[THREESCALE-2236] Add methods option on Keycloak policy. #1039

eloycoto · 2019-05-15T14:27:35Z

This commits add the methods option on the keycloack policy. That
allow users to define a new policy from any jwt claim, resource and
method.

To be backwards compatible 'ANY' method is in place, and if methods are
not defined this global method will be used and all will work as normal.

Example policy:

"policy_chain": [
  {
    "name": "apicast.policy.keycloak_role_check",
    "configuration": {
      "scopes": [
        {
          "realm_roles": [ { "name": "director" } ],
          "resource": "/confidential",
          "methods": ["POST"]
        }
      ],
      "type": "blacklist"
    }
  },
  { "name": "apicast.policy.apicast" }
]

Signed-off-by: Eloy Coto [email protected]

gateway/src/apicast/policy/keycloak_role_check/keycloak_role_check.lua

spec/policy/keycloak_role_check/keycloak_role_check_spec.lua

davidor · 2019-05-16T09:54:16Z

t/apicast-policy-keycloak-role-check.t

@@ -393,3 +393,160 @@ yay, api backend
 --- no_error_log
 [error]
 oauth failed with
+
+
+=== TEST6: Role check with allow methods


Can you add a space between TEST and 6 ? It's just because I don't know if that can cause some issue with the script that we have to automatically number tests correctly. https://github.com/3scale/APIcast/blob/master/script/reorder-tests

I've updated all the test.

davidor · 2019-05-17T14:35:29Z

Good job @eloycoto 👍

I think that extracting a Scope module might simplify some code and also the tests, but there's no need to do that now. We can evaluate that in the future if we need to add more functionality to this policy.

I think the PR could be merged after #1041

This commits add the `methods` option on the Keycloak policy. That allow users to define a new policy from any jwt claim, resource and method. To be backwards compatible 'ANY' method is in place, and if methods are not defined this global method will be used and all will work as normal. Example policy: ``` "policy_chain": [ { "name": "apicast.policy.keycloak_role_check", "configuration": { "scopes": [ { "realm_roles": [ { "name": "director" } ], "resource": "/confidential", "methods": ["POST"] } ], "type": "blacklist" } }, { "name": "apicast.policy.apicast" } ] ``` Signed-off-by: Eloy Coto <[email protected]>

This commits adds a ANY method to match any method in the mapping_rule so allow all and only block by the request uri. Signed-off-by: Eloy Coto <[email protected]>

Signed-off-by: Eloy Coto <[email protected]>

eloycoto · 2019-05-21T05:31:54Z

Code rebased with master branch, should be ready to merge.

eloycoto changed the title ~~[THREESCALE-2236] Add methods option on keycloack policy.~~ [THREESCALE-2236] Add methods option on keycloak policy. May 15, 2019

eloycoto force-pushed the THREESCALE-2236 branch 3 times, most recently from a175403 to ef24d2d Compare May 15, 2019 15:31

eloycoto changed the title ~~[THREESCALE-2236] Add methods option on keycloak policy.~~ [THREESCALE-2236] Add methods option on Keycloak policy. May 15, 2019

eloycoto marked this pull request as ready for review May 15, 2019 15:37

eloycoto requested a review from a team as a code owner May 15, 2019 15:37

eloycoto force-pushed the THREESCALE-2236 branch from ef24d2d to 444e5b1 Compare May 16, 2019 06:26