fix(authz-keycloak): do not expose internal errors to the client (#6854)
tzssangglass authored and spacewander committed Jun 30, 2022
1 parent 669266b commit 64e5c88
Showing 2 changed files with 80 additions and 7 deletions.
14 changes: 7 additions & 7 deletions apisix/plugins/authz-keycloak.lua
Expand Up @@ -721,13 +721,13 @@ local function generate_token_using_password_grant(conf,ctx)

if not username then
local err = "username is missing."
log.error(err)
return 422, err
log.warn(err)
return 422, {message = err}
end
if not password then
local err = "password is missing."
log.error(err)
return 422, err
log.warn(err)
return 422, {message = err}
end

local client_id = authz_keycloak_get_client_id(conf)
Expand All @@ -737,7 +737,7 @@ local function generate_token_using_password_grant(conf,ctx)
if not token_endpoint then
local err = "Unable to determine token endpoint."
log.error(err)
return 503, err
return 503, {message = err}
end
local httpc = authz_keycloak_get_http_client(conf)

Expand All @@ -763,7 +763,7 @@ local function generate_token_using_password_grant(conf,ctx)
err = "Accessing token endpoint URL (" .. token_endpoint
.. ") failed: " .. err
log.error(err)
return 401, {message = err}
return 401, {message = "Accessing token endpoint URL failed."}
end

log.debug("Response data: " .. res.body)
Expand All @@ -773,7 +773,7 @@ local function generate_token_using_password_grant(conf,ctx)
err = "Could not decode JSON from response"
.. (err and (": " .. err) or '.')
log.error(err)
return 401, {message = err}
return 401, {message = "Could not decode JSON from response."}
end

return res.status, res.body
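Review bot: The new line `return 401, {message = "Accessing token endpoint URL failed."}` reports a transport failure when contacting the token endpoint as an authentication failure, while the same function's new line for an undeterminable endpoint returns 503, so a client cannot tell bad credentials apart from an unreachable Keycloak. Consider `return 503, {message = "Accessing token endpoint URL failed."}` so the two infrastructure failures agree; the following decode failure (`Could not decode JSON from response.`) is likewise not a credential problem, so the same consideration presumably applies there. The detailed error including the endpoint URL still goes to the error log, which is the right place for it. generate_token_using_password_grant begins above the first hunk and continues past the last one.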
73 changes: 73 additions & 0 deletions t/plugin/authz-keycloak.t
Expand Up @@ -623,3 +623,76 @@ GET /t
true
--- no_error_log
[error]



=== TEST 19: no username or password
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"authz-keycloak": {
"token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#view"],
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
"timeout": 3000,
"ssl_verify": false,
"password_grant_token_generation_incoming_uri": "/api/token"
}
},
"upstream": {
"nodes": {
"127.0.0.1:1982": 1
},
"type": "roundrobin"
},
"uri": "/api/token"
}]]
)

if code >= 300 then
ngx.status = code
end

local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/api/token"
local headers = {
["Content-Type"] = "application/x-www-form-urlencoded",
}

-- no username
local res, err = httpc:request_uri(uri, {
method = "POST",
headers = headers,
body = ngx.encode_args({
password = "123456",
}),
})
ngx.print(res.body)

-- no password
local res, err = httpc:request_uri(uri, {
method = "POST",
headers = headers,
body = ngx.encode_args({
username = "teacher@gmail.com",
}),
})
ngx.print(res.body)
}
}
--- request
GET /t
--- response_body
{"message":"username is missing."}
{"message":"password is missing."}
--- no_error_log
[error]
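Review bot: The new test checks only the response bodies and never the status code, so `ngx.print(res.body)` after each request cannot show whether the plugin actually returned 422 for the missing credential. Print the status next to the body, e.g. `ngx.say(res.status)` before each `ngx.print(res.body)`, and extend `--- response_body` with the two expected status lines. `res` is also used without a nil check; if the request itself fails the test dies on a nil index instead of reporting `err`, which `if not res then ngx.say(err) return end` would make readable. The second `local res, err` shadows the first; reusing the variables with a plain assignment avoids the luacheck warning.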
