Skip to content

Commit a7b45fb

Browse files
thebengeuthebengeu
committed
fix: use rbac instead of lua filter for basic auth
1 parent 60a766b commit a7b45fb

File tree

3 files changed

+41
-25
lines changed

3 files changed

+41
-25
lines changed

ansible/files/envoy_config/basic_auth.lua

Lines changed: 0 additions & 12 deletions
This file was deleted.

ansible/files/envoy_config/lds.yaml

Lines changed: 39 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ resources:
66
address: 0.0.0.0
77
port_value: 80
88
filter_chains:
9-
- filters: &ref_2
9+
- filters: &ref_1
1010
- name: envoy.filters.network.http_connection_manager
1111
typed_config:
1212
'@type': >-
@@ -107,8 +107,6 @@ resources:
107107
'@type': >-
108108
type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
109109
source_codes:
110-
basic_auth:
111-
filename: /etc/envoy/basic_auth.lua
112110
remove_apikey_query_parameter:
113111
filename: /etc/envoy/remove_apikey_query_parameter.lua
114112
- name: envoy.filters.http.router
@@ -118,6 +116,26 @@ resources:
118116
dynamic_stats: false
119117
local_reply_config:
120118
mappers:
119+
- filter:
120+
and_filter:
121+
filters:
122+
- status_code_filter:
123+
comparison:
124+
value:
125+
default_value: 403
126+
runtime_key: unused
127+
- header_filter:
128+
header:
129+
name: ':path'
130+
string_match:
131+
prefix: /customer/v1/privileged/
132+
status_code: 401
133+
body:
134+
inline_string: Unauthorized
135+
headers_to_add:
136+
- header:
137+
key: WWW-Authenticate
138+
value: Basic realm="Unknown"
121139
- filter:
122140
and_filter:
123141
filters:
@@ -166,7 +184,7 @@ resources:
166184
body:
167185
inline_string: Healthy
168186
typed_per_filter_config: &ref_0
169-
envoy.filters.http.rbac: &ref_1
187+
envoy.filters.http.rbac:
170188
'@type': >-
171189
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
172190
- match:
@@ -255,15 +273,23 @@ resources:
255273
cluster: admin_api
256274
prefix_rewrite: /privileged/
257275
typed_per_filter_config:
258-
envoy.filters.http.lua:
276+
envoy.filters.http.rbac:
259277
'@type': >-
260-
type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute
261-
name: basic_auth
262-
envoy.filters.http.rbac: *ref_1
263-
metadata:
264-
filter_metadata:
265-
envoy.filters.http.lua:
266-
credentials: c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
278+
type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute
279+
rbac:
280+
rules:
281+
action: DENY
282+
policies:
283+
basic_auth:
284+
permissions:
285+
- any: true
286+
principals:
287+
- header:
288+
name: authorization
289+
invert_match: true
290+
string_match:
291+
exact: Basic c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5
292+
treat_missing_header_as_empty: true
267293
- match:
268294
prefix: /metrics/aggregated
269295
route:
@@ -293,7 +319,7 @@ resources:
293319
address: 0.0.0.0
294320
port_value: 443
295321
filter_chains:
296-
- filters: *ref_2
322+
- filters: *ref_1
297323
transport_socket:
298324
name: envoy.transport_sockets.tls
299325
typed_config:

docker/all-in-one/init/configure-envoy.sh

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,9 +29,11 @@ if [ -f "${INIT_PAYLOAD_PATH:-}" ]; then
2929
fi
3030

3131
# Inject project specific configuration
32+
# "c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5" is base64-encoded "service_role:service_key".
3233
sed -i -e "s|anon_key|$ANON_KEY|g" \
3334
-e "s|service_key|$SERVICE_ROLE_KEY|g" \
3435
-e "s|supabase_admin_key|$ADMIN_API_KEY|g" \
36+
-e "s|c2VydmljZV9yb2xlOnNlcnZpY2Vfa2V5|$(echo -n "service_role:$SERVICE_ROLE_KEY" | base64 --wrap 0)|g" \
3537
"$ENVOY_LDS_CONF"
3638

3739
# Update Envoy ports

0 commit comments

Comments
 (0)