core/envoy: fix remove cookie lua script (#4641)

* core/envoy: fix remove cookie lua script

* fix matching prefix

* fix test data

config/envoyconfig/lua_test.go

@@ -24,9 +24,11 @@ func TestLuaCleanUpstream(t *testing.T) {
 		"context-type":             "text/plain",
 		"authorization":            "Pomerium JWT",
 		"x-pomerium-authorization": "JWT",
+		"cookie":                   "cookieA=aaa_pomerium=123; cookieb=bbb; _pomerium=ey;_pomerium_test1=stillhere ; _pomerium_test2=stillhere",
 	}
 	metadata := map[string]interface{}{
 		"remove_pomerium_authorization": true,
+		"remove_pomerium_cookie":        "_pomerium",
 	}
 	dynamicMetadata := map[string]map[string]interface{}{}
 	handle := newLuaResponseHandle(L, headers, metadata, dynamicMetadata)
@@ -40,6 +42,7 @@ func TestLuaCleanUpstream(t *testing.T) {
 
 	assert.Equal(t, map[string]string{
 		"context-type": "text/plain",
+		"cookie":       "cookieA=aaa_pomerium=123; cookieb=bbb; _pomerium_test1=stillhere ; _pomerium_test2=stillhere",
 	}, headers)
 }
 

config/envoyconfig/luascripts/clean-upstream.lua

@@ -1,15 +1,23 @@
-function remove_pomerium_cookie(cookie_name, cookie)
-    -- lua doesn't support optional capture groups
-    -- so we replace twice to handle pomerium=xyz at the end of the string
-    cookie = cookie:gsub(cookie_name .. "=[^;]+; ", "")
-    cookie = cookie:gsub(cookie_name .. "=[^;]+", "")
-    return cookie
-end
-
 function has_prefix(str, prefix)
     return str ~= nil and str:sub(1, #prefix) == prefix
 end
 
+function remove_pomerium_cookie(cookie_name, cookie)
+    local result = ""
+    for c in cookie:gmatch("([^;]+)") do
+        c = c:gsub("^ +","")
+        local name = c:match("^([^=]+)")
+        if name ~= cookie_name then
+            if string.len(result) > 0 then
+                result = result .. "; " .. c
+            else
+                result = result .. c
+            end
+        end
+    end
+    return result
+end
+
 function envoy_on_request(request_handle)
     local headers = request_handle:headers()
     local metadata = request_handle:metadata()
@@ -18,7 +26,7 @@ function envoy_on_request(request_handle)
     if remove_cookie_name then
         local cookie = headers:get("cookie")
         if cookie ~= nil then
-            newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)
+            local newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)
             headers:replace("cookie", newcookie)
         end
     end

config/envoyconfig/testdata/main_http_connection_manager_filter.json

@@ -75,7 +75,7 @@
         "typedConfig": {
           "@type": "type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua",
           "defaultSourceCode": {
-            "inlineString": "function remove_pomerium_cookie(cookie_name, cookie)\n    -- lua doesn't support optional capture groups\n    -- so we replace twice to handle pomerium=xyz at the end of the string\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+; \", \"\")\n    cookie = cookie:gsub(cookie_name .. \"=[^;]+\", \"\")\n    return cookie\nend\n\nfunction has_prefix(str, prefix)\n    return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n    if remove_cookie_name then\n        local cookie = headers:get(\"cookie\")\n        if cookie ~= nil then\n            newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n            headers:replace(\"cookie\", newcookie)\n        end\n    end\n\n    local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n    if remove_authorization then\n        local authorization = headers:get(\"authorization\")\n        local authorization_prefix = \"Pomerium \"\n        if has_prefix(authorization, authorization_prefix) then\n            headers:remove(\"authorization\")\n        end\n\n        headers:remove('x-pomerium-authorization')\n    end\nend\n\nfunction envoy_on_response(response_handle) end\n"
+            "inlineString": "function has_prefix(str, prefix)\n    return str ~= nil and str:sub(1, #prefix) == prefix\nend\n\nfunction remove_pomerium_cookie(cookie_name, cookie)\n    local result = \"\"\n    for c in cookie:gmatch(\"([^;]+)\") do\n        c = c:gsub(\"^ +\",\"\")\n        local name = c:match(\"^([^=]+)\")\n        if name ~= cookie_name then\n            if string.len(result) \u003e 0 then\n                result = result .. \"; \" .. c\n            else\n                result = result .. c\n            end\n        end\n    end\n    return result\nend\n\nfunction envoy_on_request(request_handle)\n    local headers = request_handle:headers()\n    local metadata = request_handle:metadata()\n\n    local remove_cookie_name = metadata:get(\"remove_pomerium_cookie\")\n    if remove_cookie_name then\n        local cookie = headers:get(\"cookie\")\n        if cookie ~= nil then\n            local newcookie = remove_pomerium_cookie(remove_cookie_name, cookie)\n            headers:replace(\"cookie\", newcookie)\n        end\n    end\n\n    local remove_authorization = metadata:get(\"remove_pomerium_authorization\")\n    if remove_authorization then\n        local authorization = headers:get(\"authorization\")\n        local authorization_prefix = \"Pomerium \"\n        if has_prefix(authorization, authorization_prefix) then\n            headers:remove(\"authorization\")\n        end\n\n        headers:remove('x-pomerium-authorization')\n    end\nend\n\nfunction envoy_on_response(response_handle) end\n"
           }
         }
       },