#!/bin/bash DISTRIBUTION=$1 # Install JQ for JSON parse in test case wget -O jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 chmod +x ./jq cp jq /usr/bin # Init HOST=$2 OP_HOST=$3 OXD_HOST=$4 KONG_PROXY_HOST=$2 KONG_ADMIN_HOST='localhost' OXD_PORT=8443 function test_oauth_auth_and_pep() { # Add metrics plugin globally sleep 1 echo "==================================================" echo "gluu_metrics" echo "==================================================" METRICS_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins -H 'Content-Type: application/json' -d '{"name":"gluu-metrics"}'` echo "METRICS_RESPONSE: " .. $METRICS_RESPONSE sleep 1 echo "==================================================" echo "test_oauth_auth_and_pep" echo "==================================================" # Create service in kong SERVICE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/services/ -H 'Content-Type: application/json' -d '{"name":"jsonplaceholder","url":"http://localhost:3000"}'` SERVICE_ID=`echo $SERVICE_RESPONSE | jq -r ".id"` echo "SERVICE_ID " .. $SERVICE_ID ROUTE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/routes/ -H 'Content-Type: application/json' -d '{"hosts": ["jsonplaceholder.typicode.com"],"service": {"id": "'$SERVICE_ID'"}}'` ROUTE_ID=`echo $ROUTE_RESPONSE | jq -r ".id"` echo "ROUTE_ID " .. $ROUTE_ID # Create OP Client for OAuth plugin OP_CLIENT_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/register-site -H "Content-Type: application/json" -d '{"client_name":"test_oauth_pep","access_token_as_jwt":true,"rpt_as_jwt":true,"access_token_signing_alg":"RS256", "op_host":"https://'$OP_HOST'", "redirect_uris": ["https://client.example.com/cb"], "grant_types":["client_credentials"]}'` OXD_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".oxd_id"` CLIENT_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".client_id"` CLIENT_SECRET=`echo $OP_CLIENT_RESPONSE | jq -r ".client_secret"` echo "OXD_ID " .. $OXD_ID echo "CLIENT_ID " .. $CLIENT_ID echo "CLIENT_SECRET " .. $CLIENT_SECRET # Config plugins ## OAUTH-AUTH OAUTH_PLUGIN_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins/ -H 'Content-Type: application/json' -d '{"name":"gluu-oauth-auth","config":{"oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","op_url":"https://'$OP_HOST'","oxd_id":"'$OXD_ID'","client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","pass_credentials":"pass"},"service": {"id": "'$SERVICE_ID'"}}'` OAUTH_PLUGIN_ID=`echo $OAUTH_PLUGIN_RESPONSE | jq -r ".id"` echo $OAUTH_PLUGIN_RESPONSE echo "OAUTH_AUTH_PLUGIN_ID " .. $OAUTH_PLUGIN_ID ## OAUTH-PEP OAUTH_PLUGIN_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins/ -H 'Content-Type: application/json' -d '{"name":"gluu-oauth-pep","config":{"client_id":"'$CLIENT_ID'","oauth_scope_expression":"[{\"path\":\"/posts/??\",\"conditions\":[{\"httpMethods\":[\"GET\",\"DELETE\",\"POST\",\"PUT\"],\"scope_expression\":{\"rule\":{\"and\":[{\"var\":0},{\"var\":1}]},\"data\":[\"oxd\",\"openid\"]}}]},{\"path\":\"/comments/??