OIDC: Fix issues with subset of services. #1304

Merged
merged 1 commit into from
Aug 30, 2021

Commits on Aug 30, 2021

  1. OIDC: Fix issues with subset of services.

    By default, APICast stores all services in an array of Service objects, plus
    another array with the OIDC objects, something like this:
    
    ```
    {
      "services": [
        {
          "id": 1,
          "issuer": "http://foo.com",
          "auth_type": "oidc",
          ...
        },
        {
          "id": 2,
          "auth_type": "provider_key"
          ...
        },
        {
          "id": 3,
          "issuer": "http://bar.com",
          "auth_type": "oidc",
          ...
        }
      ],
      "oidc": [
        {
          "issuer": "http://foo.com",
          ...
        },
        false,
        {
          "issuer": "http://bar.com",
          ...
        }
      ]
    }
    ```
    
    The mapping in the APICast config is like this:
    
    ```
    service[0] using oidc[0]
    service[1] using oidc[1]
    service[2] using oidc[2]
    ```
    
    When we filter using `APICAST_SERVICE_LIST`, it filters based on the array, so
    it'll transform to this:
    
    ```
    export APICAST_SERVICE_LIST=3
    ```
    
    ```
    {
      "services": [
        {
          "id": 3,
          "issuer": "http://bar.com",
          "auth_type": "oidc",
          ...
        }
      ],
      "oidc": [
        false,
        {
          "issuer": "http://bar.com",
          ...
        }
      ]
    }
    ```
    
    So, OIDC will fail, because the first entry of the OIDC array is false, because
    false is added on filtering.
    
    This PR adds a new entry on the oidc object, service_id, so filtering can
    be done without issues. The config will be like this:
    
    ```
    {
      "services": [
        {
          "id": 1,
          "issuer": "http://foo.com",
          "auth_type": "oidc",
          ...
        },
        {
          "id": 2,
          "auth_type": "provider_key"
          ...
        },
        {
          "id": 3,
          "issuer": "http://bar.com",
          "auth_type": "oidc",
          ...
        }
      ],
      "oidc": [
        {
          "issuer": "http://foo.com",
          "service_id": 1,
          ...
        },
        {
          "service_id": 2,
        },
        {
          "issuer": "http://bar.com",
          "service_id": 3,
          ...
        }
      ]
    }
    ```
    
    On non-oidc services, the oidc entry will not be hit at all. On an invalid
    fetch, it will not fail, because the issuer is not in there, so it will not
    work as expected.
    
    OIDC config links:
    
    Service OIDC setup:
    https://github.com/3scale/APIcast/blob/c184ff3e904f3d75857032a3da0004f8d74eba00/gateway/src/apicast/configuration/service.lua#L221-L231
    
    OIDC error on invalid oidc setup:
    https://github.com/3scale/APIcast/blob/c184ff3e904f3d75857032a3da0004f8d74eba00/gateway/src/apicast/oauth/oidc.lua#L55
    
    Warning message:
    
    https://github.com/3scale/APIcast/blob/c184ff3e904f3d75857032a3da0004f8d74eba00/gateway/src/apicast/proxy.lua#L199-L205
    
    Filtering part:
    https://github.com/3scale/APIcast/blob/c184ff3e904f3d75857032a3da0004f8d74eba00/gateway/src/apicast/configuration.lua#L173-L297
    
    Fix: THREESCALE-6042
    Reported-by: Kevin Price <kevprice@redhat.com>
    Reported-by: Samuele Illuminati <sillumin@redhat.com>
    Signed-off-by: Eloy Coto <eloy.coto@acalustra.com>
    eloycoto committed Aug 30, 2021
    Commit 0a6e5f5
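
The index mismatch described in the commit message, as an added example in Lua (APIcast's language); it is not APIcast code, and `by_position`, `by_service_id` and `check` are hypothetical names. Lua arrays are 1-based, so `service[0]` in the message is index 1 here, and the issuer comparison in `check` is an assumption about what a safe pairing should guarantee.

```lua
-- Added example, not APIcast code; all function names are hypothetical.
-- Constructed input: the config filtered with APICAST_SERVICE_LIST=3.
local old_layout = {
  services = { { id = 3, issuer = "http://bar.com", auth_type = "oidc" } },
  oidc = { false, { issuer = "http://bar.com" } },
}
-- Assumption: with service_id present, the order and length of "oidc" no longer matter.
local new_layout = {
  services = { { id = 3, issuer = "http://bar.com", auth_type = "oidc" } },
  oidc = {
    { issuer = "http://foo.com", service_id = 1 },
    { service_id = 2 },
    { issuer = "http://bar.com", service_id = 3 },
  },
}

-- Positional pairing from the commit message: the Nth service uses the Nth oidc entry.
local function by_position(config, _, index)
  return config.oidc[index]
end

-- Keyed pairing: find the entry whose service_id matches the service.
local function by_service_id(config, service)
  for _, entry in ipairs(config.oidc) do
    if type(entry) == "table" and entry.service_id == service.id then
      return entry
    end
  end
  return nil
end

-- Startup check (assumption): every OIDC service must resolve to an entry
-- carrying the same issuer; anything else is reported instead of used.
local function check(config, resolve)
  local problems = {}
  for index, service in ipairs(config.services) do
    if service.auth_type == "oidc" then
      local entry = resolve(config, service, index)
      if type(entry) ~= "table" or entry.issuer ~= service.issuer then
        problems[#problems + 1] = ("service %d: no OIDC entry for issuer %s")
          :format(service.id, service.issuer)
      end
    end
  end
  return problems
end

print("positional lookup, old layout:", table.concat(check(old_layout, by_position), "; "))
print("service_id lookup, new layout:", #check(new_layout, by_service_id), "problem(s)")
```

Running a check of this kind at configuration load surfaces a service paired with `false` or with another issuer's entry before any token is validated against it.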