filters/jwtMetrics: extend the filter to support validating multiple claim keys (#3472)

ayruslore · web-flow · commit aeb46b5fe389 · 2025-04-11T14:00:55.000+02:00
This change extends the filter validate a full claim object instead of
just validating the issuer / 'iss' key. With this change we also
deprecate the issuers field and use the Claims field. With Claims field,
'iss' and other private claim keys can be validated.

Signed-off-by: speruri &lt;surya.srikar.peruri@zalando.de&gt;
diff --git a/docs/reference/filters.md b/docs/reference/filters.md
@@ -1601,8 +1601,9 @@ and increments the following counters:
 * `missing-token`: request does not have `Authorization` header
 * `invalid-token-type`: `Authorization` header value is not a `Bearer` type
 * `invalid-token`: `Authorization` header does not contain a JWT token
-* `missing-issuer`: JWT token does not have `iss` claim
-* `invalid-issuer`: JWT token does not have any of the configured issuers
+* `missing-issuer`: *DEPRECATED* JWT token does not have `iss` claim
+* `invalid-issuer`: *DEPRECATED* JWT token does not have any of the configured issuers
+* `invalid-claims`: JWT token does not have any of the configured claims
 
 Each counter name uses concatenation of request method, escaped hostname and response status as a prefix, e.g.:
 
@@ -1623,10 +1624,18 @@ Examples:
 jwtMetrics("{issuers: ['https://example.com', 'https://example.org']}")
 ```
 
+```
+jwtMetrics("{claims: [{'iss': 'https://example.com', 'realm': 'emp'}, {'iss': 'https://example.org', 'realm': 'org'}]}")
+```
+
 ```
 // opt-out by annotation
 annotate("oauth.disabled", "this endpoint is public") ->
 jwtMetrics("{issuers: ['https://example.com', 'https://example.org'], optOutAnnotations: [oauth.disabled]}")
+
+// opt-out by annotation with claims
+annotate("oauth.disabled", "this endpoint is public") ->
+jwtMetrics("{claims: [{'iss': 'https://example.com', 'realm': 'emp'}], optOutAnnotations: [oauth.disabled]}")
 ```
 
 ```
diff --git a/filters/auth/jwt_metrics.go b/filters/auth/jwt_metrics.go
@@ -20,10 +20,12 @@ type (
 	// jwtMetricsFilter implements [yamlConfig],
 	// make sure it is not modified after initialization.
 	jwtMetricsFilter struct {
-		Issuers           []string `json:"issuers,omitempty"`
-		OptOutAnnotations []string `json:"optOutAnnotations,omitempty"`
-		OptOutStateBag    []string `json:"optOutStateBag,omitempty"`
-		OptOutHosts       []string `json:"optOutHosts,omitempty"`
+		// Issuers is *DEPRECATED* and will be removed in the future. Use the Claims field instead.
+		Issuers           []string         `json:"issuers,omitempty"`
+		OptOutAnnotations []string         `json:"optOutAnnotations,omitempty"`
+		OptOutStateBag    []string         `json:"optOutStateBag,omitempty"`
+		OptOutHosts       []string         `json:"optOutHosts,omitempty"`
+		Claims            []map[string]any `json:"claims,omitempty"`
 
 		optOutHostsCompiled []*regexp.Regexp
 	}
@@ -117,24 +119,51 @@ func (f *jwtMetricsFilter) Response(ctx filters.FilterContext) {
 		return
 	}
 
-	if len(f.Issuers) > 0 {
-		token, err := jwt.Parse(tv)
+	var token *jwt.Token
+	if len(f.Issuers) > 0 || len(f.Claims) > 0 {
+		t, err := jwt.Parse(tv)
 		if err != nil {
 			count("invalid-token")
 			return
 		}
+		token = t
+	}
 
+	if len(f.Issuers) > 0 {
 		// https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
 		if issuer, ok := token.Claims["iss"].(string); !ok {
 			count("missing-issuer")
 		} else if !slices.Contains(f.Issuers, issuer) {
 			count("invalid-issuer")
 		}
 	}
+
+	if len(f.Claims) > 0 {
+		found := false
+		for _, claim := range f.Claims {
+			if containsAll(token.Claims, claim) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			count("invalid-claims")
+		}
+	}
 }
 
 var escapeMetricKeySegmentPattern = regexp.MustCompile("[^a-zA-Z0-9_]")
 
 func escapeMetricKeySegment(s string) string {
 	return escapeMetricKeySegmentPattern.ReplaceAllLiteralString(s, "_")
 }
+
+// containsAll returns true if all key-values of b are present in a.
+func containsAll(a, b map[string]any) bool {
+	for kb, vb := range b {
+		if va, ok := a[kb]; !ok || va != vb {
+			return false
+		}
+	}
+	return true
+}
diff --git a/filters/auth/jwt_metrics_test.go b/filters/auth/jwt_metrics_test.go
@@ -73,6 +73,16 @@ func TestJwtMetrics(t *testing.T) {
 			},
 			expectedTag: "missing-token",
 		},
+		{
+			name:    "missing-token with claims",
+			filters: `jwtMetrics("{claims: [{iss: foo}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test"},
+			status:  http.StatusOK,
+			expected: map[string]int64{
+				"jwtMetrics.custom.GET.foo_test.200.missing-token": 1,
+			},
+			expectedTag: "missing-token",
+		},
 		{
 			name:    "invalid-token-type",
 			filters: `jwtMetrics("{issuers: [foo, bar]}")`,
@@ -85,6 +95,18 @@ func TestJwtMetrics(t *testing.T) {
 			},
 			expectedTag: "invalid-token-type",
 		},
+		{
+			name:    "invalid-token-type with claims",
+			filters: `jwtMetrics("{claims: [{iss: foo}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test",
+				Header: http.Header{"Authorization": []string{"Basic foobarbaz"}},
+			},
+			status: http.StatusOK,
+			expected: map[string]int64{
+				"jwtMetrics.custom.GET.foo_test.200.invalid-token-type": 1,
+			},
+			expectedTag: "invalid-token-type",
+		},
 		{
 			name:    "invalid-token",
 			filters: `jwtMetrics("{issuers: [foo, bar]}")`,
@@ -97,6 +119,18 @@ func TestJwtMetrics(t *testing.T) {
 			},
 			expectedTag: "invalid-token",
 		},
+		{
+			name:    "invalid-token with claims",
+			filters: `jwtMetrics("{claims: [{iss: foo}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test",
+				Header: http.Header{"Authorization": []string{"Bearer invalid-token"}},
+			},
+			status: http.StatusOK,
+			expected: map[string]int64{
+				"jwtMetrics.custom.GET.foo_test.200.invalid-token": 1,
+			},
+			expectedTag: "invalid-token",
+		},
 		{
 			name:    "missing-issuer",
 			filters: `jwtMetrics("{issuers: [foo, bar]}")`,
@@ -126,7 +160,21 @@ func TestJwtMetrics(t *testing.T) {
 			expectedTag: "invalid-issuer",
 		},
 		{
-			name:    "no invalid-issuer for empty issuers",
+			name:    "invalid-claims with one claim key",
+			filters: `jwtMetrics("{claims: [{iss: foo}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test",
+				Header: http.Header{"Authorization": []string{
+					"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "baz"}) + ".signature",
+				}},
+			},
+			status: http.StatusOK,
+			expected: map[string]int64{
+				"jwtMetrics.custom.GET.foo_test.200.invalid-claims": 1,
+			},
+			expectedTag: "invalid-claims",
+		},
+		{
+			name:    "no invalid-issuer for empty issuers/claims",
 			filters: `jwtMetrics()`,
 			request: &http.Request{Method: "GET", Host: "foo.test",
 				Header: http.Header{"Authorization": []string{
@@ -158,6 +206,53 @@ func TestJwtMetrics(t *testing.T) {
 			status:   http.StatusOK,
 			expected: map[string]int64{},
 		},
+		{
+			name:    "no invalid-claims when matches first",
+			filters: `jwtMetrics("{claims: [{iss: foo, bat: ball}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test",
+				Header: http.Header{"Authorization": []string{
+					"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "foo", "bat": "ball"}) + ".signature",
+				}},
+			},
+			status:   http.StatusOK,
+			expected: map[string]int64{},
+		},
+		{
+			name:    "no invalid-claims when matches second",
+			filters: `jwtMetrics("{claims: [{iss: foo, bar: baz}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test",
+				Header: http.Header{"Authorization": []string{
+					"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "bar"}) + ".signature",
+				}},
+			},
+			status:   http.StatusOK,
+			expected: map[string]int64{},
+		},
+		{
+			name:    "invalid-claims when no full claim matches",
+			filters: `jwtMetrics("{claims: [{iss: foo, bar: baz}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test",
+				Header: http.Header{"Authorization": []string{
+					"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "foo", "bar": "bat"}) + ".signature",
+				}},
+			},
+			status: http.StatusOK,
+			expected: map[string]int64{
+				"jwtMetrics.custom.GET.foo_test.200.invalid-claims": 1,
+			},
+			expectedTag: "invalid-claims",
+		},
+		{
+			name:    "no invalid-claims when full claim matches and token has extra keys",
+			filters: `jwtMetrics("{claims: [{iss: foo, bar: baz}, {iss: bar}]}")`,
+			request: &http.Request{Method: "GET", Host: "foo.test",
+				Header: http.Header{"Authorization": []string{
+					"Bearer header." + marshalBase64JSON(t, map[string]any{"iss": "foo", "bar": "baz", "bat": "ball"}) + ".signature",
+				}},
+			},
+			status:   http.StatusOK,
+			expected: map[string]int64{},
+		},
 		{
 			name:    "missing-token without opt-out",
 			filters: `jwtMetrics("{issuers: [foo, bar], optOutAnnotations: [oauth.disabled]}")`,
