istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0

Istio's 1.21 AuthorizationPolicy requestPrincipals aren't processed correctly if JWT contains "/*" in "sub" claim as well as exact match #52217

Open antonsukhanov opened 3 months ago

antonsukhanov commented 3 months ago

Is this the right place to submit this?

Bug Description

After upgrading from Istio v1.20.4 to v1.21.4, requestPrincipals from JWT tokens with /* symbols are not processed correctly. As well as exact matches (see below).

Example JWT token (GitHub Actions OIDC):

{
  ...
  "sub": "repo:my-github-org/some-repo:ref:refs/heads/main",
  "iss": "https://token.actions.githubusercontent.com/",
  ...
}

requestPrincipals match tests: ❌
  https://token.actions.githubusercontent.com/repo:my-github-org/some-repo:ref:refs/heads/main
  https://token.actions.githubusercontent.com/repo:my-github-org/*
  https://token.actions.githubusercontent.com/repo:my-github-org*
  https://token.actions.githubusercontent.com/repo:*

apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  ...
spec:
  jwtRules:
    - forwardOriginalToken: true
      issuer: 'https://token.actions.githubusercontent.com'
      jwksUri: 'https://token.actions.githubusercontent.com/.well-known/jwks'
      outputClaimToHeaders:
        - claim: repository
          header: repository
  selector:
    matchLabels:
      ...
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  ...
spec:
  rules:
    - from:
        - source:
            namespaces:
              - istio-gateway
            requestPrincipals:
              - https://token.actions.githubusercontent.com/repo:my-github-org/*
      to:
        - operation:
            paths:
              - /api/*
            ports:
              - '8080'
  selector:
    matchLabels:
      ...

Version

$ istioctl version
istiod version: 1.20.4
istiod version: 1.21.4
data plane version: 1.20.4 (N proxies), 1.21.4 (N proxies)

$ kubectl version
Client Version: v1.30.3
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.4-eks-036c24b

Additional Information

No response

zirain commented 3 months ago

cc @kyessenov

kyessenov commented 2 months ago

This has been mentioned a few times, but the workaround is to use a when clause with claims[iss] and claims[sub] directly, e.g. https://github.com/istio/istio/issues/50246#issuecomment-2073049886.

sergeyshevch commented 2 weeks ago

@kyessenov It can also lead to some issues. For example, you need to add 2 pairs of iss/sub into the same route. Then you need to create 2 separate rules for it, because otherwise when will work incorrectly.
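The following AuthorizationPolicy is an added example, not a manifest from this thread or from the Istio project, showing the when-clause workaround from the comment above together with the two-rule layout the last comment asks for. Policy name, namespace, app label and the second issuer/org are placeholders; it keeps the gateway namespace, port and path from the reporter's policy. It assumes the RequestAuthentication shown in the issue is already validating the token, so request.auth.claims[...] is populated only for requests carrying a valid JWT.

```yaml
# Added example (not from the thread). Matches issuer and subject through
# `when` conditions on the validated JWT claims instead of requestPrincipals,
# which is the workaround suggested in the thread.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: api-allow-github-actions   # placeholder
  namespace: my-namespace          # placeholder
spec:
  selector:
    matchLabels:
      app: my-api                  # placeholder
  action: ALLOW
  rules:
    # Rule 1: GitHub Actions tokens for my-github-org.
    # Within one rule every `when` entry must hold (AND); the values listed
    # inside a single entry are alternatives (OR). That is why a second
    # iss/sub pair gets its own rule below rather than extra values here.
    - from:
        - source:
            namespaces:
              - istio-gateway
      to:
        - operation:
            paths:
              - /api/*
            ports:
              - '8080'
      when:
        - key: request.auth.claims[iss]
          # Must equal the `iss` claim exactly as issued; the thread shows it
          # both with and without a trailing slash, so check a decoded token.
          values:
            - https://token.actions.githubusercontent.com
        - key: request.auth.claims[sub]
          # Assumed: a trailing `*` gives a prefix match on claim values, as in
          # the Istio condition docs' `*@foo.com` example. Verify on your version.
          values:
            - repo:my-github-org/*
    # Rule 2: a second issuer/subject pair (placeholders). Folding it into
    # rule 1 as two values per condition would also accept issuer 1 combined
    # with subject 2, which is the "when will work incorrectly" case above.
    - from:
        - source:
            namespaces:
              - istio-gateway
      to:
        - operation:
            paths:
              - /api/*
            ports:
              - '8080'
      when:
        - key: request.auth.claims[iss]
          values:
            - https://other-issuer.example   # placeholder
        - key: request.auth.claims[sub]
          values:
            - repo:other-org/*               # placeholder
```

Requests without a JWT, or with one the RequestAuthentication rejects, carry no claims and therefore match neither rule, so they are denied as long as no other ALLOW policy on the same workload admits them.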