This is an automated email from the ASF dual-hosted git repository.
shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new c3d7d5ec6 test: add missing regression coverage for data-mask and
saml-auth (#13684)
c3d7d5ec6 is described below
commit c3d7d5ec69774121f53d2e20d29d09c816795dd7
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Mon Jul 13 13:27:25 2026 +0800
test: add missing regression coverage for data-mask and saml-auth (#13684)
---
t/plugin/data-mask.t | 181 +++++++++++++++++++++++++-
t/plugin/saml-auth-post.t | 314 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 493 insertions(+), 2 deletions(-)
diff --git a/t/plugin/data-mask.t b/t/plugin/data-mask.t
index d00aae131..75fe7f8f2 100644
--- a/t/plugin/data-mask.t
+++ b/t/plugin/data-mask.t
@@ -667,7 +667,184 @@ success
-=== TEST 15: create route for access log masking test
+=== TEST 15: create route for multi-value query param masking
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "data-mask": {
+ "request": [
+ {
+ "action": "regex",
+ "name": "token",
+ "regex": ".",
+ "type": "query",
+ "value": "*"
+ }
+ ]
+ },
+ "file-logger": {
+ "path": "mask-multi-query.log"
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1982": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+
+
+
+=== TEST 16: verify multi-value query param regex masking does not crash and
masks all values
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin").test
+
+ -- send request with the same param appearing twice
+ local code = t("/hello?token=abc&token=def", ngx.HTTP_GET)
+
+ local fd, err = io.open("mask-multi-query.log", "r")
+ if not fd then
+ core.log.error("failed to open file: ", err)
+ return
+ end
+ local line = fd:read()
+ local log = core.json.decode(line)
+ local token = log.request.querystring.token
+ os.remove("mask-multi-query.log")
+
+ -- token should be masked: regex "." replaces the first char with
"*"
+ local ok = false
+ if type(token) == "string" then
+ ok = token:sub(1, 1) == "*"
+ elseif type(token) == "table" then
+ ok = true
+ for _, v in ipairs(token) do
+ if v:sub(1, 1) ~= "*" then
+ ok = false
+ break
+ end
+ end
+ end
+ if ok then
+ ngx.say("success")
+ else
+ ngx.say("token not fully masked: " .. core.json.encode(token))
+ end
+ }
+ }
+--- response_body
+success
+
+
+
+=== TEST 17: create route for non-string JSON field regex masking
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "plugins": {
+ "data-mask": {
+ "request": [
+ {
+ "action": "regex",
+ "body_format": "json",
+ "name": "$.count",
+ "regex": "\\d+",
+ "type": "body",
+ "value": "[REDACTED]"
+ },
+ {
+ "action": "replace",
+ "body_format": "json",
+ "name": "$.name",
+ "type": "body",
+ "value": "***"
+ }
+ ]
+ },
+ "file-logger": {
+ "include_req_body": true,
+ "path": "mask-nonstring-json.log"
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1982": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+
+
+
+=== TEST 18: verify non-string JSON field regex is skipped without crash
+--- config
+ location /t {
+ content_by_lua_block {
+ local core = require("apisix.core")
+ local t = require("lib.test_admin").test
+
+ local code = t("/hello", ngx.HTTP_POST, [[{"count": 42, "name":
"Alice"}]])
+
+ local fd, err = io.open("mask-nonstring-json.log", "r")
+ if not fd then
+ core.log.error("failed to open file: ", err)
+ return
+ end
+ local line = fd:read()
+ local log = core.json.decode(line)
+ local body = core.json.decode(log.request.body)
+ os.remove("mask-nonstring-json.log")
+
