# Istio EnvoyFilter that installs an inline Lua HTTP filter on the gateway listener.
# The Lua script below decodes (it does NOT verify) a JWT taken from the request
# header named in envoy_on_request and copies the token's string-valued claims into
# "JWTHeaderName-<claim>" request headers; numeric and boolean claims are skipped.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: jwt-lua-filter
spec:
# NOTE(review): the spec.filters / listenerMatch / filterConfig layout is the legacy
# EnvoyFilter schema; later Istio releases describe filters via spec.configPatches --
# confirm against the target Istio version before applying.
filters:
- listenerMatch:
listenerType: GATEWAY
filterName: envoy.lua
filterType: HTTP
filterConfig:
inlineCode: |
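-- Json Parsing based on https://gist.github.com/tylerneylon/59f4bcf316be525b30ab
-- Base64 decoding based on wikipedia description of 8/6bit encoding.
-- base64url alphabet (RFC 4648 section 5): the final two characters are '-' and '_'
-- instead of '+' and '/', as the JWT spec's 'Base64url Encoding' requires.
-- The 1-based index of a character in this string minus one is its 6-bit value.
local alpha='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
--- Render a 6-bit value as a six-character string of '0'/'1' (most significant first).
-- @param int an integer in 0..63 (numeric strings are accepted via tonumber)
-- @treturn string six characters, e.g. 5 -> '000101'
-- Raises an error for anything outside 0..63.  The previous bound (`> 64`) let 64
-- through, which does not fit in six bits and silently came out as '111111'.
function toBinaryString(int)
  local value = tonumber(int)
  if value == nil or value < 0 or value > 63 or value % 1 ~= 0 then
    error("Bad number " .. tostring(int) .. " to convert to binary")
  end
  local bits = {}
  local pow = 32 -- 2^5, the weight of the first of six bits
  for i = 1, 6 do
    if value >= pow then
      bits[i] = '1'
      value = value - pow
    else
      bits[i] = '0'
    end
    pow = pow / 2
  end
  return table.concat(bits)
end
--- Inverse of toBinaryString: parse a string of '0'/'1' characters as a binary number.
-- @tparam string bits
-- @treturn number|nil the value, or nil (tonumber's convention) if `bits` is not binary
function fromBinaryString(bits)
  return tonumber(bits, 2)
end
--- Decode an unpadded base64url string (one JWT segment) into raw bytes.
-- @tparam string encoded base64url text; '=' padding is not in the alphabet and is rejected
-- @treturn string the decoded bytes ('' for empty input)
-- Raises an error on any character outside the base64url alphabet.
-- The input is client-supplied, so the alphabet lookup uses a plain (non-pattern)
-- find: with pattern matching, characters such as '^', '$' or '.' would have
-- matched the alphabet and decoded silently instead of being rejected.
function decodeBase64(encoded)
  local sextets = {}
  for i = 1, #encoded do
    local ch = encoded:sub(i, i)
    local offset = alpha:find(ch, 1, true)
    if offset == nil then
      error("Bad base64 character " .. ch)
    end
    sextets[i] = toBinaryString(offset - 1)
  end
  local bitstr = table.concat(sextets)
  local bytes = {}
  -- Only complete octets are emitted.  For inputs whose length is not a multiple
  -- of 4 the trailing 2 or 4 leftover bits are base64 padding, not data; the
  -- previous loop turned them into a spurious trailing NUL byte.
  for i = 1, #bitstr - 7, 8 do
    bytes[#bytes + 1] = string.char(fromBinaryString(bitstr:sub(i, i + 7)))
  end
  return table.concat(bytes)
end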
-- json handling
-- Minimal JSON parser namespace: only json.parse (and the json.null sentinel) is
-- used by the rest of this script.  kind_of and escape_str below come from the
-- same gist's serializer and are not referenced anywhere in this file.
local json = {}
--- Classify a value for JSON output.
-- Non-tables yield their type() name.  A table whose keys are exactly 1..n
-- (n >= 1) yields 'array'; an empty table, or one with any other key, yields
-- 'table'.  Not called by the rest of this script.
local function kind_of(obj)
  local t = type(obj)
  if t ~= 'table' then return t end
  local expected = 1
  for _ in pairs(obj) do
    -- every key seen so far must be matched by a filled slot 1..expected
    if obj[expected] == nil then return 'table' end
    expected = expected + 1
  end
  return expected > 1 and 'array' or 'table'
end
--- Escape a Lua string for embedding inside a JSON string literal.
-- Backslash, double quote, slash and the five control characters
-- \b \f \n \r \t become their backslash escapes.  Not called by the rest
-- of this script.
local function escape_str(s)
  -- One pass with a table lookup; the backslash entry maps to a doubled
  -- backslash, and nothing produced here is matched again, so this equals
  -- the sequential replace-backslash-first approach.
  local escapes = {
    ['\\'] = '\\\\', ['"'] = '\\"', ['/'] = '\\/',
    ['\b'] = '\\b', ['\f'] = '\\f', ['\n'] = '\\n', ['\r'] = '\\r', ['\t'] = '\\t',
  }
  local escaped = s:gsub('[\\"/\b\f\n\r\t]', escapes)
  return escaped
end
--- Skip leading whitespace at `pos` and consume `delim` if it is next.
-- @tparam string str
-- @tparam number pos 1-based position to start at
-- @tparam string delim single character expected after the whitespace
-- @tparam boolean err_if_missing raise instead of returning false when absent
-- @treturn number,boolean position after the delimiter and true when found;
-- otherwise the position after the whitespace and false.
local function skip_delim(str, pos, delim, err_if_missing)
  local leading_ws = str:match('^%s*', pos)
  local at = pos + #leading_ws
  local found = str:sub(at, at) == delim
  if found then
    return at + 1, true
  end
  if err_if_missing then
    error('Expected ' .. delim .. ' near position ' .. at)
  end
  return at, false
end
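--- Parse the body of a JSON string.
-- @tparam string str the whole input
-- @tparam number pos index of the first character after the opening quote
-- @tparam string|nil val optional already-accumulated prefix (kept for callers
-- that pass one; the parser itself starts with '')
-- @treturn string,number the decoded value and the position after the closing quote
-- Raises 'End of input found while parsing string.' if the input ends before a
-- closing quote (including after a trailing backslash).
-- Escapes \b \f \n \r \t map to their control characters; any other escaped
-- character is taken literally (so \" \\ \/ work).  \uXXXX is NOT decoded: the
-- 'u' and hex digits are kept as plain text.
local function parse_str_val(str, pos, val)
  local esc_map = {b = '\b', f = '\f', n = '\n', r = '\r', t = '\t'}
  local early_end_error = 'End of input found while parsing string.'
  -- Pieces are collected in a table and joined once instead of concatenating
  -- one character at a time, which was quadratic in the string length.
  local pieces = {val or ''}
  while true do
    if pos > #str then error(early_end_error) end
    local c = str:sub(pos, pos)
    if c == '"' then
      return table.concat(pieces), pos + 1
    elseif c == '\\' then
      local nextc = str:sub(pos + 1, pos + 1)
      -- string.sub returns '' (never nil) past the end, so the old `not nextc`
      -- test could never fire; compare against the empty string instead.
      if nextc == '' then error(early_end_error) end
      pieces[#pieces + 1] = esc_map[nextc] or nextc
      pos = pos + 2
    else
      pieces[#pieces + 1] = c
      pos = pos + 1
    end
  end
end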
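--- Parse a JSON number starting exactly at `pos`.
-- @tparam string str the whole input
-- @tparam number pos index of the number's first character ('-' or a digit)
-- @treturn number,number the value and the position after its last character
-- Raises 'Error parsing number at position N.' when no number can be read;
-- previously a non-matching prefix (e.g. '-x') reached tonumber(nil) and
-- failed with an unrelated argument error instead.
local function parse_num_val(str, pos)
  local num_str = str:match('^-?%d+%.?%d*[eE]?[+-]?%d*', pos)
  local val = num_str and tonumber(num_str)
  if not val then error('Error parsing number at position ' .. pos .. '.') end
  return val, pos + #num_str
end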
json.null = {} -- one-off table to represent the null value.
--- Parse one JSON value from `str` starting at `pos` (default 1).
-- Returns the Lua value and the position just after it.  Objects become
-- tables keyed by the JSON key, arrays become sequences, and `null` becomes
-- the `json.null` sentinel table so it survives as a table member.
-- `end_delim` is set by the recursive object/array calls: when the next
-- non-space character equals it, `nil, pos + 1` signals the end of the
-- enclosing container.  Text after the parsed value is not examined.
-- Raises an error on malformed input.
function json.parse(str, pos, end_delim)
  pos = pos or 1
  if pos > #str then error('Reached unexpected end of input.') end
  pos = pos + #str:match('^%s*', pos) -- Skip whitespace.
  local first = str:sub(pos, pos)
  if first == '{' then -- Parse an object.
    local obj, delim_found = {}, true
    pos = pos + 1
    repeat
      local key
      key, pos = json.parse(str, pos, '}')
      if key == nil then return obj, pos end
      if not delim_found then error('Comma missing between object items.') end
      pos = skip_delim(str, pos, ':', true) -- true -> error if missing.
      obj[key], pos = json.parse(str, pos)
      pos, delim_found = skip_delim(str, pos, ',')
    until false
  elseif first == '[' then -- Parse an array.
    local arr, delim_found = {}, true
    pos = pos + 1
    repeat
      local item
      item, pos = json.parse(str, pos, ']')
      if item == nil then return arr, pos end
      if not delim_found then error('Comma missing between array items.') end
      arr[#arr + 1] = item
      pos, delim_found = skip_delim(str, pos, ',')
    until false
  elseif first == '"' then -- Parse a string.
    return parse_str_val(str, pos + 1)
  elseif first == '-' or first:match('%d') then -- Parse a number.
    return parse_num_val(str, pos)
  elseif first == end_delim then -- End of an object or array.
    return nil, pos + 1
  end
  -- Parse true, false, or null.
  local literals = {{'true', true}, {'false', false}, {'null', json.null}}
  for _, lit in ipairs(literals) do
    local lit_str, lit_val = lit[1], lit[2]
    local lit_end = pos + #lit_str - 1
    if str:sub(pos, lit_end) == lit_str then return lit_val, lit_end + 1 end
  end
  error('Invalid json syntax starting at position ' .. pos .. ': ' .. str:sub(pos, pos + 10))
end
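--- Split a compact-serialized JWT (header.payload[.signature]) and decode its
-- first two segments.
-- @tparam string jwt the raw token text as read from the request header
-- @treturn table {head = <decoded header table>, claims = <decoded payload table>}
-- Raises an error if fewer than two segments are present, if a segment contains
-- a character outside the base64url alphabet, or if a decoded segment is not
-- valid JSON.  The error text carries only the segment count, not token bytes.
-- NOTE(review): no signature check happens here -- the third segment is never
-- looked at -- so the returned claims are only as trustworthy as whatever
-- authenticated the token before this filter ran.  Confirm such a check exists
-- in the deployment.
function decode_jwt(jwt)
  local segments = {}
  -- Appending '.' lets the non-greedy capture pick up the final segment too.
  for segment in (jwt .. '.'):gmatch('(.-)%.') do
    segments[#segments + 1] = segment
  end
  if #segments < 2 then
    error('Malformed JWT: expected at least 2 dot-separated segments, found ' .. #segments)
  end
  -- All state is local: the previous version wrote i/result/head/claims as globals.
  local head = json.parse(decodeBase64(segments[1]))
  local claims = json.parse(decodeBase64(segments[2]))
  return {head = head, claims = claims}
end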
--- Emit one claim as a request header.
-- @param k the claim key: a string for object members, a number for array members
-- @tparam string v the claim value
-- @tparam string prefix header-name prefix accumulated by the caller
-- @param headers the Envoy header map (must support headers:add(name, value))
-- Array members (numeric k) are added under the bare prefix, so several array
-- values go in under the same header name; object members get "<prefix>-<k>".
function add_header(k,v,prefix,headers)
  local name = prefix
  if type(k) ~= "number" then
    name = prefix .. "-" .. k
  end
  headers:add(name, v)
end
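--- Walk a decoded claims table and add its string leaves as request headers.
-- @tparam table tbl claims (or a nested object/array) as produced by json.parse
-- @tparam string prefix header-name prefix; nested keys are appended as "-<key>"
-- @param headers the Envoy header map passed through to add_header
-- Only string values produce headers.  Tables recurse with the key appended to
-- the prefix (array members use their numeric index, e.g. "prefix-roles-1").
-- Numbers and booleans (e.g. exp, iat) are skipped; a JSON null decodes to the
-- empty json.null table and therefore adds nothing.
-- NOTE(review): keys come straight from the client-supplied token and are used
-- verbatim as header-name fragments; nothing here rejects characters that are
-- not valid in a header name -- confirm how headers:add treats them.
function add_table_as_headers(tbl, prefix, headers)
  -- The parameter was previously named `table`, shadowing the standard library.
  for k, v in pairs(tbl) do
    local vtype = type(v)
    if vtype == "string" then
      add_header(k, v, prefix, headers)
    elseif vtype == "table" then
      add_table_as_headers(v, prefix .. "-" .. k, headers)
    end
  end
end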
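--- Envoy Lua request hook: decode the JWT in the JWTHeaderName request header
-- and expose its string claims as "JWTHeaderName-<claim>" headers.
-- Outcomes, all signalled via headers on the forwarded request:
--   header absent      -> adds "jwt: headernotfound"
--   token undecodable  -> adds "jwt: decodeerror" (previously the script error
--                         aborted the hook with no marker on the request)
--   decoded            -> claim headers added by add_table_as_headers
-- NOTE(review): headers:add appends; any JWTHeaderName-* headers already on the
-- inbound request are not removed here, so the upstream would see client-sent
-- and decoded values side by side unless something earlier strips them -- confirm.
function envoy_on_request(request_handle)
  local jwtHeaderName = "JWTHeaderName"
  -- All locals: the previous version leaked headers/jwt/content as globals shared
  -- across requests on the same Lua state.
  local headers = request_handle:headers()
  local jwt = headers:get(jwtHeaderName)
  if jwt == nil then
    headers:add("jwt", "headernotfound")
    return
  end
  local ok, content = pcall(decode_jwt, jwt)
  if not ok then
    -- Decode errors can quote bytes of the (client-supplied) token, so the
    -- detail goes to debug level only.
    request_handle:logWarn("jwt-lua-filter: could not decode token in " .. jwtHeaderName .. " header")
    request_handle:logDebug("jwt-lua-filter: " .. tostring(content))
    headers:add("jwt", "decodeerror")
    return
  end
  add_table_as_headers(content["claims"], jwtHeaderName, headers)
end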