From 04de3e3d40347f950b79e94f5ee3f8556d51d586 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Thu, 9 Nov 2023 10:49:56 -0700 Subject: [PATCH] core/envoy: fix remove cookie lua script (#4641) * core/envoy: fix remove cookie lua script * fix matching prefix * fix test data --- config/envoyconfig/lua_test.go | 3 +++ .../envoyconfig/luascripts/clean-upstream.lua | 26 ++++++++++++------- .../main_http_connection_manager_filter.json | 2 +- 3 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/config/envoyconfig/lua_test.go b/config/envoyconfig/lua_test.go
index b3badf32e..8b3f8d7d2 100644
--- a/config/envoyconfig/lua_test.go
+++ b/config/envoyconfig/lua_test.go
@@ -24,9 +24,11 @@ func TestLuaCleanUpstream(t *testing.T) {
 "context-type": "text/plain",
 "authorization": "Pomerium JWT",
 "x-pomerium-authorization": "JWT",
+ "cookie": "cookieA=aaa_pomerium=123; cookieb=bbb; _pomerium=ey;_pomerium_test1=stillhere ; _pomerium_test2=stillhere",
 }
 metadata := map[string]interface{}{
 "remove_pomerium_authorization": true,
+ "remove_pomerium_cookie": "_pomerium",
 }
 dynamicMetadata := map[string]map[string]interface{}{}
 handle := newLuaResponseHandle(L, headers, metadata, dynamicMetadata)
@@ -40,6 +42,7 @@ func TestLuaCleanUpstream(t *testing.T) {
 assert.Equal(t, map[string]string{
 "context-type": "text/plain",
+ "cookie": "cookieA=aaa_pomerium=123; cookieb=bbb; _pomerium_test1=stillhere ; _pomerium_test2=stillhere",
 }, headers)
 }
diff --git a/config/envoyconfig/luascripts/clean-upstream.lua b/config/envoyconfig/luascripts/clean-upstream.lua
index 64bd60315..f12079f8d 100644
--- a/config/envoyconfig/luascripts/clean-upstream.lua
+++ b/config/envoyconfig/luascripts/clean-upstream.lua
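Review bot: The new `cookie` fixture in TestLuaCleanUpstream pins only the case where other cookies survive the filter, so the result for a request whose sole cookie is `_pomerium=ey` is untested. A second case with that header would record what the upstream receives when `remove_pomerium_cookie` returns an empty string. Cases with the Pomerium cookie first and last in the header would cover the `; ` separator handling at both ends. The test function starts outside these two hunks.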
@@ -1,15 +1,23 @@
-function remove_pomerium_cookie(cookie_name, cookie)
- -- lua doesn't support optional capture groups
- -- so we replace twice to handle pomerium=xyz at the end of the string
- cookie = cookie:gsub(cookie_name .. "=[^;]+; ", "")
- cookie = cookie:gsub(cookie_name .. "=[^;]+", "")
- return cookie
-end
-
 function has_prefix(str, prefix)
 return str ~= nil and str:sub(1, #prefix) == prefix
 end
+function remove_pomerium_cookie(cookie_name, cookie)
+ local result = ""
+ for c in cookie:gmatch("([^;]+)") do
+ c = c:gsub("^ +","")
+ local name = c:match("^([^=]+)")
+ if name ~= cookie_name then
+ if string.len(result) > 0 then
+ result = result .. "; " .. c
+ else
+ result = result .. c
+ end
+ end
+ end
+ return result
+end
+
 function envoy_on_request(request_handle)
 local headers = request_handle:headers()
 local metadata = request_handle:metadata()
@@ -18,7 +26,7 @@ function envoy_on_request(request_handle)
 if remove_cookie_name then
 local cookie = headers:get("cookie")
 if cookie ~= nil then
- newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)
+ local newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)
 headers:replace("cookie", newcookie)
 end
 end
diff --git a/config/envoyconfig/testdata/main_http_connection_manager_filter.json b/config/envoyconfig/testdata/main_http_connection_manager_filter.json
index cc9cc0bb2..82a78649e 100644
--- a/config/envoyconfig/testdata/main_http_connection_manager_filter.json
+++ b/config/envoyconfig/testdata/main_http_connection_manager_filter.json
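Review bot: In `remove_pomerium_cookie` the name comparison is exact, but only leading space characters are stripped (`c:gsub("^ +","")`) and the capture `^([^=]+)` keeps any whitespace that precedes `=`. A pair written with whitespace before the `=` or with a leading tab therefore yields a name that differs from `cookie_name` and is forwarded upstream. Whether that matters depends on how leniently the upstream parses cookie names, which this diff does not show. Trimming on both sides would close the gap, with `c = c:gsub("^%s+", "")` and `local name = c:match("^([^=%s]+)")`. A comment above the function such as `-- removes only the cookie whose name equals cookie_name exactly (no prefix or substring match)` would also record why the gsub version was replaced.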
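Review bot: When the Pomerium cookie is the only cookie in the request, `remove_pomerium_cookie` returns `""`, and the unchanged `headers:replace("cookie", newcookie)` line in the second hunk then forwards an empty `cookie` header instead of dropping it. Consider `if newcookie == "" then headers:remove("cookie") else headers:replace("cookie", newcookie) end`, which uses the same `headers:remove` call the script already applies to `authorization`. envoy_on_request starts before this hunk and continues past its end.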
@@ -75,7 +75,7 @@ "typedConfig": { "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua", "defaultSourceCode": { - "inlineString": "function remove_pomerium_cookie(cookie_name, cookie)\n -- lua doesn't support optional capture groups\n -- so we replace twice to handle pomerium=xyz at the end of the string\n cookie = cookie:gsub(cookie_name .. \"=[^;]+; \", \"\")\n cookie = cookie:gsub(cookie_name .. \"=[^;]+\", \"\")\n return cookie\nend\n\nfunction has_prefix(str, prefix)\n return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local metadata = request_handle:metadata()\n\n local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n if remove_cookie_name then\n local cookie = headers:get(\"cookie\")\n if cookie ~= nil then\n newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n headers:replace(\"cookie\", newcookie)\n end\n end\n\n local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n if remove_authorization then\n local authorization = headers:get(\"authorization\")\n local authorization_prefix = \"Pomerium \"\n if has_prefix(authorization, authorization_prefix) then\n headers:remove(\"authorization\")\n end\n\n headers:remove('x-pomerium-authorization')\n end\nend\n\nfunction envoy_on_response(response_handle) end\n" + "inlineString": "function has_prefix(str, prefix)\n return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction remove_pomerium_cookie(cookie_name, cookie)\n local result = \"\"\n for c in cookie:gmatch(\"([^;]+)\") do\n c = c:gsub(\"^ +\",\"\")\n local name = c:match(\"^([^=]+)\")\n if name ~= cookie_name then\n if string.len(result) \u003e 0 then\n result = result .. \"; \" .. c\n else\n result = result .. 
c\n end\n end\n end\n return result\nend\n\nfunction envoy_on_request(request_handle)\n local headers = request_handle:headers()\n local metadata = request_handle:metadata()\n\n local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n if remove_cookie_name then\n local cookie = headers:get(\"cookie\")\n if cookie ~= nil then\n local newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n headers:replace(\"cookie\", newcookie)\n end\n end\n\n local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n if remove_authorization then\n local authorization = headers:get(\"authorization\")\n local authorization_prefix = \"Pomerium \"\n if has_prefix(authorization, authorization_prefix) then\n headers:remove(\"authorization\")\n end\n\n headers:remove('x-pomerium-authorization')\n end\nend\n\nfunction envoy_on_response(response_handle) end\n" } } },