("invaild hmac auth config: %s", err)
+		}
+		plugins["hmac-auth"] = cfg
 	}
 
 	consumer := apisixv1.NewDefaultConsumer()

pkg/kube/translation/apisix_consumer_test.go

@@ -126,6 +126,29 @@ func TestTranslateApisixConsumerV2beta3(t *testing.T) {
 	assert.Equal(t, "https://httpbin.org", cfg4.Server)
 	assert.Equal(t, "test01", cfg4.Appid)
 
+	ac = &configv2beta3.ApisixConsumer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "jack",
+			Namespace: "qa",
+		},
+		Spec: configv2beta3.ApisixConsumerSpec{
+			AuthParameter: configv2beta3.ApisixConsumerAuthParameter{
+				HMACAuth: &configv2beta3.ApisixConsumerHMACAuth{
+					Value: &configv2beta3.ApisixConsumerHMACAuthValue{
+						AccessKey: "foo",
+						SecretKey: "bar",
+					},
+				},
+			},
+		},
+	}
+	consumer, err = (&translator{}).TranslateApisixConsumerV2beta3(ac)
+	assert.Nil(t, err)
+	assert.Len(t, consumer.Plugins, 1)
+	cfg5 := consumer.Plugins["hmac-auth"].(*apisixv1.HMACAuthConsumerConfig)
+	assert.Equal(t, "foo", cfg5.AccessKey)
+	assert.Equal(t, "bar", cfg5.SecretKey)
+
 	// No test test cases for secret references as we already test them
 	// in plugin_test.go.
 }
@@ -231,6 +254,29 @@ func TestTranslateApisixConsumerV2(t *testing.T) {
 	assert.Equal(t, "https://httpbin.org", cfg4.Server)
 	assert.Equal(t, "test01", cfg4.Appid)
 
+	ac = &configv2.ApisixConsumer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "jack",
+			Namespace: "qa",
+		},
+		Spec: configv2.ApisixConsumerSpec{
+			AuthParameter: configv2.ApisixConsumerAuthParameter{
+				HMACAuth: &configv2.ApisixConsumerHMACAuth{
+					Value: &configv2.ApisixConsumerHMACAuthValue{
+						AccessKey: "foo",
+						SecretKey: "bar",
+					},
+				},
+			},
+		},
+	}
+	consumer, err = (&translator{}).TranslateApisixConsumerV2(ac)
+	assert.Nil(t, err)
+	assert.Len(t, consumer.Plugins, 1)
+	cfg5 := consumer.Plugins["hmac-auth"].(*apisixv1.HMACAuthConsumerConfig)
+	assert.Equal(t, "foo", cfg5.AccessKey)
+	assert.Equal(t, "bar", cfg5.SecretKey)
+
 	// No test test cases for secret references as we already test them
 	// in plugin_test.go.
 }

pkg/kube/translation/apisix_route.go

@@ -276,6 +276,8 @@ func (t *translator) translateHTTPRouteV2beta3(ctx *TranslateContext, ar *config
 				pluginMap["wolf-rbac"] = make(map[string]interface{})
 			case "jwtAuth":
 				pluginMap["jwt-auth"] = part.Authentication.JwtAuth
+			case "hmacAuth":
+				pluginMap["hmac-auth"] = make(map[string]interface{})
 			default:
 				pluginMap["basic-auth"] = make(map[string]interface{})
 			}
@@ -410,6 +412,8 @@ func (t *translator) translateHTTPRouteV2(ctx *TranslateContext, ar *configv2.Ap
 				pluginMap["wolf-rbac"] = make(map[string]interface{})
 			case "jwtAuth":
 				pluginMap["jwt-auth"] = part.Authentication.JwtAuth
+			case "hmacAuth":
+				pluginMap["hmac-auth"] = make(map[string]interface{})
 			default:
 				pluginMap["basic-auth"] = make(map[string]interface{})
 			}
@@ -635,6 +639,8 @@ func (t *translator) translateHTTPRouteV2beta3NotStrictly(ctx *TranslateContext,
 				pluginMap["wolf-rbac"] = make(map[string]interface{})
 			case "jwtAuth":
 				pluginMap["jwt-auth"] = part.Authentication.JwtAuth
+			case "hmacAuth":
+				pluginMap["hmac-auth"] = make(map[string]interface{})
 			default:
 				pluginMap["basic-auth"] = make(map[string]interface{})
 			}
@@ -692,6 +698,8 @@ func (t *translator) translateHTTPRouteV2NotStrictly(ctx *TranslateContext, ar *
 				pluginMap["wolf-rbac"] = make(map[string]interface{})
 			case "jwtAuth":
 				pluginMap["jwt-auth"] = part.Authentication.JwtAuth
+			case "hmacAuth":
+				pluginMap["hmac-auth"] = make(map[string]interface{})
 			default:
 				pluginMap["basic-auth"] = make(map[string]interface{})
 			}