tests/integration/security/testdata/authz/v1beta1-jwt.yaml.tmpl

# Enforce access control based on JWT subject.

# The following policy enables JWT authentication on destination service.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: default
  namespace: {{ .Namespace }}
spec:
  jwtRules:
  - issuer: "test-issuer-1@istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
  - issuer: "test-issuer-2@istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/tests/common/jwt/jwks.json"
---

# The following policy enables authorization on workload:
# - Allow request principal test-issuer-1@istio.io/sub-1 to access path /token1
# - Allow request in group-2 to access path /token2
# - Allow request with any token to access path /tokenAny
# - Allow request with permission claim of "write" to access path /permission
# - Allow request with valid JWT token to access path /jwt1
# - Allow request with valid JWT token of presenter foo to access path with suffix "/presenter"
# - Allow request with valid JWT token of audiences bar to access path with suffix "/audiences"
# - Deny request with JWT token from test-issuer-1@istio.io to access path with suffix "/token3" and "GET" method

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-{{ .dst }}
  namespace: "{{ .Namespace }}"
spec:
  selector:
    matchLabels:
      "app": "{{ .dst }}"
  rules:
  - to:
    - operation:
        paths: ["/token1"]
        methods: ["GET"]
    from:
    - source:
        requestPrincipals: ["test-issuer-1@istio.io/sub-1"]
  - to:
    - operation:
        paths: ["/token2"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[groups]
      values: ["group-2"]
  - to:
    - operation:
        paths: ["/tokenAny"]
        methods: ["GET"]
    from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/permission"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[permission]
      values: ["write"]
  - to:
    - operation:
        paths: ["/nested-key1"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][key1]
      values: ["valueB"]
  - to:
    - operation:
        paths: ["/nested-non-exist"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][non-exist]
      values: ["valueC"]
  - to:
    - operation:
        paths: ["/nested-key2"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][key2]
      values: ["valueC"]
  - to:
    - operation:
        paths: ["/nested-2-key1"]
        methods: ["GET"]
    when:
    - key: request.auth.claims[nested][nested-2][key1]
      values: ["valueA"]
  - to:
    - operation:
        paths: ["/valid-jwt"]
    when:
    - key: request.auth.principal
      values: ["*"]
  - to:
    - operation:
        paths: ["*/presenter"]
    when:
    - key: request.auth.presenter
      values: ["bar"]
  - to:
    - operation:
        paths: ["*/audiences"]
    when:
    - key: request.auth.audiences
      values: ["foo"]
  - to:
    - operation:
        paths: ["/token3"]
        methods: ["GET"]
    from:
    - source:
        notRequestPrincipals: ["test-issuer-1@istio.io/sub-1"]
---