Skip to content

Commit

Permalink
authorization api for jwt claims
Browse files Browse the repository at this point in the history 
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
  • Loading branch information
@zhaohuabing
zhaohuabing committed Aug 6, 2024
1 parent 194a7ea commit fedc86d
Show file tree
Hide file tree
Showing 6 changed files with 195 additions and 8 deletions.
45 changes: 43 additions & 2 deletions api/v1alpha1/authorization_types.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,9 @@ type AuthorizationRule struct {
Action AuthorizationAction `json:"action"`

// Principal specifies the client identity of a request.
// If there are multiple principal types, all principals must match for the rule to match.
// For example, if there are two principals: one for client IP and one for JWT claim,
// the rule will match only if both the client IP and the JWT claim match.
Principal Principal `json:"principal"`
}

Expand All @@ -47,17 +50,55 @@ type Principal struct {
// ClientCIDRs are the IP CIDR ranges of the client.
// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
//
// If multiple CIDR ranges are specified, one of the CIDR ranges must match
// the client IP for the rule to match.
//
// The client IP is inferred from the X-Forwarded-For header, a custom header,
// or the proxy protocol.
// You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in
// the `ClientTrafficPolicy` to configure how the client IP is detected.
// +kubebuilder:validation:MinItems=1
ClientCIDRs []CIDR `json:"clientCIDRs"`

// TODO: Zhaohuabing the MinItems=1 validation can be relaxed to allow empty list
// after other principal types are supported. However, at least one principal is required
// JWTClaims are the claims in a JWT token.
//
// If multiple claims are specified, all claims must match for the rule to match.
// For example, if there are two claims: one for the audience and one for the issuer,
// the rule will match only if both the audience and the issuer match.
// Note: in order to use JWT claims for authorization, you must configure the
// JWT authentication in the same `SecurityPolicy`.
// +optional
// +notImplementedHide
JWTClaims []JWTClaim `json:"jwtClaims"`
}

// JWTClaim specifies a claim in a JWT token.
type JWTClaim struct {
// Type is the type of the claim.
// Valid values are "String" and "StringArray".
// For example, sub is a string claim, and groups is a string array claim.
// +kubebuilder:validation:Enum=String;StringArray
// +kubebuilder:default=String
// +unionDiscriminator
Type JWTClaimType `json:"type"`

// Name is the name of the claim.
Name string `json:"name"`

// Values are the values that the claim must match.
// If the claim is a string type, the specified value must match exactly.
// If the claim is a string array type, the specified value must match one of the values in the array.
// If multiple values are specified, one of the values must match for the rule to match.
Values []string `json:"values"`
}

type JWTClaimType string

const (
JWTClaimTypeString JWTClaimType = "String"
JWTClaimTypeStringArray JWTClaimType = "StringArray"
)

// AuthorizationAction defines the action to be taken if a rule matches.
// +kubebuilder:validation:Enum=Allow;Deny
type AuthorizationAction string
Expand Down
27 changes: 27 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

58 changes: 56 additions & 2 deletions charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -86,13 +86,18 @@ spec:
If not specified, Envoy Gateway will generate a unique name for the rule.n
type: string
principal:
description: Principal specifies the client identity of
a request.
description: |-
Principal specifies the client identity of a request.
If there are multiple principal types, all principals must match for the rule to match.
For example, if there are two principals: one for client IP and one for JWT claim,
the rule will match only if both the client IP and the JWT claim match.
properties:
clientCIDRs:
description: |-
ClientCIDRs are the IP CIDR ranges of the client.
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Multiple CIDR ranges can be specified.
One of the CIDR ranges must match the client IP for the rule to match.
The client IP is inferred from the X-Forwarded-For header, a custom header,
Expand All @@ -107,6 +112,55 @@ spec:
type: string
minItems: 1
type: array
jwtClaims:
description: |-
JWTClaims are the claims in a JWT token.
Multiple claims can be specified.
If there are multiple claims, all claims must match for the rule to match.
For example, if there are two claims: one for the audience and one for the issuer,
the rule will match only if both the audience and the issuer match.
Note: in order to use JWT claims for authorization, you must configure the
JWT authentication in the same `SecurityPolicy`.
items:
description: JWTClaim specifies a claim in a JWT token.
properties:
name:
description: Name is the name of the claim.
type: string
value:
description: Matches are the values that the claim
must match.
items:
description: |-
StringMatch defines how to match any strings.
This is a general purpose match condition that can be used by other EG APIs
that need to match against a string.
properties:
type:
default: Exact
description: Type specifies how to match
against a string.
enum:
- Exact
- Prefix
- Suffix
- RegularExpression
type: string
value:
description: Value specifies the string
value that the match must have.
maxLength: 1024
minLength: 1
type: string
required:
- value
type: object
type: array
required:
- name
- value
type: object
type: array
required:
- clientCIDRs
type: object
Expand Down
3 changes: 3 additions & 0 deletions internal/gatewayapi/testdata/securitypolicy-with-authoriztion.out.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -187,12 +187,14 @@ securityPolicies:
clientCIDRs:
- 192.168.1.0/24
- 192.168.2.0/24
jwtClaims: null
- action: Deny
name: deny-location-2
principal:
clientCIDRs:
- 10.75.1.0/24
- 10.75.2.0/24
jwtClaims: null
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
Expand Down Expand Up @@ -255,6 +257,7 @@ securityPolicies:
clientCIDRs:
- 10.0.1.0/24
- 10.0.2.0/24
jwtClaims: null
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
Expand Down
35 changes: 33 additions & 2 deletions site/content/en/latest/api/extension_types.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -236,7 +236,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `name` | _string_ | false | Name is a user-friendly name for the rule.<br />If not specified, Envoy Gateway will generate a unique name for the rule.n |
| `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. |
| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request. |
| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.<br />If there are multiple principal types, all principals must match for the rule to match.<br />For example, if there are two principals: one for client IP and one for JWT claim,<br />the rule will match only if both the client IP and the JWT claim match. |


