build: Add smoke test to CI test action and added new release action

.github/workflows/release.yml

@@ -0,0 +1,34 @@
+name: Release Rock
+
+on:
+  push:
+    tags:
+      - 'v*'  # Trigger for version tags
+
+jobs:
+  build_and_release:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@main
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Check if rockspec files are present
+        run: |
+          VERSION="$(make release-info | grep -oP '^VERSION=\K.*')"
+          ROCKSPEC_RELEASE_FILE="$(make release-info | grep -oP '^ROCKSPEC_RELEASE_FILE=\K.*')"
+          if [ ! -f "${ROCKSPEC_RELEASE_FILE}" ]; then
+            echo "No rockspec files found. Exiting."
+            exit 1
+          fi
+          # Compare tag with version with VERSIOn
+          if [ "${GITHUB_REF}" != "refs/tags/v${VERSION}" ]; then
+            echo "Tag does not match version. Exiting."
+            exit 1
+          fi
+      - name: Publish to LuaRocks
+        env:
+          LUAROCKS_API_KEY: ${{ secrets.LUAROCKS_API_KEY }}
+        run: |
+          ROCKSPEC_RELEASE_FILE="$(make release-info | grep -oP '^ROCKSPEC_RELEASE_FILE=\K.*')"
+          luarocks upload --temp-key="${LUAROCKS_API_KEY}" "${ROCKSPEC_RELEASE_FILE}"

.github/workflows/sast.yml

@@ -13,7 +13,7 @@ jobs:
   semgrep:
     timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }}
     name: Semgrep SAST
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       # required for all workflows
       security-events: write

.github/workflows/tests.yml

@@ -34,3 +34,27 @@ jobs:
           artifact-name: code-coverage-report
           github-token: ${{ secrets.GITHUB_TOKEN }}
           update-comment: true
+  smoke-tests:
+    timeout-minutes: ${{ fromJSON(vars.GHA_DEFAULT_TIMEOUT || 10) }}
+    name: Smoke Tests
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Create .env file
+        run: |
+          cp .env.tpl .env
+      - name: Run the smoke test server
+        run: |
+          make smoke-test-run-server DOCKER_RUN_FLAGS_TTY='-d'
+      - name: Wait for service to be ready
+        run: |
+          # Wait until kong is ready
+          timeout 60s bash -c 'until docker exec kong-plugin-kong-authz-openfga-smoke-test curl -i http://localhost:8007/status/ready; do sleep 5; done'
+      - name: Run smoke tests
+        run: |
+          make smoke-test-run-test DOCKER_RUN_FLAGS_TTY=''

.gitignore

@@ -9,7 +9,7 @@ luacov.stats.out
 # exclude LuaCov report
 luacov.report.out
 # Exclude all rockspec files except the main one
-/*.rockspec
+/kong-plugin-*-dev-*.rockspec
 !/kong-plugin.rockspec
 # curl netrc
 /.netrc

BACKLOG.md

@@ -9,9 +9,9 @@
 
 - [ ] Add live tests to the OpenFGA server addition to the mock server.
 - [ ] Add an example that uses Consumer in conjunction with the Basic Authentication plugin.
-- [ ] Add build, test, and deploy pipeline (GitHub Actions) to the project
-- [ ] Add GitHub action to perform a smoke test
-- [ ] Add GitHub action to publish .rock when a version was tagged. Use LUAROCKS_API_KEY secret.
+- [x] Add build, test, and deploy pipeline (GitHub Actions) to the project
+- [x] Add GitHub action to perform a smoke test
+- [x] Add GitHub action to publish .rock when a version was tagged. Use LUAROCKS_API_KEY secret.
 
 ## Cleanup
 

CHANGELOG.md

@@ -15,12 +15,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added function to make FGA requests with retry logic
 - Added unit tests to mock HTTP requests and return different responses based on call count
 - Added support for EMMY Debugger with configurable host and port
+- Added smoke test to CI pipeline
+- Added GitHub action to publish the plugin to luarocks.org when a version is tagged
 
 ### Changed
 
 - Extracted `kong.response.exit(500, "An unexpected error occurred")` to its own function
 - Extracted the code inside the `repeat ... until` loop into its own function
 - Modified `make_fga_request` to return a boolean indicating allow/deny
+- For local development, a kong-*dev-0.rockspec file is used to install the plugin. This helps segregate
+  the testing from the release process.
+- Changed the rockspec license to MIT.
 
