Content differences:
--- /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl.orig
+++ /etc/confd/templates/_etc_haproxy_conf.d_tls.cfg.tmpl
@@ -120,6 +120,7 @@
http-request del-header tracestate if !wikimedia_trust
http-request del-header traceparent if !wikimedia_trust
http-request del-header X-Experiment-Enrollments
+ http-request del-header X-JWT-Sub
# Copy X-Analytics hdr into var to safely log it after deletion
http-response set-var(txn.x_analytics,ifnotempty) res.fhdr(X-Analytics)
@@ -271,6 +272,23 @@
acl is_identified_bot_request var(req.trusted_request) -m str B
acl is_auth_request var(req.trusted_request) -m str C
+ http-request set-var(req.bearer) http_auth_bearer if { req.fhdr(Authorization) -m found }
+ http-request set-var(req.bearer,ifnotset) req.cook(sessionJwt)
+ http-request set-var(req.jwt_alg) var(req.bearer),jwt_header_query('$.alg')
+ http-request set-var(req.exp,ifnotempty) var(req.bearer),jwt_payload_query('$.exp','int')
+ http-request set-var(req.exp,ifnotset) var(req.bearer),jwt_payload_query('$.sxp','int')
+ http-request set-var(req.now) date()
+ # validate the algorithm
+ acl is_valid_jwt_alg var(req.jwt_alg) -m str "RS256"
+ # validate the signature
+ acl is_valid_jwt_sig var(req.bearer),jwt_verify(req.jwt_alg,"/etc/haproxy/jwt/mw-oauth-2025-07-31.key") 1
+ # validate the exp date: this is part of the JWT payload so it should be validated after ensuring that the signature is valid
+ acl is_valid_jwt_exp_date var(req.exp),sub(req.now) -m int ge 0
+ # We exclude trusted (A) and bot (B) requests here to avoid downgrading to C, but we open the
+ # door for potential upgrades from F to C.
+ http-request set-var(req.trusted_request) str(C) if !is_trusted_request !is_identified_bot_request is_valid_jwt_alg is_valid_jwt_sig is_valid_jwt_exp_date
+ # If the jwt is correctly signed, save the subject in a header we will remove in varnish. This also applies to trusted requests.
+ http-request set-header X-JWT-Sub %[var(req.bearer),jwt_payload_query('$.sub')] if is_valid_jwt_alg is_valid_jwt_sig is_valid_jwt_exp_date
# Following configuration is used to classify clients as "user|robot|other" based on UA string
# Initialize req.ua_class
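Review bot: The signature check on the `is_valid_jwt_sig` line verifies with the algorithm taken from the token's own header (`req.jwt_alg`), so the protection against algorithm confusion rests entirely on `is_valid_jwt_alg` being ANDed on the two consuming lines (`set-var(req.trusted_request)` and `set-header X-JWT-Sub`); any future rule that reuses `is_valid_jwt_sig` on its own would verify with whatever `alg` the client supplied. Since only RS256 is accepted anyway, pinning the literal closes that gap independently of how ACLs are composed: `acl is_valid_jwt_sig var(req.bearer),jwt_verify("RS256","/etc/haproxy/jwt/mw-oauth-2025-07-31.key") 1` (the HAProxy docs describe the algorithm argument as accepting a literal or a variable; confirm on the deployed version). Separately, validation covers alg, signature and expiry only, with no `iss`/`aud` (or `nbf`) check, so any token signed with that key for any audience upgrades F to C; that is fine if the key is dedicated to this purpose, but the assumption is worth a comment next to the `is_valid_jwt_exp_date` acl. The hunk's old/new line counts suggest blank context lines were dropped in this rendering, so the hunk may extend past the last line shown.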