@shpwrck
Created July 24, 2023 15:53
Path Based Regex with Gloo Platform
---
apiVersion: networking.gloo.solo.io/v2
kind: VirtualDestination
metadata:
  name: ext-auth-service
  namespace: gloo-mesh-addons
spec:
  ports:
  - number: 8083
    protocol: GRPC
  services:
  - cluster: mgmt
    name: ext-auth-service
    namespace: gloo-mesh-addons
---
# JWT Policy
apiVersion: security.policy.gloo.solo.io/v2
kind: JWTPolicy
metadata:
  name: jwt-policy
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        route: httpbin
  config:
    phase:
      preAuthz: {}
    providers:
      provider1:
        claimsToHeaders:
        - append: true
          claim: org
          header: x-org
        - append: true
          claim: email
          header: x-email
        issuer: https://localhost
        local:
          inline: |-
            -----BEGIN PUBLIC KEY-----
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJ63gUYg0G1aOY03DN8d
            emJIk8XeWcdycuJFQeGK6N+sdpt+p5Q6B61dirSkZcslTXBB9CL92j0Ez+2J4O0M
            +kUxvnGI58TNkwdzQJsRA2LW7TpaCOIHiQMLevm9vtGQy3imzC3g/oaN7FBj0D41
            0knKOfxzeK7MTN7Xi2zCh6QGnN6+SUw8dBr+s6JToAlhpHqZtvK4naTUUFdhKXMd
            EqALB+n13YBekex/gGVr3FZnLliuU7HHs1tASQjhIZcMG22gbKT/ta9lm7ivEAXF
            5qEft4XzVPjbqs2wyluPf8j5BU17Dvc8VIU/nSmcPqoawWi49gD89Q7dJZiK149w
            dQIDAQAB
            -----END PUBLIC KEY-----
        tokenSource:
          headers:
          - name: X-Auth
            prefix: 'Bearer '
          queryParams:
          - auth_token
---
# OPA Policy
apiVersion: v1
kind: ConfigMap
metadata:
  name: regex
  namespace: httpbin
data:
  policy.rego: |-
    package test
    default allow = false
    allow {
      # Make sure the JWT is from Solo
      # io.jwt.decode does not verify the signature; that relies on the
      # JWTPolicy (preAuthz phase) being applied to the same route.
      [_, payload, _] := io.jwt.decode(replace(input.http_request.headers["x-auth"], "Bearer ", ""))
      payload["org"] == "solo-io"
      # Make sure the path is a given regex
      # Regexp Syntax: https://github.com/google/re2/wiki/Syntax
      regex.match("^/anything/a/[0-9]+/b/[0-9]+$", input.http_request.path)
    }
---
# Server Configuration
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  name: ext-auth-server
  namespace: httpbin
spec:
  destinationServer:
    kind: VIRTUAL_DESTINATION
    ref:
      name: ext-auth-service
      namespace: gloo-mesh-addons
      cluster: mgmt
---
# Policy Configuration
apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  name: httpbin-regex
  namespace: httpbin
spec:
  applyToRoutes:
  - route:
      labels:
        extauth: regex
  config:
    server:
      name: ext-auth-server
      namespace: httpbin
      cluster: mgmt
    glooAuth:
      configs:
      - opaAuth:
          modules:
          - name: regex
            namespace: httpbin
          query: "data.test.allow == true"
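
An added example, not part of the original gist: a Python model of the `allow` rule in the `regex` ConfigMap, run over constructed requests to show which paths the anchored pattern accepts and how missing or malformed tokens are denied. The helper names, sample tokens and sample paths are assumptions made for illustration; like `io.jwt.decode`, the model only decodes the token and does not verify its signature.

```python
import base64
import json
import re

# Pattern from the policy. fullmatch stands in for the ^...$ anchors because
# Python's "$" also matches before a trailing newline, unlike RE2's.
PATH_RE = re.compile(r"/anything/a/[0-9]+/b/[0-9]+")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Constructed sample JWT; the signature segment is a dummy value."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.{b64url(b'dummy')}"

def decode_payload(token: str) -> dict:
    """Decode the payload segment without verifying the signature."""
    _, payload, _ = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def allow(http_request: dict) -> bool:
    """Model of the `allow` rule: missing or malformed input denies."""
    try:
        token = http_request["headers"]["x-auth"].replace("Bearer ", "")
        org = decode_payload(token)["org"]
    except (KeyError, ValueError, TypeError):
        return False
    return org == "solo-io" and bool(PATH_RE.fullmatch(http_request.get("path", "")))

def evaluate_samples() -> dict:
    """Run the model over constructed requests; returns label -> decision."""
    solo = {"x-auth": "Bearer " + make_token({"org": "solo-io"})}
    other = {"x-auth": "Bearer " + make_token({"org": "example"})}
    cases = {
        "exact path": (solo, "/anything/a/1/b/2"),
        "trailing slash": (solo, "/anything/a/1/b/2/"),
        "query string in path value": (solo, "/anything/a/1/b/2?x=1"),
        "extra segments": (solo, "/anything/a/1/b/2/../../admin"),
        "prefixed path": (solo, "/v1/anything/a/1/b/2"),
        "wrong org claim": (other, "/anything/a/1/b/2"),
        "no X-Auth header": ({}, "/anything/a/1/b/2"),
        "malformed token": ({"x-auth": "Bearer abc"}, "/anything/a/1/b/2"),
    }
    return {k: allow({"headers": h, "path": p}) for k, (h, p) in cases.items()}

if __name__ == "__main__":
    for label, decision in evaluate_samples().items():
        print("ALLOW" if decision else "DENY ", label)
```

Only the exact-path case is allowed; every other constructed request is denied, including the one with no `X-Auth` header, which is what a token supplied through the `auth_token` query parameter looks like to this rule.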