Uploaded image for project: 'Maistra'
  1. Maistra
  2. MAISTRA-2534

Reject invalid jwks and add integration test for jwt rules

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • maistra-2.0.7
    • None
    • None
    • None
    • Sprint 7, Sprint 8

      From rhn-support-ssadhale (In support email)

      IHAC who is facing issues when configuring jwksURI in
      RequestAuthentication resource for HTTPS URIs.

      Error:

      2021-07-22T13:56:57.275247Z     warning envoy
      config  [external/envoy/source/common/config/grpc_subscription_impl.cc:101]
      gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected:
      Error adding/updating listener(s) virtualInbound: Proto constraint
      validation failed (JwtAuthenticationValidationError.Providers[key]:
      ["embedded message failed validation"] | caused by
      JwtProviderValidationError.LocalJwks: ["embedded message failed
      validation"] | caused by DataSourceValidationError.InlineString:
      ["value length must be at least " '\x01' " bytes"]): providers {

      I have researched and I found out that the issue was also raised upstream
      <https://github.com/istio/istio/issues/24629> and the PR
      <https://github.com/istio/istio/pull/25934/files> also seems to have been
      released for the istio master branch and 1.6 branch as well.

      Comparing the code with our maistra 2.0 branch it does not seem to be
      present but the 2.1 branch has it.

      References:
      1) Maistra GH 2.0
      <https://github.com/maistra/istio/blob/maistra-2.0/pilot/pkg/security/authn/v1beta1/policy_applier.go>

      2) Maistra GH 2.1
      <https://github.com/maistra/istio/blob/maistra-2.1/pilot/pkg/security/authn/v1beta1/policy_applier.go>

      Should we be creating a backport for this issue ?

            shaansar Shamsher Ansari (Inactive)
            shaansar Shamsher Ansari (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: