adds sha1 support for basic auth configuration (issue Kong#33)

tyiss · Sep 2, 2015 · 920b45a · 920b45a
1 parent a23185c
commit 920b45a
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 1 deletion.
diff --git a/kong/plugins/basic-auth/api.lua b/kong/plugins/basic-auth/api.lua
@@ -1,9 +1,41 @@
 local crud = require "kong.api.crud_helpers"
+local basic_auth_utils = require "kong.plugins.basic-auth.utils"
+
+local function get_config(dao_factory)
+  -- in case of no conf.
+  local default_config = {
+    hide_credentials = false,
+    encryption_method = "plain",
+  }
+
+  local data, err = dao_factory.plugins:find_by_keys({ name = "basic-auth" })
+  if err then
+    return default_config, err
+  end
+
+  if not data[1] or not data[1].config then
+    return default_config, "basic-auth configuration not found"
+  end
+
+  return data[1].config or default_config
+end
+
+local function prepare_password(self, dao_factory, helpers)
+  local config, err = get_config(dao_factory)
+  if err then
+    ngx.log(ngx.ERR, "Error fetching basic-auth configuration: ", err)
+  end
+
+  local method = config.encryption_method or "plain"
+  local transform_function = basic_auth_utils.encryption_methods[method] or basic_auth_utils.encryption_methods.plain
+  return transform_function(self.params)
+end
 
 local global_route = {
   before = function(self, dao_factory, helpers)
     crud.find_consumer_by_username_or_id(self, dao_factory, helpers)
     self.params.consumer_id = self.consumer.id
+    self.params.password = prepare_password(self, dao_factory, helpers)
   end,
 
   GET = function(self, dao_factory, helpers)
@@ -23,6 +55,7 @@ local single_route = {
   before = function(self, dao_factory, helpers)
     crud.find_consumer_by_username_or_id(self, dao_factory, helpers)
     self.params.consumer_id = self.consumer.id
+    self.params.password = prepare_password(self, dao_factory, helpers)
 
     local data, err = dao_factory.basicauth_credentials:find_by_keys({ id = self.params.id })
     if err then

diff --git a/kong/plugins/basic-auth/schema.lua b/kong/plugins/basic-auth/schema.lua
@@ -1,6 +1,7 @@
 return {
   no_consumer = true,
   fields = {
-    hide_credentials = { type = "boolean", default = false }
+    hide_credentials = { type = "boolean", default = false },
+    encryption_method = { type = "string", default = 'plain' },
   }
 }
diff --git a/kong/plugins/basic-auth/utils.lua b/kong/plugins/basic-auth/utils.lua
@@ -0,0 +1,40 @@
+local resty_string = require "resty.string"
+local resty_sha1 = require "resty.sha1"
+
+local string_format = string.format
+
+_M = {}
+
+-- sha1 — Calculate the sha1 hash of a string
+-- @param `string` input string.
+-- @return `string` the sha1 of the given string.
+function _M.sha1(string)
+  local sha1 = resty_sha1:new()
+  if not sha1 then
+    return nil, "failed to create the sha1 object"
+  end
+
+  local ok = sha1:update(string)
+  if not ok then
+    return nil, "failed to add data"
+  end
+
+  local digest = sha1:final()  -- binary digest
+  return resty_string.to_hex(digest)
+end
+
+function _M.salt_credentials(credential)
+  return string_format("%s:%s", credential.password, credential.consumer_id)
+end
+
+-- transformation table for all supported encryption mathods.
+_M.encryption_methods = {
+  plain = function(credential) return credential.password end,
+  sha1 = function(credential)
+    local password_salted = _M.salt_credentials(credential)
+    ngx.log(ngx.ERR, "Dalted: ", password_salted)
+    return _M.sha1(password_salted)
+  end,
+}
+
+return _M
diff --git a/spec/plugins/basic-auth/api_spec.lua b/spec/plugins/basic-auth/api_spec.lua
@@ -120,4 +120,40 @@ describe("Basic Auth Credentials API", function()
 
     end)
   end)
+
+  -- test sha1
+  describe("/consumers/:consumer/basic-auth/ sha1", function()
+    local consumer_id = "asd"
+
+    setup(function()
+      local fixtures = spec_helper.insert_fixtures {
+        consumer = {{ username = "john", custom_id = "asdd" }},
+        api = {
+          { name = "basic-auth", inbound_dns = "test1.com", upstream_url = "http://mockbin.com" },
+        },
+        plugin = {
+          { name = "basic-auth", config = { encryption_method = "sha1" },__api = 1 }
+        },
+      }
+
+      consumer = fixtures.consumer[1]
+      BASE_URL = spec_helper.API_URL.."/consumers/john/basic-auth/"
+    end)
+
+    describe("POST", function()
+
+      it("[SUCCESS] should create a basicauth credential with passowrd hashed using sha1", function()
+        local username, password = "john", "1234"
+        local response, status = http_client.post(BASE_URL, { username = username, password = password })
+
+        assert.equal(201, status)
+
+        credential = json.decode(response)
+        assert.equal(username, credential.username)
+        assert.are_not.equal(password, credential.password)
+        assert.equal(40, #credential.password)
+      end)
+    end)
+  end)
+
 end)