\",\"conditions\":[{\"httpMethods\":[\"GET\",\"DELETE\",\"POST\",\"PUT\"],\"scope_expression\":{\"rule\":{\"and\":[{\"var\":0}]},\"data\":[\"oxd\"]}}]}]","op_url":"https://'$OP_HOST'","deny_by_default":true,"oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","client_secret":"'$CLIENT_SECRET'","oxd_id":"'$OXD_ID'"},"service": {"id": "'$SERVICE_ID'"}}'` OAUTH_PLUGIN_ID=`echo $OAUTH_PLUGIN_RESPONSE | jq -r ".id"` echo "OAUTH_PEP_PLUGIN_ID " .. $OAUTH_PLUGIN_ID # Create OP Client for Consumer OP_CLIENT_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/register-site -H "Content-Type: application/json" -d '{"client_name":"test_oauth_pep","access_token_as_jwt":true,"rpt_as_jwt":true,"access_token_signing_alg":"RS256", "op_host":"https://'$OP_HOST'", "redirect_uris": ["https://client.example.com/cb"], "grant_types":["client_credentials"], "scope": ["openid", "oxd", "uma_protection"]}'` CONSUMER_OXD_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".oxd_id"` CONSUMER_CLIENT_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".client_id"` CONSUMER_CLIENT_SECRET=`echo $OP_CLIENT_RESPONSE | jq -r ".client_secret"` echo "OXD_ID " .. $CONSUMER_OXD_ID echo "CLIENT_ID " .. $CONSUMER_CLIENT_ID echo "CLIENT_SECRET " .. $CONSUMER_CLIENT_SECRET # Create kong consumer CONSUMER_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/consumers/ -H 'Content-Type: application/json' -d '{"username":"cons_jsonplaceholder","custom_id":"'$CONSUMER_CLIENT_ID'"}'` CONSUMER_ID=`echo $CONSUMER_RESPONSE | jq -r ".id"` echo "CONSUMER_ID " .. $CONSUMER_ID # OAUTH RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/get-client-token -H "Content-Type: application/json" -d '{"client_id":"'$CONSUMER_CLIENT_ID'","client_secret":"'$CONSUMER_CLIENT_SECRET'","op_host":"'$OP_HOST'", "scope":["openid", "oxd", "uma_protection"]}'` TOKEN=`echo $RESPONSE | jq -r ".access_token"` echo "Access Token " .. $TOKEN curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder.typicode.com' curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder.typicode.com' curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder.typicode.com' CHECK_STATUS=`curl -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder.typicode.com' --write-out "%{http_code}\n" --silent --output /dev/null http://$KONG_PROXY_HOST:8000/posts/1` if [ "$CHECK_STATUS" != "200" ]; then echo "OAuth PEP security fail" exit 1 fi } function test_uma_auth_and_pep() { # ========================================================================= # UMA Auth and PEP sleep 1 echo "==================================================" echo "test_uma_auth_and_pep" echo "==================================================" SERVICE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/services/ -H 'Content-Type: application/json' -d '{"name":"jsonplaceholder2","url":"http://localhost:3000"}'` SERVICE_ID=`echo $SERVICE_RESPONSE | jq -r ".id"` echo "SERVICE_ID " .. $SERVICE_ID ROUTE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/routes/ -H 'Content-Type: application/json' -d '{"hosts": ["jsonplaceholder2.typicode.com"],"service": {"id": "'$SERVICE_ID'"}}'` ROUTE_ID=`echo $ROUTE_RESPONSE | jq -r ".id"` echo "ROUTE_ID " .. $ROUTE_ID # Create OP Client for UMA_PEP OP_CLIENT_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/register-site -H "Content-Type: application/json" -d '{"client_name":"test_uma_pep", "op_host":"https://'$OP_HOST'", "redirect_uris": ["https://client.example.com/cb"], "scope": ["openid", "oxd", "uma_protection"], "grant_types":["client_credentials"]}'` OXD_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".oxd_id"` CLIENT_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".client_id"` CLIENT_SECRET=`echo $OP_CLIENT_RESPONSE | jq -r ".client_secret"` echo "OXD_ID " .. $OXD_ID echo "CLIENT_ID " .. $CLIENT_ID echo "CLIENT_SECRET " .. $CLIENT_SECRET # Register resources using OXD # GET PROTECTION TOKEN RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/get-client-token -H "Content-Type: application/json" -d '{"client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","op_host":"'$OP_HOST'", "scope":["openid", "oxd", "uma_protection"]}'` TOKEN=`echo $RESPONSE | jq -r ".access_token"` echo "PROTECTION TOKEN " .. $TOKEN RS_PROTECT_CLIENT_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/uma-rs-protect -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"oxd_id":"'$OXD_ID'","resources":[{"path":"/posts/??","conditions":[{"httpMethods":["GET","DELETE","POST","PUT"],"scope_expression":{"rule":{"and":[{"var":0},{"var":1}]},"data":["admin","employee"]}}]},{"path":"/comments/??","conditions":[{"httpMethods":["GET","DELETE","POST","PUT"],"scope_expression":{"rule":{"and":[{"var":0}]},"data":["admin"]}}]}]}'` echo "RS_PROTECT_CLIENT_RESPONSE " .. $RS_PROTECT_CLIENT_RESPONSE # Create anonymous kong consumer anonymous_CONSUMER_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/consumers/ -H 'Content-Type: application/json' -d '{"username":"anonymous","custom_id":"anonymous"}'` anonymous_CONSUMER_ID=`echo $anonymous_CONSUMER_RESPONSE | jq -r ".id"` echo "anonymous CONSUMER_ID " .. $anonymous_CONSUMER_ID # Config plugin ## UMA-AUTH UMA_PLUGIN_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins/ -H 'Content-Type: application/json' -d '{"name":"gluu-uma-auth","config":{"anonymous": "'$anonymous_CONSUMER_ID'", "oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","op_url":"https://'$OP_HOST'","oxd_id":"'$OXD_ID'","client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","pass_credentials":"pass"},"service": {"id": "'$SERVICE_ID'"}}'` UMA_PLUGIN_ID=`echo $UMA_PLUGIN_RESPONSE | jq -r ".id"` echo "UMA_AUTH_PLUGIN_ID " .. $UMA_PLUGIN_ID ## UMA-PEP UMA_PLUGIN_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins/ -H 'Content-Type: application/json' -d '{"name":"gluu-uma-pep","config":{"oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","op_url":"https://'$OP_HOST'","oxd_id":"'$OXD_ID'","client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","uma_scope_expression":"[{\"path\":\"/posts/??\",\"conditions\":[{\"httpMethods\":[\"GET\",\"DELETE\",\"POST\",\"PUT\"],\"scope_expression\":{\"rule\":{\"and\":[{\"var\":0},{\"var\":1}]},\"data\":[\"admin\",\"employee\"]}}]},{\"path\":\"/comments/??\",\"conditions\":[{\"httpMethods\":[\"GET\",\"DELETE\",\"POST\",\"PUT\"],\"scope_expression\":{\"rule\":{\"and\":[{\"var\":0}]},\"data\":[\"admin\"]}}]}]","deny_by_default":true},"service": {"id": "'$SERVICE_ID'"}}'` UMA_PLUGIN_ID=`echo $UMA_PLUGIN_RESPONSE | jq -r ".id"` echo "UMA_PEP_PLUGIN_ID " .. $UMA_PLUGIN_ID # UMA Auth TICKET=`curl -i -sS -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H 'Host: jsonplaceholder2.typicode.com' | sed -n 's/.*ticket="//p'` TICKET="${TICKET%??}" echo "TICKET " .. $TICKET RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/get-client-token -H "Content-Type: application/json" -d '{"client_id":"'$CONSUMER_CLIENT_ID'","client_secret":"'$CONSUMER_CLIENT_SECRET'","op_host":"'$OP_HOST'", "scope":["openid", "oxd", "uma_protection"]}'` TOKEN=`echo $RESPONSE | jq -r ".access_token"` echo "PROTECTION Token " .. $TOKEN RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/uma-rp-get-rpt -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"oxd_id":"'$CONSUMER_OXD_ID'","ticket":"'$TICKET'"}'` echo $RESPONSE TOKEN=`echo $RESPONSE | jq -r ".access_token"` echo "RPT Token " .. $TOKEN curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder2.typicode.com' curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder2.typicode.com' curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder2.typicode.com' CHECK_STATUS=`curl -H "Authorization: Bearer $TOKEN" -H 'Host: jsonplaceholder2.typicode.com' --write-out "%{http_code}\n" --silent --output /dev/null http://$KONG_PROXY_HOST:8000/posts/1` echo "CHECK_STATUS " .. $CHECK_STATUS if [ "$CHECK_STATUS" != "200" ]; then echo "UMA PEP security fail" exit 1 fi } function config_oidc_and_uma_pep() { ##################################### # Configure OIDC Plugin ##################################### sleep 1 echo "==================================================" echo "config_oidc_and_uma_pep" echo "==================================================" SERVICE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/services/ -H 'Content-Type: application/json' -d '{"name":"oidc-plugin-test","url":"http://localhost:4400"}'` SERVICE_ID=`echo $SERVICE_RESPONSE | jq -r ".id"` echo "SERVICE_ID " .. $SERVICE_ID ROUTE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/routes/ -H 'Content-Type: application/json' -d '{"hosts": ["'$HOST'"],"service": {"id": "'$SERVICE_ID'"}}'` ROUTE_ID=`echo $ROUTE_RESPONSE | jq -r ".id"` echo "ROUTE_ID " .. $ROUTE_ID OP_CLIENT_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/register-site -H "Content-Type: application/json" -d '{"op_host":"https://'$OP_HOST'","oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","redirect_uris":["https://'$KONG_PROXY_HOST'/callback"],"client_name":"gg-openid-connect-client","post_logout_redirect_uris":["https://'$KONG_PROXY_HOST'/logout_redirect_uri"],"scope":["openid","oxd","email","profile", "uma_protection"],"grant_types":["client_credentials","authorization_code","refresh_token"],"claims_redirect_uri":["https://'$KONG_PROXY_HOST'/claims_callback"]}'` echo "OP_CLIENT_RESPONSE: " .. $OP_CLIENT_RESPONSE OXD_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".oxd_id"` CLIENT_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".client_id"` CLIENT_SECRET=`echo $OP_CLIENT_RESPONSE | jq -r ".client_secret"` echo "OXD_ID " .. $OXD_ID echo "CLIENT_ID " .. $CLIENT_ID echo "CLIENT_SECRET " .. $CLIENT_SECRET PAT_TOKEN_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/get-client-token -H "Content-Type: application/json" -d '{"op_host":"https://'$OP_HOST'","client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","scope":["openid","oxd"]}'` echo "PAT_TOKEN_RESPONSE:" .. $PAT_TOKEN_RESPONSE TOKEN=`echo $PAT_TOKEN_RESPONSE | jq -r ".access_token"` echo "PROTECTION Token " .. $TOKEN UMA_RS_PROTECT_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/uma-rs-protect -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"oxd_id":"'$OXD_ID'","resources":[{"path":"/settings/??","conditions":[{"httpMethods":["GET"],"scope_expression":{"rule":{"and":[{"var":0}]},"data":["with-claims"]}}]}]}'` echo "UMA_RS_PROTECT_RESPONSE: " .. $UMA_RS_PROTECT_RESPONSE OIDC_PLUGIN_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins -H "Content-Type: application/json" -d '{"name":"gluu-openid-connect","route":{"id":"'$ROUTE_ID'"},"config":{"oxd_id":"'$OXD_ID'","oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","op_url":"https://'$OP_HOST'","authorization_redirect_path":"/callback","logout_path":"/logout","post_logout_redirect_path_or_url":"/logout_redirect_uri","requested_scopes":["openid","oxd","email","profile", "uma_protection"],"required_acrs_expression":"[{\"path\":\"/payments/??\",\"conditions\":[{\"httpMethods\":[\"?