Security policy not enforcing with looping

I have configured three ApiDefinitions: one for ingress, one with auth_token and another one with JWT.
There is a security policy applied to the API with auth_token, but it does not seem to be enforced.
Here are the configurations:
apiDefinition-entrypoint:

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: example-entrypoint
  namespace: tyk
spec:
  name: example-entrypoint
  protocol: http
  use_keyless: true
  active: true
  proxy:
    target_url: https://api-rate-limit.example.com/
    listen_path: /
    strip_listen_path: false
  version_data:
    default_version: default
    not_versioned: true
    versions:
      Default:
        name: default
        use_extended_paths: true
        extended_paths: 
          url_rewrites:
            - match_pattern: /(.*)
              method: GET
              path: /{id}
              rewrite_to_internal:
                query: 'check_limits=true'
                target:
                  name: example-apikey
                  namespace: tyk
                path: apikey/$1
              triggers:
                - "on": "all"
                  options:
                    header_matches:
                      "Authorization":
                        match_rx: "^Bearer"
                  rewrite_to_internal: 
                    query: 'check_limits=true'
                    target:
                      name: example-jwt
                      namespace: tyk
                    path: bearer/$1

Here is the ApiDefinition for example-apikey:

apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: example-apikey
  namespace: tyk
spec:
  name: example-apikey
  protocol: http
  use_keyless: false
  active: true
  proxy:
    target_url: https://api-rate-limit.example.com/
    listen_path: "/apikey"
    strip_listen_path: true
  auth:
    auth_header_name: 'Authorization'
  auth_configs:
    authToken:
      auth_header_name: 'Authorization'
      use_param: true
      param_name: apikey
  base_identity_provided_by: auth_token
  use_standard_auth: true
  internal: true

And here is the SecurityPolicy:

apiVersion: tyk.tyk.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: example-apikey
  namespace: tyk
spec:
  name: Rate Limit, Quota and Throttling policy at apikey
  state: active
  active: true
  is_inactive: false
  access_rights_array:
    - name: example-apikey
      namespace: tyk
      versions:
        - Default
  partitions:
    acl: false
    complexity: false
    per_api: false
    quota: true
    rate_limit: true
  quota_max: 1
  quota_renewal_rate: 60
  rate: 1
  per: 60

I have tested the internal API by setting internal: false and making an API call directly to that API. The security policy works okay in that case, but it is not enforced in the case of looping.
Though I can verify from logs:

time="Sep 21 04:23:21" level=debug msg="URL Re-written to: tyk://dHlrL2FkdC1jYXJnby1tb3ZlbWVudHMtYXBpa2V5/apikey/v5/reference/test/?apikey=<apikey>?check_limits=true"

Also, I can see from the logs that the following middleware are running successfully: RateLimitAndQuotaCheck, Accessrightscheck, authkey, etc.

I will try and replicate this and get back to you. In the meantime, do you mind sharing the version of your gateway?

Thanks for your reply. We are using gateway v5.0.0

@utkarsh079, can you please check your query again and see if the issue persists? We saw from your post that there seem to be two query operators (?). It should only have one ?, used at the first parameter, and the rest should use &.

Thanks for your reply. I actually figured it out, and it looks like it's a bug within Tyk. It assumes that there is no query coming in with the API and adds ?check_limits=true. But I have used a workaround by removing query: check_limits=true and added the same path.
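
An added example, not part of the original thread and not Tyk's own code: it shows how a standard URL parser (Go's net/url) reads the rewritten URL from the debug log when a second ? is appended, compared with merging the parameter using &. The host name and key value are constructed placeholders, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
)

// Constructed sample: a looped URL that already carries the API key as a query parameter.
const looped = "tyk://example-apikey/apikey/v5/reference/test/?apikey=KEY123"

// appendNaive reproduces the shape in the debug log: always joins with "?".
func appendNaive(raw, extra string) string { return raw + "?" + extra }

// appendMerged merges extra into the existing query: one "?", then "&" separators.
func appendMerged(raw, extra string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	add, err := url.ParseQuery(extra)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for k, vs := range add {
		q[k] = append(q[k], vs...)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// param returns the value of a query parameter and whether it was present.
func param(raw, name string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	q := u.Query()
	return q.Get(name), q.Has(name)
}

func main() {
	good, _ := appendMerged(looped, "check_limits=true")
	for _, u := range []string{appendNaive(looped, "check_limits=true"), good} {
		key, _ := param(u, "apikey")
		_, ok := param(u, "check_limits")
		fmt.Printf("%s\n  apikey=%q check_limits present=%v\n", u, key, ok)
	}
}
```

With the doubled ?, check_limits is not a parameter at all and its text becomes part of the apikey value, so a quick check of the "URL Re-written to" debug line for a second ? is enough to spot this condition.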

Hi @utkarsh079,

So this is good now?