Fixes gbbirkisson#38 Adapt the plugin to kong v3.0.0 breaking changes (…

…#6)

.dockerignore

@@ -4,7 +4,6 @@
 Dockerfile
 Makefile
 README.md
-Dockerfile
 
 # Byte-compiled / optimized / DLL files
 __pycache__/

Dockerfile

@@ -1,11 +1,15 @@
 ## Build plugin
 ARG KONG_VERSION
-FROM kong:${KONG_VERSION} as builder
+FROM docker.io/kong:${KONG_VERSION} as builder
 
 # Root needed to install dependencies
 USER root
 
-RUN apk --no-cache add zip
+# Starting from kong 3.2 they move from alpine to debian .. so conditional install logic is needed
+ARG DISTO_ADDONS="zip"
+RUN if [ -x "$(command -v apk)" ]; then apk add --no-cache $DISTO_ADDONS; \
+    elif [ -x "$(command -v apt-get)" ]; then apt-get update && apt-get install $DISTO_ADDONS; \
+    fi
 WORKDIR /tmp
 
 COPY ./*.rockspec /tmp
@@ -15,7 +19,7 @@ ARG PLUGIN_VERSION
 RUN luarocks make && luarocks pack kong-plugin-jwt-keycloak ${PLUGIN_VERSION}
 
 ## Create Image
-FROM kong:${KONG_VERSION}
+FROM docker.io/kong:${KONG_VERSION}
 
 ENV KONG_PLUGINS="bundled,jwt-keycloak"
 

Makefile

@@ -1,19 +1,27 @@
+.DEFAULT_GOAL:=all
+
 include makefiles/*.mk
 
 REPOSITORY?=telekom-digioss
 IMAGE?=kong-plugin-jwt-keycloak
-KONG_VERSION?=2.8.3
+KONG_VERSION?=3.4.0
 FULL_IMAGE_NAME:=${REPOSITORY}/${IMAGE}:${KONG_VERSION}
 
-PLUGIN_VERSION?=1.1.0-1
+PLUGIN_VERSION?=1.3.0-1
 
-TEST_VERSIONS?=1.1.3 1.2.3 1.3.1 1.4.3 1.5.1 2.0.5 2.1.4 2.2.0 2.3.2
+# Tests version separated with spaces
+TEST_VERSIONS?=2.8.1 3.0.0 3.1.0 3.2.2 3.3.0
 
 ### Docker ###
 
+default:
+	@echo "!! Running all builds, pulls and startups !!"
+
+all: default helpers-start keycloak-rm kong-stop keycloak-start build kong-restart
+
 build:
 	@echo "Building image ..."
-	docker build --pull -q -t ${FULL_IMAGE_NAME} --build-arg KONG_VERSION=${KONG_VERSION} --build-arg PLUGIN_VERSION=${PLUGIN_VERSION} .
+	docker build --pull -q -t ${FULL_IMAGE_NAME} --build-arg KONG_VERSION=${KONG_VERSION} --build-arg PLUGIN_VERSION=${PLUGIN_VERSION} . --progress=plain --no-cache
 
 run: build
 	docker run -it --rm ${FULL_IMAGE_NAME} kong start --vv
@@ -34,7 +42,7 @@ upload:
 start: kong-db-start kong-start
 restart: kong-stop kong-start
 restart-all: stop start
-stop: kong-stop kong-db-stop
+stop: kong-stop kong-db-stop keycloak-stop keycloak-rm helpers-stop
 
 test-unit: keycloak-start
 	@echo ======================================================================
@@ -47,7 +55,7 @@ test-unit: keycloak-start
 	@echo "Unit tests passed with kong version ${KONG_VERSION}"
 	@echo ======================================================================
 
-test-integration: restart-all sleep keycloak-start
+test-integration: #keycloak-stop keycloak-rm keycloak-start restart-all sleep
 	@echo ======================================================================
 	@echo "Testing kong version ${KONG_VERSION} with ${KONG_DATABASE}"
 	@echo
@@ -64,7 +72,7 @@ test-all: keycloak-start
 	@echo "Starting integration tests for multiple versions"
 	@set -e; for t in  $(TEST_VERSIONS); do \
 		$(MAKE) --no-print-directory test-unit PLUGIN_VERSION=${PLUGIN_VERSION} KONG_VERSION=$$t ; \
-    $(MAKE) --no-print-directory test-integration PLUGIN_VERSION=${PLUGIN_VERSION} KONG_VERSION=$$t KONG_DATABASE=postgres ; \
+        $(MAKE) --no-print-directory test-integration PLUGIN_VERSION=${PLUGIN_VERSION} KONG_VERSION=$$t KONG_DATABASE=postgres ; \
     done
 	@echo "All test successful"
 

