rename claims

Author: yaacov

README.md

@@ -61,8 +61,8 @@ Allowed JWT claims are:
 
 - exp - int, expiration (unix time)
 - nbf - int, not before (unix time)
-- allowedAPIMethods - string, comma seperated list of allowed API methods (e.g. is "get,post")
-- allowedAPIRegexp - string, a reular expresion of allowed api call paths.
+- matchMethod - string, comma seperated list of allowed API methods (e.g. is "get,post")
+- matchPath - string, a reular expresion of allowed api call paths.
 
 ![alt demo gif](https://raw.githubusercontent.com/yaacov/oc-gate/main/web/public/custom_tokens.gif)
 

deploy/README.md

@@ -63,15 +63,15 @@ Create a JWT specific for the k8s object you want to allow holder of this JWT to
 
 ``` bash
 # To sign the JWT use the private key that belong to the public key in the running oc-gate
-# The "allowedAPIRegexp" claim use regexp to allow specific k8s path
+# The "matchPath" claim use regexp to allow specific k8s path
 # use '^' to force start of path, and '$' to force end of path.
-# Other claims the proxy will respect are: allowedAPIMethods, exp and nbf
+# Other claims the proxy will respect are: matchMethod, exp and nbf
 
 # Create a token with path restriction,
-echo {\"allowedAPIRegexp\":\"^/k8s/api/v1/pods\"} | jwt -key ./test/key.pem -alg RS256 -sign -
+echo {\"matchPath\":\"^/k8s/api/v1/pods\"} | jwt -key ./test/key.pem -alg RS256 -sign -
 
 # Create a token with experation date and allowed API path
-echo {\"exp\": $(expr $(date +%s) + 100),\"allowedAPIRegexp\":\"^/k8s/api/v1/namespaces/test\"} | jwt -key ./test/key.pem -alg RS256 -sign -
+echo {\"exp\": $(expr $(date +%s) + 100),\"matchPath\":\"^/k8s/api/v1/namespaces/test\"} | jwt -key ./test/key.pem -alg RS256 -sign -
 ```
 
 This token can now be given to a user that will have access only to this specific k8s object(s).

pkg/proxy/token.go

@@ -16,10 +16,10 @@ func handleError(w http.ResponseWriter, err error) {
 	fmt.Fprintf(w, "{\"kind\": \"Status\", \"api\": \"ocgate\", \"status\": \"Forbidden\", \"message\": \"%s\",\"code\": %d}", err, http.StatusForbidden)
 }
 
-func validateRequest(httpMethod string, httpPath string, apiPAth string, allowedAPIMethods string, k8sAllowedAPIRegexp *regexp.Regexp) error {
+func validateRequest(httpMethod string, httpPath string, apiPAth string, matchMethod string, matchPathRegexp *regexp.Regexp) error {
 	// Validate method
-	if allowedAPIMethods != "" {
-		if !strings.Contains(allowedAPIMethods, strings.ToLower(httpMethod)) {
+	if matchMethod != "" {
+		if !strings.Contains(strings.ToLower(matchMethod), strings.ToLower(httpMethod)) {
 			return fmt.Errorf("%s method not allowedd", httpMethod)
 		}
 	}
@@ -29,7 +29,7 @@ func validateRequest(httpMethod string, httpPath string, apiPAth string, allowed
 	if len(httpPath) > len(apiPAth) &&
 		httpPath[:len(apiPAth)] == apiPAth &&
 		httpPath[len(apiPAth):] != "/.well-known/oauth-authorization-server" &&
-		!k8sAllowedAPIRegexp.MatchString(httpPath) {
+		!matchPathRegexp.MatchString(httpPath) {
 		return fmt.Errorf("%s path not allowed", httpPath)
 	}
 
@@ -53,18 +53,18 @@ func validateToken(token string, secret []byte, publicKey *rsa.PublicKey, apiPat
 	}
 
 	if claims, ok := tok.Claims.(jwt.MapClaims); ok && tok.Valid {
-		var allowedAPIMethods string
-		var allowedAPIRegexp string
+		var matchMethod string
+		var matchPath string
 
-		if allowedAPIMethods, ok = claims["allowedAPIMethods"].(string); !ok {
-			allowedAPIMethods = ""
+		if matchMethod, ok = claims["matchMethod"].(string); !ok {
+			matchMethod = ""
 		}
-		if allowedAPIRegexp, ok = claims["allowedAPIRegexp"].(string); !ok {
-			allowedAPIRegexp = ""
+		if matchPath, ok = claims["matchPath"].(string); !ok {
+			matchPath = ""
 		}
-		k8sAllowedAPIRegexp := regexp.MustCompile(allowedAPIRegexp)
+		matchPathRegexp := regexp.MustCompile(matchPath)
 
-		err := validateRequest(httpMethod, httpPath, apiPath, allowedAPIMethods, k8sAllowedAPIRegexp)
+		err := validateRequest(httpMethod, httpPath, apiPath, matchMethod, matchPathRegexp)
 		if err != nil {
 			return nil, err
 		}