Created
July 24, 2023 15:53
-
-
Save shpwrck/9e3cf289cf8deb7af86911b3fe1bbab6 to your computer and use it in GitHub Desktop.
Path Based Regex with Gloo Platform
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: networking.gloo.solo.io/v2 | |
| kind: VirtualDestination | |
| metadata: | |
| name: ext-auth-service | |
| namespace: gloo-mesh-addons | |
| spec: | |
| ports: | |
| - number: 8083 | |
| protocol: GRPC | |
| services: | |
| - cluster: mgmt | |
| name: ext-auth-service | |
| namespace: gloo-mesh-addons | |
| --- | |
| # JWT Policy | |
| apiVersion: security.policy.gloo.solo.io/v2 | |
| kind: JWTPolicy | |
| metadata: | |
| name: jwt-policy | |
| namespace: httpbin | |
| spec: | |
| applyToRoutes: | |
| - route: | |
| labels: | |
| route: httpbin | |
| config: | |
| phase: | |
| preAuthz: {} | |
| providers: | |
| provider1: | |
| claimsToHeaders: | |
| - append: true | |
| claim: org | |
| header: x-org | |
| - append: true | |
| claim: email | |
| header: x-email | |
| issuer: https://localhost | |
| local: | |
| inline: |- | |
| -----BEGIN PUBLIC KEY----- | |
| MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJ63gUYg0G1aOY03DN8d | |
| emJIk8XeWcdycuJFQeGK6N+sdpt+p5Q6B61dirSkZcslTXBB9CL92j0Ez+2J4O0M | |
| +kUxvnGI58TNkwdzQJsRA2LW7TpaCOIHiQMLevm9vtGQy3imzC3g/oaN7FBj0D41 | |
| 0knKOfxzeK7MTN7Xi2zCh6QGnN6+SUw8dBr+s6JToAlhpHqZtvK4naTUUFdhKXMd | |
| EqALB+n13YBekex/gGVr3FZnLliuU7HHs1tASQjhIZcMG22gbKT/ta9lm7ivEAXF | |
| 5qEft4XzVPjbqs2wyluPf8j5BU17Dvc8VIU/nSmcPqoawWi49gD89Q7dJZiK149w | |
| dQIDAQAB | |
| -----END PUBLIC KEY----- | |
| tokenSource: | |
| headers: | |
| - name: X-Auth | |
| prefix: 'Bearer ' | |
| queryParams: | |
| - auth_token | |
| --- | |
| # OPA Policy | |
| apiVersion: v1 | |
| kind: ConfigMap | |
| metadata: | |
| name: regex | |
| namespace: httpbin | |
| data: | |
| policy.rego: |- | |
| package test | |
| default allow = false | |
| allow { | |
| # Make sure the JWT is from Solo | |
| [_, payload, _] := io.jwt.decode(replace(input.http_request.headers["x-auth"],"Bearer ", "")) | |
| payload["org"] == "solo-io" | |
| # Make sure the path is a given regex | |
| # Regexp Syntax: https://github.com/google/re2/wiki/Syntax | |
| regex.match("^/anything/a/[0-9]+/b/[0-9]+$",input.http_request.path) | |
| } | |
| --- | |
| # Server Configuration | |
| apiVersion: admin.gloo.solo.io/v2 | |
| kind: ExtAuthServer | |
| metadata: | |
| name: ext-auth-server | |
| namespace: httpbin | |
| spec: | |
| destinationServer: | |
| kind: VIRTUAL_DESTINATION | |
| ref: | |
| name: ext-auth-service | |
| namespace: gloo-mesh-addons | |
| cluster: mgmt | |
| --- | |
| # Policy Configuration | |
| apiVersion: security.policy.gloo.solo.io/v2 | |
| kind: ExtAuthPolicy | |
| metadata: | |
| name: httpbin-regex | |
| namespace: httpbin | |
| spec: | |
| applyToRoutes: | |
| - route: | |
| labels: | |
| extauth: regex | |
| config: | |
| server: | |
| name: ext-auth-server | |
| namespace: httpbin | |
| cluster: mgmt | |
| glooAuth: | |
| configs: | |
| - opaAuth: | |
| modules: | |
| - name: regex | |
| namespace: httpbin | |
| query: "data.test.allow == true" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment