Introspection writes to error log if authorization bearer header is missing (#18)

* openidc.introspect is invoked only if request has Authorization Bearer header to prevent error logging from openidc.introspect. Added first draft of unit tests.

* Got rid of luanit_agent.

* lib removed.

Author: phirvone

kong/plugins/oidc/handler.lua

@@ -4,7 +4,6 @@ local utils = require("kong.plugins.oidc.utils")
 local filter = require("kong.plugins.oidc.filter")
 local session = require("kong.plugins.oidc.session")
 
-local openidc = require("resty.openidc")
 local cjson = require("cjson")
 
 OidcHandler.PRIORITY = 1000
@@ -19,18 +18,17 @@ function OidcHandler:access(config)
   local oidcConfig = utils.get_options(config, ngx)
 
   if filter.shouldProcessRequest(oidcConfig) then
-    ngx.log(ngx.DEBUG, "In plugin OidcHandler:access calling authenticate, requested path: " .. ngx.var.request_uri)
     session.configure(config)
     handle(oidcConfig)
   else
-    ngx.log(ngx.DEBUG, "In plugin OidcHandler:access NOT calling authenticate, requested path: " .. ngx.var.request_uri)
+    ngx.log(ngx.DEBUG, "OidcHandler ignoring request, path: " .. ngx.var.request_uri)
   end
 
-  ngx.log(ngx.DEBUG, "In plugin OidcHandler:access Done")
+  ngx.log(ngx.DEBUG, "OidcHandler done")
 end
 
 function handle(oidcConfig)
-  local response = nil
+  local response
   if oidcConfig.introspection_endpoint then
     response = introspect(oidcConfig)
     if response then
@@ -48,7 +46,8 @@ function handle(oidcConfig)
 end
 
 function make_oidc(oidcConfig)
-  local res, err = openidc.authenticate(oidcConfig)
+  ngx.log(ngx.DEBUG, "OidcHandler calling authenticate, requested path: " .. ngx.var.request_uri)
+  local res, err = require("resty.openidc").authenticate(oidcConfig)
   if err then
     if oidcConfig.recovery_page_path then
       ngx.log(ngx.DEBUG, "Entering recovery page: " .. oidcConfig.recovery_page_path)
@@ -60,11 +59,15 @@ function make_oidc(oidcConfig)
 end
 
 function introspect(oidcConfig)
-  local res, err = openidc.introspect(oidcConfig)
-  if err then
-    return nil
+  if utils.has_bearer_access_token() then
+    local res, err = require("resty.openidc").introspect(oidcConfig)
+    if err then
+      return nil
+    end
+    ngx.log(ngx.DEBUG, "OidcHandler introspect succeeded, requested path: " .. ngx.var.request_uri)
+    return res
   end
-  return res
+  return nil
 end
 
 

kong/plugins/oidc/utils.lua

@@ -1,7 +1,7 @@
 local M = {}
 
 local function parseFilters(csvFilters)
-  filters = {}
+  local filters = {}
   if (not (csvFilters == nil)) then
     for pattern in string.gmatch(csvFilters, "[^,]+") do
       table.insert(filters, pattern)
@@ -66,4 +66,15 @@ function M.injectUser(user)
   ngx.ctx.authenticated_consumer = tmp_user
 end
 
+function M.has_bearer_access_token()
+  local header =  ngx.req.get_headers()['Authorization']
+  if header and header:find(" ") then
+    local divider = header:find(' ')
+    if string.lower(header:sub(0, divider-1)) == string.lower("Bearer") then
+      return true
+    end
+  end
+  return false
+end
+
 return M

test/unit/test_filter.lua

@@ -43,3 +43,5 @@ function TestFilter:testProcessRequestWhenTheyAreNoFiltersEmpty()
 end
 
