
External Authorization and request headers

Open hasiotis opened this issue 3 years ago • 2 comments

What question do you have?:

We have been happily using contour with External Authorization. We are using our own authorization server. As the next step, our authorization server will need to set some company-specific headers (ex. x-company-role). We intend to sanitize any custom x-company-* headers when they reach the authorization server.

As an extra security measure, we tried to strip all those headers in order to be sure that a malicious client will not be able to set arbitrary values (that we might fail to sanitize):

policy:
  request-headers:
    remove:
      - x-company-role

It turns out this configuration completely strips the headers, even the ones that the authorization server adds. Do you believe it is a valid request to have headers from the authorization server not be subject to any header policy (perhaps with a flag for that behavior)?

Environment:

  • Contour version: 1.20.1
  • Kubernetes version: v1.21.12-eks-a64ea69
  • Contour helm chart: 7.8.0 (bitnami contour)
  • Cloud provider or hardware configuration: aws eks

hasiotis avatar Aug 03 '22 19:08 hasiotis

To clarify, we have a few hops here:

  1. client request -> Envoy (which may have the x-company-role header)
  2. Envoy auth request -> auth server
  3. Auth server response -> Envoy (which tells Envoy to set the x-company-role header)
  4. Envoy proxying authenticated client request -> app (with headers removed as per listed policy)
  5. app response -> Envoy
  6. Envoy proxying response -> client

The request header policy you list above should be stripping the specified header(s) at step 4; I'm not sure Envoy at that level can tell which headers have been set by the auth server and which came from the original request.

Since the headers to add to the request come from the auth server itself and its logic (and not something programmed in Contour), I'm not sure if there's something we can really program in Contour to circumvent this, though I'll keep thinking about it.

sunjayBhatia avatar Aug 04 '22 17:08 sunjayBhatia
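The hop sequence above, worked through as an added example (not code from the Contour project or from anyone in this thread). It assumes a hypothetical auth server whose decision logic is `authorize`, keyed by a bearer token lookup, and it models only the two Envoy behaviours the thread relies on: the ext_authz response can remove client-supplied headers and set headers with append=false (overwrite), and the route-level request-header policy (Contour's `policy.request-headers.remove`) is applied afterwards, when the router forwards upstream. `forwardUpstream` is a simulation of that ordering, not Envoy's code. It shows both the behaviour reported in the issue (the policy strips the auth server's header too) and the alternative the original poster is already pursuing: have the auth server itself strip every inbound x-company-* header and overwrite x-company-role, so the route policy is not needed to defeat spoofing.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Headers is a simplified request header map keyed by lower-case name
// (HTTP header names are case-insensitive; callers must lower-case keys).
type Headers map[string]string

// CheckResult mirrors the parts of an ext_authz OkHttpResponse that matter
// here: headers to remove from the client request (headers_to_remove) and
// headers to set with append=false, i.e. overwrite (headers).
type CheckResult struct {
	Allowed         bool
	HeadersToRemove []string
	HeadersToSet    Headers
}

const companyPrefix = "x-company-"

// authorize is the hypothetical auth server's decision logic. roleOf stands
// in for whatever identity lookup the real server does (assumed here to be
// keyed by the bearer token in the Authorization header).
func authorize(req Headers, roleOf map[string]string) CheckResult {
	token := strings.TrimPrefix(req["authorization"], "Bearer ")
	role, ok := roleOf[token]
	if !ok {
		return CheckResult{Allowed: false}
	}
	res := CheckResult{
		Allowed:      true,
		HeadersToSet: Headers{companyPrefix + "role": role},
	}
	// Strip every client-supplied x-company-* header, not just the ones the
	// server knows about, so the only such values reaching the app are ours.
	for name := range req {
		if strings.HasPrefix(name, companyPrefix) {
			res.HeadersToRemove = append(res.HeadersToRemove, name)
		}
	}
	sort.Strings(res.HeadersToRemove)
	return res
}

// forwardUpstream models the order described in the thread: ext_authz
// mutations are applied to the client request first, then the route-level
// request-header removal policy runs on whatever is left.
func forwardUpstream(client Headers, res CheckResult, routeRemove []string) (Headers, bool) {
	if !res.Allowed {
		return nil, false
	}
	up := Headers{}
	for k, v := range client {
		up[k] = v
	}
	for _, name := range res.HeadersToRemove {
		delete(up, name)
	}
	for k, v := range res.HeadersToSet {
		up[k] = v // append=false: overwrites whatever the client sent
	}
	for _, name := range routeRemove {
		delete(up, strings.ToLower(name)) // route policy cannot tell who set it
	}
	return up, true
}

func main() {
	// Constructed sample: a valid token plus two spoofed x-company-* headers.
	roles := map[string]string{"tok-alice": "admin"}
	client := Headers{
		"authorization":  "Bearer tok-alice",
		"x-company-role": "superadmin",
		"x-company-team": "spoofed",
	}
	res := authorize(client, roles)

	withPolicy, _ := forwardUpstream(client, res, []string{"x-company-role"})
	fmt.Println("with route remove policy:   ", withPolicy) // x-company-role gone entirely

	noPolicy, _ := forwardUpstream(client, res, nil)
	fmt.Println("auth server sanitises only:", noPolicy) // x-company-role=admin, team stripped
}
```

The design choice being illustrated: the auth server is the only hop that knows which x-company-* values are trustworthy, so it is the right place to drop the client's copies (a prefix match rather than a fixed list) and assert its own; the route policy, running later, can only remove names wholesale.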

Thanks for the clarification @sunjayBhatia, it does provide insight on how that translates to envoy flow.

hasiotis avatar Aug 05 '22 08:08 hasiotis

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

github-actions[bot] avatar Oct 05 '22 00:10 github-actions[bot]