\"],\"required_acrs\":[\"otp\"],\"no_auth\":false}]}]","max_id_token_age":3600,"max_id_token_auth_age":3600}}'` echo "OIDC_PLUGIN_RESPONSE: " .. $OIDC_PLUGIN_RESPONSE UMA_PEP_PLUGIN_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins -H "Content-Type: application/json" -d '{"name":"gluu-uma-pep","route":{"id":"'$ROUTE_ID'"},"config":{"oxd_id":"'$OXD_ID'","client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","op_url":"https://'$OP_HOST'","oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","uma_scope_expression":"[{\"path\":\"/settings/??\",\"conditions\":[{\"httpMethods\":[\"GET\"],\"scope_expression\":{\"rule\":{\"and\":[{\"var\":0}]},\"data\":[\"with-claims\"]}}]}]","deny_by_default":false,"require_id_token":true,"obtain_rpt":true,"redirect_claim_gathering_url":true,"claims_redirect_path":"/claims_callback"}}'` echo "UMA_PEP_PLUGIN_RESPONSE: " .. $UMA_PEP_PLUGIN_RESPONSE } function test_gluu_metrics() { sleep 1 echo "==================================================" echo "test_gluu_metrics" echo "==================================================" GLUU_METRICS_RESPONSE=`curl -k -X GET http://localhost:8001/gluu-metrics` echo "GLUU_METRICS_RESPONSE: " .. $GLUU_METRICS_RESPONSE search_string="gluu_total_client_authenticated 8" if [[ $GLUU_METRICS_RESPONSE =~ $search_string ]]; then echo "Metrics Found Successfully" else echo "Failed to match metrics data gluu_total_client_authenticated 8" exit 1 fi } function test_oauth_auth_and_opa_pep() { sleep 1 echo "==================================================" echo "test_oauth_auth_and_opa_pep" echo "==================================================" ################################### #### Configure OPA PEP ################################### function docker_ubuntu { curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" apt-get -qqy update apt-get -qqy install docker-ce } function docker_deb { curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" apt-get -qqy update apt-get -qqy install docker-ce } function docker_rpm7 { yum install -y yum-utils device-mapper-persistent-data lvm2 yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo yum install -y docker-ce docker-ce-cli containerd.io systemctl start docker } function docker_rpm8 { yum install -y yum-utils device-mapper-persistent-data lvm2 yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo yum install -y https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm yum install -y docker-ce docker-ce-cli systemctl start docker } case $DISTRIBUTION in "bionic") docker_ubuntu ;; "focal") docker_ubuntu ;; "centos7") docker_rpm7 ;; "centos8") docker_rpm8 ;; "debian9") docker_deb ;; "debian10") docker_deb ;; esac OPA_ID=`docker run -p 8181 -d --name opa openpolicyagent/opa:0.10.5 run --server` sleep 5 OPA_PORT=`docker inspect --format='{{(index (index .NetworkSettings.Ports "8181/tcp") 0).HostPort}}' $OPA_ID` SERVICE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/services/ -H 'Content-Type: application/json' -d '{"name":"OAUTH-AUTH-OPA-Test","url":"http://localhost:3000"}'` SERVICE_ID=`echo $SERVICE_RESPONSE | jq -r ".id"` echo "SERVICE_ID " .. $SERVICE_ID ROUTE_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/routes/ -H 'Content-Type: application/json' -d '{"hosts": ["opa-test.com"],"service": {"id": "'$SERVICE_ID'"}}'` ROUTE_ID=`echo $ROUTE_RESPONSE | jq -r ".id"` echo "ROUTE_ID " .. $ROUTE_ID OP_CLIENT_RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/register-site -H "Content-Type: