Support regex-based paths ignoring for RBAC authz/authn #130

Closed
knopt opened this issue Jul 12, 2021 · 5 comments


knopt commented Jul 12, 2021

Hi there!

I'd like to propose a new feature, which would allow ignoring authn/authz for specific paths, based on a regex. This would allow handling more complex authn/authz logic than the ignore-paths flag does.

I would suggest introducing an ignore-regex flag, which would accept a single Go-style regex and exclude any path that matches the regex from authn/authz. This exclusion would be additional to the ignore-paths exclusion, meaning that if a path matches one of the paths from ignore-paths it will be excluded as well. Currently a path has to be equal to one of the paths from ignore-paths to be excluded.

Example usage would be specifying --ignore-regex='/path/(.)*' to exclude all subpaths from authn/authz.

Please let me know your thoughts. Once we agree on the solution I'll be happy to submit a PR.

Thanks,
Tomasz

Owner

brancz commented Jul 12, 2021

cc @s-urbaniak

Author

knopt commented Jul 19, 2021

@brancz @s-urbaniak Do you have any suggestions?

@s-urbaniak
Collaborator

@knopt thank you for the feature suggestion! A couple of comments:

  • Instead of allowing full-blown regular expressions in security sensitive proxies I would rather suggest to go with a simpler wildcard based approach, i.e. using https://pkg.go.dev/path#Match.
  • Introducing interleaving command line parameters can lead to unexpected results. We had a similar discussion in Add support for ignore-paths #91 (comment). Hence, I would like to leave the clear orthogonality between --ignore-paths and --allow-paths.
  • A single expression setting sounds unaligned with the existing --*-paths settings

How about simply extending the current --ignore-paths and --allow-paths cmdline parameters to allow wildcard matches using https://pkg.go.dev/path#Match? This would be backwards compatible and would suffice for your concrete use case.
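
An added example, not part of the original thread or the project's code: a sketch of how path lists could be matched with `path.Match`, showing that literal entries keep their exact-match behaviour, that `*` stays within one path segment, and that malformed patterns can be rejected at startup. The helper names `compilePatterns` and `isIgnored` and the sample paths are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
)

// compilePatterns checks every pattern once at startup so that a malformed
// pattern stops the proxy instead of silently never matching.
func compilePatterns(patterns []string) ([]string, error) {
	for _, p := range patterns {
		// The only error path.Match returns is path.ErrBadPattern.
		if _, err := path.Match(p, ""); err != nil {
			return nil, fmt.Errorf("invalid path pattern %q: %w", p, err)
		}
	}
	return patterns, nil
}

// isIgnored reports whether reqPath matches any already-validated pattern.
// A pattern without wildcards only matches the identical path, which keeps
// existing exact-match configurations working unchanged.
func isIgnored(patterns []string, reqPath string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(p, reqPath); ok {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configuration and request paths.
	patterns, err := compilePatterns([]string{"/healthz", "/metrics/*"})
	if err != nil {
		panic(err)
	}
	for _, p := range []string{
		"/healthz", "/healthz/deep", "/metrics/node", "/metrics/node/cpu", "/metrics",
	} {
		fmt.Printf("%-18s ignored=%v\n", p, isIgnored(patterns, p))
	}
	// An unterminated character class is rejected up front.
	_, err = compilePatterns([]string{"/metrics/["})
	fmt.Println("bad pattern:", err)
}
```

Because `*` never matches `/`, the pattern `/metrics/*` covers a single path segment only, which is narrower than the `/path/(.)*` regex from the original proposal.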

Author

knopt commented Jul 27, 2021

@s-urbaniak thanks for the reply!

  1. Using https://pkg.go.dev/path#Match sounds great!
  2. Reusing --ignore-paths and --allow-paths: that makes sense when using Match as all special characters of Match are restricted characters in URI. I guess here we would rely on the fact that the set of allowed URI characters (see https://www.ietf.org/rfc/rfc3986.txt) is exclusive to Match special characters.

So I guess we agree on the solution, I'll try to post the PR in a couple of days

@s-urbaniak
Collaborator

@knopt feel free to try #135
