Fix retrival of public keys when keycloak running older version or is misconfigured

Author: gbbirkisson

Makefile

@@ -2,12 +2,12 @@ include makefiles/*.mk
 
 REPOSITORY?=gbbirkisson
 IMAGE?=kong-plugin-jwt-keycloak
-KONG_VERSION?=1.0
+KONG_VERSION?=1.1.2
 FULL_IMAGE_NAME:=${REPOSITORY}/${IMAGE}:${KONG_VERSION}
 
-PLUGIN_VERSION?=1.0.1-1
+PLUGIN_VERSION?=1.0.2-1
 
-TEST_VERSIONS?=1.0.0 1.0.1 1.0.2 1.0.3 1.1rc1
+TEST_VERSIONS?=1.0.3 1.1.2
 
 ### Docker ###
 
@@ -40,7 +40,7 @@ test-unit:
 	@echo "Running unit tests"
 	@echo
 
-	@cd tests && $(MAKE) --no-print-directory _tests-unit PLUGIN_VERSION=${PLUGIN_VERSION}
+	@cd tests && $(MAKE) --no-print-directory _tests-unit PLUGIN_VERSION=${PLUGIN_VERSION} KONG_VERSION=${KONG_VERSION}
 
 	@echo
 	@echo "Unit tests passed"

README.md

@@ -40,10 +40,17 @@ If you have any suggestion or comments, please feel free to open an issue on thi
 
 | Kong Version |   Tests passing    |
 | ------------ | :----------------: |
-| Kong 0.13.x  |        :x:         |
-| Kong 0.14.x  |        :x:         |
-| Kong 1.0.x   | :white_check_mark: |
-| Kong 1.1.rc1 | :white_check_mark: |
+| 0.13.x       |        :x:         |
+| 0.14.x       |        :x:         |
+| 1.0.x        | :white_check_mark: |
+| 1.1.x        | :white_check_mark: |
+
+| Keycloak Version |   Tests passing    |
+| ---------------- | :----------------: |
+| 3.X.X            | :white_check_mark: |
+| 4.X.X            | :white_check_mark: |
+| 5.X.X            | :white_check_mark: |
+| 6.X.X            | :white_check_mark: |
 
 ## Installation
 
@@ -118,10 +125,10 @@ curl -X POST http://localhost:8001/plugins \
 | config.uri_param_names                 | no      | `jwt`             | A list of querystring parameters that Kong will inspect to retrieve JWTs.                                                                                                                                                                                                                                                                                                                |
 | config.cookie_names                    | no      |                   | A list of cookie names that Kong will inspect to retrieve JWTs.                                                                                                                                                                                                                                                                                                                          |
 | config.claims_to_verify                | no      | `exp`             | A list of registered claims (according to [RFC 7519](https://tools.ietf.org/html/rfc7519)) that Kong can verify as well. Accepted values: `exp`, `nbf`.                                                                                                                                                                                                                                  |
-| config.anonymous                       | no      |                   | An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` attribute which is internal to Kong, and not its `custom_id`.                                                                          |
+| config.anonymous                       | no      |                   | An optional string (consumer uuid) value to use as an “anonymous” consumer if authentication fails. If empty (default), the request will fail with an authentication failure `4xx`. Please note that this value must refer to the Consumer `id` attribute which is internal to Kong, and not its `custom_id`.                                                                            |
 | config.run_on_preflight                | no      | `true`            | A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests, if set to false then `OPTIONS` requests will always be allowed.                                                                                                                                                                                                  |
 | config.maximum_expiration              | no      | `0`               | An integer limiting the lifetime of the JWT to `maximum_expiration` seconds in the future. Any JWT that has a longer lifetime will rejected (HTTP 403). If this value is specified, `exp` must be specified as well in the `claims_to_verify` property. The default value of `0` represents an indefinite period. Potential clock skew should be considered when configuring this value. |
-| config.algorithm                       | no      | `RS256`           | The algorithm used to verify the token’s signature. Can be `HS256`, `HS384`, `HS512`, `RS256`, or `ES256`.                                                                                                                                                                                                                                                                              |
+| config.algorithm                       | no      | `RS256`           | The algorithm used to verify the token’s signature. Can be `HS256`, `HS384`, `HS512`, `RS256`, or `ES256`.                                                                                                                                                                                                                                                                               |
 | config.allowed_iss                     | yes     |                   | A list of allowed issuers for this route/service/api.                                                                                                                                                                                                                                                                                                                                    |
 | config.iss_key_grace_period            | no      | `10`              | An integer that sets the number of seconds until public keys for an issuer can be updated after writing new keys to the cache. This is a guard so that the Kong cache will not invalidate every time a token signed with an invalid public key is sent to the plugin.                                                                                                                    |
 | config.well_known_template             | false   | *see description* | A string template that the well known endpoint for keycloak is created from. String formatting is applied on the template and `%s` is replaced by the issuer of the token. Default value is `%s/.well-known/openid-configuration`                                                                                                                                                        |

kong-plugin-jwt-keycloak-1.0.1-1.rockspec kong-plugin-jwt-keycloak-1.0.2-1.rockspec

