Add new jwt issuer format route option (#5338)

2025-08-03 08:50:42 +02:00 · 2024-10-25 13:07:47 -04:00 · 2024-10-25 13:07:47 -04:00 · a42e286637
commit a42e286637
parent 9e9ed8853f
5 changed files with 831 additions and 680 deletions
--- a/authorize/evaluator/headers_evaluator.go
+++ b/authorize/evaluator/headers_evaluator.go
@ -32,7 +32,18 @@ type HeadersRequest struct {
 // NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
 func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) (*HeadersRequest, error) {
 	input := new(HeadersRequest)
-	input.Issuer = http.Hostname
+	var issuerFormat string
+	if policy != nil {
+		issuerFormat = policy.JWTIssuerFormat
+	}
+	switch issuerFormat {
+	case "", "hostOnly":
+		input.Issuer = http.Hostname
+	case "uri":
+		input.Issuer = fmt.Sprintf("https://%s/", http.Hostname)
+	default:
+		return nil, fmt.Errorf("invalid issuer format: %q", policy.JWTIssuerFormat)
+	}
 	if policy != nil {
 		input.EnableGoogleCloudServerlessAuthentication = policy.EnableGoogleCloudServerlessAuthentication
 		input.EnableRoutingKey = policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_RING_HASH ||
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -53,6 +53,48 @@ func TestNewHeadersRequestFromPolicy(t *testing.T) {
 	}, req)
 }

+func TestNewHeadersRequestFromPolicy_IssuerFormat(t *testing.T) {
+	policy := &config.Policy{
+		EnableGoogleCloudServerlessAuthentication: true,
+		From: "https://*.example.com",
+		To: config.WeightedURLs{
+			{
+				URL: *mustParseURL("http://to.example.com"),
+			},
+		},
+	}
+	for _, tc := range []struct {
+		format   string
+		expected string
+		err      string
+	}{
+		{format: "", expected: "from.example.com"},
+		{format: "hostOnly", expected: "from.example.com"},
+		{format: "uri", expected: "https://from.example.com/"},
+		{format: "foo", err: `invalid issuer format: "foo"`},
+	} {
+		policy.JWTIssuerFormat = tc.format
+		req, err := NewHeadersRequestFromPolicy(policy, RequestHTTP{
+			Hostname: "from.example.com",
+			ClientCertificate: ClientCertificateInfo{
+				Leaf: "--- FAKE CERTIFICATE ---",
+			},
+		})
+		if tc.err != "" {
+			assert.ErrorContains(t, err, tc.err)
+		} else {
+			assert.Equal(t, &HeadersRequest{
+				EnableGoogleCloudServerlessAuthentication: true,
+				Issuer:     tc.expected,
+				ToAudience: "https://to.example.com",
+				ClientCertificate: ClientCertificateInfo{
+					Leaf: "--- FAKE CERTIFICATE ---",
+				},
+			}, req)
+		}
+	}
+}
+
 func TestNewHeadersRequestFromPolicy_nil(t *testing.T) {
 	req, _ := NewHeadersRequestFromPolicy(nil, RequestHTTP{Hostname: "from.example.com"})
 	assert.Equal(t, &HeadersRequest{