README.md

@@ -1,8 +1,18 @@
 <h1>Kong plugin jwt-keycloak</h1>
 
-> **:warning: No longer maintained!**
+> **⚠️ This fork is maintained for a limited set of version combinations**
 > 
-> I will no longer be maintaining this plugin. Thanks for all the positive feedback and interest in this project. Feel free to fork and keep it alive. Cheers!
+> The official author of the plugin no longer maintains it since 24.08.2021  
+> Details see: <https://github.com/gbbirkisson/kong-plugin-jwt-keycloak/blob/master/README.md>
+>
+> We will continue to use this plugin in our project and maintain here this fork for it.  
+> But we do not need backward compatible changes... so we will not test it to be able to work with older versions of kong.
+>
+> Supported version matrix:
+> * kong dependencies of version 2.8.1 .... and higher versions
+> * postgres database of version 12.x ... and higher versions
+> * keycloak versions in the way how redhat-sso contains the versions in their product starting from keycloak 9.0
+
 
 A plugin for the [Kong Microservice API Gateway](https://konghq.com/solutions/gateway/) to validate access tokens issued by [Keycloak](https://www.keycloak.org/). It uses the [Well-Known Uniform Resource Identifiers](https://tools.ietf.org/html/rfc5785) provided by [Keycloak](https://www.keycloak.org/) to load [JWK](https://tools.ietf.org/html/rfc7517) public keys from issuers that are specifically allowed for each endpoint.
 
@@ -44,33 +54,30 @@ If you have any suggestion or comments, please feel free to open an issue on thi
 
 ## Tested and working for
 
-| Kong Version |   Tests passing    |
-| ------------ | :----------------: |
-| 0.13.x       |        :x:         |
-| 0.14.x       |        :x:         |
-| 1.0.x        | :white_check_mark: |
-| 1.1.x        | :white_check_mark: |
-| 1.2.x        | :white_check_mark: |
-| 1.3.x        | :white_check_mark: |
-| 1.4.x        | :white_check_mark: |
-| 1.5.x        | :white_check_mark: |
-| 2.0.x        | :white_check_mark: |
-| 2.1.x        | :white_check_mark: |
-| 2.2.x        | :white_check_mark: |
-| 2.3.x        | :white_check_mark: |
-
-| Keycloak Version |   Tests passing    |
-| ---------------- | :----------------: |
-| 3.X.X            | :white_check_mark: |
-| 4.X.X            | :white_check_mark: |
-| 5.X.X            | :white_check_mark: |
-| 6.X.X            | :white_check_mark: |
-| 7.X.X            | :white_check_mark: |
-| 8.X.X            | :white_check_mark: |
-| 9.X.X            | :white_check_mark: |
-| 10.X.X           | :white_check_mark: |
-| 11.X.X           | :white_check_mark: |
-| 12.X.X           | :white_check_mark: |
+There are a few limitations about testing combinations:
+* Kong only provides a limited set off their lua code on luarocks  
+  <https://luarocks.org/modules/kong/kong>  
+  for this reason currently only these version combinations can be validated
+* Redhat / Jboss / Keycloak provides also not all latest updates of RHSSO base versions of keycloak
+  <https://quay.io/repository/keycloak/keycloak?tab=tags>  
+  For this reason not the latest patch versions on the contained rhsso product versions can be used for testing  
+  <https://access.redhat.com/solutions/3296901>
+
+| Kong Version       |    Tests passing   |
+| ------------------ | :----------------: |
+| 2.8.1              | ✅ |
+| 3.0.0              | ✅ |
+| 3.1.0              | ✅ |
+| 3.2.2              | ✅ |
+| 3.3.0              | ✅ |
+| 3.4.0              | ✅ |
+
+
+| Keycloak Version   |    Tests passing   |
+| ------------------ | :----------------: |
+| 9.0.3  (RHSSO-7.4) | ✅ |
+| 15.0.2 (RHSSO-7.5) | ✅ |
+| 18.0.2 (RHSSO-7.6) | ✖️ [Issue](https://github.com/telekom-digioss/kong-plugin-jwt-keycloak/issues/5) |
 
 ## Installation
 
@@ -85,15 +92,15 @@ luarocks install kong-plugin-jwt-keycloak
 #### Packing the rock
 
 ```bash
-export PLUGIN_VERSION=1.1.0-1
+export PLUGIN_VERSION=1.3.0-1
 luarocks make
 luarocks pack kong-plugin-jwt-keycloak ${PLUGIN_VERSION}
 ```
 
 #### Installing the rock
 
 ```bash
-export PLUGIN_VERSION=1.1.0-1
+export PLUGIN_VERSION=1.3.0-1
 luarocks install jwt-keycloak-${PLUGIN_VERSION}.all.rock
 ```
 
@@ -151,6 +158,7 @@ curl -X POST http://localhost:8001/plugins \
 | config.claims_to_verify                | no      | `exp`             | A list of registered claims (according to [RFC 7519](https://tools.ietf.org/html/rfc7519)) that Kong can verify as well. Accepted values: `exp`, `nbf`.                                                                                                                                                                                                                                  |
 | config.anonymous                       | no      |                   | An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` attribute which is internal to Kong, and not its `custom_id`.                                                                            |
 | config.run_on_preflight                | no      | `true`            | A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests, if set to false then `OPTIONS` requests will always be allowed.                                                                                                                                                                                                  |
+| config.header_names                    | no      | `authorization`   | A list of HTTP header names that Kong will inspect to retrieve JWTs. `OPTIONS` requests will always be allowed.                                                                                                                                                                                                  |
 | config.maximum_expiration              | no      | `0`               | An integer limiting the lifetime of the JWT to `maximum_expiration` seconds in the future. Any JWT that has a longer lifetime will rejected (HTTP 403). If this value is specified, `exp` must be specified as well in the `claims_to_verify` property. The default value of `0` represents an indefinite period. Potential clock skew should be considered when configuring this value. |
 | config.algorithm                       | no      | `RS256`           | The algorithm used to verify the token’s signature. Can be `HS256`, `HS384`, `HS512`, `RS256`, or `ES256`.                                                                                                                                                                                                                                                                               |
 | config.allowed_iss                     | yes     |                   | A list of allowed issuers for this route/service/api. Can be specified as a `string` or as a [Pattern](http://lua-users.org/wiki/PatternsTutorial).                                                                                                                                                                                                                                      |
@@ -171,14 +179,14 @@ Create service and add the plugin to it, and lastly create a route:
 
 ```bash
 curl -X POST http://localhost:8001/services \
-    --data "name=mockbin-echo" \
-    --data "url=http://mockbin.org/echo"
+    --data "name=httpbin-anything" \
+    --data "url=http://localhost:8093/anything"
 
-curl -X POST http://localhost:8001/services/mockbin-echo/plugins \
+curl -X POST http://localhost:8001/services/httpbin-anything/plugins \
     --data "name=jwt-keycloak" \
     --data "config.allowed_iss=http://localhost:8080/auth/realms/master"
 
-curl -X POST http://localhost:8001/services/mockbin-echo/routes \
+curl -X POST http://localhost:8001/services/httpbin-anything/routes \
     --data "paths=/" 
 ```
 

kong-plugin-jwt-keycloak-1.3.0-1.rockspec

@@ -0,0 +1,44 @@
+local plugin_name = "jwt-keycloak"
+local package_name = "kong-plugin-" .. plugin_name
+local package_version = "1.3.0"
+local rockspec_revision = "1"
+
+local github_account_name = "telekom-digioss"
+local github_repo_name = package_name
+local git_checkout = package_version == "dev" and "master" or package_version
+
+
+package = package_name
+version = package_version .. "-" .. rockspec_revision
+supported_platforms = { "linux", "macosx" }
+source = {
+  url = "git+https://github.com/"..github_account_name.."/"..github_repo_name..".git",
+  branch = git_checkout,
+}
+
+
+description = {
+  summary = "A Kong plugin that will validate tokens issued by keycloak",
+  homepage = "https://"..github_account_name..".github.io/"..github_repo_name,
+  license = "Apache 2.0",
+}
+
+
+dependencies = {
+  "lua ~> 5"
+}
+
+
+build = {
+  type = "builtin",
+  modules = {
+    -- TODO: add any additional code files added to the plugin
+    ["kong.plugins."..plugin_name..".handler"]            = "src/handler.lua",
+    ["kong.plugins."..plugin_name..".schema"]             = "src/schema.lua",
+    ["kong.plugins."..plugin_name..".keycloak_keys"]      = "src/keycloak_keys.lua",
+    ["kong.plugins."..plugin_name..".key_conversion"]     = "src/key_conversion.lua",
+    ["kong.plugins."..plugin_name..".validators.issuers"] = "src/validators/issuers.lua",
+    ["kong.plugins."..plugin_name..".validators.roles"]   = "src/validators/roles.lua",
+    ["kong.plugins."..plugin_name..".validators.scope"]   = "src/validators/scope.lua",
+  }
+}

