Posted to commits@openwhisk.apache.org by mh...@apache.org on 2019/09/06 03:53:05 UTC
[openwhisk-apigateway] 01/01: Fix App ID bug, add unit tests
This is an automated email from the ASF dual-hosted git repository.
mhamann pushed a commit to branch appid-fixes
in repository https://gitbox.apache.org/repos/asf/openwhisk-apigateway.git
commit 9fb765a51eccb3e01d9ad413814f730e79c72832
Author: Matt Hamann <mh...@us.ibm.com>
AuthorDate: Thu Sep 5 23:52:14 2019 -0400
Fix App ID bug, add unit tests
---
Dockerfile.test.unit | 48 ++++++++++++++++++++++++++++++------------
Makefile | 4 ----
scripts/lua/oauth/app-id.lua | 11 +++++-----
tests/install-deps.sh | 32 ----------------------------
tests/run-tests.sh | 4 ++++
tests/scripts/lua/security.lua | 42 ++++++++++++++++++++++++++++++++++++
tests/set_paths.lua | 2 ++
7 files changed, 89 insertions(+), 54 deletions(-)
diff --git a/Dockerfile.test.unit b/Dockerfile.test.unit
index 7038c9f..3c3df02 100644
--- a/Dockerfile.test.unit
+++ b/Dockerfile.test.unit
@@ -17,28 +17,24 @@
# apigateway
#
-# VERSION 1.13.6.1
+# VERSION 1.15.8.2
#
-# From https://hub.docker.com/_/alpine/
+# From https://hub.docker.com/_/openresty/
#
-FROM alpine:3.9
+FROM openresty/openresty:1.15.8.2-1-alpine-fat
ENV CJOSE_VERSION=0.5.1
+ENV RAN_VERSION=v0.1.4
+ENV STEP_VERSION=0.11.0
RUN apk update && \
apk add \
- gcc tar zlib wget make musl-dev g++ curl \
- libtool readline luajit luajit-dev unzip \
+ gcc tar zlib zlib-dev wget make musl-dev g++ curl \
+ libtool readline luajit luajit-dev unzip coreutils \
openssl openssl-dev git jansson jansson-dev
WORKDIR /tmp
-RUN wget https://luarocks.org/releases/luarocks-3.1.3.tar.gz && \
- tar zxpf luarocks-3.1.3.tar.gz && \
- cd luarocks-3.1.3 && \
- ./configure && \
- make build && \
- make install
RUN echo " ... installing cjose ... " \
&& mkdir -p /tmp/api-gateway \
@@ -49,9 +45,35 @@ RUN echo " ... installing cjose ... " \
&& make && make install \
&& rm -rf /tmp/api-gateway
-COPY . /etc/api-gateway
+RUN echo " ... installing step cli ... " \
+ && mkdir -p /tmp/step \
+ && curl -L https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/step_${STEP_VERSION}_linux_amd64.tar.gz -o /tmp/step/step_${STEP_VERSION}.tar.gz \
+ && tar -xf /tmp/step/step_${STEP_VERSION}.tar.gz -C /tmp/step \
+ && cd /tmp/step/step_${STEP_VERSION} \
+ && mv ./bin/step /usr/bin/step
+
+RUN echo " ... generating JWK/JWT ... " \
+ && step crypto jwk create /tmp/pub.jwk.json /tmp/prv.jwk.json -f --insecure --no-password --kty RSA --kid test-jwk \
+ && cat /tmp/pub.jwk.json | step crypto jwk keyset add /tmp/jwk.json \
+ && export JWT_EXPIRY=$(date -d "+10 days" +%s) \
+ && echo '{"email":"testuser@openwhisk.apache.org"}' | step crypto jwt sign --iss https://openwhisk.apache.org/apigateway --sub "test user" --exp $JWT_EXPIRY --aud tests --key /tmp/prv.jwk.json > /tmp/token.jwt
+RUN mkdir -p /etc/api-gateway/tests
WORKDIR /etc/api-gateway/tests
-RUN ./install-deps.sh
+
+# Install Lua dependencies
+RUN luarocks install busted \
+ && luarocks install luacov \
+ && mkdir -p lua_modules \
+ && luarocks install --tree=lua_modules lua-cjson \
+ && luarocks install --tree=lua_modules luasocket \
+ && luarocks install --tree=lua_modules sha1 \
+ && luarocks install --tree=lua_modules md5 \
+ && luarocks install --tree=lua_modules net-url \
+ && luarocks install --tree=lua_modules luafilesystem \
+ && luarocks install --tree=lua_modules lua-resty-http 0.10 \
+ && luarocks install --tree=lua_modules https://github.com/mhamann/lua-resty-cjose/raw/master/lua-resty-cjose-0.5-0.rockspec
+
+COPY . /etc/api-gateway
CMD sh run-tests.sh
\ No newline at end of file
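Review bot: The test JWT is signed at image build time with `--exp $JWT_EXPIRY`, where JWT_EXPIRY is `date -d "+10 days"` evaluated during `docker build`, so any test image older than ten days starts failing the App ID test for reasons unrelated to the code under test. Generating the key set and token in run-tests.sh (the `step` binary is already in the image) would make the fixture valid for the lifetime of the run rather than of the image. Separately, the step release tarball is fetched with `curl -L` from GitHub and unpacked with no integrity check; since coreutils is installed in this hunk, a pinned digest can be verified before extraction, e.g. `&& echo "<expected-sha256-placeholder>  /tmp/step/step_${STEP_VERSION}.tar.gz" | sha256sum -c -`. The `--insecure --no-password` flags on the JWK create are fine for a throwaway test key but are worth a comment saying so, since the same line is easy to copy into a non-test Dockerfile.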
diff --git a/Makefile b/Makefile
index 55e5e01..3d0a5d8 100644
--- a/Makefile
+++ b/Makefile
@@ -34,10 +34,6 @@ docker:
docker-ssh:
docker run -ti --entrypoint='bash' ${RUNTIME}
-.PHONY: test-build
-test-build:
- cd tests; ./install-deps.sh
-
.PHONY: profile-build
profile-build:
./build_profiling.sh
diff --git a/scripts/lua/oauth/app-id.lua b/scripts/lua/oauth/app-id.lua
index a756f64..b594def 100644
--- a/scripts/lua/oauth/app-id.lua
+++ b/scripts/lua/oauth/app-id.lua
@@ -14,7 +14,6 @@
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
-
local request = require 'lib/request'
local cjson = require 'cjson'
local utils = require 'lib/utils'
@@ -29,6 +28,7 @@ local function inject_req_headers(token_obj)
end
local function fetchJWKs(tenantId)
+ local httpc = http.new()
local keyUrl = utils.concatStrings({APPID_PKURL, tenantId, '/publickeys'})
local request_options = {
headers = {
@@ -42,7 +42,6 @@ end
function _M.process(dataStore, token, securityObj)
local cache_key = 'appid_' .. securityObj.tenantId
local result = dataStore:getOAuthToken(cache_key, token)
- local httpc = http.new()
local token_obj
-- Was the token in the cache?
@@ -53,9 +52,10 @@ function _M.process(dataStore, token, securityObj)
end
-- Cache miss. Proceed to validate the token
- local res, err = fetchJWKs
- if err or res.status ~= 200 then
+ local res, err = fetchJWKs(securityObj.tenantId)
+ if err ~= nil or not res or res.status ~= 200 then
request.err(500, 'An error occurred while fetching the App ID JWK configuration: ' .. err or res.body)
+ return nil
end
local key
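Review bot: The error line inside the new guard still crashes on the paths the guard now admits: `..` binds tighter than `or`, so `'...: ' .. err or res.body` is parsed as `('...: ' .. err) or res.body`, and when `err` is nil (the `not res` and `res.status ~= 200` branches) the concatenation raises "attempt to concatenate a nil value" before `request.err` is ever called; in the `not res` branch `res.body` would also index nil. A safe form is `local detail = err or (res and res.body) or 'unknown error'` followed by `request.err(500, 'An error occurred while fetching the App ID JWK configuration: ' .. tostring(detail))`. Consider also keeping the upstream response body out of the 500 returned to the caller and writing it to `ngx.log(ngx.ERR, ...)` instead, since the JWK endpoint's error page is not something an API client needs to see. The `return nil` after `request.err` is a good addition; `_M.process` continues outside this hunk.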
@@ -81,7 +81,8 @@ function _M.process(dataStore, token, securityObj)
-- keep token in cache until it expires
local ttl = expireTime - os.time()
- dataStore:saveOAuthToken(cache_key, token, cjson.encode(token_obj), ttl)
+ local encodedToken = cjson.encode(token_obj)
+ dataStore:saveOAuthToken(cache_key, token, encodedToken, ttl)
return token_obj
end
diff --git a/tests/install-deps.sh b/tests/install-deps.sh
deleted file mode 100755
index 156cb3f..0000000
--- a/tests/install-deps.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Install global dependencies
-luarocks install busted
-luarocks install luacov
-# Install test dependencies
-mkdir -p lua_modules
-luarocks install --tree=lua_modules lua-cjson
-luarocks install --tree=lua_modules luabitop
-luarocks install --tree=lua_modules luasocket
-luarocks install --tree=lua_modules sha1
-luarocks install --tree=lua_modules md5
-luarocks install --tree=lua_modules net-url
-luarocks install --tree=lua_modules luafilesystem
-luarocks install --tree=lua_modules lua-resty-http 0.10
-luarocks install --tree=lua_modules https://github.com/mhamann/lua-resty-cjose/raw/master/lua-resty-cjose-0.5-0.rockspec
diff --git a/tests/run-tests.sh b/tests/run-tests.sh
index 3a90230..817f831 100755
--- a/tests/run-tests.sh
+++ b/tests/run-tests.sh
@@ -16,5 +16,9 @@
# limitations under the License.
#
+# Grab pre-generated JWT for use in tests
+export OAUTH_TEST_JWT=$(cat /tmp/token.jwt)
+export OAUTH_TEST_JWK=$(cat /tmp/jwk.json)
+
# Run unit tests
busted --output=TAP --helper=set_paths --pattern=.lua scripts
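Review bot: `export OAUTH_TEST_JWT=$(cat /tmp/token.jwt)` hides cat's exit status, so when the file is missing (running outside the Dockerfile.test.unit image, or after a failed build step) the variable is exported empty and the App ID test fails later with a confusing token-parsing error rather than here. Splitting assignment from export makes the failure explicit: `OAUTH_TEST_JWT=$(cat /tmp/token.jwt) || exit 1` then `export OAUTH_TEST_JWT`, and likewise for OAUTH_TEST_JWK. A one-line comment that these files are produced by the image build (`# generated by Dockerfile.test.unit; set both vars manually when running outside the image`) would help anyone invoking this script directly.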
diff --git a/tests/scripts/lua/security.lua b/tests/scripts/lua/security.lua
index e449ff9..59b244e 100644
--- a/tests/scripts/lua/security.lua
+++ b/tests/scripts/lua/security.lua
@@ -269,6 +269,48 @@ describe('OAuth security module', function()
local result = oauth.process(dataStore, cjson.decode(securityObj))
assert.truthy(result)
end)
+
+ it('Successfully fetches App ID JWK keys and validates token', function()
+ local red = fakeredis.new()
+ -- Mock red.expire w/ a no-op to avoid a seg fault
+ red.expire = function(arg)
+ return {}, nil
+ end
+ local ds = require "lib/dataStore"
+ local dataStore = ds.initWithDriver(red)
+ local token = os.getenv("OAUTH_TEST_JWT")
+ local appid = "app"
+ local ngxattrs = [[
+ {
+ "http_Authorization":"]] .. token .. [[",
+ "tenant":"1234",
+ "gatewayPath":"v1/test"
+ }
+ ]]
+ local ngx = fakengx.new()
+ ngx.config = { ngx_lua_version = 'test' }
+ ngx.var = cjson.decode(ngxattrs)
+ _G.ngx = ngx
+ -- Mock http lib request to return the "right" values
+ local http = require 'resty.http'
+ http.request_uri = function (url, params)
+ local res = {}
+ res.status = 200
+ res.body = os.getenv("OAUTH_TEST_JWK")
+ return res, nil
+ end
+
+ local securityObj = [[
+ {
+ "type":"oauth2",
+ "provider":"app-id",
+ "tenantId": "tenant1",
+ "scope":"api"
+ }
+ ]]
+ local result = oauth.process(dataStore, cjson.decode(securityObj))
+ assert.truthy(result)
+ end)
end)
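Review bot: The mock installed with `http.request_uri = function (url, params)` is written on the shared `resty.http` module table and is never restored, so every later test in this file that goes through `http.new()` will receive a 200 with the JWK body regardless of what it requests; the same applies to the `_G.ngx` assignment. Saving the original (`local orig_request_uri = http.request_uri`) before the call and restoring it after `oauth.process` returns, or in a `finally`, keeps the test self-contained. The parameter names also look off by one: if the module under test calls this as `httpc:request_uri(url, opts)` (presumably, since `app-id.lua` creates an instance with `http.new()`), the first argument is the instance, so `function(_, url, params)` would name them correctly, and asserting that `url` ends in `/publickeys` would turn this into a check of the fetchJWKs change rather than only of the happy path.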
describe('Client Secret Module', function()
local clientSecret = require 'policies/security/clientSecret'
diff --git a/tests/set_paths.lua b/tests/set_paths.lua
index 352cc91..470858a 100644
--- a/tests/set_paths.lua
+++ b/tests/set_paths.lua
@@ -21,9 +21,11 @@ local f = assert(io.popen('pwd', 'r'))
local pwd = assert(f:read('*a')):sub(1, -2)
f:close()
package.path = package.path ..
+ ';' .. '/usr/local/openresty/lualib/?.lua' ..
';' .. pwd .. '/lua_modules/share/lua/' .. version .. '/?.lua' ..
';' .. pwd .. '/lua_modules/share/lua/' .. version .. '/?/init.lua' ..
';' .. pwd .. '/lua_modules/share/lua/' .. version .. '/net/?.lua' ..
';' .. pwd .. '/../scripts/lua/?.lua'
package.cpath = package.cpath ..
+ ';' .. '/usr/local/openresty/lualib/?.so' ..
';' .. pwd .. '/lua_modules/lib/lua/' .. version .. '/?.so'
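Review bot: The OpenResty directories are inserted ahead of the `lua_modules` entries in both `package.path` and `package.cpath`, so if `/usr/local/openresty/lualib` ships a module with the same name as one pinned under `lua_modules` (the Dockerfile pins `lua-resty-http 0.10`, for instance), the bundled copy wins and the pinned version is silently ignored. If the intent is only to make OpenResty's own libraries resolvable, appending the two entries after the `lua_modules` ones preserves the pinned versions; a comment such as `-- OpenResty-bundled libs (image path from Dockerfile.test.unit); searched after lua_modules so pinned rocks take precedence` would document the ordering either way. The path is also absolute and specific to the test image, so the helper no longer works unchanged on a developer machine with a different OpenResty prefix; reading it from an environment variable with this value as the default would keep both working.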