Move SNI into JwksURI struct

Author: javorszky

internal/configs/version2/http.go

@@ -428,22 +428,22 @@ func (rl LimitReqOptions) String() string {
 
 // JWTAuth holds JWT authentication configuration.
 type JWTAuth struct {
-	Key            string
-	Secret         string
-	Realm          string
-	Token          string
-	KeyCache       string
-	JwksSNIName    string
-	JwksSNIEnabled bool
-	JwksURI        JwksURI
+	Key      string
+	Secret   string
+	Realm    string
+	Token    string
+	KeyCache string
+	JwksURI  JwksURI
 }
 
 // JwksURI defines the components of a JwksURI
 type JwksURI struct {
-	JwksScheme string
-	JwksHost   string
-	JwksPort   string
-	JwksPath   string
+	JwksScheme     string
+	JwksHost       string
+	JwksPort       string
+	JwksPath       string
+	JwksSNIName    string
+	JwksSNIEnabled bool
 }
 
 // BasicAuth refers to basic HTTP authentication mechanism options

internal/configs/version2/nginx-plus.virtualserver.tmpl

@@ -236,13 +236,13 @@ server {
         proxy_cache jwks_uri_{{ $s.VSName }};
         proxy_cache_valid 200 12h;
         {{- end }}
+        {{- with .JwksURI }}
         {{- if .JwksSNIEnabled }}
         proxy_ssl_server_name on;
         {{- if .JwksSNIName }}
         proxy_ssl_name {{ .JwksSNIName }};
         {{- end }}
         {{- end }}
-        {{- with .JwksURI }}
         proxy_set_header Host {{ .JwksHost }};
         set $idp_backend {{ .JwksHost }};
         proxy_pass {{ .JwksScheme}}://$idp_backend{{ if .JwksPort }}:{{ .JwksPort }}{{ end }}{{ .JwksPath }};

internal/configs/version2/templates_test.go

@@ -2349,17 +2349,17 @@ var (
 		Server: Server{
 			JWTAuthList: map[string]*JWTAuth{
 				"default/jwt-policy": {
-					Key:            "default/jwt-policy",
-					Realm:          "Spec Realm API",
-					Token:          "$http_token",
-					KeyCache:       "1h",
-					JwksSNIEnabled: true,
-					JwksSNIName:    "sni.idp.spec.example.com",
+					Key:      "default/jwt-policy",
+					Realm:    "Spec Realm API",
+					Token:    "$http_token",
+					KeyCache: "1h",
 					JwksURI: JwksURI{
-						JwksScheme: "https",
-						JwksHost:   "idp.spec.example.com",
-						JwksPort:   "443",
-						JwksPath:   "/spec-keys",
+						JwksScheme:     "https",
+						JwksHost:       "idp.spec.example.com",
+						JwksPort:       "443",
+						JwksPath:       "/spec-keys",
+						JwksSNIEnabled: true,
+						JwksSNIName:    "sni.idp.spec.example.com",
 					},
 				},
 				"default/jwt-policy-route": {

internal/configs/virtualserver.go

@@ -1169,20 +1169,20 @@ func (p *policiesCfg) addJWTAuthConfig(
 		uri, _ := url.Parse(jwtAuth.JwksURI)
 
 		JwksURI := &version2.JwksURI{
-			JwksScheme: uri.Scheme,
-			JwksHost:   uri.Hostname(),
-			JwksPort:   uri.Port(),
-			JwksPath:   uri.Path,
+			JwksScheme:     uri.Scheme,
+			JwksHost:       uri.Hostname(),
+			JwksPort:       uri.Port(),
+			JwksPath:       uri.Path,
+			JwksSNIName:    jwtAuth.SNIName,
+			JwksSNIEnabled: jwtAuth.SNIEnabled,
 		}
 
 		p.JWTAuth.Auth = &version2.JWTAuth{
-			Key:            polKey,
-			JwksURI:        *JwksURI,
-			Realm:          jwtAuth.Realm,
-			Token:          jwtAuth.Token,
-			KeyCache:       jwtAuth.KeyCache,
-			JwksSNIEnabled: jwtAuth.SNIEnabled,
-			JwksSNIName:    jwtAuth.SNIServerName,
+			Key:      polKey,
+			JwksURI:  *JwksURI,
+			Realm:    jwtAuth.Realm,
+			Token:    jwtAuth.Token,
+			KeyCache: jwtAuth.KeyCache,
 		}
 		p.JWTAuth.JWKSEnabled = true
 		return res

