[NET-3092] JWT Verify claims handling (#17452)
* [NET-3092] JWT Verify claims handling
This commit is contained in:
parent
24cb491c89
commit
e273c08fda
|
@ -0,0 +1,3 @@
|
|||
```release-note:feature
|
||||
mesh: Support configuring JWT authentication in Envoy.
|
||||
```
|
|
@ -16,6 +16,18 @@ import (
|
|||
"google.golang.org/protobuf/types/known/wrapperspb"
|
||||
)
|
||||
|
||||
const (
|
||||
jwtEnvoyFilter = "envoy.filters.http.jwt_authn"
|
||||
jwtMetadataKeyPrefix = "jwt_payload"
|
||||
)
|
||||
|
||||
// This is an intermediate JWTProvider form used to associate
|
||||
// unique payload keys to providers
|
||||
type jwtAuthnProvider struct {
|
||||
ComputedName string
|
||||
Provider *structs.IntentionJWTProvider
|
||||
}
|
||||
|
||||
func makeJWTAuthFilter(pCE map[string]*structs.JWTProviderConfigEntry, intentions structs.SimplifiedIntentions) (*envoy_http_v3.HttpFilter, error) {
|
||||
providers := map[string]*envoy_http_jwt_authn_v3.JwtProvider{}
|
||||
var rules []*envoy_http_jwt_authn_v3.RequirementRule
|
||||
|
@ -24,29 +36,33 @@ func makeJWTAuthFilter(pCE map[string]*structs.JWTProviderConfigEntry, intention
|
|||
if intention.JWT == nil && !hasJWTconfig(intention.Permissions) {
|
||||
continue
|
||||
}
|
||||
for _, jwtReq := range collectJWTRequirements(intention) {
|
||||
if _, ok := providers[jwtReq.Name]; ok {
|
||||
for _, jwtReq := range collectJWTAuthnProviders(intention) {
|
||||
if _, ok := providers[jwtReq.ComputedName]; ok {
|
||||
continue
|
||||
}
|
||||
|
||||
jwtProvider, ok := pCE[jwtReq.Name]
|
||||
jwtProvider, ok := pCE[jwtReq.Provider.Name]
|
||||
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("provider specified in intention does not exist. Provider name: %s", jwtReq.Name)
|
||||
return nil, fmt.Errorf("provider specified in intention does not exist. Provider name: %s", jwtReq.Provider.Name)
|
||||
}
|
||||
envoyCfg, err := buildJWTProviderConfig(jwtProvider)
|
||||
// If intention permissions use HTTP-match criteria with
|
||||
// VerifyClaims, then generate a clone of the jwt provider with a
|
||||
// unique key for payload_in_metadata. The RBAC filter relies on
|
||||
// the key to check the correct claims for the matched request.
|
||||
envoyCfg, err := buildJWTProviderConfig(jwtProvider, jwtReq.ComputedName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
providers[jwtReq.Name] = envoyCfg
|
||||
providers[jwtReq.ComputedName] = envoyCfg
|
||||
}
|
||||
|
||||
for _, perm := range intention.Permissions {
|
||||
for k, perm := range intention.Permissions {
|
||||
if perm.JWT == nil {
|
||||
continue
|
||||
}
|
||||
for _, prov := range perm.JWT.Providers {
|
||||
rule := buildRouteRule(prov, perm, "/")
|
||||
rule := buildRouteRule(prov, perm, "/", k)
|
||||
rules = append(rules, rule)
|
||||
}
|
||||
}
|
||||
|
@ -54,8 +70,7 @@ func makeJWTAuthFilter(pCE map[string]*structs.JWTProviderConfigEntry, intention
|
|||
if intention.JWT != nil {
|
||||
for _, provider := range intention.JWT.Providers {
|
||||
// The top-level provider applies to all requests.
|
||||
// TODO(roncodingenthusiast): Handle provider.VerifyClaims
|
||||
rule := buildRouteRule(provider, nil, "/")
|
||||
rule := buildRouteRule(provider, nil, "/", 0)
|
||||
rules = append(rules, rule)
|
||||
}
|
||||
}
|
||||
|
@ -70,37 +85,65 @@ func makeJWTAuthFilter(pCE map[string]*structs.JWTProviderConfigEntry, intention
|
|||
Providers: providers,
|
||||
Rules: rules,
|
||||
}
|
||||
return makeEnvoyHTTPFilter("envoy.filters.http.jwt_authn", cfg)
|
||||
return makeEnvoyHTTPFilter(jwtEnvoyFilter, cfg)
|
||||
}
|
||||
|
||||
func collectJWTRequirements(i *structs.Intention) []*structs.IntentionJWTProvider {
|
||||
var jReqs []*structs.IntentionJWTProvider
|
||||
func collectJWTAuthnProviders(i *structs.Intention) []*jwtAuthnProvider {
|
||||
var reqs []*jwtAuthnProvider
|
||||
|
||||
if i.JWT != nil {
|
||||
jReqs = append(jReqs, i.JWT.Providers...)
|
||||
for _, prov := range i.JWT.Providers {
|
||||
reqs = append(reqs, &jwtAuthnProvider{Provider: prov, ComputedName: makeComputedProviderName(prov.Name, nil, 0)})
|
||||
}
|
||||
}
|
||||
|
||||
jReqs = append(jReqs, getPermissionsProviders(i.Permissions)...)
|
||||
reqs = append(reqs, getPermissionsProviders(i.Permissions)...)
|
||||
|
||||
return jReqs
|
||||
return reqs
|
||||
}
|
||||
|
||||
func getPermissionsProviders(p []*structs.IntentionPermission) []*structs.IntentionJWTProvider {
|
||||
intentionProviders := []*structs.IntentionJWTProvider{}
|
||||
for _, perm := range p {
|
||||
func getPermissionsProviders(p []*structs.IntentionPermission) []*jwtAuthnProvider {
|
||||
var reqs []*jwtAuthnProvider
|
||||
for k, perm := range p {
|
||||
if perm.JWT == nil {
|
||||
continue
|
||||
}
|
||||
intentionProviders = append(intentionProviders, perm.JWT.Providers...)
|
||||
for _, prov := range perm.JWT.Providers {
|
||||
reqs = append(reqs, &jwtAuthnProvider{Provider: prov, ComputedName: makeComputedProviderName(prov.Name, perm, k)})
|
||||
}
|
||||
}
|
||||
|
||||
return intentionProviders
|
||||
return reqs
|
||||
}
|
||||
|
||||
func buildJWTProviderConfig(p *structs.JWTProviderConfigEntry) (*envoy_http_jwt_authn_v3.JwtProvider, error) {
|
||||
// makeComputedProviderName is used to create names for unique provider per permission
|
||||
// This is to stop jwt claims cross validation across permissions/providers.
