This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →


Dump basic auth password #4237

Closed
romanovskyj opened this issue Jan 24, 2019 · 5 comments
Labels
task/feature Requests for new features in Kong

Comments

@romanovskyj

Summary

I am working on a CLI tool for exporting/importing Kong configuration. It looks like it is not possible to export/import the basic-auth password: when we run a GET on /consumers/{consumer_id}/basic-auth we only get a password hash, but we are not able to apply it to a new Kong instance.

In this case, it looks like if the Kong DB has some disaster, it will not be possible to recreate basic-auth entities using the API, as it is not possible to dump passwords.

I understand that it is not good practice to have an API response with a plain password, so I think the solution could be the possibility of creating basic-auth entities by specifying the password hash, not the password itself.

Steps To Reproduce

  1. Create a consumer:

        curl -i -X POST \
          --url http://localhost:8001/consumers/ \
          --data "username=Jason"

  2. Create a basic auth credential:

        curl -i -X POST \
          --url http://localhost:8001/consumers/Jason/basic-auth/ \
          --data 'username=jason&password=password'

  3. Get the basic auth credential:

        {
            "total": 1,
            "data": [
                {
                    "created_at": 1548310716000,
                    "id": "6e90172e-00bb-42a3-83b6-3b48b74ba498",
                    "password": "9b1db67006dde859bb8f697f9752e209e90b3b63",
                    "username": "jason",
                    "consumer_id": "e798641f-f52b-403d-80a7-0b971ab3dbd7"
                }
            ]
        }

  4. See that the password is hashed and you can do nothing with the hash.

Additional Details & Logs

  • Kong version (0.14)
@p0pr0ck5
Contributor

Related to #1237 - to be able to re-export the basic auth credentials, they would need to be symmetrically encrypted.

@p0pr0ck5
Contributor

Also worth noting that basic-auth passwords are currently salted with the ID of that credential's consumer object, before being SHA'd. So if your restore process PUTs the exported Consumer and retains the original UUID, you can also re-insert the password hash directly into the DB. This is not easy to automate as it requires direct DB access (there's no way to bypass the hash function in the Admin API), but it is possible (I've used it in a DR situation).
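As an added illustration of the salting point above (this is example code, not from the issue or from Kong): a check a restore job could run to confirm that re-imported consumers kept their UUIDs, since the stored digest is derived from the password and the consumer UUID and a regenerated UUID silently makes the exported hash useless. The concatenation order password || consumer_id and the sample identifiers are assumptions.

```python
import hashlib
import uuid

# Constructed sample consumer UUID (not the one from the issue).
CONSUMER_ID = "11111111-2222-4333-8444-555555555555"


def kong_basic_auth_hash(password: str, consumer_id: str) -> str:
    """Recompute the stored digest as hex(SHA-1(password || consumer_id)).

    The thread states that the consumer UUID is the salt and the result is
    SHA-1 (40 hex chars); the concatenation order is assumed here.
    """
    return hashlib.sha1((password + consumer_id).encode("utf-8")).hexdigest()


def check_restore(exported: list, restored: list) -> list:
    """Compare exported basic-auth records with those read back after a
    restore. Returns human-readable problems; an empty list means every
    credential kept both its consumer UUID and its stored hash."""
    problems = []
    by_user = {rec["username"]: rec for rec in restored}
    for rec in exported:
        new = by_user.get(rec["username"])
        if new is None:
            problems.append(f"{rec['username']}: credential missing after restore")
        elif new["consumer_id"] != rec["consumer_id"]:
            # A fresh UUID changes the salt, so the exported hash can never
            # verify the original password on the restored consumer.
            problems.append(f"{rec['username']}: consumer UUID changed, exported hash unusable")
        elif new["password"] != rec["password"]:
            problems.append(f"{rec['username']}: stored hash differs from export")
    return problems


def demo() -> list:
    """Constructed export plus two restore attempts: one that PUTs the
    consumer with its original UUID and one that lets Kong mint a new one."""
    exported = [{"username": "jason", "consumer_id": CONSUMER_ID,
                 "password": kong_basic_auth_hash("correct horse", CONSUMER_ID)}]
    kept_uuid = [dict(exported[0])]
    new_uuid = [dict(exported[0], consumer_id=str(uuid.uuid4()))]
    return [check_restore(exported, kept_uuid), check_restore(exported, new_uuid)]


if __name__ == "__main__":
    ok, broken = demo()
    print("UUID retained:", ok or "no problems")
    print("UUID regenerated:", broken)
```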

@romanovskyj
Author

Got it, thanks for the clarification. Yes, you are right, it is a bit hard to access the Kong DB directly from the CLI client, and I am not sure if it is the appropriate way.

I understand that this issue is just a feature request, but in general, what do you think of the solution where it is possible to specify the password hash, not only the password itself? Is it conceptually right or not?

@zkendall

zkendall commented Feb 7, 2019

> if kong DB has some disaster

Wouldn't you want to manage this like any other application-data and back it up on the DB level, not through REST APIs?

@romanovskyj
Author

For a DB disaster a backup is possible, you are right, but for tracking the config history or propagating similar config to other instances (dev/stage/prod) I am afraid it is not enough.

@guanlan guanlan closed this as completed May 26, 2021
@Kong Kong locked and limited conversation to collaborators May 26, 2021
