updating to allow multi-authentication and working against kong 1.X+

emoj · emoj · commit 0709abf5c76b · 2019-05-15T11:30:07.000-04:00
diff --git a/.github/ ISSUE_TEMPLATE.md b/.github/ ISSUE_TEMPLATE.md
diff --git a/kong/plugins/oidc/handler.lua b/kong/plugins/oidc/handler.lua
@@ -4,12 +4,63 @@ local utils = require("kong.plugins.oidc.utils")
 local filter = require("kong.plugins.oidc.filter")
 local session = require("kong.plugins.oidc.session")
 
-local singletons = require "kong.singletons"
 local constants = require "kong.constants"
-local responses = require "kong.tools.responses"
 
-OidcHandler.PRIORITY = 1000
+local kong = kong
 
+OidcHandler.PRIORITY = 1002
+
+local function internal_server_error(err)
+  kong.log.err(err)
+  return kong.response.exit(500, { message = "An unexpected error occurred" })
+end
+
+local function set_consumer(consumer, credential, token)
+  local set_header = kong.service.request.set_header
+  local clear_header = kong.service.request.clear_header
+
+  if consumer and consumer.id then
+    set_header(constants.HEADERS.CONSUMER_ID, consumer.id)
+  else
+    clear_header(constants.HEADERS.CONSUMER_ID)
+  end
+
+  if consumer and consumer.custom_id then
+    set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
+  else
+    clear_header(constants.HEADERS.CONSUMER_CUSTOM_ID)
+  end
+
+  if consumer and consumer.username then
+    set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
+  else
+    clear_header(constants.HEADERS.CONSUMER_USERNAME)
+  end
+
+  kong.client.authenticate(consumer, credential)
+
+  if credential then
+    if token.scope then
+      set_header("x-authenticated-scope", token.scope)
+    else
+      clear_header("x-authenticated-scope")
+    end
+
+    if token.authenticated_userid then
+      set_header("x-authenticated-userid", token.authenticated_userid)
+    else
+      clear_header("x-authenticated-userid")
+    end
+
+    clear_header(constants.HEADERS.ANONYMOUS) -- in case of auth plugins concatenation
+
+  else
+    set_header(constants.HEADERS.ANONYMOUS, true)
+    clear_header("x-authenticated-scope")
+    clear_header("x-authenticated-userid")
+  end
+
+end
 
 function OidcHandler:new()
   OidcHandler.super.new(self, "oidc")
@@ -18,7 +69,7 @@ end
 function OidcHandler:access(config)
   OidcHandler.super.access(self)
 
-  if ngx.ctx.authenticated_credential and config.anonymous ~= "" then
+  if config.anonymous and kong.client.get_credential() then
     -- we're already authenticated, and we're configured for using anonymous,
     -- hence we're in a logical OR between auth methods and we're already done.
     return
@@ -49,6 +100,10 @@ function handle(oidcConfig)
     response = make_oidc(oidcConfig)
     if response then
       if (response.user) then
+        local tmp_user = response.user
+        tmp_user.id = response.user.sub
+        tmp_user.username = response.user.preferred_username
+        set_consumer(tmp_user, nil, nil)
         utils.injectUser(response.user)
       end
       if (response.access_token) then
@@ -69,19 +124,20 @@ function make_oidc(oidcConfig)
       ngx.log(ngx.DEBUG, "Entering recovery page: " .. oidcConfig.recovery_page_path)
       ngx.redirect(oidcConfig.recovery_page_path)
     end
-    if oidcConfig.anonymous ~= "" then
+    if oidcConfig.anonymous then
       -- get anonymous user
-      local consumer_cache_key = singletons.db.consumers:cache_key(oidcConfig.anonymous)
-      local consumer, err      = singletons.cache:get(consumer_cache_key, nil,
-                                                      load_consumer_into_memory,
-                                                      oidcConfig.anonymous, true)
+      local consumer_cache_key = kong.db.consumers:cache_key(oidcConfig.anonymous)
+      local consumer, err      = kong.cache:get(consumer_cache_key, nil,
+                                                load_consumer_into_memory,
+                                                oidcConfig.anonymous, true)
       if err then
-        return responses.send_HTTP_INTERNAL_SERVER_ERROR(err)
+        return internal_server_error(err)
       end
+
       set_consumer(consumer, nil, nil)
 
