From 0b26929a68db6badb61dd7749fbce8cfc344eb12 Mon Sep 17 00:00:00 2001
From: An Tran
Date: Tue, 28 Nov 2023 12:55:01 +1000
Subject: [PATCH 1/2] JWT claim check policy: uri was not escape correctly

The uri was not escaped correctly so the mapping rule will not work as expected.
---
 .../jwt_claim_check/jwt_claim_check.lua |  7 +-
 t/apicast-policy-jwt-claim-check.t      | 81 +++++++++++++++++++
 2 files changed, 87 insertions(+), 1 deletion(-)

diff --git a/gateway/src/apicast/policy/jwt_claim_check/jwt_claim_check.lua b/gateway/src/apicast/policy/jwt_claim_check/jwt_claim_check.lua
index 859782e8c..0f95fdb3c 100644
--- a/gateway/src/apicast/policy/jwt_claim_check/jwt_claim_check.lua
+++ b/gateway/src/apicast/policy/jwt_claim_check/jwt_claim_check.lua
@@ -5,6 +5,7 @@ local Condition = require('apicast.conditions.condition')
 local MappingRule = require('apicast.mapping_rule')
 local Operation = require('apicast.conditions.operation')
 local TemplateString = require('apicast.template_string')
+local escape = require("resty.http.uri_escape")
 
 local ipairs = ipairs
 
@@ -58,6 +59,10 @@ end
 
 local function is_rule_denied_request(rule, context)
   local uri = context:get_uri()
+  -- URI need to be escaped to be able to match values with special characters
+  -- (like spaces)
+  -- Example: if URI is `/foo /bar` it will be translated to `/foo%20/bar`
+  local escaped_uri = escape.escape_uri(uri)
   local request_method = ngx.req.get_method()
   local resource = rule.resource:render(context)
 
@@ -71,7 +76,7 @@ local function is_rule_denied_request(rule, context)
         -- the name of the metric is irrelevant
         metric_system_name = 'hits'
       })
-      if mapping_rule:matches(request_method, uri) then
+      if mapping_rule:matches(request_method, escaped_uri) then
         mapping_rule_match = true
         break
       end
diff --git a/t/apicast-policy-jwt-claim-check.t b/t/apicast-policy-jwt-claim-check.t
index 7d4b0c8be..34773f03e 100644
--- a/t/apicast-policy-jwt-claim-check.t
+++ b/t/apicast-policy-jwt-claim-check.t
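Review bot: The correctness of `local escaped_uri = escape.escape_uri(uri)` in the second hunk depends on `context:get_uri()` returning the already-decoded URI (nginx's `$uri`); neither the call nor the new comment states that, and if a raw request URI such as `/groups/%2020` ever reached this path it would be escaped a second time and stop matching the rule. I would confirm the accessor's contract and record it, e.g. `-- context:get_uri() is the decoded URI, so re-escape it into the form the mapping-rule pattern is matched against (e.g. '/foo /bar' -> '/foo%20/bar')`, which also fixes the grammar of `-- URI need to be escaped`. Decode-then-escape is also not guaranteed to be a round trip: any character nginx decodes but `escape_uri` leaves unescaped ends up in a different form than the client sent, so whether a rule anchored with `$` still applies to such a request should be pinned by a test — I cannot see `escape_uri` from here, so this is to be checked rather than asserted. Since `is_rule_denied_request` is evaluated per rule, the escaping is repeated for every rule of the same request and could be computed once by the caller. The function's body continues past the third hunk.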
@@ -564,3 +564,84 @@ the URI is not longer valid at all, and JWT is not expected to work correctly.
 ["yay, api backend\n","Request blocked due to JWT claim policy\n"]
 --- no_error_log
 [error]
+
+
+
+=== TEST 8: JWT claim reject request with invalid token and URI contain special characters
+--- backend
+  location /transactions/oauth_authrep.xml {
+    content_by_lua_block {
+      ngx.exit(200)
+    }
+  }
+
+--- configuration
+{
+  "oidc": [
+    {
+      "issuer": "https://example.com/auth/realms/apicast",
+      "config": { "id_token_signing_alg_values_supported": [ "RS256" ] },
+      "keys": { "somekid": { "pem": "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALClz96cDQ965ENYMfZzG+Acu25lpx2K\nNpAALBQ+catCA59us7+uLY5rjQR6SOgZpCz5PJiKNAdRPDJMXSmXqM0CAwEAAQ==\n-----END PUBLIC KEY-----", "alg": "RS256" } }
+    }
+  ],
+  "services": [
+    {
+      "id": 42,
+      "backend_version": "oauth",
+      "backend_authentication_type": "service_token",
+      "backend_authentication_value": "token-value",
+      "proxy": {
+        "authentication_method": "oidc",
+        "oidc_issuer_endpoint": "https://example.com/auth/realms/apicast",
+        "api_backend": "http://test:$TEST_NGINX_SERVER_PORT/",
+        "proxy_rules": [
+          { "pattern": "/groups/{groupID}$", "http_method": "GET", "metric_system_name": "hits", "delta": 1 }
+        ],
+        "policy_chain": [
+          {
+            "name": "apicast.policy.jwt_claim_check",
+            "configuration": {
+              "rules" : [{
+                "operations": [
+                  {"op": "==", "jwt_claim": "foo", "jwt_claim_type": "plain", "value": "1"}
+                ],
+                "combine_op": "and",
+                "methods": ["GET"],
+                "resource": "/groups/{groupdID}$"
+              }]
+            }
+          },
+          { "name": "apicast.policy.apicast" }
+        ]
+      }
+    }
+  ]
+}
+--- upstream
+  location /groups {
+    content_by_lua_block {
+      ngx.say('yay, api backend');
+    }
+  }
+--- request eval
+[
+  "GET /groups/%2020",
+  "GET /groups/%2020%0A30"
+]
+--- more_headers eval
+::authorization_bearer_jwt('audience', {
+  realm_access => {
+    roles => [ 'director' ]
+  },
+  foo => "invalid",
+}, 'somekid')
+--- error_code eval
+[403, 403]
+--- response_body eval
+[
+  "Request blocked due to JWT claim policy\x{0a}",
+  "Request blocked due to JWT claim policy\x{0a}"
+]
+--- no_error_log
+[error]
+

From 5f07f78740c8070daff7af01dcd8708270c7d876 Mon Sep 17 00:00:00 2001
From: An Tran
Date: Tue, 28 Nov 2023 12:55:09 +1000
Subject: [PATCH 2/2] Update CHANGELOG

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2009063e0..1c9535be1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 - Fixed token instrospection field removed [PR #1438](https://github.com/3scale/APIcast/pull/1438) [THREESCALE-10591](https://issues.redhat.com/browse/THREESCALE-10591)
 
+- Fixed issue with URL was not correctly escaped when using the JWT claim check policy [THREESCALE-10308](https://issues.redhat.com/browse/THREESCALE-10308) [PR #1428](https://github.com/3scale/APIcast/pull/1428)
+
 ### Added
 
 - Detect number of CPU shares when running on Cgroups V2 [PR #1410](https://github.com/3scale/apicast/pull/1410) [THREESCALE-10167](https://issues.redhat.com/browse/THREESCALE-10167)
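Review bot: The rule's `"resource": "/groups/{groupdID}$"` in TEST 8 does not agree with the proxy rule's `{groupID}`; if the braces are a wildcard placeholder the name is irrelevant and the test passes anyway, but the spelling reads like a typo and should be `"resource": "/groups/{groupID}$"` so a reader does not have to work out whether the 403 is reached for the intended reason. The test covers only the denied branch (`foo => "invalid"` with both requests expecting 403); a third request carrying a claim that satisfies the rule (`foo => "1"`) and expecting `yay, api backend` would show that the re-escaped URI selects the rule without breaking the pass-through case for the same special characters. Both requests exercise `%20`/`%0A`, so the behaviour for characters that nginx decodes but the escaper may leave in place, which the Lua change relies on, is not pinned here.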