@@ -1,6 +1,6 @@
 package = "kong-plugin-jwt-keycloak"
 
-version = "1.0.1-1"
+version = "1.0.2-1"
 -- The version '0.1.0' is the source code version, the trailing '1' is the version of this rockspec.
 -- whenever the source version changes, the rockspec should be reset to 1. The rockspec version is only
 -- updated (incremented) when this file changes, but the source remains the same.
@@ -10,7 +10,7 @@ supported_platforms = {"linux", "macosx"}
 
 source = {
   url = "git://github.com/gbbirkisson/kong-plugin-jwt-keycloak",
-  tag = "v1.0.1",
+  tag = "v1.0.2",
 }
 description = {
   summary = "A Kong plugin that will validate tokens issued by keycloak",

luarocks.Dockerfile

@@ -1,4 +1,4 @@
-FROM kong:1.0 as packer
+FROM kong:1.1.2 as builder
 
 ENV LUAROCKS_MODULE=kong-plugin-jwt-keycloak
 
@@ -7,10 +7,10 @@ RUN apk add --no-cache git zip && \
     luarocks install ${LUAROCKS_MODULE} && \
     luarocks pack ${LUAROCKS_MODULE}
 
-FROM kong:1.0
+FROM kong:1.1.2
 
 ENV KONG_PLUGINS="bundled,jwt-keycloak"
 
-COPY --from=packer kong-plugin-jwt-keycloak* /tmp/
-RUN luarocks install /tmp/kong-plugin-jwt-keycloak* &&\
+COPY --from=builder kong-plugin-jwt-keycloak* /tmp/
+RUN luarocks install /tmp/kong-plugin-jwt-keycloak* && \
     rm /tmp/*

makefiles/keycloak.mk

@@ -1,4 +1,4 @@
-KEYCLOAK_IMAGE:=jboss/keycloak:4.8.3.Final
+KEYCLOAK_IMAGE:=jboss/keycloak:6.0.1
 KEYCLOAK_CONTAINER_NAME:=kc_local
 KEYCLOAK_PORT:=8080
 KEYCLOAK_ADMIN_USER:=admin
@@ -9,9 +9,6 @@ keycloak-start:
 	-- @docker run -d \
 	--name ${KEYCLOAK_CONTAINER_NAME} \
 	-p ${KEYCLOAK_PORT}:8080 \
-	-e KEYCLOAK_HOSTNAME=localhost \
-	-e KEYCLOAK_HTTP_PORT=8080 \
-	-e KEYCLOAK_PORT=${KEYCLOAK_PORT} \
 	-e KEYCLOAK_USER=${KEYCLOAK_ADMIN_USER} \
 	-e KEYCLOAK_PASSWORD=${KEYCLOAK_ADMIN_PASS} \
 	${KEYCLOAK_IMAGE}

src/keycloak_keys.lua

@@ -2,17 +2,53 @@ local http = require "socket.http"
 local cjson_safe = require "cjson.safe"
 local convert = require "kong.plugins.jwt-keycloak.key_conversion"
 
-local function get_request(url)
+local function parse_url(url)
+    local chunk, protocol = url:match("^(([a-z0-9+]+)://)")
+    url = url:sub((chunk and #chunk or 0) + 1)
+
+    local auth
+    chunk, auth = url:match('(([%w%p]+:?[%w%p]+)@)')
+    url = url:sub((chunk and #chunk or 0) + 1)
+
+    local host
+    local hostname
+    local port
+    if protocol then
+        host = url:match("^([%a%.%d-]+:?%d*)")
+        if host then
+            hostname = host:match("^([^:/]+)")
+            port = host:match(":(%d+)$")
+        end
+        url = url:sub((host and #host or 0) + 1)
+    end
+
+    local parsed = {
+        protocol = protocol,
+        host = host,
+        hostname = hostname,
+        port = port,
+    }
+
+    return parsed
+end
+
+local function get_request(url, port)
     local res
     local status
+    local err
 
-    res, status = http.request(url)
+    local chunks = {}
+    res, status = http.request{
+        url = url,
+        port = port,
+        sink = ltn12.sink.table(chunks)
+    }
 
     if status ~= 200 then
         return nil, 'Failed calling url ' .. url
     end
 
-    res, err = cjson_safe.decode(res)
+    res, err = cjson_safe.decode(table.concat(chunks))
     if not res then
         return nil, 'Failed to parse json response'
     end
@@ -25,17 +61,20 @@ local function get_wellknown_endpoint(well_known_template, issuer)
 end
 
 local function get_issuer_keys(well_known_endpoint)
-    local res, err = get_request(well_known_endpoint)
+    -- Get port of the request: This is done because keycloak 3.X.X does not play well with lua socket.http
+    local req = parse_url(well_known_endpoint)
+
+    local res, err = get_request(well_known_endpoint, req.port)
     if err then
         return nil, err
     end
 
