Posted to notifications@apisix.apache.org by me...@apache.org on 2020/08/08 10:24:52 UTC

[apisix] branch master updated: test: Added test cases for openid connect introspection (#2018)

This is an automated email from the ASF dual-hosted git repository.

membphis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 14f979e  test: Added test cases for openid connect introspection (#2018)
14f979e is described below

commit 14f979edf84c5a76a96902cc2ab8e5697a905fe9
Author: Nirojan Selvanathan <ss...@gmail.com>
AuthorDate: Sat Aug 8 12:24:42 2020 +0200

    test: Added test cases for openid connect introspection (#2018)
    
    Fix #1718
    
    * Added test case for token introspection with Keycloak identity server
    * Renamed oauth doc to openid-connect to correctly link with the plugin name
---
 README.md                                         |   2 +-
 README_CN.md                                      |   2 +-
 doc/_sidebar.md                                   |   2 +-
 doc/plugins/{oauth.md => openid-connect.md}       |   0
 doc/zh-cn/README.md                               |   4 +-
 doc/zh-cn/plugins/{oauth.md => openid-connect.md} |   0
 t/plugin/openid-connect.t                         | 152 ++++++++++++++++++++++
 7 files changed, 157 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 5af20c2..3acb900 100644
--- a/README.md
+++ b/README.md
@@ -84,7 +84,7 @@ A/B testing, canary release, blue-green deployment, limit rate, defense against
 - **Security**
     - Authentications: [key-auth](doc/plugins/key-auth.md), [JWT](doc/plugins/jwt-auth.md), [basic-auth](doc/plugins/basic-auth.md), [wolf-rbac](doc/plugins/wolf-rbac.md)
     - [IP Whitelist/Blacklist](doc/plugins/ip-restriction.md)
-    - [IdP](doc/plugins/oauth.md): Support external authentication services, such as Auth0, okta, etc., users can use this to connect to OAuth 2.0 and other authentication methods.
+    - [IdP](doc/plugins/openid-connect.md): Support external authentication services, such as Auth0, okta, etc., users can use this to connect to OAuth 2.0 and other authentication methods.
     - [Limit-req](doc/plugins/limit-req.md)
     - [Limit-count](doc/plugins/limit-count.md)
     - [Limit-concurrency](doc/plugins/limit-conn.md)
diff --git a/README_CN.md b/README_CN.md
index c88fe91..4cd2bd1 100644
--- a/README_CN.md
+++ b/README_CN.md
@@ -83,7 +83,7 @@ A/B 测试、金丝雀发布(灰度发布)、蓝绿部署、限流限速、抵
 - **安全防护**
     - 多种身份认证方式: [key-auth](doc/zh-cn/plugins/key-auth.md), [JWT](doc/zh-cn/plugins/jwt-auth.md), [basic-auth](doc/zh-cn/plugins/basic-auth.md), [wolf-rbac](doc/zh-cn/plugins/wolf-rbac.md)。
     - [IP 黑白名单](doc/zh-cn/plugins/ip-restriction.md)
-    - [IdP 支持](doc/plugins/oauth.md): 支持外部的身份认证服务,比如 Auth0,Okta,Authing 等,用户可以借此来对接 Oauth2.0 等认证方式。
+    - [IdP 支持](doc/plugins/openid-connect.md): 支持外部的身份认证服务,比如 Auth0,Okta,Authing 等,用户可以借此来对接 Oauth2.0 等认证方式。
     - [限制速率](doc/zh-cn/plugins/limit-req.md)
     - [限制请求数](doc/zh-cn/plugins/limit-count.md)
     - [限制并发](doc/zh-cn/plugins/limit-conn.md)
diff --git a/doc/_sidebar.md b/doc/_sidebar.md
index 6a9c1e5..8a354cb 100644
--- a/doc/_sidebar.md
+++ b/doc/_sidebar.md
@@ -54,7 +54,7 @@
     - [Key Auth](plugins/key-auth.md)
     - [Basic Auth](plugins/basic-auth.md)
     - [JWT Auth](plugins/jwt-auth.md)
-    - [Opend ID Connect](plugins/oauth.md)
+    - [Opend ID Connect](plugins/openid-connect.md)
 
   - General
 
diff --git a/doc/plugins/oauth.md b/doc/plugins/openid-connect.md
similarity index 100%
rename from doc/plugins/oauth.md
rename to doc/plugins/openid-connect.md
diff --git a/doc/zh-cn/README.md b/doc/zh-cn/README.md
index dd645b1..d8f875b 100644
--- a/doc/zh-cn/README.md
+++ b/doc/zh-cn/README.md
@@ -53,7 +53,7 @@
 * [grpc-transcode](plugins/grpc-transcode.md):REST <--> gRPC 转码。
 * [serverless](plugins/serverless.md):允许在 APISIX 中的不同阶段动态运行 Lua 代码。
 * [ip-restriction](plugins/ip-restriction.md): IP 黑白名单。
-* [openid-connect](plugins/oauth.md)
+* [openid-connect](plugins/openid-connect.md)
 * [redirect](plugins/redirect.md): URI 重定向。
 * [response-rewrite](plugins/response-rewrite.md): 支持自定义修改返回内容的 `status code`、`body`、`headers`。
 * [fault-injection](plugins/fault-injection.md):故障注入,可以返回指定的响应体、响应码和响应时间,从而提供了不同的失败场景下处理的能力,例如服务失败、服务过载、服务高延时等。
@@ -66,7 +66,7 @@
 * [batch-requests](plugins/batch-requests.md): 以 **http pipeline** 的方式在网关一次性发起多个 `http` 请求。
 * [authz-keycloak](plugins/authz-keycloak.md): 支持 Keycloak 身份认证服务器
 * [uri-blocker](plugins/uri-blocker.md): 根据 URI 拦截用户请求。
-* [oauth](plugins/oauth.md): 提供 OAuth 2 身份验证和自省。
+* [oauth](plugins/openid-connect.md): 提供 OAuth 2 身份验证和自省。
 
 部署
 =======
diff --git a/doc/zh-cn/plugins/oauth.md b/doc/zh-cn/plugins/openid-connect.md
similarity index 100%
rename from doc/zh-cn/plugins/oauth.md
rename to doc/zh-cn/plugins/openid-connect.md
diff --git a/t/plugin/openid-connect.t b/t/plugin/openid-connect.t
index d6887d3..b9214ce 100644
--- a/t/plugin/openid-connect.t
+++ b/t/plugin/openid-connect.t
@@ -418,3 +418,155 @@ GET /t
 --- error_code: 401
 --- error_log
 jwt signature verification failed
+
+
+
+=== TEST 11: Update route with keycloak config for introspection
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "openid-connect": {
+                                "client_id": "course_management",
+                                "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
+                                "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+                                "redirect_uri": "http://localhost:3000",
+                                "ssl_verify": false,
+                                "timeout": 10,
+                                "bearer_only": true,
+                                "realm": "University",
+                                "introspection_endpoint_auth_method": "client_secret_post",
+                                "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]],
+                [[{
+                    "node": {
+                        "value": {
+                            "plugins": {
+                                "openid-connect": {
+                                    "client_id": "course_management",
+                                    "client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
+                                    "discovery": "http://127.0.0.1:8090/auth/realms/University/.well-known/openid-configuration",
+                                    "redirect_uri": "http://localhost:3000",
+                                    "ssl_verify": "no",
+                                    "timeout": 10000,
+                                    "bearer_only": true,
+                                    "realm": "University",
+                                    "introspection_endpoint_auth_method": "client_secret_post",
+                                    "introspection_endpoint": "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token/introspect"
+                                }
+                            },
+                            "upstream": {
+                                "nodes": {
+                                    "127.0.0.1:1980": 1
+                                },
+                                "type": "roundrobin"
+                            },
+                            "uri": "/hello"
+                        },
+                        "key": "/apisix/routes/1"
+                    },
+                    "action": "set"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 12: Access keycloak with correct token
+--- config
+    location /t {
+        content_by_lua_block {
+            local json_decode = require("cjson").decode
+            local http = require "resty.http"
+            local httpc = http.new()
+            local uri = "http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token"
+            local res, err = httpc:request_uri(uri, {
+                    method = "POST",
+                    body = "grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&username=teacher@gmail.com&password=123456",
+                    headers = {
+                        ["Content-Type"] = "application/x-www-form-urlencoded"
+                    }
+                })
+
+            if res.status == 200 then
+                local body = json_decode(res.body)
+                local accessToken = body["access_token"]
+                uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
+                local res, err = httpc:request_uri(uri, {
+                    method = "GET",
+                    headers = {
+                        ["Authorization"] = "Bearer " .. body["access_token"]
+                    }
+                 })
+
+                if res.status == 200 then
+                    ngx.say(true)
+                else
+                    ngx.say(false)
+                end
+            else
+                ngx.say(false)
+            end
+        }
+    }
+--- request
+GET /t
+--- response_body
+true
+--- no_error_log
+[error]
+
+
+
+=== TEST 13: Access keycloak with wrong token
+--- config
+    location /t {
+        content_by_lua_block {
+            local http = require "resty.http"
+            local httpc = http.new()
+            local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/hello"
+            local res, err = httpc:request_uri(uri, {
+                method = "GET",
+                headers = {
+                    ["Authorization"] = "Bearer " .. "fake access token",
+                }
+             })
+
+            if res.status == 200 then
+                ngx.say(true)
+            else
+                ngx.say(false)
+            end
+        }
+    }
+--- request
+GET /t
+--- response_body
+false
+--- error_log
+failed to introspect in openidc: invalid token
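Review bot: `res.status` is read at three places (the `if res.status == 200 then` lines in TEST 12 and TEST 13) without first checking that `res` is non-nil, although `httpc:request_uri` returns `nil, err` on a transport failure, so an unreachable or slow Keycloak fixture on 127.0.0.1:8090 makes the test die with "attempt to index local 'res'" instead of reporting a readable failure. Add a guard such as `if not res then ngx.say(err) return end` after each `request_uri` call before touching `res.status`, and consider printing `res.status` and `res.body` in the `else` branches of TEST 12 so a failing token request and a failing gateway request can be told apart. Minor: `local accessToken` in TEST 12 is assigned but never used (the header uses `body["access_token"]` directly), and the inner `local res, err` shadows the outer pair; luacheck would flag both.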