Merge pull request #307 from 3bit-techs/disable_keepalive

Ability to disable keepalive
zmartzone · Feb 11, 2020 · a0d2707 · a0d2707
2 parents 8c50303 + 620b8d9
commit a0d2707
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 9 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -33,3 +33,4 @@ reporting bugs, providing fixes, suggesting useful features or other:
 	Michael Johansen <https://github.com/mijohansen>
 	Joshua Erney <https://github.com/JoshTheGoldfish>
 	Nick Wiedenbrueck <https://github.com/cretzel>
+	Eduardo Gonçalves <https://github.com/Dudssource>
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,9 @@
+02/06/2020
+- ability to disable keepalive from lua-resty-http
+  By disabling keepalive we disable the native connection pool,
+  avoiding errors when dealing with invalid connections. This is 
+  specially useful when proxying ajax requests.
+
 02/05/2020
 - no longer echo the URI parameters back on default error page when
   OIDC provider returns an error in call to redirect_uri; see #306;

diff --git a/README.md b/README.md
@@ -143,6 +143,8 @@ h2JHukolz9xf6qN61QMLSd83+kwoBr2drp6xg3eGDLIkQCQLrkY=
              --client_jwt_assertion_expires_in = 60,
              -- When using https to any OP endpoints, enforcement of SSL certificate check can be mandated ("yes") or not ("no").
              --ssl_verify = "no",
+             -- Connection keepalive with the OP can be enabled ("yes") or disabled ("no").
+             --keepalive = "no",
 
              --authorization_params = { hd="zmartzone.eu" },
              --scope = "openid email profile",

diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -495,7 +495,8 @@ function openidc.call_token_endpoint(opts, endpoint, body, auth, endpoint_name,
     method = "POST",
     body = ngx.encode_args(body),
     headers = headers,
-    ssl_verify = (opts.ssl_verify ~= "no")
+    ssl_verify = (opts.ssl_verify ~= "no"),
+    keepalive = (opts.keepalive ~= "no")
   }))
   if not res then
     err = "accessing " .. ep_name .. " endpoint (" .. endpoint .. ") failed: " .. err
@@ -527,7 +528,8 @@ function openidc.call_userinfo_endpoint(opts, access_token)
   local res, err = httpc:request_uri(opts.discovery.userinfo_endpoint,
                                      decorate_request(opts.http_request_decorator, {
     headers = headers,
-    ssl_verify = (opts.ssl_verify ~= "no")
+    ssl_verify = (opts.ssl_verify ~= "no"),
+    keepalive = (opts.keepalive ~= "no")
   }))
   if not res then
     err = "accessing (" .. opts.discovery.userinfo_endpoint .. ") failed: " .. err
@@ -561,7 +563,7 @@ local function openidc_load_jwt_none_alg(enc_hdr, enc_payload)
 end
 
 -- get the Discovery metadata from the specified URL
-local function openidc_discover(url, ssl_verify, timeout, exptime, proxy_opts, http_request_decorator)
+local function openidc_discover(url, ssl_verify, keepalive, timeout, exptime, proxy_opts, http_request_decorator)
   log(DEBUG, "openidc_discover: URL is: " .. url)
 
   local json, err
@@ -574,7 +576,8 @@ local function openidc_discover(url, ssl_verify, timeout, exptime, proxy_opts, h
     openidc_configure_timeouts(httpc, timeout)
     openidc_configure_proxy(httpc, proxy_opts)
     local res, error = httpc:request_uri(url, decorate_request(http_request_decorator, {
-      ssl_verify = (ssl_verify ~= "no")
+      ssl_verify = (ssl_verify ~= "no"),
+      keepalive = (keepalive ~= "no")
     }))
     if not res then
       err = "accessing discovery url (" .. url .. ") failed: " .. error
@@ -602,7 +605,7 @@ local function openidc_ensure_discovered_data(opts)
   local err
   if type(opts.discovery) == "string" then
     local discovery
-    discovery, err = openidc_discover(opts.discovery, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts,
+    discovery, err = openidc_discover(opts.discovery, opts.ssl_verify, opts.keepalive, opts.timeout, opts.jwk_expires_in, opts.proxy_opts,
                                       opts.http_request_decorator)
     if not err then
       opts.discovery = discovery
@@ -686,7 +689,7 @@ function openidc.get_discovery_doc(opts)
   return opts.discovery, err
 end
 
-local function openidc_jwks(url, force, ssl_verify, timeout, exptime, proxy_opts, http_request_decorator)
+local function openidc_jwks(url, force, ssl_verify, keepalive, timeout, exptime, proxy_opts, http_request_decorator)
   log(DEBUG, "openidc_jwks: URL is: " .. url .. " (force=" .. force .. ") (decorator=" .. (http_request_decorator and type(http_request_decorator) or "nil"))
 
   local json, err, v
@@ -703,7 +706,8 @@ local function openidc_jwks(url, force, ssl_verify, timeout, exptime, proxy_opts
     openidc_configure_timeouts(httpc, timeout)
     openidc_configure_proxy(httpc, proxy_opts)
     local res, error = httpc:request_uri(url, decorate_request(http_request_decorator, {
-      ssl_verify = (ssl_verify ~= "no")
+      ssl_verify = (ssl_verify ~= "no"),
+      keepalive = (keepalive ~= "no")
     }))
     if not res then
       err = "accessing jwks url (" .. url .. ") failed: " .. error
@@ -861,7 +865,7 @@ local function openidc_pem_from_jwk(opts, kid)
   local jwk, jwks
 
   for force = 0, 1 do
-    jwks, err = openidc_jwks(opts.discovery.jwks_uri, force, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts,
+    jwks, err = openidc_jwks(opts.discovery.jwks_uri, force, opts.ssl_verify, opts.keepalive, opts.timeout, opts.jwk_expires_in, opts.proxy_opts,
                              opts.http_request_decorator)
     if err then
       return nil, err

diff --git a/tests/spec/test_support.lua b/tests/spec/test_support.lua
@@ -18,7 +18,8 @@ local DEFAULT_OIDC_CONFIG = {
    },
    client_id = "client_id",
    client_secret = "client_secret",
-   ssl_verify = "no"
+   ssl_verify = "no",
+   keepalive = "yes"
 }
 
 local DEFAULT_ID_TOKEN = {