 lu.run()
+
+

test/unit/test_filters_advanced.lua

@@ -0,0 +1,156 @@
+local filter = require("kong.plugins.oidc.filter")
+local lu = require("luaunit")
+
+TestFilter = {}
+ngx = {
+    var = {
+        uri = ""
+    }
+}
+
+local config =  {
+    filters = {  "^/auth$","^/auth[^%w_%-%.~]","^/arc$","^/arc[^%w_%-%.~]","^/projects/%d+/zeppelin[^%w_%-%.~]","^/projects/%d+/zeppelin$"}
+}
+function TestFilter:testIgnoreRequestWhenUriIsAuth()
+    ngx.var.uri = "/auth"
+    lu.assertFalse(filter.shouldProcessRequest(config))
+
+    ngx.var.uri = "/auth/"
+    lu.assertFalse(filter.shouldProcessRequest(config))
+end
+
+
+function TestFilter:testIgnoreRequestWhenUriIsArc()
+    ngx.var.uri = "/arc"
+    lu.assertFalse(filter.shouldProcessRequest(config))
+
+    ngx.var.uri = "/arc/"
+    lu.assertFalse(filter.shouldProcessRequest(config))
+end
+
+
+function TestFilter:testProcessRequestWhichAreAllowed()
+    ngx.var.uri = "/not_auth"
+    assert(filter.shouldProcessRequest(config) == true)
+end
+
+---------------------------NEW TESTS
+function TestFilter:testIgnoreRequestBeingIdenticalToFilter()
+    ngx.var.uri = "/arc"
+    lu.assertFalse(filter.shouldProcessRequest(config) )
+end
+
+function TestFilter:testIgnoreRequestStartingWithFilterFollowedBySlash()
+    ngx.var.uri = "/arc/"
+    lu.assertFalse(filter.shouldProcessRequest(config) )
+end
+
+function TestFilter:testIgnoreRequestStartingWithFilterFollowedByPaths()
+    ngx.var.uri = "/arc/de/triomphe"
+    lu.assertFalse(filter.shouldProcessRequest(config) )
+
+end
+
+function TestFilter:testIgnoreRequestStartingWithFilterFollowedByQuestionmark()
+    ngx.var.uri = "/arc?"
+    lu.assertFalse(filter.shouldProcessRequest(config) )
+
+    ngx.var.uri = "/arc?de=triomphe"
+    lu.assertFalse(filter.shouldProcessRequest(config) )
+
+end
+
+
+function TestFilter:testIgnoreRequestStartingWithFilterFollowedByQuestionmark()
+    ngx.var.uri = "/arc?"
+    lu.assertFalse(filter.shouldProcessRequest(config) )
+
+    ngx.var.uri = "/arc?de=triomphe"
+    lu.assertFalse(filter.shouldProcessRequest(config) )
+
+end
+
+function TestFilter:testPrefixNotAtTheStart()
+    ngx.var.uri = "/process_this/arc"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+
+    ngx.var.uri = "/process_this/arc/de/triomphe"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+
+    ngx.var.uri = "/process_this/architecture"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+
+end
+
+
+function TestFilter:testLowercaseLetterAfterPrefix()
+    ngx.var.uri = "/architecture"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+end
+
+function TestFilter:testUppercaseLetterLetterAfterPrefix()
+    ngx.var.uri = "/archITACTURE"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+end
+
+function TestFilter:testDigitAfterPrefix()
+    ngx.var.uri = "/arc123"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+end
+
+function TestFilter:testHyphenAfterPrefix()
+    ngx.var.uri = "/arc-123"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+end
+
+function TestFilter:testPeriodAfterPrefix()
+    ngx.var.uri = "/arc.123"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+end
+
+
+function TestFilter:testUnderscoreAfterPrefix()
+    ngx.var.uri = "/arc_123"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+end
+
+function TestFilter:testTildeAfterPrefix()
+    ngx.var.uri = "/arc~123"
+    lu.assertTrue(filter.shouldProcessRequest(config) )
+end
+
+
+
+--zeppelin tests
+function TestFilter:testZeppelin()
+    ngx.var.uri = "/projects/10/zeppelin"
+    lu.assertFalse(filter.shouldProcessRequest(config))
+end
+
+function TestFilter:testSlashAfterZeppelin()
+    ngx.var.uri = "/projects/10/zeppelin/"
+    lu.assertFalse(filter.shouldProcessRequest(config))
+end
+
+
+function TestFilter:testQuestionMarkAfterZeppelin()
+    ngx.var.uri = "/projects/10/zeppelin?"
+    lu.assertFalse(filter.shouldProcessRequest(config))
+end
+
+function TestFilter:testExtraCharactersAfterZeppelin()
+    ngx.var.uri = "/projects/10/zeppelinextras"
+    lu.assertTrue(filter.shouldProcessRequest(config))
+end
+
+function TestFilter:testZeppelinNotAtStart()
+    ngx.var.uri = "/this/projects/10/zeppelin"
+    lu.assertTrue(filter.shouldProcessRequest(config))
+end
+
+
+
+
+lu.run()
+
+

