## Backport
This PR is auto-generated from #18154 to be assessed for backporting due
to the inclusion of the label backport/1.16.
The below text is copied from the body of the original PR.
---
### Description
Addresses
https://github.com/hashicorp/consul/pull/17171#issuecomment-1636930705
### PR Checklist
* [ ] updated test coverage
* [ ] external facing docs updated
* [ ] appropriate backport labels added
* [ ] not a security concern
---
<details>
<summary> Overview of commits </summary>
- f5a6411ce7cbda9dddc506b731210d4ebda6bdb1
</details>
Co-authored-by: David Yu <dyu@hashicorp.com>
## Backport
This PR is auto-generated from #18062 to be assessed for backporting due
to the inclusion of the label backport/1.16.
The below text is copied from the body of the original PR.
---
### Description
- Currently the jwt-auth filter doesn't take into account the service
identity when validating jwt-auth, it only takes into account the path
and jwt provider during validation. This causes issues when multiple
source intentions restrict access to an endpoint with different JWT
providers.
- To fix these issues, rather than use the JWT auth filter for
validation, we use it in metadata mode and allow it to forward the
successful validated JWT token payload to the RBAC filter which will
make the decisions.
This PR ensures requests with and without JWT tokens successfully go
through the jwt-authn filter. The filter however only forwards the data
for successful/valid tokens. On the RBAC filter level, we check the
payload for claims and token issuer + existing rbac rules.
### Testing & Reproduction steps
- This test covers multi-level jwt requirements (requirements at the top
level and at the permissions level). It also assumes you have envoy running,
you have a redis and a sidecar proxy service registered, and have a way
to generate jwks with jwt. I mostly use:
https://www.scottbrady91.com/tools/jwt for this.
- first write your proxy defaults
```
Kind = "proxy-defaults"
name = "global"
config {
  protocol = "http"
}
```
- Create two providers
```
Kind = "jwt-provider"
Name = "auth0"
Issuer = "https://ronald.local"
JSONWebKeySet = {
  Local = {
    JWKS = "eyJrZXlzIjog....."
  }
}
```
```
Kind = "jwt-provider"
Name = "okta"
Issuer = "https://ronald.local"
JSONWebKeySet = {
  Local = {
    JWKS = "eyJrZXlzIjogW3...."
  }
}
```
- add a service intention
```
Kind = "service-intentions"
Name = "redis"
JWT = {
  Providers = [
    {
      Name = "okta"
    },
  ]
}
Sources = [
  {
    Name = "*"
    Permissions = [{
      Action = "allow"
      HTTP = {
        PathPrefix = "/workspace"
      }
      JWT = {
        Providers = [
          {
            Name = "okta"
            VerifyClaims = [
              {
                Path = ["aud"]
                Value = "my_client_app"
              },
              {
                Path = ["sub"]
                Value = "5be86359073c434bad2da3932222dabe"
              }
            ]
          },
        ]
      }
    },
    {
      Action = "allow"
      HTTP = {
        PathPrefix = "/"
      }
      JWT = {
        Providers = [
          {
            Name = "auth0"
          },
        ]
      }
    }]
  }
]
```
- generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with
different claims than `/workspace` expects and 1 with correct claims
- connect to your envoy (change service and address as needed) to view
logs and potential errors. You can add: `-- --log-level debug` to see
what data is being forwarded
```
consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502
```
- Make the following requests:
```
curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v
# expected: RBAC filter denied
curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v
# expected: RBAC filter denied
curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v
# expected: successful request
```
### TODO
* [x] Update test coverage
* [ ] update integration tests (follow-up PR)
* [x] appropriate backport labels added
---
<details>
<summary> Overview of commits </summary>
- 70536f5a38507d7468f62d00dd93a6968a3d9cf3
</details>
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
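The PR above moves the authorization decision out of the jwt-authn filter and into the RBAC filter: the jwt-authn filter only forwards the payload of tokens that validated, and the RBAC filter then checks issuer/provider, claims and path against the intention. The following Go program is an added example written for this page to make that decision logic concrete; it is not code from the PR or from Consul. It models the redis intention from the test steps (intention-level `okta` requirement, `/workspace` requiring `okta` with `aud` and `sub` claims, `/` requiring `auth0`) and evaluates the three tokens from the curl steps plus a request that forwarded no token. Assumptions made here and not taken from the page: the `ForwardedJWT` shape standing in for Envoy's dynamic metadata, any-of semantics for a `Providers` list, and first-match evaluation of `Permissions` by path prefix.

```go
package main

import (
	"fmt"
	"strings"
)

// ForwardedJWT models what the jwt_authn filter, in metadata mode, hands to the RBAC filter: the
// decoded payload of a validated token, tagged with its provider. No valid token, no entry.
// This shape is assumed for the example; it is not Envoy's or Consul's real metadata layout.
type ForwardedJWT struct {
	Provider string
	Claims   map[string]any
}

// The next four types mirror the intention fields used in the test steps above.
type VerifyClaim struct {
	Path  []string
	Value string
}
type ProviderReq struct {
	Name         string
	VerifyClaims []VerifyClaim
}
type Permission struct {
	PathPrefix string
	Providers  []ProviderReq
}
type Intention struct {
	Providers   []ProviderReq // intention-level requirement
	Permissions []Permission  // checked in order, first path match wins (assumption)
}

// lookupClaim walks path through nested JSON objects; an absent key yields nil and fails.
func lookupClaim(claims map[string]any, path []string) (string, bool) {
	var cur any = claims
	for _, key := range path {
		obj, ok := cur.(map[string]any)
		if !ok {
			return "", false
		}
		cur = obj[key]
	}
	s, ok := cur.(string)
	return s, ok
}

// satisfied: some forwarded (hence validated) token came from req.Name and carries every
// VerifyClaims value; a missing claim is a mismatch, never a pass.
func satisfied(req ProviderReq, jwts []ForwardedJWT) bool {
next:
	for _, j := range jwts {
		if j.Provider != req.Name {
			continue
		}
		for _, vc := range req.VerifyClaims {
			if got, ok := lookupClaim(j.Claims, vc.Path); !ok || got != vc.Value {
				continue next
			}
		}
		return true
	}
	return false
}

// anyProvider treats a Providers list as any-of (assumption); an empty list requires nothing.
func anyProvider(reqs []ProviderReq, jwts []ForwardedJWT) bool {
	for _, r := range reqs {
		if satisfied(r, jwts) {
			return true
		}
	}
	return len(reqs) == 0
}

// Authorize is the RBAC decision: the intention-level requirement must hold, then the first
// permission whose PathPrefix matches decides; no matching permission denies.
func Authorize(in Intention, path string, jwts []ForwardedJWT) bool {
	if !anyProvider(in.Providers, jwts) {
		return false
	}
	for _, p := range in.Permissions {
		if strings.HasPrefix(path, p.PathPrefix) {
			return anyProvider(p.Providers, jwts)
		}
	}
	return false
}

// RedisIntention reproduces the redis intention from the test steps above.
func RedisIntention() Intention {
	claims := []VerifyClaim{{[]string{"aud"}, "my_client_app"}, {[]string{"sub"}, "5be86359073c434bad2da3932222dabe"}}
	return Intention{Providers: []ProviderReq{{Name: "okta"}}, Permissions: []Permission{
		{"/workspace", []ProviderReq{{"okta", claims}}},
		{"/", []ProviderReq{{Name: "auth0"}}},
	}}
}

func main() { // constructed payload standing in for the okta token with the expected claims
	right := ForwardedJWT{"okta", map[string]any{"aud": "my_client_app", "sub": "5be86359073c434bad2da3932222dabe"}}
	fmt.Println(Authorize(RedisIntention(), "/workspace", []ForwardedJWT{right}), Authorize(RedisIntention(), "/workspace", nil))
}
```

The point worth noticing is the failure mode the PR describes: because the jwt-authn filter forwards nothing for a token that did not validate, a request with no token or a bad token reaches `Authorize` with an empty slice and is denied by the intention-level requirement, while a token that validated against the wrong provider (auth0 on `/workspace`) is denied because the path's permission names a different provider.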
## Backport
This PR is auto-generated from #18134 to be assessed for backporting due
to the inclusion of the label backport/1.16.
The below text is copied from the body of the original PR.
---
### Description
- Fix unmatched bracket in the
[doc](https://developer.hashicorp.com/consul/docs/services/usage/checks#ttl-check-configuration)
(see the following screenshot of the page)
<img width="618" alt="Screenshot 2023-07-13 at 9 01 19 PM"
src="https://github.com/hashicorp/consul/assets/463631/20707735-906f-4b06-999d-44e6329a9fec">
### PR Checklist
* [ ] updated test coverage
* [ ] external facing docs updated
* [ ] appropriate backport labels added
* [ ] not a security concern
---
<details>
<summary> Overview of commits </summary>
- d40243b3a37b58737bd5cbb104913ce0c2c87f3c
</details>
Co-authored-by: cskh <hui.kang@hashicorp.com>
## Backport
This PR is auto-generated from #18004 to be assessed for backporting due
to the inclusion of the label backport/1.16.
The below text is copied from the body of the original PR.
---
### Description
- Add jwt-provider docs for jwks cluster configuration. The
configuration was added here:
https://github.com/hashicorp/consul/pull/17978
---
<details>
<summary> Overview of commits </summary>
- 1ab3c3be1e85f4b70a0eafbc875a28311f030e49
</details>
Co-authored-by: Ronald Ekambi <ronekambi@gmail.com>
## Backport
This PR is auto-generated from #18124 to be assessed for backporting due
to the inclusion of the label backport/1.16.
🚨
> **Warning** automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, _not including_, the commit where the merge conflict occurred.
>
> The person who merged in the original PR is: @jmurret
>
> This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in.
>
> merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []
The below text is copied from the body of the original PR.
---
### Description
The following jobs started failing when go 1.20.6 was released:
- `go-test-api-1-19`
- `go-test-api-1-20`
- `compatibility-integration-tests`
- `upgrade-integration-tests`
`compatibility-integration-tests` and `compatibility-integration-tests`
are due to this testcontainers issue:
https://github.com/testcontainers/testcontainers-go/issues/1359. This
issue calls for testcontainers to release a new version when one of
their dependencies is fixed. When that is done, we will unpin the go
versions in `compatibility-integration-tests` and
`compatibility-integration-tests`.
### Testing & Reproduction steps
See these jobs broken in CI and then see them work with this PR.
---
<details>
<summary> Overview of commits </summary>
- 747195f7aaf291305681bb7d8ae070761a2aef55
- 516492420bf43427f1cf89adce4d4e222bbb5aaa
- f4d6ca19f8e543048e167b9c47528eeb0bdb656f
- a47407115e086bb5eff6b34a08839989534b505f
- 8c03b36e00719b65a87d277012dea2ac08b67442
- c50b17c46ec64dfea20f61d242e1998c804eb8f7
- 7b55f66218e3a17a0c609a1d85d45f6d1a1e6961
- 93ce5fcc61fe0292f4e0cba98c7101fbe5142139
</details>
---------
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
Co-authored-by: Chris Thain <32781396+cthain@users.noreply.github.com>
* backport of commit 0d7bee8adcf2a80aa7045ad7efcef080241f3a1e
* backport of commit 408cbe8ae0e24dd0d4947a872ebe4cc05f05805e
* backport of commit a0854784dcdc2a26bff3c5f39a687d6db73bc64a
* backport of commit 71c4c6564f78008fb653b70c4c354368423415ae
* backport of commit 0c060fa2badfe3d465065b08bdde2951f81b05a3
---------
Co-authored-by: Luke Kysow <1034429+lkysow@users.noreply.github.com>
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 4034bb2b3eba81ea13bf6d3a62d27094d96ffc24
* backport of commit 9c4c3c50f07d4072bb981c16cf993118fd7f6f1d
* backport of commit 7282078993aa51915afa801bdabded0f78397cb5
---------
Co-authored-by: Tom Davies <thomas.23.davies@bt.com>
* backport of commit 3ef758cefb78124d160bd69681fbb226b062e399
* backport of commit f7c54b6ce2ac3bb185a12aad5f649f4eed237cca
* backport of commit 6b2e88c154c2cab5bf6f013417d6b134171f16c0
* backport of commit 87dc79fddb162451ce9dd6d46615397dccb22dc9
* backport of commit 3d9805c133ab6dfde39cd41135a4c7f4048466b5
* backport of commit e76ec0a1937e7722edc554d96fa3e792bd1f56a0
* backport of commit 4b03ba27c1190e02af46e52261a2417534fdf3f4
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit e1bf4284947af9edd36e9d6f4d2c32e2d1fe9b14
* backport of commit ddf214e638327cdf4b76d325d3c4194d6e26cee3
* backport of commit e41bd9c4e372c2b83d673d6f5c4afcfb44bdf14f
* backport of commit b9cfc86e145d0b90474a1e13f5f02ce7599d9f0f
* backport of commit 0ddf013d6c4e7d44c0c6dfff8fe0c56e5c4b6ca5
* backport of commit 1b0b513b05c1b14c9eb69f0e74f72fc7a0bba118
* backport of commit 29442ad641b0de0df9753cdd207b9f15bc76e6e5
* backport of commit 5e7ddf5c7ef764e7df8fa4f6cd03431e89e8b441
* backport of commit f2b6fa7b4362ecde79b3b8a9752da6d2774d44d8
* backport of commit 83b84a985a131c0ce2b10351f6dd5ca68cef5bf2
* backport of commit 56d81738cc8143ddec27cc5134af23da4bfc2dd8
* backport of commit 0ab44f06c7249adc8a0ba43c369c66ae1f18e8c8
* backport of commit 69c99fbccb711d32194eefd04419b854cacf8750
* backport of commit b79e1245c1bf765c97462f322c09965314317b0a
* backport of commit fb1441976be9c78a2d658b094e178a0c0f75eb5e
* backport of commit 3b7b2a04242e17fc88296fc248ba491e697697c4
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 91c82db42b95f66f7edc75a668a3ebd44338e74f
* backport of commit 4be71ab9413232c1ccd537c66011bb529af65d34
---------
Co-authored-by: Xinyi Wang <xinyi.wang@hashicorp.com>
* backport of commit 1c8b71521297965bf04034caed10d29586084447
* backport of commit 0d690d9eb6d6f29bb2771f59c1a3c707360d92a5
---------
Co-authored-by: Tu Nguyen <im2nguyen@gmail.com>
* backport of commit 4f7d21da6cc2b314f82e92958dc215f25a023cb9
* backport of commit d1ba0e877c5713112dd77a2b1f8b16e34ea6c456
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit afa1f42cc719b13074f2f286202d8f21b8000753
* backport of commit e0970025d4c2e2702af30e642b37dd5e32561756
* backport of commit 2f2aad545b1ebcae22bb481b57115a679eb539e5
* backport of commit 4a5c9c181f50343911cd30fbb0f0475e473a2c7b
---------
Co-authored-by: Ranjandas <thejranjan@gmail.com>
Co-authored-by: Chris S. Kim <kisunji92@gmail.com>
* backport of commit a8658bf7c88722c0b88481637c213ce838eb3c7c
* backport of commit 966673b5fe20854f815211fe97cfff30056a002d
* backport of commit 7cea575b3a5c28f014fb35c42f46079ccbeaeef0
* backport of commit 17e57a3abe52c19d323c4159b1521788298e8216
* backport of commit 86a7dc34657c4434cb89077fff95217744e596e5
* backport of commit 7f541fffaabb377de97e13b20e8052b9573643df
* backport of commit 4e46d282ff8f24418321e32924c466762dd3f459
* backport of commit 72d7b61634ffc539f4c5a70de6c648a51a74c9f4
* backport of commit 2b6169f7cb3bd374ce0a378fc174268790dd1d4b
* backport of commit b94a833ec952979e9fc7d6518ce30897b3477323
* backport of commit 74e0ec2a05ead2da243086dedab606ff16185afe
* backport of commit be0167b4920f2406f53f326780fff2f7633734d7
* backport of commit a92a3088b4d5431fc6668c1859cd46301e44af8e
* backport of commit 4b02d312d718ac9ea265d8d39463a7625e659c51
* backport of commit f131207d42ce1684a49e18c4096def2fa6d68a82
* backport of commit 3f0be37f49b0b006e5d9ecdba8e9a4af8c933230
* backport of commit 29ed7aaf6f7e080e41e896111b9f25b95af880a7
* backport of commit 8ae546707beaf3a52c28f2e5d8a9d85b965ee93c
* backport of commit 8ed74fcf442dd8cf5e9abb8317d106564c47cfd1
* backport of commit 36537bafb6962d2f966da754a19cbc6a23ef2535
* backport of commit ef7599d7789a216e688a4663538b2e9d06f82c07
---------
Co-authored-by: David Yu <dyu@hashicorp.com>
* backport of commit 93ccfe4c1195ba0ab2d12443f25d9cf29e9e4f0c
* Ensure RSA keys are at least 2048 bits in length (#17911)
* Ensure RSA keys are at least 2048 bits in length
* Add changelog
* update key length check for FIPS compliance
* Fix no new variables error and failing to return when error exists from
validating
* clean up code for better readability
* actually return value
---------
Co-authored-by: jm96441n <john.maguire@hashicorp.com>