This is an automated email from the ASF dual-hosted git repository.
spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 1917631c1 fix(authz-keycloak): add missing path for
access_denied_redirect_uri (#6794)
1917631c1 is described below
commit 1917631c142311ba04a63aa02bf3581619a599d1
Author: 罗泽轩 <[email protected]>
AuthorDate: Thu Apr 7 08:59:02 2022 +0800
fix(authz-keycloak): add missing path for access_denied_redirect_uri (#6794)
---
apisix/plugins/authz-keycloak.lua | 5 ++
t/plugin/authz-keycloak3.t | 108 ++++++++++++++++++++++++++++++++++++++
2 files changed, 113 insertions(+)
diff --git a/apisix/plugins/authz-keycloak.lua
b/apisix/plugins/authz-keycloak.lua
index 25902e157..85bfe19a6 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -671,6 +671,11 @@ local function evaluate_permissions(conf, ctx, token)
if res.status == 403 then
-- Request permanently denied, e.g. due to lacking permissions.
log.debug('Request denied: HTTP 403 Forbidden. Body: ', res.body)
+ if conf.access_denied_redirect_uri then
+ core.response.set_header("Location",
conf.access_denied_redirect_uri)
+ return 307
+ end
+
return res.status, res.body
elseif res.status == 401 then
-- Request temporarily denied, e.g access token not valid.
diff --git a/t/plugin/authz-keycloak3.t b/t/plugin/authz-keycloak3.t
new file mode 100644
index 000000000..a198fb8f8
--- /dev/null
+++ b/t/plugin/authz-keycloak3.t
@@ -0,0 +1,108 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ if (!$block->request) {
+ $block->set_value("request", "GET /t");
+ }
+
+ if (!$block->error_log && !$block->no_error_log) {
+ $block->set_value("no_error_log", "[error]\n[alert]");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: access_denied_redirect_uri works with request denied in
token_endpoint
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "authz-keycloak": {
+ "token_endpoint":
"http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token";,
+ "access_denied_redirect_uri":
"http://127.0.0.1/test";,
+ "permissions": ["course_resource#delete"],
+ "client_id": "course_management",
+ "grant_type":
"urn:ietf:params:oauth:grant-type:uma-ticket",
+ "timeout": 3000
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1982": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello1"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 2: hit
+--- config
+ location /t {
+ content_by_lua_block {
+ local json_decode = require("toolkit.json").decode
+ local http = require "resty.http"
+ local httpc = http.new()
+ local uri =
"http://127.0.0.1:8090/auth/realms/University/protocol/openid-connect/token";
+ local res, err = httpc:request_uri(uri, {
+ method = "POST",
+ body =
"grant_type=password&client_id=course_management&client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5&[email protected]&password=123456",
+ headers = {
+ ["Content-Type"] = "application/x-www-form-urlencoded"
+ }
+ })
+
+ if res.status == 200 then
+ local body = json_decode(res.body)
+ local accessToken = body["access_token"]
+ uri = "http://127.0.0.1:"; .. ngx.var.server_port .. "/hello1"
+ local res, err = httpc:request_uri(uri, {
+ method = "GET",
+ headers = {
+ ["Authorization"] = "Bearer " .. accessToken,
+ }
+ })
+
+ ngx.status = res.status
+ ngx.header["Location"] = res.headers["Location"]
+ end
+ }
+ }
+--- error_code: 307
+--- response_headers
+Location: http://127.0.0.1/test
