jwt_authn: Add subject constraints for JwtProviders (#32374)

Adds new `subjects` config field to restrict subjects accepted from a `JwtProvider` partially implementing #31455 Risk Level: Low Testing: Unit testing Docs Changes: Added `subjects` description inline in proto. Release Notes: Attached Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): Feature is opt in, without specifying the config, there's no behavior change. Signed-off-by: Matthew Jones <mattjo@squareup.com> Mirrored from https://github.com/envoyproxy/envoy @ 08231e383fc3fb1c3bb207774d8295995759552a
9 months ago · e724bf6b9a
parent 2059357065
commit e724bf6b9a
2 changed files with 17 additions and 1 deletions
--- a/envoy/extensions/filters/http/jwt_authn/v3/BUILD
+++ b/envoy/extensions/filters/http/jwt_authn/v3/BUILD
@ -8,6 +8,7 @@ api_proto_package(
    deps = [
        "//envoy/config/core/v3:pkg",
        "//envoy/config/route/v3:pkg",
+        "//envoy/type/matcher/v3:pkg",
        "@com_github_cncf_xds//udpa/annotations:pkg",
    ],
 )
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@ -5,6 +5,7 @@ package envoy.extensions.filters.http.jwt_authn.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/http_uri.proto";
 import "envoy/config/route/v3/route_components.proto";
+import "envoy/type/matcher/v3/string.proto";

 import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
@ -53,7 +54,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //       cache_duration:
 //         seconds: 300
 //
-// [#next-free-field: 19]
+// [#next-free-field: 20]
 message JwtProvider {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@ -104,6 +105,20 @@ message JwtProvider {
  //
  repeated string audiences = 2;

+  // Restrict the `subjects <https://tools.ietf.org/html/rfc7519#section-4.1.2>`_
+  // that the JwtProvider can assert. For instance, this could implement JWT-SVID
+  // `subject restrictions <https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md#31-subject>`_.
+  // If not specified, will not check subjects in the token.
+  //
+  // Example:
+  //
+  // .. code-block:: yaml
+  //
+  //     subjects:
+  //       prefix: spiffe://spiffe.example.com/
+  //
+  type.matcher.v3.StringMatcher subjects = 19;
+
  // `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
  // validate signature of a JWT. This field specifies where to fetch JWKS.
  oneof jwks_source_specifier {