-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(authz-keycloak): dynamic scope and resource mapping. #3308
Merged
spacewander
merged 98 commits into
apache:master
from
jenskeiner:dynamic-scope-and-resource-mapping
Jan 27, 2021
Merged
Changes from 26 commits
Commits
Show all changes
98 commits
Select commit
Hold shift + click to select a range
b0b6165
Add our own mod of authz-keycloak plugin.
jenskeiner fd96cb6
Fix session id parameter name.
jenskeiner 8aedd89
Adjust Nginx config template to allow setting trusted TLS certificate…
jenskeiner 4336446
Fix plugin name.
jenskeiner 2d90fb4
Debugging.
jenskeiner 1c09d30
Query matching resources from server.
jenskeiner 6e36faf
Continue build out.
jenskeiner fc47492
More build out.
jenskeiner 51be98c
Add UMA discovery.
jenskeiner d16dd16
Remove audience parameter in favour of client_id.
jenskeiner 0deede0
Add request decorator.
jenskeiner 67d4823
Make token endpoint optional.
jenskeiner 5ddfe3d
Small fixes.
jenskeiner c032bfb
Add debug output.
jenskeiner 1ca808d
Polishing.
jenskeiner 2515ad5
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner 1d58f48
Add service account access token retrieval.
jenskeiner b5c6626
Smaller fixes.
jenskeiner 6d7749f
Add complete session management, including use of refresh tokens to r…
jenskeiner a73a702
Add lazy_load_paths and http_method_as_scope parameters and implement…
jenskeiner b9e9c80
Several fixes.
jenskeiner 65d491f
Several fixes.
jenskeiner be6cde9
Polishing.
jenskeiner fb4e0ad
Return Keycloak-style message when unable to resolve permission.
jenskeiner 6a9f12c
Update documentation.
jenskeiner 1ec673c
Remove temporary plugin version.
jenskeiner 6bcf69e
Breake some long lines.
jenskeiner be03eeb
Break some long lines and general polishing.
jenskeiner 38617bb
Fix linting error.
jenskeiner a92df4b
Fix linting errors.
jenskeiner 2d1ef83
Fix inting errors.
jenskeiner 63cde92
Fix linting error.
jenskeiner 6698f99
Add back deprecated audience attribute.
jenskeiner 7b7c5a9
Replace audience with client_id and add where necessary.
jenskeiner 5645de2
Fix syntax error.
jenskeiner 194425b
Make cache ttl configurable.
jenskeiner 536267f
Remove duplicate call to ngx.time().
jenskeiner ef7bc82
Move shared cache definition.
jenskeiner 3503df7
Don't require client_id or audience.
jenskeiner 71bb50a
Fix undefined variable reference.
jenskeiner 84e7a7f
Fix test for 401 Unauthorized case.
jenskeiner f423e40
Fix too long line.
jenskeiner 80fd821
Fix JSON schema.
jenskeiner cbae8b8
Revert previous change.
jenskeiner bf6d5f5
Add shared dictionary for authz-keycloak plugin.
jenskeiner f3773f6
Fix JSON schema syntax error.
jenskeiner 0ae4713
Fix and simplify JSON schema.
jenskeiner 2862111
Fix syntax error.
jenskeiner dd1240b
Add and fix tests.
jenskeiner bd4a929
Fix test case.
jenskeiner 42f4b16
Debugging.
jenskeiner ae02b89
Temporarily only run tests for authz-keycloak plugin.
jenskeiner d97f283
Add shared dictionary for discovery documents.
jenskeiner 1aea5d4
Fix syntax error.
jenskeiner 1203932
Debugging.
jenskeiner bd57d62
Fix incorrect reference to configuration entry.
jenskeiner 22793b5
Fix test case.
jenskeiner df9e0fa
Some minor adjustments.
jenskeiner a48ed60
Re-enable all test cases.
jenskeiner b7432a3
Attempt at fixing schema.
jenskeiner 8337437
Another attempt at fixing schema.
jenskeiner f7e06c6
Fix test case.
jenskeiner 26a59b9
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner f9b002a
Switch to updated Keycloak Docker image to enable testing of URI-to-r…
jenskeiner d7e98e6
Temporarily only test authz-keycloak plugin to spped up checks.
jenskeiner 9541bc2
Add test case to set up lazy_load_paths and http_method_as_scope.
