Merge pull request #12 from ruiengana/master

added scope validation unit tests

.env

@@ -2,9 +2,9 @@ BUILD_IMG_NAME=nokia/kong-oidc
 INTEGRATION_PATH=test/docker/integration
 UNIT_PATH=test/docker/unit
 
-KONG_BASE_TAG=:2.2.1-centos
+KONG_BASE_TAG=:2.8.0-ubuntu
 KONG_TAG=
-KONG_DB_TAG=:12
+KONG_DB_TAG=:14
 KONG_DB_PORT=5432
 KONG_DB_USER=kong
 KONG_DB_PW=kong
@@ -13,7 +13,7 @@ KONG_SESSION_STORE_PORT=6379
 KONG_HTTP_PROXY_PORT=8000
 KONG_HTTP_ADMIN_PORT=8001
 
-KEYCLOAK_TAG=:4.8.3.Final
+KEYCLOAK_TAG=:16.1.1
 KEYCLOAK_PORT=8081
 KEYCLOAK_USER=admin
 KEYCLOAK_PW=password

kong/plugins/oidc/handler.lua

@@ -101,13 +101,13 @@ function make_oidc(oidcConfig)
 
   if err then
     if err == 'unauthorized request' then
-      utils.exit(ngx.HTTP_UNAUTHORIZED, err, ngx.HTTP_UNAUTHORIZED)
+      utils.exit(ngx.HTTP_UNAUTHORIZED, err)
     else
       if oidcConfig.recovery_page_path then
     	  ngx.log(ngx.DEBUG, "Redirecting to recovery page: " .. oidcConfig.recovery_page_path)
         ngx.redirect(oidcConfig.recovery_page_path)
       end
-      utils.exit(ngx.HTTP_INTERNAL_SERVER_ERROR, err, ngx.HTTP_INTERNAL_SERVER_ERROR)
+      utils.exit(ngx.HTTP_INTERNAL_SERVER_ERROR, err)
     end
   end
   return res
@@ -124,7 +124,7 @@ function introspect(oidcConfig)
     if err then
       if oidcConfig.bearer_only == "yes" then
         ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. oidcConfig.realm .. '",error="' .. err .. '"'
-        utils.exit(ngx.HTTP_UNAUTHORIZED, err, ngx.HTTP_UNAUTHORIZED)
+        utils.exit(ngx.HTTP_UNAUTHORIZED, err)
       end
       return nil
     end
@@ -139,7 +139,7 @@ function introspect(oidcConfig)
         end
       end
       if not validScope then
-        utils.exit(ngx.HTTP_FORBIDDEN,"Invalid scope",ngx.HTTP_FORBIDDEN)
+        utils.exit(ngx.HTTP_FORBIDDEN, 'Scope validation failed')
       end
     end
     ngx.log(ngx.DEBUG, "OidcHandler introspect succeeded, requested path: " .. ngx.var.request_uri)

kong/plugins/oidc/session.lua

@@ -6,7 +6,7 @@ function M.configure(config)
   if config.session_secret then
     local decoded_session_secret = ngx.decode_base64(config.session_secret)
     if not decoded_session_secret then
-      utils.exit(500, "invalid OIDC plugin configuration, session secret could not be decoded", ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR))
+      utils.exit(ngx.HTTP_INTERNAL_SERVER_ERROR, 'Invalid plugin configuration, session secret could not be decoded')
     end
     ngx.var.session_secret = decoded_session_secret
   end

kong/plugins/oidc/utils.lua

@@ -84,10 +84,10 @@ function M.get_options(config, ngx)
   }
 end
 
-function M.exit(httpStatusCode, message, ngxCode)
-  ngx.status = httpStatusCode
-  ngx.say(message)
-  ngx.exit(ngxCode)
+function M.exit(statusCode, message)
+  ngx.status = statusCode
+  kong.log.err(message)
+  ngx.exit(statusCode)
 end
 
 

test/docker/integration/Dockerfile

@@ -7,12 +7,13 @@ ENV LUA_PATH /usr/local/share/lua/5.1/?.lua;/usr/local/kong-oidc/?.lua;;
 ENV LUA_CPATH /usr/local/lib/lua/5.1/?.so;;
 
 # Install unzip for luarocks, gcc for lua-cjson
-RUN yum install -y unzip gcc curl 
+RUN apt update && apt install -y unzip gcc curl
 RUN luarocks install luacov
 RUN luarocks install luaunit
 RUN luarocks install lua-cjson
+RUN luarocks install luaossl OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong
 
 # Change openidc version when version in rockspec changes
-RUN luarocks install lua-resty-openidc 1.7.4-1
+RUN luarocks install lua-resty-openidc 1.7.5-1
 