#### BackOffPolicy
Expand Down Expand Up @@ -2109,6 +2109,37 @@ _Appears in:_
| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.<br />When multiple JWT providers are specified, the JWT is considered valid if<br />any of the providers successfully validate the JWT. For additional details,<br />see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |


#### JWTClaim



JWTClaim specifies a claim in a JWT token.

_Appears in:_
- [Principal](#principal)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | _[JWTClaimType](#jwtclaimtype)_ | true | Type is the type of the claim.<br />Valid values are "String" and "StringArray".<br />For example, sub is a string claim, and groups is a string array claim. |
| `name` | _string_ | true | Name is the name of the claim. |
| `values` | _string array_ | true | Values are the values that the claim must match.<br />If the claim is a string type, the specified value must match exactly.<br />If the claim is a string array type, the specified value must match one of the values in the array.<br />If multiple values are specified, one of the values must match for the rule to match. |


#### JWTClaimType

_Underlying type:_ _string_



_Appears in:_
- [JWTClaim](#jwtclaim)

| Value | Description |
| ----- | ----------- |
| `String` | |
| `StringArray` | |


#### JWTExtractor


Expand Down Expand Up @@ -2667,7 +2698,7 @@ _Appears in:_

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />The client IP is inferred from the X-Forwarded-For header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |
| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />If multiple CIDR ranges are specified, one of the CIDR ranges must match<br />the client IP for the rule to match.<br /><br />The client IP is inferred from the X-Forwarded-For header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |


#### ProcessingModeOptions
Expand Down
35 changes: 33 additions & 2 deletions site/content/zh/latest/api/extension_types.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -236,7 +236,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `name` | _string_ | false | Name is a user-friendly name for the rule.<br />If not specified, Envoy Gateway will generate a unique name for the rule.n |
| `action` | _[AuthorizationAction](#authorizationaction)_ | true | Action defines the action to be taken if the rule matches. |
| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request. |
| `principal` | _[Principal](#principal)_ | true | Principal specifies the client identity of a request.<br />If there are multiple principal types, all principals must match for the rule to match.<br />For example, if there are two principals: one for client IP and one for JWT claim,<br />the rule will match only if both the client IP and the JWT claim match. |


#### BackOffPolicy
Expand Down Expand Up @@ -2109,6 +2109,37 @@ _Appears in:_
| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.<br />When multiple JWT providers are specified, the JWT is considered valid if<br />any of the providers successfully validate the JWT. For additional details,<br />see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |


#### JWTClaim



JWTClaim specifies a claim in a JWT token.

_Appears in:_
- [Principal](#principal)

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `type` | _[JWTClaimType](#jwtclaimtype)_ | true | Type is the type of the claim.<br />Valid values are "String" and "StringArray".<br />For example, sub is a string claim, and groups is a string array claim. |
| `name` | _string_ | true | Name is the name of the claim. |
| `values` | _string array_ | true | Values are the values that the claim must match.<br />If the claim is a string type, the specified value must match exactly.<br />If the claim is a string array type, the specified value must match one of the values in the array.<br />If multiple values are specified, one of the values must match for the rule to match. |


#### JWTClaimType

_Underlying type:_ _string_



_Appears in:_
- [JWTClaim](#jwtclaim)

| Value | Description |
| ----- | ----------- |
| `String` | |
| `StringArray` | |


#### JWTExtractor


Expand Down Expand Up @@ -2667,7 +2698,7 @@ _Appears in:_

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />The client IP is inferred from the X-Forwarded-For header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |
| `clientCIDRs` | _[CIDR](#cidr) array_ | true | ClientCIDRs are the IP CIDR ranges of the client.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64"<br /><br />If multiple CIDR ranges are specified, one of the CIDR ranges must match<br />the client IP for the rule to match.<br /><br />The client IP is inferred from the X-Forwarded-For header, a custom header,<br />or the proxy protocol.<br />You can use the `ClientIPDetection` or the `EnableProxyProtocol` field in<br />the `ClientTrafficPolicy` to configure how the client IP is detected. |


#### ProcessingModeOptions
Expand Down

0 comments on commit fedc86d

Please sign in to comment.