Add tests and CI

.busted

@@ -0,0 +1,7 @@
+return {
+  default = {
+    verbose = true,
+    coverage = false,
+    output = "gtest",
+  },
+}

.editorconfig

@@ -0,0 +1,22 @@
+root                     = true
+
+[*]
+end_of_line              = lf
+insert_final_newline     = true
+trim_trailing_whitespace = true
+charset                  = utf-8
+
+[*.lua]
+indent_style             = space
+indent_size              = 2
+
+[kong/templates/nginx*]
+indent_style             = space
+indent_size              = 4
+
+[*.template]
+indent_style             = space
+indent_size              = 4
+
+[Makefile]
+indent_style             = tab

.gitignore

@@ -0,0 +1,7 @@
+# servroot typically is the Kong working directory for tests
+servroot
+# exclude generated packed rocks
+*.rock
+
+#exclude test certs
+*.pem

.luacheckrc

@@ -0,0 +1,27 @@
+std             = "ngx_lua"
+unused_args     = false
+redefined       = false
+max_line_length = false
+
+
+globals = {
+    "_KONG",
+    "kong",
+    "ngx.IS_CLI",
+}
+
+
+not_globals = {
+    "string.len",
+    "table.getn",
+}
+
+
+ignore = {
+    "6.", -- ignore whitespace warnings
+}
+
+
+files["spec/**/*.lua"] = {
+    std = "ngx_lua+busted",
+}

.pongo/pongo-setup.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+NAME=testcert;
+
+if [ ! -f /kong-plugin/$NAME.pem ] && [ ! -f /kong-plugin/$NAME-private.pem ]; then
+  echo "Generating test certificates..."
+  openssl genrsa -out $NAME-private.pem 2048
+  openssl rsa -in $NAME-private.pem -outform PEM -pubout -out $NAME.pem
+fi
+
+# install rockspec, dependencies only
+find /kong-plugin -maxdepth 1 -type f -name '*.rockspec' -exec luarocks install --only-deps {} \;

.pongo/pongorc

@@ -0,0 +1,2 @@
+--postgres
+--cassandra

.travis.yml

@@ -0,0 +1,33 @@
+dist: bionic
+
+jobs:
+  include:
+  - name: Kong CE 1.4.x
+    env: KONG_VERSION=1.4.x
+  - name: Kong CE 1.5.x
+    env: KONG_VERSION=1.5.x
+  - name: Kong CE 2.0.x
+    env: KONG_VERSION=2.0.x
+  - name: Kong CE 2.1.x
+    env: KONG_VERSION=2.1.x
+  - name: Kong CE 2.2.x
+    env: KONG_VERSION=2.2.x
+  #- name: Nightly CE-master
+  #  env: KONG_VERSION=nightly POSTGRES=latest CASSANDRA=latest
+
+install:
+- git clone --single-branch https://github.com/Kong/kong-pongo ../kong-pongo
+- "../kong-pongo/pongo.sh up"
+- "../kong-pongo/pongo.sh build"
+
+script:
+- "../kong-pongo/pongo.sh lint"
+- "../kong-pongo/pongo.sh run"
+
+# notifications:
+#   slack:
+#     if: branch = master AND type != pull_request
+#     on_success: change
+#     on_failure: always
+#     rooms:
+#       secure: HdpUy77gMJEapyYOnKBqYeWFALG771KnLzUzbM5Et8br7RNrUTvA4fZ+paoLnIWU+0Sb+8A8/tRxBvPpxnVJFYZReQT4oBhX+wVTYbVr4i+UKfIDrU4DJ2nj3lHTa5t/dX7WZttBwFB8fuVugceWVF95DZCC9ll38d646+27wYydamu2hgCBs+PI4+J6msmFMC0T2vMr3A+B9reyiWQ+KG+E5U7mcmgMZ/xh10pBinPA7nXe0N4z50hR/ooHukFzMHDCyfVIKox9z9WQzS3SUI+Wxj6dts+dDVmVfTlM4XUM9e2MMDkBZgvQIedrjaR5pgdTl2xTWrMuMeeKbuimGa7FGD5rirgBg5gkP9LG1aSzJLP0lp4ldogTX+9VVaDE5N+ACKcR/10U3CskJYuOXx4cp0ub+TDIfe34NxgBe9PmTmJbTtRBgZ0sNVfZqfCmDYeCMTTyA+zug+XkPI+lQ56QqgFg4Hxohr+EsCQcQzA2YI9QUw0fIZPKyWQ91neE/ytF4xvNM8YI0yuLLgRYbbcvu6Tn4q0rwJkIdjh9eExD9ddsgTmENVN0KEYMj/Rk3WUJi6k7MDcSmxaBLC9REObgddyGM4hgXtbLGBAnJaDBHTaDBetTmrae2PAiZs478P4l5X1TzlZZMYVLlpVukpDJPzH6NBXZgiYjkyFipVc=

kong-upstream-jwt-1.2-1.rockspec

@@ -16,8 +16,7 @@ dependencies = {}
 build = {
    type = "builtin",
    modules = {
-      ["kong.plugins.kong-upstream-jwt.access"] = "src/access.lua",
-      ["kong.plugins.kong-upstream-jwt.handler"]  = "src/handler.lua",
-      ["kong.plugins.kong-upstream-jwt.schema"]= "src/schema.lua"
+      ["kong.plugins.kong-upstream-jwt.handler"] = "kong/plugins/upstream-jwt/handler.lua",
+      ["kong.plugins.kong-upstream-jwt.schema"] = "kong/plugins/upstream-jwt/schema.lua"
    }
 }

src/access.lua → kong/plugins/upstream-jwt/handler.lua

@@ -11,7 +11,12 @@ local encode_base64 = ngx.encode_base64
 local env_private_key_location = os.getenv("KONG_SSL_CERT_KEY")
 local env_public_key_location = os.getenv("KONG_SSL_CERT_DER")
 local utils = require "kong.tools.utils"
-local _M = {}
+
+
+local KongUpstreamJWTHandler = {
+  PRIORITY = 999, -- This plugin needs to run after auth plugins so it has access to `ngx.ctx.authenticated_consumer`
+  VERSION = "1.2",
+}
 
