t/apicast-policy-token-introspection.t: e2e tests

eguzki · eguzki · commit 858dd7e27e63 · 2024-01-19T16:24:59.000+01:00
diff --git a/t/apicast-policy-token-introspection.t b/t/apicast-policy-token-introspection.t
@@ -30,7 +30,7 @@ Token introspection policy check access token.
       "proxy": {
         "policy_chain": [
           {
-            "name": "apicast.policy.token_introspection", 
+            "name": "apicast.policy.token_introspection",
             "configuration": {
               "auth_type": "client_id+client_secret",
               "client_id": "app",
@@ -80,7 +80,7 @@ Token introspection policy return "403 Unauthorized" if access token is already
       "proxy": {
         "policy_chain": [
           {
-            "name": "apicast.policy.token_introspection", 
+            "name": "apicast.policy.token_introspection",
             "configuration": {
               "auth_type": "client_id+client_secret",
               "client_id": "app",
@@ -133,7 +133,7 @@ Token introspection policy return "403 Unauthorized" if IdP response error statu
       "proxy": {
         "policy_chain": [
           {
-            "name": "apicast.policy.token_introspection", 
+            "name": "apicast.policy.token_introspection",
             "configuration": {
               "auth_type": "client_id+client_secret",
               "client_id": "app",
@@ -164,6 +164,7 @@ Authorization: Bearer testaccesstoken
 --- error_code: 403
 --- no_error_log
 [error]
+
 === TEST 4: Token introspection request is failed with bad response value
 Token introspection policy return "403 Unauthorized" if IdP response invalid contents type.
 --- backend
@@ -271,7 +272,7 @@ Authorization: Bearer testaccesstoken
 [error]
 
 === TEST 6: Token introspection request success with oidc issuer endpoint
-Token introspection policy retrieves client_id and client_secret and 
+Token introspection policy retrieves client_id and client_secret and
 introspection endpoint from the oidc_issuer_endpoint of the service configuration.
 --- backend
   location /token/introspection {
@@ -293,7 +294,10 @@ introspection endpoint from the oidc_issuer_endpoint of the service configuratio
   "oidc": [
     {
       "issuer": "https://example.com/auth/realms/apicast",
-      "config": { "id_token_signing_alg_values_supported": [ "RS256" ] },
+      "config": {
+        "id_token_signing_alg_values_supported": [ "RS256" ],
+        "introspection_endpoint": "http://test_backend:$TEST_NGINX_SERVER_PORT/token/introspection"
+      },
       "keys": { "somekid": { "pem": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALClz96cDQ965ENYMfZzG+Acu25lpx2K\nNpAALBQ+catCA59us7+uLY5rjQR6SOgZpCz5PJiKNAdRPDJMXSmXqM0CAwEAAQ==\n-----END PUBLIC KEY-----", "alg": "RS256" } }
     }
   ],
@@ -347,7 +351,7 @@ yay, api backend
 oauth failed with
 
 === TEST 7: Token introspection request fails with app_key
-Token introspection policy retrieves client_id and client_secret and 
+Token introspection policy retrieves client_id and client_secret and
 introspection endpoint from the oidc_issuer_endpoint of the service configuration.
 When authentication_method = 1, the request fails.
 --- backend
@@ -400,11 +404,104 @@ Authentication failed
 [error]
 oauth failed with
 
+=== TEST 8: Token introspection request success with oidc issuer endpoint loaded from the IDP
+Token introspection policy retrieves client_id and client_secret and
+introspection endpoint from the oidc_issuer_endpoint of the service configuration.
+--- env eval
+( 'APICAST_CONFIGURATION_LOADER' => 'lazy' )
+--- backend
+location = /issuer/endpoint/.well-known/openid-configuration {
+  content_by_lua_block {
+    local base = "http://" .. ngx.var.host .. ':' .. ngx.var.server_port
+    ngx.header.content_type = 'application/json;charset=utf-8'
+    ngx.say(require('cjson').encode {
+        issuer = 'https://example.com/auth/realms/apicast',
+        id_token_signing_alg_values_supported = { 'RS256' },
+        jwks_uri = base .. '/jwks',
+        introspection_endpoint = base .. '/token/introspection',
+    })
+  }
+}
 
+location = /jwks {
+  content_by_lua_block {
+    ngx.header.content_type = 'application/json;charset=utf-8'
+    ngx.say([[
+        { "keys": [
+            { "kty":"RSA","kid":"somekid",
+              "n":"sKXP3pwND3rkQ1gx9nMb4By7bmWnHYo2kAAsFD5xq0IDn26zv64tjmuNBHpI6BmkLPk8mIo0B1E8MkxdKZeozQ","e":"AQAB",
+              "alg":"RS256" }
+        ] }
+    ]])
+  }
+}
 