application/json" -d '{"client_name":"test_oauth_pep","access_token_as_jwt":true,"rpt_as_jwt":true,"access_token_signing_alg":"RS256", "op_host":"https://'$OP_HOST'", "redirect_uris": ["https://client.example.com/cb"], "grant_types":["client_credentials"]}'` OXD_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".oxd_id"` CLIENT_ID=`echo $OP_CLIENT_RESPONSE | jq -r ".client_id"` CLIENT_SECRET=`echo $OP_CLIENT_RESPONSE | jq -r ".client_secret"` echo "OXD_ID " .. $OXD_ID echo "CLIENT_ID " .. $CLIENT_ID echo "CLIENT_SECRET " .. $CLIENT_SECRET cd /root wget https://raw.githubusercontent.com/GluuFederation/gluu-gateway/version_4.0/t/scripts/policy.rego sed -i '12iinput.request_token_data.client_id = "'$CONSUMER_CLIENT_ID'"' policy.rego OPA_POLICY_ADD=`curl -X PUT --data-binary @policy.rego localhost:$OPA_PORT/v1/policies/example` OAUTH_PLUGIN_RESPONSE=`curl -k -X POST http://$KONG_ADMIN_HOST:8001/plugins/ -H 'Content-Type: application/json' -d '{"name":"gluu-oauth-auth","config":{"oxd_url":"https://'$OXD_HOST':'$OXD_PORT'","op_url":"https://'$OP_HOST'","oxd_id":"'$OXD_ID'","client_id":"'$CLIENT_ID'","client_secret":"'$CLIENT_SECRET'","pass_credentials":"pass"},"service": {"id": "'$SERVICE_ID'"}}'` echo $OAUTH_PLUGIN_RESPONSE OAUTH_PLUGIN_ID=`echo $OAUTH_PLUGIN_RESPONSE | jq -r ".id"` echo "OAUTH_AUTH_PLUGIN_ID " .. $OAUTH_PLUGIN_ID OPA_PLUGIN_RESPONSE=`curl -v -i -sS -X POST --url http://$KONG_ADMIN_HOST:8001/plugins/ --header 'content-type: application/json;charset=UTF-8' --data '{"name":"gluu-opa-pep","config":{"opa_url":"http://localhost:'$OPA_PORT'/v1/data/httpapi/authz?pretty=true&explain=full"},"service": {"id": "'$SERVICE_ID'"}}'` echo "OPA_PLUGIN_RESPONSE: " .. $OPA_PLUGIN_RESPONSE # OAUTH RESPONSE=`curl -k -X POST https://$OXD_HOST:$OXD_PORT/get-client-token -H "Content-Type: application/json" -d '{"client_id":"'$CONSUMER_CLIENT_ID'","client_secret":"'$CONSUMER_CLIENT_SECRET'","op_host":"'$OP_HOST'", "scope":["openid", "oxd", "uma_protection"]}'` TOKEN=`echo $RESPONSE | jq -r ".access_token"` echo "Access Token " .. $TOKEN curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: opa-test.com' curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: opa-test.com' curl -X GET http://$KONG_PROXY_HOST:8000/posts/1 -H "Authorization: Bearer $TOKEN" -H 'Host: opa-test.com' CHECK_STATUS=`curl -H "Authorization: Bearer $TOKEN" -H 'Host: opa-test.com' --write-out "%{http_code}\n" --silent --output /dev/null http://$KONG_PROXY_HOST:8000/posts/1` if [ "$CHECK_STATUS" != "200" ]; then echo "OAuth PEP security fail" exit 1 fi ss -ntlp } function setup_upstream_app() { sleep 1 echo "==================================================" echo "setup node ejs git" echo "==================================================" if [ "$DISTRIBUTION" == "centos7" -o "$DISTRIBUTION" == "centos8" ]; then yum install git -y elif [ "$DISTRIBUTION" == "debian9" -o "$DISTRIBUTION" == "debian10" ]; then apt install software-properties-common -y apt-get install git -y fi git clone https://github.com/ldeveloperl1985/node-ejs.git cd node-ejs npm i npm i -g pm2 pm2 start app.js sleep 1 echo "==================================================" echo "setup nodeejs git" echo "==================================================" git clone https://github.com/ldeveloperl1985/node-api.git cd node-api npm i pm2 start index.js sleep 1 } setup_upstream_app test_oauth_auth_and_pep test_uma_auth_and_pep config_oidc_and_uma_pep test_gluu_metrics test_oauth_auth_and_opa_pep