Enable automated security plugins at the service (root spec) level (#5378)

* feat(plugins): enable support for service-level security definition plugins * feat(plugins): add tests for service-level security plugins * fix(syntax): match regexes to last commit * fix lint Co-authored-by: Filipe Freire <livrofubia@gmail.com>
2024-11-07 22:30:15 +00:00 · 2022-12-14 15:30:56 +00:00 · 2022-12-14 15:30:56 +00:00 · 46bb161134
commit 46bb161134
parent 1bb9607c39
2 changed files with 137 additions and 1 deletions
--- a/packages/openapi-2-kong/src/declarative-config/services.test.ts
+++ b/packages/openapi-2-kong/src/declarative-config/services.test.ts
@ -1,4 +1,5 @@
 import { describe, expect, it } from '@jest/globals';
+import { OpenAPIV3 } from 'openapi-types';

 import { OA3Operation } from '../types';
 import { DCRoute, DCService } from '../types/declarative-config';
@ -336,6 +337,138 @@ describe('services', () => {
      expect(await generateServices(spec, tags)).toEqual([specResult]);
    });

+    it('generates service with securityDefinition-based openid-connect plugin', async () => {
+      const spec = getSpec();
+
+      const securityScheme = {
+        type: 'openIdConnect',
+        openIdConnectUrl: 'https://idp-endpoint.example.com/.well-kown',
+        'x-kong-security-openid-connect': {
+          config: {
+            'auth_methods': ['bearer'],
+          },
+          enabled: true,
+          protocols: ['http', 'https'],
+        },
+      } as OpenAPIV3.OpenIdSecurityScheme;
+
+      if (!spec.components) {
+        spec.components = {};
+      }
+
+      spec.components.securitySchemes = {
+        'common-aad-scheme': securityScheme,
+      };
+
+      spec.security = [
+        {
+          'common-aad-scheme': ['Api.Security.All'],
+        },
+      ];
+
+      spec.paths = {
+        '/dogs': {
+          summary: 'Dog stuff',
+          get: {},
+          post: {
+            security: [
+              {
+                'common-aad-scheme': ['Api.Security.Write'],
+              },
+            ],
+          },
+        },
+      };
+
+      const specResult = getSpecResult();
+      specResult.plugins = [
+        {
+          name: 'openid-connect',
+          config: {
+            'issuer': 'https://idp-endpoint.example.com/.well-kown',
+            'auth_methods': ['bearer'],
+            'scopes_required': ['Api.Security.All'],
+          },
+          tags: tags,
+        },
+      ];
+
+      specResult.routes = [
+        {
+          name: 'My_API-dogs-get',
+          strip_path: false,
+          methods: ['GET'],
+          paths: ['/dogs$'],
+          tags,
+        },
+        {
+          name: 'My_API-dogs-post',
+          strip_path: false,
+          methods: ['POST'],
+          paths: ['/dogs$'],
+          tags,
+          plugins: [
+            {
+              name: 'openid-connect',
+              config: {
+                'issuer': 'https://idp-endpoint.example.com/.well-kown',
+                'auth_methods': ['bearer'],
+                'scopes_required': ['Api.Security.Write'],
+              },
+              tags: tags,
+            },
+          ],
+        },
+      ];
+
+      expect(await generateServices(spec, tags)).toEqual([specResult]);
+    });
+
+    it('generates service and route (override) with securityDefinition-based openid-connect plugin', async () => {
+      const spec = getSpec();
+
+      const securityScheme = {
+        type: 'openIdConnect',
+        openIdConnectUrl: 'https://idp-endpoint.example.com/.well-kown',
+        'x-kong-security-openid-connect': {
+          config: {
+            'auth_methods': ['bearer'],
+          },
+          enabled: true,
+          protocols: ['http', 'https'],
+        },
+      } as OpenAPIV3.OpenIdSecurityScheme;
+
+      if (!spec.components) {
+        spec.components = {};
+      }
+
+      spec.components.securitySchemes = {
+        'common-aad-scheme': securityScheme,
+      };
+
+      spec.security = [
+        {
+          'common-aad-scheme': ['Api.Security.All'],
+        },
+      ];
+
+      const specResult = getSpecResult();
+      specResult.plugins = [
+        {
+          name: 'openid-connect',
+          config: {
+            'issuer': 'https://idp-endpoint.example.com/.well-kown',
+            'auth_methods': ['bearer'],
+            'scopes_required': ['Api.Security.All'],
+          },
+          tags: tags,
+        },
+      ];
+
+      expect(await generateServices(spec, tags)).toEqual([specResult]);
+    });
+
    it('replaces variables', async () => {
      const spec = getSpec();
      spec.servers = [
--- a/packages/openapi-2-kong/src/declarative-config/services.ts
+++ b/packages/openapi-2-kong/src/declarative-config/services.ts
@ -49,6 +49,9 @@ export async function generateService(server: OA3Server, api: OpenApi3Spec, tags
    throw new Error(`expected '${xKongServiceDefaults}' to be an object`);
  }

+  // Generate generic and security-related service-level plugin objects
+  const serviceSecurityPlugins = generateSecurityPlugins(null, api, tags);
+
  const service: DCService = {
    ...serviceDefaults,
    name,
@ -58,7 +61,7 @@ export async function generateService(server: OA3Server, api: OpenApi3Spec, tags
    // not a hostname, but the Upstream name
    port: Number(parsedUrl.port || '80'),
    path: parsedUrl.pathname,
-    plugins: globalPlugins.plugins,
+    plugins: [...globalPlugins.plugins, ...serviceSecurityPlugins],
    routes: [],
    tags,
  };