You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@openwhisk.apache.org by GitBox <gi...@apache.org> on 2017/11/17 19:46:51 UTC
[GitHub] houshengbo closed pull request #264: Check for expired oauth tokens
houshengbo closed pull request #264: Check for expired oauth tokens
URL: https://github.com/apache/incubator-openwhisk-apigateway/pull/264
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/scripts/lua/oauth/app-id.lua b/scripts/lua/oauth/app-id.lua
index e0d15ef..7b5af21 100644
--- a/scripts/lua/oauth/app-id.lua
+++ b/scripts/lua/oauth/app-id.lua
@@ -55,10 +55,17 @@ function _M.process(dataStore, token, securityObj)
request.err(401, 'AppId key signature verification failed.')
return nil
end
- jwt_obj = cjson.decode(cjose.getJWSInfo(token))
+ local jwt_obj = cjson.decode(cjose.getJWSInfo(token))
+ local expireTime = jwt_obj['exp']
+ if expireTime < os.time() then
+ request.err(401, 'Access token expired.')
+ return nil
+ end
ngx.header['X-OIDC-Email'] = jwt_obj['email']
ngx.header['X-OIDC-Sub'] = jwt_obj['sub']
- dataStore:saveOAuthToken('appId', token, cjson.encode(jwt_obj), jwt_obj['exp'])
+ -- keep token in cache until it expires
+ local ttl = expireTime - os.time()
+ dataStore:saveOAuthToken('appId', token, cjson.encode(jwt_obj), ttl)
return jwt_obj
end
diff --git a/scripts/lua/oauth/facebook.lua b/scripts/lua/oauth/facebook.lua
index 2de6f09..f23ddf9 100644
--- a/scripts/lua/oauth/facebook.lua
+++ b/scripts/lua/oauth/facebook.lua
@@ -30,11 +30,7 @@ function _M.process(dataStore, token)
return nil
end
- local result = dataStore:getOAuthToken('facebook', token)
- if result ~= ngx.null then
- return cjson.decode(result)
- end
- result = dataStore:getOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}))
+ local result = dataStore:getOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}))
if result ~= ngx.null then
return cjson.decode(result)
end
@@ -64,13 +60,16 @@ function exchangeOAuthToken(dataStore, token, facebookAppToken)
return
end
local json_resp = cjson.decode(res.body)
+ if json_resp['error'] ~= nil then
+ return nil
+ end
if (json_resp['error']) then
return nil
end
- -- convert Facebook's response
- -- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
- dataStore:saveOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}), cjson.encode(json_resp), json_resp['expires_at'])
+ -- keep token in cache until it expires
+ local ttl = json_resp.data['expires_at'] - os.time()
+ dataStore:saveOAuthToken('facebook', utils.concatStrings({token, facebookAppToken}), cjson.encode(json_resp), ttl)
return json_resp
end
diff --git a/scripts/lua/oauth/github.lua b/scripts/lua/oauth/github.lua
index aa7035e..f4f2e9b 100644
--- a/scripts/lua/oauth/github.lua
+++ b/scripts/lua/oauth/github.lua
@@ -58,7 +58,9 @@ function _M.process(dataStore, token)
return nil
end
- dataStore:saveOAuthToken('github', token, cjson.encode(json_resp))
+ -- Github tokens do not expire; keep token in cache and clean up after 7 days
+ local ttl = 604800
+ dataStore:saveOAuthToken('github', token, cjson.encode(json_resp), ttl)
-- convert Github's response
-- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
return json_resp
diff --git a/scripts/lua/oauth/google.lua b/scripts/lua/oauth/google.lua
index 78f48dd..b6892b3 100644
--- a/scripts/lua/oauth/google.lua
+++ b/scripts/lua/oauth/google.lua
@@ -58,7 +58,9 @@ function _M.process (dataStore, token)
return nil
end
- dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), json_resp['expires'])
+ -- keep token in cache until it expires
+ local ttl = json_resp['expires_in']
+ dataStore:saveOAuthToken('google', token, cjson.encode(json_resp), ttl)
-- convert Google's response
-- Read more about the fields at: https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo
ngx.header['X-OIDC-Sub'] = json_resp['sub']
diff --git a/tests/scripts/lua/security.lua b/tests/scripts/lua/security.lua
index 2b8cf52..89533fd 100644
--- a/tests/scripts/lua/security.lua
+++ b/tests/scripts/lua/security.lua
@@ -237,33 +237,6 @@ describe('OAuth security module', function()
assert.same(red:exists('oauth:providers:mock:tokens:bad'), 0)
assert.falsy(result)
end)
- it('Loads a facebook token from the cache without a valid app id', function()
- local red = fakeredis.new()
- local ds = require "lib/dataStore"
- local dataStore = ds.initWithDriver(red)
- local token = "test"
- local ngxattrs = [[
- {
- "http_Authorization":"]] .. token .. [[",
- "http_x_facebook_app_token":"nothing",
- "tenant":"1234",
- "gatewayPath":"v1/test"
- }
- ]]
- local ngx = fakengx.new()
- ngx.var = cjson.decode(ngxattrs)
- _G.ngx = ngx
- local securityObj = [[
- {
- "type":"oauth2",
- "provider":"facebook",
- "scope":"resource"
- }
- ]]
- red:set('oauth:providers:facebook:tokens:test', '{ "token":"good"}')
- local result = oauth.process(dataStore, cjson.decode(securityObj))
- assert.truthy(result)
- end)
it('Loads a facebook token from the cache with a valid app id', function()
local red = fakeredis.new()
local ds = require "lib/dataStore"
diff --git a/tools/travis/build.sh b/tools/travis/build.sh
index 8b5dbaf..a9654bf 100755
--- a/tools/travis/build.sh
+++ b/tools/travis/build.sh
@@ -57,4 +57,4 @@ TERM=dumb ./gradlew tests:test --tests apigw.healthtests.* ${WSK_TESTS_DEPS_EXCL
sleep 60
TERM=dumb ./gradlew tests:test --tests whisk.core.apigw.* ${WSK_TESTS_DEPS_EXCLUDE}
sleep 60
-TERM=dumb ./gradlew tests:test --tests whisk.core.cli.test.ApiGwTests ${WSK_TESTS_DEPS_EXCLUDE}
+TERM=dumb ./gradlew tests:test --tests whisk.core.cli.test.ApiGwRestTests ${WSK_TESTS_DEPS_EXCLUDE}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services