Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2017/12/15 02:03:52 UTC
[GitHub] mhamann closed pull request #231: No secret in header
mhamann closed pull request #231: No secret in header
URL: https://github.com/apache/incubator-openwhisk-apigateway/pull/231
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/scripts/lua/oauth/github.lua b/scripts/lua/oauth/github.lua
index 2335477..104e893 100644
--- a/scripts/lua/oauth/github.lua
+++ b/scripts/lua/oauth/github.lua
@@ -25,14 +25,17 @@ local redis = require "lib/redis"
local request = require "lib/request"
local cjson = require "cjson"
local utils = require "lib/utils"
-local _M = {}
+local _M = {}
function _M.process(dataStore, token)
- local result = dataStore:getOAuthToken('github', token)
- if result ~= ngx.null then
- return cjson.decode(result)
- end
-
+ local result = dataStore:getOAuthToken('github', token)
+ if result ~= ngx.null then
+ json_resp = cjson.decode(result)
+ ngx.header['X-OIDC-id'] = json_resp['id']
+ ngx.header['X-OIDC-Email'] = json_resp['email']
+ return json_resp
+ end
+
local request_options = {
headers = {
["Accept"] = "application/json"
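Review bot: `json_resp = cjson.decode(result)` on the new cached-token branch has no `local`, so it assigns a global; in ngx_lua a global written in a request handler persists in the worker's Lua VM after the request, so this decoded profile (id and email) stays readable by later requests on that worker, and the name also collides with the `local json_resp` declared further down in the same function. Change it to `local json_resp = cjson.decode(result)`. The same missing `local` is on the corresponding branch of google.lua in this PR (`json_resp = cjson.decode(result)` in its first hunk). `_M.process` continues past the end of this hunk.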
@@ -52,7 +55,7 @@ function _M.process(dataStore, token)
request.err(500, 'OAuth provider error.')
return
end
-
+
local json_resp = cjson.decode(res.body)
if json_resp.id == nil then
return nil
@@ -62,10 +65,12 @@ function _M.process(dataStore, token)
return nil
end
- dataStore:saveOAuthToken('github', token)
+ dataStore:saveOAuthToken('github', token, cjson.encode(json_resp))
-- convert Github's response
-- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
+ ngx.header['X-OIDC-id'] = json_resp['id']
+ ngx.header['X-OIDC-Email'] = json_resp['email']
return json_resp
end
-return _M
+return _M
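Review bot: `dataStore:saveOAuthToken('github', token, cjson.encode(json_resp))` now caches the decoded profile but passes no expiry, whereas the google.lua counterpart in this PR passes `json_resp['expires']` as a fourth argument; unless `saveOAuthToken` applies a default TTL, a GitHub token that is later revoked would keep validating from the cache — worth confirming against the datastore implementation. The two `ngx.header['X-OIDC-...']` assignments added here repeat the ones on the cached branch earlier in `_M.process`; a small file-local helper such as `local function set_oidc_headers(profile)` called from both branches would keep them from drifting apart (google.lua's last hunk has the same duplication). The header names also mix case (`X-OIDC-id` vs `X-OIDC-Email`); `X-OIDC-Id` would match the others. The start of `_M.process` is outside this hunk.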
diff --git a/scripts/lua/oauth/google.lua b/scripts/lua/oauth/google.lua
index 74f5454..c1b2011 100644
--- a/scripts/lua/oauth/google.lua
+++ b/scripts/lua/oauth/google.lua
@@ -25,15 +25,19 @@ local request = require "lib/request"
local utils = require "lib/utils"
local redis = require "lib/redis"
-local _M = {}
+local _M = {}
function _M.process (dataStore, token)
- local result = dataStore:getOAuthToken(dataStore, 'google', token)
-
+ local result = dataStore:getOAuthToken('google', token)
+
local httpc = http.new()
- if result ~= ngx.null then
- return cjson.decode(result)
- end
+ if result ~= ngx.null then
+ json_resp = cjson.decode(result)
+ ngx.header['X-OIDC-Sub'] = json_resp['sub']
+ ngx.header['X-OIDC-Email'] = json_resp['email']
+ ngx.header['X-OIDC-Scope'] = json_resp['scope']
+ return json_resp
+ end
local request_options = {
headers = {
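Review bot: The new early-return block for a cached token sits after `local httpc = http.new()`, so an HTTP client object is created on every request and discarded unused whenever the cache hits; moving the `if result ~= ngx.null then ... end` block above that line (or moving the `http.new()` call below it) avoids the wasted allocation and reads more naturally as a guard clause. `_M.process` continues beyond this hunk.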
@@ -41,7 +45,7 @@ function _M.process (dataStore, token)
},
ssl_verify = false
}
-
+
local envUrl = os.getenv('TOKEN_GOOGLE_URL')
envUrl = envUrl ~= nil and envUrl or 'https://www.googleapis.com/oauth2/v3/tokeninfo'
local request_uri = utils.concatStrings({envUrl, "?access_token=", token})
@@ -52,15 +56,18 @@ function _M.process (dataStore, token)
request.err(500, 'OAuth provider error.')
return nil
end
- local json_resp = cjson.decode(res.body)
- if json_resp['error_description'] ~= nil then
+ local json_resp = cjson.decode(res.body)
+ if json_resp['error_description'] ~= nil then
return nil
end
-
+
dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), json_resp['expires'])
-- convert Google's response
-- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
+ ngx.header['X-OIDC-Sub'] = json_resp['sub']
+ ngx.header['X-OIDC-Email'] = json_resp['email']
+ ngx.header['X-OIDC-Scope'] = json_resp['scope']
return json_resp
end
-return _M
+return _M
diff --git a/scripts/lua/policies/security/apiKey.lua b/scripts/lua/policies/security/apiKey.lua
index 2746619..f462abb 100644
--- a/scripts/lua/policies/security/apiKey.lua
+++ b/scripts/lua/policies/security/apiKey.lua
@@ -76,7 +76,10 @@ function processWithHashFunction(dataStore, securityObj, hashFunction)
local name = (securityObj.name == nil) and ((securityObj.header == nil) and 'x-api-key' or securityObj.header) or securityObj.name
local queryString = ngx.req.get_uri_args()
local location = (securityObj.location == nil) and 'header' or securityObj.location
+-- backwards compatible with "header" argument for name value. "name" argument takes precedent if both provided
+ local name = (securityObj.name == nil and securityObj.header == nil) and 'x-api-key' or (securityObj.name or securityObj.header)
local apiKey = nil
+
if location == "header" then
apiKey = ngx.var[utils.concatStrings({'http_', name}):gsub("-", "_")]
end
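Review bot: The added `local name = ...` redeclares a `name` that the unchanged line three above already declares with the same fallback logic, so the first declaration becomes dead code and the function carries two `name` locals in one scope (luacheck will report the shadowing). For nil/string config values the new expression is equivalent to a plain chain; replace both declarations with `local name = securityObj.name or securityObj.header or 'x-api-key'`, which reads exactly as the new comment describes (name takes precedence over header). The added comment is at column 0 while the surrounding code is indented; align it with the code. `processWithHashFunction` begins before this hunk.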
diff --git a/scripts/lua/policies/security/clientSecret.lua b/scripts/lua/policies/security/clientSecret.lua
index af865af..17e8003 100644
--- a/scripts/lua/policies/security/clientSecret.lua
+++ b/scripts/lua/policies/security/clientSecret.lua
@@ -53,7 +53,6 @@ function processWithHashFunction(dataStore, securityObj, hashFunction)
local queryString = ngx.req.get_uri_args()
local location = (securityObj.location == nil) and 'header' or securityObj.location
local clientId = nil
- local clientSecret = nil
-- allow support for custom names in query or header
local clientIdName = (securityObj.idFieldName == nil) and 'X-Client-ID' or securityObj.idFieldName
@@ -72,12 +71,7 @@ function processWithHashFunction(dataStore, securityObj, hashFunction)
-- allow support for custom names in query or header
local clientSecretName = (securityObj.secretFieldName == nil) and 'X-Client-Secret' or securityObj.secretFieldName
_G.clientSecretName = clientSecretName:lower()
- if location == "header" then
- clientSecret = ngx.var[utils.concatStrings({'http_', clientSecretName}):gsub("-","_")]
- end
- if location == "query" then
- clientSecret = queryString[clientSecretName]
- end
+ clientSecret = ngx.var[utils.concatStrings({'http_', clientSecretName}):gsub("-","_")]
-- if they didn't supply whatever name this is configured to require, error out
if clientSecret == nil or clientSecret == '' then
request.err(401, clientSecretName .. " required")
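Review bot: `clientSecret = ngx.var[...]` now assigns a global: the `local clientSecret = nil` declaration was removed in the previous hunk of this file and nothing re-declares it, so in ngx_lua the credential value persists in the worker's Lua VM after the request and can be observed by later requests on that worker, besides tripping luacheck. Write `local clientSecret = ngx.var[utils.concatStrings({'http_', clientSecretName}):gsub("-","_")]`. Since the query-string branch is gone, the unchanged comment above, `allow support for custom names in query or header`, is now stale for the secret and should say header only. `processWithHashFunction` starts before this hunk.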
diff --git a/scripts/lua/policies/security/oauth2.lua b/scripts/lua/policies/security/oauth2.lua
index ecd62cf..eebf536 100644
--- a/scripts/lua/policies/security/oauth2.lua
+++ b/scripts/lua/policies/security/oauth2.lua
@@ -74,7 +74,7 @@ function exchange(dataStore, token, provider)
print("error loading provider.")
return nil
end
-
+
local result = impl.process(dataStore, token)
if result == nil then
request.err('401', 'OAuth token didn\'t work or provider doesn\'t support OpenID connect')