I want to modify the HTTP response code and the body from Istio ingress

6/18/2021

I have currently written the below auth manifest for Istio.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: "jwt-validation"
 namespace: some-namespace
spec:
 selector:
    matchLabels:
        auth: required
 jwtRules:
 - issuer: "https://you.auth0.com/"
   jwksUri: "https://you.auth0.com/.well-known/jwks.json"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: jwt-auth-policy
 namespace: some-namespace
spec:
  selector:
    matchLabels:
      auth: required
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]

For which I am getting the below response from the browser:

RBAC: access denied

But instead of this I want to get a JSON response saying:

{
    "status": "failure",
    "message": "Not Authorised"
}

with status code 403. Now I have tried the below Lua filter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: custom-filter-response-code
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.extAuthz" 
    patch:
      operation: INSERT_AFTER
      value: 
       name: envoy.custom-resp
       typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_response(response_handle) 
              if response_handle:headers():get(":status") == "401" then
                response_handle:headers():replace(":status", "403")
              else 
                local body = response_handle:body()
                local jsonString = tostring(body:getBytes(0, body:length()))
                jsonString = jsonString:gsub("(status|failur)", "(message|Not Authorised)")
                response_handle:body():set(jsonString)
              end

Please guide me with the correct snippet.

-- Samir Parhi
envoyproxy
istio-gateway
istio-sidecar
kubernetes
lua
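
One way to get the JSON 403 described in the question, as an added example that is not part of the original post. It assumes the Lua filter is anchored on `envoy.filters.http.router` (a filter that exists in the gateway's HTTP chain) and that the denial body is the `RBAC: access denied` text shown above; the resource name and filter name are hypothetical.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: json-deny-response            # hypothetical name
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              # Assumption: anchor on the router filter, which is always
              # present, so the patch is actually applied.
              name: "envoy.filters.http.router"
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.lua.json-deny     # hypothetical filter name
        typed_config:
          "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua"
          inlineCode: |
            function envoy_on_response(response_handle)
              local status = response_handle:headers():get(":status")
              if status ~= "401" and status ~= "403" then
                return
              end
              local buf = response_handle:body()
              if buf == nil then return end   -- header-only response
              local text = buf:getBytes(0, buf:length())
              -- Rewrite only the mesh's own denial; a 403 produced by the
              -- application behind the gateway passes through unchanged.
              if status == "403" and not text:find("RBAC: access denied", 1, true) then
                return
              end
              local len = buf:setBytes('{"status": "failure", "message": "Not Authorised"}')
              response_handle:headers():replace(":status", "403")
              response_handle:headers():replace("content-type", "application/json")
              response_handle:headers():replace("content-length", len)
            end
```

Every 401 is rewritten to 403 here, following the mapping in the question's filter; clients then can no longer distinguish a rejected token from a missing one, so keep the original status in access logs for troubleshooting.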

0 Answers