|
||||
//
|
||||
// eg. If Permission x is the 3rd permission and has a provider of original name okta
|
||||
// this function will return okta_3 as the computed provider name
|
||||
func makeComputedProviderName(name string, perm *structs.IntentionPermission, idx int) string {
|
||||
if perm == nil {
|
||||
return name
|
||||
}
|
||||
return fmt.Sprintf("%s_%d", name, idx)
|
||||
}
|
||||
|
||||
// buildPayloadInMetadataKey is used to create a unique payload key per provider/permissions.
|
||||
// This is to ensure claims are validated/forwarded specifically under the right permission/path
|
||||
// and ensure we don't accidentally validate claims from different permissions/providers.
|
||||
//
|
||||
// eg. With a provider named okta, the second permission in permission list will have a provider of:
|
||||
// okta_2 and a payload key of: jwt_payload_okta_2. Whereas an okta provider with no specific permission
|
||||
// will have a payload key of: jwt_payload_okta
|
||||
func buildPayloadInMetadataKey(providerName string, perm *structs.IntentionPermission, idx int) string {
|
||||
return fmt.Sprintf("%s_%s", jwtMetadataKeyPrefix, makeComputedProviderName(providerName, perm, idx))
|
||||
}
|
||||
|
||||
func buildJWTProviderConfig(p *structs.JWTProviderConfigEntry, metadataKeySuffix string) (*envoy_http_jwt_authn_v3.JwtProvider, error) {
|
||||
envoyCfg := envoy_http_jwt_authn_v3.JwtProvider{
|
||||
Issuer: p.Issuer,
|
||||
Audiences: p.Audiences,
|
||||
PayloadInMetadata: buildPayloadInMetadataKey(metadataKeySuffix, nil, 0),
|
||||
}
|
||||
|
||||
if p.Forwarding != nil {
|
||||
|
@ -216,7 +259,7 @@ func buildJWTRetryPolicy(r *structs.JWKSRetryPolicy) *envoy_core_v3.RetryPolicy
|
|||
return &pol
|
||||
}
|
||||
|
||||
func buildRouteRule(provider *structs.IntentionJWTProvider, perm *structs.IntentionPermission, defaultPrefix string) *envoy_http_jwt_authn_v3.RequirementRule {
|
||||
func buildRouteRule(provider *structs.IntentionJWTProvider, perm *structs.IntentionPermission, defaultPrefix string, permIdx int) *envoy_http_jwt_authn_v3.RequirementRule {
|
||||
rule := &envoy_http_jwt_authn_v3.RequirementRule{
|
||||
Match: &envoy_route_v3.RouteMatch{
|
||||
PathSpecifier: &envoy_route_v3.RouteMatch_Prefix{Prefix: defaultPrefix},
|
||||
|
@ -224,7 +267,7 @@ func buildRouteRule(provider *structs.IntentionJWTProvider, perm *structs.Intent
|
|||
RequirementType: &envoy_http_jwt_authn_v3.RequirementRule_Requires{
|
||||
Requires: &envoy_http_jwt_authn_v3.JwtRequirement{
|
||||
RequiresType: &envoy_http_jwt_authn_v3.JwtRequirement_ProviderName{
|
||||
ProviderName: provider.Name,
|
||||
ProviderName: makeComputedProviderName(provider.Name, perm, permIdx),
|
||||
},
|
||||
},
|
||||
},
|
||||
|
|
|
@ -65,21 +65,21 @@ var (
|
|||
pWithOktaProvider = &structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathPrefix: "/some-special-path",
|
||||
PathPrefix: "some-special-path",
|
||||
},
|
||||
JWT: oktaIntention,
|
||||
}
|
||||
pWithMultiProviders = &structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathPrefix: "/some-special-path",
|
||||
PathPrefix: "some-special-path",
|
||||
},
|
||||
JWT: multiProviderIntentions,
|
||||
}
|
||||
pWithNoJWT = &structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathPrefix: "/some-special-path",
|
||||
PathPrefix: "some-special-path",
|
||||
},
|
||||
}
|
||||
fullRetryPolicy = &structs.JWKSRetryPolicy{
|
||||
|
@ -206,51 +206,123 @@ func TestMakeJWTAUTHFilters(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestCollectJWTRequirements(t *testing.T) {
|
||||
var (
|
||||
emptyReq = []*structs.IntentionJWTProvider{}
|
||||
oneReq = []*structs.IntentionJWTProvider{&oktaProvider}
|
||||
multiReq = append(oneReq, &auth0Provider)
|
||||
)
|
||||
|
||||
func TestMakeComputedProviderName(t *testing.T) {
|
||||
tests := map[string]struct {
|
||||
intention *structs.Intention
|
||||
expected []*structs.IntentionJWTProvider
|
||||
name string
|
||||
perm *structs.IntentionPermission
|
||||
idx int
|
||||
expected string
|
||||
}{
|
||||
"empty-top-level-jwt-and-empty-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web"}),
|
||||
expected: emptyReq,
|
||||
"no-permissions": {
|
||||
name: "okta",
|
||||
idx: 0,
|
||||
expected: "okta",
|
||||
},
|
||||
"top-level-jwt-and-empty-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: oktaIntention}),
|
||||
expected: oneReq,
|
||||
"exact-path-permission": {
|
||||
name: "auth0",
|
||||
perm: &structs.IntentionPermission{
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathExact: "admin",
|
||||
},
|
||||
"multi-top-level-jwt-and-empty-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: multiProviderIntentions}),
|
||||
expected: multiReq,
|
||||
},
|
||||
"top-level-jwt-and-one-jwt-permission": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: auth0Intention, perms: pWithOktaProvider}),
|
||||
expected: multiReq,
|
||||
},
|
||||
"top-level-jwt-and-multi-jwt-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: fakeIntention, perms: pWithMultiProviders}),
|
||||
expected: append(multiReq, &fakeProvider),
|
||||
},
|
||||
"empty-top-level-jwt-and-one-jwt-permission": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", perms: pWithOktaProvider}),
|
||||
expected: oneReq,
|
||||
},
|
||||
"empty-top-level-jwt-and-multi-jwt-permission": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", perms: pWithMultiProviders}),
|
||||
