Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2534

Reject invalid jwks and add integration test for jwt rules

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Done
    • None
    • maistra-2.0.7
    • None
    • None

    Description

      From rhn-support-ssadhale (In support email)

      IHAC who is facing issues when configuring jwksURI in
      RequestAuthentication resource for HTTPS URIs.

      Error:

      2021-07-22T13:56:57.275247Z     warning envoy
      config  [external/envoy/source/common/config/grpc_subscription_impl.cc:101]
      gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected:
      Error adding/updating listener(s) virtualInbound: Proto constraint
      validation failed (JwtAuthenticationValidationError.Providers[key]:
      ["embedded message failed validation"] | caused by
      JwtProviderValidationError.LocalJwks: ["embedded message failed
      validation"] | caused by DataSourceValidationError.InlineString:
      ["value length must be at least " '\x01' " bytes"]): providers {

      I have researched and I found out that the issue was also raised upstream
      <https://github.com/istio/istio/issues/24629> and the PR
      <https://github.com/istio/istio/pull/25934/files> also seems to have been
      released for the istio master branch and 1.6 branch as well.

      Comparing the code with our maistra 2.0 branch it does not seem to be
      present but the 2.1 branch has it.

      References:
      1) Maistra GH 2.0
      <https://github.com/maistra/istio/blob/maistra-2.0/pilot/pkg/security/authn/v1beta1/policy_applier.go>

      2) Maistra GH 2.1
      <https://github.com/maistra/istio/blob/maistra-2.1/pilot/pkg/security/authn/v1beta1/policy_applier.go>

      Should we be creating a backport for this issue ?

      Attachments

        Issue Links

          Activity

            People

              shaansar Shamsher Ansari (Inactive)
              shaansar Shamsher Ansari (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: