Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-6410

JWT Claim Check Policy does not work with APIaaP Backend

    XMLWordPrintable

Details

    • No
    • +

    Description

      The JWT Claim Check Policy check does not work when an API backend is connected to the Product using a path other than the default path ("/") for e.g. "/test". In this case, a routing policy is automatically generated and attached to the policy chain before APIcast . If the API backend is

      • accessed using a mapping rule GET "/test/"
      • A JWT claim check policy is used to protect the resource path "/test"

      The resulting policy chain would be as follows.

          "policy_chain": [
            {
              "name": "routing",
              "version": "builtin",
              "enabled": true,
              "configuration": {
                "rules": [
                  {
                    "url": "https://echo-api.3scale.net:443",
                    "owner_id": 3,
                    "owner_type": "BackendApi",
                    "condition": {
                      "operations": [
                        {
                          "match": "path",
                          "op": "matches",
                          "value": "^(/test/.*|/test/?)"
                        }
                      ]
                    },
                    "replace_path": "{{uri | remove_first: '/test'}}"
                  }
                ]
              }
            },
            {
              "name": "apicast",
              "version": "builtin",
              "configuration": {}
            },
            {
              "name": "jwt_claim_check",
              "version": "builtin",
              "configuration": {
                "rules": [
                    ....
                    "resource": "/test"
                  }
                ],
                "error_message": "Access to resource blocked"
              }
            },
          ]
      

      Issue

      For an incoming request uri such as "/test/foo/bar", the resource path "/test" does not match. Hence the JWT claim check policy is not enforced for this resource.

      Update:
      The JWT claim check policy, is not working to block a certain resource when APIaaP is enabled (when a routing policy is placed before the claim-check in the policy chain).

      Our problem is that, with a routing policy on top of the chain, we are setting the uri to `/` here: https://github.com/3scale/APIcast/blob/3eac1272b66817dfcf2d7cfdc8ed779cf934caeb/gateway/src/apicast/policy/routing/upstream_selector.lua#L43

      With that variable set to "/", the resource will never match (this https://github.com/3scale/APIcast/blob/3eac1272b66817dfcf2d7cfdc8ed779cf934caeb/gateway/src/apicast/policy/jwt_claim_check/jwt_claim_check.lua#L74 will always return false), unless, in fact, we use exactly `/` as a resource.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              rhn-support-cvajjhal Chandrasekhar Vajjhala
              Eloy Coto Eloy Coto
              Eloy Coto Eloy Coto
              David Rajnoha David Rajnoha
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: