task for copy claim to header (#12427)

* task for copy claim to header

* updateed outtput

* resolved pr comments

content/en/docs/tasks/security/authentication/claim-to-header/index.md

@@ -0,0 +1,111 @@
+---
+title: Copy JWT Claims to HTTP Headers
+description: Shows how users can copy their jWT claims to http headers.
+weight: 30
+keywords: [security,authentication,JWT,claim]
+aliases:
+    - /docs/tasks/security/istio-auth.html
+    - /docs/tasks/security/authn-policy/
+owner: istio/wg-security-maintainers
+test: yes
+status: Experimental
+---
+This task shows you how to copy valid JWT claims to http headers after JWT authentication is successfully completed via Istio request authentication policy.
+
+{{< warning >}}
+Only claims of type string, boolean, and integer are supported. Array type claims are not supported at this time.
+{{< /warning >}}
+
+{{< boilerplate experimental-feature-warning >}}
+
+## Before you begin
+
+Before you begin this task, do the following:
+
+* Familiarize yourself with [Istio end user authentication](/docs/tasks/security/authentication/authn-policy/#end-user-authentication) support.
+
+* Install Istio using [Istio installation guide](/docs/setup/install/istioctl/).
+
+* Deploy `httpbin` and `sleep` workloads in namespace `foo` with sidecar injection enabled.
+Deploy the example namespace and workloads using these commands:
+
+    {{< text bash >}}
+    $ kubectl create ns foo
+    $ kubectl label namespace foo istio-injection=enabled
+    $ kubectl apply -f @samples/httpbin/httpbin.yaml@ -n foo
+    $ kubectl apply -f @samples/sleep/sleep.yaml@ -n foo
+    {{< /text >}}
+
+* Verify that `sleep` successfully communicates with `httpbin` using this command:
+
+    {{< text bash >}}
+    $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
+    200
+    {{< /text >}}
+
+{{< warning >}}
+If you don’t see the expected output, retry after a few seconds.
+Caching and propagation can cause a delay.
+{{< /warning >}}
+
+## Allow requests with valid JWT and list-typed claims
+
+1. The following command creates the `jwt-example` request authentication policy
+for the `httpbin` workload in the `foo` namespace. This policy
+accepts a JWT issued by `testing@secure.istio.io` and copies the value of claim `foo` to an http header `X-Jwt-Claim-Foo`:
+
+    {{< text bash >}}
+    $ kubectl apply -f - <<EOF
+    apiVersion: security.istio.io/v1beta1
+    kind: RequestAuthentication
+    metadata:
+      name: "jwt-example"
+      namespace: foo
+    spec:
+      selector:
+        matchLabels:
+          app: httpbin
+      jwtRules:
+      - issuer: "testing@secure.istio.io"
+        jwksUri: "{{< github_file >}}/security/tools/jwt/samples/jwks.json"
+        outputClaimToHeaders:
+        - header: "x-jwt-claim-foo"
+          claim: "foo"
+    EOF
+    {{< /text >}}
+
+1. Verify that a request with an invalid JWT is denied:
+
+    {{< text bash >}}
+    $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer invalidToken" -w "%{http_code}\n"
+    401
+    {{< /text >}}
+
+1. Get the JWT which is issued by `testing@secure.istio.io` and has a claim with key `foo`.
+
+    {{< text syntax="bash" expandlinks="false" >}}
+    $ TOKEN=$(curl {{< github_file >}}/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
+    {"exp":4685989700,"foo":"bar","iat":1532389700,"iss":"testing@secure.istio.io","sub":"testing@secure.istio.io"}
+    {{< /text >}}
+
+1. Verify that a request with a valid JWT is allowed:
+
+    {{< text bash >}}
+    $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n"
+    200
+    {{< /text >}}
+
+1. Verify that a request contains a valid http header with JWT claim value:
+
+    {{< text bash >}}
+    $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -H "Authorization: Bearer $TOKEN" | grep "X-Jwt-Claim-Foo" | sed -e 's/^[ \t]*//'
+    "X-Jwt-Claim-Foo": "bar"
+    {{< /text >}}
+
+## Clean up
+
+1. Remove the namespace `foo`:
+
+    {{< text bash >}}
+    $ kubectl delete namespace foo
+    {{< /text >}}

content/en/docs/tasks/security/authentication/claim-to-header/snips.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# shellcheck disable=SC2034,SC2153,SC2155,SC2164
+
+# Copyright Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+####################################################################################################
+# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
+#          docs/tasks/security/authentication/claim-to-header/index.md
+####################################################################################################
+
+snip_before_you_begin_1() {
+kubectl create ns foo
+kubectl label namespace foo istio-injection=enabled
+kubectl apply -f samples/httpbin/httpbin.yaml -n foo
+kubectl apply -f samples/sleep/sleep.yaml -n foo
+}
+
+snip_before_you_begin_2() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
+}
+
+! read -r -d '' snip_before_you_begin_2_out <<\ENDSNIP
+200
+ENDSNIP
+
+snip_allow_requests_with_valid_jwt_and_listtyped_claims_1() {
+kubectl apply -f - <<EOF
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: "jwt-example"
+  namespace: foo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  jwtRules:
+  - issuer: "testing@secure.istio.io"
+    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
+    outputClaimToHeaders:
+    - header: "x-jwt-claim-foo"
+      claim: "foo"
+EOF
+}
+
+snip_allow_requests_with_valid_jwt_and_listtyped_claims_2() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer invalidToken" -w "%{http_code}\n"
+}
+
+! read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_2_out <<\ENDSNIP
+401
+ENDSNIP
+
+snip_allow_requests_with_valid_jwt_and_listtyped_claims_3() {
+TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
+}
+
+! read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_3_out <<\ENDSNIP
+{"exp":4685989700,"foo":"bar","iat":1532389700,"iss":"testing@secure.istio.io","sub":"testing@secure.istio.io"}
+ENDSNIP
+
+snip_allow_requests_with_valid_jwt_and_listtyped_claims_4() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n"
+}
+
+! read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_4_out <<\ENDSNIP
+200
+ENDSNIP
+
+snip_allow_requests_with_valid_jwt_and_listtyped_claims_5() {
+kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -H "Authorization: Bearer $TOKEN" | grep "X-Jwt-Claim-Foo" | sed -e 's/^[ \t]*//'
+}
+
+! read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_5_out <<\ENDSNIP
+"X-Jwt-Claim-Foo": "bar"
+ENDSNIP
+
+snip_clean_up_1() {
+kubectl delete namespace foo
+}

content/en/docs/tasks/security/authentication/claim-to-header/test.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+ 
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+ 
+set -e
+set -u
+set -o pipefail
+ 
+# @setup profile=default
+ 
+# Set retries to a higher value because config update is slow.
+export VERIFY_TIMEOUT=300
+ 
+snip_before_you_begin_1
+ 
+_wait_for_deployment foo httpbin
+_wait_for_deployment foo sleep
+ 
+# Pull the Istio branch from the docs configuration file.
+ISTIO_BRANCH=$(yq '.source_branch_name' "${REPO_ROOT}"/data/args.yml)
+ 
+TOKEN_URL="https://raw.githubusercontent.com/istio/istio/${ISTIO_BRANCH}/security/tools/jwt/samples/demo.jwt"
+ 
+export TOKEN
+export TOKEN_GROUP
+ 
+_verify_same  snip_before_you_begin_2 "$snip_before_you_begin_2_out"
+ 
+snip_allow_requests_with_valid_jwt_and_listtyped_claims_1
+_wait_for_istio requestauthentication foo jwt-example
+ 
+_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_2 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_2_out"
+ 
+_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_3 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_3_out"
+
+TOKEN=$(curl "${TOKEN_URL}" -s)
+ 
+_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_4 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_4_out"
+ 
+_verify_same snip_allow_requests_with_valid_jwt_and_listtyped_claims_5 "$snip_allow_requests_with_valid_jwt_and_listtyped_claims_5_out"
+ 
+# @cleanup
+snip_clean_up_1