appman-agm · PeeraJ · Jul 12, 2022 · Jun 3, 2021 · Aug 20, 2021 · Aug 20, 2021
diff --git a/.env b/.env
@@ -2,10 +2,9 @@ BUILD_IMG_NAME=nokia/kong-oidc
 INTEGRATION_PATH=test/docker/integration
 UNIT_PATH=test/docker/unit
 
-
-KONG_BASE_TAG=:2.2.1-centos
+KONG_BASE_TAG=:2.8.0-ubuntu
 KONG_TAG=
-KONG_DB_TAG=:12
+KONG_DB_TAG=:14
 KONG_DB_PORT=5432
 KONG_DB_USER=kong
 KONG_DB_PW=kong
@@ -14,7 +13,7 @@ KONG_SESSION_STORE_PORT=6379
 KONG_HTTP_PROXY_PORT=8000
 KONG_HTTP_ADMIN_PORT=8001
 
-KEYCLOAK_TAG=:4.8.3.Final
+KEYCLOAK_TAG=:16.1.1
 KEYCLOAK_PORT=8081
 KEYCLOAK_USER=admin
 KEYCLOAK_PW=password
diff --git a/kong-oidc-1.2.3-1.rockspec → kong-oidc-1.2.4-4.rockspec b/kong-oidc-1.2.3-1.rockspec → kong-oidc-1.2.4-4.rockspec
@@ -1,5 +1,5 @@
 package = "kong-oidc"
-version = "1.2.3-1"
+version = "1.2.4-4"
 source = {
     url = "git://github.com/revomatico/kong-oidc",
     tag = "master",
@@ -22,7 +22,7 @@ description = {
     license = "Apache 2.0"
 }
 dependencies = {
-    "lua-resty-openidc ~> 1.7.4-1"
+    "lua-resty-openidc ~> 1.7.5-1"
 }
 build = {
     type = "builtin",

diff --git a/kong/plugins/oidc/handler.lua b/kong/plugins/oidc/handler.lua
@@ -104,13 +104,13 @@ function make_oidc(oidcConfig)
 
   if err then
     if err == 'unauthorized request' then
-      utils.exit(ngx.HTTP_UNAUTHORIZED, err, ngx.HTTP_UNAUTHORIZED)
+      return kong.response.error(ngx.HTTP_UNAUTHORIZED)
     else
       if oidcConfig.recovery_page_path then
     	  ngx.log(ngx.DEBUG, "Redirecting to recovery page: " .. oidcConfig.recovery_page_path)
         ngx.redirect(oidcConfig.recovery_page_path)
       end
-      utils.exit(ngx.HTTP_INTERNAL_SERVER_ERROR, err, ngx.HTTP_INTERNAL_SERVER_ERROR)
+      return kong.response.error(ngx.HTTP_INTERNAL_SERVER_ERROR)
     end
   end
   return res
@@ -127,10 +127,25 @@ function introspect(oidcConfig)
     if err then
       if oidcConfig.bearer_only == "yes" then
         ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. oidcConfig.realm .. '",error="' .. err .. '"'
-        utils.exit(ngx.HTTP_UNAUTHORIZED, err, ngx.HTTP_UNAUTHORIZED)
+        return kong.response.error(ngx.HTTP_UNAUTHORIZED)
       end
       return nil
     end
+    if oidcConfig.validate_scope == "yes" then
+      local validScope = false
+      if res.scope then
+        for scope in res.scope:gmatch("([^ ]+)") do
+          if scope == oidcConfig.scope then
+            validScope = true
+            break
+          end
+        end
+      end
+      if not validScope then
+        kong.log.err("Scope validation failed")
+        return kong.response.error(ngx.HTTP_FORBIDDEN)
+      end
+    end
     ngx.log(ngx.DEBUG, "OidcHandler introspect succeeded, requested path: " .. ngx.var.request_uri)
     return res
   end