jenskeiner 6bfd47f
Add tests to check Keycloak permissions mapped from URI and HTTP method.
jenskeiner af205a1
Debugging.
jenskeiner 0ad8601
Fix test cases.
jenskeiner c583cb5
Add fake endpoint for authz-keycloak plugin testing.
jenskeiner 46b9c1f
Remove debug code.
jenskeiner 697cdbe
Debugging.
jenskeiner 68ca6cc
Remove debug code after fixing Docker image.
jenskeiner 8b982aa
Cleanup.
jenskeiner a6ae71a
Fix CI build on Cent OS that's using an outdated Keycloak Docker image.
jenskeiner 3677dba
Revert nack to original image.
jenskeiner 3a399b8
And back to new image again.
jenskeiner 744e4e3
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner ea0ce90
Remove conflict markers that were left in unintentionally.
jenskeiner 334d4e9
Flip Keycloak image reference back to sshniro's repo.
jenskeiner d49dc53
Change Docker repo back to sshniro's.
jenskeiner 73d5e89
Trivial change to kick off checks again.
jenskeiner fa72cc5
Trivial hange to kick off checks again.
jenskeiner 32cea93
Align comment indent.
jenskeiner ab55569
Add documentation for cache_ttl_seconds attribute.
jenskeiner 59dccc9
Fix incorrect usage of boolean value.
jenskeiner 5ca93a5
Temporarily disable some unit tests to speed up checks.
jenskeiner 450ce05
Cleanup documentation, JSON schema, and HTTP handling.
jenskeiner e08224b
Fix syntax error.
jenskeiner e97d00d
Merge branch 'master_upstream' into dynamic-scope-and-resource-mapping
jenskeiner f2eabee
Fix syntax error.
jenskeiner ce2eb72
Cleanup.
jenskeiner caffeee
Fix syntax error.
jenskeiner 1f658d2
Fix test case.
jenskeiner 67a7fe7
Fix stray conf.http_request_decorator.
jenskeiner 977759f
Split test into two files.
jenskeiner c4c4449
Re-enable all tests.
jenskeiner 7a8460c
Fix test case numbering scheme.
jenskeiner File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -146,6 +146,9 @@ http { | |
lua_shared_dict jwks 1m; # cache for JWKs | ||
lua_shared_dict introspection 10m; # cache for JWT verification results | ||
|
||
# for authz-keycloak | ||
lua_shared_dict access_tokens 1m; # cache for service account access tokens | ||
|
||
# for custom shared dict | ||
{% if http.lua_shared_dicts then %} | ||
{% for cache_key, cache_size in pairs(http.lua_shared_dicts) do %} | ||
|
@@ -371,16 +374,16 @@ http { | |
{% end %} | ||
{% end %} {% -- if enable_ipv6 %} | ||
|
||
{% if ssl.ssl_trusted_certificate ~= nil then %} | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Moved this here since it was previously only used when APISIX itself was accepting HTTPS from the outside. But even if TLS is disabled, internally, plugins that send requests may still need to be able to use TLS and may have custom CA certs configured. |
||
lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *}; | ||
{% end %} | ||
|
||
{% if ssl.enable then %} | ||
ssl_certificate {* ssl.ssl_cert *}; | ||
ssl_certificate_key {* ssl.ssl_cert_key *}; | ||
ssl_session_cache shared:SSL:20m; | ||
ssl_session_timeout 10m; | ||
|
||
{% if ssl.ssl_trusted_certificate ~= nil then %} | ||
lua_ssl_trusted_certificate {* ssl.ssl_trusted_certificate *}; | ||
{% end %} | ||
|
||
ssl_protocols {* ssl.ssl_protocols *}; | ||
ssl_ciphers {* ssl.ssl_ciphers *}; | ||
ssl_prefer_server_ciphers on; | ||
|
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to add it after:
apisix/t/APISIX.pm
Line 248 in bbbdf58
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will do. Can you quickly explain the reason?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The configuration used in test is generated from
apisix/t/APISIX.pm
instead ofapisix/cli/ngx_tpl.lua
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, ok.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@spacewander Quick question: We also need a shared dict for the discovery documents. I have added that to
apisix/t/APISIX.pm
now as well. But I can't see other dicts that e.g. theopenid-connect
plugin needs in that file. How do the tests then run successfully w/o the dict definitions?