expected: multiReq,
|
||||
idx: 5,
|
||||
expected: "auth0_5",
|
||||
},
|
||||
}
|
||||
|
||||
for name, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
reqs := collectJWTRequirements(tt.intention)
|
||||
reqs := makeComputedProviderName(tt.name, tt.perm, tt.idx)
|
||||
require.Equal(t, reqs, tt.expected)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestBuildPayloadInMetadataKey(t *testing.T) {
|
||||
tests := map[string]struct {
|
||||
name string
|
||||
perm *structs.IntentionPermission
|
||||
permIdx int
|
||||
expected string
|
||||
}{
|
||||
"no-permissions": {
|
||||
name: "okta",
|
||||
expected: "jwt_payload_okta",
|
||||
},
|
||||
"path-prefix-permission": {
|
||||
name: "auth0",
|
||||
perm: &structs.IntentionPermission{
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathPrefix: "admin",
|
||||
},
|
||||
},
|
||||
permIdx: 4,
|
||||
expected: "jwt_payload_auth0_4",
|
||||
},
|
||||
}
|
||||
|
||||
for name, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
reqs := buildPayloadInMetadataKey(tt.name, tt.perm, tt.permIdx)
|
||||
require.Equal(t, reqs, tt.expected)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestCollectJWTAuthnProviders(t *testing.T) {
|
||||
tests := map[string]struct {
|
||||
intention *structs.Intention
|
||||
expected []*jwtAuthnProvider
|
||||
}{
|
||||
"empty-top-level-jwt-and-empty-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web"}),
|
||||
expected: []*jwtAuthnProvider{},
|
||||
},
|
||||
"top-level-jwt-and-empty-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: oktaIntention}),
|
||||
expected: []*jwtAuthnProvider{{Provider: &oktaProvider, ComputedName: oktaProvider.Name}},
|
||||
},
|
||||
"multi-top-level-jwt-and-empty-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: multiProviderIntentions}),
|
||||
expected: []*jwtAuthnProvider{
|
||||
{Provider: &oktaProvider, ComputedName: oktaProvider.Name},
|
||||
{Provider: &auth0Provider, ComputedName: auth0Provider.Name},
|
||||
},
|
||||
},
|
||||
"top-level-jwt-and-one-jwt-permission": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: auth0Intention, perms: pWithOktaProvider}),
|
||||
expected: []*jwtAuthnProvider{
|
||||
{Provider: &auth0Provider, ComputedName: auth0Provider.Name},
|
||||
{Provider: &oktaProvider, ComputedName: "okta_0"},
|
||||
},
|
||||
},
|
||||
"top-level-jwt-and-multi-jwt-permissions": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", jwt: fakeIntention, perms: pWithMultiProviders}),
|
||||
expected: []*jwtAuthnProvider{
|
||||
{Provider: &fakeProvider, ComputedName: fakeProvider.Name},
|
||||
{Provider: &oktaProvider, ComputedName: "okta_0"},
|
||||
{Provider: &auth0Provider, ComputedName: "auth0_0"},
|
||||
},
|
||||
},
|
||||
"empty-top-level-jwt-and-one-jwt-permission": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", perms: pWithOktaProvider}),
|
||||
expected: []*jwtAuthnProvider{{Provider: &oktaProvider, ComputedName: "okta_0"}},
|
||||
},
|
||||
"empty-top-level-jwt-and-multi-jwt-permission": {
|
||||
intention: makeTestIntention(t, ixnOpts{src: "web", perms: pWithMultiProviders}),
|
||||
expected: []*jwtAuthnProvider{
|
||||
{Provider: &oktaProvider, ComputedName: "okta_0"},
|
||||
{Provider: &auth0Provider, ComputedName: "auth0_0"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for name, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
reqs := collectJWTAuthnProviders(tt.intention)
|
||||
require.ElementsMatch(t, reqs, tt.expected)
|
||||
})
|
||||
}
|
||||
|
@ -259,27 +331,32 @@ func TestCollectJWTRequirements(t *testing.T) {
|
|||
func TestGetPermissionsProviders(t *testing.T) {
|
||||
tests := map[string]struct {
|
||||
perms []*structs.IntentionPermission
|
||||
expected []*structs.IntentionJWTProvider
|
||||
expected []*jwtAuthnProvider
|
||||
}{
|
||||
"empty-permissions": {
|
||||
perms: []*structs.IntentionPermission{},
|
||||
expected: []*structs.IntentionJWTProvider{},
|
||||
expected: []*jwtAuthnProvider{},
|
||||
},
|
||||
"nil-permissions": {
|
||||
perms: nil,
|
||||
expected: []*structs.IntentionJWTProvider{},
|
||||
expected: []*jwtAuthnProvider{},
|
||||
},
|
||||
"permissions-with-no-jwt": {
|
||||
perms: []*structs.IntentionPermission{pWithNoJWT},
|
||||
expected: []*structs.IntentionJWTProvider{},
|
||||
expected: []*jwtAuthnProvider{},
|
||||
},
|
||||
"permissions-with-one-jwt": {
|
||||
perms: []*structs.IntentionPermission{pWithOktaProvider, pWithNoJWT},
|
||||
expected: []*structs.IntentionJWTProvider{&oktaProvider},
|
||||
expected: []*jwtAuthnProvider{
|
||||
{Provider: &oktaProvider, ComputedName: "okta_0"},
|
||||
},
|
||||
},
|
||||
"permissions-with-multiple-jwt": {
|
||||
perms: []*structs.IntentionPermission{pWithMultiProviders, pWithNoJWT},
|
||||
expected: []*structs.IntentionJWTProvider{&oktaProvider, &auth0Provider},
|
||||
expected: []*jwtAuthnProvider{
|
||||
{Provider: &auth0Provider, ComputedName: "auth0_0"},
|
||||
{Provider: &oktaProvider, ComputedName: "okta_0"},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
|
@ -338,6 +415,7 @@ func TestBuildJWTProviderConfig(t *testing.T) {
|
|||
Issuer: fullCE.Issuer,
|
||||
Audiences: fullCE.Audiences,
|
||||
ForwardPayloadHeader: "user-token",
|
||||
PayloadInMetadata: buildPayloadInMetadataKey(ceRemoteJWKS.Name, nil, 0),
|
||||
PadForwardPayloadHeader: false,
|
||||
Forward: true,
|
||||
JwksSourceSpecifier: &envoy_http_jwt_authn_v3.JwtProvider_LocalJwks{
|
||||
|
