Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass #21816

Merged
merged 1 commit into from
Oct 16, 2024
Merged

[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass #21816

merged 1 commit into from
Oct 16, 2024

Conversation

zalimeni
Copy link
Member

@zalimeni zalimeni commented Oct 12, 2024
edited
Loading

Description

This PR brings in all previously reviewed changes from the zalimeni/feature/net-1151-l7-intentions-security-fixes feature branch into main and release branches. All changes were previously approved as part of Enterprise reviews except for the changelog added in this PR.

Changes include:

I'll squash and rebase these commits prior to merge to make backports more manageable.

Once this PR is merged, I'll cut api across active release branches, which will allow for hashicorp/consul-k8s#4385 to be updated and merged as well, completing the cross-repo changeset.

Testing & Reproduction steps

See previous PRs for testing details. All unit and integration tests are expected to pass.

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@github-actions github-actions bot added theme/api Relating to the HTTP API interface theme/cli Flags and documentation for the CLI interface theme/ui Anything related to the UI theme/envoy/xds Related to Envoy support labels Oct 12, 2024
@zalimeni zalimeni added the backport/all Apply backports for all active releases per .release/versions.hcl label Oct 12, 2024
@zalimeni zalimeni changed the title [NET-1151 NET-11228] CE draft [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass Oct 14, 2024
@zalimeni zalimeni marked this pull request as ready for review October 14, 2024 14:45
@zalimeni zalimeni requested review from a team as code owners October 14, 2024 14:45
@vercel vercel bot temporarily deployed to Preview – consul October 14, 2024 14:49 Inactive
@zalimeni zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch 4 times, most recently from b844f93 to 7f5b4db Compare October 14, 2024 16:49
@zalimeni zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch from 7f5b4db to 947d789 Compare October 14, 2024 17:00
@zalimeni
Copy link
Member Author

Fixed whitespace causing issues w/ docs mesh config entry render, and incorrect copilot-ed defaults I missed in the last two entries.

dduzgun-security
dduzgun-security approved these changes Oct 15, 2024
View reviewed changes
Copy link
Contributor

@dduzgun-security dduzgun-security left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome work, LGTM! 🙌 Only 2 suggestions for the changelogs.

.changelog/21816.txt Outdated Show resolved Hide resolved
.changelog/21816.txt Outdated Show resolved Hide resolved
@zalimeni zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch from b62f0fa to 650ad8a Compare October 16, 2024 01:50
@zalimeni
Copy link
Member Author

Rebased and squashed for merge

@zalimeni zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch from 650ad8a to 810ba95 Compare October 16, 2024 15:21
@zalimeni
Copy link
Member Author

Fixed minor docs misalignment from docs PR -> api/agent structs

@zalimeni
mesh: add options for HTTP incoming request normalization
9e7757d 
Expose global mesh configuration to enforce inbound HTTP request
normalization on mesh traffic via Envoy xDS config.

mesh: enable inbound URL path normalization by default

mesh: add support for L7 header match contains and ignore_case

Enable partial string and case-insensitive matching in L7 intentions
header match rules.

ui: support L7 header match contains and ignore_case

Co-authored-by: Phil Renaud <phil@riotindustries.com>

test: add request normalization integration bats tests

Add both "positive" and "negative" test suites, showing normalization in
action as well as expected results when it is not enabled, for the same
set of test cases.

Also add some alternative service container test helpers for verifying
raw HTTP request paths, which is difficult to do with Fortio.

docs: update security and reference docs for L7 intentions bypass prevention

- Update security docs with best practices for service intentions
  configuration
- Update configuration entry references for mesh and intentions to
  reflect new values and add guidance on usage
@zalimeni zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch from 810ba95 to 9e7757d Compare October 16, 2024 15:37
@zalimeni zalimeni merged commit d9206fc into main Oct 16, 2024
107 checks passed
@zalimeni zalimeni deleted the zalimeni/feature/net-1151-l7-intentions-security-fixes branch October 16, 2024 16:23
@hc-github-team-consul-core hc-github-team-consul-core added backport/1.20 Changes are backported to 1.20 backport/ent/1.15 Changes are backported to 1.15 ent backport/ent/1.18 Changes are backported to 1.18 ent backport/ent/1.19 Changes are backported to 1.19 ent labels Oct 16, 2024
@hc-github-team-consul-core hc-github-team-consul-core mentioned this pull request Oct 16, 2024
Merged
4 tasks
@zalimeni zalimeni removed backport/ent/1.15 Changes are backported to 1.15 ent backport/all Apply backports for all active releases per .release/versions.hcl backport/ent/1.18 Changes are backported to 1.18 ent backport/ent/1.19 Changes are backported to 1.19 ent labels Oct 16, 2024
This was referenced Oct 16, 2024
Merged
Merged
Merged
Merged
This was referenced Oct 17, 2024
Merged
Merged
Merged
Merged
Merged
Merged
This was referenced Oct 18, 2024
Open
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ndhanushkodi ndhanushkodi ndhanushkodi approved these changes

@dduzgun-security dduzgun-security dduzgun-security approved these changes

@blake blake Awaiting requested review from blake

@jmurret jmurret Awaiting requested review from jmurret

Assignees
No one assigned
Labels
backport/1.20 Changes are backported to 1.20 theme/api Relating to the HTTP API interface theme/cli Flags and documentation for the CLI interface theme/envoy/xds Related to Envoy support theme/ui Anything related to the UI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zalimeni @ndhanushkodi @dduzgun-security @hc-github-team-consul-core