3scale · mikz · Mar 16, 2017 · Jan 18, 2017 · Jan 20, 2017 · Jan 27, 2017
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 - Ability to customize main section of nginx configuration (and expose more env variables) [PR #292](https://github.com/3scale/apicast/pull/292)
 - Ability to lock service to specific configuration version [PR #293](https://github.com/3scale/apicast/pull/292)
 - Ability to use Redis DB and password via `REDIS_URL` [PR #303](https://github.com/3scale/apicast/pull/303)
+- Ability to Authenticate against API using RHSSO and OpenID Connect [PR #283](https://github.com/3scale/apicast/pull/283)
 
 ### Removed
 

@@ -4,7 +4,8 @@ version = '0.1-0'
 dependencies = {
   'lua-resty-http == 0.09-0',
   'inspect == 3.1.0-1',
-  'router == 2.1-0'
+  'router == 2.1-0',
+  'lua-resty-jwt == 0.1.9-0'
 }
 build = {
    type = "builtin",

@@ -118,11 +118,23 @@ location = /_threescale/check_credentials {
 
 location = /threescale_oauth_authrep {
   internal;
+
+  set_by_lua_block $log {
+    local log = ngx.var.arg_log;
+    if log then return '&' .. ngx.unescape_uri(log) end
+  }
+  set $path /transactions/oauth_authrep.xml?$backend_authentication_type=$backend_authentication_value&service_id=$service_id&$usage&$credentials$log;
+  proxy_pass_request_headers off;
+  proxy_http_version 1.1;
+  proxy_pass $backend_endpoint$path;
   proxy_set_header  Host  "$backend_host";
   proxy_set_header  User-Agent "$user_agent";
   proxy_set_header  X-3scale-User-Agent "$deployment";
   proxy_set_header  X-3scale-Version "$version";
+  proxy_set_header  Connection "";
   proxy_set_header  X-3scale-OAuth2-Grant-Type "authorization_code";
 
-  proxy_pass $backend_endpoint/transactions/oauth_authrep.xml?$backend_authentication_type=$backend_authentication_value&service_id=$service_id&$usage&$credentials&log%5Bcode%5D=$arg_code&log%5Brequest%5D=$arg_req&log%5Bresponse%5D=$arg_resp;
+  rewrite_by_lua_block {
+    ngx.var.real_url = ngx.var.backend_endpoint .. ngx.var.path
+  }
 }
@@ -3,6 +3,7 @@ env REDIS_PORT;
 env REDIS_URL;
 env RESOLVER;
 env BACKEND_ENDPOINT_OVERRIDE;
+env RHSSO_ENDPOINT;
 
 include ../main.d/*.conf;
 

@@ -0,0 +1,11 @@
+#!/usr/bin/env resty
+
+pcall(require, 'luarocks.loader')
+package.path = package.path .. ";./src/?.lua"
+
+local keycloak = require 'oauth.keycloak'
+local cjson = require 'cjson'
+
+local config = keycloak.load_configuration()
+
+ngx.say(cjson.encode(config))
@@ -7,6 +7,8 @@ local remote_loader_v2 = require 'configuration_loader.remote_v2'
 local util = require 'util'
 local env = require('resty.env')
 local synchronization = require('resty.synchronization').new(1)
+local keycloak = require 'oauth.keycloak'
+local cjson = require 'cjson'
 
 local error = error
 local len = string.len
@@ -65,9 +67,9 @@ end
 
 -- Cosocket API is not available in the init_by_lua* context (see more here: https://github.com/openresty/lua-nginx-module#cosockets-not-available-everywhere)
 -- For this reason a new process needs to be started to download the configuration through 3scale API
-function _M.init(cwd)
+function _M.init(cwd, cmd)
   cwd = cwd or env.get('TEST_NGINX_APICAST_PATH') or ngx.config.prefix()
-  local config, err, code = util.system("cd '" .. cwd .."' && libexec/boot")
+  local config, err, code = util.system("cd '" .. cwd .."' && libexec/"..(cmd or "boot"))
 