internal/configs/virtualserver_test.go

@@ -5641,11 +5641,11 @@ func TestGenerateVirtualServerConfigJWKSPolicy(t *testing.T) {
 				},
 				Spec: conf_v1.PolicySpec{
 					JWTAuth: &conf_v1.JWTAuth{
-						Realm:         "Spec Realm API",
-						JwksURI:       "https://idp.spec.example.com:443/spec-keys",
-						KeyCache:      "1h",
-						SNIEnabled:    true,
-						SNIServerName: "idp.spec.example.com",
+						Realm:      "Spec Realm API",
+						JwksURI:    "https://idp.spec.example.com:443/spec-keys",
+						KeyCache:   "1h",
+						SNIEnabled: true,
+						SNIName:    "idp.spec.example.com",
 					},
 				},
 			},
@@ -5711,16 +5711,16 @@ func TestGenerateVirtualServerConfigJWKSPolicy(t *testing.T) {
 		Server: version2.Server{
 			JWTAuthList: map[string]*version2.JWTAuth{
 				"default/jwt-policy": {
-					Key:            "default/jwt-policy",
-					Realm:          "Spec Realm API",
-					KeyCache:       "1h",
-					JwksSNIEnabled: true,
-					JwksSNIName:    "idp.spec.example.com",
+					Key:      "default/jwt-policy",
+					Realm:    "Spec Realm API",
+					KeyCache: "1h",
 					JwksURI: version2.JwksURI{
-						JwksScheme: "https",
-						JwksHost:   "idp.spec.example.com",
-						JwksPort:   "443",
-						JwksPath:   "/spec-keys",
+						JwksScheme:     "https",
+						JwksHost:       "idp.spec.example.com",
+						JwksPort:       "443",
+						JwksPath:       "/spec-keys",
+						JwksSNIEnabled: true,
+						JwksSNIName:    "idp.spec.example.com",
 					},
 				},
 				"default/jwt-policy-route": {
@@ -5736,16 +5736,16 @@ func TestGenerateVirtualServerConfigJWKSPolicy(t *testing.T) {
 				},
 			},
 			JWTAuth: &version2.JWTAuth{
-				Key:            "default/jwt-policy",
-				Realm:          "Spec Realm API",
-				KeyCache:       "1h",
-				JwksSNIName:    "idp.spec.example.com",
-				JwksSNIEnabled: true,
+				Key:      "default/jwt-policy",
+				Realm:    "Spec Realm API",
+				KeyCache: "1h",
 				JwksURI: version2.JwksURI{
-					JwksScheme: "https",
-					JwksHost:   "idp.spec.example.com",
-					JwksPort:   "443",
-					JwksPath:   "/spec-keys",
+					JwksScheme:     "https",
+					JwksHost:       "idp.spec.example.com",
+					JwksPort:       "443",
+					JwksPath:       "/spec-keys",
+					JwksSNIName:    "idp.spec.example.com",
+					JwksSNIEnabled: true,
 				},
 			},
 			JWKSAuthEnabled: true,

pkg/apis/configuration/v1/types.go

@@ -652,13 +652,13 @@ type VariableCondition struct {
 
 // JWTAuth holds JWT authentication configuration.
 type JWTAuth struct {
-	Realm         string `json:"realm"`
-	Secret        string `json:"secret"`
-	Token         string `json:"token"`
-	JwksURI       string `json:"jwksURI"`
-	KeyCache      string `json:"keyCache"`
-	SNIEnabled    bool   `json:"sniEnabled"`
-	SNIServerName string `json:"sniName"`
+	Realm      string `json:"realm"`
+	Secret     string `json:"secret"`
+	Token      string `json:"token"`
+	JwksURI    string `json:"jwksURI"`
+	KeyCache   string `json:"keyCache"`
+	SNIEnabled bool   `json:"sniEnabled"`
+	SNIName    string `json:"sniName"`
 }
 
 // BasicAuth holds HTTP Basic authentication configuration

pkg/apis/configuration/validation/policy.go

@@ -216,18 +216,18 @@ func validateJWT(jwt *v1.JWTAuth, fieldPath *field.Path) field.ErrorList {
 		}
 
 		// if SNI server name is provided, but SNI is not enabled, return an error
-		if jwt.SNIServerName != "" && !jwt.SNIEnabled {
+		if jwt.SNIName != "" && !jwt.SNIEnabled {
 			allErrs = append(allErrs, field.Forbidden(fieldPath.Child("sniServerName"), "sniServerName can only be set when sniEnabled is true"))
 		}
 