+ -- $.count is a number; regex should be skipped, value unchanged
+ if body.count ~= 42 then
+ ngx.say("expected count=42, got: " .. tostring(body.count))
+ return
+ end
+ -- $.name is a string; replace should work
+ if body.name ~= "***" then
+ ngx.say("expected name=***, got: " .. tostring(body.name))
+ return
+ end
+ ngx.say("success")
+ }
+ }
+--- response_body
+success
+
+
+
+=== TEST 19: create route for access log masking test
--- config
location /t {
content_by_lua_block {
@@ -711,7 +888,7 @@ success
-=== TEST 16: verify access log masks sensitive query parameters
+=== TEST 20: verify access log masks sensitive query parameters
--- extra_yaml_config
nginx_config:
http:
diff --git a/t/plugin/saml-auth-post.t b/t/plugin/saml-auth-post.t
new file mode 100644
index 000000000..2e3fcfd88
--- /dev/null
+++ b/t/plugin/saml-auth-post.t
@@ -0,0 +1,314 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+log_level('info');
+repeat_each(1);
+no_long_string();
+no_root_location();
+no_shuffle();
+
+add_block_preprocessor(sub {
+ my ($block) = @_;
+
+ # setup default conf.yaml
+ my $extra_yaml_config = $block->extra_yaml_config // '';
+ $extra_yaml_config .= <<_EOC_;
+plugins:
+ - saml-auth # priority: 2598
+_EOC_
+
+ $block->set_value("extra_yaml_config", $extra_yaml_config);
+
+ if (!defined $block->request) {
+ $block->set_value("request", "GET /t");
+ }
+
+ if ((!defined $block->error_log) && (!defined $block->no_error_log)) {
+ $block->set_value("no_error_log", "[error]");
+ }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: Add route for sp1
+--- config
+ location /t {
+ content_by_lua_block {
+ local kc = require("lib.keycloak_saml")
+ local core = require("apisix.core")
+
+ local default_opts = kc.get_default_opts()
+ local opts = core.table.deepcopy(default_opts)
+ opts.sp_issuer = "sp"
+ opts.auth_protocol_binding_method = "HTTP-POST"
+ local t = require("lib.test_admin").test
+
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "host" : "127.0.0.1",
+ "plugins": {
+ "saml-auth": ]] .. core.json.encode(opts) .. [[
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 2: login and logout ok
+--- config
+ location /t {
+ content_by_lua_block {
+ local http = require "resty.http"
+ local httpc = http.new()
+ local kc = require "lib.keycloak_saml"
+
+ local path = "/uri"
+ local uri = "http://127.0.0.1:" .. ngx.var.server_port
+ local username = "test"
+ local password = "test"
+
+ local res, err, saml_cookie, keycloak_cookie =
kc.login_keycloak(uri .. path, username, password)
+ if err or res.headers['Location'] ~= path then
+ ngx.log(ngx.ERR, err)
+ ngx.exit(500)
+ end
+ res, err = httpc:request_uri(uri .. res.headers['Location'], {
+ method = "GET",
+ headers = {
+ ["Cookie"] = saml_cookie
+ }
+ })
+ assert(res.status == 200)
+ ngx.say(res.body)
+
+ res, err = kc.logout_keycloak(uri .. "/logout", saml_cookie,
keycloak_cookie)
+ if err or res.headers['Location'] ~= "/logout_ok" then
+ ngx.log(ngx.ERR, err)
+ ngx.exit(500)
+ end
+ }
+ }
+--- response_body_like
+uri: /uri
+cookie: .*
+host: 127.0.0.1:1984
+user-agent: .*
+x-real-ip: 127.0.0.1
+--- error_log
+login callback req with http post
+
+
+
+=== TEST 3: Add route for sp2
+--- config
+ location /t {
+ content_by_lua_block {
+ local kc = require("lib.keycloak_saml")
+ local core = require("apisix.core")
+
+ local default_opts = kc.get_default_opts()
+ local opts = core.table.deepcopy(default_opts)
+ opts.sp_issuer = "sp2"
+ opts.auth_protocol_binding_method = "HTTP-POST"
+
+ local t = require("lib.test_admin").test
