From b14c2e1f5b30db8522699eadf0d29c2d0b059893 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Wed, 18 Aug 2021 02:51:28 +0800
Subject: [PATCH 1/3] fix(authz-keycloak): set default permissions as empty table when lazy_load_path is false

---
 apisix/plugins/authz-keycloak.lua |  6 ++++-
 t/plugin/authz-keycloak.t         | 42 +++++++++++++++++++++++++------
 2 files changed, 39 insertions(+), 9 deletions(-)

diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua
index 9a1c16c8fb85..0dbac3601d47 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -51,7 +51,8 @@ local schema = {
                 type = "string",
                 minLength = 1, maxLength = 100
             },
-            uniqueItems = true
+            uniqueItems = true,
+            default = {}
         },
         lazy_load_paths = {type = "boolean", default = false},
         http_method_as_scope = {type = "boolean", default = false},
@@ -83,6 +84,9 @@ local schema = {
                 {
                     properties = {
                         lazy_load_paths = {enum = {false}},
+                    },
+                    anyOf = {
+                        {required = {"permissions"}}
                     }
                 },
                 {
diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t
index 02c9c5cec13f..ae395b4bd346 100644
--- a/t/plugin/authz-keycloak.t
+++ b/t/plugin/authz-keycloak.t
@@ -152,7 +152,33 @@ done
 
 
 
-=== TEST 6: full schema check
+=== TEST 6: no permissions when lazy_load_paths=false
+--- config
+    location /t {
+        content_by_lua_block {
+            local plugin = require("apisix.plugins.authz-keycloak")
+            local ok, err = plugin.check_schema({
+                token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
+                client_id = "University",
+                lazy_load_paths = false
+            })
+            if not ok then
+                ngx.say(err)
+            end
+
+            ngx.say("done")
+        }
+    }
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+[error]
+
+
+
+=== TEST 7: full schema check
 --- config
     location /t {
         content_by_lua_block {
@@ -192,7 +218,7 @@ done
 
 
 
-=== TEST 7: token_endpoint and discovery both missing
+=== TEST 8: token_endpoint and discovery both missing
 --- config
     location /t {
         content_by_lua_block {
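Review bot: The new `default = {}` under `uniqueItems` makes a route that omits `permissions` while `lazy_load_paths` is false validate silently, and nothing at the field says what an empty list means for enforcement; TEST 15 added later in this series shows an ENFORCING route in that state answering `access_denied`/`not_authorized` to every request, which is the fail-closed outcome but indistinguishable from a Keycloak refusal for an operator who merely forgot the list. I would document that at the field, e.g. `-- empty by default: with lazy_load_paths = false there is no permission to check, so ENFORCING denies every request (t/plugin/authz-keycloak.t TEST 15); PERMISSIVE presumably lets them through -- confirm`. Whether PERMISSIVE mode admits requests with an empty list is not visible in this series, so the comment should stay hedged until checked against evaluate path. The `schema` table begins and ends outside the hunk.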
@@ -215,7 +241,7 @@ done
 
 
 
-=== TEST 8: client_id and audience both missing
+=== TEST 9: client_id and audience both missing
 --- config
     location /t {
         content_by_lua_block {
@@ -238,7 +264,7 @@ done
 
 
 
-=== TEST 9: resource_registration_endpoint and discovery both missing and lazy_load_paths is true
+=== TEST 10: resource_registration_endpoint and discovery both missing and lazy_load_paths is true
 --- config
     location /t {
         content_by_lua_block {
@@ -265,7 +291,7 @@ done
 
 
 
-=== TEST 10: Add https endpoint with ssl_verify true (default)
+=== TEST 11: Add https endpoint with ssl_verify true (default)
 --- config
     location /t {
         content_by_lua_block {
@@ -331,7 +357,7 @@ passed
 
 
 
-=== TEST 11: TEST with fake token and https endpoint
+=== TEST 12: TEST with fake token and https endpoint
 --- config
     location /t {
         content_by_lua_block {
@@ -361,7 +387,7 @@ Error while sending authz request to https://127.0.0.1:8443/auth/realms/Universi
 
 
 
-=== TEST 12: Add https endpoint with ssl_verify false
+=== TEST 13: Add https endpoint with ssl_verify false
 --- config
     location /t {
         content_by_lua_block {
@@ -429,7 +455,7 @@ passed
 
 
 
-=== TEST 13: TEST for https based token verification with ssl_verify false
+=== TEST 14: TEST for https based token verification with ssl_verify false
 --- config
     location /t {
         content_by_lua_block {

From 4a5db81e026c13f968b5819890d5d478926459a5 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Wed, 18 Aug 2021 04:17:09 +0800
Subject: [PATCH 2/3] resolve code review

---
 apisix/plugins/authz-keycloak.lua |  3 ---
 t/plugin/authz-keycloak.t         | 42 ++++++------------------------
 2 files changed, 8 insertions(+), 37 deletions(-)

diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua
index 0dbac3601d47..acb4fea5dcbe 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -84,9 +84,6 @@ local schema = {
                 {
                     properties = {
                         lazy_load_paths = {enum = {false}},
-                    },
-                    anyOf = {
-                        {required = {"permissions"}}
                     }
                 },
                 {
diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t
index ae395b4bd346..02c9c5cec13f 100644
--- a/t/plugin/authz-keycloak.t
+++ b/t/plugin/authz-keycloak.t
@@ -152,33 +152,7 @@ done
 
 
 
-=== TEST 6: no permissions when lazy_load_paths=false
---- config
-    location /t {
-        content_by_lua_block {
-            local plugin = require("apisix.plugins.authz-keycloak")
-            local ok, err = plugin.check_schema({
-                token_endpoint = "https://host.domain/auth/realms/foo/protocol/openid-connect/token",
-                client_id = "University",
-                lazy_load_paths = false
-            })
-            if not ok then
-                ngx.say(err)
-            end
-
-            ngx.say("done")
-        }
-    }
---- request
-GET /t
---- response_body
-done
---- no_error_log
-[error]
-
-
-
-=== TEST 7: full schema check
+=== TEST 6: full schema check
 --- config
     location /t {
         content_by_lua_block {
@@ -218,7 +192,7 @@ done
 
 
 
-=== TEST 8: token_endpoint and discovery both missing
+=== TEST 7: token_endpoint and discovery both missing
 --- config
     location /t {
         content_by_lua_block {
@@ -241,7 +215,7 @@ done
 
 
 
-=== TEST 9: client_id and audience both missing
+=== TEST 8: client_id and audience both missing
 --- config
     location /t {
         content_by_lua_block {
@@ -264,7 +238,7 @@ done
 
 
 
-=== TEST 10: resource_registration_endpoint and discovery both missing and lazy_load_paths is true
+=== TEST 9: resource_registration_endpoint and discovery both missing and lazy_load_paths is true
 --- config
     location /t {
         content_by_lua_block {
@@ -291,7 +265,7 @@ done
 
 
 
-=== TEST 11: Add https endpoint with ssl_verify true (default)
+=== TEST 10: Add https endpoint with ssl_verify true (default)
 --- config
     location /t {
         content_by_lua_block {
@@ -357,7 +331,7 @@ passed
 
 
 
-=== TEST 12: TEST with fake token and https endpoint
+=== TEST 11: TEST with fake token and https endpoint
 --- config
     location /t {
         content_by_lua_block {
@@ -387,7 +361,7 @@ Error while sending authz request to https://127.0.0.1:8443/auth/realms/Universi
 
 
 
-=== TEST 13: Add https endpoint with ssl_verify false
+=== TEST 12: Add https endpoint with ssl_verify false
 --- config
     location /t {
         content_by_lua_block {
@@ -455,7 +429,7 @@ passed
 
 
 
-=== TEST 14: TEST for https based token verification with ssl_verify false
+=== TEST 13: TEST for https based token verification with ssl_verify false
 --- config
     location /t {
         content_by_lua_block {

From 75c7068cb396bf26500a12b714d6c004a62a07c0 Mon Sep 17 00:00:00 2001
From: tzssangglass
Date: Wed, 18 Aug 2021 15:36:43 +0800
Subject: [PATCH 3/3] resolve code review

---
 t/plugin/authz-keycloak.t | 91 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)

diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t
index 02c9c5cec13f..5fce3dd52c24 100644
--- a/t/plugin/authz-keycloak.t
+++ b/t/plugin/authz-keycloak.t
@@ -456,3 +456,94 @@ GET /t
 false
 --- error_log
 Request denied: HTTP 401 Unauthorized. Body: {"error":"HTTP 401 Unauthorized"}
+
+
+
+=== TEST 14: set enforcement mode is "ENFORCING", lazy_load_paths and permissions use default values
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "plugins": {
+                        "authz-keycloak": {
+                            "token_endpoint": "http://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                            "client_id": "course_management",
+                            "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
+                            "policy_enforcement_mode": "ENFORCING",
+                            "timeout": 3000
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1982": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/hello1"
+                }]],
+                [[{
+                    "node": {
+                        "value": {
+                            "plugins": {
+                                "authz-keycloak": {
+                                    "token_endpoint": "http://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
+                                    "client_id": "course_management",
+                                    "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
+                                    "policy_enforcement_mode": "ENFORCING",
+                                    "timeout": 3000
+                                }
+                            },
+                            "upstream": {
+                                "nodes": {
+                                    "127.0.0.1:1982": 1
+                                },
+                                "type": "roundrobin"
+                            },
+                            "uri": "/hello1"
+                        },
+                        "key": "/apisix/routes/1"
+                    },
+                    "action": "set"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 15: test for permission is empty and enforcement mode is "ENFORCING".
+--- config
+    location /t {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local httpc = http.new()
+            local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello1"
+            local res, err = httpc:request_uri(uri, {
+                method = "GET",
+                headers = {
+                    ["Authorization"] = "Bearer " .. "fake access token",
+                }
+            })
+
+            ngx.say(res.body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+{"error":"access_denied","error_description":"not_authorized"}
+--- no_error_log
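Review bot: In TEST 15 the result of `httpc:request_uri` is consumed as `ngx.say(res.body)` without ever looking at `err`, so a connection failure surfaces as an "attempt to index a nil value" Lua error instead of a readable failure, and only the body is asserted, never the status, so a 200 carrying that JSON from the upstream would also satisfy this deny-path test. I would change it to `if not res then ngx.say(err) return end` / `ngx.say(res.status)` / `ngx.say(res.body)` and add the expected status line to `--- response_body` (the code the plugin uses for this deny is not visible in the series). The closing `--- no_error_log` of TEST 15 has no pattern under it, unlike TEST 14's `[error]`, which looks like a dropped line. TEST 14's `token_endpoint` is `http://` on port 8443 where the earlier tests use `https://`; the deny in TEST 15 presumably happens before that endpoint is contacted, but that is worth confirming so the test is not passing for the wrong reason.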