test/unit/test_handler_mocking_openidc.lua

@@ -0,0 +1,119 @@
+package.path = package.path .. ";test/lib/?.lua;;" -- kong & co
+
+local lu = require("luaunit")
+
+
+TestHandler = {}
+
+  function TestHandler:setUp()
+    self.logs = {}
+    self.ngx_headers = {}
+    self.mocked_ngx = {
+      DEBUG = "debug",
+      ctx = {},
+      header = {},
+      var = {request_uri = "/"},
+      req = {
+        get_uri_args = function(...) end,
+        set_header = function(...) end,
+        get_headers = function(...) return self.ngx_headers end
+      },
+      log = function(...)
+        self.logs[#self.logs+1] = table.concat(arg, " ")
+        print("ngx.log: ", unpack(arg))
+      end,
+      say = function(...) end,
+      exit = function(...) end,
+      redirect = function(...) end
+    }
+    self.ngx = _G.ngx
+    _G.ngx = self.mocked_ngx
+
+    self.resty = package.loaded.resty
+    package.loaded["resty.openidc"] = nil
+    self.module_resty = {openidc = {
+      authenticate = function(...) return {}, nil end }
+      }
+    package.preload["resty.openidc"] = function()
+      return self.module_resty.openidc
+    end
+
+    self.cjson = package.loaded.cjson
+    package.loaded.cjson = nil
+    package.preload["cjson"] = function()
+      return {encode = function(...) return "encoded" end}
+    end
+
+    self.handler = require("kong.plugins.oidc.handler")()
+  end
+
+  function TestHandler:tearDown()
+    _G.ngx = self.ngx
+    package.loaded.resty = self.resty
+    package.loaded.cjson = self.cjson
+  end
+
+  function TestHandler:log_contains(str)
+    return table.concat(self.logs, "//"):find(str) and true or false
+  end
+
+  function TestHandler:test_authenticate_ok_no_userinfo()
+    self.module_resty.openidc.authenticate = function(opts)
+      return {}, false
+    end
+
+    self.handler:access({})
+    lu.assertTrue(self:log_contains("calling authenticate"))
+  end
+
+  function TestHandler:test_authenticate_ok_with_userinfo()
+    self.module_resty.openidc.authenticate = function(opts)
+      return {user = {sub = "sub"}}, false
+    end
+
+    self.handler:access({})
+    lu.assertTrue(self:log_contains("calling authenticate"))
+  end
+
+  function TestHandler:test_authenticate_nok_no_recovery()
+    self.module_resty.openidc.authenticate = function(opts)
+      return {}, true
+    end
+
+    self.handler:access({})
+    lu.assertTrue(self:log_contains("calling authenticate"))
+  end
+
+  function TestHandler:test_authenticate_nok_with_recovery()
+    self.module_resty.openidc.authenticate = function(opts)
+      return {}, true
+    end
+
+    self.handler:access({recovery_page_path = "x"})
+    lu.assertTrue(self:log_contains("recovery page"))
+  end
+
+  function TestHandler:test_introspect_ok_no_userinfo()
+    self.module_resty.openidc.introspect = function(opts)
+      return false, false
+    end
+    self.ngx_headers = {Authorization = "Bearer xxx"}
+
+    self.handler:access({introspection_endpoint = "x"})
+    lu.assertTrue(self:log_contains("introspect succeeded"))
+  end
+
+  function TestHandler:test_introspect_ok_with_userinfo()
+    self.module_resty.openidc.introspect = function(opts)
+      return {}, false
+    end
+    self.ngx_headers = {Authorization = "Bearer xxx"}
+
+    self.handler:access({introspection_endpoint = "x"})
+    lu.assertTrue(self:log_contains("introspect succeeded"))
+  end
+
+
+lu.run()
+
+