You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@openwhisk.apache.org by mh...@apache.org on 2019/09/06 03:53:04 UTC
[openwhisk-apigateway] branch appid-fixes created (now 9fb765a)
This is an automated email from the ASF dual-hosted git repository.
mhamann pushed a change to branch appid-fixes
in repository https://gitbox.apache.org/repos/asf/openwhisk-apigateway.git.
at 9fb765a Fix App ID bug, add unit tests
This branch includes the following new commits:
new 9fb765a Fix App ID bug, add unit tests
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[openwhisk-apigateway] 01/01: Fix App ID bug, add unit tests
Posted by mh...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
mhamann pushed a commit to branch appid-fixes
in repository https://gitbox.apache.org/repos/asf/openwhisk-apigateway.git
commit 9fb765a51eccb3e01d9ad413814f730e79c72832
Author: Matt Hamann <mh...@us.ibm.com>
AuthorDate: Thu Sep 5 23:52:14 2019 -0400
Fix App ID bug, add unit tests
---
Dockerfile.test.unit | 48 ++++++++++++++++++++++++++++++------------
Makefile | 4 ----
scripts/lua/oauth/app-id.lua | 11 +++++-----
tests/install-deps.sh | 32 ----------------------------
tests/run-tests.sh | 4 ++++
tests/scripts/lua/security.lua | 42 ++++++++++++++++++++++++++++++++++++
tests/set_paths.lua | 2 ++
7 files changed, 89 insertions(+), 54 deletions(-)
diff --git a/Dockerfile.test.unit b/Dockerfile.test.unit
index 7038c9f..3c3df02 100644
--- a/Dockerfile.test.unit
+++ b/Dockerfile.test.unit
@@ -17,28 +17,24 @@
# apigateway
#
-# VERSION 1.13.6.1
+# VERSION 1.15.8.2
#
-# From https://hub.docker.com/_/alpine/
+# From https://hub.docker.com/_/openresty/
#
-FROM alpine:3.9
+FROM openresty/openresty:1.15.8.2-1-alpine-fat
ENV CJOSE_VERSION=0.5.1
+ENV RAN_VERSION=v0.1.4
+ENV STEP_VERSION=0.11.0
RUN apk update && \
apk add \
- gcc tar zlib wget make musl-dev g++ curl \
- libtool readline luajit luajit-dev unzip \
+ gcc tar zlib zlib-dev wget make musl-dev g++ curl \
+ libtool readline luajit luajit-dev unzip coreutils \
openssl openssl-dev git jansson jansson-dev
WORKDIR /tmp
-RUN wget https://luarocks.org/releases/luarocks-3.1.3.tar.gz && \
- tar zxpf luarocks-3.1.3.tar.gz && \
- cd luarocks-3.1.3 && \
- ./configure && \
- make build && \
- make install
RUN echo " ... installing cjose ... " \
&& mkdir -p /tmp/api-gateway \
@@ -49,9 +45,35 @@ RUN echo " ... installing cjose ... " \
&& make && make install \
&& rm -rf /tmp/api-gateway
-COPY . /etc/api-gateway
+RUN echo " ... installing step cli ... " \
+ && mkdir -p /tmp/step \
+ && curl -L https://github.com/smallstep/cli/releases/download/v${STEP_VERSION}/step_${STEP_VERSION}_linux_amd64.tar.gz -o /tmp/step/step_${STEP_VERSION}.tar.gz \
+ && tar -xf /tmp/step/step_${STEP_VERSION}.tar.gz -C /tmp/step \
+ && cd /tmp/step/step_${STEP_VERSION} \
+ && mv ./bin/step /usr/bin/step
+
+RUN echo " ... generating JWK/JWT ... " \
+ && step crypto jwk create /tmp/pub.jwk.json /tmp/prv.jwk.json -f --insecure --no-password --kty RSA --kid test-jwk \
+ && cat /tmp/pub.jwk.json | step crypto jwk keyset add /tmp/jwk.json \
+ && export JWT_EXPIRY=$(date -d "+10 days" +%s) \
+ && echo '{"email":"testuser@openwhisk.apache.org"}' | step crypto jwt sign --iss https://openwhisk.apache.org/apigateway --sub "test user" --exp $JWT_EXPIRY --aud tests --key /tmp/prv.jwk.json > /tmp/token.jwt
+RUN mkdir -p /etc/api-gateway/tests
WORKDIR /etc/api-gateway/tests
-RUN ./install-deps.sh
