Allow adding extra cookie options via CP_EDGE_BEARER_COOKIE_EXTRA

deploy/docker/cp-edge/endpoints-config/route.template.loc.conf

@@ -6,6 +6,7 @@ location {edge_route_location} {
     set $run_id "{run_id}";
     set $edge_jwt_auth "{edge_jwt_auth}";
     set $edge_pass_bearer "{edge_pass_bearer}";
+    set $bearer_cookie_extra "{bearer_cookie_extra}";
     default_type text/html;
     access_by_lua_file /etc/nginx/validate_cookie.lua;
     proxy_cookie_path {edge_cookie_location} {edge_cookie_location};

deploy/docker/cp-edge/sync-routes.py

@@ -56,6 +56,10 @@
 EDGE_COOKIE_NO_REPLACE = 'CP_EDGE_COOKIE_NO_REPLACE'
 EDGE_JWT_NO_AUTH = 'CP_EDGE_JWT_NO_AUTH'
 EDGE_PASS_BEARER = 'CP_EDGE_PASS_BEARER'
+# This can be used to add any extra option to the bearer cookie generated
+# e.g. Secure;SameSite=None;Partitioned;
+# Which allows external services to use the cookie (used for SSO integration with EDGE)
+EDGE_BEARER_COOKIE_EXTRA = os.getenv('CP_EDGE_BEARER_COOKIE_EXTRA', '')
 EDGE_DNS_RECORD_FORMAT = os.getenv('CP_EDGE_DNS_RECORD_FORMAT', '{job_name}.{region_name}')
 EDGE_DISABLE_NAME_SUFFIX_FOR_DEFAULT_ENDPOINT = os.getenv('EDGE_DISABLE_NAME_SUFFIX_FOR_DEFAULT_ENDPOINT', 'True').lower() == 'true'
 EDGE_EXTERNAL_APP = 'CP_EDGE_EXTERNAL_APP'
@@ -660,6 +664,7 @@ def get_service_list(active_runs_list, pod_id, pod_run_id, pod_ip):
                                         if EDGE_PASS_BEARER in additional:
                                                 additional = additional.replace(EDGE_PASS_BEARER, "")
                                                 edge_pass_bearer = True
+
                                         #######################################################
 
                                         is_external_app = False
@@ -805,6 +810,7 @@ def create_service_location(service_spec, service_url_dict, edge_region_id):
                 .replace('{additional}', service_spec["additional"]) \
                 .replace('{edge_jwt_auth}', str(service_spec["edge_jwt_auth"])) \
                 .replace('{edge_pass_bearer}', str(service_spec["edge_pass_bearer"])) \
+                .replace('{bearer_cookie_extra}', EDGE_BEARER_COOKIE_EXTRA) \
                 .replace('{edge_cookie_location}', service_spec["cookie_location"] if service_spec["cookie_location"] else service_location)
         nginx_sensitive_route_definitions = []
         if service_spec["sensitive"]:

deploy/docker/cp-edge/validate_cookie.lua

@@ -195,7 +195,11 @@ if token == nil then
     return
 else
     -- If "bearer" param is found - set it as cookie and redirect to initial uri
-        ngx.header['Set-Cookie'] = 'bearer=' .. token  .. '; path=/'
-        ngx.say('<html><body><script>window.location.href = "' .. req_uri .. '"</script></body></html>')
-        return
+    local bearer_cookie_extra = ''
+    if ngx.var.bearer_cookie_extra ~= nil then
+        bearer_cookie_extra = ngx.var.bearer_cookie_extra
+    end
+    ngx.header['Set-Cookie'] = 'bearer=' .. token  .. '; path=/;' .. bearer_cookie_extra
+    ngx.say('<html><body><script>window.location.href = "' .. req_uri .. '"</script></body></html>')
+    return
 end