scripts/lua/policies/security/oauth2.lua - openwhisk-apigateway - Git at Google

 -- Copyright (c) 2016 IBM. All rights reserved.
 --
 --   Permission is hereby granted, free of charge, to any person obtaining a
 --   copy of this software and associated documentation files (the "Software"),
 --   to deal in the Software without restriction, including without limitation
 --   the rights to use, copy, modify, merge, publish, distribute, sublicense,
 --   and/or sell copies of the Software, and to permit persons to whom the
 --   Software is furnished to do so, subject to the following conditions:
 --
 --   The above copyright notice and this permission notice shall be included in
 --   all copies or substantial portions of the Software.
 --
 --   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 --   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 --   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 --   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 --   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 --   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 --   DEALINGS IN THE SOFTWARE.

 --- @module oauth
 -- A module to check with an oauth provider and reject an api call with a bad oauth token
 -- @author David Green (greend), Alex Song (songs)


 local utils = require "lib/utils"
 local request = require "lib/request"
 local redis = require "lib/redis"
 local cjson = require "cjson"

 local REDIS_HOST = os.getenv("REDIS_HOST")
 local REDIS_PORT = os.getenv("REDIS_PORT")
 local REDIS_PASS = os.getenv("REDIS_PASS")

 -- Process the security object
 -- @param securityObj security object from nginx conf file
 -- @return oauthId oauth identification
 local _M = {}

 function process(securityObj)
   local red = redis.init(REDIS_HOST, REDIS_PORT, REDIS_PASS, 1000)
   local result = processWithRedis(red, securityObj)
   redis.close(red)
   return result
 end

 function processWithRedis(red, securityObj)

   local accessToken = ngx.var['http_Authorization']
   if accessToken == nil then
     request.err(401, "No Authorization header provided")
   end
   local token = {}
   local key = utils.concatStrings({"oauth:providers:", securityObj.provider, ":tokens:", accessToken})
   -- If we haven't cached the token go to the oauth provider
   if not (red:exists(key) == 1) then
     token = exchange(accessToken, securityObj.provider)
   else
     token = cjson.decode(red:get(key))
   end

   if token == nil or not (token.error == nil) then
     request.err(401, "Token didn't work or provider doesn't support OpenID connect.")
     return false
   end
   red:set(key, cjson.encode(token))

   if not token.expires == nil then
     red:expire(key, token.expires)
   end
   return ''
 -- only check with the provider if we haven't cached the token.
 end

 --- Exchange tokens with an oauth provider. Loads a provider based on configuration in the nginx.conf
 -- @param token the accessToken passed in the authorization header of the routing request
 -- @param provider the name of the provider we will load from a file. Currently supported google/github/facebook
 -- @return the json object recieved from exchanging tokens with the provider
   function exchange(token, provider)
     -- exchange tokens with the provider
     local loaded, provider = pcall(require, utils.concatStrings({'oauth/', provider}))

     if not loaded then
       request.err(500, 'Error loading OAuth provider authentication module')
       return
     end

     local token = provider(token)
     -- cache the token
     return token
 end

 _M.process = process
 _M.processWithRedis = processWithRedis
 return _M
	-- Copyright (c) 2016 IBM. All rights reserved.
	--
	-- Permission is hereby granted, free of charge, to any person obtaining a
	-- copy of this software and associated documentation files (the "Software"),
	-- to deal in the Software without restriction, including without limitation
	-- the rights to use, copy, modify, merge, publish, distribute, sublicense,
	-- and/or sell copies of the Software, and to permit persons to whom the
	-- Software is furnished to do so, subject to the following conditions:
	--
	-- The above copyright notice and this permission notice shall be included in
	-- all copies or substantial portions of the Software.
	--
	-- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	-- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	-- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	-- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	-- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
	-- FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
	-- DEALINGS IN THE SOFTWARE.

	--- @module oauth
	-- A module to check with an oauth provider and reject an api call with a bad oauth token
	-- @author David Green (greend), Alex Song (songs)



	local utils = require "lib/utils"
	local request = require "lib/request"
	local redis = require "lib/redis"
	local cjson = require "cjson"

	local REDIS_HOST = os.getenv("REDIS_HOST")
	local REDIS_PORT = os.getenv("REDIS_PORT")
	local REDIS_PASS = os.getenv("REDIS_PASS")

	-- Process the security object
	-- @param securityObj security object from nginx conf file
	-- @return oauthId oauth identification
	local _M = {}

	function process(securityObj)
	local red = redis.init(REDIS_HOST, REDIS_PORT, REDIS_PASS, 1000)
	local result = processWithRedis(red, securityObj)
	redis.close(red)
	return result
	end

	function processWithRedis(red, securityObj)

	local accessToken = ngx.var['http_Authorization']
	if accessToken == nil then
	request.err(401, "No Authorization header provided")
	end
	local token = {}
	local key = utils.concatStrings({"oauth:providers:", securityObj.provider, ":tokens:", accessToken})
	-- If we haven't cached the token go to the oauth provider
	if not (red:exists(key) == 1) then
	token = exchange(accessToken, securityObj.provider)
	else
	token = cjson.decode(red:get(key))
	end

	if token == nil or not (token.error == nil) then
	request.err(401, "Token didn't work or provider doesn't support OpenID connect.")
	return false
	end
	red:set(key, cjson.encode(token))

	if not token.expires == nil then
	red:expire(key, token.expires)
	end
	return ''
	-- only check with the provider if we haven't cached the token.
	end

	--- Exchange tokens with an oauth provider. Loads a provider based on configuration in the nginx.conf
	-- @param token the accessToken passed in the authorization header of the routing request
	-- @param provider the name of the provider we will load from a file. Currently supported google/github/facebook
	-- @return the json object recieved from exchanging tokens with the provider
	function exchange(token, provider)
	-- exchange tokens with the provider
	local loaded, provider = pcall(require, utils.concatStrings({'oauth/', provider}))

	if not loaded then
	request.err(500, 'Error loading OAuth provider authentication module')
	return
	end

	local token = provider(token)
	-- cache the token
	return token
	end

	_M.process = process
	_M.processWithRedis = processWithRedis
	return _M