@ -355,6 +433,7 @@ func TestBuildJWTProviderConfig(t *testing.T) {
|
|||
expected: &envoy_http_jwt_authn_v3.JwtProvider{
|
||||
Issuer: fullCE.Issuer,
|
||||
Audiences: fullCE.Audiences,
|
||||
PayloadInMetadata: buildPayloadInMetadataKey(ceRemoteJWKS.Name, nil, 0),
|
||||
JwksSourceSpecifier: &envoy_http_jwt_authn_v3.JwtProvider_RemoteJwks{
|
||||
RemoteJwks: &envoy_http_jwt_authn_v3.RemoteJwks{
|
||||
HttpUri: &envoy_core_v3.HttpUri{
|
||||
|
@ -374,7 +453,7 @@ func TestBuildJWTProviderConfig(t *testing.T) {
|
|||
for name, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
res, err := buildJWTProviderConfig(tt.ce)
|
||||
res, err := buildJWTProviderConfig(tt.ce, tt.ce.GetName())
|
||||
|
||||
if tt.expectedError != "" {
|
||||
require.Error(t, err)
|
||||
|
@ -585,7 +664,7 @@ func TestBuildRouteRule(t *testing.T) {
|
|||
RequirementType: &envoy_http_jwt_authn_v3.RequirementRule_Requires{
|
||||
Requires: &envoy_http_jwt_authn_v3.JwtRequirement{
|
||||
RequiresType: &envoy_http_jwt_authn_v3.JwtRequirement_ProviderName{
|
||||
ProviderName: oktaProvider.Name,
|
||||
ProviderName: makeComputedProviderName(oktaProvider.Name, pWithMultiProviders, 0),
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -602,7 +681,7 @@ func TestBuildRouteRule(t *testing.T) {
|
|||
RequirementType: &envoy_http_jwt_authn_v3.RequirementRule_Requires{
|
||||
Requires: &envoy_http_jwt_authn_v3.JwtRequirement{
|
||||
RequiresType: &envoy_http_jwt_authn_v3.JwtRequirement_ProviderName{
|
||||
ProviderName: oktaProvider.Name,
|
||||
ProviderName: makeComputedProviderName(oktaProvider.Name, pWithExactPath, 0),
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -619,7 +698,7 @@ func TestBuildRouteRule(t *testing.T) {
|
|||
RequirementType: &envoy_http_jwt_authn_v3.RequirementRule_Requires{
|
||||
Requires: &envoy_http_jwt_authn_v3.JwtRequirement{
|
||||
RequiresType: &envoy_http_jwt_authn_v3.JwtRequirement_ProviderName{
|
||||
ProviderName: oktaProvider.Name,
|
||||
ProviderName: makeComputedProviderName(oktaProvider.Name, pWithRegex, 0),
|
||||
},
|
||||
},
|
||||
},
|
||||
|
@ -630,7 +709,7 @@ func TestBuildRouteRule(t *testing.T) {
|
|||
for name, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
res := buildRouteRule(tt.provider, tt.perm, tt.route)
|
||||
res := buildRouteRule(tt.provider, tt.perm, tt.route, 0)
|
||||
require.Equal(t, res, tt.expected)
|
||||
})
|
||||
}
|
||||
|
|
|
@ -232,16 +232,40 @@ func intentionToIntermediateRBACForm(
|
|||
rixn.Source.TrustDomain = bundle.TrustDomain
|
||||
}
|
||||
|
||||
if isHTTP && ixn.JWT != nil {
|
||||
var c []*JWTInfo
|
||||
for _, prov := range ixn.JWT.Providers {
|
||||
if len(prov.VerifyClaims) > 0 {
|
||||
c = append(c, makeJWTInfos(prov, nil, 0))
|
||||
}
|
||||
}
|
||||
if len(c) > 0 {
|
||||
rixn.jwtInfos = c
|
||||
}
|
||||
}
|
||||
|
||||
if len(ixn.Permissions) > 0 {
|
||||
if isHTTP {
|
||||
rixn.Action = intentionActionLayer7
|
||||
rixn.Permissions = make([]*rbacPermission, 0, len(ixn.Permissions))
|
||||
for _, perm := range ixn.Permissions {
|
||||
rixn.Permissions = append(rixn.Permissions, &rbacPermission{
|
||||
for k, perm := range ixn.Permissions {
|
||||
rbacPerm := rbacPermission{
|
||||
Definition: perm,
|
||||
Action: intentionActionFromString(perm.Action),
|
||||
Perm: convertPermission(perm),
|
||||
})
|
||||
}
|
||||
if perm.JWT != nil {
|
||||
var c []*JWTInfo
|
||||
for _, prov := range perm.JWT.Providers {
|
||||
if len(prov.VerifyClaims) > 0 {
|
||||
c = append(c, makeJWTInfos(prov, perm, k))
|
||||
}
|
||||
}
|
||||
if len(c) > 0 {
|
||||
rbacPerm.jwtInfos = c
|
||||
}
|
||||
}
|
||||
rixn.Permissions = append(rixn.Permissions, &rbacPerm)
|
||||
}
|
||||
} else {
|
||||
// In case L7 intentions slip through to here, treat them as deny intentions.
|
||||
|
@ -254,8 +278,17 @@ func intentionToIntermediateRBACForm(
|
|||
return rixn
|
||||
}
|
||||
|
||||
func makeJWTInfos(p *structs.IntentionJWTProvider, perm *structs.IntentionPermission, permKey int) *JWTInfo {
|
||||
return &JWTInfo{Claims: p.VerifyClaims, MetadataPayloadKey: buildPayloadInMetadataKey(p.Name, perm, permKey)}
|
||||
}
|
||||
|
||||
type intentionAction int
|
||||
|
||||
type JWTInfo struct {
|
||||
Claims []*structs.IntentionJWTClaimVerification
|
||||
MetadataPayloadKey string
|
||||
}
|
||||
|
||||
const (
|
||||
intentionActionDeny intentionAction = iota
|
||||
intentionActionAllow
|
||||
|
@ -294,6 +327,11 @@ type rbacIntention struct {
|
|||
Permissions []*rbacPermission
|
||||
Precedence int
|
||||
|
||||
// JWTInfo is used to track intentions' JWT information
|
||||
// This information is used to update HTTP filters for
|
||||
// JWT Payload & claims validation
|
||||
jwtInfos []*JWTInfo
|
||||
|
||||
// Skip is field used to indicate that this intention can be deleted in the
|
||||
// final pass. Items marked as true should generally not escape the method
|
||||
// that marked them.
|
||||
|
@ -366,6 +404,11 @@ type rbacPermission struct {
|
|||
Perm *envoy_rbac_v3.Permission
|
||||
NotPerms []*envoy_rbac_v3.Permission
|
||||
|
||||
// JWTInfo is used to track intentions' JWT information
|
||||
// This information is used to update HTTP filters for
|
||||
// JWT Payload & claims validation
|
||||
jwtInfos []*JWTInfo
|
||||
|
||||
// Skip is field used to indicate that this permission can be deleted in
|
||||
// the final pass. Items marked as true should generally not escape the
|
||||
// method that marked them.
|
||||
|
@ -531,6 +574,10 @@ func makeRBACRules(
|
|||
|
||||
var principalsL4 []*envoy_rbac_v3.Principal
|
||||
for i, rbacIxn := range rbacIxns {
|
||||
var infos []*JWTInfo
|
||||
if isHTTP {
|
||||
infos = collectJWTInfos(rbacIxn)
|
||||
}
|
||||
if rbacIxn.Action == intentionActionLayer7 {
|
||||
if len(rbacIxn.Permissions) == 0 {
|
||||
panic("invalid state: L7 intention has no permissions")
|
||||
|
@ -539,9 +586,14 @@ func makeRBACRules(
|
|||
panic("invalid state: L7 permissions present for TCP service")
|
||||
}
|
||||
|
||||
rbacPrincipals := optimizePrincipals([]*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal})
|
||||
if len(infos) > 0 {
|
||||
claimsPrincipal := jwtInfosToPrincipals(infos)
|
||||
rbacPrincipals = combineBasePrincipalWithJWTPrincipals(rbacPrincipals, claimsPrincipal)
|
||||
}
|
||||
// For L7: we should generate one Policy per Principal and list all of the Permissions
|
||||
policy := &envoy_rbac_v3.Policy{
|
||||
Principals: optimizePrincipals([]*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal}),
|
||||
Principals: rbacPrincipals,
|
||||
Permissions: make([]*envoy_rbac_v3.Permission, 0, len(rbacIxn.Permissions)),
|
||||
}
|
||||
for _, perm := range rbacIxn.Permissions {
|
||||
|
@ -551,6 +603,11 @@ func makeRBACRules(
|
|||
} else {
|
||||
// For L4: we should generate one big Policy listing all Principals
|
||||
principalsL4 = append(principalsL4, rbacIxn.ComputedPrincipal)
|
||||
// Append JWT principals to list of principals
|
||||
if len(infos) > 0 {
|
||||
claimsPrincipal := jwtInfosToPrincipals(infos)
|
||||
principalsL4 = combineBasePrincipalWithJWTPrincipals(principalsL4, claimsPrincipal)
|
||||
}
|
||||
}
|
||||
}
|
||||
if len(principalsL4) > 0 {
|
||||
|
@ -566,6 +623,109 @@ func makeRBACRules(
|
|||
return rbac
|
||||
}
|
||||
|
||||
// combineBasePrincipalWithJWTPrincipals ensure each RBAC/Network principal is associated with
|
||||
// the JWT principal
|
||||
func combineBasePrincipalWithJWTPrincipals(p []*envoy_rbac_v3.Principal, cp *envoy_rbac_v3.Principal) []*envoy_rbac_v3.Principal {
|
||||
res := make([]*envoy_rbac_v3.Principal, 0)
|
||||
|
||||
for _, principal := range p {
|
||||
if principal != nil && cp != nil {
|
||||
p := andPrincipals([]*envoy_rbac_v3.Principal{principal, cp})
|
||||
res = append(res, p)
|
||||
}
|
||||
}
|
||||
return res
|
||||
}
|
||||
|
||||
// collectJWTInfos extracts all the collected JWTInfos top level infos
|
||||
// and permission level infos and returns them as a single array
|
||||
func collectJWTInfos(rbacIxn *rbacIntention) []*JWTInfo {
|
||||
infos := make([]*JWTInfo, 0, len(rbacIxn.jwtInfos))
|
||||
|
||||
if len(rbacIxn.jwtInfos) > 0 {
|
||||
infos = append(infos, rbacIxn.jwtInfos...)
|
||||
}
|
||||
for _, perm := range rbacIxn.Permissions {
|
||||
infos = append(infos, perm.jwtInfos...)
|
||||
}
|
||||
|
||||
return infos
|
||||
}
|
||||
|
||||
func jwtInfosToPrincipals(c []*JWTInfo) *envoy_rbac_v3.Principal {
|
||||
ps := make([]*envoy_rbac_v3.Principal, 0)
|
||||
|
||||
for _, jwtInfo := range c {
|
||||
if jwtInfo != nil {
|
||||
for _, claim := range jwtInfo.Claims {
|
||||
ps = append(ps, jwtClaimToPrincipal(claim, jwtInfo.MetadataPayloadKey))
|
||||
}
|
||||
}
|
||||
}
|
||||
return orPrincipals(ps)
|
||||
}
|
||||
|
||||
// jwtClaimToPrincipal takes in a payloadkey which is the metadata key. This key is generated by using provider name,
|
||||
// permission index with a jwt_payload prefix. See buildPayloadInMetadataKey in agent/xds/jwt_authn.go
|
||||
//
|
||||
// This uniquely generated payloadKey is the first segment in the path to validate the JWT claims. The subsequent segments
|
||||
// come from the Path included in the IntentionJWTClaimVerification param.
|
||||
func jwtClaimToPrincipal(c *structs.IntentionJWTClaimVerification, payloadKey string) *envoy_rbac_v3.Principal {
|
||||
segments := pathToSegments(c.Path, payloadKey)
|
||||
|
||||
return &envoy_rbac_v3.Principal{
|
||||
Identifier: &envoy_rbac_v3.Principal_Metadata{
|
||||
Metadata: &envoy_matcher_v3.MetadataMatcher{
|
||||
Filter: jwtEnvoyFilter,
|
||||
Path: segments,
|
||||
Value: &envoy_matcher_v3.ValueMatcher{
|
||||
MatchPattern: &envoy_matcher_v3.ValueMatcher_StringMatch{
|
||||
StringMatch: &envoy_matcher_v3.StringMatcher{
|
||||
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
|
||||
Exact: c.Value,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// pathToSegments generates an array of MetadataMatcher_PathSegment that starts with the payloadkey
|
||||
// and is followed by all existing strings in the path.
|
||||
//
|
||||
// eg. calling: pathToSegments([]string{"perms", "roles"}, "jwt_payload_okta") should return the following:
|
||||
//
|
||||
// []*envoy_matcher_v3.MetadataMatcher_PathSegment{
|
||||
// {
|
||||
// Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "jwt_payload_okta"},
|
||||
// },
|
||||
// {
|
||||
// Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "perms"},
|
||||
// },
|
||||
// {
|
||||
// Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "roles"},
|
||||
// },
|
||||
// },
|
||||
func pathToSegments(paths []string, payloadKey string) []*envoy_matcher_v3.MetadataMatcher_PathSegment {
|
||||
|
||||
segments := make([]*envoy_matcher_v3.MetadataMatcher_PathSegment, 0, len(paths))
|
||||
segments = append(segments, makeSegment(payloadKey))
|
||||
|
||||
for _, p := range paths {
|
||||
segments = append(segments, makeSegment(p))
|
||||
}
|
||||
|
||||
return segments
|
||||
}
|
||||
|
||||
func makeSegment(key string) *envoy_matcher_v3.MetadataMatcher_PathSegment {
|
||||
return &envoy_matcher_v3.MetadataMatcher_PathSegment{
|
||||
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: key},
|
||||
}
|
||||
}
|
||||
|
||||
func optimizePrincipals(orig []*envoy_rbac_v3.Principal) []*envoy_rbac_v3.Principal {
|
||||
// If they are all ORs, then OR them together.
