Add new jwt issuer format route option (#5338)

2025-04-29 10:26:29 +02:00 · 2024-10-25 13:07:47 -04:00 · 2024-10-25 13:07:47 -04:00 · a42e286637
commit a42e286637
parent 9e9ed8853f
5 changed files with 831 additions and 680 deletions
--- a/authorize/evaluator/headers_evaluator.go
+++ b/authorize/evaluator/headers_evaluator.go
@ -32,7 +32,18 @@ type HeadersRequest struct {
 // NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
 func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) (*HeadersRequest, error) {
 	input := new(HeadersRequest)
+	var issuerFormat string
+	if policy != nil {
+		issuerFormat = policy.JWTIssuerFormat
+	}
+	switch issuerFormat {
+	case "", "hostOnly":
 		input.Issuer = http.Hostname
+	case "uri":
+		input.Issuer = fmt.Sprintf("https://%s/", http.Hostname)
+	default:
+		return nil, fmt.Errorf("invalid issuer format: %q", policy.JWTIssuerFormat)
+	}
 	if policy != nil {
 		input.EnableGoogleCloudServerlessAuthentication = policy.EnableGoogleCloudServerlessAuthentication
 		input.EnableRoutingKey = policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_RING_HASH ||
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -53,6 +53,48 @@ func TestNewHeadersRequestFromPolicy(t *testing.T) {
 	}, req)
 }

+func TestNewHeadersRequestFromPolicy_IssuerFormat(t *testing.T) {
+	policy := &config.Policy{
+		EnableGoogleCloudServerlessAuthentication: true,
+		From: "https://*.example.com",
+		To: config.WeightedURLs{
+			{
+				URL: *mustParseURL("http://to.example.com"),
+			},
+		},
+	}
+	for _, tc := range []struct {
+		format   string
+		expected string
+		err      string
+	}{
+		{format: "", expected: "from.example.com"},
+		{format: "hostOnly", expected: "from.example.com"},
+		{format: "uri", expected: "https://from.example.com/"},
+		{format: "foo", err: `invalid issuer format: "foo"`},
+	} {
+		policy.JWTIssuerFormat = tc.format
+		req, err := NewHeadersRequestFromPolicy(policy, RequestHTTP{
+			Hostname: "from.example.com",
+			ClientCertificate: ClientCertificateInfo{
+				Leaf: "--- FAKE CERTIFICATE ---",
+			},
+		})
+		if tc.err != "" {
+			assert.ErrorContains(t, err, tc.err)
+		} else {
+			assert.Equal(t, &HeadersRequest{
+				EnableGoogleCloudServerlessAuthentication: true,
+				Issuer:     tc.expected,
+				ToAudience: "https://to.example.com",
+				ClientCertificate: ClientCertificateInfo{
+					Leaf: "--- FAKE CERTIFICATE ---",
+				},
+			}, req)
+		}
+	}
+}
+
 func TestNewHeadersRequestFromPolicy_nil(t *testing.T) {
 	req, _ := NewHeadersRequestFromPolicy(nil, RequestHTTP{Hostname: "from.example.com"})
 	assert.Equal(t, &HeadersRequest{
--- a/config/policy.go
+++ b/config/policy.go
@ -157,6 +157,12 @@ type Policy struct {
 	// to upstream requests.
 	EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"`

+	// JWTIssuerFormat controls the format of the 'iss' claim in JWTs passed to upstream services by this route.
+	// Possible values:
+	// - "hostOnly" (default): Issuer strings will be the hostname of the route, with no scheme or trailing slash.
+	// - "uri": Issuer strings will be a complete URI, including the scheme and ending with a trailing slash.
+	JWTIssuerFormat string `mapstructure:"jwt_issuer_format" yaml:"jwt_issuer_format,omitempty"`
+
 	SubPolicies []SubPolicy `mapstructure:"sub_policies" yaml:"sub_policies,omitempty" json:"sub_policies,omitempty"`

 	EnvoyOpts *envoy_config_cluster_v3.Cluster `mapstructure:"_envoy_opts" yaml:"-" json:"-"`
@ -321,6 +327,13 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 		p.EnvoyOpts.Name = pb.Name
 	}

+	switch pb.GetJwtIssuerFormat() {
+	case configpb.IssuerFormat_IssuerHostOnly:
+		p.JWTIssuerFormat = "hostOnly"
+	case configpb.IssuerFormat_IssuerURI:
+		p.JWTIssuerFormat = "uri"
+	}
+
 	for _, rwh := range pb.RewriteResponseHeaders {
 		p.RewriteResponseHeaders = append(p.RewriteResponseHeaders, RewriteHeader{
 			Header: rwh.GetHeader(),
@ -461,6 +474,13 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 		pb.LoadBalancingWeights = weights
 	}

+	switch p.JWTIssuerFormat {
+	case "", "hostOnly":
+		pb.JwtIssuerFormat = configpb.IssuerFormat_IssuerHostOnly
+	case "uri":
+		pb.JwtIssuerFormat = configpb.IssuerFormat_IssuerURI
+	}
+
 	for _, rwh := range p.RewriteResponseHeaders {
 		pb.RewriteResponseHeaders = append(pb.RewriteResponseHeaders, &configpb.RouteRewriteHeader{
 			Header: rwh.Header,
--- a/pkg/grpc/config/config.pb.go
+++ b/pkg/grpc/config/config.pb.go
--- a/pkg/grpc/config/config.proto
+++ b/pkg/grpc/config/config.proto
@ -38,7 +38,16 @@ message RouteDirectResponse {
  string body = 2;
 }

-// Next ID: 65.
+enum IssuerFormat {
+  // Issuer strings will be the hostname of the route, with no scheme or
+  // trailing slash.
+  IssuerHostOnly = 0;
+  // Issuer strings will be a complete URI, including the scheme and ending
+  // with a trailing slash.
+  IssuerURI = 1;
+}
+
+// Next ID: 66.
 message Route {
  string name = 1;

@ -105,6 +114,7 @@ message Route {
  string kubernetes_service_account_token = 26;
  string kubernetes_service_account_token_file = 64;
  bool enable_google_cloud_serverless_authentication = 42;
+  IssuerFormat jwt_issuer_format = 65;

  envoy.config.cluster.v3.Cluster envoy_opts = 36;