Skip to content

[THREESCALE-9510] Allow JWT Claim Check policy access to full request context when evaluate condition #1535

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tkan145 merged 2 commits into from
Feb 16, 2025
Merged

[THREESCALE-9510] Allow JWT Claim Check policy access to full request context when evaluate condition #1535

tkan145 merged 2 commits into from
Feb 16, 2025

Conversation

@tkan145
Copy link
Contributor

@tkan145 tkan145 commented Feb 13, 2025
edited
Loading

What

Fix https://issues.redhat.com/browse/THREESCALE-9510

Verification steps

  • Checkout this branch and build a new runtime image
make runtime-image IMAGE_NAME=apicast-test
  • Move into dev-environment
cd dev-environments/keycloak-env
  • Edit apicast-config.json as follow
diff --git a/dev-environments/keycloak-env/apicast-config.json b/dev-environments/keycloak-env/apicast-config.json
index 071296cd..62fb24f5 100644
--- a/dev-environments/keycloak-env/apicast-config.json
+++ b/dev-environments/keycloak-env/apicast-config.json
@@ -90,6 +90,20 @@
               "auth_type": "use_3scale_oidc_issuer_endpoint"
             }
           },
+          {
+            "name": "apicast.policy.jwt_claim_check",
+            "configuration": {
+              "rules" : [{
+                  "operations": [
+                    {"op": "==", "jwt_claim": "{{jwt.realm_access.roles| first}}", "jwt_claim_type": "liquid", "value": "{{original_request.query | split: \"role=\" | last}}", "value_type": "liquid"}
+                  ],
+                  "combine_op": "and",
+                  "methods": ["GET"],
+                  "resource": "/"
+              }],
+              "enable_extended_context": true
+            }
+          },
           {
             "name": "apicast",
             "version": "builtin",
  • Start gateway and seed keycloak data
make gateway IMAGE_NAME=apicast-test
make keycloak-data
  • Retrieve access token
export ACCESS_TOKEN=$(make token)
  • Send a request and you should receive HTTP/1.1 200 OK
curl -v --resolve stg.example.com:8080:127.0.0.1 -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://stg.example.com:8080/?role=default-roles-basic"
  • Now send another request with query role=default-roles-basic3
curl -v --resolve stg.example.com:8080:127.0.0.1 -H "Authorization: Bearer ${ACCESS_TOKEN}" "http://stg.example.com:8080/?role=default-roles-basic3"
  • HTTP/1.1 403 Forbidden should be returned

@tkan145 tkan145 requested a review from a team as a code owner February 13, 2025 02:10
@tkan145 tkan145 force-pushed the THREESCALE-9510-jwt-clain-check-extened-context branch from be5bb77 to c06d415 Compare February 13, 2025 02:46
@tkan145 tkan145 changed the title [THREESCALE-9510] - Allow JWT Claim Check policy access to full request context when evaluate condition [THREESCALE-9510] Allow JWT Claim Check policy access to full request context when evaluate condition Feb 13, 2025
eguzki
eguzki reviewed Feb 13, 2025
View reviewed changes
Copy link
Member

@eguzki eguzki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verification steps working.

LGTM

Not approved due to some comments I want to clarify on the doc side.

gateway/src/apicast/policy/jwt_claim_check/readme.md Outdated
"resource": "/resource",
"resource_type": "plain"
}
]
Copy link
Member

@eguzki eguzki Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
]
],
"enable_extended_context": true

Copy link
Contributor Author

@tkan145 tkan145 Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

gateway/src/apicast/policy/jwt_claim_check/readme.md Outdated
"resource": "/resource",
"resource_type": "plain"
}
]
Copy link
Member

@eguzki eguzki Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
]
],
"enable_extended_context": true

Copy link
Contributor Author

@tkan145 tkan145 Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed

eguzki
eguzki reviewed Feb 13, 2025
View reviewed changes
gateway/src/apicast/policy/jwt_claim_check/readme.md Outdated
}
```

NOTE: when `enable_extended_context` is set, JWT claim value is access via `jwt` prefix.
Copy link
Member

@eguzki eguzki Feb 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

only for liquid templating, isn't it? when plain templating is used, jwt. prefix is being added by the gateway

Copy link
Contributor Author

@tkan145 tkan145 Feb 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, you are right. I updated the readme

@tkan145 tkan145 merged commit b132033 into 3scale:master Feb 16, 2025
14 checks passed
@tkan145 tkan145 deleted the THREESCALE-9510-jwt-clain-check-extened-context branch February 16, 2025 23:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eguzki eguzki eguzki approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tkan145 @eguzki