From 89c843169eac14f87628353af6120959335b18b2 Mon Sep 17 00:00:00 2001
From: Beng Eu
Date: Mon, 4 Dec 2023 16:31:09 +0800
Subject: [PATCH] Use rbac instead of lua filter for basic auth
---
ansible/files/envoy_config/basic_auth.lua | 12 ------
ansible/files/envoy_config/lds.yaml | 52 +++++++++++++++++------
docker/all-in-one/init/configure-envoy.sh | 2 +
3 files changed, 41 insertions(+), 25 deletions(-)
delete mode 100644 ansible/files/envoy_config/basic_auth.lua
diff --git a/ansible/files/envoy_config/basic_auth.lua b/ansible/files/envoy_config/basic_auth.lua
deleted file mode 100644
index c1bf98f94..000000000
--- a/ansible/files/envoy_config/basic_auth.lua
+++ /dev/null
@@ -1,12 +0,0 @@
-function envoy_on_request(request_handle)
- local authorization = request_handle:headers():get("authorization")
-
- if authorization and authorization:find("^[Bb][Aa][Ss][Ii][Cc] " .. request_handle:metadata():get("credentials")) then
- return
- end
-
- request_handle:respond({
- [":status"] = "401",
- ["WWW-Authenticate"] = "Basic realm=\"Unknown\""
- }, "Unauthorized")
-end
diff --git a/ansible/files/envoy_config/lds.yaml b/ansible/files/envoy_config/lds.yaml
index 21a993911..7fc899cb2 100644
--- a/ansible/files/envoy_config/lds.yaml
+++ b/ansible/files/envoy_config/lds.yaml
@@ -6,7 +6,7 @@ resources:
address: 0.0.0.0
port_value: 80
filter_chains:
- - filters: &ref_2
+ - filters: &ref_1 - name: envoy.filters.network.http_connection_manager
typed_config:
'@type': >-
@@ -107,8 +107,6 @@ resources:
'@type': >-
type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
source_codes:
- basic_auth:
- filename: /etc/envoy/basic_auth.lua
remove_apikey_query_parameter:
filename: /etc/envoy/remove_apikey_query_parameter.lua - name: envoy.filters.http.router
@@ -118,6 +116,26 @@ resources:
dynamic_stats: false
local_reply_config:
mappers:
+ - filter:
+ and_filter:
+ filters:
+ - status_code_filter:
+ comparison:
+ value:
+ default_value: 403
+ runtime_key: unused
+ - header_filter:
+ header:
+ name: ':path'
+ string_match:
+ prefix: /customer/v1/privileged/
+ status_code: 401
+ body:
+ inline_string: Unauthorized
+ headers_to_add:
+ - header:
+ key: WWW-Authenticate
+ value: Basic realm="Unknown" - filter:
and_filter:
filters:
@@ -166,7 +184,7 @@ resources:
body:
inline_string: Healthy
typed_per_filter_config: &ref_0
- envoy.filters.http.rbac: &ref_1
+ envoy.filters.http.rbac:
'@type': >-
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute - match:
@@ -255,15 +273,22 @@ resources:
cluster: admin_api
prefix_rewrite: /privileged/
typed_per_filter_config:
- envoy.filters.http.lua:
+ envoy.filters.http.rbac:
'@type': >-
- type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
- name: basic_auth
- envoy.filters.http.rbac: *ref_1
- metadata:
- filter_metadata:
- envoy.filters.http.lua:
- credentials: c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
+ type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
+ rbac:
+ rules:
+ action: DENY
+ policies:
+ basic_auth:
+ permissions:
+ - any: true
+ principals:
+ - header:
+ name: authorization
+ invert_match: true
+ string_match:
+ exact: Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5 - match:
prefix: /metrics/aggregated
route:
@@ -293,7 +318,7 @@ resources:
address: 0.0.0.0
port_value: 443
filter_chains:
- - filters: *ref_2
+ - filters: *ref_1
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
@@ -305,3 +330,4 @@ resources:
filename: /etc/kong/fullChain.pem
private_key:
filename: /etc/kong/privKey.pem
+
diff --git a/docker/all-in-one/init/configure-envoy.sh b/docker/all-in-one/init/configure-envoy.sh
index 05d6084a9..7acbcef9d 100755
--- a/docker/all-in-one/init/configure-envoy.sh
+++ b/docker/all-in-one/init/configure-envoy.sh
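Review bot: The new local_reply mapper in the -118 hunk keys only on `default_value: 403` plus a `:path` prefix of `/customer/v1/privileged/`, so every 403 under that prefix — not just the one the `basic_auth` DENY policy produces — is rewritten into a 401 with a `WWW-Authenticate` challenge; whether other 403 sources exist on that route cannot be seen from this hunk, so please confirm that is acceptable. The mapper and the policy it serves are now ~150 lines apart with nothing linking them, so a comment above `- filter:` such as `# Turns the RBAC 403 from the basic_auth policy on /customer/v1/privileged/ into a 401 challenge` would keep the two halves from drifting apart. Note also that the `:path` prefix here and the route match must stay in sync by hand.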
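Review bot: In the -255 hunk the `exact: Basic c2Vy…` principal is case-sensitive on the scheme token, whereas the removed Lua check accepted `^[Bb][Aa][Ss][Ii][Cc] ` and RFC 7235 treats the auth-scheme as case-insensitive, so a client sending `basic …` is now denied; if that tolerance is meant to survive, add `ignore_case: true` under `string_match`. The same block also drops `envoy.filters.http.rbac: *ref_1`, and since a per-route RBAC config replaces rather than extends the rules that previously applied, whatever `&ref_1` carried (defined on the `&ref_0` route in the -166 hunk, outside this hunk) no longer applies to the `/privileged/` route — worth confirming that is intended rather than a lost check. The placeholder `c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5` must be rewritten on every path that renders lds.yaml; the docker init script is updated in this commit, but the ansible rendering is not visible here.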
@@ -29,9 +29,11 @@ if [ -f "${INIT_PAYLOAD_PATH:-}" ]; then
fi
# Inject project specific configuration
+# "c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5" is base64-encoded "service_role:service_key".
sed -i -e "s|anon_key|$ANON_KEY|g" \ -e "s|service_key|$SERVICE_ROLE_KEY|g" \ -e "s|supabase_admin_key|$ADMIN_API_KEY|g" \
+ -e "s|c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5|$(echo -n "service_role:$SERVICE_ROLE_KEY" | base64 --wrap 0)|g" \
"$ENVOY_LDS_CONF"
# Update Envoy ports
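Review bot: The added sed expression builds the accepted credential with `echo -n`, which is not portable across `sh` implementations (some emit `-n` literally), and a mis-encoded value would not fail loudly but silently lock the service-role client out; `$(printf '%s' "service_role:$SERVICE_ROLE_KEY" | base64 --wrap 0)` avoids that. If `SERVICE_ROLE_KEY` is empty or unset and the script does not run under `set -u` (not visible in this hunk), the substitution still succeeds and the config then accepts the predictable credential `service_role:` with an empty password, so a non-empty check before the `sed` is worth adding. `base64 --wrap 0` is a GNU coreutils long option, fine on the Debian/Ubuntu images this presumably targets but absent on BSD/macOS. The base64 alphabet contains none of sed's replacement specials or the `|` delimiter, so the substitution itself is safe.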