feat(authz-keycloak): dynamic scope and resource mapping. #3308

Merged

98 commits
b0b6165
Add our own mod of authz-keycloak plugin.
jenskeiner Jan 11, 2021
fd96cb6
Fix session id parameter name.
jenskeiner Jan 11, 2021
8aedd89
Adjust Nginx config template to allow setting trusted TLS certificate…
jenskeiner Jan 11, 2021
4336446
Fix plugin name.
jenskeiner Jan 11, 2021
2d90fb4
Debugging.
jenskeiner Jan 12, 2021
1c09d30
Query matching resources from server.
jenskeiner Jan 12, 2021
6e36faf
Continue build out.
jenskeiner Jan 12, 2021
fc47492
More build out.
jenskeiner Jan 12, 2021
51be98c
Add UMA discovery.
jenskeiner Jan 12, 2021
d16dd16
Remove audience parameter in favour of client_id.
jenskeiner Jan 12, 2021
0deede0
Add request decorator.
jenskeiner Jan 12, 2021
67d4823
Make token endpoint optional.
jenskeiner Jan 12, 2021
5ddfe3d
Small fixes.
jenskeiner Jan 12, 2021
c032bfb
Add debug output.
jenskeiner Jan 12, 2021
1ca808d
Polishing.
jenskeiner Jan 12, 2021
2515ad5
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner Jan 14, 2021
1d58f48
Add service account access token retrieval.
jenskeiner Jan 14, 2021
b5c6626
Smaller fixes.
jenskeiner Jan 14, 2021
6d7749f
Add complete session management, including use of refresh tokens to r…
jenskeiner Jan 14, 2021
a73a702
Add lazy_load_paths and http_method_as_scope parameters and implement…
jenskeiner Jan 14, 2021
b9e9c80
Several fixes.
jenskeiner Jan 15, 2021
65d491f
Several fixes.
jenskeiner Jan 15, 2021
be6cde9
Polishing.
jenskeiner Jan 15, 2021
fb4e0ad
Return Keycloak-style message when unable to resolve permission.
jenskeiner Jan 15, 2021
6a9f12c
Update documentation.
jenskeiner Jan 15, 2021
1ec673c
Remove temporary plugin version.
jenskeiner Jan 15, 2021
6bcf69e
Break some long lines.
jenskeiner Jan 15, 2021
be03eeb
Break some long lines and general polishing.
jenskeiner Jan 15, 2021
38617bb
Fix linting error.
jenskeiner Jan 15, 2021
a92df4b
Fix linting errors.
jenskeiner Jan 15, 2021
2d1ef83
Fix linting errors.
jenskeiner Jan 15, 2021
63cde92
Fix linting error.
jenskeiner Jan 15, 2021
6698f99
Add back deprecated audience attribute.
jenskeiner Jan 18, 2021
7b7c5a9
Replace audience with client_id and add where necessary.
jenskeiner Jan 18, 2021
5645de2
Fix syntax error.
jenskeiner Jan 18, 2021
194425b
Make cache ttl configurable.
jenskeiner Jan 18, 2021
536267f
Remove duplicate call to ngx.time().
jenskeiner Jan 18, 2021
ef7bc82
Move shared cache definition.
jenskeiner Jan 18, 2021
3503df7
Don't require client_id or audience.
jenskeiner Jan 18, 2021
71bb50a
Fix undefined variable reference.
jenskeiner Jan 18, 2021
84e7a7f
Fix test for 401 Unauthorized case.
jenskeiner Jan 18, 2021
f423e40
Fix too long line.
jenskeiner Jan 18, 2021
80fd821
Fix JSON schema.
jenskeiner Jan 18, 2021
cbae8b8
Revert previous change.
jenskeiner Jan 18, 2021
bf6d5f5
Add shared dictionary for authz-keycloak plugin.
jenskeiner Jan 18, 2021
f3773f6
Fix JSON schema syntax error.
jenskeiner Jan 18, 2021
0ae4713
Fix and simplify JSON schema.
jenskeiner Jan 18, 2021
2862111
Fix syntax error.
jenskeiner Jan 18, 2021
dd1240b
Add and fix tests.
jenskeiner Jan 18, 2021
bd4a929
Fix test case.
jenskeiner Jan 18, 2021
42f4b16
Debugging.
jenskeiner Jan 18, 2021
ae02b89
Temporarily only run tests for authz-keycloak plugin.
jenskeiner Jan 18, 2021
d97f283
Add shared dictionary for discovery documents.
jenskeiner Jan 18, 2021
1aea5d4
Fix syntax error.
jenskeiner Jan 18, 2021
1203932
Debugging.
jenskeiner Jan 18, 2021
bd57d62
Fix incorrect reference to configuration entry.
jenskeiner Jan 18, 2021
22793b5
Fix test case.
jenskeiner Jan 18, 2021
df9e0fa
Some minor adjustments.
jenskeiner Jan 18, 2021
a48ed60
Re-enable all test cases.
jenskeiner Jan 18, 2021
b7432a3
Attempt at fixing schema.
jenskeiner Jan 18, 2021
8337437
Another attempt at fixing schema.
jenskeiner Jan 18, 2021
f7e06c6
Fix test case.
jenskeiner Jan 18, 2021
26a59b9
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner Jan 19, 2021
f9b002a
Switch to updated Keycloak Docker image to enable testing of URI-to-r…
jenskeiner Jan 19, 2021
d7e98e6
Temporarily only test authz-keycloak plugin to speed up checks.
jenskeiner Jan 19, 2021
9541bc2
Add test case to set up lazy_load_paths and http_method_as_scope.
jenskeiner Jan 19, 2021
6bfd47f
Add tests to check Keycloak permissions mapped from URI and HTTP method.
jenskeiner Jan 19, 2021
af205a1
Debugging.
jenskeiner Jan 19, 2021
0ad8601
Fix test cases.
jenskeiner Jan 19, 2021
c583cb5
Add fake endpoint for authz-keycloak plugin testing.
jenskeiner Jan 19, 2021
46b9c1f
Remove debug code.
jenskeiner Jan 19, 2021
697cdbe
Debugging.
jenskeiner Jan 19, 2021
68ca6cc
Remove debug code after fixing Docker image.
jenskeiner Jan 19, 2021
8b982aa
Cleanup.
jenskeiner Jan 19, 2021
a6ae71a
Fix CI build on Cent OS that's using an outdated Keycloak Docker image.
jenskeiner Jan 19, 2021
3677dba
Revert back to original image.
jenskeiner Jan 19, 2021
3a399b8
And back to new image again.
jenskeiner Jan 19, 2021
744e4e3
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner Jan 20, 2021
ea0ce90
Remove conflict markers that were left in unintentionally.
jenskeiner Jan 20, 2021
334d4e9
Flip Keycloak image reference back to sshniro's repo.
jenskeiner Jan 20, 2021
d49dc53
Change Docker repo back to sshniro's.
jenskeiner Jan 20, 2021
73d5e89
Trivial change to kick off checks again.
jenskeiner Jan 20, 2021
fa72cc5
Trivial change to kick off checks again.
jenskeiner Jan 20, 2021
32cea93
Align comment indent.
jenskeiner Jan 20, 2021
ab55569
Add documentation for cache_ttl_seconds attribute.
jenskeiner Jan 21, 2021
59dccc9
Fix incorrect usage of boolean value.
jenskeiner Jan 21, 2021
5ca93a5
Temporarily disable some unit tests to speed up checks.
jenskeiner Jan 21, 2021
450ce05
Cleanup documentation, JSON schema, and HTTP handling.
jenskeiner Jan 21, 2021
e08224b
Fix syntax error.
jenskeiner Jan 21, 2021
e97d00d
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner Jan 21, 2021
f2eabee
Fix syntax error.
jenskeiner Jan 21, 2021
ce2eb72
Cleanup.
jenskeiner Jan 21, 2021
caffeee
Fix syntax error.
jenskeiner Jan 21, 2021
1f658d2
Fix test case.
jenskeiner Jan 21, 2021
67a7fe7
Fix stray conf.http_request_decorator.
jenskeiner Jan 21, 2021
977759f
Split test into two files.
jenskeiner Jan 21, 2021
c4c4449
Re-enable all tests.
jenskeiner Jan 21, 2021
7a8460c
Fix test case numbering scheme.
jenskeiner Jan 21, 2021
2 changes: 1 addition & 1 deletion .github/workflows/centos7-ci.yml
Expand Up @@ -68,7 +68,7 @@ jobs:
run: |
docker run --rm -itd -p 6379:6379 --name apisix_redis redis:3.0-alpine
docker run --rm -itd -e HTTP_PORT=8888 -e HTTPS_PORT=9999 -p 8888:8888 -p 9999:9999 mendhak/http-https-echo
docker run --rm -itd -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 -p 8443:8443 sshniro/keycloak-apisix
docker run --rm -itd -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 -p 8443:8443 sshniro/keycloak-apisix:1.0.0
docker network create kafka-net --driver bridge
docker run --name zookeeper-server -d -p 2181:2181 --network kafka-net -e ALLOW_ANONYMOUS_LOGIN=yes bitnami/zookeeper:3.6.0
docker run --name kafka-server1 -d --network kafka-net -e ALLOW_PLAINTEXT_LISTENER=yes -e KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper-server:2181 -e KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092 -p 9092:9092 -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true bitnami/kafka:latest
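Review bot: pinning the Keycloak test image to sshniro/keycloak-apisix:1.0.0 instead of the floating default tag makes this CI job reproducible, but the identical docker run line is duplicated in .travis/linux_openresty_common_runner.sh and the commit history of this PR shows the image reference being flipped back and forth several times; consider defining the image reference once (for example in an environment variable both runners read) so the two CI paths cannot drift apart again. A Docker Hub tag is still mutable, so if the goal is a fully reproducible test environment, pin by digest as well (`sshniro/keycloak-apisix:1.0.0@sha256:<digest of the tested image>`).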
2 changes: 1 addition & 1 deletion .travis/linux_openresty_common_runner.sh
Expand Up @@ -24,7 +24,7 @@ before_install() {
docker run --rm -itd -p 6379:6379 --name apisix_redis redis:3.0-alpine
docker run --rm -itd -e HTTP_PORT=8888 -e HTTPS_PORT=9999 -p 8888:8888 -p 9999:9999 mendhak/http-https-echo
# Runs Keycloak version 10.0.2 with inbuilt policies for unit tests
docker run --rm -itd -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 -p 8443:8443 sshniro/keycloak-apisix
docker run --rm -itd -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:8080 -p 8443:8443 sshniro/keycloak-apisix:1.0.0
# spin up kafka cluster for tests (1 zookeper and 1 kafka instance)
docker pull bitnami/zookeeper:3.6.0
docker pull bitnami/kafka:latest
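Review bot: the comment directly above the changed docker run line ("Runs Keycloak version 10.0.2 with inbuilt policies for unit tests") was written for the previous image; the commit message for this change says the image was updated so the URI-to-resource mapping could be tested, so confirm that sshniro/keycloak-apisix:1.0.0 still ships Keycloak 10.0.2 and amend the comment if it does not, and mention that the image now also carries the resources and scopes exercised by the lazy_load_paths / http_method_as_scope tests.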
11 changes: 7 additions & 4 deletions apisix/cli/ngx_tpl.lua
Expand Up @@ -146,6 +146,9 @@ http {
lua_shared_dict jwks 1m; # cache for JWKs
lua_shared_dict introspection 10m; # cache for JWT verification results

# for authz-keycloak
lua_shared_dict access_tokens 1m; # cache for service account access tokens
Member
Need to add it after:

lua_shared_dict skywalking-tracing-buffer 100m;

Contributor Author
Will do. Can you quickly explain the reason?

Member
The configuration used in test is generated from apisix/t/APISIX.pm instead of apisix/cli/ngx_tpl.lua.

Contributor Author
Ah, ok.

Contributor Author
@spacewander Quick question: We also need a shared dict for the discovery documents. I have added that to apisix/t/APISIX.pm now as well. But I can't see other dicts that e.g. the openid-connect plugin needs in that file. How do the tests then run successfully w/o the dict definitions?


# for custom shared dict
{% if http.lua_shared_dicts then %}
{% for cache_key, cache_size in pairs(http.lua_shared_dicts) do %}
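Review bot: only one authz-keycloak dictionary (`lua_shared_dict access_tokens 1m;`) is declared here, but the thread on this hunk and commit d97f283 say the plugin also needs a shared dictionary for the discovery documents; since apisix/cli/ngx_tpl.lua is what a real deployment is generated from (the tests use apisix/t/APISIX.pm, as the thread notes), a dict missing from this template would only surface at runtime in production, so declare both dicts here with exactly the names the plugin resolves. Because `access_tokens` holds service-account bearer tokens, please also document how cache_ttl_seconds (commit 194425b) relates to the token's own expiry, so that a cached token is not reused after Keycloak has expired it, and state the assumption behind the 1m size (how many distinct client/token-endpoint pairs it is expected to hold).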
Expand Down Expand Up @@ -383,16 +386,16 @@ http {
{% end %}
{% end %} {% -- if enable_ipv6 %}

{% if ssl.ssl_trusted_certificate ~= nil then %}
Contributor Author
Moved this here since it was previously only used when APISIX itself was accepting HTTPS from the outside. But even if TLS is disabled, internally, plugins that send requests may still need to be able to use TLS and may have custom CA certs configured.

lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
{% end %}

{% if ssl.enable then %}
ssl_certificate {* ssl.ssl_cert *};
ssl_certificate_key {* ssl.ssl_cert_key *};
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

{% if ssl.ssl_trusted_certificate ~= nil then %}
lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *};
{% end %}

ssl_protocols {* ssl.ssl_protocols *};
ssl_ciphers {* ssl.ssl_ciphers *};
ssl_prefer_server_ciphers on;
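Review bot: moving `lua_ssl_trusted_certificate` out of the `{% if ssl.enable then %}` block is the right fix for outbound TLS from plugins (authz-keycloak contacts the Keycloak token and UMA endpoints), but the only explanation of the move is the author's review comment above, so add a short comment in the template itself stating that ssl.ssl_trusted_certificate now governs certificate verification for Lua HTTP clients regardless of whether APISIX terminates TLS, and update the documentation of that option in the same PR, including what plugins can verify against when the option is left unset.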