|
||||
var orIds []*envoy_rbac_v3.Principal
|
||||
|
|
|
@ -484,6 +484,17 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
|
|||
ixn.Permissions = perms
|
||||
return ixn
|
||||
}
|
||||
testIntentionWithJWT := func(src string, action structs.IntentionAction, jwt *structs.IntentionJWTRequirement, perms ...*structs.IntentionPermission) *structs.Intention {
|
||||
ixn := testIntention(t, src, "api", action)
|
||||
ixn.JWT = jwt
|
||||
ixn.Action = action
|
||||
if perms != nil {
|
||||
ixn.Permissions = perms
|
||||
ixn.Action = ""
|
||||
}
|
||||
|
||||
return ixn
|
||||
}
|
||||
testPeerTrustBundle := []*pbpeering.PeeringTrustBundle{
|
||||
{
|
||||
PeerName: "peer1",
|
||||
|
@ -506,6 +517,28 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
|
|||
PathPrefix: "/",
|
||||
},
|
||||
}
|
||||
oktaWithClaims = structs.IntentionJWTProvider{
|
||||
Name: "okta",
|
||||
VerifyClaims: []*structs.IntentionJWTClaimVerification{
|
||||
{Path: []string{"roles"}, Value: "testing"},
|
||||
},
|
||||
}
|
||||
auth0WithClaims = structs.IntentionJWTProvider{
|
||||
Name: "auth0",
|
||||
VerifyClaims: []*structs.IntentionJWTClaimVerification{
|
||||
{Path: []string{"perms", "role"}, Value: "admin"},
|
||||
},
|
||||
}
|
||||
jwtRequirement = &structs.IntentionJWTRequirement{
|
||||
Providers: []*structs.IntentionJWTProvider{
|
||||
&oktaWithClaims,
|
||||
},
|
||||
}
|
||||
auth0Requirement = &structs.IntentionJWTRequirement{
|
||||
Providers: []*structs.IntentionJWTProvider{
|
||||
&auth0WithClaims,
|
||||
},
|
||||
}
|
||||
permDenySlashPrefix = &structs.IntentionPermission{
|
||||
Action: structs.IntentionActionDeny,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
|
@ -804,6 +837,70 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
|
|||
),
|
||||
),
|
||||
},
|
||||
// ========= JWTAuthn Filter checks
|
||||
"top-level-jwt-no-permissions": {
|
||||
intentionDefaultAllow: false,
|
||||
intentions: sorted(
|
||||
testIntentionWithJWT("web", structs.IntentionActionAllow, jwtRequirement),
|
||||
),
|
||||
},
|
||||
"empty-top-level-jwt-with-one-permission": {
|
||||
intentionDefaultAllow: false,
|
||||
intentions: sorted(
|
||||
testIntentionWithJWT("web", structs.IntentionActionAllow, nil, &structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathPrefix: "some-path",
|
||||
},
|
||||
JWT: jwtRequirement,
|
||||
}),
|
||||
),
|
||||
},
|
||||
"top-level-jwt-with-one-permission": {
|
||||
intentionDefaultAllow: false,
|
||||
intentions: sorted(
|
||||
testIntentionWithJWT("web",
|
||||
structs.IntentionActionAllow,
|
||||
jwtRequirement,
|
||||
&structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathExact: "/v1/secret",
|
||||
},
|
||||
JWT: auth0Requirement,
|
||||
},
|
||||
&structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathExact: "/v1/admin",
|
||||
},
|
||||
},
|
||||
),
|
||||
),
|
||||
},
|
||||
"top-level-jwt-with-multiple-permissions": {
|
||||
intentionDefaultAllow: false,
|
||||
intentions: sorted(
|
||||
testIntentionWithJWT("web",
|
||||
structs.IntentionActionAllow,
|
||||
jwtRequirement,
|
||||
&structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathExact: "/v1/secret",
|
||||
},
|
||||
JWT: auth0Requirement,
|
||||
},
|
||||
&structs.IntentionPermission{
|
||||
Action: structs.IntentionActionAllow,
|
||||
HTTP: &structs.IntentionHTTPPermission{
|
||||
PathExact: "/v1/admin",
|
||||
},
|
||||
JWT: auth0Requirement,
|
||||
},
|
||||
),
|
||||
),
|
||||
},
|
||||
}
|
||||
|
||||
testLocalInfo := rbacLocalInfo{
|
||||
|
@ -1060,3 +1157,142 @@ func TestSpiffeMatcher(t *testing.T) {
|
|||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestPathToSegments(t *testing.T) {
|
||||
tests := map[string]struct {
|
||||
key string
|
||||
paths []string
|
||||
expected []*envoy_matcher_v3.MetadataMatcher_PathSegment
|
||||
}{
|
||||
"single-path": {
|
||||
key: "jwt_payload_okta",
|
||||
paths: []string{"perms"},
|
||||
expected: []*envoy_matcher_v3.MetadataMatcher_PathSegment{
|
||||
{
|
||||
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "jwt_payload_okta"},
|
||||
},
|
||||
{
|
||||
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "perms"},
|
||||
},
|
||||
},
|
||||
},
|
||||
"multi-paths": {
|
||||
key: "jwt_payload_okta",
|
||||
paths: []string{"perms", "roles"},
|
||||
expected: []*envoy_matcher_v3.MetadataMatcher_PathSegment{
|
||||
{
|
||||
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "jwt_payload_okta"},
|
||||
},
|
||||
{
|
||||
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "perms"},
|
||||
},
|
||||
{
|
||||
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "roles"},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for name, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
segments := pathToSegments(tt.paths, tt.key)
|
||||
require.ElementsMatch(t, segments, tt.expected)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestJwtClaimToPrincipal(t *testing.T) {
|
||||
var (
|
||||
firstClaim = structs.IntentionJWTClaimVerification{
|
||||
Path: []string{"perms"},
|
||||
Value: "admin",
|
||||
}
|
||||
secondClaim = structs.IntentionJWTClaimVerification{
|
||||
Path: []string{"passage"},
|
||||
Value: "secret",
|
||||
}
|
||||
payloadKey = "dummy-key"
|
||||
firstPrincipal = envoy_rbac_v3.Principal{
|
||||
Identifier: &envoy_rbac_v3.Principal_Metadata{
|
||||
Metadata: &envoy_matcher_v3.MetadataMatcher{
|
||||
Filter: jwtEnvoyFilter,
|
||||
Path: pathToSegments(firstClaim.Path, payloadKey),
|
||||
Value: &envoy_matcher_v3.ValueMatcher{
|
||||
MatchPattern: &envoy_matcher_v3.ValueMatcher_StringMatch{
|
||||
StringMatch: &envoy_matcher_v3.StringMatcher{
|
||||
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
|
||||
Exact: firstClaim.Value,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
secondPrincipal = envoy_rbac_v3.Principal{
|
||||
