-
Notifications
You must be signed in to change notification settings - Fork 1
/
introspect-envoyfilter-ingressgateway.yaml
101 lines (90 loc) · 3.41 KB
/
introspect-envoyfilter-ingressgateway.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: wso2-introspect-filter-ingressgateway
namespace: istio-system
spec:
filters:
- listenerMatch:
listenerType: GATEWAY
filterName: envoy.lua
filterType: HTTP
filterConfig:
inlineCode: |
function envoy_on_request(request_handle)
local oauth = request_handle:headers():get("Authorization")
if oauth == nil then
request_handle:respond(
{[":status"] = "401", ["Content-type"] = "application/json"},
"{\"fault\": { \"code\": 900902, \"message\": \"Missing Credentials\"," ..
" \"description\": \"Required OAuth credentials not provided. Make sure " ..
"your API invocation call has a header: \\\"Authorization: Bearer ACCESS_TOKEN\\\"\"}}")
end
words = {}
for word in oauth:gmatch("%S+") do table.insert(words, word) end
if words[2] == nil then
request_handle:respond(
{[":status"] = "401", ["Content-type"] = "application/json"},
"{\"fault\": { \"code\": 900902, \"message\": \"Missing Credentials\"," ..
" \"description\": \"Required OAuth credentials not provided. Make sure " ..
"your API invocation call has a header: \\\"Authorization: Bearer ACCESS_TOKEN\\\"\"}}")
end
payload = "token=" .. words[2]
local headers, body = request_handle:httpCall(
"outbound|9443||wso2apim-with-analytics-apim-service.wso2.svc",
{
[":method"] = "POST",
[":path"] = "/oauth2/introspect",
[":authority"] = "wso2apim-with-analytics-apim-service.wso2.svc",
["authorization"] = "Basic YWRtaW46YWRtaW4="
},
payload,
5000)
local activeString
for word in body:gmatch('([^,]+)')
do
if string.match(word, "active") then
activeString = word
end
end
local resVal = {}
if activeString == nil then
request_handle:respond(
{[":status"] = "500", ["Content-type"] = "application/json"},
"{\"fault\": { \"code\": 900900, \"message\": \"Internal Server Error\"," ..
" \"description\": \"Internal Server Error Occurred\"}}")
end
for word in activeString:gmatch("([^:]+)") do table.insert(resVal, word) end
if string.match(resVal[2], "false") then
request_handle:respond(
{[":status"] = "401", ["Content-type"] = "application/json"},
"{\"fault\": { \"code\": 900901, \"message\": \"Invalid Credentials\"," ..
" \"description\": \"Invalid Credentials. Make sure you have given the correct access token\"}}")
end
end
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: wso2-endpoint-dr
namespace: istio-system
spec:
host: "wso2apim-with-analytics-apim-service.wso2.svc"
trafficPolicy:
tls:
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: wso2-endpoint-se
namespace: istio-system
spec:
hosts:
- wso2apim-with-analytics-apim-service.wso2.svc
ports:
- number: 9443
name: https
protocol: HTTPS
resolution: DNS
location: MESH_EXTERNAL