Skip to content

Commit 5dc7565

Browse files
authored
jwe-decrypt: default metadata namespace aligned with other boe extensions (#308)
1 parent 61e2746 commit 5dc7565

4 files changed

Lines changed: 10 additions & 8 deletions

File tree

extensions/composer/jwe-decrypt/manifest.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -121,10 +121,10 @@ examples:
121121
- title: Add decrypted payload to metadata
122122
description: |
123123
Set `output_metadata` in the config to store the decrypted payload in Envoy's dynamic metadata instead of a
124-
header. Specify the `key` to store the value under. The `namespace` defaults to `jwe-decrypt` if omitted.
124+
header. Specify the `key` to store the value under. The `namespace` defaults to `io.builtonenvoy.jwe-decrypt` if omitted.
125125
Downstream filters such as JWT authn, OPA, or ext_authz can then read the value from this metadata.
126126
code: |
127-
# Store the decrypted payload in the default "jwe-decrypt" namespace
127+
# Store the decrypted payload in the default "io.builtonenvoy.jwe-decrypt" namespace
128128
boe run --extension jwe-decrypt --config '{
129129
"private_key": { "file": "/path/to/private-key.pem" },
130130
"algorithm": "RSA-OAEP",

extensions/composer/jwe-decrypt/plugin.go

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,8 @@ import (
1717
"github.com/tetratelabs/built-on-envoy/extensions/composer/pkg"
1818
)
1919

20+
const defaultMetadataNamespace = "io.builtonenvoy.jwe-decrypt"
21+
2022
// Config represents the JSON configuration for this filter.
2123
type jweDecryptConfig struct {
2224
// PrivateKey is the PKCS8 private key used for decryption, provided either via a file path or inline.
@@ -31,7 +33,7 @@ type jweDecryptConfig struct {
3133
// OutputHeader is the name of the header where the decrypted payload will be stored.
3234
OutputHeader string `json:"output_header"`
3335
// OutputMetadata specifies the metadata namespace and key under which the decrypted payload will be stored.
34-
// The namespace defaults to "jwe-decrypt" if not specified.
36+
// The namespace defaults to "io.builtonenvoy.jwe-decrypt" if not specified.
3537
OutputMetadata *pkg.MetadataKey `json:"output_metadata"`
3638

3739
privateKey *boeJwe.Keys
@@ -148,10 +150,10 @@ func (f *JWEDecryptHttpFilterConfigFactory) Create(handle shared.HttpFilterConfi
148150
if cfg.InputHeader == "" {
149151
cfg.InputHeader = "Authorization"
150152
}
151-
// Default metadata namespace to "jwe-decrypt" if not specified
153+
// Default metadata namespace if not specified
152154
if cfg.OutputMetadata != nil {
153155
if cfg.OutputMetadata.Namespace == "" {
154-
cfg.OutputMetadata.Namespace = "jwe-decrypt"
156+
cfg.OutputMetadata.Namespace = defaultMetadataNamespace
155157
}
156158
if err := cfg.OutputMetadata.Validate(); err != nil {
157159
handle.Log(shared.LogLevelError, "jwe-decrypt: invalid output metadata config: "+err.Error())

extensions/composer/jwe-decrypt/plugin_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -738,7 +738,7 @@ func TestJWEDecryptHttpFilterConfigFactory_Create_DefaultMetadataNamespace(t *te
738738
require.NoError(t, err)
739739
jweFilterFactory, ok := filterFactory.(*jweDecryptHttpFilterFactory)
740740
require.True(t, ok)
741-
require.Equal(t, "jwe-decrypt", jweFilterFactory.config.OutputMetadata.Namespace)
741+
require.Equal(t, "io.builtonenvoy.jwe-decrypt", jweFilterFactory.config.OutputMetadata.Namespace)
742742
}
743743

744744
func TestJWEDecryptHttpFilterConfigFactory_Create_CustomMetadataNamespace(t *testing.T) {

website/public/extensions.json

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -511,8 +511,8 @@
511511
},
512512
{
513513
"title": "Add decrypted payload to metadata",
514-
"description": "Set `output_metadata` in the config to store the decrypted payload in Envoy's dynamic metadata instead of a\nheader. Specify the `key` to store the value under. The `namespace` defaults to `jwe-decrypt` if omitted.\nDownstream filters such as JWT authn, OPA, or ext_authz can then read the value from this metadata.\n",
515-
"code": "# Store the decrypted payload in the default \"jwe-decrypt\" namespace\nboe run --extension jwe-decrypt --config '{\n \"private_key\": { \"file\": \"/path/to/private-key.pem\" },\n \"algorithm\": \"RSA-OAEP\",\n \"input_header\": \"X-JWE-Token\",\n \"output_metadata\": { \"key\": \"jwe_decrypted_payload\" }\n}'\n\n# Store the decrypted payload in a custom namespace\nboe run --extension jwe-decrypt --config '{\n \"private_key\": { \"file\": \"/path/to/private-key.pem\" },\n \"input_header\": \"X-JWE-Token\",\n \"output_metadata\": { \"namespace\": \"my-namespace\", \"key\": \"jwe_decrypted_payload\" }\n}'\n"
514+
"description": "Set `output_metadata` in the config to store the decrypted payload in Envoy's dynamic metadata instead of a\nheader. Specify the `key` to store the value under. The `namespace` defaults to `io.builtonenvoy.jwe-decrypt` if omitted.\nDownstream filters such as JWT authn, OPA, or ext_authz can then read the value from this metadata.\n",
515+
"code": "# Store the decrypted payload in the default \"io.builtonenvoy.jwe-decrypt\" namespace\nboe run --extension jwe-decrypt --config '{\n \"private_key\": { \"file\": \"/path/to/private-key.pem\" },\n \"algorithm\": \"RSA-OAEP\",\n \"input_header\": \"X-JWE-Token\",\n \"output_metadata\": { \"key\": \"jwe_decrypted_payload\" }\n}'\n\n# Store the decrypted payload in a custom namespace\nboe run --extension jwe-decrypt --config '{\n \"private_key\": { \"file\": \"/path/to/private-key.pem\" },\n \"input_header\": \"X-JWE-Token\",\n \"output_metadata\": { \"namespace\": \"my-namespace\", \"key\": \"jwe_decrypted_payload\" }\n}'\n"
516516
}
517517
],
518518
"minEnvoyVersion": "1.37.1",

0 commit comments

Comments
 (0)