Add support for specifying a correlation ID header to help trace calls to the OIDC provider

.env

@@ -2,7 +2,7 @@ BUILD_IMG_NAME=nokia/kong-oidc
 INTEGRATION_PATH=test/docker/integration
 UNIT_PATH=test/docker/unit
 
-KONG_BASE_TAG=:1.0-centos
+KONG_BASE_TAG=:centos
 KONG_TAG=
 KONG_DB_TAG=:10.1
 KONG_DB_PORT=5432

.travis.yml

@@ -5,10 +5,10 @@ language: python
 sudo: true
 
 env:
-  - LUA_VERSION="5.1" KONG_VERSION="0.13.0-0" LUA_RESTY_OPENIDC_VERSION="1.6.1-1"
-  - LUA_VERSION="5.1" KONG_VERSION="0.12.3-0" LUA_RESTY_OPENIDC_VERSION="1.6.1-1"
-  - LUA_VERSION="5.1" KONG_VERSION="0.11.2-0" LUA_RESTY_OPENIDC_VERSION="1.6.1-1"
-  - LUA_VERSION="5.1" KONG_VERSION="1.0.2-0" LUA_RESTY_OPENIDC_VERSION="1.6.1-1"
+  - LUA_VERSION="5.1" KONG_VERSION="0.13.0-0" LUA_RESTY_OPENIDC_VERSION="1.7.0-2"
+  - LUA_VERSION="5.1" KONG_VERSION="0.12.3-0" LUA_RESTY_OPENIDC_VERSION="1.7.0-2"
+  - LUA_VERSION="5.1" KONG_VERSION="0.11.2-0" LUA_RESTY_OPENIDC_VERSION="1.7.0-2"
+  - LUA_VERSION="5.1" KONG_VERSION="1.0.2-0" LUA_RESTY_OPENIDC_VERSION="1.7.0-2"
 
 script:
   - sudo -E bash ci/root.sh

bin/run-unit-tests.sh

@@ -5,7 +5,7 @@
   docker build \
     --build-arg KONG_BASE_TAG=${KONG_BASE_TAG} \
     -t ${BUILD_IMG_NAME} \
-    -f ${UNIT_PATH}/Dockerfile .
+    -f ${UNIT_PATH}/Dockerfile . --no-cache
   docker run -it --rm ${BUILD_IMG_NAME} /bin/bash test/unit/run.sh
 )
 

ci/setup.sh

@@ -3,7 +3,7 @@ set -e
 
 export LUA_VERSION=${LUA_VERSION:-5.1}
 export KONG_VERSION=${KONG_VERSION:-0.13.1-0}
-export LUA_RESTY_OPENIDC_VERSION=${LUA_RESTY_OPENIDC_VERSION:-1.6.1-1}
+export LUA_RESTY_OPENIDC_VERSION=${LUA_RESTY_OPENIDC_VERSION:-1.7.0-2}
 
 pip install hererocks
 hererocks lua_install -r^ --lua=${LUA_VERSION}

kong-oidc-1.1.0-0.rockspec → kong-oidc-1.2.0-0.rockspec

@@ -1,8 +1,8 @@
 package = "kong-oidc"
-version = "1.1.0-0"
+version = "1.2.0-0"
 source = {
     url = "git://github.com/nokia/kong-oidc",
-    tag = "v1.1.0",
+    tag = "v1.2.0",
     dir = "kong-oidc"
 }
 description = {
@@ -22,7 +22,7 @@ description = {
     license = "Apache 2.0"
 }
 dependencies = {
-    "lua-resty-openidc ~> 1.6.1-1"
+    "lua-resty-openidc ~> 1.7.0-2"
 }
 build = {
     type = "builtin",

kong/plugins/oidc/schema.lua

@@ -18,6 +18,7 @@ return {
     recovery_page_path = { type = "string" },
     logout_path = { type = "string", required = false, default = '/logout' },
     redirect_after_logout_uri = { type = "string", required = false, default = '/' },
-    filters = { type = "string" }
+    filters = { type = "string" },
+    correlation_id_header = { type = "string", required = false, default = '' }
   }
 }

kong/plugins/oidc/utils.lua

@@ -12,6 +12,15 @@ local function parseFilters(csvFilters)
   return filters
 end
 
+function M.add_correlation_id_header(correlation_id_header_key, correlation_id_header_value)
+  return function(req)
+    local h = req.headers or {}
+    h[correlation_id_header_key] = correlation_id_header_value
+    req.headers = h
+    return req
+  end
+end
+
 function M.get_redirect_uri_path(ngx)
   local function drop_query()
     local uri = ngx.var.request_uri
@@ -40,7 +49,7 @@ function M.get_redirect_uri_path(ngx)
 end
 
 function M.get_options(config, ngx)
-  return {
+  local opts = {
     client_id = config.client_id,
     client_secret = config.client_secret,
     discovery = config.discovery,
@@ -57,8 +66,13 @@ function M.get_options(config, ngx)
     recovery_page_path = config.recovery_page_path,
     filters = parseFilters(config.filters),
     logout_path = config.logout_path,
-    redirect_after_logout_uri = config.redirect_after_logout_uri,
+    redirect_after_logout_uri = config.redirect_after_logout_uri
   }
+  if config.correlation_id_header then
+    local correlation_id_header_value = ngx.req.get_headers()[config.correlation_id_header]
+    opts.http_request_decorator = M.add_correlation_id_header(config.correlation_id_header, correlation_id_header_value)
+  end
+  return opts
 end
 