 ### Fixed
 

Makefile

@@ -4,8 +4,9 @@ PLUGIN_FILES = $(shell find kong -type f -name '*.lua')
 
 KONG_IMAGE_TAG := $(KONG_VERSION)-rhel@sha256:$(KONG_IMAGE_HASH)
 
-ROCKSPEC_FILE := kong-plugin-$(KONG_PLUGIN_NAME)-$(KONG_PLUGIN_VERSION)-$(KONG_PLUGIN_REVISION).rockspec
-ROCK_FILE := kong-plugin-$(KONG_PLUGIN_NAME)-$(KONG_PLUGIN_VERSION)-$(KONG_PLUGIN_REVISION).all.rock
+ROCKSPEC_DEV_FILE := kong-plugin-$(KONG_PLUGIN_NAME)-dev-0.rockspec
+ROCKSPEC_RELEASE_FILE := kong-plugin-$(KONG_PLUGIN_NAME)-$(KONG_PLUGIN_VERSION)-$(KONG_PLUGIN_REVISION).rockspec
+ROCK_RELEASE_FILE := kong-plugin-$(KONG_PLUGIN_NAME)-$(KONG_PLUGIN_VERSION)-$(KONG_PLUGIN_REVISION).all.rock
 
 SERVROOT_PATH := servroot
 
@@ -129,8 +130,6 @@ CONTAINER_CI_KONG_TOOLING_BUILD = DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=$(BUILDKIT
 	--build-arg KONG_IMAGE_TAG='$(KONG_IMAGE_TAG)' \
 	--build-arg KONG_TARGET_VERSION='$(KONG_VERSION)' \
 	--build-arg KONG_PLUGIN_NAME='$(KONG_PLUGIN_NAME)' \
-	--build-arg KONG_PLUGIN_VERSION='$(KONG_PLUGIN_VERSION)' \
-	--build-arg KONG_PLUGIN_REVISION='$(KONG_PLUGIN_REVISION)' \
 	--build-arg PONGO_KONG_VERSION='$(PONGO_KONG_VERSION)' \
 	--build-arg PONGO_ARCHIVE='$(PONGO_ARCHIVE)' \
 	--build-arg STYLUA_VERSION='$(STYLUA_VERSION)' \
@@ -144,11 +143,13 @@ CONTAINER_CI_KONG_SMOKE_TEST_BUILD = DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=$(BUILD
 	--build-arg KONG_IMAGE_NAME='$(KONG_IMAGE_NAME)' \
 	--build-arg KONG_IMAGE_TAG='$(KONG_IMAGE_TAG)' \
 	--build-arg KONG_PLUGIN_NAME='$(KONG_PLUGIN_NAME)' \
-	--build-arg KONG_PLUGIN_VERSION='$(KONG_PLUGIN_VERSION)' \
-	--build-arg KONG_PLUGIN_REVISION='$(KONG_PLUGIN_REVISION)' \
-	--build-arg KONG_PLUGIN_ROCK_FILE='$(ROCK_FILE)' \
+	--build-arg KONG_PLUGIN_ROCKSPEC_FILE='$(ROCKSPEC_DEV_FILE)' \
 	.
 
+CONTAINER_CI_KONG_RUN := MSYS_NO_PATHCONV=1 $(DOCKER) run $(DOCKER_RUN_FLAGS) \
+	-v '$(PWD):$(DOCKER_MOUNT_IN_CONTAINER)' \
+	'$(KONG_IMAGE_NAME):$(KONG_IMAGE_TAG)'
+
 CONTAINER_CI_KONG_TOOLING_RUN := MSYS_NO_PATHCONV=1 $(DOCKER) run $(DOCKER_RUN_FLAGS) \
 	-p 9966:9966 \
 	-e KONG_SPEC_TEST_REDIS_HOST='$(CONTAINER_CI_REDIS_NAME)' \
@@ -205,12 +206,24 @@ TAG ?=
 .PHONY: all
 all: test
 