-    local res, err = get_request(res['jwks_uri'])
+    local res, err = get_request(res['jwks_uri'], req.port)
     if err then
         return nil, err
     end
 
-    keys = {}
+    local keys = {}
     for i, key in ipairs(res['keys']) do
         keys[i] = string.gsub(
             convert.convert_kc_key(key), 

tests/Makefile

@@ -2,7 +2,7 @@ UNIT_TEST_IMAGE:=jwt-keycloak-unit-test-image
 INTE_TEST_IMAGE:=jwt-keycloak-inte-test-image
 
 _build-unit-test-image:
-	@docker build -t ${UNIT_TEST_IMAGE} --build-arg PLUGIN_VERSION=${PLUGIN_VERSION} -f unit_tests/Dockerfile ..
+	@docker build -t ${UNIT_TEST_IMAGE} --build-arg PLUGIN_VERSION=${PLUGIN_VERSION} --build-arg KONG_VERSION=${KONG_VERSION} -f unit_tests/Dockerfile ..
 
 _tests-unit: _build-unit-test-image
 	@docker run -it --rm --net=host -v ${PWD}:/jwt-keycloak:ro ${UNIT_TEST_IMAGE}

tests/integration_tests/tests/TestRoles.py

@@ -11,14 +11,16 @@ class TestRoles(unittest.TestCase):
     def test_no_auth(self, status, body):
         self.assertEqual(OK, status)
 
-    @skip("New keycloak handles roles differently")
+    @skip("Need to update tests")
     @create_api({
         'allowed_iss': ['http://localhost:8080/auth/realms/master'],
         'roles': ['test_role']
     })
     @authenticate()
     @call_api()
     def test_roles_auth(self, status, body):
+        if not KC_VERSION.startswith('3'):
+            self.skipTest("Test not supported for " + KC_VERSION)
         self.assertEqual(OK, status)
 
     @create_api({
@@ -31,14 +33,16 @@ def test_roles_auth_rainy(self, status, body):
         self.assertEqual(FORBIDDEN, status)
         self.assertEqual('Access token does not have the required scope/role', body.get('message'))
 
-    @skip("New keycloak handles roles differently")
+    @skip("Need to update tests")
     @create_api({
         'allowed_iss': ['http://localhost:8080/auth/realms/master'],
         'roles': ['test_role', 'not_found']
     })
     @authenticate()
     @call_api()
     def test_roles_auth_double(self, status, body):
+        if not KC_VERSION.startswith('3'):
+            self.skipTest("Test not supported for " + KC_VERSION)
         self.assertEqual(OK, status)
 
     @create_api({
@@ -114,6 +118,8 @@ def test_client_roles_auth(self, status, body):
     @authenticate()
     @call_api()
     def test_client_scope(self, status, body):
+        if KC_VERSION.startswith('3'):
+            self.skipTest("Test not supported for " + KC_VERSION)
         self.assertEqual(OK, status)
 
     @create_api({
@@ -123,6 +129,8 @@ def test_client_scope(self, status, body):
     @authenticate()
     @call_api()
     def test_client_scope_double(self, status, body):
+        if KC_VERSION.startswith('3'):
+            self.skipTest("Test not supported for " + KC_VERSION)
         self.assertEqual(OK, status)
 
     @create_api({

tests/integration_tests/tests/config.py

@@ -22,3 +22,7 @@
 
 assert r.status_code == 200
 KC_ADMIN_TOKEN = r.json()['access_token']
+
+r = requests.get(KC_HOST + '/admin/serverinfo', headers={'Authorization': 'Bearer ' + KC_ADMIN_TOKEN})
+assert r.status_code == 200
+KC_VERSION = r.json()['systemInfo']['version']

tests/unit_tests/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu
+FROM ubuntu:18.04
 
 # Install openresty and luarocks
 RUN apt-get update -y && apt-get install -yqq wget software-properties-common
@@ -7,13 +7,15 @@ RUN add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release
 RUN apt-get update -y && apt-get install -yqq openresty luarocks
 
 # Install dependencies for rocks to be installed
-RUN apt-get install -yqq git libssl-dev m4 # for cqueues
+RUN apt-get install -yqq git libssl-dev m4 libyaml-dev
 RUN git config --global url.https://github.com/.insteadOf git://github.com/
 
 # Install kong and busted
-RUN luarocks install kong
 RUN luarocks install busted
 
+ARG KONG_VERSION
+RUN luarocks install kong ${KONG_VERSION}-0
+
 # Install plugin
 COPY ./*.rockspec /tmp
 COPY ./LICENSE /tmp/LICENSE