Posted to commits@openwhisk.apache.org by ho...@apache.org on 2017/11/17 19:46:48 UTC

[incubator-openwhisk-apigateway] branch master updated: Check for expired oauth tokens (#264)

This is an automated email from the ASF dual-hosted git repository.

houshengbo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk-apigateway.git


The following commit(s) were added to refs/heads/master by this push:
     new 25e495e  Check for expired oauth tokens (#264)
25e495e is described below

commit 25e495e0d86b5540989f2bd0005d6cf640395c92
Author: Alex Song <al...@gmail.com>
AuthorDate: Fri Nov 17 14:46:46 2017 -0500

    Check for expired oauth tokens (#264)
---
 scripts/lua/oauth/app-id.lua   | 11 +++++++++--
 scripts/lua/oauth/facebook.lua | 15 +++++++--------
 scripts/lua/oauth/github.lua   |  4 +++-
 scripts/lua/oauth/google.lua   |  4 +++-
 tests/scripts/lua/security.lua | 27 ---------------------------
 tools/travis/build.sh          |  2 +-
 6 files changed, 23 insertions(+), 40 deletions(-)

diff --git a/scripts/lua/oauth/app-id.lua b/scripts/lua/oauth/app-id.lua
index e0d15ef..7b5af21 100644
--- a/scripts/lua/oauth/app-id.lua
+++ b/scripts/lua/oauth/app-id.lua
@@ -55,10 +55,17 @@ function _M.process(dataStore, token, securityObj)
     request.err(401, 'AppId key signature verification failed.')
     return nil
   end
-  jwt_obj = cjson.decode(cjose.getJWSInfo(token))
+  local jwt_obj = cjson.decode(cjose.getJWSInfo(token))
+  local expireTime = jwt_obj['exp']
+  if expireTime < os.time() then
+    request.err(401, 'Access token expired.')
+    return nil
+  end
   ngx.header['X-OIDC-Email'] = jwt_obj['email']
   ngx.header['X-OIDC-Sub'] = jwt_obj['sub']
-  dataStore:saveOAuthToken('appId', token, cjson.encode(jwt_obj), jwt_obj['exp'])
+  -- keep token in cache until it expires
+  local ttl = expireTime - os.time()
+  dataStore:saveOAuthToken('appId', token, cjson.encode(jwt_obj), ttl)
   return jwt_obj
 end
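Review bot: The new `if expireTime < os.time() then` raises a Lua error when the JWT carries no `exp` claim, because `jwt_obj['exp']` is then nil and nil cannot be compared with a number; on the request path that surfaces as a 500 rather than the 401 the branch intends, so a missing claim should be treated as a rejection: `if expireTime == nil or expireTime < os.time() then`. Reading `os.time()` twice also lets a token whose `exp` equals the current second pass the check and be cached with a `ttl` of 0 (or a negative one if the clock ticks between the two calls); reading the clock once into a local and requiring `expireTime > now` avoids that edge, which matters if saveOAuthToken forwards ttl to a store expiry that rejects non-positive values — confirm against lib/dataStore. _M.process begins before this hunk.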
 
diff --git a/scripts/lua/oauth/facebook.lua b/scripts/lua/oauth/facebook.lua
index 2de6f09..f23ddf9 100644
--- a/scripts/lua/oauth/facebook.lua
+++ b/scripts/lua/oauth/facebook.lua
@@ -30,11 +30,7 @@ function _M.process(dataStore, token)
     return nil
   end
 
-  local result = dataStore:getOAuthToken('facebook', token)
-  if result ~= ngx.null then
-    return cjson.decode(result)
-  end
-  result = dataStore:getOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}))
+  local result = dataStore:getOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}))
   if result ~= ngx.null then
     return cjson.decode(result)
   end
@@ -64,13 +60,16 @@ function exchangeOAuthToken(dataStore, token, facebookAppToken)
     return
   end
   local json_resp = cjson.decode(res.body)
+  if json_resp['error'] ~= nil then
+    return nil
+  end
 
   if (json_resp['error']) then
     return nil
   end
-  -- convert Facebook's response
-  -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
-  dataStore:saveOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}), cjson.encode(json_resp), json_resp['expires_at'])
+  -- keep token in cache until it expires
+  local ttl = json_resp.data['expires_at'] - os.time()
+  dataStore:saveOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}), cjson.encode(json_resp), ttl)
   return json_resp
 end
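Review bot: The added `if json_resp['error'] ~= nil then return nil end` duplicates the existing `if (json_resp['error']) then return nil end` three lines below it; one of the two should go. More importantly, `json_resp.data['expires_at'] - os.time()` indexes `data` and subtracts without checking that either exists, so a response without `data` or with a non-numeric `expires_at` raises instead of rejecting the token, and unlike the app-id hunk an already-expired token (negative ttl) is still cached and returned to the caller. I would read the expiry once, reject when it is missing or not in the future, and cache only after that; if the provider signals a never-expiring token with a zero or absent `expires_at` (confirm), that case needs an explicit branch with a fixed cache TTL as in the github hunk rather than a negative ttl. exchangeOAuthToken begins before this hunk.
```lua
  local json_resp = cjson.decode(res.body)
  if json_resp['error'] ~= nil then
    return nil
  end
  -- reject a response with no usable expiry or one that is already in the past
  local expires_at = json_resp.data and json_resp.data['expires_at']
  if type(expires_at) ~= 'number' or expires_at <= os.time() then
    return nil
  end
  -- keep token in cache until it expires
  local ttl = expires_at - os.time()
  dataStore:saveOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}), cjson.encode(json_resp), ttl)
  return json_resp
```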
 
diff --git a/scripts/lua/oauth/github.lua b/scripts/lua/oauth/github.lua
index aa7035e..f4f2e9b 100644
--- a/scripts/lua/oauth/github.lua
+++ b/scripts/lua/oauth/github.lua
@@ -58,7 +58,9 @@ function _M.process(dataStore, token)
     return nil
   end
 
-  dataStore:saveOAuthToken('github', token, cjson.encode(json_resp))
+  -- Github tokens do not expire; keep token in cache and clean up after 7 days
+  local ttl = 604800
+  dataStore:saveOAuthToken('github', token, cjson.encode(json_resp), ttl)
   -- convert Github's response
   -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
   return json_resp
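Review bot: `local ttl = 604800` is a bare magic number; spell it as `local ttl = 7 * 24 * 60 * 60 -- seconds` (or a module-level constant) so the comment above it and the value cannot drift apart. The comment should also state the trade-off the value encodes: because the introspection result is cached, a token revoked at GitHub keeps being accepted by the gateway until the cache entry lapses, i.e. for up to seven days, and a shorter TTL bounds that window at the cost of more upstream calls. _M.process begins before this hunk and continues past it.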
diff --git a/scripts/lua/oauth/google.lua b/scripts/lua/oauth/google.lua
index 78f48dd..b6892b3 100644
--- a/scripts/lua/oauth/google.lua
+++ b/scripts/lua/oauth/google.lua
@@ -58,7 +58,9 @@ function _M.process (dataStore, token)
     return nil
   end
 
-  dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), json_resp['expires'])
+  -- keep token in cache until it expires
+  local ttl = json_resp['expires_in']
+  dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), ttl)
   -- convert Google's response
   -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
   ngx.header['X-OIDC-Sub'] = json_resp['sub']
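Review bot: `local ttl = json_resp['expires_in']` is passed straight to saveOAuthToken with no check that it is present or numeric, so a response lacking the field caches the token with a nil ttl exactly as the old `json_resp['expires']` line did, and a string-valued `expires_in` (some tokeninfo endpoints serialise numbers as strings — confirm against the endpoint this module calls) would reach the store unconverted. Normalise and guard it: `local ttl = tonumber(json_resp['expires_in'])` followed by `if ttl == nil or ttl <= 0 then return nil end`, mirroring the expiry rejection the app-id hunk adds. _M.process begins before this hunk and continues past it.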
diff --git a/tests/scripts/lua/security.lua b/tests/scripts/lua/security.lua
index 2b8cf52..89533fd 100644
--- a/tests/scripts/lua/security.lua
+++ b/tests/scripts/lua/security.lua
@@ -237,33 +237,6 @@ describe('OAuth security module', function()
     assert.same(red:exists('oauth:providers:mock:tokens:bad'), 0)
     assert.falsy(result)
   end)
-  it('Loads a facebook token from the cache without a valid app id', function()
-    local red = fakeredis.new()
-    local ds = require "lib/dataStore"
-    local dataStore = ds.initWithDriver(red)
-    local token = "test"
-    local ngxattrs = [[
-      {
-        "http_Authorization":"]] .. token .. [[",
-        "http_x_facebook_app_token":"nothing",
-        "tenant":"1234",
-        "gatewayPath":"v1/test"
-      }
-    ]]
-    local ngx = fakengx.new()
-    ngx.var = cjson.decode(ngxattrs)
-    _G.ngx = ngx
-    local securityObj = [[
-      {
-        "type":"oauth2",
-        "provider":"facebook",
-        "scope":"resource"
-      }
-    ]]
-    red:set('oauth:providers:facebook:tokens:test', '{ "token":"good"}')
-    local result = oauth.process(dataStore, cjson.decode(securityObj))
-    assert.truthy(result)
-  end)
   it('Loads a facebook token from the cache with a valid app id', function()
     local red = fakeredis.new()
     local ds = require "lib/dataStore"
diff --git a/tools/travis/build.sh b/tools/travis/build.sh
index 8b5dbaf..a9654bf 100755
--- a/tools/travis/build.sh
+++ b/tools/travis/build.sh
@@ -57,4 +57,4 @@ TERM=dumb ./gradlew tests:test --tests apigw.healthtests.* ${WSK_TESTS_DEPS_EXCL
 sleep 60
 TERM=dumb ./gradlew tests:test --tests whisk.core.apigw.* ${WSK_TESTS_DEPS_EXCLUDE}
 sleep 60
-TERM=dumb ./gradlew tests:test --tests whisk.core.cli.test.ApiGwTests ${WSK_TESTS_DEPS_EXCLUDE}
+TERM=dumb ./gradlew tests:test --tests whisk.core.cli.test.ApiGwRestTests ${WSK_TESTS_DEPS_EXCLUDE}

-- 