Showing with 776 additions and 262 deletions.
  1. +6 −4 .circleci/config.yml
  2. +32 −16 CHANGELOG.md
  3. +4 −1 Makefile
  4. +1 −1 docker-compose-devel.yml
  5. +2 −1 gateway/Roverfile.lock
  6. +12 −3 gateway/http.d/apicast.conf.liquid
  7. +1 −1 gateway/src/apicast/configuration_loader/remote_v2.lua
  8. +5 −4 gateway/src/apicast/http_proxy.lua
  9. +9 −4 gateway/src/apicast/oauth/oidc.lua
  10. +20 −0 gateway/src/apicast/policy/clear_context/clear_context.lua
  11. +1 −0 gateway/src/apicast/policy/clear_context/init.lua
  12. +0 −1 gateway/src/apicast/policy/tls/tls.lua
  13. +2 −1 gateway/src/apicast/policy_chain.lua
  14. +1 −1 gateway/src/apicast/version.lua
  15. +10 −7 gateway/src/resty/http/proxy.lua
  16. +1 −1 spec/configuration_loader/remote_v2_spec.lua
  17. +43 −4 spec/oauth/oidc_spec.lua
  18. +26 −0 spec/policy/clear_context/clear_context_spec.lua
  19. +1 −1 spec/policy/oidc_authentication/oidc_authentication_spec.lua
  20. +2 −2 spec/policy/rate_limit/rate_limit_spec.lua
  21. +2 −0 spec/policy/tls/tls_spec.lua
  22. +2 −44 spec/resty/http/proxy_spec.lua
  23. +2 −2 spec/resty/http_ng/backend/async_resty_spec.lua
  24. +1 −1 spec/resty/http_ng/backend/resty_spec.lua
  25. +57 −5 t/apicast-oidc.t
  26. +111 −1 t/apicast-path-routing.t
  27. +1 −1 t/apicast-policy-3scale-batcher-blackbox.t
  28. +1 −1 t/apicast-policy-3scale-batcher.t
  29. +10 −11 t/apicast-policy-camel.t
  30. +1 −1 t/apicast-policy-headers.t
  31. +15 −12 t/apicast-policy-http-proxy.t
  32. +7 −7 t/apicast-policy-jwt-claim-check.t
  33. +7 −7 t/apicast-policy-keycloak-role-check.t
  34. +99 −1 t/apicast-policy-logging.t
  35. +8 −8 t/apicast-policy-oauth-mtls.t
  36. +2 −1 t/apicast-policy-oidc_authentication.t
  37. +2 −2 t/apicast-policy-payload_limits.t
  38. +1 −1 t/apicast-policy-rate-limit.t
  39. +118 −4 t/apicast-policy-routing.t
  40. +5 −5 t/apicast-policy-tls_validation.t
  41. +3 −2 t/apicast-policy-token-introspection.t
  42. +2 −2 t/apicast-subset-of-services.t
  43. +1 −1 t/configuration-loading-when-needed.t
  44. +139 −89 t/http-proxy.t
10 changes: 6 additions & 4 deletions .circleci/config.yml
@@ -146,7 +146,8 @@ jobs:
- run: make test-runtime-image gateway-logs --keep-going
- login-docker:
command: |
IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH}}"
CIRCLE_BRANCH_LOWER=`echo $CIRCLE_BRANCH | tr '[:upper:]' '[:lower:]'`
IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH_LOWER}}"
if [ "${IMAGE_TAG}" == "master" ]
then
IMAGE_TAG="latest"
@@ -179,7 +180,8 @@ jobs:
- login-docker:
command: |
IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH}}-builder"
CIRCLE_BRANCH_LOWER=`echo $CIRCLE_BRANCH | tr '[:upper:]' '[:lower:]'`
IMAGE_TAG="${CIRCLE_TAG:-${CIRCLE_BRANCH_LOWER}}-builder"
if [ "${IMAGE_TAG}" == "master-builder" ]
then
IMAGE_TAG="latest-builder"
@@ -259,7 +261,7 @@ jobs:

prove:
executor: openresty

resource_class: medium+
parallelism: 3
steps:
- attach-workspace
@@ -281,7 +283,7 @@ jobs:
machine: true
steps:
- checkout
- run: IMAGE_TAG=${CIRCLE_TAG:-${CIRCLE_BRANCH}} make benchmark
- run: IMAGE_TAG=`echo $CIRCLE_BRANCH | tr '[:upper:]' '[:lower:]'` make benchmark
- run: IMAGE_TAG=master make benchmark
- store_artifacts:
path: tmp/benchmark
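Review bot: The benchmark line drops the `${CIRCLE_TAG:-…}` fallback that the replaced line had, so if this job ever runs on a tag-triggered build where CIRCLE_BRANCH is empty, IMAGE_TAG becomes the empty string and `make benchmark` runs against an unintended image; the two login-docker hunks above keep the tag fallback, so this one looks inconsistent rather than deliberate. The unquoted `$CIRCLE_BRANCH` inside the backticks also word-splits on unusual branch names. A form that keeps both behaviours is `- run: IMAGE_TAG=${CIRCLE_TAG:-$(echo "$CIRCLE_BRANCH" | tr '[:upper:]' '[:lower:]')} make benchmark`.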
48 changes: 32 additions & 16 deletions CHANGELOG.md
@@ -1,11 +1,13 @@
# Change Log

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).


## [3.11.0] 2021-09-03
## [Unreleased]

### Fixed

@@ -31,6 +33,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
- Fixed issues with OIDC filters [PR #1304](https://github.com/3scale/APIcast/pull/1304) [PR #1306](https://github.com/3scale/APIcast/pull/1306) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
- Fixed issues with OIDC filters [PR #1304](https://github.com/3scale/APIcast/pull/1304) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
- Fixed issues with Upstream MTLS certs [PR #1307](https://github.com/3scale/APIcast/pull/1307) [THREESCALE-7508](https://issues.redhat.com/browse/THREESCALE-7508)
- Fixed warning messages [PR #1318](https://github.com/3scale/APIcast/pull/1318) [THREESCALE-7906](https://issues.redhat.com/browse/THREESCALE-7906)
- Fixed dirty context [PR #1328](https://github.com/3scale/APIcast/pull/1328) [THREESCALE-8000](https://issues.redhat.com/browse/THREESCALE-8000) [THREESCALE-8007](https://issues.redhat.com/browse/THREESCALE-8007)
- Fixed jwk alg confusion [PR #1329](https://github.com/3scale/APIcast/pull/1329) [THREESCALE-8249](https://issues.redhat.com/browse/THREESCALE-8249)
- Fixed issue with resolving target server hostnames to IP when using CONNECT method [PR #1323](https://github.com/3scale/APIcast/pull/1323) [THREESCALE-7967](https://issues.redhat.com/browse/THREESCALE-7967)
- Fixed issue with resolving target server hostnames to IPs when forwarding requests through http/s proxy [PR #1323](https://github.com/3scale/APIcast/pull/1323) [THREESCALE-7967](https://issues.redhat.com/browse/THREESCALE-7967)
- Fixed dirty context [PR #1328](https://github.com/3scale/APIcast/pull/1328) [THREESCALE-8000](https://issues.redhat.com/browse/THREESCALE-8000) [THREESCALE-8007](https://issues.redhat.com/browse/THREESCALE-8007) [THREESCALE-8252](https://issues.redhat.com/browse/THREESCALE-8252)
- Fixed dirty context (part 2 of PR #1328) when tls termination policy is in the policy chain [PR #1333](https://github.com/3scale/APIcast/pull/1333)

### Added

@@ -51,7 +60,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
- Added on_failed policy [PR#1286](https://github.com/3scale/APIcast/pull/1286) [THREESCALE-6705](https://issues.redhat.com/browse/THREESCALE-6705)
- Master branch containers builds are now latest tag on quay.io [PR#1289](https://github.com/3scale/APIcast/pull/1289) [THREESCALE-7251](https://issues.redhat.com/browse/THREESCALE-7251)


## [3.10.0] 2021-01-04

Beta1 is stable and moved to final release.
@@ -71,6 +79,7 @@ Beta1 is stable and moved to final release.
## [3.10.0-alpha1] 2020-10-13

### Added

- Support Proxy Protocol [PR #1211](https://github.com/3scale/APIcast/pull/1211) [THREESCALE-5366](https://issues.redhat.com/browse/THREESCALE-5366)
- Enable support to log credentials on logging policy [PR #1217](https://github.com/3scale/APIcast/pull/1217) [THREESCALE-5273](https://issues.redhat.com/browse/THREESCALE-5273)
- Add a way to support more than 1000 services in a single instance [PR #1222](https://github.com/3scale/APIcast/pull/1222) [THREESCALE-5308](https://issues.redhat.com/browse/THREESCALE-5308)
@@ -79,21 +88,21 @@ Beta1 is stable and moved to final release.
- Add response/request content size limits [PR #1227](https://github.com/3scale/APIcast/pull/1227) [THREESCALE-5244](https://issues.redhat.com/browse/THREESCALE-5244)
- Add HTTP codes policy [PR #1236](https://github.com/3scale/APIcast/pull/1236) [THREESCALE-6255](https://issues.redhat.com/browse/THREESCALE-6255)



### Fixed

- Fixed issues with allow caching mode and 3scale batcher [PR #1216](https://github.com/3scale/APIcast/pull/1216) [THREESCALE-5753](https://issues.redhat.com/browse/THREESCALE-5753)
- Fixed issues when Auth Caching is disabled [PR #1225](https://github.com/3scale/APIcast/pull/1225) [THREESCALE-4464](https://issues.redhat.com/browse/THREESCALE-4464)
- Fixed issues with service filter and OIDC [PR #1229](https://github.com/3scale/APIcast/pull/1229) [THREESCALE-6042](https://issues.redhat.com/browse/THREESCALE-6042)
- Increased size of dictionaries used by the Batching policy to 20 MB. Users
with many services might have experienced issues with this policy because the
size of those dictionaries was not enough to store everything the policy needs
to function correctly. [PR #1231](https://github.com/3scale/APIcast/pull/1231)
with many services might have experienced issues with this policy because the
size of those dictionaries was not enough to store everything the policy needs
to function correctly. [PR #1231](https://github.com/3scale/APIcast/pull/1231)
- Fixed issue with Camel service over HTTPs when Routing Policy [PR #1230](https://github.com/3scale/APIcast/pull/1230) [THREESCALE-5891](https://issues.redhat.com/browse/THREESCALE-5891)
- Fixed doc issue on SERVICES_FILTER parameter [PR #1233](https://github.com/3scale/APIcast/pull/1233) [THREESCALE-5421](https://issues.redhat.com/browse/THREESCALE-5421)
- Non-alphanumeric metric name in 3scale-batcher policy [PR #1234](https://github.com/3scale/APIcast/pull/1234) [THREESCALE-4913](https://issues.redhat.com/browse/THREESCALE-4913)

## [3.9.1] 2020-10-13

- Fixed issues when using fully qualified DNS query [PR #1235](https://github.com/3scale/APIcast/pull/1235) [THREESCALE-4752](https://issues.redhat.com/browse/THREESCALE-4752)
- Fixed issues with OIDC validation [PR #1239](https://github.com/3scale/APIcast/pull/1239) [THREESCALE-6313](https://issues.redhat.com/browse/THREESCALE-6313)
- Fixed issues with Liquid body size [PR #1240](https://github.com/3scale/APIcast/pull/1240) [THREESCALE-6315](https://issues.redhat.com/browse/THREESCALE-6315)
@@ -122,7 +131,6 @@ No issues found on beta1,so becames final release.
- Fixed issues with path routing and query args [THREESCALE-5149](https://issues.redhat.com/browse/THREESCALE-5149) [PR #1190](https://github.com/3scale/APIcast/pull/1190)
- Fixed issue with IPCheck policy when forwarder-for value contains port [THREESCALE-5258](https://issues.redhat.com/browse/THREESCALE-5258) [PR #1192](https://github.com/3scale/APIcast/pull/1192)


### Added

- Added upstream Mutual TLS policy [THREESCALE-672](https://issues.jboss.org/browse/THREESCALE-672) [PR #1182](https://github.com/3scale/APIcast/pull/1182)
@@ -135,23 +143,23 @@ No issues found on beta1,so becames final release.
- New content_caching Prometheus metric [THREESCALE-5439](https://issues.jboss.org/browse/THREESCALE-5439) [PR #1203](https://github.com/3scale/APIcast/pull/1203)
- Added Camel policy [PR #1193](https://github.com/3scale/APIcast/pull/1193) [THREESCALE-4867](https://issues.jboss.org/browse/THREESCALE-4867)


## [3.8.0] - 2020-03-24

`3.8.0-cr1` was considered final and became `3.8.0`.

## [3.8.0-cr1] - 2020-03-07

### Fixed

- Fixed naming issues in policies [THREESCALE-4150](https://issues.jboss.org/browse/THREESCALE-4150) [PR #1167](https://github.com/3scale/APIcast/pull/1167)
- Fixed issues on invalid config in logging policy [THREESCALE-4605](https://issues.jboss.org/browse/THREESCALE-4605) [PR #1168](https://github.com/3scale/APIcast/pull/1168)
- Fixed issues with routing policy and GRPC one [THREESCALE-4684](https://issues.jboss.org/browse/THREESCALE-4684) [PR #1177](https://github.com/3scale/APIcast/pull/1177) [PR #1179](https://github.com/3scale/APIcast/pull/1179)

## [3.8.0-alpha2] - 2020-02-18

### Fixed
- Check status is bigger than zero on caching policy [THREESCALE-4471](https://issues.jboss.org/browse/THREESCALE-4471) [PR #1163](https://github.com/3scale/APIcast/pull/1163)

- Check status is bigger than zero on caching policy [THREESCALE-4471](https://issues.jboss.org/browse/THREESCALE-4471) [PR #1163](https://github.com/3scale/APIcast/pull/1163)

## [3.8.0-alpha1] - 2020-01-31

@@ -164,7 +172,6 @@ No issues found on beta1,so becames final release.
- Added Request_id on ngx.log function. [THREESCALE-3644](https://issues.jboss.org/browse/THREESCALE-3644) [PR #1156](https://github.com/3scale/APIcast/pull/1156)
- Logging policy add the option to log JWT claims [THREESCALE-4326](https://issues.jboss.org/browse/THREESCALE-4326) [PR #1160](https://github.com/3scale/APIcast/pull/1160)


### Fixed

- When PATH routing was enabled the URL was not correctly escaped [THREESCALE-3468](https://issues.jboss.org/browse/THREESCALE-3468) [PR #1150](https://github.com/3scale/APIcast/pull/1150)
@@ -173,7 +180,6 @@ No issues found on beta1,so becames final release.
- Fix issues with non-alphanumeric variables in liquid [THREESCALE-3968](https://issues.jboss.org/browse/THREESCALE-3968) [PR #1158](https://github.com/3scale/APIcast/pull/1158)
- Fix issues with double mapping rules [THREESCALE-3950](https://issues.jboss.org/browse/THREESCALE-3950) [PR #1159](https://github.com/3scale/APIcast/pull/1159)


## [3.7.0] - 2019-11-27

`3.7.0-rc2` was considered final and became `3.7.0`.
@@ -200,7 +206,6 @@ No issues found on beta1,so becames final release.

- Fix issues with escaped characters in URI [THREESCALE-3468](https://issues.jboss.org/browse/THREESCALE-3468) [PR #1123](https://github.com/3scale/APIcast/pull/1123)


## [3.7.0-beta1]- 2019-09-13

### Added
@@ -240,7 +245,6 @@ No issues found on beta1,so becames final release.

- Extended variables in Liquid template operations [PR #1081](https://github.com/3scale/APIcast/pull/1081), [THREESCALE-2927](https://issues.jboss.org/browse/THREESCALE-2927)


## [3.6.0-beta1] - 2019-06-18

### Added
@@ -371,11 +375,11 @@ Apart from the changes mentioned in this section, this version also includes the
`3.3.0-cr2` was considered final and became `3.3.0`.

- The configuration schema of the rate-limit policy has changed from `3.2.0` so
if you were using it, please adapt your configuration file accordingly.
if you were using it, please adapt your configuration file accordingly.
- The Native OAuth 2.0 flow is deprecated. Please consider using the OIDC
integration instead.
integration instead.
- The new conditional policy is considered experimental. The way conditions are
expressed might change in future releases.
expressed might change in future releases.

## [3.3.0-cr2] - 2018-09-25

@@ -667,6 +671,7 @@ expressed might change in future releases.
- Live and ready endpoints now set correct Content-Type header in the response[PR #441](https://github.com/3scale/apicast/pull/441), [THREESCALE-377](https://issues.jboss.org/browse/THREESCALE-377)

## [3.1.0] - 2017-10-27

- 3.1.0-rc2 was considered final and became 3.1.0.

## [3.1.0-rc2] - 2017-09-29
@@ -791,6 +796,7 @@ expressed might change in future releases.
- Ability to Authenticate against API using RHSSO and OpenID Connect [PR #283](https://github.com/3scale/apicast/pull/283)

### Fixed

- `http_ng` client supports auth passsed in the url, and default client options if the request options are missing for methods with body (POST, PUT, etc.) [PR #310](https://github.com/3scale/apicast/pull/310)
- Fixed lazy configuration loader to recover from failures [PR #313](https://github.com/3scale/apicast/pull/313)
- Fixed undefined variable `p` in post\_action [PR #316](https://github.com/3scale/apicast/pull/316)
@@ -815,6 +821,7 @@ expressed might change in future releases.
## [3.0.0-beta1] - 2017-03-03

### Changed

- Lazy load DNS resolver to improve performance [PR #251](https://github.com/3scale/apicast/pull/251)
- Execute queries to all defined nameservers in parallel [PR #260](https://github.com/3scale/apicast/pull/260)
- `RESOLVER` ENV variable overrides all other nameservers detected from `/etc/resolv.conf` [PR #260](https://github.com/3scale/apicast/pull/260)
@@ -846,34 +853,43 @@ expressed might change in future releases.
## [3.0.0-alpha2] - 2017-02-06

### Added

- A way to override backend endpoint [PR #248](https://github.com/3scale/apicast/pull/248)

### Changed

- Cache all calls to `os.getenv` via custom module [PR #231](https://github.com/3scale/apicast/pull/231)
- Bump s2i-openresty to 1.11.2.2-1 [PR #239](https://github.com/3scale/apicast/pull/239)
- Use resty-resolver over nginx resolver for HTTP [PR #237](https://github.com/3scale/apicast/pull/237)
- Use resty-resolver over nginx resolver for Redis [PR #237](https://github.com/3scale/apicast/pull/237)
- Internal change to reduce global state [PR #233](https://github.com/3scale/apicast/pull/233)

### Fixed

- [OAuth] Return correct state value back to client

### Removed

- Nginx resolver directive auto detection. Rely on internal DNS resolver [PR #237](https://github.com/3scale/apicast/pull/237)

## [3.0.0-alpha1] - 2017-01-16

### Added

- A CHANGELOG.md to track important changes
- User-Agent header with APIcast version and system information [PR #214](https://github.com/3scale/apicast/pull/214)
- Try to load configuration from V2 API [PR #193](https://github.com/3scale/apicast/pull/193)

### Changed

- Require openresty 1.11.2 [PR #194](https://github.com/3scale/apicast/pull/194)
- moved development from `v2` branch to `master` [PR #209](https://github.com/3scale/apicast/pull/209)
- `X-3scale-Debug` HTTP header now uses Service Token [PR #217](https://github.com/3scale/apicast/pull/217)

## [2.0.0] - 2016-11-29

### Changed

- Major rewrite using JSON configuration instead of code generation.

[Unreleased]: https://github.com/3scale/apicast/compare/v3.10.0...HEAD
5 changes: 4 additions & 1 deletion Makefile
@@ -221,7 +221,10 @@ rover: $(ROVER)
$(S2I_CONTEXT)/Roverfile.lock : $(S2I_CONTEXT)/Roverfile $(S2I_CONTEXT)/apicast-scm-1.rockspec
$(ROVER) lock --roverfile=$(S2I_CONTEXT)/Roverfile

lua_modules: $(ROVER) $(S2I_CONTEXT)/Roverfile.lock
translate_git_protocol:
@git config --global url.https://github.com/.insteadOf git://github.com/

lua_modules: $(ROVER) $(S2I_CONTEXT)/Roverfile.lock translate_git_protocol
# This variable is to skip issues with openssl 1.1.1
# https://github.com/wahern/luaossl/issues/175
EXTRA_CFLAGS="-DHAVE_EVP_KDF_CTX=1" $(ROVER) install --roverfile=$(S2I_CONTEXT)/Roverfile > /dev/null
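Review bot: `translate_git_protocol` rewrites the developer's global git configuration (`git config --global url.…insteadOf`) as a side effect of `make lua_modules`, and that rewrite persists on the machine after the build, which is surprising for a build target and affects every repository the user touches. If the rewrite only needs to apply to the rover install, scoping it to that invocation (for example via `GIT_CONFIG_COUNT`/`GIT_CONFIG_KEY_0`/`GIT_CONFIG_VALUE_0` on git versions that support it) or at least documenting the persistent change in a comment above the target would make the behaviour explicit. The new target is also not declared phony in this hunk; if a file named `translate_git_protocol` ever exists in the tree, make will skip it, so add `.PHONY: translate_git_protocol` unless it is already covered elsewhere in the Makefile.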
2 changes: 1 addition & 1 deletion docker-compose-devel.yml
@@ -1,7 +1,7 @@
version: '2.2'
services:
development:
image: ${IMAGE:-quay.io/3scale/s2i-openresty-centos7:master}
image: ${IMAGE:-quay.io/3scale/s2i-openresty-centos7:1.19.3.6-20-centos8}
depends_on:
- redis
working_dir: /home/centos/
3 changes: 2 additions & 1 deletion gateway/Roverfile.lock
@@ -10,7 +10,8 @@ fifo 0.2-0||development
http 0.3-0||development
inspect 3.1.1-0||production
ldoc 1.4.6-2||development
liquid 0.1.7-1||production
date 2.2-2||production
liquid 0.1.8-1||production
jsonschema 0.8-0|aa4740624cca4c10585bd7d086b42aa0b9ab14fa|testing
lpeg 1.0.2-1||development
lpeg_patterns 0.5-0||development
15 changes: 12 additions & 3 deletions gateway/http.d/apicast.conf.liquid
@@ -1,9 +1,20 @@
log_format time '[$time_local] $target_host:$server_port $remote_addr:$remote_port "$request" $status $body_bytes_sent ($request_time) $post_action_impact';

map $status $extended_access_log {
# Use maps as variables because some logs can be raised out of the server context
# where variables cannot be set, this allow us to avoid a warning
map "" $extended_access_log {
default '';
}

map "" $access_logs_enabled {
default '1';
}

map "" $extended_access_logs_enabled {
default '0';
}


log_format extended escape=none '$extended_access_log';

server {
@@ -50,9 +61,7 @@ server {
server {
{% capture log_buffer %} {%if log_buffer_size %}buffer={{ log_buffer_size }} {% endif %} {% endcapture %}

set $access_logs_enabled '1';
access_log {{ access_log_file | default: "/dev/stdout" }} time if=$access_logs_enabled {{ log_buffer }};
set $extended_access_logs_enabled '0';
access_log {{ access_log_file | default: "/dev/stdout" }} extended if=$extended_access_logs_enabled {{ log_buffer }};

{%- assign http_port = port.apicast | default: 8080 %}
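Review bot: The explanatory comment above the new `map` blocks has a grammar slip ("this allow us") and does not say which warning it avoids, which is the one thing a future maintainer will want to know before reverting the maps back to `set`. A wording that carries the same information would be `# Declare these as "map" rather than "set": some access logs are emitted outside the server context, where "set" variables are not available, and using maps avoids the warning nginx raises for them.` The consecutive blank lines between the last map and `log_format extended` are a minor formatting leftover.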
2 changes: 1 addition & 1 deletion gateway/src/apicast/configuration_loader/remote_v2.lua
@@ -104,7 +104,7 @@ local function endpoint_for_services_with_host(portal_endpoint, env, host)
local query_args = encode_args({ host = host })

return format(
"%s/admin/api/services/proxy/configs/%s.json?%s",
"%s/admin/api/account/proxy_configs/%s.json?%s",
portal_endpoint,
env,
query_args
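Review bot: The new path still interpolates `env` raw into the format string while `host` on the first context line goes through `encode_args`; if `env` can carry characters such as `/`, `?` or `#` (it arrives from the caller outside this hunk, so that cannot be confirmed here), it would alter the request target rather than just the environment segment. Encoding it the same way as the query, e.g. `ngx.escape_uri(env),` in place of `env,`, keeps the two inputs consistent, assuming `ngx` is in scope in this file as in the rest of the gateway. The closing parenthesis of `endpoint_for_services_with_host` lies outside the hunk.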
9 changes: 5 additions & 4 deletions gateway/src/apicast/http_proxy.lua
@@ -58,6 +58,7 @@ function _M.resolve(uri)
return ip, port
end

-- #TODO: This local function is no longer called as of PR#1323 and should be removed
local function resolve(uri)
local host = uri.host
local port = uri.port
@@ -70,12 +71,12 @@ local function resolve(uri)
end

local function absolute_url(uri)
local host, port = resolve(uri)

-- target server requires hostname not IP and DNS resolution is left to the proxy itself as specified in the RFC #7231
-- https://httpwg.org/specs/rfc7231.html#CONNECT
return format('%s://%s:%s%s',
uri.scheme,
host,
port,
uri.host,
uri.port,
uri.path or '/'
)
end
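Review bot: `absolute_url` now passes `uri.port` straight into `format('%s://%s:%s%s', …)`, whereas the removed `resolve(uri)` call went through a helper that reads `uri.port` into its own local and, judging by its shape, may have supplied a default; if `uri.port` is nil for a URI written without an explicit port, the result is either a runtime error from `format` or a literal `host:nil` in the CONNECT target, depending on the Lua runtime. Guarding the value, e.g. `uri.port or (uri.scheme == 'https' and 443 or 80),`, keeps the hostname-not-IP behaviour the comment describes without depending on the caller always setting a port; whether the parser guarantees a port cannot be seen from this hunk. The local `resolve` is now unreferenced, which luacheck will flag; removing it in this commit would be cleaner than the `#TODO` left on its definition.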
13 changes: 9 additions & 4 deletions gateway/src/apicast/oauth/oidc.lua
@@ -103,9 +103,9 @@ local function timestamp_to_seconds_from_now(expiry, clock)
return ttl
end

local function find_public_key(jwt, keys)
local function find_jwk(jwt, keys)
local jwk = keys and keys[jwt.header.kid]
if jwk then return jwk.pem end
if jwk then return jwk end
end

-- Parses the token - in this case we assume it's a JWT token
@@ -182,8 +182,13 @@ function _M:verify(jwt, cache_key)
return false, '[jwt] invalid alg'
end

-- TODO: this should be able to use DER format instead of PEM
local pubkey = find_public_key(jwt, self.keys)
-- Find jwk with matching kid for current JWT in request
local jwk_obj = find_jwk(jwt, self.keys)

local pubkey = jwk_obj.pem
if jwk_obj.alg ~= jwt.header.alg then
return false, '[jwt] alg mismatch'
end

jwt = JWT:verify_jwt_obj(pubkey, jwt, self.jwt_claims)

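Review bot: `find_jwk` returns nil when no key matches `jwt.header.kid` (its only return is inside `if jwk then`), and `verify` then indexes `jwk_obj.pem` and `jwk_obj.alg` without a nil check, so a token carrying an unknown kid now raises "attempt to index a nil value" instead of returning `false, '[jwt] …'` as the other failure paths do; before this change the nil flowed into `verify_jwt_obj` as an absent pubkey. Add a guard right after the lookup: `if not jwk_obj then` / `  return false, '[jwt] no jwk for kid'` / `end`. The alg comparison is the right direction for the alg-confusion fix named in the changelog, but note it also rejects every token when the published JWK omits the optional `alg` member (nil ~= header alg), which is fail-closed but worth a one-line comment so the behaviour is not mistaken for a bug. Both hunks belong to functions whose bodies continue outside the hunk.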