This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

Wildcard in middle of resource url whitelist pattern don't work #661

Open
crubier opened this issue Jul 7, 2020 · 0 comments

crubier commented Jul 7, 2020

Wildcard in the middle of a resource URL whitelist pattern doesn't work

Summary

Trying to run the proxy with the following arguments

--enable-default-deny=false
--resources "uri=/_next/static/*/pages/test|roles=employee|methods=GET"

Gives exactly the same result as

--enable-default-deny=false
--resources "uri=/_next/static/*|roles=employee|methods=GET"

Which means that all resources under _next/static/ get blocked.

Environment

Docker Image bitnami/keycloak-gatekeeper:9 on Kubernetes

Other arguments used:

--client-id=gatekeeper
--client-secret=foobar
--discovery-url=https://foobar.com/auth/realms/foobar
--secure-cookie=true
--verbose=true
--enable-logging=true
--preserve-host=true
--enable-default-deny=false
--enable-token-header=true
--enable-authorization-header=false
--enable-authorization-cookies=true
--cors-origins=*
--cors-methods=GET
--cors-methods=POST
--cors-methods=HEAD
--cors-methods=PUT
--listen=:3000
--enable-refresh-tokens=true
--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j
--upstream-keepalives=true
--upstream-url=http://foobar.foobar.svc:8080

Expected Results

Actual Results

/_next/static/1234567890/pages/test should be blocked but things like /_next/static/1234567890/foo should not be blocked. This is a problem for me because the 1234567890 part of the URL is a hash that changes often.

Steps to reproduce

A Kubernetes cluster, but I think the issue is probably easily reproducible on any kind of deployment.

Additional Information
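
The difference between the reported and the expected matching, as an added example that is not part of the original issue and is not gatekeeper's code. `prefixMatch` is an assumed model of the behaviour described above, and `segmentMatch` is a hypothetical per-segment matcher; both function names are invented here.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// prefixMatch models the behaviour reported in the issue (an assumption, not
// gatekeeper's code): everything from the first "*" onward is ignored and the
// remainder is treated as a path prefix.
func prefixMatch(pattern, reqPath string) bool {
	if i := strings.Index(pattern, "*"); i >= 0 {
		return strings.HasPrefix(reqPath, pattern[:i])
	}
	return reqPath == pattern
}

// segmentMatch gives the behaviour the reporter expected: "*" in the middle
// matches exactly one path segment, a trailing "*" matches any remainder.
// The request path is cleaned first so "//" and "./" cannot dodge the rule.
func segmentMatch(pattern, reqPath string) bool {
	pat := strings.Split(strings.Trim(pattern, "/"), "/")
	seg := strings.Split(strings.Trim(path.Clean("/"+reqPath), "/"), "/")
	for i, p := range pat {
		if p == "*" && i == len(pat)-1 {
			return len(seg) > i // trailing wildcard: at least one more segment
		}
		if i >= len(seg) || (p != "*" && p != seg[i]) {
			return false
		}
	}
	return len(seg) == len(pat)
}

func main() {
	pattern := "/_next/static/*/pages/test" // pattern from the issue
	for _, p := range []string{
		"/_next/static/1234567890/pages/test", // paths from the issue
		"/_next/static/1234567890/foo",
		"/_next/static/1234567890//pages/./test", // constructed variant
	} {
		fmt.Printf("%-42s prefix=%v segment=%v\n", p,
			prefixMatch(pattern, p), segmentMatch(pattern, p))
	}
}
```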