+
+# Install Lua dependencies
+RUN luarocks install busted \
+ && luarocks install luacov \
+ && mkdir -p lua_modules \
+ && luarocks install --tree=lua_modules lua-cjson \
+ && luarocks install --tree=lua_modules luasocket \
+ && luarocks install --tree=lua_modules sha1 \
+ && luarocks install --tree=lua_modules md5 \
+ && luarocks install --tree=lua_modules net-url \
+ && luarocks install --tree=lua_modules luafilesystem \
+ && luarocks install --tree=lua_modules lua-resty-http 0.10 \
+ && luarocks install --tree=lua_modules https://github.com/mhamann/lua-resty-cjose/raw/master/lua-resty-cjose-0.5-0.rockspec
+
+COPY . /etc/api-gateway
CMD sh run-tests.sh
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 55e5e01..3d0a5d8 100644
--- a/Makefile
+++ b/Makefile
@@ -34,10 +34,6 @@ docker:
docker-ssh:
docker run -ti --entrypoint='bash' ${RUNTIME}
-.PHONY: test-build
-test-build:
- cd tests; ./install-deps.sh
-
.PHONY: profile-build
profile-build:
./build_profiling.sh
diff --git a/scripts/lua/oauth/app-id.lua b/scripts/lua/oauth/app-id.lua
index a756f64..b594def 100644
--- a/scripts/lua/oauth/app-id.lua
+++ b/scripts/lua/oauth/app-id.lua
@@ -14,7 +14,6 @@
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
-
local request = require 'lib/request'
local cjson = require 'cjson'
local utils = require 'lib/utils'
@@ -29,6 +28,7 @@ local function inject_req_headers(token_obj)
end
local function fetchJWKs(tenantId)
+ local httpc = http.new()
local keyUrl = utils.concatStrings({APPID_PKURL, tenantId, '/publickeys'})
local request_options = {
headers = {
@@ -42,7 +42,6 @@ end
function _M.process(dataStore, token, securityObj)
local cache_key = 'appid_' .. securityObj.tenantId
local result = dataStore:getOAuthToken(cache_key, token)
- local httpc = http.new()
local token_obj
-- Was the token in the cache?
@@ -53,9 +52,10 @@ function _M.process(dataStore, token, securityObj)
end
-- Cache miss. Proceed to validate the token
- local res, err = fetchJWKs
- if err or res.status ~= 200 then
+ local res, err = fetchJWKs(securityObj.tenantId)
+ if err ~= nil or not res or res.status ~= 200 then
request.err(500, 'An error occurred while fetching the App ID JWK configuration: ' .. err or res.body)
+ return nil
end
local key
@@ -81,7 +81,8 @@ function _M.process(dataStore, token, securityObj)
-- keep token in cache until it expires
local ttl = expireTime - os.time()
- dataStore:saveOAuthToken(cache_key, token, cjson.encode(token_obj), ttl)
+ local encodedToken = cjson.encode(token_obj)
+ dataStore:saveOAuthToken(cache_key, token, encodedToken, ttl)
return token_obj
end
diff --git a/tests/install-deps.sh b/tests/install-deps.sh
deleted file mode 100755
index 156cb3f..0000000
--- a/tests/install-deps.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# Install global dependencies
-luarocks install busted
-luarocks install luacov
-# Install test dependencies
-mkdir -p lua_modules
-luarocks install --tree=lua_modules lua-cjson
-luarocks install --tree=lua_modules luabitop
-luarocks install --tree=lua_modules luasocket
-luarocks install --tree=lua_modules sha1
-luarocks install --tree=lua_modules md5
-luarocks install --tree=lua_modules net-url
-luarocks install --tree=lua_modules luafilesystem
-luarocks install --tree=lua_modules lua-resty-http 0.10
-luarocks install --tree=lua_modules https://github.com/mhamann/lua-resty-cjose/raw/master/lua-resty-cjose-0.5-0.rockspec