+
+ local code, body = t('/apisix/admin/routes/2',
+ ngx.HTTP_PUT,
+ [[{
+ "host" : "127.0.0.2",
+ "plugins": {
+ "saml-auth": ]] .. core.json.encode(opts) .. [[
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 4: login sp1 and sp2, then do single logout
+--- config
+ location /t {
+ content_by_lua_block {
+ local http = require "resty.http"
+ local httpc = http.new()
+ local kc = require "lib.keycloak_saml"
+
+ local path = "/uri"
+
+ -- login to sp1
+ local uri = "http://127.0.0.1:" .. ngx.var.server_port
+ local username = "test"
+ local password = "test"
+
+ local res, err, saml_cookie, keycloak_cookie =
kc.login_keycloak(uri .. path, username, password)
+ if err or res.headers['Location'] ~= path then
+ ngx.log(ngx.ERR, err)
+ ngx.exit(500)
+ end
+ res, err = httpc:request_uri(uri .. res.headers['Location'], {
+ method = "GET",
+ headers = {
+ ["Cookie"] = saml_cookie
+ }
+ })
+ assert(res.status == 200)
+
+ -- login to sp2, which would skip login at keycloak side
+ local uri2 = "http://127.0.0.2:" .. ngx.var.server_port
+
+ local res, err, saml_cookie2 =
kc.login_keycloak_for_second_sp(uri2 .. path, keycloak_cookie)
+ if err or res.headers['Location'] ~= path then
+ ngx.log(ngx.ERR, err)
+ ngx.exit(500)
+ end
+ res, err = httpc:request_uri(uri2 .. res.headers['Location'], {
+ method = "GET",
+ headers = {
+ ["Cookie"] = saml_cookie2
+ }
+ })
+ assert(res.status == 200)
+
+ -- SLO (single logout)
+ res, err = kc.single_logout(uri .. "/logout", saml_cookie,
saml_cookie2, keycloak_cookie)
+ if err or res.headers['Location'] ~= "/logout_ok" then
+ ngx.log(ngx.ERR, err)
+ ngx.exit(500)
+ end
+
+ -- login to sp2, which would do normal login process at keycloak
side
+ local res, err, saml_cookie2, keycloak_cookie =
kc.login_keycloak(uri2 .. path, username, password)
+ if err or res.headers['Location'] ~= path then
+ ngx.log(ngx.ERR, err)
+ ngx.exit(500)
+ end
+ res, err = httpc:request_uri(uri2 .. res.headers['Location'], {
+ method = "GET",
+ headers = {
+ ["Cookie"] = saml_cookie2
+ }
+ })
+ assert(res.status == 200)
+
+ -- logout sp2
+ res, err = kc.logout_keycloak(uri2 .. "/logout", saml_cookie2,
keycloak_cookie)
+ if err or res.headers['Location'] ~= "/logout_ok" then
+ ngx.log(ngx.ERR, err)
+ ngx.exit(500)
+ end
+ }
+ }
+--- error_log
+login callback req with http post
+
+
+
+=== TEST 5: Add route for sp1 with wrong login_callback_uri
+--- config
+ location /t {
+ content_by_lua_block {
+ local kc = require("lib.keycloak_saml")
+ local core = require("apisix.core")
+
+ local default_opts = kc.get_default_opts()
+ local opts = core.table.deepcopy(default_opts)
+ opts.sp_issuer = "sp"
+ opts.login_callback_uri = "/wrong_url"
+ opts.auth_protocol_binding_method = "HTTP-POST"
+ local t = require("lib.test_admin").test
+
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "host" : "127.0.0.1",
+ "plugins": {
+ "saml-auth": ]] .. core.json.encode(opts) .. [[
+ },
+ "upstream": {
+ "nodes": {
+ "127.0.0.1:1980": 1
+ },
+ "type": "roundrobin"
+ },
+ "uri": "/*"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- response_body
+passed
+
+
+
+=== TEST 6: login failed
+--- config
+ location /t {
+ content_by_lua_block {
+ local http = require "resty.http"
+ local httpc = http.new()
+ local kc = require "lib.keycloak_saml"
+
+ local path = "/uri"
+ local uri = "http://127.0.0.1:" .. ngx.var.server_port
+ local username = "test"
+ local password = "test"
+
+ local res = kc.login_keycloak(uri .. path, username, password)
+ assert(res == nil)
+ }
+ }