Identifier: &envoy_rbac_v3.Principal_Metadata{
|
||||
Metadata: &envoy_matcher_v3.MetadataMatcher{
|
||||
Filter: jwtEnvoyFilter,
|
||||
Path: pathToSegments(secondClaim.Path, "second-key"),
|
||||
Value: &envoy_matcher_v3.ValueMatcher{
|
||||
MatchPattern: &envoy_matcher_v3.ValueMatcher_StringMatch{
|
||||
StringMatch: &envoy_matcher_v3.StringMatcher{
|
||||
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
|
||||
Exact: secondClaim.Value,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
)
|
||||
tests := map[string]struct {
|
||||
jwtInfos []*JWTInfo
|
||||
expected *envoy_rbac_v3.Principal
|
||||
}{
|
||||
"single-jwt-info": {
|
||||
jwtInfos: []*JWTInfo{
|
||||
{
|
||||
Claims: []*structs.IntentionJWTClaimVerification{&firstClaim},
|
||||
MetadataPayloadKey: payloadKey,
|
||||
},
|
||||
},
|
||||
expected: &envoy_rbac_v3.Principal{
|
||||
Identifier: &envoy_rbac_v3.Principal_OrIds{
|
||||
OrIds: &envoy_rbac_v3.Principal_Set{
|
||||
Ids: []*envoy_rbac_v3.Principal{&firstPrincipal},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
"multiple-jwt-info": {
|
||||
jwtInfos: []*JWTInfo{
|
||||
{
|
||||
Claims: []*structs.IntentionJWTClaimVerification{&firstClaim},
|
||||
MetadataPayloadKey: payloadKey,
|
||||
},
|
||||
{
|
||||
Claims: []*structs.IntentionJWTClaimVerification{&secondClaim},
|
||||
MetadataPayloadKey: "second-key",
|
||||
},
|
||||
},
|
||||
expected: &envoy_rbac_v3.Principal{
|
||||
Identifier: &envoy_rbac_v3.Principal_OrIds{
|
||||
OrIds: &envoy_rbac_v3.Principal_Set{
|
||||
Ids: []*envoy_rbac_v3.Principal{&firstPrincipal, &secondPrincipal},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for name, tt := range tests {
|
||||
tt := tt
|
||||
t.Run(name, func(t *testing.T) {
|
||||
principal := jwtInfosToPrincipals(tt.jwtInfos)
|
||||
require.Equal(t, principal, tt.expected)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
@ -3,8 +3,9 @@
|
|||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication",
|
||||
"providers": {
|
||||
"okta": {
|
||||
"okta_0": {
|
||||
"issuer": "test-issuer",
|
||||
"payloadInMetadata": "jwt_payload_okta_0",
|
||||
"remoteJwks": {
|
||||
"httpUri": {
|
||||
"uri": "https://example-okta.com/.well-known/jwks.json",
|
||||
|
@ -20,10 +21,10 @@
|
|||
"rules": [
|
||||
{
|
||||
"match": {
|
||||
"prefix": "/some-special-path"
|
||||
"prefix": "some-special-path"
|
||||
},
|
||||
"requires": {
|
||||
"providerName": "okta"
|
||||
"providerName": "okta_0"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
"providers": {
|
||||
"okta": {
|
||||
"issuer": "test-issuer",
|
||||
"payloadInMetadata": "jwt_payload_okta",
|
||||
"localJwks": {
|
||||
"inlineString": "{\"keys\": [{\n \"crv\": \"P-256\",\n \"key_ops\": [\n \"verify\"\n ],\n \"kty\": \"EC\",\n \"x\": \"Wc9uZuPaB7Kh2FMc9wtJjRe8XD4yT2AYNAAkrYbVjuw\",\n \"y\": \"68hRTJiJNOwtrh4EoPXeVnRuH7hiSDJ_lmbbjfDfWq0\",\n \"alg\": \"ES256\",\n \"use\": \"sig\",\n \"kid\": \"ac1e8f90eddf61c429c61ca05b4f2e07\"\n}]}"
|
||||
}
|
||||
|
|
|
@ -5,6 +5,21 @@
|
|||
"providers": {
|
||||
"okta": {
|
||||
"issuer": "test-issuer",
|
||||
"payloadInMetadata": "jwt_payload_okta",
|
||||
"remoteJwks": {
|
||||
"httpUri": {
|
||||
"uri": "https://example-okta.com/.well-known/jwks.json",
|
||||
"cluster": "jwks_cluster",
|
||||
"timeout": "1s"
|
||||
},
|
||||
"asyncFetch": {
|
||||
"fastListener": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"okta_0": {
|
||||
"issuer": "test-issuer",
|
||||
"payloadInMetadata": "jwt_payload_okta_0",
|
||||
"remoteJwks": {
|
||||
"httpUri": {
|
||||
"uri": "https://example-okta.com/.well-known/jwks.json",
|
||||
|
@ -18,6 +33,7 @@
|
|||
},
|
||||
"auth0": {
|
||||
"issuer": "another-issuer",
|
||||
"payloadInMetadata": "jwt_payload_auth0",
|
||||
"remoteJwks": {
|
||||
"httpUri": {
|
||||
"uri": "https://example-auth0.com/.well-known/jwks.json",
|
||||
|
@ -33,10 +49,10 @@
|
|||
"rules": [
|
||||
{
|
||||
"match": {
|
||||
"prefix": "/some-special-path"
|
||||
"prefix": "some-special-path"
|
||||
},
|
||||
"requires": {
|
||||
"providerName": "okta"
|
||||
"providerName": "okta_0"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
"providers": {
|
||||
"okta": {
|
||||
"issuer": "test-issuer",
|
||||
"payloadInMetadata": "jwt_payload_okta",
|
||||
"remoteJwks": {
|
||||
"httpUri": {
|
||||
"uri": "https://example-okta.com/.well-known/jwks.json",
|
||||
|
|
|
@ -5,6 +5,21 @@
|
|||
"providers": {
|
||||
"okta": {
|
||||
"issuer": "test-issuer",
|
||||
"payloadInMetadata": "jwt_payload_okta",
|
||||
"remoteJwks": {
|
||||
"httpUri": {
|
||||
"uri": "https://example-okta.com/.well-known/jwks.json",
|
||||
"cluster": "jwks_cluster",
|
||||
"timeout": "1s"
|
||||
},
|
||||
"asyncFetch": {
|
||||
"fastListener": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"okta_0": {
|
||||
"issuer": "test-issuer",
|
||||
"payloadInMetadata": "jwt_payload_okta_0",
|
||||
"remoteJwks": {
|
||||
"httpUri": {
|
||||
"uri": "https://example-okta.com/.well-known/jwks.json",
|
||||
|
@ -20,10 +35,10 @@
|
|||
"rules": [
|
||||
{
|
||||
"match": {
|
||||
"prefix": "/some-special-path"
|
||||
"prefix": "some-special-path"
|
||||
},
|
||||
"requires": {
|
||||
"providerName": "okta"
|
||||
"providerName": "okta_0"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
59
agent/xds/testdata/rbac/empty-top-level-jwt-with-one-permission--httpfilter.golden
vendored
Normal file
59
agent/xds/testdata/rbac/empty-top-level-jwt-with-one-permission--httpfilter.golden
vendored
Normal file
|
@ -0,0 +1,59 @@
|
|||
{
|
||||
"name": "envoy.filters.http.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
"policies": {
|
||||
"consul-intentions-layer7-0": {
|
||||
"permissions": [
|
||||
{
|
||||
"urlPath": {
|
||||
"path": {
|
||||
"prefix": "some-path"
|
||||
}
|
||||
}
|
||||
}
|
||||
],
|
||||
"principals": [
|
||||
{
|
||||
"andIds": {