 		// if SNI is enabled and SNI server name is provided, make sure it's a valid URI
-		if jwt.SNIEnabled && jwt.SNIServerName != "" {
-			err := validation2.ValidateURI(jwt.SNIServerName,
+		if jwt.SNIEnabled && jwt.SNIName != "" {
+			err := validation2.ValidateURI(jwt.SNIName,
 				validation2.WithAllowedSchemes("https"),
 				validation2.WithUserAllowed(false),
 				validation2.WithDefaultScheme("https"))
 			if err != nil {
-				allErrs = append(allErrs, field.Invalid(fieldPath.Child("sniServerName"), jwt.SNIServerName, "sniServerName is not a valid URI"))
+				allErrs = append(allErrs, field.Invalid(fieldPath.Child("sniServerName"), jwt.SNIName, "sniServerName is not a valid URI"))
 			}
 		}
 	}

pkg/apis/configuration/validation/policy_test.go

@@ -100,10 +100,10 @@ func TestValidatePolicy_JWTIsNotValidOn(t *testing.T) {
 			policy: &v1.Policy{
 				Spec: v1.PolicySpec{
 					JWTAuth: &v1.JWTAuth{
-						Realm:         "My Product API",
-						JwksURI:       "https://myjwksuri.com",
-						KeyCache:      "1h",
-						SNIServerName: "ipd.org",
+						Realm:    "My Product API",
+						JwksURI:  "https://myjwksuri.com",
+						KeyCache: "1h",
+						SNIName:  "ipd.org",
 					},
 				},
 			},
@@ -113,11 +113,11 @@ func TestValidatePolicy_JWTIsNotValidOn(t *testing.T) {
 			policy: &v1.Policy{
 				Spec: v1.PolicySpec{
 					JWTAuth: &v1.JWTAuth{
-						Realm:         "My Product API",
-						JwksURI:       "https://myjwksuri.com",
-						KeyCache:      "1h",
-						SNIEnabled:    true,
-						SNIServerName: "msql://ipd.org",
+						Realm:      "My Product API",
+						JwksURI:    "https://myjwksuri.com",
+						KeyCache:   "1h",
+						SNIEnabled: true,
+						SNIName:    "msql://ipd.org",
 					},
 				},
 			},
@@ -209,11 +209,11 @@ func TestValidatePolicy_IsValidOnJWTPolicy(t *testing.T) {
 			policy: &v1.Policy{
 				Spec: v1.PolicySpec{
 					JWTAuth: &v1.JWTAuth{
-						Realm:         "My Product API",
-						KeyCache:      "1h",
-						JwksURI:       "https://login.mydomain.com/keys",
-						SNIEnabled:    true,
-						SNIServerName: "https://example.org",
+						Realm:      "My Product API",
+						KeyCache:   "1h",
+						JwksURI:    "https://login.mydomain.com/keys",
+						SNIEnabled: true,
+						SNIName:    "https://example.org",
 					},
 				},
 			},
@@ -843,12 +843,12 @@ func TestValidateJWT_PassesOnValidInput(t *testing.T) {
 		},
 		{
 			jwt: &v1.JWTAuth{
-				Realm:         "My Product API",
-				Token:         "$cookie_auth_token",
-				JwksURI:       "https://idp.com/token",
-				KeyCache:      "1h",
-				SNIEnabled:    true,
-				SNIServerName: "https://ipd.com:9999",
+				Realm:      "My Product API",
+				Token:      "$cookie_auth_token",
+				JwksURI:    "https://idp.com/token",
+				KeyCache:   "1h",
+				SNIEnabled: true,
+				SNIName:    "https://ipd.com:9999",
 			},
 			msg: "SNI enabled and valid SNI server name",
 		},
@@ -967,30 +967,30 @@ func TestValidateJWT_FailsOnInvalidInput(t *testing.T) {
 		},
 		{
 			jwt: &v1.JWTAuth{
-				Realm:         "My Product api",
-				JwksURI:       "https://idp.com/token",
-				KeyCache:      "1h",
-				SNIEnabled:    true,
-				SNIServerName: "msql://not-\\\\a-valid-sni",
+				Realm:      "My Product api",
+				JwksURI:    "https://idp.com/token",
+				KeyCache:   "1h",
+				SNIEnabled: true,
+				SNIName:    "msql://not-\\\\a-valid-sni",
 			},
 			msg: "invalid SNI server name",
 		},
 		{
 			jwt: &v1.JWTAuth{
-				Realm:         "My Product api",
-				JwksURI:       "https://idp.com/token",
-				KeyCache:      "1h",
-				SNIEnabled:    false,
-				SNIServerName: "https://idp.com",
+				Realm:      "My Product api",
+				JwksURI:    "https://idp.com/token",
+				KeyCache:   "1h",
+				SNIEnabled: false,
+				SNIName:    "https://idp.com",
 			},
 			msg: "SNI server name passed, SNI not enabled",
 		},
 		{
 			jwt: &v1.JWTAuth{
-				Realm:         "My Product api",
-				JwksURI:       "https://idp.com/token",
-				KeyCache:      "1h",
-				SNIServerName: "https://idp.com",
+				Realm:    "My Product api",
+				JwksURI:  "https://idp.com/token",
+				KeyCache: "1h",
+				SNIName:  "https://idp.com",
 			},
 			msg: "SNI server name passed, SNI not passed",
 		},