From 0ad71b5e7836df8c0453658919ca2498aba62f53 Mon Sep 17 00:00:00 2001 From: longwuliang Date: Tue, 12 Mar 2024 12:42:53 +0800 Subject: [PATCH] support specify jwt requirement --- kubernetes/customresourcedefinitions.gen.yaml | 20 +++ releasenotes/notes/2733.yaml | 9 ++ security/v1/jwt.pb.go | 134 +++++++++++++---- security/v1/jwt.proto | 27 +++- security/v1beta1/jwt.pb.go | 135 ++++++++++++++---- security/v1beta1/jwt.pb.html | 55 ++++++- security/v1beta1/jwt.proto | 27 +++- 7 files changed, 354 insertions(+), 53 deletions(-) create mode 100644 releasenotes/notes/2733.yaml diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index fae0c2b7dac..74b7b721d21 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -8175,6 +8175,16 @@ spec: items: type: string type: array + failureMode: + description: |- + This field specifies a Jwt requirement. + + Valid Options: PERMISSIVE, IGNORE, STRICT + enum: + - PERMISSIVE + - IGNORE + - STRICT + type: string forwardOriginalToken: description: If set to true, the original token will be kept for the upstream request. @@ -8299,6 +8309,16 @@ spec: items: type: string type: array + failureMode: + description: |- + This field specifies a Jwt requirement. + + Valid Options: PERMISSIVE, IGNORE, STRICT + enum: + - PERMISSIVE + - IGNORE + - STRICT + type: string forwardOriginalToken: description: If set to true, the original token will be kept for the upstream request. diff --git a/releasenotes/notes/2733.yaml b/releasenotes/notes/2733.yaml new file mode 100644 index 00000000000..80342b7d71b --- /dev/null +++ b/releasenotes/notes/2733.yaml 
@@ -0,0 +1,9 @@
+apiVersion: release-notes/v2
+kind: feature
+area: security
+issue:
+ - https://github.com/istio/istio/issues/43982
+
+releaseNotes:
+ - |
+ **Added** a `failure_mode` field to specify a Jwt requirement. This is optional, the default value is `PERMISSIVE`.
\ No newline at end of file
diff --git a/security/v1/jwt.pb.go b/security/v1/jwt.pb.go
index 7028fb898fd..3d80a2742f8 100644
--- a/security/v1/jwt.pb.go
+++ b/security/v1/jwt.pb.go
@@ -43,6 +43,60 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// FailureMode specifies a Jwt requirement. +type JWTRule_FailureMode int32 + +const ( + // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. + // This is the default behavior. + JWTRule_PERMISSIVE JWTRule_FailureMode = 0 + // The requirement is always satisfied even if JWT is missing or the JWT verification fails. + JWTRule_IGNORE JWTRule_FailureMode = 1 + // The requirement is satisfied only if JWT is presented and verification successful. + JWTRule_STRICT JWTRule_FailureMode = 2 +) + +// Enum value maps for JWTRule_FailureMode. +var ( + JWTRule_FailureMode_name = map[int32]string{ + 0: "PERMISSIVE", + 1: "IGNORE", + 2: "STRICT", + } + JWTRule_FailureMode_value = map[string]int32{ + "PERMISSIVE": 0, + "IGNORE": 1, + "STRICT": 2, + } +) + +func (x JWTRule_FailureMode) Enum() *JWTRule_FailureMode { + p := new(JWTRule_FailureMode) + *p = x + return p +} + +func (x JWTRule_FailureMode) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (JWTRule_FailureMode) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1_jwt_proto_enumTypes[0].Descriptor() +} + +func (JWTRule_FailureMode) Type() protoreflect.EnumType { + return &file_security_v1_jwt_proto_enumTypes[0] +} + +func (x JWTRule_FailureMode) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use JWTRule_FailureMode.Descriptor instead. +func (JWTRule_FailureMode) EnumDescriptor() ([]byte, []int) { + return file_security_v1_jwt_proto_rawDescGZIP(), []int{0, 0} +} + // 
@@ -75,6 +129,15 @@ const ( // fromHeaders: // - "x-goog-iap-jwt-assertion" // ``` +// +// The following example specifies that the JWT must be presented and verification successful. +// +// ```yaml +// - issuer: issuer-foo +// jwksUri: https://example.com/.well-known/jwks.json +// failureMode: STRICT +// +// ``` type JWTRule struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -188,6 +251,8 @@ type JWTRule struct { // The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, // will spend waiting for the JWKS to be fetched. Default is 5s. Timeout *duration.Duration `protobuf:"bytes,13,opt,name=timeout,proto3" json:"timeout,omitempty"` + // This field specifies a Jwt requirement. This is optional, the default value is `PERMISSIVE`. + FailureMode JWTRule_FailureMode `protobuf:"varint,14,opt,name=failure_mode,json=failureMode,proto3,enum=istio.security.v1.JWTRule_FailureMode" json:"failure_mode,omitempty"` } func (x *JWTRule) Reset() { @@ -299,6 +364,13 @@ func (x *JWTRule) GetTimeout() *duration.Duration { return nil } +func (x *JWTRule) GetFailureMode() JWTRule_FailureMode { + if x != nil { + return x.FailureMode + } + return JWTRule_PERMISSIVE +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState 
@@ -427,7 +499,7 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, - 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf5, 0x03, 0x0a, 0x07, + 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf7, 0x04, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 
@@ -459,17 +531,25 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, - 0x6f, 0x75, 0x74, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, - 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, - 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, - 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, - 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, - 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, - 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, - 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x33, + 0x6f, 0x75, 0x74, 0x12, 0x49, 0x0a, 0x0c, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x5f, 0x6d, + 0x6f, 0x64, 0x65, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, + 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x57, + 0x54, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, + 0x65, 0x52, 0x0b, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x22, 0x35, + 0x0a, 0x0b, 0x46, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0e, 0x0a, + 0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, 
0x53, 0x49, 0x56, 0x45, 0x10, 0x00, 0x12, 0x0a, 0x0a, + 0x06, 0x49, 0x47, 0x4e, 0x4f, 0x52, 0x45, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x54, 0x52, + 0x49, 0x43, 0x54, 0x10, 0x02, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, + 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, + 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, + 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, + 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, + 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -484,22 +564,25 @@ func file_security_v1_jwt_proto_rawDescGZIP() []byte { return file_security_v1_jwt_proto_rawDescData } +var file_security_v1_jwt_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_security_v1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1.ClaimToHeader - (*duration.Duration)(nil), // 3: google.protobuf.Duration + (JWTRule_FailureMode)(0), // 0: istio.security.v1.JWTRule.FailureMode + (*JWTRule)(nil), // 1: istio.security.v1.JWTRule + (*JWTHeader)(nil), // 2: istio.security.v1.JWTHeader + (*ClaimToHeader)(nil), // 3: istio.security.v1.ClaimToHeader + (*duration.Duration)(nil), // 4: google.protobuf.Duration } var file_security_v1_jwt_proto_depIdxs = []int32{ - 1, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader - 2, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader - 3, // 2: istio.security.v1.JWTRule.timeout:type_name -> google.protobuf.Duration - 3, // [3:3] is the sub-list for method output_type - 3, // [3:3] is the sub-list for method input_type - 3, // [3:3] is the sub-list for extension type_name - 3, // [3:3] is the sub-list for extension extendee - 0, // [0:3] is the sub-list for field type_name + 2, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader + 3, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader + 4, // 2: istio.security.v1.JWTRule.timeout:type_name -> google.protobuf.Duration + 0, // 3: istio.security.v1.JWTRule.failure_mode:type_name -> istio.security.v1.JWTRule.FailureMode + 4, // [4:4] is the sub-list for method output_type + 4, // [4:4] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, 
// [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name } func init() { file_security_v1_jwt_proto_init() } @@ -550,13 +633,14 @@ func file_security_v1_jwt_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1_jwt_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_security_v1_jwt_proto_goTypes, DependencyIndexes: file_security_v1_jwt_proto_depIdxs, + EnumInfos: file_security_v1_jwt_proto_enumTypes, MessageInfos: file_security_v1_jwt_proto_msgTypes, }.Build() File_security_v1_jwt_proto = out.File diff --git a/security/v1/jwt.proto b/security/v1/jwt.proto index 143b80631f8..9a46e7057ba 100644 --- a/security/v1/jwt.proto +++ b/security/v1/jwt.proto @@ -58,6 +58,15 @@ option go_package="istio.io/api/security/v1"; // fromHeaders: // - "x-goog-iap-jwt-assertion" // ``` +// +// The following example specifies that the JWT must be presented and verification successful. +// +// ```yaml +// - issuer: issuer-foo +// jwksUri: https://example.com/.well-known/jwks.json +// failureMode: STRICT +// ``` +// message JWTRule { // Identifies the issuer that issued the JWT. See // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) 
@@ -183,8 +192,24 @@ message JWTRule {
 // will spend waiting for the JWKS to be fetched. Default is 5s.
 google.protobuf.Duration timeout = 13;
 
+ // FailureMode specifies a Jwt requirement.
+ enum FailureMode {
+ // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid.
+ // This is the default behavior.
+ PERMISSIVE = 0;
+
+ // The requirement is always satisfied even if JWT is missing or the JWT verification fails.
+ IGNORE = 1;
+
+ // The requirement is satisfied only if JWT is presented and verification successful.
+ STRICT = 2;
+ }
+
+ // This field specifies a Jwt requirement. This is optional, the default value is `PERMISSIVE`.
+ FailureMode failure_mode = 14;
+
 // $hide_from_docs
- // Next available field number: 14
+ // Next available field number: 15
 }
 
 // This message specifies a header location to extract JWT token.
diff --git a/security/v1beta1/jwt.pb.go b/security/v1beta1/jwt.pb.go
index bee89c9e26e..a7ae69b27bd 100644
--- a/security/v1beta1/jwt.pb.go
+++ b/security/v1beta1/jwt.pb.go
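Review bot: The comments added for `enum FailureMode` and `failure_mode` ("FailureMode specifies a Jwt requirement." / "This field specifies a Jwt requirement.") do not say what the setting governs, and the `IGNORE` value leaves the security-relevant part unstated: whether a token that fails verification still contributes a request principal, populates `output_claim_to_headers`, or is forwarded upstream when `forwardOriginalToken` is set. Suggest `// FailureMode controls how a request is handled when the JWT is missing or fails verification.` on the enum, `// How a missing or invalid JWT is handled; see FailureMode. Optional, defaults to PERMISSIVE.` on the field, and a sentence on `IGNORE` stating what is done with claims from a token that failed verification (presumably nothing is extracted — confirm against the implementation before documenting it). The wording `must be presented and verification successful` in the example of the previous hunk and in the `STRICT` comment reads better as `must be present and successfully verified`. The same comments appear in the security/v1beta1/jwt.proto hunks; the .pb.go, CRD and .pb.html copies are generated from the .proto sources and should be regenerated rather than edited.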
@@ -42,6 +42,60 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// FailureMode specifies a Jwt requirement. +type JWTRule_FailureMode int32 + +const ( + // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. + // This is the default behavior. + JWTRule_PERMISSIVE JWTRule_FailureMode = 0 + // The requirement is always satisfied even if JWT is missing or the JWT verification fails. + JWTRule_IGNORE JWTRule_FailureMode = 1 + // The requirement is satisfied only if JWT is presented and verification successful. + JWTRule_STRICT JWTRule_FailureMode = 2 +) + +// Enum value maps for JWTRule_FailureMode. +var ( + JWTRule_FailureMode_name = map[int32]string{ + 0: "PERMISSIVE", + 1: "IGNORE", + 2: "STRICT", + } + JWTRule_FailureMode_value = map[string]int32{ + "PERMISSIVE": 0, + "IGNORE": 1, + "STRICT": 2, + } +) + +func (x JWTRule_FailureMode) Enum() *JWTRule_FailureMode { + p := new(JWTRule_FailureMode) + *p = x + return p +} + +func (x JWTRule_FailureMode) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (JWTRule_FailureMode) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1beta1_jwt_proto_enumTypes[0].Descriptor() +} + +func (JWTRule_FailureMode) Type() protoreflect.EnumType { + return &file_security_v1beta1_jwt_proto_enumTypes[0] +} + +func (x JWTRule_FailureMode) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use JWTRule_FailureMode.Descriptor instead. +func (JWTRule_FailureMode) EnumDescriptor() ([]byte, []int) { + return file_security_v1beta1_jwt_proto_rawDescGZIP(), []int{0, 0} +} + // 
@@ -74,6 +128,15 @@ const ( // fromHeaders: // - "x-goog-iap-jwt-assertion" // ``` +// +// The following example specifies that the JWT must be presented and verification successful. +// +// ```yaml +// - issuer: issuer-foo +// jwksUri: https://example.com/.well-known/jwks.json +// failureMode: STRICT +// +// ``` type JWTRule struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -187,6 +250,8 @@ type JWTRule struct { // The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, // will spend waiting for the JWKS to be fetched. Default is 5s. Timeout *duration.Duration `protobuf:"bytes,13,opt,name=timeout,proto3" json:"timeout,omitempty"` + // This field specifies a Jwt requirement. This is optional, the default value is `PERMISSIVE`. + FailureMode JWTRule_FailureMode `protobuf:"varint,14,opt,name=failure_mode,json=failureMode,proto3,enum=istio.security.v1beta1.JWTRule_FailureMode" json:"failure_mode,omitempty"` } func (x *JWTRule) Reset() { @@ -298,6 +363,13 @@ func (x *JWTRule) GetTimeout() *duration.Duration { return nil } +func (x *JWTRule) GetFailureMode() JWTRule_FailureMode { + if x != nil { + return x.FailureMode + } + return JWTRule_PERMISSIVE +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState 
@@ -427,7 +499,7 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xff, 0x03, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x86, 0x05, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 
@@ -459,17 +531,26 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x72, 0x73, 0x12, 0x33, 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, - 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x22, 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, - 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, - 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, - 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, - 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, - 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, - 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, - 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x12, 0x4e, 0x0a, 0x0c, 0x66, 0x61, 0x69, 0x6c, 0x75, + 0x72, 0x65, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, 0x2e, + 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, + 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x46, + 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x0b, 0x66, 0x61, 0x69, 0x6c, + 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x22, 0x35, 0x0a, 0x0b, 0x46, 0x61, 0x69, 
0x6c, 0x75, + 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0e, 0x0a, 0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, + 0x53, 0x49, 0x56, 0x45, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x49, 0x47, 0x4e, 0x4f, 0x52, 0x45, + 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x10, 0x02, 0x22, 0x3c, + 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, + 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, + 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, 0x69, + 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -484,22 +565,25 @@ func file_security_v1beta1_jwt_proto_rawDescGZIP() []byte { return file_security_v1beta1_jwt_proto_rawDescData } +var file_security_v1beta1_jwt_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_security_v1beta1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1beta1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1beta1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1beta1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1beta1.ClaimToHeader - (*duration.Duration)(nil), // 3: google.protobuf.Duration + (JWTRule_FailureMode)(0), // 0: istio.security.v1beta1.JWTRule.FailureMode + (*JWTRule)(nil), // 1: istio.security.v1beta1.JWTRule + (*JWTHeader)(nil), // 2: istio.security.v1beta1.JWTHeader + (*ClaimToHeader)(nil), // 3: istio.security.v1beta1.ClaimToHeader + (*duration.Duration)(nil), // 4: google.protobuf.Duration } var file_security_v1beta1_jwt_proto_depIdxs = []int32{ - 1, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader - 2, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader - 3, // 2: istio.security.v1beta1.JWTRule.timeout:type_name -> google.protobuf.Duration - 3, // [3:3] is the sub-list for method output_type - 3, // [3:3] is the sub-list for method input_type - 3, // [3:3] is the sub-list for extension type_name - 3, // [3:3] is the sub-list for extension extendee - 0, // [0:3] is the sub-list for field type_name + 2, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader + 3, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader + 4, // 2: istio.security.v1beta1.JWTRule.timeout:type_name -> google.protobuf.Duration + 0, // 3: istio.security.v1beta1.JWTRule.failure_mode:type_name -> istio.security.v1beta1.JWTRule.FailureMode + 4, // [4:4] is the sub-list for 
method output_type + 4, // [4:4] is the sub-list for method input_type + 4, // [4:4] is the sub-list for extension type_name + 4, // [4:4] is the sub-list for extension extendee + 0, // [0:4] is the sub-list for field type_name } func init() { file_security_v1beta1_jwt_proto_init() } @@ -550,13 +634,14 @@ func file_security_v1beta1_jwt_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1beta1_jwt_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_security_v1beta1_jwt_proto_goTypes, DependencyIndexes: file_security_v1beta1_jwt_proto_depIdxs, + EnumInfos: file_security_v1beta1_jwt_proto_enumTypes, MessageInfos: file_security_v1beta1_jwt_proto_msgTypes, }.Build() File_security_v1beta1_jwt_proto = out.File diff --git a/security/v1beta1/jwt.pb.html b/security/v1beta1/jwt.pb.html index 221fb8e4596..543274f7786 100644 --- a/security/v1beta1/jwt.pb.html +++ b/security/v1beta1/jwt.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.security.v1beta1.JWTRule aliases: [/docs/reference/config/security/v1beta1/jwt] -number_of_entries: 3 +number_of_entries: 4 ---

JWTRule

@@ -31,6 +31,11 @@

JWTRule

fromHeaders: - "x-goog-iap-jwt-assertion" +

The following example specifies that the JWT must be presented and verification successful.

+
- issuer: issuer-foo
+  jwksUri: https://example.com/.well-known/jwks.json
+  failureMode: STRICT
+
@@ -215,6 +220,17 @@

JWTRule

The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. Default is 5s.

+ + + + + + +
+No +
failureModeFailureMode +

This field specifies a Jwt requirement. This is optional, the default value is PERMISSIVE.

+
No @@ -304,3 +320,40 @@

ClaimToHeader

+

JWTRule.FailureMode

+
+

FailureMode specifies a Jwt requirement.

+ + + + + + + + + + + + + + + + + + + + + + +
NameDescription
PERMISSIVE +

The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid. +This is the default behavior.

+ +
IGNORE +

The requirement is always satisfied even if JWT is missing or the JWT verification fails.

+ +
STRICT +

The requirement is satisfied only if JWT is presented and verification successful.

+ +
+
diff --git a/security/v1beta1/jwt.proto b/security/v1beta1/jwt.proto
index 899d5939254..8a69f3b486a 100644
--- a/security/v1beta1/jwt.proto
+++ b/security/v1beta1/jwt.proto
@@ -57,6 +57,15 @@ option go_package="istio.io/api/security/v1beta1";
 // fromHeaders:
 // - "x-goog-iap-jwt-assertion"
 // ```
+//
+// The following example specifies that the JWT must be presented and verification successful.
+//
+// ```yaml
+// - issuer: issuer-foo
+// jwksUri: https://example.com/.well-known/jwks.json
+// failureMode: STRICT
+// ```
+//
 message JWTRule {
 // Identifies the issuer that issued the JWT. See
 // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
@@ -182,8 +191,24 @@ message JWTRule {
 // will spend waiting for the JWKS to be fetched. Default is 5s.
 google.protobuf.Duration timeout = 13;
 
+ // FailureMode specifies a Jwt requirement.
+ enum FailureMode {
+ // The requirement is satisfied if JWT is missing, but failed if JWT is presented but invalid.
+ // This is the default behavior.
+ PERMISSIVE = 0;
+
+ // The requirement is always satisfied even if JWT is missing or the JWT verification fails.
+ IGNORE = 1;
+
+ // The requirement is satisfied only if JWT is presented and verification successful.
+ STRICT = 2;
+ }
+
+ // This field specifies a Jwt requirement. This is optional, the default value is `PERMISSIVE`.
+ FailureMode failure_mode = 14;
+
 // $hide_from_docs
- // Next available field number: 14
+ // Next available field number: 15
 }
 
 // This message specifies a header location to extract JWT token.