Re: [PR] feat: support secret fetching in authz-keycloak [apisix]

Wed, 04 Oct 2023 21:53:23 -0700 


shreemaan-abhishek commented on code in PR #10291:
URL: https://github.com/apache/apisix/pull/10291#discussion_r1346778828


##########
t/plugin/authz-keycloak.t:
##########
@@ -645,3 +649,88 @@ GET /t
 --- response_body
 {"message":"username is missing."}
 {"message":"password is missing."}
+
+
+
+=== TEST 19: store secret into vault
+--- exec
+VAULT_TOKEN='root' VAULT_ADDR='http://0.0.0.0:8200' vault kv put kv/apisix/foo 
client_secret=d1ec69e9-55d2-4109-a3ea-befa071579d5
+--- response_body
+Success! Data written to: kv/apisix/foo
+
+
+
+=== TEST 20: set client_secret as a reference to secret
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            -- put secret vault config
+            local code, body = t('/apisix/admin/secrets/vault/test1',
+                ngx.HTTP_PUT,
+                [[{
+                    "uri": "http://127.0.0.1:8200";,
+                    "prefix" : "kv/apisix",
+                    "token" : "root"
+                }]]
+                )
+
+            if code >= 300 then
+                ngx.status = code
+                return ngx.say(body)
+            end
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                        "plugins": {
+                            "authz-keycloak": {
+                                "token_endpoint": 
"https://127.0.0.1:8443/realms/University/protocol/openid-connect/token";,
+                                "permissions": ["course_resource#view"],
+                                "client_id": "course_management",
+                                "client_secret": 
"$secret://vault/test1/foo/client_secret",
+                                "grant_type": 
"urn:ietf:params:oauth:grant-type:uma-ticket",
+                                "timeout": 3000,
+                                "ssl_verify": false,
+                                
"password_grant_token_generation_incoming_uri": "/api/token"
+                            }
+                        },
+                        "upstream": {
+                            "nodes": {
+                                "127.0.0.1:1982": 1
+                            },
+                            "type": "roundrobin"
+                        },
+                        "uri": "/api/token"
+                }]]
+            )
+
+            if code >= 300 then
+                ngx.status = code

Review Comment:
   return when there is a failure.
   ```suggestion
                   ngx.status = code
                   return ngx.say(body)
   ```



##########
t/plugin/authz-keycloak.t:
##########


Review Comment:
   better add new tests in `t/plugin/authz-keycloak3.t`



##########
apisix/plugins/authz-keycloak.lua:
##########
@@ -20,6 +20,7 @@ local sub_str   = string.sub
 local type      = type
 local ngx       = ngx
 local plugin_name = "authz-keycloak"
+local secret         = require("apisix.secret")

Review Comment:
   ```suggestion
   local secret        = require("apisix.secret")
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to