ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

Oathkeeper does not support using .MatchContext.RegexpCaptureGroups using glob matching strategy. #946

Open gen1us2k opened 2 years ago

gen1us2k commented 2 years ago

Describe the bug

A detailed explanation can be found in this discussion. I assume that Oathkeeper has this issue because of a missing implementation of the FindStringSubmatch and ReplaceAllString methods for globMatchingEngine.

Reproducing the bug

Set matchingStrategy: glob and use these access rules:

- id: allow-test
  upstream:
    url: http://host.docker.internal:8080/
    preserve_host: true
  match:
    url: http://localhost:4455/<{*,*/*}>
    methods:
    - GET
  authenticators:
  - handler: noop
  authorizer:
    handler: allow
  mutators:
  - handler: header
    config:
      headers:
        X-Groups: "{{ printIndex .MatchContext.RegexpCaptureGroups 0  }}"

----- Request Start ----->
Method: GET
Path: /foo/bar

Headers:
X-Groups:
X-Header: map[Accept:[*/*] User-Agent:[curl/7.77.0]]
X-Method: GET
X-Url: http://localhost:4455/foo/bar
<----- Request End -----

Version

v0.38.23-beta.1

aeneasr commented 2 years ago

That's true. Unfortunately, I don't know whether it will be possible to fix this, as the glob library does not support capture groups as far as I know. The only alternative would be to use an alternate implementation of glob matching that supports capture groups, but I don't know if such a library exists.

a-manraj-pvotal commented 2 years ago

@aeneasr have to check licensing, but a reference from pachyderm exists: https://github.com/pachyderm/pachyderm/pull/3834/files
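The behaviour this issue turns on, as an added Go example (not Oathkeeper's code and not part of the thread): a regexp-style rule yields capture groups through `FindStringSubmatch`, while a matcher that supplies none leaves the `X-Groups` template with nothing to index. Assumptions: `captureGroups` and `renderHeader` are hypothetical helpers, each `<...>` section is treated as one capture group, and this `printIndex` is a strict stand-in that returns an error instead of rendering an empty header.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// captureGroups compiles a rule URL (literal text quoted, each <...> section wrapped as one
// capture group: an assumed, simplified regexp strategy); nil means the rule did not match.
func captureGroups(pattern, url string) ([]string, error) {
	expr, last := "^", 0
	for _, m := range regexp.MustCompile(`<([^<>]*)>`).FindAllStringSubmatchIndex(pattern, -1) {
		expr += regexp.QuoteMeta(pattern[last:m[0]]) + "(" + pattern[m[2]:m[3]] + ")"
		last = m[1]
	}
	re, err := regexp.Compile(expr + regexp.QuoteMeta(pattern[last:]) + "$")
	if err != nil {
		return nil, err
	}
	if m := re.FindStringSubmatch(url); m != nil {
		return m[1:], nil
	}
	return nil, nil
}

// renderHeader's printIndex is a strict stand-in (not Oathkeeper's): a missing group is an error.
func renderHeader(tmpl string, groups []string) (string, error) {
	strict := func(g []string, i int) (string, error) {
		if i < 0 || i >= len(g) {
			return "", fmt.Errorf("capture group %d missing (have %d)", i, len(g))
		}
		return g[i], nil
	}
	t, err := template.New("h").Funcs(template.FuncMap{"printIndex": strict}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	err = t.Execute(&out, map[string]map[string][]string{"MatchContext": {"RegexpCaptureGroups": groups}})
	return out.String(), err
}

func main() {
	const hdr = `{{ printIndex .MatchContext.RegexpCaptureGroups 0 }}`
	g, _ := captureGroups("http://localhost:4455/<[^/]+>/<.*>", "http://localhost:4455/foo/bar")
	fmt.Println(renderHeader(hdr, g))   // regexp-style rule: groups available
	fmt.Println(renderHeader(hdr, nil)) // glob strategy per this issue: no groups
}
```

If an upstream makes decisions based on `X-Groups`, failing the request on a missing group is safer than forwarding the empty header shown in the report.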