Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.11.0 GA
Affects Version/s: 2.9.1 GA
Component/s: Gateway
Labels:
- 2.11candidate1
- Support

Blocked:
False
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Doc Required:
No
QE Test Coverage:
+
Release Note Text:
Undefined
Target Release:

2.11.0 CR1

SFDC Cases Counter:
SFDC Cases Links:

Description

The JWT Claim Check Policy check does not work when an API backend is connected to the Product using a path other than the default path ("/") for e.g. "/test". In this case, a routing policy is automatically generated and attached to the policy chain before APIcast . If the API backend is

accessed using a mapping rule GET "/test/"
A JWT claim check policy is used to protect the resource path "/test"

The resulting policy chain would be as follows.

    "policy_chain": [
      {
        "name": "routing",
        "version": "builtin",
        "enabled": true,
        "configuration": {
          "rules": [
            {
              "url": "https://echo-api.3scale.net:443",
              "owner_id": 3,
              "owner_type": "BackendApi",
              "condition": {
                "operations": [
                  {
                    "match": "path",
                    "op": "matches",
                    "value": "^(/test/.*|/test/?)"
                  }
                ]
              },
              "replace_path": "{{uri | remove_first: '/test'}}"
            }
          ]
        }
      },
      {
        "name": "apicast",
        "version": "builtin",
        "configuration": {}
      },
      {
        "name": "jwt_claim_check",
        "version": "builtin",
        "configuration": {
          "rules": [
              ....
              "resource": "/test"
            }
          ],
          "error_message": "Access to resource blocked"
        }
      },
    ]

Issue

For an incoming request uri such as "/test/foo/bar", the resource path "/test" does not match. Hence the JWT claim check policy is not enforced for this resource.

Update:
The JWT claim check policy, is not working to block a certain resource when APIaaP is enabled (when a routing policy is placed before the claim-check in the policy chain).

Our problem is that, with a routing policy on top of the chain, we are setting the uri to `/` here: https://github.com/3scale/APIcast/blob/3eac1272b66817dfcf2d7cfdc8ed779cf934caeb/gateway/src/apicast/policy/routing/upstream_selector.lua#L43

With that variable set to "/", the resource will never match (this https://github.com/3scale/APIcast/blob/3eac1272b66817dfcf2d7cfdc8ed779cf934caeb/gateway/src/apicast/policy/jwt_claim_check/jwt_claim_check.lua#L74 will always return false), unless, in fact, we use exactly `/` as a resource.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

apicast-config-svc-drajnoha-jwt-jdt-sandbox-3.json
4 kB
2021/05/13 9:33 AM

Issue Links

is blocked by

THREESCALE-6428 Add APIaaP Routing policy just before APICast policy

Closed

relates to

THREESCALE-9510 Allow JWT Claim Check against query parameters

To Develop

Activity

People

Assignee:: Unassigned

Reporter:: Chandrasekhar Vajjhala (Inactive)

Documenter:: Eloy Coto (Inactive)

Tester:: David Rajnoha (Inactive)

Developer:: Eloy Coto (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2020/11/24 5:47 PM

Updated:: 2024/03/25 7:00 PM

Resolved:: 2021/10/21 1:06 PM