luarocks.Dockerfile

@@ -1,4 +1,4 @@
-FROM kong:2.8.3 as builder
+FROM kong:3.1.0 as builder
 
 USER root
 
@@ -9,7 +9,7 @@ RUN apk add --no-cache git zip && \
     luarocks install ${LUAROCKS_MODULE} && \
     luarocks pack ${LUAROCKS_MODULE}
 
-FROM kong:2.8.3
+FROM kong:3.1.0
 
 USER root
 

makefiles/helpers.mk

@@ -0,0 +1,31 @@
+HTTPBIN_IMAGE:=docker.io/kennethreitz/httpbin
+HTTPBIN_CONTAINER_NAME:=kong_test_httpbin
+HTTPBIN_PORT:=8093
+
+PGADMIN_IMAGE:=docker.io/dpage/pgadmin4:7.5
+PGADMIN_CONTAINER_NAME:=kong_test_pgadmin6
+PGADMIN_PORT:=5050
+PGADMIN_DEFAULT_EMAIL=pgadmin@subdomain.domain
+PGADMIN_DEFAULT_PASSWORD=pgadmin
+
+helpers-start:
+	@echo "Starting Helpers ..."
+	@docker start ${HTTPBIN_CONTAINER_NAME} || docker run -d \
+	--name ${HTTPBIN_CONTAINER_NAME} \
+	-p ${HTTPBIN_PORT}:80 \
+	${HTTPBIN_IMAGE}
+	@docker start ${PGADMIN_CONTAINER_NAME} || docker run -d \
+	--name ${PGADMIN_CONTAINER_NAME} \
+	--net host \
+	-e "PGADMIN_DEFAULT_EMAIL=${PGADMIN_DEFAULT_EMAIL}" \
+	-e "PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD}" \
+	-e "PGADMIN_CONFIG_DEBUG=True" \
+	-e "PGADMIN_LISTEN_PORT=${PGADMIN_DEFAULT_PASSWORD}" \
+	${PGADMIN_IMAGE}
+
+helpers-stop:
+	@echo "Stopping Helpers ..."
+	- @docker stop ${HTTPBIN_CONTAINER_NAME}
+	- @docker rm ${HTTPBIN_CONTAINER_NAME}
+	- @docker stop ${PGADMIN_CONTAINER_NAME}
+	- @docker rm ${PGADMIN_CONTAINER_NAME}

makefiles/keycloak.mk

@@ -1,5 +1,6 @@
-KEYCLOAK_IMAGE:=jboss/keycloak:12.0.2
-KEYCLOAK_CONTAINER_NAME:=kc_local
+KEYCLOAK_IMAGE:=quay.io/keycloak/keycloak:15.0.2
+# KEYCLOAK_IMAGE:=quay.io/keycloak/keycloak:18.0.2 #--> Look deeper. There is a problem wir keycloak key rotation test results
+KEYCLOAK_CONTAINER_NAME:=kong_test_keycloack
 KEYCLOAK_PORT:=8080
 KEYCLOAK_ADMIN_USER:=admin
 KEYCLOAK_ADMIN_PASS:=admin
@@ -11,7 +12,10 @@ keycloak-start:
 	-p ${KEYCLOAK_PORT}:8080 \
 	-e KEYCLOAK_USER=${KEYCLOAK_ADMIN_USER} \
 	-e KEYCLOAK_PASSWORD=${KEYCLOAK_ADMIN_PASS} \
+	-e KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN_USER} \
+	-e KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASS} \
 	${KEYCLOAK_IMAGE}
+    # start-dev --http-relative-path /auth # needed starting from keycloak 18
 	@bash -c 'while ! timeout 1 bash -c "echo > /dev/tcp/localhost/8080"; do sleep 1; done'
 
 keycloak-stop:
@@ -21,3 +25,9 @@ keycloak-stop:
 keycloak-rm: keycloak-stop
 	@echo "Removing Keycloak"
 	- @docker rm ${KEYCLOAK_CONTAINER_NAME}
+
+keycloak-restart: keycloak-rm keycloak-start
+	@echo "Restarted Keycloak..."
+
+keycloak-logs:
+	- @docker logs --follow ${KEYCLOAK_CONTAINER_NAME}