refactor(basic-auth) use dao transformations with basic auth credentials

Also removes the need to use custom dao. This works as a showcase for
dao-transformations. Fix Kong#4893.

kong-1.3.0-0.rockspec

@@ -215,7 +215,6 @@ build = {
     ["kong.plugins.basic-auth.access"] = "kong/plugins/basic-auth/access.lua",
     ["kong.plugins.basic-auth.schema"] = "kong/plugins/basic-auth/schema.lua",
     ["kong.plugins.basic-auth.daos"] = "kong/plugins/basic-auth/daos.lua",
-    ["kong.plugins.basic-auth.basicauth_credentials"] = "kong/plugins/basic-auth/basicauth_credentials.lua",
 
     ["kong.plugins.key-auth.migrations"] = "kong/plugins/key-auth/migrations/init.lua",
     ["kong.plugins.key-auth.migrations.000_base_key_auth"] = "kong/plugins/key-auth/migrations/000_base_key_auth.lua",

kong/plugins/basic-auth/daos.lua

@@ -1,25 +1,34 @@
 local typedefs = require "kong.db.schema.typedefs"
+local crypto = require "kong.plugins.basic-auth.crypto"
 
 
 return {
   basicauth_credentials = {
-    dao = "kong.plugins.basic-auth.basicauth_credentials",
     name = "basicauth_credentials",
     primary_key = { "id" },
     cache_key = { "username" },
     endpoint_key = "username",
-    -- Passwords are hashed on insertion, so the exported passwords would be encrypted.
-    -- Importing them back would require "plain" unencrypted passwords instead
+    -- Passwords are hashed, so the exported passwords would contain the hashes.
+    -- Importing them back would require "plain" non-hashed passwords instead.
     db_export = false,
     admin_api_name = "basic-auths",
     admin_api_nested_name = "basic-auth",
     fields = {
       { id = typedefs.uuid },
       { created_at = typedefs.auto_timestamp_s },
-      { consumer = { type = "foreign", reference = "consumers", required = true, on_delete = "cascade", }, },
+      { consumer = { type = "foreign", reference = "consumers", required = true, on_delete = "cascade" }, },
       { username = { type = "string", required = true, unique = true }, },
       { password = { type = "string", required = true }, },
       { tags     = typedefs.tags },
     },
+    transformations = {
+      {
+        input = { "password" },
+        needs = { "consumer.id" },
+        on_write = function(password, consumer_id)
+          return { password = crypto.hash(consumer_id, password) }
+        end,
+      },
+    },
   },
 }

spec/02-integration/03-db/02-db_core_entities_spec.lua

@@ -423,6 +423,7 @@ for _, strategy in helpers.each_strategy() do
           local fake_id = utils.uuid()
           local credentials, _, err_t = db.basicauth_credentials:insert({
             username = "peter",
+            password = "pan",
             consumer = { id = fake_id },
           })
 

spec/03-plugins/10-basic-auth/02-api_spec.lua

@@ -69,6 +69,7 @@ for _, strategy in helpers.each_strategy() do
             path    = "/consumers/bob/basic-auth/",
             body    = {
               username = "bobby",
+              password = "kong",
               tags     = { "tag1", "tag2" },
             },
             headers = {
@@ -135,7 +136,10 @@ for _, strategy in helpers.each_strategy() do
             })
             local body = assert.res_status(400, res)
             local json = cjson.decode(body)
-            assert.same({ username = "required field missing" }, json.fields)
+            assert.same({
+              username = "required field missing",
+              password = "required field missing",
+            }, json.fields)
           end)
           it("cannot create two identical usernames", function()
             local res = assert(admin_client:send {
@@ -273,7 +277,10 @@ for _, strategy in helpers.each_strategy() do
             })
             local body = assert.res_status(400, res)
             local json = cjson.decode(body)
-            assert.same({ username  = "expected a string" }, json.fields)
+            assert.same({
+              username  = "expected a string",
+              password = "required field missing",
+            }, json.fields)
           end)
         end)
       end)
@@ -401,14 +408,16 @@ for _, strategy in helpers.each_strategy() do
           db:truncate("basicauth_credentials")
           bp.basicauth_credentials:insert {
             consumer = { id = consumer.id },
-            username = "bob"
+            username = "bob",
+            password = "secret",
           }
           consumer2 = bp.consumers:insert {
             username = "bob-the-buidler"
           }
           bp.basicauth_credentials:insert {
             consumer = { id = consumer2.id },
-            username = "bob-the-buidler"
+            username = "bob-the-buidler",
+            password = "secret",
           }
         end)
         it("retrieves all the basic-auths with trailing slash", function()
@@ -480,7 +489,7 @@ for _, strategy in helpers.each_strategy() do
           })
           local body = assert.res_status(400, res)
           local json = cjson.decode(body)
-          assert.same("schema violation (consumer: required field missing)", json.message)
+          assert.same("2 schema violations (consumer: required field missing; password: required field missing)", json.message)
         end)
 
         it("creates basic-auth credential", function()
@@ -489,6 +498,7 @@ for _, strategy in helpers.each_strategy() do
             path = "/basic-auths",
             body = {
               username = "bob",
+              password = "test",
               consumer = {
                 id = consumer.id
               }
@@ -505,6 +515,35 @@ for _, strategy in helpers.each_strategy() do
     end)
 
     describe("/basic-auths/:username_or_id", function()
+      describe("PATCH", function()
+        local consumer2
+
+        lazy_setup(function()
+          consumer2 = bp.consumers:insert({
+            username = "john"
+          })
+        end)
+
+        it("does not allow updating consumer as it would invalidate the password", function()
+          local res = assert(admin_client:send {
+            method = "PATCH",
+            path = "/basic-auths/bob",
+            body = {
+              consumer = {
+                id = consumer2.id
+              }
+            },
+            headers = {
+              ["Content-Type"] = "application/json"
+            }
+          })
+
+          local body = assert.res_status(400, res)
+          local json = cjson.decode(body)
+          assert.same("schema violation (all or none of these fields must be set: 'password', 'consumer.id')", json.message)
+        end)
+      end)
+
       describe("PUT", function()
         lazy_setup(function()
           db:truncate("basicauth_credentials")
@@ -522,14 +561,15 @@ for _, strategy in helpers.each_strategy() do
           })
           local body = assert.res_status(400, res)
           local json = cjson.decode(body)
-          assert.same("schema violation (consumer: required field missing)", json.message)
+          assert.same("2 schema violations (consumer: required field missing; password: required field missing)", json.message)
         end)
 
         it("creates basic-auth credential", function()
           local res = assert(admin_client:send {
             method = "PUT",
             path = "/basic-auths/bob",
             body = {
+              password = "secret",
               consumer = {
                 id = consumer.id
               }
@@ -552,7 +592,8 @@ for _, strategy in helpers.each_strategy() do
           db:truncate("basicauth_credentials")
           credential = bp.basicauth_credentials:insert {
             consumer = { id = consumer.id },
-            username = "bob"
+            username = "bob",
+            password = "secret",
           }
         end)
         it("retrieve consumer from a basic-auth id", function()