From 52658c57c31013efeb34329a6d42292254b6e560 Mon Sep 17 00:00:00 2001
From: Frank Budinsky
Date: Fri, 14 Jul 2023 15:58:43 -0400
Subject: [PATCH] JWT routing task fixes (#13570)
* JWT routing task fixes
* revert gtwapi
* fix test
* lint
* more lint
---
 .../docs/tasks/security/authentication/jwt-route/index.md | 6 +++---
 .../docs/tasks/security/authentication/jwt-route/snips.sh | 4 ++--
 .../en/docs/tasks/security/authentication/jwt-route/test.sh | 2 ++
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/content/en/docs/tasks/security/authentication/jwt-route/index.md b/content/en/docs/tasks/security/authentication/jwt-route/index.md
index c5e7c92c7f..c6c3c72f14 100644
--- a/content/en/docs/tasks/security/authentication/jwt-route/index.md
+++ b/content/en/docs/tasks/security/authentication/jwt-route/index.md
@@ -139,7 +139,7 @@ identity and more secure compared using the unauthenticated HTTP attributes (e.g
 1. Validate the ingress gateway routes the request with a valid JWT token that includes the claim `groups: group1`:
 {{< text syntax="bash" expandlinks="false" >}}
- $ TOKEN_GROUP=$(curl {{< github_file >}}/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode -
+ $ TOKEN_GROUP=$(curl {{< github_file >}}/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode
 {"exp":3537391104,"groups":["group1","group2"],"iat":1537391104,"iss":"testing@secure.istio.io","scope":["scope1","scope2"],"sub":"testing@secure.istio.io"}
 {{< /text >}}
@@ -151,8 +151,8 @@ identity and more secure compared using the unauthenticated HTTP attributes (e.g
 1. Validate the ingress gateway returns the HTTP code 404 with a valid JWT but does not include the claim `groups: group1`:
- {{< text syntax="bash" expandlinks="false" >}}
- $ TOKEN_NO_GROUP=$(curl {{< github_file >}}/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode -
+ {{< text syntax="bash" >}}
+ $ TOKEN_NO_GROUP=$(curl {{< github_file >}}/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode
 {"exp":4685989700,"foo":"bar","iat":1532389700,"iss":"testing@secure.istio.io","sub":"testing@secure.istio.io"}
 {{< /text >}}
diff --git a/content/en/docs/tasks/security/authentication/jwt-route/snips.sh b/content/en/docs/tasks/security/authentication/jwt-route/snips.sh
index 74499b6324..811167b47d 100644
--- a/content/en/docs/tasks/security/authentication/jwt-route/snips.sh
+++ b/content/en/docs/tasks/security/authentication/jwt-route/snips.sh
@@ -97,7 +97,7 @@ HTTP/1.1 401 Unauthorized
 ENDSNIP
 snip_validating_ingress_routing_based_on_jwt_claims_3() {
-TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode -
+TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode
 }
 ! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_3_out <<\ENDSNIP
@@ -114,7 +114,7 @@ HTTP/1.1 200 OK
 ENDSNIP
 snip_validating_ingress_routing_based_on_jwt_claims_5() {
-TOKEN_NO_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode -
+TOKEN_NO_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode
 }
 ! read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_5_out <<\ENDSNIP
diff --git a/content/en/docs/tasks/security/authentication/jwt-route/test.sh b/content/en/docs/tasks/security/authentication/jwt-route/test.sh
index 13f855f02c..92b792e789 100644
--- a/content/en/docs/tasks/security/authentication/jwt-route/test.sh
+++ b/content/en/docs/tasks/security/authentication/jwt-route/test.sh
@@ -43,11 +43,13 @@ _verify_elided snip_validating_ingress_routing_based_on_jwt_claims_2 "$snip_vali
 # Pull the Istio branch from the docs configuration file.
 ISTIO_BRANCH=$(yq '.source_branch_name' "${REPO_ROOT}"/data/args.yml)
+_verify_same snip_validating_ingress_routing_based_on_jwt_claims_3 "$snip_validating_ingress_routing_based_on_jwt_claims_3_out"
 TOKEN_GROUP_URL="https://raw.githubusercontent.com/istio/istio/${ISTIO_BRANCH}/security/tools/jwt/samples/groups-scope.jwt"
 export TOKEN_GROUP
 TOKEN_GROUP=$(curl "${TOKEN_GROUP_URL}" -s)
 _verify_elided snip_validating_ingress_routing_based_on_jwt_claims_4 "$snip_validating_ingress_routing_based_on_jwt_claims_4_out"
+_verify_same snip_validating_ingress_routing_based_on_jwt_claims_5 "$snip_validating_ingress_routing_based_on_jwt_claims_5_out"
 TOKEN_NO_GROUP_URL="https://raw.githubusercontent.com/istio/istio/${ISTIO_BRANCH}/security/tools/jwt/samples/demo.jwt"
 export TOKEN_NO_GROUP
 TOKEN_NO_GROUP=$(curl "${TOKEN_NO_GROUP_URL}" -s)
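Review bot: The two added `_verify_same` calls in test.sh compare a payload that snippets 3 and 5 fetch from the `master` URL hard-coded in snips.sh, while the token used for the requests that follow is fetched from `${ISTIO_BRANCH}`, so on a release branch the checked sample and the token in use can come from different refs. If that is intended, a comment above the first call would say so, for example `# snips 3 and 5 fetch the sample JWT from master; the token used for requests below comes from ${ISTIO_BRANCH}`. The snippets also feed an unpadded base64url JWT segment to `base64 --decode`, which decodes cleanly only when the payload length happens to be a multiple of three bytes and the encoding contains no `-` or `_`, so the exact-match check is likely to break if the sample tokens are ever regenerated with different claims. Both checks depend on a live fetch with `curl -s` and no `-f`, so an HTTP error body would be decoded and compared as if it were a token. The script continues outside this hunk, so any retry or failure handling there is not visible from here.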