From 05761fd7cff30867233c1a2e9e14bf60c9e9fe13 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Fri, 15 Apr 2022 11:29:29 +0800 Subject: [PATCH 1/3] fix(authz-keycloak): do not expose internal errors to the client --- apisix/plugins/authz-keycloak.lua | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua index 85bfe19a67e4..29303e13e7a1 100644 --- a/apisix/plugins/authz-keycloak.lua +++ b/apisix/plugins/authz-keycloak.lua @@ -722,12 +722,12 @@ local function generate_token_using_password_grant(conf,ctx) if not username then local err = "username is missing." log.error(err) - return 422, err + return 422, {message = err} end if not password then local err = "password is missing." log.error(err) - return 422, err + return 422, {message = err} end local client_id = authz_keycloak_get_client_id(conf) @@ -737,7 +737,7 @@ local function generate_token_using_password_grant(conf,ctx) if not token_endpoint then local err = "Unable to determine token endpoint." log.error(err) - return 503, err + return 503, {message = err} end local httpc = authz_keycloak_get_http_client(conf) @@ -763,7 +763,7 @@ local function generate_token_using_password_grant(conf,ctx) err = "Accessing token endpoint URL (" .. token_endpoint .. ") failed: " .. err log.error(err) - return 401, {message = err} + return 401, {message = "Accessing token endpoint URL failed."} end log.debug("Response data: " .. res.body) @@ -773,7 +773,7 @@ local function generate_token_using_password_grant(conf,ctx) err = "Could not decode JSON from response" .. (err and (": " .. err) or '.') log.error(err) - return 401, {message = err} + return 401, {message = "Could not decode JSON from response."} end return res.status, res.body From 4d541ad12010e7d5555352ffcd5611be28c0ab79 Mon Sep 17 00:00:00 2001 
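Review bot: The transport failure at `return 401, {message = "Accessing token endpoint URL failed."}` is still reported as 401, which tells the client its credentials were rejected although they were never evaluated; a 502 or 503 (matching the `return 503, {message = err}` already used for a missing token endpoint earlier in this function) would be accurate, and the same applies to the JSON-decode failure in the following hunk. The sanitized bodies themselves look right, and the full error including the endpoint URL stays in the error log, which is where operators need it. One caveat on the context line `log.debug("Response data: " .. res.body)`: that body is the token endpoint's response, so at debug level issued tokens end up in the log; consider logging only `res.status` or redacting the body there. generate_token_using_password_grant starts before this hunk and its final `return res.status, res.body` lies outside it.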
From: tzssangglass Date: Sun, 17 Apr 2022 12:37:09 +0800 Subject: [PATCH 2/3] fix code review --- apisix/plugins/authz-keycloak.lua | 4 +- t/plugin/authz-keycloak.t | 73 +++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 2 deletions(-) diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua index 29303e13e7a1..de316bafd4da 100644 --- a/apisix/plugins/authz-keycloak.lua +++ b/apisix/plugins/authz-keycloak.lua @@ -721,12 +721,12 @@ local function generate_token_using_password_grant(conf,ctx) if not username then local err = "username is missing." - log.error(err) + log.warn(err) return 422, {message = err} end if not password then local err = "password is missing." - log.error(err) + log.warn(err) return 422, {message = err} end diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t index bf09f14b062c..b0787e39a2c9 100644 --- a/t/plugin/authz-keycloak.t +++ b/t/plugin/authz-keycloak.t 
@@ -623,3 +623,76 @@ GET /t true --- no_error_log [error] + + + +=== TEST 19: no username of password +--- config + location /t { + content_by_lua_block { + local t = require("lib.test_admin").test + local code, body = t('/apisix/admin/routes/1', + ngx.HTTP_PUT, + [[{ + "plugins": { + "authz-keycloak": { + "token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token", + "permissions": ["course_resource#view"], + "client_id": "course_management", + "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5", + "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", + "timeout": 3000, + "ssl_verify": false, + "password_grant_token_generation_incoming_uri": "/api/token" + } + }, + "upstream": { + "nodes": { + "127.0.0.1:1982": 1 + }, + "type": "roundrobin" + }, + "uri": "/api/token" + }]] + ) + + if code >= 300 then + ngx.status = code + end + + local json_decode = require("toolkit.json").decode + local http = require "resty.http" + local httpc = http.new() + local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/api/token" + local headers = { + ["Content-Type"] = "application/x-www-form-urlencoded", + } + + -- no username + local res, err = httpc:request_uri(uri, { + method = "POST", + headers = headers, + body = ngx.encode_args({ + password = "123456", + }), + }) + ngx.print(res.body) + + -- no password + local res, err = httpc:request_uri(uri, { + method = "POST", + headers = headers, + body = ngx.encode_args({ + username = "teacher@gmail.com", + }), + }) + ngx.print(res.body) + } + } +--- request +GET /t +--- response_body +{"message":"username is missing."} +{"message":"password is missing."} +--- no_error_log +[error] From b47cd43f3cf99cc05ae849db089f1727eb932103 Mon Sep 17 00:00:00 2001 From: tzssangglass Date: Sun, 17 Apr 2022 21:20:54 +0800 Subject: [PATCH 3/3] fix review --- t/plugin/authz-keycloak.t | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
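Review bot: Both `httpc:request_uri` calls in the new TEST 19 discard `err` and dereference `res.body` unconditionally, so a connection failure surfaces as a Lua error on a nil `res` rather than a readable test failure; add `if not res then ngx.say(err) return end` after each call, and reuse one `res, err` pair instead of redeclaring it with `local`. The test also checks only the response bodies and never the 422 status the plugin returns for each case, e.g. `assert(res.status == 422, "unexpected status " .. tostring(res.status))` before each `ngx.print`. The `--- no_error_log [error]` section appears to be what pins the log.error to log.warn change in this patch's plugin hunk, which is worth a one-line comment in the test so the coupling is visible.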
diff --git a/t/plugin/authz-keycloak.t b/t/plugin/authz-keycloak.t index b0787e39a2c9..8efb0e7ce441 100644 --- a/t/plugin/authz-keycloak.t +++ b/t/plugin/authz-keycloak.t @@ -626,7 +626,7 @@ true -=== TEST 19: no username of password +=== TEST 19: no username or password --- config location /t { content_by_lua_block {