-$(ROCKSPEC_FILE): kong-plugin.rockspec
-	cp kong-plugin.rockspec $(ROCKSPEC_FILE)
+$(ROCKSPEC_DEV_FILE): kong-plugin.rockspec
+	cp kong-plugin.rockspec $(ROCKSPEC_DEV_FILE)
+	$(CONTAINER_CI_KONG_RUN) sh -c '(cd $(DOCKER_MOUNT_IN_CONTAINER); luarocks new_version $(ROCKSPEC_DEV_FILE) --tag=dev-0 --dir .)'
+
+$(ROCKSPEC_RELEASE_FILE): $(ROCKSPEC_DEV_FILE)
+	$(CONTAINER_CI_KONG_RUN) sh -c '(cd $(DOCKER_MOUNT_IN_CONTAINER); luarocks new_version $(ROCKSPEC_DEV_FILE) --tag=v$(KONG_PLUGIN_VERSION)-$(KONG_PLUGIN_REVISION) --dir .)'
+
+.PHONY: release-rockspec
+release-rockspec: $(ROCKSPEC_RELEASE_FILE)
+
+.PHONY: release-rockspec
+release-info:
+	@echo "VERSION=v$(KONG_PLUGIN_VERSION)-$(KONG_PLUGIN_REVISION)"
+	@echo "ROCKSPEC_RELEASE_FILE=$(ROCKSPEC_RELEASE_FILE)"
 
 # Rebuild the rock file every time the rockspec or the kong/**/.lua files change
-$(ROCK_FILE): container-ci-kong-tooling $(ROCKSPEC_FILE) $(PLUGIN_FILES)
-	$(CONTAINER_CI_KONG_TOOLING_RUN) sh -c '(cd $(DOCKER_MOUNT_IN_CONTAINER); luarocks make --pack-binary-rock --deps-mode none $(ROCKSPEC_FILE))'
+$(ROCK_RELEASE_FILE): container-ci-kong-tooling $(ROCKSPEC_RELEASE_FILE) $(PLUGIN_FILES)
+	$(CONTAINER_CI_KONG_TOOLING_RUN) sh -c '(cd $(DOCKER_MOUNT_IN_CONTAINER); luarocks make --pack-binary-rock --deps-mode none $(ROCKSPEC_RELEASE_FILE))'
 
 test-results:
 	mkdir -p $(TEST_RESULTS_PATH)
@@ -223,10 +236,10 @@ tail-logs:
 test: lint test-unit
 
 .PHONY: pack
-pack: $(ROCK_FILE)
+pack: $(ROCK_RELEASE_FILE)
 
 .PHONY: container-ci-kong-tooling
-container-ci-kong-tooling: $(ROCKSPEC_FILE) container-network-ci
+container-ci-kong-tooling: $(ROCKSPEC_DEV_FILE) container-network-ci
 	$(CONTAINER_CI_KONG_TOOLING_BUILD)
 
 .PHONY: container-ci-kong-tooling-debug
@@ -235,7 +248,7 @@ container-ci-kong-tooling-debug: DOCKER_NO_CACHE = '--no-cache'
 container-ci-kong-tooling-debug: container-ci-kong-tooling
 
 .PHONY: container-ci-kong-smoke-test
-container-ci-kong-smoke-test: $(ROCK_FILE) container-network-ci
+container-ci-kong-smoke-test: $(ROCKSPEC_DEV_FILE) container-network-ci
 	$(CONTAINER_CI_KONG_SMOKE_TEST_BUILD)
 
 .PHONY: container-ci-kong-smoke-test-debug
@@ -340,6 +353,7 @@ clean-servroot:
 .PHONY: clean-rockspec
 clean-rockspec:
 	-$(RMDIR) kong-plugin-*.rockspec
+#-git ls-files --others --exclude-standard --ignored -- | grep 'kong-plugin-.*\.rockspec' | xargs $(RM) || true
 
 .PHONY: clean-rock
 clean-rock:

README.md

@@ -286,21 +286,22 @@ The project bundles a mock server for OpenFGA.
 