diff --git a/tests/run-tests.sh b/tests/run-tests.sh
index 3a90230..817f831 100755
--- a/tests/run-tests.sh
+++ b/tests/run-tests.sh
@@ -16,5 +16,9 @@
# limitations under the License.
#
+# Grab pre-generated JWT for use in tests
+export OAUTH_TEST_JWT=$(cat /tmp/token.jwt)
+export OAUTH_TEST_JWK=$(cat /tmp/jwk.json)
+
# Run unit tests
busted --output=TAP --helper=set_paths --pattern=.lua scripts
diff --git a/tests/scripts/lua/security.lua b/tests/scripts/lua/security.lua
index e449ff9..59b244e 100644
--- a/tests/scripts/lua/security.lua
+++ b/tests/scripts/lua/security.lua
@@ -269,6 +269,48 @@ describe('OAuth security module', function()
local result = oauth.process(dataStore, cjson.decode(securityObj))
assert.truthy(result)
end)
+
+ it('Successfully fetches App ID JWK keys and validates token', function()
+ local red = fakeredis.new()
+ -- Mock red.expire w/ a no-op to avoid a seg fault
+ red.expire = function(arg)
+ return {}, nil
+ end
+ local ds = require "lib/dataStore"
+ local dataStore = ds.initWithDriver(red)
+ local token = os.getenv("OAUTH_TEST_JWT")
+ local appid = "app"
+ local ngxattrs = [[
+ {
+ "http_Authorization":"]] .. token .. [[",
+ "tenant":"1234",
+ "gatewayPath":"v1/test"
+ }
+ ]]
+ local ngx = fakengx.new()
+ ngx.config = { ngx_lua_version = 'test' }
+ ngx.var = cjson.decode(ngxattrs)
+ _G.ngx = ngx
+ -- Mock http lib request to return the "right" values
+ local http = require 'resty.http'
+ http.request_uri = function (url, params)
+ local res = {}
+ res.status = 200
+ res.body = os.getenv("OAUTH_TEST_JWK")
+ return res, nil
+ end
+
+ local securityObj = [[
+ {
+ "type":"oauth2",
+ "provider":"app-id",
+ "tenantId": "tenant1",
+ "scope":"api"
+ }
+ ]]
+ local result = oauth.process(dataStore, cjson.decode(securityObj))
+ assert.truthy(result)
+ end)
end)
describe('Client Secret Module', function()
local clientSecret = require 'policies/security/clientSecret'
diff --git a/tests/set_paths.lua b/tests/set_paths.lua
index 352cc91..470858a 100644
--- a/tests/set_paths.lua
+++ b/tests/set_paths.lua
@@ -21,9 +21,11 @@ local f = assert(io.popen('pwd', 'r'))
local pwd = assert(f:read('*a')):sub(1, -2)
f:close()
package.path = package.path ..
+ ';' .. '/usr/local/openresty/lualib/?.lua' ..
';' .. pwd .. '/lua_modules/share/lua/' .. version .. '/?.lua' ..
';' .. pwd .. '/lua_modules/share/lua/' .. version .. '/?/init.lua' ..
';' .. pwd .. '/lua_modules/share/lua/' .. version .. '/net/?.lua' ..
';' .. pwd .. '/../scripts/lua/?.lua'
package.cpath = package.cpath ..
+ ';' .. '/usr/local/openresty/lualib/?.so' ..
';' .. pwd .. '/lua_modules/lib/lua/' .. version .. '/?.so'