selmertsx / pomodoro


Set up OpenID Connect. #8

Closed selmertsx closed 5 years ago

selmertsx commented 6 years ago

lua-resty-openidc

https://github.com/zmartzone/lua-resty-openidc

Install it with ↑. That needs opm or LuaRocks.

selmertsx commented 6 years ago

https://github.com/openresty/docker-openresty#opm

Reading that page, it says the following:

Starting at version 1.11.2.2, OpenResty for Linux includes a package manager called opm, which can be found at /usr/local/openresty/bin/opm.
opm is built in all the images except alpine and stretch

So opm seems to be installed already.

selmertsx commented 6 years ago

I rewrote the nginx Dockerfile like ↓.

FROM openresty/openresty:1.13.6.2-0-centos

RUN rm -f /etc/nginx/conf.d/*
ADD conf.d/app.conf /etc/nginx/conf.d/app.conf
RUN opm install zmartzone/lua-resty-openidc
CMD ["/usr/bin/openresty", "-g", "daemon off;"]
selmertsx commented 6 years ago
* Fetching zmartzone/lua-resty-openidc
  Downloading https://opm.openresty.org/api/pkg/tarball/zmartzone/lua-resty-openidc-1.6.1.opm.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 24740  100 24740    0     0  43487      0 --:--:-- --:--:-- --:--:-- 43556
* Fetching pintsized/lua-resty-http >= 0.08
  Downloading https://opm.openresty.org/api/pkg/tarball/pintsized/lua-resty-http-0.12.opm.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 19953  100 19953    0     0  35959      0 --:--:-- --:--:-- --:--:-- 36016
Package pintsized/lua-resty-http 0.12 installed successfully under /usr/local/openresty/site/ .
* Fetching cdbattags/lua-resty-jwt >= 0.2.0
  Downloading https://opm.openresty.org/api/pkg/tarball/cdbattags/lua-resty-jwt-0.2.0.opm.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 26288  100 26288    0     0  46202      0 --:--:-- --:--:-- --:--:-- 46281
* Fetching jkeys089/lua-resty-hmac >= 0.02
  Downloading https://opm.openresty.org/api/pkg/tarball/jkeys089/lua-resty-hmac-0.02.opm.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  5083  100  5083    0     0  11358      0 --:--:-- --:--:-- --:--:-- 11371
* Fetching openresty/lua-resty-string >= 0.08
  Downloading https://opm.openresty.org/api/pkg/tarball/openresty/lua-resty-string-0.11.opm.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6144  100  6144    0     0  13551      0 --:--:-- --:--:-- --:--:-- 13562
Package openresty/lua-resty-string 0.11 installed successfully under /usr/local/openresty/site/ .
Package jkeys089/lua-resty-hmac 0.02 installed successfully under /usr/local/openresty/site/ .
Package cdbattags/lua-resty-jwt 0.2.0 installed successfully under /usr/local/openresty/site/ .
* Fetching bungle/lua-resty-session >= 2.8
  Downloading https://opm.openresty.org/api/pkg/tarball/bungle/lua-resty-session-2.22.opm.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 34274  100 34274    0     0  54301      0 --:--:-- --:--:-- --:--:-- 54231
Package lua-resty-string-0.11 already installed.
Package bungle/lua-resty-session 2.22 installed successfully under /usr/local/openresty/site/ .
Package zmartzone/lua-resty-openidc 1.6.1 installed successfully under /usr/local/openresty/site/ .
selmertsx commented 6 years ago

How do I verify that the install actually worked... guess I'll try this: https://github.com/pintsized/lua-resty-http

selmertsx commented 6 years ago
local http = require "resty.http"
local httpc = http.new()
local res, err = httpc:request_uri("http://selmertsx.hatenablog.com/", {
  method = "GET",
  headers = {
    ["Content-Type"] = "application/x-www-form-urlencoded",
  }
})

-- request_uri returns nil, err on failure; bail out instead of indexing nil
if not res then
  ngx.log(ngx.ERR, "request failed: ", err)
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

ngx.say(res.body)

Confirmed that ↑ works. Trying an https connection gives the error below.

pomodoro-web | 2018/07/09 04:57:53 [crit] 95#95: *34 connect() to [2404:6800:4004:80a::2003]:443 failed (99: Cannot assign requested address), client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"
pomodoro-web | 172.19.0.1 - - [09/Jul/2018:04:57:53 +0000] "GET /test HTTP/1.1" 200 62 "-" "curl/7.54.0"

https://github.com/pintsized/lua-resty-http/issues/42#issuecomment-359959429

selmertsx commented 6 years ago
pomodoro-web | 2018/07/09 05:22:28 [crit] 11#11: *4 connect() to [2404:6800:4004:80a::2003]:443 failed (99: Cannot assign requested address), client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"
pomodoro-web | 2018/07/09 05:25:30 [error] 11#11: *7 lua ssl certificate verify error: (20: unable to get local issuer certificate), client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"
pomodoro-web | 172.19.0.1 - - [09/Jul/2018:05:25:30 +0000] "GET /test HTTP/1.1" 200 73 "-" "curl/7.54.0"

This time a different kind of error came out.

selmertsx commented 6 years ago

Looking at https://github.com/zmartzone/lua-resty-openidc, the following settings are needed.

  lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
  lua_ssl_verify_depth 5;

  # cache for discovery metadata documents
  lua_shared_dict discovery 1m;
  # cache for JWKs
  lua_shared_dict jwks 1m;

I need to get to the point where I understand these directives.

selmertsx commented 6 years ago

The certificates do exist in the nginx container

➜  pomodoro git:(master) ✗ docker exec -it pomodoro-web /bin/bash
[root@bba9dae7baca /]# ls -al /etc/ssl/certs/
total 8
drwxr-xr-x 2 root root 4096 Apr  2 18:38 .
drwxr-xr-x 5 root root 4096 Apr  2 18:38 ..
lrwxrwxrwx 1 root root   49 Apr  2 18:38 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx 1 root root   55 Apr  2 18:38 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
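
The listing above is the key detail behind the `unable to get local issuer certificate` error: `lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` from the lua-resty-openidc README is the Debian/Ubuntu file name, while this CentOS image only has `/etc/ssl/certs/ca-bundle.crt` (a symlink into `/etc/pki/ca-trust`). If the directive points at a file that does not exist, every TLS handshake the cosocket makes (discovery, token endpoint, JWKS) fails verification. The script below is an added example, not code from this issue or from lua-resty-openidc: it reads the directive out of a conf file and checks that the file exists and looks like a PEM bundle. The candidate bundle paths are assumptions about common base images, and the conf and bundle it is tested with are constructed.

```shell
#!/bin/sh
# Added example: sanity-check the CA bundle nginx is told to trust for Lua
# cosockets. Run inside the container, e.g.
#   docker exec pomodoro-web sh check_ca.sh /usr/local/openresty/nginx/conf/nginx.conf

# Print the path configured by lua_ssl_trusted_certificate in $1 (first match).
trusted_cert_path() {
  sed -n 's/^[[:space:]]*lua_ssl_trusted_certificate[[:space:]]*\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# 0 if $1 is a non-empty file containing at least one PEM certificate, else 1.
is_pem_bundle() {
  [ -s "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the first usable bundle among well-known locations (assumed list).
# $1 is an optional root prefix so the lookup can be pointed at a test tree.
find_ca_bundle() {
  root="${1:-}"
  for p in \
    /etc/ssl/certs/ca-certificates.crt \
    /etc/ssl/certs/ca-bundle.crt \
    /etc/pki/tls/certs/ca-bundle.crt \
    /etc/ssl/cert.pem; do
    if is_pem_bundle "$root$p"; then
      printf '%s\n' "$root$p"
      return 0
    fi
  done
  return 1
}

# Check conf $1: 0 if the configured bundle is usable, 1 otherwise (with a
# hint naming a bundle that does exist, when one can be found).
check_trusted_cert() {
  conf="$1"; root="${2:-}"
  path=$(trusted_cert_path "$conf")
  if [ -z "$path" ]; then
    echo "no lua_ssl_trusted_certificate directive in $conf" >&2
    return 1
  fi
  if is_pem_bundle "$root$path"; then
    echo "ok: $path"
    return 0
  fi
  echo "missing or not a PEM bundle: $path" >&2
  alt=$(find_ca_bundle "$root") && echo "hint: lua_ssl_trusted_certificate $alt;" >&2
  return 1
}

# When invoked with a conf path, run the check; when sourced, only define functions.
if [ $# -gt 0 ]; then
  check_trusted_cert "$@"
fi
```

Two caveats worth keeping in mind. `lua_ssl_verify_depth` only bounds chain length; the trust anchor still has to come from this file, so a wrong path cannot be papered over by raising the depth. And the earlier `connect() to [2404:6800:4004:80a::2003]:443 failed (99: Cannot assign requested address)` line is a different problem from certificate trust: the cosocket picked an AAAA record inside a container that has no IPv6 route, and nginx's `resolver` directive accepts `ipv6=off` to restrict lookups to A records.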
selmertsx commented 6 years ago

So, https connections now work for the time being; moving on.

selmertsx commented 6 years ago
local opts = {
  redirect_uri_path = "/",
  discovery = "xxx",      -- values redacted in the original post
  client_id = "xxx",
  client_secret = "xxx",
}
local res, err = require("resty.openidc").authenticate(opts)
if err then
  ngx.status = 500
  ngx.say(err)
  ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end
-- set_header replaces any X-USER a client sent, so the upstream can trust it
-- as long as all traffic reaches it through this proxy
ngx.req.set_header("X-USER", res.id_token.sub)

pomodoro-web | 2018/07/09 10:22:04 [debug] 45#45: *21 [lua] openidc.lua:488: openidc_discover(): response data: {"authorization_endpoint":"xxx....."} 
pomodoro-web | 2018/07/09 10:22:04 [error] 45#45: *21 [lua] openidc.lua:495: openidc_discover(): issuer field in Discovery data does not match URL, client: 172.19.0.1, server: localhost, request: "GET /test HTTP/1.1", host: "127.0.0.1:8080"

So it went and fetched it, but got told the issuer value is wrong.
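
lua-resty-openidc's openidc_discover() raises exactly this error when the discovery URL it fetched does not begin with the `issuer` string in the returned document; that is how the 1.6.x source reads, and OpenID Connect Discovery 1.0 section 4.3 is stricter still: the issuer must be identical to the URL the document was retrieved from, without the `/.well-known/openid-configuration` suffix. The usual culprits are a trailing slash, a scheme or host that differs from the provider's advertised public URL (for example an OP behind a reverse proxy that still thinks it is `http://`), or a discovery URL on a path the issuer does not cover. The script below is an added example, not code from this issue or from the library; it reproduces both checks offline so a mismatch can be diagnosed without restarting nginx. The discovery documents and provider hostnames in it are constructed.

```shell
#!/bin/sh
# Added example: check an OIDC discovery document's "issuer" against the URL
# it was fetched from, the way lua-resty-openidc does (prefix match) and the
# way the spec requires (exact match). Sample documents are constructed.

# Extract the "issuer" string from a discovery document on stdin. Enough for
# the flat JSON these documents use; not a general JSON parser.
discovery_issuer() {
  sed -n 's/.*"issuer"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Lenient check (what openidc_discover() in 1.6.x does, as read from the
# source): the discovery URL must start with the issuer string.
issuer_prefix_ok() {
  url="$1"; issuer="$2"
  case "$url" in
    "$issuer"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Strict check per OpenID Connect Discovery 1.0 section 4.3: the issuer must
# equal the fetch URL minus the well-known suffix.
issuer_exact_ok() {
  url="$1"; issuer="$2"
  base="${url%/.well-known/openid-configuration}"
  [ "$base" = "$issuer" ]
}

# Read a document on stdin that was fetched from URL $1 and print a diagnosis.
# Exit status: 0 usable, 1 mismatch, 2 no issuer field.
diagnose() {
  url="$1"
  issuer=$(discovery_issuer)
  if [ -z "$issuer" ]; then
    echo "no issuer field in discovery document"
    return 2
  fi
  if issuer_exact_ok "$url" "$issuer"; then
    echo "ok: issuer matches $url"
    return 0
  fi
  if issuer_prefix_ok "$url" "$issuer"; then
    echo "lenient match only: issuer=$issuer url=$url (check trailing slash / path)"
    return 0
  fi
  echo "mismatch: issuer=$issuer url=$url"
  return 1
}

# Constructed sample: the provider advertises its issuer with a trailing slash.
SAMPLE_URL="https://op.example.com/.well-known/openid-configuration"
SAMPLE_DOC='{"issuer":"https://op.example.com/","authorization_endpoint":"https://op.example.com/auth"}'
printf '%s' "$SAMPLE_DOC" | diagnose "$SAMPLE_URL"
```

To test a real provider, replace the sample with `curl -s "$URL" | diagnose "$URL"`. Whatever string the strict check accepts is the value to use both as `opts.discovery` (with the well-known suffix) and, since the library also compares it against the `iss` claim of issued ID tokens, as the provider's configured public URL.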

selmertsx commented 6 years ago

For now I'll get as far as passing environment variables to nginx and Lua and fiddling with them.

selmertsx commented 6 years ago

I want to pass environment variables to Lua

https://stackoverflow.com/questions/39168380/nginx-env-directive-is-not-allowed-here https://qiita.com/catatsuy/items/696d8535de03d8c22a8b

That's about it for now. Let's get this far.

selmertsx commented 6 years ago

http://devdocs.io/nginx_lua_module/#system-environment-variable-support

It says to put them in nginx.conf.

selmertsx commented 6 years ago

The conf of the docker-openresty I'm using looks like this. https://github.com/openresty/docker-openresty/blob/master/nginx.conf

Rewriting this should do it.

https://github.com/openresty/docker-openresty/blob/master/centos/Dockerfile#L57

This looks like the place to paste it.
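
The reason the `env` directive has to go into nginx.conf itself, and into its top (main) context rather than a conf.d fragment included under `http`, is that nginx strips inherited environment variables from its workers except `TZ`; only names listed with `env` survive, and those are what `os.getenv("OIDC_CLIENT_SECRET")` in Lua can read. The entrypoint script below is an added example, not from this issue or from docker-openresty: it refuses to start if a required variable is unset, renders the `env` lines into nginx.conf from a template, and then execs openresty so the secret never has to be baked into the image or the conf. The variable names, template marker and paths are assumptions.

```shell
#!/bin/sh
# Added example: container entrypoint that passes OIDC settings to Lua via
# nginx's `env` directive. Assumed layout:
#   /etc/nginx/nginx.conf.tmpl  - nginx.conf with a "#ENV_DIRECTIVES" line at top level
#   /usr/local/openresty/nginx/conf/nginx.conf - rendered output
# Lua then reads them with os.getenv("OIDC_CLIENT_SECRET") etc.

# Names the Lua code will read with os.getenv() (assumed).
OIDC_VARS="OIDC_DISCOVERY OIDC_CLIENT_ID OIDC_CLIENT_SECRET"

# Print one "env NAME;" line per argument.
render_env_directives() {
  for name in "$@"; do
    printf 'env %s;\n' "$name"
  done
}

# Return 1 and list the offenders if any named variable is unset or empty,
# so a misconfigured container fails at startup instead of at first login.
require_env() {
  missing=""
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Render template $1 to $2, replacing the "#ENV_DIRECTIVES" marker line with
# env directives for the remaining arguments. Everything else is copied as-is.
write_nginx_conf() {
  template="$1"; out="$2"; shift 2
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$line" = "#ENV_DIRECTIVES" ]; then
      render_env_directives "$@" >> "$out"
    else
      printf '%s\n' "$line" >> "$out"
    fi
  done < "$template"
}

# Full startup flow; word-splitting OIDC_VARS is intended.
entrypoint() {
  require_env $OIDC_VARS || exit 1
  write_nginx_conf /etc/nginx/nginx.conf.tmpl /usr/local/openresty/nginx/conf/nginx.conf $OIDC_VARS
  exec /usr/local/openresty/bin/openresty -g 'daemon off;'
}

# Only start nginx when explicitly asked (so the functions can be sourced and tested).
if [ "${RUN_ENTRYPOINT:-0}" = 1 ]; then
  entrypoint "$@"
fi
```

Wire it in with `ENTRYPOINT ["sh", "/entrypoint.sh"]` and `ENV RUN_ENTRYPOINT=1`, and keep the `client_secret` out of `app.conf` entirely: the Lua side reads `os.getenv("OIDC_CLIENT_SECRET")` into `opts.client_secret` at request time, so rotating the secret is a container restart, not an image rebuild.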

selmertsx commented 5 years ago

Got it working for now, so closing.