KNELProductionContainers/CloudronPackages/APISIX/apisix-source/t/lib/keycloak.lua

--
-- Licensed to the Apache Software Foundation (ASF) under one or more
-- contributor license agreements.  See the NOTICE file distributed with
-- this work for additional information regarding copyright ownership.
-- The ASF licenses this file to You under the Apache License, Version 2.0
-- (the "License"); you may not use this file except in compliance with
-- the License.  You may obtain a copy of the License at
--
--     http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
--
local http = require "resty.http"

local _M = {}


-- Request APISIX and redirect to keycloak,
-- Login keycloak and return the res of APISIX
function _M.login_keycloak(uri, username, password)
    local httpc = http.new()

    local res, err = httpc:request_uri(uri, {method = "GET"})
    if not res then
        return nil, err
    elseif res.status ~= 302 then
        -- Not a redirect which we expect.
        -- Use 500 to indicate error.
        return nil, "Initial request was not redirected to ID provider authorization endpoint."
    else
        -- Extract cookies. Important since OIDC module tracks state with a session cookie.
        local cookies = res.headers['Set-Cookie']

        -- Concatenate cookies into one string as expected when sent in request header.
        local cookie_str = _M.concatenate_cookies(cookies)

        -- Call authorization endpoint we were redirected to.
        -- Note: This typically returns a login form which is the case here for Keycloak as well.
        -- However, how we process the form to perform the login is specific to Keycloak and
        -- possibly even the version used.
        res, err = httpc:request_uri(res.headers['Location'], {method = "GET"})
        if not res then
            -- No response, must be an error.
            return nil, err
        elseif res.status ~= 200 then
            -- Unexpected response.
            return nil, res.body
        end

        -- Check if response code was ok.
        if res.status ~= 200 then
            return nil, "unexpected status " .. res.status
        end

        -- From the returned form, extract the submit URI and parameters.
        local uri, params = res.body:match('.*action="(.*)%?(.*)" method="post">')

        -- Substitute escaped ampersand in parameters.
        params = params:gsub("&", "&")

        -- Get all cookies returned. Probably not so important since not part of OIDC specification.
        local auth_cookies = res.headers['Set-Cookie']

        -- Concatenate cookies into one string as expected when sent in request header.
        local auth_cookie_str = _M.concatenate_cookies(auth_cookies)

        -- Invoke the submit URI with parameters and cookies, adding username
        -- and password in the body.
        -- Note: Username and password are specific to the Keycloak Docker image used.
        res, err = httpc:request_uri(uri .. "?" .. params, {
                method = "POST",
                body = "username=" .. username .. "&password=" .. password,
                headers = {
                    ["Content-Type"] = "application/x-www-form-urlencoded",
                    ["Cookie"] = auth_cookie_str
                }
            })
        if not res then
            -- No response, must be an error.
            return nil, err
        elseif res.status ~= 302 then
            -- Not a redirect which we expect.
            return nil, "Login form submission did not return redirect to redirect URI."
        end

        -- Extract the redirect URI from the response header.
        -- TODO: Consider validating this against the plugin configuration.
        local redirect_uri = res.headers['Location']

        -- Invoke the redirect URI (which contains the authorization code as an URL parameter).
        res, err = httpc:request_uri(redirect_uri, {
                method = "GET",
                headers = {
                    ["Cookie"] = cookie_str
                }
            })

        if not res then
            -- No response, must be an error.
            return nil, err
        elseif res.status ~= 302 then
            -- Not a redirect which we expect.
            return nil, "Invoking redirect URI with authorization code" ..
                "did not return redirect to original URI."
        end

        return res, nil
    end
end


-- Concatenate cookies into one string as expected when sent in request header.
function _M.concatenate_cookies(cookies)
    local cookie_str = ""
    if type(cookies) == 'string' then
        cookie_str = cookies:match('([^;]*); .*')
    else
        -- Must be a table.
        local len = #cookies
        if len > 0 then
            cookie_str = cookies[1]:match('([^;]*); .*')
            for i = 2, len do
                cookie_str = cookie_str .. "; " .. cookies[i]:match('([^;]*); .*')
            end
        end
    end

    return cookie_str, nil
end


return _M