consul/agent/xds/testdata/rbac
Michael Zalimeni d9206fc7e2
[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816)
mesh: add options for HTTP incoming request normalization

Expose global mesh configuration to enforce inbound HTTP request
normalization on mesh traffic via Envoy xDS config.

mesh: enable inbound URL path normalization by default

mesh: add support for L7 header match contains and ignore_case

Enable partial string and case-insensitive matching in L7 intentions
header match rules.

ui: support L7 header match contains and ignore_case

Co-authored-by: Phil Renaud <phil@riotindustries.com>

test: add request normalization integration bats tests

Add both "positive" and "negative" test suites, showing normalization in
action as well as expected results when it is not enabled, for the same
set of test cases.

Also add some alternative service container test helpers for verifying
raw HTTP request paths, which is difficult to do with Fortio.

docs: update security and reference docs for L7 intentions bypass prevention

- Update security docs with best practices for service intentions
  configuration
- Update configuration entry references for mesh and intentions to
  reflect new values and add guidance on usage
2024-10-16 12:23:33 -04:00
default-allow-deny-all-and-path-allow--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-deny-all-and-path-allow.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-deny-all-and-path-deny--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-deny-all-and-path-deny.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-kitchen-sink--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-kitchen-sink.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-one-deny--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-one-deny.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-path-allow--httpfilter.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-allow-path-allow.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-path-deny--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-path-deny.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-service-wildcard-deny--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-service-wildcard-deny.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816) 2024-10-16 12:23:33 -04:00
default-allow-single-intention-with-kitchen-sink-perms.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-two-path-deny-and-path-allow--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-allow-two-path-deny-and-path-allow.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-allow-deny--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-allow-deny.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-deny-all-and-path-allow--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-deny-all-and-path-allow.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-deny-deny-all-and-path-deny--httpfilter.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-deny-deny-all-and-path-deny.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-deny-kitchen-sink--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-kitchen-sink.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-mixed-precedence--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-mixed-precedence.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-one-allow--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-one-allow.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-path-allow--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-path-allow.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-deny-path-deny--httpfilter.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-deny-path-deny.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-deny-peered-kitchen-sink--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-peered-kitchen-sink.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-service-wildcard-allow--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-service-wildcard-allow.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816) 2024-10-16 12:23:33 -04:00
default-deny-single-intention-with-kitchen-sink-perms.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
default-deny-two-path-deny-and-path-allow--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
default-deny-two-path-deny-and-path-allow.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
empty-top-level-jwt-with-one-permission--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
empty-top-level-jwt-with-one-permission.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
top-level-jwt-no-permissions--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
top-level-jwt-no-permissions.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
top-level-jwt-with-multiple-permissions--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
top-level-jwt-with-multiple-permissions.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
top-level-jwt-with-one-permission--httpfilter.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
top-level-jwt-with-one-permission.golden xds: update golden tests to be deterministic (#18707) 2023-09-11 11:40:19 -05:00
v2-L4-deny-L7-allow--httpfilter.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-L4-deny-L7-allow.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-default-allow--httpfilter.golden Fix SAN matching on terminating gateways (#20417) 2024-01-31 12:17:45 -06:00
v2-default-allow.golden Add V2 TCP traffic permissions (#18771) 2023-09-13 09:03:42 -04:00
v2-default-deny--httpfilter.golden Fix SAN matching on terminating gateways (#20417) 2024-01-31 12:17:45 -06:00
v2-default-deny.golden Allow connections through Terminating Gateways from peered clusters NET-3463 (#18959) 2023-10-05 21:54:23 +00:00
v2-ignore-empty-permissions--httpfilter.golden Fix SAN matching on terminating gateways (#20417) 2024-01-31 12:17:45 -06:00
v2-ignore-empty-permissions.golden Handle Traffic Permissions With Empty Sources Properly (#19024) 2023-09-28 15:11:59 -04:00
v2-kitchen-sink--httpfilter.golden Fix SAN matching on terminating gateways (#20417) 2024-01-31 12:17:45 -06:00
v2-kitchen-sink.golden NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
v2-path-excludes--httpfilter.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-path-excludes.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-path-method-header-excludes--httpfilter.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-path-method-header-excludes.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-single-permission-multiple-destination-rules--httpfilter.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-single-permission-multiple-destination-rules.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-single-permission-with-excludes--httpfilter.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-single-permission-with-excludes.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-single-permission-with-kitchen-sink-perms--httpfilter.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00
v2-single-permission-with-kitchen-sink-perms.golden add traffic permissions excludes and tests (#20453) 2024-02-07 20:21:44 +00:00