 --- Get the private key location either from the environment or from configuration
 -- @param conf the kong configuration
@@ -20,7 +25,7 @@ local function get_private_key_location(conf)
   if env_private_key_location then
     return env_private_key_location
   end
-  return conf.private_key_location
+  return conf.private_key_location, "private key location not provided"
 end
 
 --- Get the public key location either from the environment or from configuration
@@ -30,7 +35,7 @@ local function get_public_key_location(conf)
   if env_public_key_location then
     return env_public_key_location
   end
-  return conf.public_key_location
+  return conf.public_key_location, "public key location not provided"
 end
 
 --- base 64 encoding
@@ -80,7 +85,7 @@ local function encode_jwt_token(conf, payload, key)
     typ = "JWT",
     alg = "RS256",
     x5c = {
-      b64_encode(get_kong_key("pubder", get_public_key_location(conf)))
+      b64_encode(get_kong_key("pubder", assert(get_public_key_location(conf))))
     }
   }
   if conf.key_id then
@@ -156,15 +161,15 @@ end
 local function add_jwt_header(conf)
   local payload_hash = build_payload_hash()
   local payload = build_jwt_payload(conf, payload_hash)
-  local kong_private_key = get_kong_key("pkey", get_private_key_location(conf))
+  local kong_private_key = get_kong_key("pkey", assert(get_private_key_location(conf)))
   local jwt = encode_jwt_token(conf, payload, kong_private_key)
   ngx.req.set_header(conf.header, build_header_value(conf, jwt))
 end
 
 --- Execute the script
 -- @param conf kong configuration
-function _M.execute(conf)
+function KongUpstreamJWTHandler:access(conf)
   add_jwt_header(conf)
 end
 
-return _M
+return KongUpstreamJWTHandler

spec/upstream-jwt/02-access_spec.lua

@@ -0,0 +1,98 @@
+local helpers = require "spec.helpers"
+
+
+for _, strategy in helpers.each_strategy() do
+  describe("upstream-jwt: (access) [#" .. strategy .. "]", function()
+    local client, consumer
+
+    lazy_setup(function()
+
+      local bp = helpers.get_db_utils(strategy, nil, { "upstream-jwt" })
+
+      -- Inject a loopback service. Test requests are looped back and will hit
+      -- this route, which will then validate the JWT
+      local route_JWT = bp.routes:insert({
+        hosts = { "localhost" },
+      })
+      bp.plugins:insert {
+        name = "jwt",
+        route = { id = route_JWT.id },
+        config = {
+          header_names = { "My-Authorization" },
+          key_claim_name = "iss", -- the claim whose value to use to look up the consumer secret
+        },
+      }
+      consumer = bp.consumers:insert {
+        username = "tieske",
+        custom_id = "also_tieske",
+      }
+      bp.jwt_secrets:insert {
+        consumer       = { id = consumer.id },
+        algorithm      = "RS256",
+        key            = "source-kong",
+        rsa_public_key = assert(helpers.utils.readfile("/kong-plugin/testcert.pem"))
+      }
+
+      -- Service that loops back to the JWT route/plugin above
+      local service_loopback = bp.services:insert({
+        host = "localhost",
+        port = helpers.get_proxy_port(),
+        protocol = "http",
+      })
+      local route1 = bp.routes:insert({
+        service = { id = service_loopback.id },
+        hosts = { "test1.com" },
+      })
+      bp.plugins:insert {
+        name = "upstream-jwt",
+        route = { id = route1.id },
+        config = {
+          issuer = "source-kong",
+          private_key_location = "/kong-plugin/testcert-private.pem",
+          public_key_location = "/kong-plugin/testcert.pem",
+          key_id = nil,  -- kid header value in JWT
+          header = "My-Authorization",
+          include_credential_type = true,  -- include "Bearer " in header
+        },
+      }
+
+      -- start kong
+      assert(helpers.start_kong({
+        -- set the strategy
+        database   = strategy,
+        -- use the custom test template to create a local mock server
+        nginx_conf = "spec/fixtures/custom_nginx.template",
+        -- make sure our plugin gets loaded
+        plugins = "bundled,upstream-jwt",
+      }))
+    end)
+
+    lazy_teardown(function()
+      helpers.stop_kong(nil, true)
+    end)
+
+    before_each(function()
+      client = helpers.proxy_client()
+    end)
+
+    after_each(function()
+      if client then client:close() end
+    end)
+
+
+
+    it("a valid JWT passes", function()
+      local r = client:get("/request", {
+        headers = {
+          host = "test1.com"
+        }
+      })
+      assert.response(r).has.status(200)
+      assert.equal('also_tieske', assert.request(r).has.header("x-consumer-custom-id"))
+      assert.equal(consumer.id,   assert.request(r).has.header("x-consumer-id"))
+      assert.equal('tieske',      assert.request(r).has.header("x-consumer-username"))
+      assert.equal('source-kong', assert.request(r).has.header("x-credential-identifier"))
+    end)
+
+  end)
+end