 COPY . /usr/local/kong-oidc

test/docker/unit/Dockerfile

@@ -1,16 +1,20 @@
 ARG KONG_BASE_TAG
 FROM kong${KONG_BASE_TAG}
 USER root
+
 ENV LUA_PATH /usr/local/share/lua/5.1/?.lua;/usr/local/kong-oidc/?.lua
 # For lua-cjson
 ENV LUA_CPATH /usr/local/lib/lua/5.1/?.so
 
 # Install unzip for luarocks, gcc for lua-cjson
-RUN echo "ip_resolve=4" >> /etc/yum.conf && yum install -y unzip gcc
-# Change openidc version when version in rockspec changes
-RUN luarocks install lua-resty-openidc 1.7.4-1
+RUN apt update && apt install -y unzip gcc curl
 RUN luarocks install luacov
 RUN luarocks install luaunit
+RUN luarocks install lua-cjson
+RUN luarocks install luaossl OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong
+
+# Change openidc version when version in rockspec changes
+RUN luarocks install lua-resty-openidc 1.7.5-1
 
 WORKDIR /usr/local/kong-oidc
 

test/unit/mockable_case.lua

@@ -9,6 +9,8 @@ function MockableCase:setUp()
     DEBUG = "debug",
     ERR = "error",
     HTTP_UNAUTHORIZED = 401,
+    HTTP_FORBIDDEN = 403,
+    HTTP_INTERNAL_SERVER_ERROR = 500,
     ctx = {},
     header = {},
     var = {request_uri = "/"},

test/unit/test_handler_mocking_openidc.lua

@@ -214,14 +214,63 @@ function TestHandler:test_introspect_bearer_token_and_property_mapping()
   ngx.encode_base64 = function(x) return "x" end
 
   local headers = {}
-  ngx.req.set_header = function(h, v)
-    headers[h] = v
-  end
+  kong.service.request.set_header = function(name, value) headers[name] = value end
 
-  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", use_jwks = "yes", mappings = {'foo:X-Foo', 'incorrect', 'not:present'}})
+  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", use_jwks = "yes", disable_userinfo_header = "yes", header_names = {'X-Foo', 'present'}, header_claims = {'foo', 'not'}})
   lu.assertEquals(headers["X-Foo"], 'bar')
-  lu.assertTrue(self:log_contains("not present on token"))
-  lu.assertTrue(self:log_contains("Ignoring incorrect configuration"))
+  lu.assertNil(headers["present"])
+end
+
+function TestHandler:test_introspect_bearer_token_and_incorrect_property_mapping()
+  self.module_resty.openidc.bearer_jwt_verify = function(opts)
+    return {foo = "bar"}, false
+  end
+  ngx.req.get_headers = function() return {Authorization = "Bearer xxx"} end
+
+  ngx.encode_base64 = function(x) return "x" end
+
+  local headers = {}
+  kong.service.request.set_header = function(name, value) headers[name] = value end
+
+  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", use_jwks = "yes", disable_userinfo_header = "yes", header_names = {'X-Foo'}, header_claims = {'foo', 'incorrect'}})
+  lu.assertNil(headers["X-Foo"])
+end
+
+function TestHandler:test_introspect_bearer_token_and_scope_nok()
+  self.module_resty.openidc.bearer_jwt_verify = function(opts)
+    return {scope = "foo"}, false
+  end
+  ngx.req.get_headers = function() return {Authorization = "Bearer xxx"} end
+
+  ngx.encode_base64 = function(x) return "x" end
+
+  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", use_jwks = "yes", userinfo_header_name = "X-Userinfo", validate_scope = "yes", scope = "bar"})
+  lu.assertEquals(ngx.status, ngx.HTTP_FORBIDDEN)
+end
+
+function TestHandler:test_introspect_bearer_token_and_empty_scope_nok()
+  self.module_resty.openidc.bearer_jwt_verify = function(opts)
+    return {foo = "bar"}, false
+  end
+  ngx.req.get_headers = function() return {Authorization = "Bearer xxx"} end
+
+  ngx.encode_base64 = function(x) return "x" end
+
+  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", use_jwks = "yes", userinfo_header_name = "X-Userinfo", validate_scope = "yes", scope = "bar"})
+  lu.assertEquals(ngx.status, ngx.HTTP_FORBIDDEN)
+end
+
+function TestHandler:test_introspect_bearer_token_and_scope_ok()
+  self.module_resty.openidc.bearer_jwt_verify = function(opts)
+    return {scope = "foo bar"}, false
+  end
+  ngx.req.get_headers = function() return {Authorization = "Bearer xxx"} end
+
+  ngx.encode_base64 = function(x) return "x" end
+
+  self.handler:access({introspection_endpoint = "x", bearer_only = "yes", use_jwks = "yes", userinfo_header_name = "X-Userinfo", validate_scope = "yes", scope = "bar"})
+  lu.assertNotEquals(ngx.status, ngx.HTTP_FORBIDDEN)
+  lu.assertNotEquals(ngx.status, ngx.HTTP_INTERNAL_SERVER_ERROR)
 end
 
 lu.run()