core/envoy: fix remove cookie lua script (#4641)

* core/envoy: fix remove cookie lua script * fix matching prefix * fix test data
2025-07-29 22:48:15 +02:00 · 2023-11-09 10:49:56 -07:00 · 2023-11-09 10:49:56 -07:00 · 04de3e3d40
commit 04de3e3d40
parent 6cec77bad5
3 changed files with 21 additions and 10 deletions
--- a/config/envoyconfig/lua_test.go
+++ b/config/envoyconfig/lua_test.go
@ -24,9 +24,11 @@ func TestLuaCleanUpstream(t *testing.T) {
 		"context-type":             "text/plain",
 		"authorization":            "Pomerium JWT",
 		"x-pomerium-authorization": "JWT",
+		"cookie":                   "cookieA=aaa_pomerium=123; cookieb=bbb; _pomerium=ey;_pomerium_test1=stillhere ; _pomerium_test2=stillhere",
 	}
 	metadata := map[string]interface{}{
 		"remove_pomerium_authorization": true,
+		"remove_pomerium_cookie":        "_pomerium",
 	}
 	dynamicMetadata := map[string]map[string]interface{}{}
 	handle := newLuaResponseHandle(L, headers, metadata, dynamicMetadata)
@ -40,6 +42,7 @@ func TestLuaCleanUpstream(t *testing.T) {

 	assert.Equal(t, map[string]string{
 		"context-type": "text/plain",
+		"cookie":       "cookieA=aaa_pomerium=123; cookieb=bbb; _pomerium_test1=stillhere ; _pomerium_test2=stillhere",
 	}, headers)
 }

--- a/config/envoyconfig/luascripts/clean-upstream.lua
+++ b/config/envoyconfig/luascripts/clean-upstream.lua
@ -1,15 +1,23 @@
-function remove_pomerium_cookie(cookie_name, cookie)
-    -- lua doesn't support optional capture groups
-    -- so we replace twice to handle pomerium=xyz at the end of the string
-    cookie = cookie:gsub(cookie_name .. "=[^;]+; ", "")
-    cookie = cookie:gsub(cookie_name .. "=[^;]+", "")
-    return cookie
-end
-
 function has_prefix(str, prefix)
    return str ~= nil and str:sub(1, #prefix) == prefix
 end

+function remove_pomerium_cookie(cookie_name, cookie)
+    local result = ""
+    for c in cookie:gmatch("([^;]+)") do
+        c = c:gsub("^ +","")
+        local name = c:match("^([^=]+)")
+        if name ~= cookie_name then
+            if string.len(result) > 0 then
+                result = result .. "; " .. c
+            else
+                result = result .. c
+            end
+        end
+    end
+    return result
+end
+
 function envoy_on_request(request_handle)
    local headers = request_handle:headers()
    local metadata = request_handle:metadata()
@ -18,7 +26,7 @@ function envoy_on_request(request_handle)
    if remove_cookie_name then
        local cookie = headers:get("cookie")
        if cookie ~= nil then
-            newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)
+            local newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)
            headers:replace("cookie", newcookie)
        end
    end
--- a/config/envoyconfig/testdata/main_http_connection_manager_filter.json
+++ b/config/envoyconfig/testdata/main_http_connection_manager_filter.json
@ -75,7 +75,7 @@
        "typedConfig": {
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
          "defaultSourceCode": {
-            "inlineString": "function remove_pomerium_cookie(cookie_name, cookie)\n    -- lua doesn't support optional capture groups\n    -- so we replace twice to handle pomerium=xyz at the end of the string\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+; \", \"\")\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+\", \"\")\n    return cookie\nend\n\nfunction has_prefix(str, prefix)\n    return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n    if remove_cookie_name then\n        local cookie = headers:get(\"cookie\")\n        if cookie ~= nil then\n            newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n            headers:replace(\"cookie\", newcookie)\n        end\n    end\n\n    local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n    if remove_authorization then\n        local authorization = headers:get(\"authorization\")\n        local authorization_prefix = \"Pomerium \"\n        if has_prefix(authorization, authorization_prefix) then\n            headers:remove(\"authorization\")\n        end\n\n        headers:remove('x-pomerium-authorization')\n    end\nend\n\nfunction envoy_on_response(response_handle) end\n"
+            "inlineString": "function has_prefix(str, prefix)\n    return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction remove_pomerium_cookie(cookie_name, cookie)\n    local result = \"\"\n    for c in cookie:gmatch(\"([^;]+)\") do\n        c = c:gsub(\"^ +\",\"\")\n        local name = c:match(\"^([^=]+)\")\n        if name ~= cookie_name then\n            if string.len(result) \u003e 0 then\n                result = result .. \"; \" .. c\n            else\n                result = result .. c\n            end\n        end\n    end\n    return result\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n    if remove_cookie_name then\n        local cookie = headers:get(\"cookie\")\n        if cookie ~= nil then\n            local newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n            headers:replace(\"cookie\", newcookie)\n        end\n    end\n\n    local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n    if remove_authorization then\n        local authorization = headers:get(\"authorization\")\n        local authorization_prefix = \"Pomerium \"\n        if has_prefix(authorization, authorization_prefix) then\n            headers:remove(\"authorization\")\n        end\n\n        headers:remove('x-pomerium-authorization')\n    end\nend\n\nfunction envoy_on_response(response_handle) end\n"
          }
        }
      },