 - <https://marketplace.visualstudio.com/items?itemName=sumneko.lua>
 - <https://marketplace.visualstudio.com/items?itemName=dwenegar.vscode-luacheck>
+- <https://marketplace.visualstudio.com/items?itemName=tangzx.emmylua>
 
 # Release a new version
 
 1. Checkout the main branch
    1. `git checkout main`
 2. Update the version number in [plugin.properties](plugin.properties)
-3. Update the version number in [kong-plugin.rockspec](kong-plugin.rockspec)
-4. Update the version number in [README.md](README.md)
+3. Update the version number in [README.md](README.md)
+4. Generate the release rockspec file
+   1. `make release-rockspec`
 5. Update the version number in [kong/plugins/kong-authz-openfga/handler.lua](kong/plugins/kong-authz-openfga/handler.lua)
 6. Add a new section to [CHANGELOG.md](CHANGELOG.md) with the release highlights
 7. Commit the changes, create a tag and push changes and tag to the remote repository
-   1. `git add plugin.properties kong-plugin.rockspec README.md kong/plugins/*/handler.lua CHANGELOG.md`
+   1. `git add plugin.properties *.rockspec README.md kong/plugins/*/handler.lua CHANGELOG.md`
    2. `git commit -m "Release x.y.z-r"`
    3. `git tag x.y.z-r`
    4. `git push`
    5. `git push --tags`
-8. @TODO: Add step to publish the \*.rock file to LuaRocks
-9. @TODO: Add step to perform a release in GitHub
+8. @TODO: Add step to perform a release in GitHub

_build/images/kong-smoke-test/Dockerfile

@@ -5,21 +5,23 @@ FROM ${KONG_IMAGE_NAME}:${KONG_IMAGE_TAG} AS builder
 USER root
 
 ARG KONG_PLUGIN_NAME
-ARG KONG_PLUGIN_VERSION
-ARG KONG_PLUGIN_REVISION
-ARG KONG_PLUGIN_ROCK_FILE
+ARG KONG_PLUGIN_ROCKSPEC_FILE
 
 RUN dnf install -y gcc m4 --setopt=install_weak_deps=False \
   && dnf clean all
 
-COPY ${KONG_PLUGIN_ROCK_FILE} /${KONG_PLUGIN_ROCK_FILE}
+WORKDIR /plugin
+COPY . .
 
-RUN luarocks install /${KONG_PLUGIN_ROCK_FILE}
+# Install from .rockspec
+RUN find && luarocks make ${KONG_PLUGIN_ROCKSPEC_FILE}
 
 FROM ${KONG_IMAGE_NAME}:${KONG_IMAGE_TAG}
 
 ENV KONG_LOG_LEVEL=debug
 
+ENV KONG_NGINX_WORKER_PROCESSES=1
+
 # Add the Lua files (.lua)
 COPY --from=builder /usr/local/share/lua/5.1 /usr/local/share/lua/5.1
 

_build/images/kong-smoke-test/Dockerfile.dockerignore

@@ -0,0 +1,8 @@
+# Ignore all files
+*
+
+# Exclude the following files
+!/kong/
+!/README.md
+!/LICENSE
+!/kong-plugin-*-dev-0.rockspec

_build/images/kong-tooling/Dockerfile

@@ -8,17 +8,13 @@ USER root
 # the variable KONG_VERSION can't be used and will always be an empty string.
 ARG KONG_TARGET_VERSION
 ARG KONG_PLUGIN_NAME
-ARG KONG_PLUGIN_VERSION
-ARG KONG_PLUGIN_REVISION
 ARG PONGO_KONG_VERSION
 ARG PONGO_ARCHIVE
 ARG STYLUA_VERSION
 ARG EMMY_LUA_DEBUGGER_VERSION
 
