Allow validate_cookie.lua bypassing if endpoint has CP_EDGE_JWT_NO_AUTH

deploy/docker/cp-edge/endpoints-config/route.template.loc.conf

@@ -4,6 +4,7 @@ location {edge_route_location} {
     set $shared_with_groups "{edge_route_shared_groups}";
     set $route_location_root "{edge_route_location}";
     set $run_id "{run_id}";
+    set $edge_jwt_auth "{edge_jwt_auth}";
     default_type text/html;
     access_by_lua_file /etc/nginx/validate_cookie.lua;
     proxy_cookie_path {edge_cookie_location} {edge_cookie_location};

deploy/docker/cp-edge/sync-routes.py

@@ -54,6 +54,7 @@
 EDGE_ROUTE_NO_PATH_CROP = 'CP_EDGE_NO_PATH_CROP'
 EDGE_ROUTE_CREATE_DNS = 'CP_EDGE_ROUTE_CREATE_DNS'
 EDGE_COOKIE_NO_REPLACE = 'CP_EDGE_COOKIE_NO_REPLACE'
+EDGE_JWT_NO_AUTH = 'CP_EDGE_JWT_NO_AUTH'
 EDGE_DNS_RECORD_FORMAT = os.getenv('CP_EDGE_DNS_RECORD_FORMAT', '{job_name}.{region_name}')
 EDGE_DISABLE_NAME_SUFFIX_FOR_DEFAULT_ENDPOINT = os.getenv('EDGE_DISABLE_NAME_SUFFIX_FOR_DEFAULT_ENDPOINT', 'True').lower() == 'true'
 EDGE_EXTERNAL_APP = 'CP_EDGE_EXTERNAL_APP'
@@ -646,6 +647,13 @@ def get_service_list(active_runs_list, pod_id, pod_run_id, pod_ip):
                                         else:
                                                 edge_cookie_location = None
 
+                                        # This parameter will be passed to the respective lua auth script
+                                        # Only applied for the non-sensitive jobs
+                                        edge_jwt_auth = True
+                                        if EDGE_JWT_NO_AUTH in additional:
+                                                additional = additional.replace(EDGE_JWT_NO_AUTH, "")
+                                                edge_jwt_auth = False
+
                                         is_external_app = False
                                         if EDGE_EXTERNAL_APP in additional:
                                                 additional = additional.replace(EDGE_EXTERNAL_APP, "")
@@ -678,7 +686,8 @@ def get_service_list(active_runs_list, pod_id, pod_run_id, pod_ip):
                                                 "create_dns_record": create_dns_record,
                                                 "cloudRegionId": cloud_region_id,
                                                 "external_app": is_external_app,
-                                                "cookie_location": edge_cookie_location
+                                                "cookie_location": edge_cookie_location,
+                                                "edge_jwt_auth": edge_jwt_auth
                                         }
                 else:
                         do_log('No endpoints required for the tool {}'.format(docker_image))
@@ -785,6 +794,7 @@ def create_service_location(service_spec, service_url_dict, edge_region_id):
                 .replace('{edge_route_shared_groups}', service_spec["shared_groups_sids"]) \
                 .replace('{edge_route_schema}', 'https' if service_spec["is_ssl_backend"] else 'http') \
                 .replace('{additional}', service_spec["additional"]) \
+                .replace('{edge_jwt_auth}', str(service_spec["edge_jwt_auth"])) \
                 .replace('{edge_cookie_location}', service_spec["cookie_location"] if service_spec["cookie_location"] else service_location)
         nginx_sensitive_route_definitions = []
         if service_spec["sensitive"]:

deploy/docker/cp-edge/validate_cookie.lua

@@ -65,6 +65,13 @@ local function split_str(inputstr, sep)
     return t
 end
 
+-- If edge_jwt_auth is set to true - it is requested to bypass authentication
+if ngx.var.edge_jwt_auth == "False" then
+    ngx.log(ngx.WARN,"[SECURITY] Application: " .. ngx.var.route_location_root ..
+            "; User: bypass; Status: Successfully authenticated.")
+    return
+end
+
 -- Check if request alread contains a cookie or a header named "bearer"
 local token = ngx.var.cookie_bearer or ngx.var.http_bearer
 if token then