From 7cbffcd4ab4392cec9c33dea2dad1ee614a47681 Mon Sep 17 00:00:00 2001 From: Kebe Date: Mon, 10 Oct 2022 05:14:11 +0000 Subject: [PATCH] Add from_cookies filed for JWTRule --- kubernetes/customresourcedefinitions.gen.yaml | 5 ++ security/v1beta1/jwt.gen.json | 7 +++ security/v1beta1/jwt.pb.go | 52 +++++++++++++------ security/v1beta1/jwt.pb.html | 19 +++++++ security/v1beta1/jwt.proto | 12 +++++ .../v1beta1/request_authentication.gen.json | 7 +++ 6 files changed, 87 insertions(+), 15 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 1ec0b6effae..5b6ae7a8a9b 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6586,6 +6586,11 @@ spec: description: If set to true, the original token will be kept for the upstream request. type: boolean + fromCookies: + description: List of Cookie names from which JWT is expected. + items: + type: string + type: array fromHeaders: description: List of header locations from which JWT is expected. items: diff --git a/security/v1beta1/jwt.gen.json b/security/v1beta1/jwt.gen.json index a7fbbc746f2..f60c0274422 100644 --- a/security/v1beta1/jwt.gen.json +++ b/security/v1beta1/jwt.gen.json @@ -57,6 +57,13 @@ "type": "string" } }, + "fromCookies": { + "description": "List of Cookie names from which JWT is expected. For example, if JWT is provided via Cookie header value (e.g `Cookie: auth-token=\u003cJWT\u003e;`)", + "type": "array", + "items": { + "type": "string" + } + }, "outputPayloadToHeader": { "description": "This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, the payload will not be emitted.", "type": "string" diff --git a/security/v1beta1/jwt.pb.go b/security/v1beta1/jwt.pb.go index 163d12c48b4..e4e94b51b56 100644 --- a/security/v1beta1/jwt.pb.go 
+++ b/security/v1beta1/jwt.pb.go @@ -143,6 +143,19 @@ type JWTRule struct { // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of // such requests is undefined. FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"` + // List of Cookie names from which JWT is expected. For example, if JWT is provided via Cookie header value + // (e.g `Cookie: auth-token=;`) + // + // ```yaml + // + // fromCookies: + // - "auth-token" + // + // ``` + // + // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of + // such requests is undefined. + FromCookies []string `protobuf:"bytes,11,rep,name=from_cookies,json=fromCookies,proto3" json:"from_cookies,omitempty"` // This field specifies the header name to output a successfully verified JWT payload to the // backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, // the payload will not be emitted. @@ -225,6 +238,13 @@ func (x *JWTRule) GetFromParams() []string { return nil } +func (x *JWTRule) GetFromCookies() []string { + if x != nil { + return x.FromCookies + } + return nil +} + func (x *JWTRule) GetOutputPayloadToHeader() string { if x != nil { return x.OutputPayloadToHeader 
@@ -307,7 +327,7 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xca, 0x02, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xed, 0x02, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1c, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 
@@ -321,20 +341,22 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x66, 0x72, 0x6f, 0x6d, 0x50, 0x61, 0x72, - 0x61, 0x6d, 0x73, 0x12, 0x37, 0x0a, 0x18, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x70, 0x61, - 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x6f, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, - 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, - 0x6c, 0x6f, 0x61, 0x64, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x34, 0x0a, 0x16, - 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, - 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x66, 0x6f, - 0x72, 0x77, 0x61, 0x72, 0x64, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x54, 0x6f, 0x6b, - 0x65, 0x6e, 0x22, 0x3d, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, - 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, - 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, - 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, - 0x78, 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, - 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x61, 0x6d, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x63, 0x6f, 0x6f, 0x6b, + 0x69, 0x65, 0x73, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x43, + 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x73, 0x12, 0x37, 0x0a, 0x18, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, + 
0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x6f, 0x5f, 0x68, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, + 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, + 0x34, 0x0a, 0x16, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x6f, 0x72, 0x69, 0x67, 0x69, + 0x6e, 0x61, 0x6c, 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x14, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, + 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0x3d, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x12, 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, + 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, + 0x65, 0x66, 0x69, 0x78, 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, + 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, + 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/security/v1beta1/jwt.pb.html b/security/v1beta1/jwt.pb.html index efb5da0eb4c..7d02f941704 100644 --- a/security/v1beta1/jwt.pb.html +++ b/security/v1beta1/jwt.pb.html @@ -156,6 +156,25 @@

JWTRule

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

+ + +No + + + +fromCookies +string[] + +

List of Cookie names from which JWT is expected. For example, if JWT is provided via Cookie header value +(e.g Cookie: auth-token=<JWT>;)

+ +
  fromCookies:
+  - "auth-token"
+
+ +

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +such requests is undefined.

+ No diff --git a/security/v1beta1/jwt.proto b/security/v1beta1/jwt.proto index 858b7f283ab..6b711af6ebe 100644 --- a/security/v1beta1/jwt.proto +++ b/security/v1beta1/jwt.proto @@ -136,6 +136,18 @@ message JWTRule { // such requests is undefined. repeated string from_params = 7; + // List of Cookie names from which JWT is expected. For example, if JWT is provided via Cookie header value + // (e.g `Cookie: auth-token=;`) + // + // ```yaml + // fromCookies: + // - "auth-token" + // ``` + // + // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of + // such requests is undefined. + repeated string from_cookies = 11; + // This field specifies the header name to output a successfully verified JWT payload to the // backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, // the payload will not be emitted. diff --git a/security/v1beta1/request_authentication.gen.json b/security/v1beta1/request_authentication.gen.json index 68280f10e25..fb8104d4225 100644 --- a/security/v1beta1/request_authentication.gen.json +++ b/security/v1beta1/request_authentication.gen.json @@ -57,6 +57,13 @@ "type": "string" } }, + "fromCookies": { + "description": "List of Cookie names from which JWT is expected. For example, if JWT is provided via Cookie header value (e.g `Cookie: auth-token=\u003cJWT\u003e;`)", + "type": "array", + "items": { + "type": "string" + } + }, "outputPayloadToHeader": { "description": "This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified, the payload will not be emitted.", "type": "string"
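Review bot: The new `from_cookies` comment in the jwt.proto hunk repeats the multiple-tokens note from `from_params` but documents nothing specific to cookies. A browser attaches a cookie to requests automatically, so a JWT accepted from a cookie is an ambient credential in a way an `Authorization` header is not. I would add to the field comment: `// Note: cookies are sent by the browser without application involvement; a workload that accepts the JWT from a cookie needs its own CSRF protection (for example SameSite cookies).` Separately, the compiled descriptor in jwt.pb.go goes from `forward_original_token` (9) to `from_cookies` (11) with no field 10 visible; if that number is held for another change, a one-line comment saying so would keep a later author from reusing it. The `JWTRule` message starts and ends outside this hunk, so the field-number point is inferred from the descriptor bytes only.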