Skip to content

Commit

Permalink
fix(authz-keycloak): add missing path for access_denied_redirect_uri (a…
Browse files Browse the repository at this point in the history 
…pache#6794)
  • Loading branch information
@spacewander
spacewander committed May 29, 2022
1 parent e472b14 commit 9a48bc6
Show file tree
Hide file tree
Showing 2 changed files with 113 additions and 0 deletions.
5 changes: 5 additions & 0 deletions apisix/plugins/authz-keycloak.lua
View file
Original file line number Diff line number Diff line change
Expand Up @@ -666,6 +666,11 @@ local function evaluate_permissions(conf, ctx, token)
if res.status == 403 then
-- Request permanently denied, e.g. due to lacking permissions.
log.debug('Request denied: HTTP 403 Forbidden. Body: ', res.body)
if conf.access_denied_redirect_uri then
core.response.set_header("Location", conf.access_denied_redirect_uri)
return 307
end

return res.status, res.body
elseif res.status == 401 then
-- Request temporarily denied, e.g access token not valid.
Expand Down
108 changes: 108 additions & 0 deletions t/plugin/authz-keycloak3.t
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,108 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
use t::APISIX 'no_plan';

add_block_preprocessor(sub {
my ($block) = @_;

if (!$block->request) {
$block->set_value("request", "GET /t");
}

if (!$block->error_log && !$block->no_error_log) {
$block->set_value("no_error_log", "[error]\n[alert]");
}
});

run_tests;

__DATA__
=== TEST 1: access_denied_redirect_uri works with request denied in token_endpoint
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"authz-keycloak": {
"token_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token",
"access_denied_redirect_uri": "http://127.0.0.1/test",
"permissions": ["course_resource#delete"],
"client_id": "course_management",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
"timeout": 3000
}
},
"upstream": {
"nodes": {
"127.0.0.1:1982": 1
},
"type": "roundrobin"
},
"uri": "/hello1"
}]]
)
if code >= 300 then
ngx.status = code
end
ngx.say(body)
}
}
--- response_body
passed
=== TEST 2: hit
--- config
location /t {
content_by_lua_block {
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
local res, err = httpc:request_uri(uri, {
method = "POST",
body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=student@gmail.com&password=123456",
headers = {
["Content-Type"] = "application/x-www-form-urlencoded"
}
})
if res.status == 200 then
local body = json_decode(res.body)
local accessToken = body["access_token"]
uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello1"
local res, err = httpc:request_uri(uri, {
method = "GET",
headers = {
["Authorization"] = "Bearer " .. accessToken,
}
})
ngx.status = res.status
ngx.header["Location"] = res.headers["Location"]
end
}
}
--- error_code: 307
--- response_headers
Location: http://127.0.0.1/test

0 comments on commit 9a48bc6

Please sign in to comment.