fix(authz-keycloak): do not expose internal errors to the client (#6854)

tzssangglass 2022-04-18 08:56:13 +08:00 committed by GitHub
parent 6bbffb4d0f
commit 943436a16c
2 changed files with 80 additions and 7 deletions


@ -721,13 +721,13 @@ local function generate_token_using_password_grant(conf,ctx)
if not username then
local err = "username is missing."
log.error(err)
return 422, err
log.warn(err)
return 422, {message = err}
end
if not password then
local err = "password is missing."
log.error(err)
return 422, err
log.warn(err)
return 422, {message = err}
end
local client_id = authz_keycloak_get_client_id(conf)
@ -737,7 +737,7 @@ local function generate_token_using_password_grant(conf,ctx)
if not token_endpoint then
local err = "Unable to determine token endpoint."
log.error(err)
return 503, err
return 503, {message = err}
end
local httpc = authz_keycloak_get_http_client(conf)
@ -763,7 +763,7 @@ local function generate_token_using_password_grant(conf,ctx)
err = "Accessing token endpoint URL (" .. token_endpoint
.. ") failed: " .. err
log.error(err)
return 401, {message = err}
return 401, {message = "Accessing token endpoint URL failed."}
end
log.debug("Response data: " .. res.body)
@ -773,7 +773,7 @@ local function generate_token_using_password_grant(conf,ctx)
err = "Could not decode JSON from response"
.. (err and (": " .. err) or '.')
log.error(err)
return 401, {message = err}
return 401, {message = "Could not decode JSON from response."}
end
return res.status, res.body
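Review bot: The two generic messages introduced in the hunks at 763 and 773 still return status 401, so a client gets the same code for "token endpoint unreachable" or "unparseable token response" as for rejected credentials, while the comparable server-side failure at 737 uses 503. Unless something downstream depends on the 401, `return 503, {message = "Accessing token endpoint URL failed."}` and `return 503, {message = "Could not decode JSON from response."}` would match that branch and keep the endpoint URL and decoder detail in the log only, as the commit intends. The enclosing function generate_token_using_password_grant starts before the first hunk.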


@ -623,3 +623,76 @@ GET /t
true
--- no_error_log
[error]
=== TEST 19: no username or password
--- config
location /t {
content_by_lua_block {
local t = require("lib.test_admin").test
local code, body = t('/apisix/admin/routes/1',
ngx.HTTP_PUT,
[[{
"plugins": {
"authz-keycloak": {
"token_endpoint": "https://127.0.0.1:8443/auth/realms/University/protocol/openid-connect/token",
"permissions": ["course_resource#view"],
"client_id": "course_management",
"client_secret": "d1ec69e9-55d2-4109-a3ea-befa071579d5",
"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
"timeout": 3000,
"ssl_verify": false,
"password_grant_token_generation_incoming_uri": "/api/token"
}
},
"upstream": {
"nodes": {
"127.0.0.1:1982": 1
},
"type": "roundrobin"
},
"uri": "/api/token"
}]]
)
if code >= 300 then
ngx.status = code
end
local json_decode = require("toolkit.json").decode
local http = require "resty.http"
local httpc = http.new()
local uri = "http://127.0.0.1:" .. ngx.var.server_port .. "/api/token"
local headers = {
["Content-Type"] = "application/x-www-form-urlencoded",
}
-- no username
local res, err = httpc:request_uri(uri, {
method = "POST",
headers = headers,
body = ngx.encode_args({
password = "123456",
}),
})
ngx.print(res.body)
-- no password
local res, err = httpc:request_uri(uri, {
method = "POST",
headers = headers,
body = ngx.encode_args({
username = "teacher@gmail.com",
}),
})
ngx.print(res.body)
}
}
--- request
GET /t
--- response_body
{"message":"username is missing."}
{"message":"password is missing."}
--- no_error_log
[error]
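Review bot: Both request_uri calls in TEST 19 discard `err` and index `res.body` unconditionally, so a failed connection to the test server dies with an attempt-to-index-nil error instead of a readable failure; a guard such as `if not res then ngx.say(err) return end` after each call would make that explicit. The test also pins only the body, not the 422 status the plugin change sets; printing `res.status` next to the body and extending `--- response_body` accordingly would cover the status as well. The second `local res, err` redeclares the first in the same scope, which luacheck reports as shadowing; a plain `res, err = httpc:request_uri(...)` reuses the existing locals.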