3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-03 00:40:25 +02:00
Code Issues Projects Releases Packages Wiki Activity

add global jwt_issuer_format option (#5508)

Browse source 
Add a corresponding global setting for the existing route-level
jwt_issuer_format option. The route-level option will take precedence
when set to a non-empty string.
This commit is contained in:
Kenneth Jenkins 2025-03-11 14:11:50 -07:00 committed by GitHub
parent b86c9931b1
commit ad183873f4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 902 additions and 781 deletions
Download patch file Download diff file Expand all files Collapse all files

19
config/policy.go
View file

@ -167,7 +167,7 @@ type Policy struct {
// Possible values:
// - "hostOnly" (default): Issuer strings will be the hostname of the route, with no scheme or trailing slash.
// - "uri": Issuer strings will be a complete URI, including the scheme and ending with a trailing slash.
JWTIssuerFormat string `mapstructure:"jwt_issuer_format" yaml:"jwt_issuer_format,omitempty"`
JWTIssuerFormat JWTIssuerFormat `mapstructure:"jwt_issuer_format" yaml:"jwt_issuer_format,omitempty"`
// BearerTokenFormat indicates how authorization bearer tokens are interepreted. Possible values:
// - "default": Only Bearer tokens prefixed with Pomerium- will be interpreted by Pomerium
// - "idp_access_token": The Bearer token will be interpreted as an IdP access token.
@ -309,6 +309,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
IDPClientID: pb.GetIdpClientId(),
IDPClientSecret: pb.GetIdpClientSecret(),
JWTGroupsFilter: NewJWTGroupsFilter(pb.JwtGroupsFilter),
JWTIssuerFormat: JWTIssuerFormatFromPB(pb.JwtIssuerFormat),
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
KubernetesServiceAccountTokenFile: pb.GetKubernetesServiceAccountTokenFile(),
LogoURL: pb.GetLogoUrl(),
@ -390,9 +391,9 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
switch pb.GetJwtIssuerFormat() {
case configpb.IssuerFormat_IssuerHostOnly:
p.JWTIssuerFormat = "hostOnly"
p.JWTIssuerFormat = JWTIssuerFormatHostOnly
case configpb.IssuerFormat_IssuerURI:
p.JWTIssuerFormat = "uri"
p.JWTIssuerFormat = JWTIssuerFormatURI
}
p.BearerTokenFormat = BearerTokenFormatFromPB(pb.BearerTokenFormat)
@ -468,6 +469,7 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
Id: p.ID,
IdleTimeout: idleTimeout,
JwtGroupsFilter: p.JWTGroupsFilter.ToSlice(),
JwtIssuerFormat: p.JWTIssuerFormat.ToPB(),
KubernetesServiceAccountToken: p.KubernetesServiceAccountToken,
KubernetesServiceAccountTokenFile: p.KubernetesServiceAccountTokenFile,
LogoUrl: p.LogoURL,
@ -555,13 +557,6 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
pb.LoadBalancingWeights = weights
}
switch p.JWTIssuerFormat {
case "", "hostOnly":
pb.JwtIssuerFormat = configpb.IssuerFormat_IssuerHostOnly
case "uri":
pb.JwtIssuerFormat = configpb.IssuerFormat_IssuerURI
}
pb.BearerTokenFormat = p.BearerTokenFormat.ToPB()
for _, rwh := range p.RewriteResponseHeaders {
@ -698,6 +693,10 @@ func (p *Policy) Validate() error {
p.compiledRegex, _ = regexp.Compile(rawRE)
}
if !p.JWTIssuerFormat.Valid() {
return fmt.Errorf("config: unsupported jwt_issuer_format value %q", p.JWTIssuerFormat)
}
return nil
}