Use rbac instead of lua filter for basic auth
thebengeu committed Dec 4, 2023
1 parent 6ed5a11 commit 722a8d5
Showing 3 changed files with 42 additions and 25 deletions.
12 changes: 0 additions & 12 deletions ansible/files/envoy_config/basic_auth.lua

This file was deleted.

53 changes: 40 additions & 13 deletions ansible/files/envoy_config/lds.yaml
Expand Up @@ -6,7 +6,7 @@ resources:
address: 0.0.0.0
port_value: 80
filter_chains:
- filters: &ref_2
- filters: &ref_1
- name: envoy.filters.network.http_connection_manager
typed_config:
'@type': >-
Expand Down Expand Up @@ -107,8 +107,6 @@ resources:
'@type': >-
type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
source_codes:
basic_auth:
filename: /etc/envoy/basic_auth.lua
remove_apikey_query_parameter:
filename: /etc/envoy/remove_apikey_query_parameter.lua
- name: envoy.filters.http.router
Expand All @@ -118,6 +116,26 @@ resources:
dynamic_stats: false
local_reply_config:
mappers:
- filter:
and_filter:
filters:
- status_code_filter:
comparison:
value:
default_value: 403
runtime_key: unused
- header_filter:
header:
name: ':path'
string_match:
prefix: /customer/v1/privileged/
status_code: 401
body:
inline_string: Unauthorized
headers_to_add:
- header:
key: WWW-Authenticate
value: Basic realm="Unknown"
- filter:
and_filter:
filters:
Expand Down Expand Up @@ -166,7 +184,7 @@ resources:
body:
inline_string: Healthy
typed_per_filter_config: &ref_0
envoy.filters.http.rbac: &ref_1
envoy.filters.http.rbac:
'@type': >-
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
- match:
Expand Down Expand Up @@ -255,15 +273,23 @@ resources:
cluster: admin_api
prefix_rewrite: /privileged/
typed_per_filter_config:
envoy.filters.http.lua:
envoy.filters.http.rbac:
'@type': >-
type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
name: basic_auth
envoy.filters.http.rbac: *ref_1
metadata:
filter_metadata:
envoy.filters.http.lua:
credentials: c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
rbac:
rules:
action: DENY
policies:
basic_auth:
permissions:
- any: true
principals:
- header:
name: authorization
invert_match: true
string_match:
exact: Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
treat_missing_header_as_empty: true
- match:
prefix: /metrics/aggregated
route:
Expand Down Expand Up @@ -293,7 +319,7 @@ resources:
address: 0.0.0.0
port_value: 443
filter_chains:
- filters: *ref_2
- filters: *ref_1
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
Expand All @@ -305,3 +331,4 @@ resources:
filename: /etc/kong/fullChain.pem
private_key:
filename: /etc/kong/privKey.pem
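Review bot: The new RBACPerRoute on the `/privileged/` route grants access only when the `Authorization` header equals the configured string byte-for-byte (`string_match: exact` under `principals`), and the literal it compares against, `Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5`, is just base64 of the placeholder `service_role:service_key`; nothing in this file says it must be rewritten before the config is loaded, and I can only see the all-in-one script doing that, not the ansible deployment this file lives under. I would add above `basic_auth:` in the policy: `# DENY unless Authorization is exactly "Basic base64(service_role:<SERVICE_ROLE_KEY>)"; the literal below is a placeholder that must be substituted at deploy time.` Note that the exact match also rejects a lowercase scheme (`basic …`, legal per RFC 7235) and any extra whitespace, which fails closed and is fine, but the comment should say the strictness is intentional so it is not later loosened to a prefix match on the secret. Separately, the new `local_reply_config` mapper rewrites every locally generated 403 whose `:path` starts with `/customer/v1/privileged/` into a 401 with `WWW-Authenticate`, not only denials from this policy; with a single policy on the route that is harmless today, but worth a one-line comment on the mapper. Since the anchors look tool-generated (`&ref_0`, `&ref_1`), confirm the pipeline preserves YAML comments before relying on them.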

2 changes: 2 additions & 0 deletions docker/all-in-one/init/configure-envoy.sh
Expand Up @@ -29,9 +29,11 @@ if [ -f "${INIT_PAYLOAD_PATH:-}" ]; then
fi

# Inject project specific configuration
# "c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5" is base64-encoded "service_role:service_key".
sed -i -e "s|anon_key|$ANON_KEY|g" \
-e "s|service_key|$SERVICE_ROLE_KEY|g" \
-e "s|supabase_admin_key|$ADMIN_API_KEY|g" \
-e "s|c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5|$(echo -n "service_role:$SERVICE_ROLE_KEY" | base64 --wrap 0)|g" \
"$ENVOY_LDS_CONF"

# Update Envoy ports
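Review bot: The added sed expression splices `$(echo -n "service_role:$SERVICE_ROLE_KEY" | base64 --wrap 0)` straight into the replacement, so if `base64` is absent or does not accept `--wrap` (BusyBox spells it `-w`), the substitution expands to an empty string, the error goes only to stderr, and the placeholder is silently replaced by nothing; no `set -e`/`pipefail` is visible in this hunk to catch that. I would compute the value first and refuse to continue if it is empty, e.g. `B64_CREDS="$(printf '%s' "service_role:$SERVICE_ROLE_KEY" | base64 --wrap 0)"`, then `[ -n "$B64_CREDS" ] || { echo "failed to encode service_role credentials" >&2; exit 1; }`, and use `-e "s|c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5|$B64_CREDS|g" \` in the sed call (`printf` also avoids `echo -n` portability differences). That check does not catch an empty `SERVICE_ROLE_KEY`, which would encode to a valid but useless `service_role:` credential; if the script does not already validate the variable earlier, add `[ -n "$SERVICE_ROLE_KEY" ]` alongside it. The unescaped interpolation is safe here only because the base64 alphabet (`A-Z a-z 0-9 + / =`) contains none of sed's `|`, `&` or `\`; a short comment saying so would stop someone from switching the delimiter to `/` later.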
