Merge pull request #3 from lukaszbudnik/updated-luajwt-to-luaoauth

updated luajwt to luaoauth, docker pipeline changes
lukaszbudnik · Aug 23, 2021 · c568f1d · c568f1d
2 parents 5a51512 + f846252
commit c568f1d
Show file tree

Hide file tree

Showing 5 changed files with 242 additions and 143 deletions.
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -1,18 +1,12 @@
 name: Docker Image CI
 
-on:
-  push:
-    branches: [ main ]
-  pull_request:
-    branches: [ main ]
+on: [push, pull_request]
 
 jobs:
-
   build:
-
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
-    - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag haproxy-auth-gateway-local:$(date +%s)
+      - uses: actions/checkout@v2
+      - name: Build the Docker image
+        run: docker build . --file Dockerfile --tag haproxy-auth-gateway-local:$(date +%s)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,52 @@
+name: Publish Docker image
+
+on:
+  push:
+    branches: [main]
+  release:
+    types: [published]
+
+jobs:
+  push_to_registries:
+    name: Push Docker image to Docker Hub and ghcr.io registries
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: |
+            lukasz/haproxy-auth-gateway
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=edge
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+
+      - name: Build and push Docker images
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 FROM haproxytech/haproxy-debian:2.2
 RUN apt-get update && apt-get install -y git
 RUN git clone https://github.com/lukaszbudnik/haproxy-lua-jwt.git
-RUN cd haproxy-lua-jwt && chmod +x install.sh && ./install.sh luajwt
+RUN cd haproxy-lua-jwt && chmod +x install.sh && ./install.sh luaoauth
 COPY jwtverify.lua /usr/local/share/lua/5.3/jwtverify.lua
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ haproxy-auth-gateway features are:
 
 - parsing JWT token from the HTTP Authorization header
 - Keycloak realm roles support
-- RS256 signature verification
+- RS256, HS256, HS512 signature verification
 - expiration time verification
 - issuer verification
 - audience verification
@@ -33,21 +33,21 @@ The below example shows how to deploy & configure `lukasz/haproxy-auth-gateway`
 
 ## Kubernetes deployment
 
-haproxy-auth-gateway needs to have:
+haproxy-auth-gateway requires:
 
 - your haproxy config (_file_)
 - public key of the JWT issuer (_file_)
 - `OAUTH_PUBKEY_PATH` set to the path of the public key of the JWT issuer (_env variable_)
 - `OAUTH_ISSUER` and `OAUTH_AUDIENCE` are optional should you want a more fine-grained JWT verification (_env variable_)
 
-We can create haproxy config and public key files as config maps:
+You can create haproxy config and public key files as config maps:
 
 ```bash
 kubectl create configmap haproxy-auth-gateway-iss-cert --from-file=config/hotel.pem
 kubectl create configmap haproxy-auth-gateway-haproxy-cfg --from-file=config/haproxy.cfg
 ```
 
-Then we can map them to volumes and then mount them into haproxy-auth-gateway container. In the container spec we also set the env variables:
+Then you can map them to volumes and then mount them into haproxy-auth-gateway container. In the container spec you also set the env variables:
 
 ```yaml
 apiVersion: apps/v1
@@ -179,7 +179,7 @@ ewIDAQAB
 haproxy-auth-gateway will verify the above JWT correctly and will:
 
 - set `txn.authorized` variable to `true`
-- set `txn.realm_roles` variable to a comma separated list of `realm_access.roles`
+- set `txn.roles` variable to a comma separated list of `realm_access.roles`
 
 Later above variables can be used in haproxy ACLs, for example:
 
@@ -191,11 +191,23 @@ http-request lua.jwtverify
 # check if authorized successfully
 http-request deny unless { var(txn.authorized) -m bool }
 # check roles
-http-request deny if PATH_camarero ! { var(txn.realm_roles) -m sub camarero }
+http-request deny if PATH_camarero ! { var(txn.roles) -m sub camarero }
+```
+
+# Troubleshooting
+
+The script outputs many useful debug messages. To enable debug add the following configuration to you `haproxy.cfg`:
+
+```
+global
+    log stdout local0 debug
+
+defaults
+    log global
 ```
 
 # Original project
 
-haproxy-auth-gateway is based on great project from haproxytech folks: https://github.com/haproxytech/haproxy-lua-jwt
+haproxy-auth-gateway is based on great project from haproxytech folks: https://github.com/haproxytech/haproxy-lua-oauth
 
 haproxy-auth-gateway contains changes to support Keycloak realm roles out of the box.