consul/test/integration/connect/envoy/case-l7-intentions-request-.../setup.sh

#!/bin/bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1


set -euo pipefail

upsert_config_entry primary '
kind     = "service-defaults"
name     = "s2"
protocol = "http"
'

upsert_config_entry primary '
kind = "mesh"
http {
  incoming {
    request_normalization {
      insecure_disable_path_normalization = false // explicitly set to the default for clarity
      merge_slashes                       = true
      path_with_escaped_slashes_action    = "UNESCAPE_AND_FORWARD"
      headers_with_underscores_action     = "REJECT_REQUEST"
    }
  }
}
'

upsert_config_entry primary '
kind = "service-intentions"
name = "s2"
sources {
  name = "s1"
  permissions = [
    // paths
    {
      action = "deny"
      http {
        path_exact = "/value/supersecret"
      }
    },
    // headers
    {
      action = "deny"
      http {
        header = [{
          name  = "x-check"
          contains = "bad"
          ignore_case = true
        }]
      }
    },
    {
      action = "deny"
      http {
        header = [{
          name  = "x-check"
          exact = "exactbad"
          ignore_case = true
        }]
      }
    },
    {
      action = "deny"
      http {
        header = [{
          name   = "x-check"
          prefix = "prebad-"
          ignore_case = true
        }]
      }
    },
    {
      action = "deny"
      http {
        header = [{
          name   = "x-check"
          suffix = "-sufbad"
          ignore_case = true
        }]
      }
    },
    // redundant with above case, but included for real-world example
    // and to cover values containing ".".
    {
      action = "deny"
      http {
        header = [{
          name   = "Host"
          suffix = "bad.com"
          ignore_case = true
        }]
      }
    }
  ]
}
'

register_services primary

gen_envoy_bootstrap s1 19000
gen_envoy_bootstrap s2 19001
[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816) mesh: add options for HTTP incoming request normalization Expose global mesh configuration to enforce inbound HTTP request normalization on mesh traffic via Envoy xDS config. mesh: enable inbound URL path normalization by default mesh: add support for L7 header match contains and ignore_case Enable partial string and case-insensitive matching in L7 intentions header match rules. ui: support L7 header match contains and ignore_case Co-authored-by: Phil Renaud <phil@riotindustries.com> test: add request normalization integration bats tests Add both "positive" and "negative" test suites, showing normalization in action as well as expected results when it is not enabled, for the same set of test cases. Also add some alternative service container test helpers for verifying raw HTTP request paths, which is difficult to do with Fortio. docs: update security and reference docs for L7 intentions bypass prevention - Update security docs with best practices for service intentions configuration - Update configuration entry references for mesh and intentions to reflect new values and add guidance on usage 2024-10-16 16:23:33 +00:00			`#!/bin/bash`
			`# Copyright (c) HashiCorp, Inc.`
			`# SPDX-License-Identifier: BUSL-1.1`


			`set -euo pipefail`

			`upsert_config_entry primary '`
			`kind = "service-defaults"`
			`name = "s2"`
			`protocol = "http"`
			`'`

			`upsert_config_entry primary '`
			`kind = "mesh"`
			`http {`
			`incoming {`
			`request_normalization {`
			`insecure_disable_path_normalization = false // explicitly set to the default for clarity`
			`merge_slashes = true`
			`path_with_escaped_slashes_action = "UNESCAPE_AND_FORWARD"`
			`headers_with_underscores_action = "REJECT_REQUEST"`
			`}`
			`}`
			`}`
			`'`

			`upsert_config_entry primary '`
			`kind = "service-intentions"`
			`name = "s2"`
			`sources {`
			`name = "s1"`
			`permissions = [`
			`// paths`
			`{`
			`action = "deny"`
			`http {`
			`path_exact = "/value/supersecret"`
			`}`
			`},`
			`// headers`
			`{`
			`action = "deny"`
			`http {`
			`header = [{`
			`name = "x-check"`
			`contains = "bad"`
			`ignore_case = true`
			`}]`
			`}`
			`},`
			`{`
			`action = "deny"`
			`http {`
			`header = [{`
			`name = "x-check"`
			`exact = "exactbad"`
			`ignore_case = true`
			`}]`
			`}`
			`},`
			`{`
			`action = "deny"`
			`http {`
			`header = [{`
			`name = "x-check"`
			`prefix = "prebad-"`
			`ignore_case = true`
			`}]`
			`}`
			`},`
			`{`
			`action = "deny"`
			`http {`
			`header = [{`
			`name = "x-check"`
			`suffix = "-sufbad"`
			`ignore_case = true`
			`}]`
			`}`
			`},`
			`// redundant with above case, but included for real-world example`
			`// and to cover values containing ".".`
			`{`
			`action = "deny"`
			`http {`
			`header = [{`
			`name = "Host"`
			`suffix = "bad.com"`
			`ignore_case = true`
			`}]`
			`}`
			`}`
			`]`
			`}`
			`'`

			`register_services primary`

			`gen_envoy_bootstrap s1 19000`
			`gen_envoy_bootstrap s2 19001`