   -- Try to read the file in current working directory before changing to the prefix.
   if err then config = file_loader.call() end
@@ -105,6 +107,12 @@ function boot.init(configuration)
     ngx.log(ngx.EMERG, 'cache is off, cannot store configuration, exiting')
     os.exit(0)
   end
+
+  local keycloak_config = _M.init(nil, "keycloak")
+
+  if keycloak_config then
+    configuration.keycloak = cjson.decode(keycloak_config)
+  end
 end
 
 local function refresh_configuration(configuration)
@@ -121,6 +129,8 @@ end
 function boot.init_worker(configuration)
   local interval = ttl() or 0
 
+  configuration.keycloak = keycloak.load_configuration()
+
   local function schedule(...)
     local ok, err = ngx.timer.at(...)
 
@@ -156,6 +166,12 @@ end
 local lazy = { init_worker = noop }
 
 function lazy.init(configuration)
+  local keycloak_config = _M.init(nil, "keycloak")
+
+  if keycloak_config then
+    configuration.keycloak = cjson.decode(keycloak_config)
+  end
+
   configuration.configured = true
 end
 
@@ -174,6 +190,8 @@ function lazy.rewrite(configuration, host)
     _M.configure(configuration, config)
   end
 
+  configuration.keycloak = keycloak.load_configuration()
+
   if ok then
     synchronization:release(host)
     sema:post()

@@ -1,30 +1,36 @@
-local get_token = require 'get_token'
-local callback = require 'authorized_callback'
-local authorize = require 'authorize'
-
 local router = require 'router'
+local apicast_oauth = require 'oauth.apicast_oauth'
+local keycloak = require 'oauth.keycloak'
 
 local _M = {
-  version = '0.0.1'
+  _VERSION = '0.0.2'
 }
 
-function _M.router()
-  -- TODO: use configuration to customize urls
-  local r = router:new()
+function _M.new(configuration)
+  if configuration.keycloak then
+    ngx.log(ngx.INFO, "keycloak configured")
+    return keycloak.new(configuration.keycloak)
+  else
+    return apicast_oauth.new()
+  end
+end
 
-  r:get('/authorize', authorize.call)
-  r:post('/authorize', authorize.call)
+function _M.router(oauth, service)
+  local r = router:new()
+  r:get('/authorize', function() oauth:authorize(service) end)
+  r:post('/authorize', function() oauth:authorize(service) end)
 
-  r:post('/callback', callback.call)
-  r:get('/callback', callback.call)
+  -- TODO: only applies to apicast oauth...
+  r:post('/callback', function() oauth:callback() end)
+  r:get('/callback', function() oauth:callback() end)
 
-  r:post('/oauth/token', get_token.call)
+  r:post('/oauth/token', function() oauth:get_token(service) end)
 
   return r
 end
 
-function _M.call(method, uri, ...)
-  local r = _M.router()
+function _M.call(oauth, service, method, uri, ...)
+  local r = _M.router(oauth, service)
 
   local f, params = r:resolve(method or ngx.req.get_method(),
     uri or ngx.var.uri,
@@ -34,5 +40,3 @@ function _M.call(method, uri, ...)
 end
 
 return _M
-
-
@@ -0,0 +1,26 @@
+local get_token = require 'oauth.apicast_oauth.get_token'
+local callback = require 'oauth.apicast_oauth.authorized_callback'
+local authorize = require 'oauth.apicast_oauth.authorize'
+local setmetatable = setmetatable
+
+local _M = {
+  _VERSION = '0.1'
+}
+
+local mt = { __index = _M }
+
+function _M.new(service)
+  return setmetatable(
+    {
+      authorize = authorize.call,
+      callback = callback.call,
+      get_token = get_token.call,
+      service = service
+    }, mt)
+end
+
+function _M.transform_credentials(_, credentials)
+  return credentials
+end
+
+return _M
@@ -93,6 +93,8 @@ local function check_client_credentials(params)
       ctx = ngx.ctx
     })
 
+  ngx.log(ngx.INFO, "[oauth] Checking client credentials, status: ", res.status, " body: ", res.body)
+
   if res.status == 200 then
     return { ["status"] = res.status, ["body"] = res.body }
   else