-=== TEST 8: Token introspection request success with oidc issuer endpoint loaded from the IDP
+location = /token/introspection {
+  content_by_lua_block {
+    local credential = ngx.decode_base64(require('ngx.re').split(ngx.req.get_headers()['Authorization'], ' ', 'oj')[2])
+    require('luassert').are.equal('app:appsec', credential)
+    ngx.say('{"active": true}')
+  }
+}
+
+location = /transactions/oauth_authrep.xml {
+  content_by_lua_block { ngx.exit(200) }
+}
+
+--- configuration
+{
+  "services": [
+    {
+      "backend_version": "oauth",
+      "proxy": {
+        "authentication_method": "oidc",
+        "oidc_issuer_endpoint": "http://app:appsec@test_backend:$TEST_NGINX_SERVER_PORT/issuer/endpoint",
+        "api_backend": "http://test:$TEST_NGINX_SERVER_PORT/",
+        "proxy_rules": [
+          { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 1 }
+        ],
+        "policy_chain": [
+          {
+            "name": "apicast.policy.token_introspection",
+            "configuration": {
+              "auth_type": "use_3scale_oidc_issuer_endpoint"
+            }
+          },
+          { "name": "apicast.policy.apicast" }
+        ]
+      }
+    }
+  ]
+}
+--- upstream
+  location /echo {
+    content_by_lua_block {
+      ngx.say('yay, api backend');
+    }
+  }
+--- request
+GET /echo
+--- more_headers eval
+use Crypt::JWT qw(encode_jwt);
+my $jwt = encode_jwt(payload => {
+  aud => 'the_token_audience',
+  sub => 'someone',
+  iss => 'https://example.com/auth/realms/apicast',
+  exp => time + 3600 }, key => \$::rsa, alg => 'RS256', extra_headers => { kid => 'somekid' });
+"Authorization: Bearer $jwt"
+--- error_code: 200
+--- response_body
+yay, api backend
+--- no_error_log
+[error]
+oauth failed with
+
+=== TEST 9: Token introspection request success with oidc issuer endpoint returning deprecated introspection attribute
 Token introspection policy retrieves client_id and client_secret and
 introspection endpoint from the oidc_issuer_endpoint of the service configuration.
+But the service configuration returns deprecated "token_introspection_endpoint" attribute
+instead of "introspection_endpoint" attribute. This is for backward compatibility.
+
 --- env eval
 ( 'APICAST_CONFIGURATION_LOADER' => 'lazy' )
 --- backend
@@ -416,6 +513,7 @@ location = /issuer/endpoint/.well-known/openid-configuration {
         issuer = 'https://example.com/auth/realms/apicast',
         id_token_signing_alg_values_supported = { 'RS256' },
         jwks_uri = base .. '/jwks',
+        token_introspection_endpoint = base .. '/token/introspection',
     })
   }
 }
@@ -492,3 +590,79 @@ yay, api backend
 --- no_error_log
 [error]
 oauth failed with
+
+=== TEST 10: Token introspection request success with oidc issuer endpoint
+Token introspection policy retrieves introspection endpoint from the oidc_issuer_endpoint
+of the service configuration. However, the introspection endpoint is not in the response
+--- env eval
+( 'APICAST_CONFIGURATION_LOADER' => 'lazy' )
+--- backend
+location = /issuer/endpoint/.well-known/openid-configuration {
+  content_by_lua_block {
+    local base = "http://" .. ngx.var.host .. ':' .. ngx.var.server_port
+    ngx.header.content_type = 'application/json;charset=utf-8'
+    ngx.say(require('cjson').encode {
+        issuer = 'https://example.com/auth/realms/apicast',
+        id_token_signing_alg_values_supported = { 'RS256' },
+        jwks_uri = base .. '/jwks',
+    })
+  }
+}
+
+location = /jwks {
+  content_by_lua_block {
+    ngx.header.content_type = 'application/json;charset=utf-8'
+    ngx.say([[
+        { "keys": [
+            { "kty":"RSA","kid":"somekid",
+              "n":"sKXP3pwND3rkQ1gx9nMb4By7bmWnHYo2kAAsFD5xq0IDn26zv64tjmuNBHpI6BmkLPk8mIo0B1E8MkxdKZeozQ","e":"AQAB",
+              "alg":"RS256" }
+        ] }
+    ]])
+  }
+}
+
+--- configuration
+{
+  "services": [
+    {
+      "backend_version": "oauth",
+      "proxy": {
+        "authentication_method": "oidc",
+        "oidc_issuer_endpoint": "http://app:appsec@test_backend:$TEST_NGINX_SERVER_PORT/issuer/endpoint",
+        "api_backend": "http://test:$TEST_NGINX_SERVER_PORT/",
+        "proxy_rules": [
+          { "pattern": "/", "http_method": "GET", "metric_system_name": "hits", "delta": 1 }
+        ],
+        "policy_chain": [
+          {
+            "name": "apicast.policy.token_introspection",
+            "configuration": {
+              "auth_type": "use_3scale_oidc_issuer_endpoint"
+            }
+          },
+          { "name": "apicast.policy.apicast" }
+        ]
+      }
+    }
+  ]
+}
+--- upstream
+  location /echo {
+    content_by_lua_block {
+      ngx.say('yay, api backend');
+    }
+  }
+--- request
+GET /echo
+--- more_headers eval
+use Crypt::JWT qw(encode_jwt);
+my $jwt = encode_jwt(payload => {
+  aud => 'the_token_audience',
+  sub => 'someone',
+  iss => 'https://example.com/auth/realms/apicast',
+  exp => time + 3600 }, key => \$::rsa, alg => 'RS256', extra_headers => { kid => 'somekid' });
+"Authorization: Bearer $jwt"
+--- error_code: 403
+--- no_error_log
+[error]