diff --git a/kong/plugins/oidc/schema.lua b/kong/plugins/oidc/schema.lua
@@ -5,12 +5,14 @@ return {
     client_secret = { type = "string", required = true },
     discovery = { type = "string", required = true, default = "https://.well-known/openid-configuration" },
     introspection_endpoint = { type = "string", required = false },
-    timeout = { type = "number", required = false },
     introspection_endpoint_auth_method = { type = "string", required = false },
+    introspection_cache_ignore = { type = "string", required = true, default = "no" },
+    timeout = { type = "number", required = false },
     bearer_only = { type = "string", required = true, default = "no" },
     realm = { type = "string", required = true, default = "kong" },
     redirect_uri = { type = "string" },
     scope = { type = "string", required = true, default = "openid" },
+    validate_scope = { type = "string", required = true, default = "no" },
     response_type = { type = "string", required = true, default = "code" },
     ssl_verify = { type = "string", required = true, default = "no" },
     use_jwks = { type = "string", required = true, default = "no" },

diff --git a/kong/plugins/oidc/session.lua b/kong/plugins/oidc/session.lua
@@ -6,7 +6,8 @@ function M.configure(config)
   if config.session_secret then
     local decoded_session_secret = ngx.decode_base64(config.session_secret)
     if not decoded_session_secret then
-      utils.exit(500, "invalid OIDC plugin configuration, session secret could not be decoded", ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR))
+      kong.log.err("Invalid plugin configuration, session secret could not be decoded")
+      return kong.response.error(ngx.HTTP_INTERNAL_SERVER_ERROR)
     end
     ngx.var.session_secret = decoded_session_secret
   end

diff --git a/kong/plugins/oidc/utils.lua b/kong/plugins/oidc/utils.lua
@@ -50,12 +50,14 @@ function M.get_options(config, ngx)
     client_secret = config.client_secret,
     discovery = config.discovery,
     introspection_endpoint = config.introspection_endpoint,
-    timeout = config.timeout,
     introspection_endpoint_auth_method = config.introspection_endpoint_auth_method,
+    introspection_cache_ignore = config.introspection_cache_ignore,
+    timeout = config.timeout,
     bearer_only = config.bearer_only,
     realm = config.realm,
     redirect_uri = config.redirect_uri or M.get_redirect_uri(ngx),
     scope = config.scope,
+    validate_scope = config.validate_scope,
     response_type = config.response_type,
     ssl_verify = config.ssl_verify,
     use_jwks = config.use_jwks,
@@ -82,13 +84,6 @@ function M.get_options(config, ngx)
   }
 end
 
-function M.exit(httpStatusCode, message, ngxCode)
-  ngx.status = httpStatusCode
-  ngx.say(message)
-  ngx.exit(ngxCode)
-end
-
-
 -- Function set_consumer is derived from the following kong auth plugins:
 -- https://github.com/Kong/kong/blob/2.2.0/kong/plugins/ldap-auth/access.lua
 -- https://github.com/Kong/kong/blob/2.2.0/kong/plugins/oauth2/access.lua
@@ -97,39 +92,36 @@ end
 local function set_consumer(consumer, credential)
   kong.client.authenticate(consumer, credential)
 
-  local set_header = kong.service.request.set_header
-  local clear_header = kong.service.request.clear_header
-
   if consumer and consumer.id then
-    set_header(constants.HEADERS.CONSUMER_ID, consumer.id)
+    kong.service.request.set_header(constants.HEADERS.CONSUMER_ID, consumer.id)
   else
-    clear_header(constants.HEADERS.CONSUMER_ID)
+    kong.service.request.clear_header(constants.HEADERS.CONSUMER_ID)
   end
 
   if consumer and consumer.custom_id then
-    set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
+    kong.service.request.set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
   else
-    clear_header(constants.HEADERS.CONSUMER_CUSTOM_ID)
+    kong.service.request.clear_header(constants.HEADERS.CONSUMER_CUSTOM_ID)
   end
 
   if consumer and consumer.username then
-    set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
+    kong.service.request.set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
   else
-    clear_header(constants.HEADERS.CONSUMER_USERNAME)
+    kong.service.request.clear_header(constants.HEADERS.CONSUMER_USERNAME)
   end
 
   if credential and credential.sub then
-    set_header(constants.HEADERS.CREDENTIAL_IDENTIFIER, credential.sub)
+    kong.service.request.set_header(constants.HEADERS.CREDENTIAL_IDENTIFIER, credential.sub)
   else
-    clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
+    kong.service.request.clear_header(constants.HEADERS.CREDENTIAL_IDENTIFIER)
   end
 