     else
-      utils.exit(500, err, ngx.HTTP_INTERNAL_SERVER_ERROR)
+      return kong.response.exit(err.status, err.message, err.headers)
     end
   end
   return res
@@ -93,19 +149,20 @@ function introspect(oidcConfig)
     if err then
       if oidcConfig.bearer_only == "yes" then
         ngx.header["WWW-Authenticate"] = 'Bearer realm="' .. oidcConfig.realm .. '",error="' .. err .. '"'
-        if oidcConfig.anonymous ~= "" then
+        if oidcConfig.anonymous then
           -- get anonymous user
-          local consumer_cache_key = singletons.db.consumers:cache_key(oidcConfig.anonymous)
-          local consumer, err      = singletons.cache:get(consumer_cache_key, nil,
-                                                          load_consumer_into_memory,
-                                                          oidcConfig.anonymous, true)
+          local consumer_cache_key = kong.db.consumers:cache_key(oidcConfig.anonymous)
+          local consumer, err      = kong.cache:get(consumer_cache_key, nil,
+                                                    load_consumer_into_memory,
+                                                    oidcConfig.anonymous, true)
           if err then
-            return responses.send_HTTP_INTERNAL_SERVER_ERROR(err)
+            return internal_server_error(err)
           end
+    
           set_consumer(consumer, nil, nil)
     
         else
-          utils.exit(ngx.HTTP_UNAUTHORIZED, err, ngx.HTTP_UNAUTHORIZED)
+          return kong.response.exit(err.status, err.message, err.headers)
         end
         
       end
@@ -119,21 +176,5 @@ end
 
 -- TESTING
 
-local function set_consumer(consumer, credential, token)
-  ngx_set_header(constants.HEADERS.CONSUMER_ID, consumer.id)
-  ngx_set_header(constants.HEADERS.CONSUMER_CUSTOM_ID, consumer.custom_id)
-  ngx_set_header(constants.HEADERS.CONSUMER_USERNAME, consumer.username)
-  ngx.ctx.authenticated_consumer = consumer
-  if credential then
-    ngx_set_header("x-authenticated-scope", token.scope)
-    ngx_set_header("x-authenticated-userid", token.authenticated_userid)
-    ngx.ctx.authenticated_credential = credential
-    ngx_set_header(constants.HEADERS.ANONYMOUS, nil) -- in case of auth plugins concatenation
-  else
-    ngx_set_header(constants.HEADERS.ANONYMOUS, true)
-  end
-
-end
-
 
 return OidcHandler
diff --git a/kong/plugins/oidc/schema.lua b/kong/plugins/oidc/schema.lua
@@ -1,24 +1,41 @@
+local typedefs = require "kong.db.schema.typedefs"
+
+local function validate_flows(config)
+
+  return true
+
+end
+
 return {
-  no_consumer = true,
+  name = "oidc",
   fields = {
-    anonymous = { type = "string", uuid = true, legacy = true },
-    client_id = { type = "string", required = true },
-    client_secret = { type = "string", required = true },
-    discovery = { type = "string", required = true, default = "https://.well-known/openid-configuration" },
-    introspection_endpoint = { type = "string", required = false },
-    timeout = { type = "number", required = false },
-    introspection_endpoint_auth_method = { type = "string", required = false },
-    bearer_only = { type = "string", required = true, default = "no" },
-    realm = { type = "string", required = true, default = "kong" },
-    redirect_uri_path = { type = "string" },
-    scope = { type = "string", required = true, default = "openid" },
-    response_type = { type = "string", required = true, default = "code" },
-    ssl_verify = { type = "string", required = true, default = "no" },
-    token_endpoint_auth_method = { type = "string", required = true, default = "client_secret_post" },
-    session_secret = { type = "string", required = false },
-    recovery_page_path = { type = "string" },
-    logout_path = { type = "string", required = false, default = '/logout' },
-    redirect_after_logout_uri = { type = "string", required = false, default = '/' },
-    filters = { type = "string" }
-  }
+    { consumer = typedefs.no_consumer },
+    { config = {
+        type = "record",
+        fields = {
+          { anonymous = { type = "string", uuid = true, legacy = true }, },
+          {client_id = { type = "string", required = true, default = "konglocal" }},
+          {client_secret = { type = "string", required = true, default = "kongapigateway" }},
+          {discovery = { type = "string", required = true, default = "https://cas.example.org:8453/cas/oidc/.well-known/openid-configuration" }},
+          {introspection_endpoint = { type = "string", required = false }},
+          {timeout = { type = "number", required = false }},
+          {introspection_endpoint_auth_method = { type = "string", required = false }},
+          {bearer_only = { type = "string", required = true, default = "no" }},
+          {realm = { type = "string", required = true, default = "kong" }},
+          {redirect_uri_path = { type = "string" }},
+          {inject_base_path = { type = "string" }},
+          {scope = { type = "string", required = true, default = "openid" }},
+          {response_type = { type = "string", required = true, default = "code" }},
+          {ssl_verify = { type = "string", required = true, default = "no" }},
+          {token_endpoint_auth_method = { type = "string", required = true, default = "client_secret_post" }},
+          {session_secret = { type = "string", required = false }},
+          {recovery_page_path = { type = "string" }},
+          {logout_path = { type = "string", required = false, default = '/logout' }},
+          {redirect_after_logout_uri = { type = "string", required = false, default = '/' }},
+          {filters = { type = "string" }}
+        },
+        custom_validator = validate_flows,
+      },
+    },
+  },
 }
