Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2017/12/15 02:03:52 UTC

[GitHub] mhamann closed pull request #231: No secret in header

mhamann closed pull request #231: No secret in header
URL: https://github.com/apache/incubator-openwhisk-apigateway/pull/231
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/scripts/lua/oauth/github.lua b/scripts/lua/oauth/github.lua
index 2335477..104e893 100644
--- a/scripts/lua/oauth/github.lua
+++ b/scripts/lua/oauth/github.lua
@@ -25,14 +25,17 @@ local redis = require "lib/redis"
 local request = require "lib/request"
 local cjson = require "cjson"
 local utils = require "lib/utils"
-local _M = {} 
+local _M = {}
 
 function _M.process(dataStore, token)
-  local result = dataStore:getOAuthToken('github', token) 
-  if result ~= ngx.null then 
-    return cjson.decode(result)
-  end 
- 
+  local result = dataStore:getOAuthToken('github', token)
+  if result ~= ngx.null then
+    json_resp = cjson.decode(result)
+    ngx.header['X-OIDC-id'] = json_resp['id']
+    ngx.header['X-OIDC-Email'] = json_resp['email']
+    return json_resp
+  end
+
   local request_options = {
     headers = {
       ["Accept"] = "application/json"
@@ -52,7 +55,7 @@ function _M.process(dataStore, token)
     request.err(500, 'OAuth provider error.')
     return
   end
- 
+
   local json_resp = cjson.decode(res.body)
   if json_resp.id == nil then
     return nil
@@ -62,10 +65,12 @@ function _M.process(dataStore, token)
     return nil
   end
 
-  dataStore:saveOAuthToken('github', token) 
+  dataStore:saveOAuthToken('github', token, cjson.encode(json_resp))
   -- convert Github's response
   -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
+  ngx.header['X-OIDC-id'] = json_resp['id']
+  ngx.header['X-OIDC-Email'] = json_resp['email']
   return json_resp
 end
 
-return _M 
+return _M
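Review bot: `dataStore:saveOAuthToken('github', token, cjson.encode(json_resp))` caches the decoded identity with no lifetime, whereas the Google counterpart in this PR passes `json_resp['expires']` as a fourth argument. Unless saveOAuthToken applies a default TTL (not visible here), a GitHub token revoked upstream keeps authenticating from the cache for as long as the Redis entry exists, and the cache-hit branch now also emits identity headers from that stale record. Consider passing an explicit lifetime, `dataStore:saveOAuthToken('github', token, cjson.encode(json_resp), TTL_PLACEHOLDER)`, with the placeholder replaced by a configured value in whatever unit the store expects. Separately, if the provider returns `"email": null`, cjson decodes it to `cjson.null` (a userdata), which `ngx.header['X-OIDC-Email'] = ...` does not accept as a header value; guard with `if json_resp['email'] ~= cjson.null then ... end` or normalise the field before setting it.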
diff --git a/scripts/lua/oauth/google.lua b/scripts/lua/oauth/google.lua
index 74f5454..c1b2011 100644
--- a/scripts/lua/oauth/google.lua
+++ b/scripts/lua/oauth/google.lua
@@ -25,15 +25,19 @@ local request = require "lib/request"
 local utils = require "lib/utils"
 local redis = require "lib/redis"
 
-local _M = {} 
+local _M = {}
 function _M.process (dataStore, token)
 
-  local result = dataStore:getOAuthToken(dataStore, 'google', token) 
-  
+  local result = dataStore:getOAuthToken('google', token)
+
   local httpc = http.new()
-  if result ~= ngx.null then 
-    return cjson.decode(result)
-  end 
+  if result ~= ngx.null then
+    json_resp = cjson.decode(result)
+    ngx.header['X-OIDC-Sub'] = json_resp['sub']
+    ngx.header['X-OIDC-Email'] = json_resp['email']
+    ngx.header['X-OIDC-Scope'] = json_resp['scope']
+    return json_resp
+  end
 
   local request_options = {
     headers = {
@@ -41,7 +45,7 @@ function _M.process (dataStore, token)
     },
     ssl_verify = false
   }
-  
+
   local envUrl = os.getenv('TOKEN_GOOGLE_URL')
   envUrl = envUrl ~= nil and envUrl or 'https://www.googleapis.com/oauth2/v3/tokeninfo'
   local request_uri = utils.concatStrings({envUrl, "?access_token=", token})
@@ -52,15 +56,18 @@ function _M.process (dataStore, token)
     request.err(500, 'OAuth provider error.')
     return nil
   end
-  local json_resp = cjson.decode(res.body) 
-  if json_resp['error_description'] ~= nil then 
+  local json_resp = cjson.decode(res.body)
+  if json_resp['error_description'] ~= nil then
     return nil
   end
-  
+
   dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), json_resp['expires'])
   -- convert Google's response
   -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
+  ngx.header['X-OIDC-Sub'] = json_resp['sub']
+  ngx.header['X-OIDC-Email'] = json_resp['email']
+  ngx.header['X-OIDC-Scope'] = json_resp['scope']
   return json_resp
 end
 
-return _M 
+return _M
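Review bot: The three `ngx.header[...]` assignments now appear twice in `_M.process`, once in the cache-hit branch of the first hunk and once here before `return json_resp`, so the set of identity headers has to be kept in sync by hand across both paths (github.lua in this PR has the same duplication with its two headers). A private module-level helper that both paths call keeps the header list in one place and gives it a single comment explaining what downstream consumers rely on. The comment pair `-- convert Google's response` / `-- Read more about the fields at ...` would then sit next to the helper rather than between the save call and the headers.

```lua
-- Expose the verified identity to downstream handlers; called from both the
-- cache-hit and the fresh-lookup paths of _M.process.
local function set_identity_headers(json_resp)
  ngx.header['X-OIDC-Sub'] = json_resp['sub']
  ngx.header['X-OIDC-Email'] = json_resp['email']
  ngx.header['X-OIDC-Scope'] = json_resp['scope']
end

-- … unchanged: _M.process, with each three-line ngx.header block replaced by set_identity_headers(json_resp) …
```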
diff --git a/scripts/lua/policies/security/apiKey.lua b/scripts/lua/policies/security/apiKey.lua
index 2746619..f462abb 100644
--- a/scripts/lua/policies/security/apiKey.lua
+++ b/scripts/lua/policies/security/apiKey.lua
@@ -76,7 +76,10 @@ function processWithHashFunction(dataStore, securityObj, hashFunction)
   local name = (securityObj.name == nil) and ((securityObj.header == nil) and 'x-api-key' or securityObj.header) or securityObj.name
   local queryString = ngx.req.get_uri_args()
   local location = (securityObj.location == nil) and 'header' or securityObj.location
+-- backwards compatible with "header" argument for name value. "name" argument takes precedent if both provided
+  local name = (securityObj.name == nil and securityObj.header == nil) and 'x-api-key' or (securityObj.name or securityObj.header)
   local apiKey = nil
+
   if location == "header" then
     apiKey = ngx.var[utils.concatStrings({'http_', name}):gsub("-", "_")]
   end
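Review bot: `local name` is now declared twice in the same scope of processWithHashFunction — the original line above `local queryString` and the new line under the backwards-compatibility comment — so the first declaration is dead and the second shadows it (luacheck reports this as a redefinition). The two expressions are equivalent, so the fix is to delete the original `local name = (securityObj.name == nil) and ((securityObj.header == nil) and 'x-api-key' or securityObj.header) or securityObj.name` line, keep the new one with its comment, and indent that comment to match the surrounding code. processWithHashFunction continues outside the hunk.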
diff --git a/scripts/lua/policies/security/clientSecret.lua b/scripts/lua/policies/security/clientSecret.lua
index af865af..17e8003 100644
--- a/scripts/lua/policies/security/clientSecret.lua
+++ b/scripts/lua/policies/security/clientSecret.lua
@@ -53,7 +53,6 @@ function processWithHashFunction(dataStore, securityObj, hashFunction)
   local queryString = ngx.req.get_uri_args()
   local location = (securityObj.location == nil) and 'header' or securityObj.location
   local clientId = nil
-  local clientSecret = nil
 
   -- allow support for custom names in query or header
   local clientIdName = (securityObj.idFieldName == nil) and 'X-Client-ID' or securityObj.idFieldName
@@ -72,12 +71,7 @@ function processWithHashFunction(dataStore, securityObj, hashFunction)
 -- allow support for custom names in query or header
   local clientSecretName = (securityObj.secretFieldName == nil) and 'X-Client-Secret' or securityObj.secretFieldName
   _G.clientSecretName = clientSecretName:lower()
-  if location == "header" then
-    clientSecret = ngx.var[utils.concatStrings({'http_', clientSecretName}):gsub("-","_")]
-  end
-  if location == "query" then
-    clientSecret = queryString[clientSecretName]
-  end
+  clientSecret = ngx.var[utils.concatStrings({'http_', clientSecretName}):gsub("-","_")]
 -- if they didn't supply whatever name this is configured to require, error out
   if clientSecret == nil or clientSecret == '' then
     request.err(401, clientSecretName .. " required")
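Review bot: `clientSecret = ngx.var[...]` now assigns an undeclared variable, because the first hunk of this file removed `local clientSecret = nil`, so the client secret is written into the worker's global Lua environment and stays there after the request instead of living in processWithHashFunction's scope. The line should read `local clientSecret = ngx.var[utils.concatStrings({'http_', clientSecretName}):gsub("-","_")]`. Note also that `location` still selects header or query for the client id earlier in the function while the secret is now read from the header regardless of `location`; if that asymmetry is intended, a one-line comment at the assignment stating that the secret is deliberately header-only would keep the next reader from "fixing" it. processWithHashFunction continues outside the hunk.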
diff --git a/scripts/lua/policies/security/oauth2.lua b/scripts/lua/policies/security/oauth2.lua
index ecd62cf..eebf536 100644
--- a/scripts/lua/policies/security/oauth2.lua
+++ b/scripts/lua/policies/security/oauth2.lua
@@ -74,7 +74,7 @@ function exchange(dataStore, token, provider)
       print("error loading provider.")
       return nil
     end
-   
+
     local result = impl.process(dataStore, token)
     if result == nil then
       request.err('401', 'OAuth token didn\'t work or provider doesn\'t support OpenID connect')


 