 function M.exit(httpStatusCode, message, ngxCode)

test/docker/integration/Dockerfile

@@ -1,5 +1,6 @@
 ARG KONG_BASE_TAG
 FROM kong${KONG_BASE_TAG}
+USER root
 
 ENV LUA_PATH /usr/local/share/lua/5.1/?.lua;/usr/local/kong-oidc/?.lua;;
 # For lua-cjson
@@ -10,8 +11,11 @@ RUN yum install -y unzip gcc
 RUN luarocks install luacov
 RUN luarocks install luaunit
 RUN luarocks install lua-cjson
+RUN luarocks install lua-resty-session
+RUN luarocks install lua-resty-http
+RUN luarocks install lua-resty-string
 
 # Change openidc version when version in rockspec changes
-RUN luarocks install lua-resty-openidc 1.6.0
+RUN luarocks install lua-resty-openidc 1.7.0-2
 
 COPY . /usr/local/kong-oidc

test/docker/unit/Dockerfile

@@ -1,18 +1,23 @@
 ARG KONG_BASE_TAG
 FROM kong${KONG_BASE_TAG}
+USER root
 
 ENV LUA_PATH /usr/local/share/lua/5.1/?.lua;/usr/local/kong-oidc/?.lua
 # For lua-cjson
 ENV LUA_CPATH /usr/local/lib/lua/5.1/?.so
 
 # Install unzip for luarocks, gcc for lua-cjson
-RUN yum install -y unzip gcc 
+RUN yum install -y unzip gcc
+
 RUN luarocks install luacov
 RUN luarocks install luaunit
 RUN luarocks install lua-cjson
+RUN luarocks install lua-resty-session
+RUN luarocks install lua-resty-http
+RUN luarocks install lua-resty-string
 
 # Change openidc version when version in rockspec changes
-RUN luarocks install lua-resty-openidc 1.6.1-1
+RUN luarocks install lua-resty-openidc 1.7.0-2
 
 WORKDIR /usr/local/kong-oidc
 

test/unit/test_introspect.lua

@@ -1,3 +1,34 @@
+local ffi = require "ffi"
+local ffi_new = ffi.new
+local ffi_str = ffi.string
+local C = ffi.C
+--local setmetatable = setmetatable
+--local error = error
+
+
+local _M = { _VERSION = '0.14' }
+
+
+ffi.cdef[[
+int RAND_bytes(unsigned char *buf, int num);
+int RAND_pseudo_bytes(unsigned char *buf, int num);
+]]
+
+
+function _M.bytes(len, strong)
+    local buf = ffi_new("char[?]", len)
+    if strong then
+        if C.RAND_bytes(buf, len) == 0 then
+            return nil
+        end
+    else
+        C.RAND_pseudo_bytes(buf,len)
+    end
+
+    return ffi_str(buf, len)
+end
+
+
 local lu = require("luaunit")
 
 TestIntrospect = require("test.unit.mockable_case"):extend()
@@ -6,6 +37,7 @@ TestIntrospect = require("test.unit.mockable_case"):extend()
 function TestIntrospect:setUp()
   TestIntrospect.super:setUp()
   self.handler = require("kong.plugins.oidc.handler")()
+  _M.bytes(1, 1)
 end
 
 function TestIntrospect:tearDown()

test/unit/test_utils.lua

@@ -25,6 +25,47 @@ function TestUtils:testRedirectUriPath()
   lu.assertEquals(utils.get_redirect_uri_path(ngx), "/long/path/")
 end
 
+function TestUtils:testAddCorrelationIdHeader()
+  local correlation_id_header = "x-correlation-id"
+  local correlation_id_header_value = "booga"
+  local add_correlation_id_header_method = utils.add_correlation_id_header(correlation_id_header, correlation_id_header_value)
+
+  local req1 = {}
+  req1 = add_correlation_id_header_method(req1)
+  lu.assertEquals(req1.headers[correlation_id_header], correlation_id_header_value)
+
+  local req2 = {
+    headers = {
+      dummy_header = "dontcare"
+    }
+  }
+  req2 = add_correlation_id_header_method(req2)
+  lu.assertEquals(req2.headers[correlation_id_header], correlation_id_header_value)
+  lu.assertEquals(req2.headers["dummy_header"], "dontcare")
+end
+
+function TestUtils:testCorrelationIdHeaderOptions()
+  local opts1 = utils.get_options({
+    client_id = 1,
+    client_secret = 2}, {var = {request_uri = "/path"},
+    req = {get_uri_args = function() return nil end}})
+
+  lu.assertEquals(opts1.http_request_decorator, nil)
+
+  local correlation_id_header = "correlation_id_header"
+  local correlation_id_header_value = "booga"
+  local opts2 = utils.get_options({
+    client_id = 1,
+    client_secret = 2,
+    correlation_id_header = correlation_id_header
+  }, {var = {request_uri = "/path"},
+    req = {get_headers = function() return {correlation_id_header=correlation_id_header_value} end,
+    get_uri_args = function() return nil end}})
+
+  local req = opts2.http_request_decorator({})
+  lu.assertEquals(req.headers[correlation_id_header], correlation_id_header_value)
+end
+
 function TestUtils:testOptions()
   local opts = utils.get_options({
     client_id = 1,