[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass #21816
Merged: zalimeni merged 1 commit into main from zalimeni/feature/net-1151-l7-intentions-security-fixes on Oct 16, 2024
Conversation
github-actions bot added the theme/api (Relating to the HTTP API interface), theme/cli (Flags and documentation for the CLI interface), theme/ui (Anything related to the UI) and theme/envoy/xds (Related to Envoy support) labels on Oct 12, 2024
zalimeni added the backport/all label (Apply backports for all active releases per .release/versions.hcl) on Oct 12, 2024
zalimeni changed the title from "[NET-1151 NET-11228] CE draft" to "[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass" on Oct 14, 2024
zalimeni requested review from blake, jmurret, ndhanushkodi and dduzgun-security on October 14, 2024 14:46
zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch 4 times, most recently from b844f93 to 7f5b4db on October 14, 2024 16:49
zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch from 7f5b4db to 947d789 on October 14, 2024 17:00
zalimeni: Fixed whitespace causing issues w/ docs mesh config entry render, and incorrect copilot-ed defaults I missed in the last two entries.
dduzgun-security approved these changes on Oct 15, 2024
dduzgun-security: Awesome work, LGTM! 🙌 Only 2 suggestions for the changelogs.
ndhanushkodi approved these changes on Oct 15, 2024
zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch from b62f0fa to 650ad8a on October 16, 2024 01:50
zalimeni: Rebased and squashed for merge
zalimeni force-pushed the zalimeni/feature/net-1151-l7-intentions-security-fixes branch from 650ad8a to 810ba95 on October 16, 2024 15:21
zalimeni: Fixed minor docs misalignment from docs PR -> api/agent structs
zalimeni deleted the zalimeni/feature/net-1151-l7-intentions-security-fixes branch on October 16, 2024 16:23
hc-github-team-consul-core added the backport/1.20 (Changes are backported to 1.20), backport/ent/1.15 (Changes are backported to 1.15 ent), backport/ent/1.18 (Changes are backported to 1.18 ent) and backport/ent/1.19 (Changes are backported to 1.19 ent) labels on Oct 16, 2024
zalimeni removed the backport/ent/1.15 (Changes are backported to 1.15 ent), backport/all (Apply backports for all active releases per .release/versions.hcl), backport/ent/1.18 (Changes are backported to 1.18 ent) and backport/ent/1.19 (Changes are backported to 1.19 ent) labels on Oct 16, 2024
missylbytes pushed a commit that referenced this pull request on Oct 29, 2024:

…atch options to prevent L7 intentions bypass (#21816)

mesh: add options for HTTP incoming request normalization

Expose global mesh configuration to enforce inbound HTTP request normalization on mesh traffic via Envoy xDS config.

mesh: enable inbound URL path normalization by default

mesh: add support for L7 header match contains and ignore_case

Enable partial string and case-insensitive matching in L7 intentions header match rules.

ui: support L7 header match contains and ignore_case

Co-authored-by: Phil Renaud <phil@riotindustries.com>

test: add request normalization integration bats tests

Add both "positive" and "negative" test suites, showing normalization in action as well as expected results when it is not enabled, for the same set of test cases. Also add some alternative service container test helpers for verifying raw HTTP request paths, which is difficult to do with Fortio.

docs: update security and reference docs for L7 intentions bypass prevention

- Update security docs with best practices for service intentions configuration
- Update configuration entry references for mesh and intentions to reflect new values and add guidance on usage
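The two behaviours the commit message describes, shown as an added toy example that is not Consul's or Envoy's code: a deny rule shaped like "PathPrefix: /admin" is checked against constructed request paths with and without normalization, and a header matcher implements the contains / ignore_case options. The rule shape, the exact normalization steps and the sample paths are assumptions for illustration.

```python
"""Toy model (added example, not Consul's or Envoy's code) of why inbound
request normalization matters for L7 path-prefix intentions, plus the
'contains' / 'ignore_case' header match options. Inputs are constructed."""
import re
from urllib.parse import unquote


def normalize_path(raw: str) -> str:
    """Strip the query, percent-decode once, merge repeated slashes and
    resolve '.'/'..' segments. A real proxy exposes these as separate,
    configurable steps; this toy applies all of them unconditionally."""
    merged = re.sub(r"/{2,}", "/", unquote(raw.split("?", 1)[0]))
    if not merged.startswith("/"):
        merged = "/" + merged
    out = []
    for seg in merged.split("/")[1:]:  # [1:] skips the empty segment before the leading '/'
        if seg == "..":
            if out:
                out.pop()  # never climb above the root
        elif seg != ".":
            out.append(seg)  # keeps a trailing '' so '/admin/' stays '/admin/'
    return "/" + "/".join(out)


def denied_by_prefix(raw: str, prefix: str, normalize: bool) -> bool:
    """Apply a deny rule shaped like 'PathPrefix: <prefix>' to one request path."""
    path = normalize_path(raw) if normalize else raw
    return path.startswith(prefix)


def header_matches(value: str, needle: str, contains: bool = False,
                   ignore_case: bool = False) -> bool:
    """Header value match with the 'contains' and 'ignore_case' options."""
    if ignore_case:
        value, needle = value.lower(), needle.lower()
    return needle in value if contains else value == needle


# Constructed request paths that all resolve to /admin/... once normalized.
SAMPLE_PATHS = ["/admin/users", "/public/../admin/users", "//admin/users",
                "/%61dmin/users", "/./admin/users?x=1"]


def bypass_count(paths=SAMPLE_PATHS, prefix="/admin") -> dict:
    """How many sample paths slip past the deny rule, raw vs normalized."""
    return {
        "raw": sum(not denied_by_prefix(p, prefix, False) for p in paths),
        "normalized": sum(not denied_by_prefix(p, prefix, True) for p in paths),
    }
```

Running `bypass_count()` shows that raw prefix matching lets 4 of the 5 sample paths through while the normalized check catches all of them, which is the gap the inbound normalization option closes.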
missylbytes pushed a commit that referenced this pull request on Oct 30, 2024 (same commit message as above)
Labels: backport/1.20 (Changes are backported to 1.20), theme/api (Relating to the HTTP API interface), theme/cli (Flags and documentation for the CLI interface), theme/envoy/xds (Related to Envoy support), theme/ui (Anything related to the UI)
Description

This PR brings in all previously reviewed changes from the zalimeni/feature/net-1151-l7-intentions-security-fixes feature branch into main and release branches. All changes were previously approved as part of Enterprise reviews except for the changelog added in this PR. Changes include:

I'll squash and rebase these commits prior to merge to make backports more manageable.

Once this PR is merged, I'll cut api across active release branches, which will allow for hashicorp/consul-k8s#4385 to be updated and merged as well, completing the cross-repo changeset.

Testing & Reproduction steps

See previous PRs for testing details. All unit and integration tests are expected to pass.

PR Checklist