
feat: Support of env variables in rule sets loaded by the file_system provider using Bash syntax #775

Merged: 8 commits merged into main from feat/env_var_support_in_rule_set_files on Jul 22, 2023

Conversation

dadrus (Owner) commented Jul 20, 2023

Related issue(s)

closes #777

Checklist

  • I agree to follow this project's Code of Conduct.
  • I have read, and I am following this repository's Contributing Guidelines.
  • I have read the Security Policy.
  • I have referenced an issue describing the bug/feature request.
  • I have added tests that prove the correctness of my implementation.
  • I have updated the documentation.

Description

This PR enables access to environment variables from rule sets using Bash syntax (the same way as is already possible in the static configuration file) loaded by the file_system provider. By default this feature is disabled and, if required, is enabled by making use of the new env_vars_enabled property, as shown below.

```yaml
file_system:
  env_vars_enabled: true
  src: /path/to/rules/dir
  watch: true
```

WARNING: All environment variables used in the rule set files must be known in advance to the heimdall process (when it starts). In addition, the usage of that functionality might lead to security issues. If an adversary is somehow able to add new or update existing rule sets, it would theoretically be able to exfiltrate environment variables available to the heimdall process by crafting contextualizers or authorizers which forward the corresponding values to a controlled service. So, use with caution, disable the watching of rule set updates and try to avoid!

Usage example in a rule set:

```yaml
version: "1alpha2"
name: my-rule-set
rules:
- id: rule:1
  match:
    url: https://my-service1.local/<**>
  forward_to:
    host: ${UPSTREAM_HOST:="default-backend:8080"}
  methods: [ "GET" ]
  execute:
    - authorizer: foobar
```

Here, the rule with the id rule:1 defines the host to be used for request forwarding using the UPSTREAM_HOST environment variable. If this variable is not set or is empty, the value default-backend:8080 is used instead.
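The substitution described above, reimplemented as an added Go example for review purposes (this is not heimdall's own code): it lists every variable a rule set would read, and expands them only when the provider has env_vars_enabled set, so an operator can audit a rule set before enabling the feature. The `${NAME:=default}` syntax follows the PR description; the regex, function names and the YAML fragment are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"sort"
)

// Matches bash-style ${NAME} and ${NAME:=default} references; the default may be
// quoted, as in ${UPSTREAM_HOST:="default-backend:8080"} from the PR description.
var envRef = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)(?::="?([^}"]*)"?)?\}`)

// ReferencedEnvVars lists the variables a rule set would read once env_vars_enabled
// is true, so an operator can review them (and spot secrets) before loading it.
func ReferencedEnvVars(ruleSet string) []string {
	seen := map[string]bool{}
	for _, m := range envRef.FindAllStringSubmatch(ruleSet, -1) {
		seen[m[1]] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// ExpandRuleSet substitutes references only when env_vars_enabled is true; otherwise
// the text is returned untouched (the default). An unset or empty variable falls
// back to its := default, or to "" when no default was given.
func ExpandRuleSet(ruleSet string, envVarsEnabled bool, lookup func(string) string) string {
	if !envVarsEnabled {
		return ruleSet
	}
	return envRef.ReplaceAllStringFunc(ruleSet, func(ref string) string {
		m := envRef.FindStringSubmatch(ref)
		if v := lookup(m[1]); v != "" {
			return v
		}
		return m[2]
	})
}

func main() {
	// Constructed, illustrative fragment: a legitimate reference plus one that would
	// copy a secret into a field the rule forwards to an upstream (keys are not schema).
	const ruleSet = "forward_to:\n  host: ${UPSTREAM_HOST:=\"default-backend:8080\"}\n" +
		"  token: ${API_TOKEN}\n"
	fmt.Println("referenced env vars:", ReferencedEnvVars(ruleSet))
	fmt.Print(ExpandRuleSet(ruleSet, true, os.Getenv))
}
```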


codecov bot commented Jul 20, 2023

Codecov Report

Merging #775 (0afa01d) into main (86801ca) will increase coverage by 0.00%.
The diff coverage is 93.54%.

```text
@@           Coverage Diff           @@
##             main     #775   +/-   ##
=======================================
  Coverage   89.59%   89.59%           
=======================================
  Files         215      216    +1     
  Lines        9223     9268   +45     
=======================================
+ Hits         8263     8304   +41     
- Misses        767      770    +3     
- Partials      193      194    +1     
```

| Impacted Files | Coverage Δ |
|---|---|
| internal/x/slicex/filter.go | 100.00% <ø> (ø) |
| internal/rules/config/parser.go | 87.80% <73.33%> (-8.75%) ⬇️ |
| ...ernal/rules/provider/cloudblob/ruleset_endpoint.go | 93.50% <100.00%> (ø) |
| internal/rules/provider/filesystem/provider.go | 83.85% <100.00%> (+0.14%) ⬆️ |
| ...al/rules/provider/httpendpoint/ruleset_endpoint.go | 81.48% <100.00%> (ø) |
| internal/rules/rule_factory_impl.go | 97.32% <100.00%> (+0.23%) ⬆️ |
| internal/x/slicex/map.go | 100.00% <100.00%> (ø) |


@dadrus dadrus changed the title feat: Support of env variables in rule sets using Bash syntax feat: Support of env variables in rule sets loaded by the file_system provider using Bash syntax Jul 20, 2023
@dadrus dadrus merged commit 6fa6415 into main Jul 22, 2023
@dadrus dadrus deleted the feat/env_var_support_in_rule_set_files branch July 22, 2023 07:42
Successfully merging this pull request may close these issues.

Environment Variables in Filesystem Rules