-COPY kong-plugin-${KONG_PLUGIN_NAME}-${KONG_PLUGIN_VERSION}-${KONG_PLUGIN_REVISION}.rockspec /kong-plugin-${KONG_PLUGIN_NAME}-${KONG_PLUGIN_VERSION}-${KONG_PLUGIN_REVISION}.rockspec
-COPY _build/images/kong-plugin-testing-0.1.0-0.rockspec /kong-plugin-testing-0.1.0-0.rockspec
-
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 RUN dnf install -y cmake gcc m4 git --setopt=install_weak_deps=False \
   && curl -sSf -L https://github.com/Kong/kong-pongo/archive/refs/heads/master.tar.gz | tar xfvz - -C / --strip-components 3 kong-pongo-master/kong-versions/"${PONGO_KONG_VERSION}" \
   && echo 'database = off' >> /kong/spec/kong_tests.conf \
@@ -31,14 +27,18 @@ RUN dnf install -y cmake gcc m4 git --setopt=install_weak_deps=False \
   && cd /tmp/EmmyLuaDebugger-${EMMY_LUA_DEBUGGER_VERSION}/build \
   && cmake .. -DCMAKE_BUILD_TYPE=Release -DEMMY_CORE_VERSION=${EMMY_LUA_DEBUGGER_VERSION} \
   && cmake --build . --config Release \
-  # Install package dependencies defined in the plugin rockspec file.
-  && luarocks build /kong-plugin-${KONG_PLUGIN_NAME}-${KONG_PLUGIN_VERSION}-${KONG_PLUGIN_REVISION}.rockspec --only-deps OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong \
-  # Install package dependencies used for unit and integration tests.
-  && luarocks build /kong-plugin-testing-0.1.0-0.rockspec --only-deps OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong \
   && unzip /tmp/stylua-linux-x86_64.zip -d /usr/local/bin \
   && cp /tmp/EmmyLuaDebugger-${EMMY_LUA_DEBUGGER_VERSION}/build/emmy_core/emmy_core.so /usr/local/lib/lua/5.1 \
   && rm -rf /var/tmp/*
 
+COPY _build/images/kong-plugin-testing-0.1.0-0.rockspec /kong-plugin-testing-0.1.0-0.rockspec
+# Install package dependencies used for unit and integration tests.
+RUN luarocks build /kong-plugin-testing-0.1.0-0.rockspec --only-deps OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong
+
+COPY kong-plugin-${KONG_PLUGIN_NAME}-dev-0.rockspec /kong-plugin-${KONG_PLUGIN_NAME}-dev-0.rockspec
+# Install package dependencies defined in the plugin rockspec file.
+RUN luarocks build /kong-plugin-${KONG_PLUGIN_NAME}-dev-0.rockspec --only-deps OPENSSL_DIR=/usr/local/kong CRYPTO_DIR=/usr/local/kong
+
 FROM ${KONG_IMAGE_NAME}:${KONG_IMAGE_TAG}
 
 ENV LUA_PATH="/kong-plugin/?.lua;/kong-plugin/?/init.lua;;"

kong-plugin.rockspec

@@ -2,8 +2,8 @@ local plugin_name = "kong-authz-openfga"
 local package_name = "kong-plugin-" .. plugin_name
 local package_namespace = "kong.plugins." .. plugin_name
 local package_path = "kong/plugins/" .. plugin_name
-local package_version = "0.1.0"
-local rockspec_revision = "1"
+local package_version = "dev"
+local rockspec_revision = "0"
 
 package = package_name
 version = package_version .. "-" .. rockspec_revision
@@ -15,10 +15,11 @@ source = {
 description = {
   summary = "Kong plugin for kong-authz-openfga integration",
   homepage = "https://github.com/dol/kong-authz-openfga",
-  license = "proprietary",
+  license = "MIT",
 }
 
 dependencies = {
+  "lua ~> 5.1",
 }
 
 build = {

kong/plugins/kong-authz-openfga/access.lua

@@ -57,7 +57,7 @@ local function make_fga_request(httpc, url, fga_request, conf)
     return false, "Failed to decode FGA response body: " .. json_err
   end
 
-  if (response.status == 200 and body.allowed ~= nil and type(body.allowed) == "boolean") then
+  if response.status == 200 and body.allowed ~= nil and type(body.allowed) == "boolean" then
     return body.allowed, nil
   end
 
@@ -117,7 +117,7 @@ function _M.execute(conf)
     -- Backoff timeout only after the first attempt was not successful
     if attempts > 1 then
       local backoff_timeout = (conf.failed_attempts_backoff_timeout * 2 ^ (attempts - 1)) / 1000
-      kong.log.info("Querying OpenFGA. Backoff timeout: ", backoff_timeout, " seconds, ",attempt_info)
+      kong.log.info("Querying OpenFGA. Backoff timeout: ", backoff_timeout, " seconds, ", attempt_info)
       ngx.sleep(backoff_timeout)
     else
       kong.log.info("Querying OpenFGA: ", attempt_info)
@@ -135,7 +135,7 @@ function _M.execute(conf)
 
     -- Log the error and retry the request
     kong.log.err(raise_err, ", ", attempt_info)
-  until (attempts >= conf.max_attempts)
+  until attempts >= conf.max_attempts
 
   return unexpected_error()
 end