|
||||
"ids": [
|
||||
{
|
||||
"authenticated": {
|
||||
"principalName": {
|
||||
"safeRegex": {
|
||||
"googleRe2": {},
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"orIds": {
|
||||
"ids": [
|
||||
{
|
||||
"metadata": {
|
||||
"filter":"envoy.filters.http.jwt_authn",
|
||||
"path": [
|
||||
{"key": "jwt_payload_okta_0"},
|
||||
{"key": "roles"}
|
||||
],
|
||||
"value": {
|
||||
"stringMatch": {
|
||||
"exact": "testing"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"name": "envoy.filters.network.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
|
||||
},
|
||||
"statPrefix": "connect_authz"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
"name": "envoy.filters.http.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
"policies": {
|
||||
"consul-intentions-layer4": {
|
||||
"permissions": [
|
||||
{
|
||||
"any": true
|
||||
}
|
||||
],
|
||||
"principals": [
|
||||
{
|
||||
"andIds": {
|
||||
"ids": [
|
||||
{
|
||||
"authenticated": {
|
||||
"principalName": {
|
||||
"safeRegex": {
|
||||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"orIds": {
|
||||
"ids": [
|
||||
{
|
||||
"metadata": {
|
||||
"filter":"envoy.filters.http.jwt_authn",
|
||||
"path": [
|
||||
{"key": "jwt_payload_okta"},
|
||||
{"key": "roles"}
|
||||
],
|
||||
"value": {
|
||||
"stringMatch": {
|
||||
"exact": "testing"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"name": "envoy.filters.network.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
"policies": {
|
||||
"consul-intentions-layer4": {
|
||||
"permissions": [
|
||||
{
|
||||
"any": true
|
||||
}
|
||||
],
|
||||
"principals": [
|
||||
{
|
||||
"authenticated": {
|
||||
"principalName": {
|
||||
"safeRegex": {
|
||||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
},
|
||||
"statPrefix": "connect_authz"
|
||||
}
|
||||
}
|
113
agent/xds/testdata/rbac/top-level-jwt-with-multiple-permissions--httpfilter.golden
vendored
Normal file
113
agent/xds/testdata/rbac/top-level-jwt-with-multiple-permissions--httpfilter.golden
vendored
Normal file
|
@ -0,0 +1,113 @@
|
|||
{
|
||||
"name": "envoy.filters.http.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
"policies": {
|
||||
"consul-intentions-layer7-0": {
|
||||
"permissions": [
|
||||
{
|
||||
"urlPath": {
|
||||
"path": {
|
||||
"exact": "/v1/secret"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"andRules": {
|
||||
"rules": [
|
||||
{
|
||||
"urlPath": {
|
||||
"path": {
|
||||
"exact": "/v1/admin"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"notRule": {
|
||||
"urlPath": {
|
||||
"path": {
|
||||
"exact": "/v1/secret"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"principals": [
|
||||
{
|
||||
"andIds": {
|
||||
"ids": [
|
||||
{
|
||||
"authenticated": {
|
||||
"principalName": {
|
||||
"safeRegex": {
|
||||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"orIds": {
|
||||
"ids": [
|
||||
{
|
||||
"metadata": {
|
||||
"filter":"envoy.filters.http.jwt_authn",
|
||||
"path": [
|
||||
{"key": "jwt_payload_okta"},
|
||||
{"key": "roles"}
|
||||
],
|
||||
"value": {
|
||||
"stringMatch": {
|
||||
"exact": "testing"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"metadata": {
|
||||
"filter":"envoy.filters.http.jwt_authn",
|
||||
"path": [
|
||||
{"key": "jwt_payload_auth0_0"},
|
||||
{"key": "perms"},
|
||||
{"key": "role"}
|
||||
],
|
||||
"value": {
|
||||
"stringMatch": {
|
||||
"exact": "admin"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"metadata": {
|
||||
"filter":"envoy.filters.http.jwt_authn",
|
||||
"path": [
|
||||
{"key": "jwt_payload_auth0_1"},
|
||||
{"key": "perms"},
|
||||
{"key": "role"}
|
||||
],
|
||||
"value": {
|
||||
"stringMatch": {
|
||||
"exact": "admin"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"name": "envoy.filters.network.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
|
||||
},
|
||||
"statPrefix": "connect_authz"
|
||||
}
|
||||
}
|
98
agent/xds/testdata/rbac/top-level-jwt-with-one-permission--httpfilter.golden
vendored
Normal file
98
agent/xds/testdata/rbac/top-level-jwt-with-one-permission--httpfilter.golden
vendored
Normal file
|
@ -0,0 +1,98 @@
|
|||
{
|
||||
"name": "envoy.filters.http.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
"policies": {
|
||||
"consul-intentions-layer7-0": {
|
||||
"permissions": [
|
||||
{
|
||||
"urlPath": {
|
||||
"path": {
|
||||
"exact": "/v1/secret"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"andRules": {
|
||||
"rules": [
|
||||
{
|
||||
"urlPath": {
|
||||
"path": {
|
||||
"exact": "/v1/admin"
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"notRule": {
|
||||
"urlPath": {
|
||||
"path": {
|
||||
"exact": "/v1/secret"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
],
|
||||
"principals": [
|
||||
{
|
||||
"andIds": {
|
||||
"ids": [
|
||||
{
|
||||
"authenticated": {
|
||||
"principalName": {
|
||||
"safeRegex": {
|
||||
"googleRe2": {
|
||||
|
||||
},
|
||||
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"orIds": {
|
||||
"ids": [
|
||||
{
|
||||
"metadata": {
|
||||
"filter":"envoy.filters.http.jwt_authn",
|
||||
"path": [
|
||||
{"key": "jwt_payload_okta"},
|
||||
{"key": "roles"}
|
||||
],
|
||||
"value": {
|
||||
"stringMatch": {
|
||||
"exact": "testing"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
{
|
||||
"metadata": {
|
||||
"filter":"envoy.filters.http.jwt_authn",
|
||||
"path": [
|
||||
{"key": "jwt_payload_auth0_0"},
|
||||
{"key": "perms"},
|
||||
{"key": "role"}
|
||||
],
|
||||
"value": {
|
||||
"stringMatch": {
|
||||
"exact": "admin"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"name": "envoy.filters.network.rbac",
|
||||
"typedConfig": {
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
|
||||
"rules": {
|
||||
|
||||
},
|
||||
"statPrefix": "connect_authz"
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue