From 33b3bc0b45a71374c58625a0b9b2e4477f3423e1 Mon Sep 17 00:00:00 2001 From: Ardika Bagus Date: Fri, 12 Apr 2024 22:30:05 +0700 Subject: [PATCH] chore: adjust comment and use pointer for non-manandatory field Signed-off-by: Ardika Bagus --- api/v1alpha1/jwt_types.go | 6 +- api/v1alpha1/zz_generated.deepcopy.go | 5 ++ ...ateway.envoyproxy.io_securitypolicies.yaml | 5 +- internal/gatewayapi/securitypolicy.go | 2 +- .../securitypolicy-with-jwt-optional.out.yaml | 82 ++++++++++--------- internal/ir/xds.go | 2 +- internal/xds/translator/jwt.go | 2 +- .../testdata/in/xds-ir/jwt-optional.yaml | 35 ++++---- site/content/en/latest/api/extension_types.md | 3 +- 9 files changed, 75 insertions(+), 67 deletions(-) diff --git a/api/v1alpha1/jwt_types.go b/api/v1alpha1/jwt_types.go index f0bdd7d6f75..945ab68ae60 100644 --- a/api/v1alpha1/jwt_types.go +++ b/api/v1alpha1/jwt_types.go @@ -8,9 +8,9 @@ package v1alpha1 // JWT defines the configuration for JSON Web Token (JWT) authentication. type JWT struct { - // AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented. - // - AllowMissing bool `json:"allowMissing,omitempty"` + // AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified. + // Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented. + AllowMissing *bool `json:"allowMissing,omitempty"` // Providers defines the JSON Web Token (JWT) authentication provider type. // When multiple JWT providers are specified, the JWT is considered valid if diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 0055d7669f1..d959961e7bd 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -2202,6 +2202,11 @@ func (in *JSONPatchOperation) DeepCopy() *JSONPatchOperation { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *JWT) DeepCopyInto(out *JWT) { *out = *in + if in.AllowMissing != nil { + in, out := &in.AllowMissing, &out.AllowMissing + *out = new(bool) + **out = **in + } if in.Providers != nil { in, out := &in.Providers, &out.Providers *out = make([]JWTProvider, len(*in)) diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 63678fa69de..e5720170389 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -423,8 +423,9 @@ spec: authentication. properties: allowMissing: - description: AllowMissing specifies whether a missing JWT is acceptable, - but it will fail if an invalid JWT is presented. + description: |- + AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified. + Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented. type: boolean providers: description: |- diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go index 804c8d42d8a..e3d9dbd8f9c 100644 --- a/internal/gatewayapi/securitypolicy.go +++ b/internal/gatewayapi/securitypolicy.go @@ -527,7 +527,7 @@ func wildcard2regex(wildcard string) string { func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT { return &ir.JWT{ - AllowMissing: jwt.AllowMissing, + AllowMissing: ptr.Deref(jwt.AllowMissing, false), Providers: jwt.Providers, } } diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml index de595317ec3..9b47bb8990d 100644 --- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml +++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml @@ -307,27 +307,28 @@ xdsIR: weight: 1 hostname: '*' isHTTP2: true - jwt: - providers: - - audiences: - - one.foo.com - claimToHeaders: - - claim: claim1 - header: one-route-example-key - issuer: https://one.example.com - name: example1 - remoteJWKS: - uri: https://one.example.com/jwt/public-key/jwks.json - - audiences: - - two.foo.com - claimToHeaders: - - claim: claim2 - header: two-route-example-key - issuer: https://two.example.com - name: example2 - remoteJWKS: - uri: https://two.example.com/jwt/public-key/jwks.json name: grpcroute/default/grpcroute-1/rule/0/match/-1/* + security: + jwt: + providers: + - audiences: + - one.foo.com + claimToHeaders: + - claim: claim1 + header: one-route-example-key + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json + - audiences: + - two.foo.com + claimToHeaders: + - claim: claim2 + header: two-route-example-key + issuer: https://two.example.com + name: example2 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json envoy-gateway/gateway-2: accessLog: text: @@ -357,28 +358,29 @@ xdsIR: weight: 1 hostname: gateway.envoyproxy.io isHTTP2: false - jwt: - allowMissing: true - providers: - - audiences: - - three.foo.com - claimToHeaders: - - claim: claim3 - header: three-route-example-key - extractFrom: - cookies: - - session_access_token - headers: - - name: Authorization - valuePrefix: 'Bearer ' - params: - - token - issuer: https://three.example.com - name: example3 - remoteJWKS: - uri: https://three.example.com/jwt/public-key/jwks.json name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io pathMatch: distinct: false name: "" prefix: / + security: + jwt: + allowMissing: true + providers: + - audiences: + - three.foo.com + claimToHeaders: + - claim: claim3 + header: three-route-example-key + extractFrom: + cookies: + - session_access_token + headers: + - name: Authorization + valuePrefix: 'Bearer ' + params: + - token + issuer: https://three.example.com + name: example3 + remoteJWKS: + uri: https://three.example.com/jwt/public-key/jwks.json diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 8bd92214e29..a0522e788a7 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -570,7 +570,7 @@ type CORS struct { // // +k8s:deepcopy-gen=true type JWT struct { - // AllowMissing specifies whether JWT authentication could be optionally required. + // AllowMissing determines whether a missing JWT is acceptable. // AllowMissing bool `json:"allowMissing,omitempty" yaml:"allowMissing,omitempty"` diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go index de5af852a99..822a5adf159 100644 --- a/internal/xds/translator/jwt.go +++ b/internal/xds/translator/jwt.go @@ -165,7 +165,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication, }) } - if route.JWT.AllowMissing { + if route.Security.JWT.AllowMissing { reqs = append(reqs, &jwtauthnv3.JwtRequirement{ RequiresType: &jwtauthnv3.JwtRequirement_AllowMissing{ AllowMissing: &emptypb.Empty{}, diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml index 4104cdefe5f..b43dd005257 100644 --- a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml @@ -12,23 +12,24 @@ http: hostname: "*" pathMatch: exact: "foo/bar" - jwt: - providers: - - name: example - issuer: https://www.example.com - audiences: - - foo.com - remoteJWKS: - uri: https://localhost/jwt/public-key/jwks.json - extractFrom: - cookies: - - session_access_token - headers: - - name: Authorization - valuePrefix: 'Bearer ' - params: - - token - allowMissing: true + security: + jwt: + providers: + - name: example + issuer: https://www.example.com + audiences: + - foo.com + remoteJWKS: + uri: https://localhost/jwt/public-key/jwks.json + extractFrom: + cookies: + - session_access_token + headers: + - name: Authorization + valuePrefix: 'Bearer ' + params: + - token + allowMissing: true destination: name: "first-route-dest" settings: diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 1167b8a9a39..4068596f6a4 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -1626,9 +1626,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `allowMissing` | _boolean_ | true | AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented. | -| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +| `allowMissing` | _boolean_ | true | AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented. | | `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |