shreemaan-abhishek commented on code in PR #11090:
URL: https://github.com/apache/apisix/pull/11090#discussion_r1556901813


##########
t/plugin/openid-connect6.t:
##########
@@ -155,3 +155,213 @@ passed
     }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "openid-connect": {
+                                "client_id": "course_management",
+                                "client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+                                "discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+                                "redirect_uri": "http://localhost:3000";,
+                                "ssl_verify": false,
+                                "timeout": 10,
+                                "bearer_only": true,
+                                "realm": "University",
+                                "introspection_endpoint_auth_method": 
"client_secret_post",
+                                "introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+                                "introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 5: Obtain valid token and access route with it, introspection work as 
expected when configured extras headers.
+--- config
+    location /t {
+        content_by_lua_block {
+            -- Obtain valid access token from Keycloak using known username 
and password.
+            local json_decode = require("toolkit.json").decode
+            local http = require "resty.http"
+            local httpc = http.new()
+            local uri = 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token";
+            local res, err = httpc:request_uri(uri, {
+                    method = "POST",
+                    body = 
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&[email protected]&password=123456",
+                    headers = {
+                        ["Content-Type"] = "application/x-www-form-urlencoded"
+                    }
+                })
+
+            -- Check response from keycloak and fail quickly if there's no 
response.
+            if not res then
+                ngx.say(err)
+                return
+            end
+
+            -- Check if response code was ok.
+            if res.status == 200 then
+                -- Get access token from JSON response body.
+                local body = json_decode(res.body)
+                local accessToken = body["access_token"]
+
+                -- Access route using access token. Should work.
+                uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+                local res, err = httpc:request_uri(uri, {
+                    method = "GET",
+                    headers = {
+                        ["Authorization"] = "Bearer " .. body["access_token"],
+                        ["X-Addon-Header-A"] = "Value-A",
+                        ["X-Addon-Header-B"] = "Value-b"
+                    }
+                 })
+
+                if res.status == 200 then
+                    -- Route accessed successfully.
+                    ngx.say(true)
+                else
+                    -- Couldn't access route.
+                    ngx.say(false)
+                end
+            else
+                -- Response from Keycloak not ok.
+                ngx.say(false)
+            end
+        }
+    }
+--- response_body
+true
+--- grep_error_log eval
+qr/token validate successfully by \w+/
+--- grep_error_log_out
+token validate successfully by introspection
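Review bot: In TEST 5 the second `httpc:request_uri` call is followed directly by `if res.status == 200 then`, so a failed request (nil `res`) raises a Lua error instead of reporting the cause. The first call is guarded by `if not res then`, and the second should get the same guard, e.g. `if not res then ngx.say(err) return end`. The inner `local res, err` also shadows the outer pair, and `accessToken` is assigned but never used because the header is built from `body["access_token"]`; use the local or drop it. The same lines recur in the two later quoted copies of this hunk, and TEST 6 in the last copy has the same unguarded `res.status`.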

Review Comment:
   I think we can check this just like so:
   
   ```perl
   --- error_log
   token validate successfully by introspection
   ```



##########
t/plugin/openid-connect6.t:
##########
@@ -155,3 +155,213 @@ passed
     }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "openid-connect": {
+                                "client_id": "course_management",
+                                "client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+                                "discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+                                "redirect_uri": "http://localhost:3000";,
+                                "ssl_verify": false,
+                                "timeout": 10,
+                                "bearer_only": true,
+                                "realm": "University",
+                                "introspection_endpoint_auth_method": 
"client_secret_post",
+                                "introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+                                "introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 5: Obtain valid token and access route with it, introspection work as 
expected when configured extras headers.
+--- config
+    location /t {
+        content_by_lua_block {
+            -- Obtain valid access token from Keycloak using known username 
and password.
+            local json_decode = require("toolkit.json").decode
+            local http = require "resty.http"
+            local httpc = http.new()
+            local uri = 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token";
+            local res, err = httpc:request_uri(uri, {
+                    method = "POST",
+                    body = 
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&[email protected]&password=123456",
+                    headers = {
+                        ["Content-Type"] = "application/x-www-form-urlencoded"
+                    }
+                })
+
+            -- Check response from keycloak and fail quickly if there's no 
response.
+            if not res then
+                ngx.say(err)
+                return
+            end
+
+            -- Check if response code was ok.
+            if res.status == 200 then
+                -- Get access token from JSON response body.
+                local body = json_decode(res.body)
+                local accessToken = body["access_token"]
+
+                -- Access route using access token. Should work.
+                uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+                local res, err = httpc:request_uri(uri, {
+                    method = "GET",
+                    headers = {
+                        ["Authorization"] = "Bearer " .. body["access_token"],
+                        ["X-Addon-Header-A"] = "Value-A",
+                        ["X-Addon-Header-B"] = "Value-b"
+                    }
+                 })
+
+                if res.status == 200 then
+                    -- Route accessed successfully.
+                    ngx.say(true)
+                else
+                    -- Couldn't access route.
+                    ngx.say(false)
+                end
+            else
+                -- Response from Keycloak not ok.
+                ngx.say(false)
+            end
+        }
+    }
+--- response_body
+true
+--- grep_error_log eval
+qr/token validate successfully by \w+/
+--- grep_error_log_out
+token validate successfully by introspection
+
+
+
+=== TEST 6: Access route with an invalid token, should work as expected too.

Review Comment:
   ```suggestion
   === TEST 6: Access route with an invalid token, should fail
   ```



##########
t/plugin/openid-connect6.t:
##########
@@ -155,3 +155,213 @@ passed
     }
 --- response_body
 passed
+
+
+
+=== TEST 4: Update route with Keycloak introspection endpoint and 
introspection addon headers.
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "openid-connect": {
+                                "client_id": "course_management",
+                                "client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+                                "discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+                                "redirect_uri": "http://localhost:3000";,
+                                "ssl_verify": false,
+                                "timeout": 10,
+                                "bearer_only": true,
+                                "realm": "University",
+                                "introspection_endpoint_auth_method": 
"client_secret_post",
+                                "introspection_endpoint": 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token/introspect";,
+                                "introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 5: Obtain valid token and access route with it, introspection work as 
expected when configured extras headers.
+--- config
+    location /t {
+        content_by_lua_block {
+            -- Obtain valid access token from Keycloak using known username 
and password.
+            local json_decode = require("toolkit.json").decode
+            local http = require "resty.http"
+            local httpc = http.new()
+            local uri = 
"http://127.0.0.1:8080/realms/University/protocol/openid-connect/token";
+            local res, err = httpc:request_uri(uri, {
+                    method = "POST",
+                    body = 
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&[email protected]&password=123456",
+                    headers = {
+                        ["Content-Type"] = "application/x-www-form-urlencoded"
+                    }
+                })
+
+            -- Check response from keycloak and fail quickly if there's no 
response.
+            if not res then
+                ngx.say(err)
+                return
+            end
+
+            -- Check if response code was ok.
+            if res.status == 200 then
+                -- Get access token from JSON response body.
+                local body = json_decode(res.body)
+                local accessToken = body["access_token"]
+
+                -- Access route using access token. Should work.
+                uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+                local res, err = httpc:request_uri(uri, {
+                    method = "GET",
+                    headers = {
+                        ["Authorization"] = "Bearer " .. body["access_token"],
+                        ["X-Addon-Header-A"] = "Value-A",
+                        ["X-Addon-Header-B"] = "Value-b"
+                    }
+                 })
+
+                if res.status == 200 then
+                    -- Route accessed successfully.
+                    ngx.say(true)
+                else
+                    -- Couldn't access route.
+                    ngx.say(false)
+                end
+            else
+                -- Response from Keycloak not ok.
+                ngx.say(false)
+            end
+        }
+    }
+--- response_body
+true
+--- grep_error_log eval
+qr/token validate successfully by \w+/
+--- grep_error_log_out
+token validate successfully by introspection
+
+
+
+=== TEST 6: Access route with an invalid token, should work as expected too.
+--- config
+    location /t {
+        content_by_lua_block {
+            -- Access route using a fake access token.
+            local http = require "resty.http"
+            local httpc = http.new()
+            local uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello"
+            local res, err = httpc:request_uri(uri, {
+                method = "GET",
+                headers = {
+                    ["Authorization"] = "Bearer " .. "fake access token",
+                    ["X-Addon-Header-A"] = "Value-A",
+                    ["X-Addon-Header-B"] = "Value-b"
+                }
+             })
+
+            if res.status == 200 then
+                ngx.say(true)
+            else
+                ngx.say(false)
+            end
+        }
+    }
+--- response_body
+false
+--- error_log
+OIDC introspection failed: invalid token
+
+
+
+=== TEST 7: Update route with fake Keycloak introspection endpoint and 
introspection addon headers
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "openid-connect": {
+                                "client_id": "course_management",
+                                "client_secret": 
"d1ec69e9-55d2-4109-a3ea-befa071579d5",
+                                "discovery": 
"http://127.0.0.1:8080/realms/University/.well-known/openid-configuration";,
+                                "redirect_uri": "http://localhost:3000";,
+                                "ssl_verify": false,
+                                "timeout": 10,
+                                "bearer_only": true,
+                                "realm": "University",
+                                "introspection_endpoint_auth_method": 
"client_secret_post",
+                                "introspection_endpoint": 
"http://127.0.0.1:1980/log_request";,
+                                "introspection_addon_headers": 
["X-Addon-Header-A", "X-Addon-Header-B"]
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1980": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/hello"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 8: Check http headers from fake introspection endpoint.
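Review bot: TEST 6 prints `false` for every non-200 status, so a 404 or 500 from the route would produce the expected body just as an authentication rejection does. A negative auth test is stronger when it pins the rejection code: print `ngx.say(res.status)` and expect the status the plugin returns for a failed introspection (presumably 401 with `bearer_only` set; confirm against the plugin). The `error_log` line shows that introspection failed but not that the request was refused with the right status. The quoted hunk stops at the TEST 8 title, so that test's body is not visible here.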

Review Comment:
   I don't understand what's happening in this test.