-  clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
+  kong.service.request.clear_header(constants.HEADERS.CREDENTIAL_USERNAME)
 
   if credential then
-    clear_header(constants.HEADERS.ANONYMOUS)
+    kong.service.request.clear_header(constants.HEADERS.ANONYMOUS)
   else
-    set_header(constants.HEADERS.ANONYMOUS, true)
+    kong.service.request.set_header(constants.HEADERS.ANONYMOUS, true)
   end
 end
 
@@ -139,13 +131,13 @@ function M.injectAccessToken(accessToken, headerName, bearerToken)
   if (bearerToken) then
     token = formatAsBearerToken(token)
   end
-  ngx.req.set_header(headerName, token)
+  kong.service.request.set_header(headerName, token)
 end
 
 function M.injectIDToken(idToken, headerName)
   ngx.log(ngx.DEBUG, "Injecting " .. headerName)
   local tokenStr = cjson.encode(idToken)
-  ngx.req.set_header(headerName, ngx.encode_base64(tokenStr))
+  kong.service.request.set_header(headerName, ngx.encode_base64(tokenStr))
 end
 
 function M.setCredentials(user)
@@ -158,7 +150,7 @@ end
 function M.injectUser(user, headerName)
   ngx.log(ngx.DEBUG, "Injecting " .. headerName)
   local userinfo = cjson.encode(user)
-  ngx.req.set_header(headerName, ngx.encode_base64(userinfo))
+  kong.service.request.set_header(headerName, ngx.encode_base64(userinfo))
 end
 
 function M.injectGroups(user, claim)

diff --git a/test/docker/integration/Dockerfile b/test/docker/integration/Dockerfile
@@ -7,12 +7,13 @@ ENV LUA_PATH /usr/local/share/lua/5.1/?.lua;/usr/local/kong-oidc/?.lua;;
 ENV LUA_CPATH /usr/local/lib/lua/5.1/?.so;;
 
 # Install unzip for luarocks, gcc for lua-cjson
-RUN yum install -y unzip gcc curl 
+RUN apt update && apt install -y unzip gcc curl
 RUN luarocks install luacov
 RUN luarocks install luaunit
 RUN luarocks install lua-cjson
+RUN luarocks install luaossl OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong
 
 # Change openidc version when version in rockspec changes
-RUN luarocks install lua-resty-openidc 1.7.4-1
+RUN luarocks install lua-resty-openidc 1.7.5-1
 
 COPY . /usr/local/kong-oidc
diff --git a/test/docker/unit/Dockerfile b/test/docker/unit/Dockerfile
@@ -1,16 +1,20 @@
 ARG KONG_BASE_TAG
 FROM kong${KONG_BASE_TAG}
 USER root
+
 ENV LUA_PATH /usr/local/share/lua/5.1/?.lua;/usr/local/kong-oidc/?.lua
 # For lua-cjson
 ENV LUA_CPATH /usr/local/lib/lua/5.1/?.so
 
 # Install unzip for luarocks, gcc for lua-cjson
-RUN echo "ip_resolve=4" >> /etc/yum.conf && yum install -y unzip gcc
-# Change openidc version when version in rockspec changes
-RUN luarocks install lua-resty-openidc 1.7.4-1
+RUN apt update && apt install -y unzip gcc curl
 RUN luarocks install luacov
 RUN luarocks install luaunit
+RUN luarocks install lua-cjson
+RUN luarocks install luaossl OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong
+
+# Change openidc version when version in rockspec changes
+RUN luarocks install lua-resty-openidc 1.7.5-1
 
 WORKDIR /usr/local/kong-oidc
 

diff --git a/test/unit/mockable_case.lua b/test/unit/mockable_case.lua
@@ -9,6 +9,8 @@ function MockableCase:setUp()
     DEBUG = "debug",
     ERR = "error",
     HTTP_UNAUTHORIZED = 401,
+    HTTP_FORBIDDEN = 403,
+    HTTP_INTERNAL_SERVER_ERROR = 500,
     ctx = {},
     header = {},
     var = {request_uri = "/"},
@@ -44,6 +46,11 @@ function MockableCase:setUp()
         set_header = function(...) end
       }
     },
+    response = {
+      error = function(status)
+        ngx.status = status
+      end
+    },
     log = {
       err = function(...) end
     },