Commit 21c30d94 authored by ashley kelham's avatar ashley kelham
Browse files

Merge branch 'os-core-commmon-20-multiple-idp-support' into 'master'

Add Envoy filter definitions for multiple IdP support

See merge request osdu/platform/deployment-and-operations/infra-azure-provisioning!213
parents 6bea4d26 e1a4e9bc
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: remove-user-appid-header
namespace: osdu
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: envoy.http_connection_manager
subFilter:
name: envoy.router
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua.remove-user-appid-header
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
function envoy_on_request(request_handle)
request_handle:headers():remove("x-user-id")
request_handle:headers():remove("x-app-id")
end
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: user-from-msft-aad-token
namespace: osdu
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: envoy.http_connection_manager
subFilter:
name: envoy.lua.remove-user-appid-header
patch:
operation: INSERT_AFTER
value:
name: envoy.lua.user-from-msft-aad-token
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
msft_issuer = "https://sts.windows.net/{{ .Values.global.azure.tenant }}/"
function envoy_on_request(request_handle)
local jwt_authn = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")
if jwt_authn then
if jwt_authn[msft_issuer] then
request_handle:headers():add("x-app-id", jwt_authn[msft_issuer]["aud"])
if jwt_authn[msft_issuer]["upn"] then
request_handle:headers():add("x-user-id", jwt_authn[msft_issuer]["upn"])
elseif jwt_authn[msft_issuer]["unique_name"] then
request_handle:headers():add("x-user-id", jwt_authn[msft_issuer]["unique_name"])
elseif jwt_authn[msft_issuer]["appid"] then
request_handle:headers():add("x-user-id", jwt_authn[msft_issuer]["appid"])
end
end
end
end
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: user-from-msftonline-token
namespace: osdu
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: SIDECAR_INBOUND
listener:
filterChain:
filter:
name: envoy.http_connection_manager
subFilter:
name: envoy.lua.remove-user-appid-header
patch:
operation: INSERT_AFTER
value:
name: envoy.lua.user-from-msftonline-token
typed_config:
"@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
msft_issuer = "https://login.microsoftonline.com/{{ .Values.global.azure.tenant }}/v2.0"
function envoy_on_request(request_handle)
local jwt_authn = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")
if jwt_authn then
if jwt_authn[msft_issuer] then
request_handle:headers():add("x-app-id", jwt_authn[msft_issuer]["aud"])
if jwt_authn[msft_issuer]["oid"] then
request_handle:headers():add("x-user-id", jwt_authn[msft_issuer]["oid"])
elseif jwt_authn[msft_issuer]["azp"] then
request_handle:headers():add("x-user-id", jwt_authn[msft_issuer]["azp"])
end
end
end
end
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment