If JwksURI is not set, SNI should not be set

Author: javorszky

pkg/apis/configuration/validation/policy.go

@@ -202,6 +202,17 @@ func validateJWT(jwt *v1.JWTAuth, fieldPath *field.Path) field.ErrorList {
 		return allErrs
 	}
 
+	if jwt.JwksURI == "" {
+		// If JwksURI is not set, then none of the SNI fields should be set.
+		if jwt.SNIEnabled {
+			return append(allErrs, field.Forbidden(fieldPath.Child("sniEnabled"), "sniEnabled can only be set when JwksURI is set"))
+		}
+
+		if jwt.SNIName != "" {
+			return append(allErrs, field.Forbidden(fieldPath.Child("sniName"), "sniName can only be set when JwksURI is set"))
+		}
+	}
+
 	// Verify a case when using JWKS
 	if jwt.JwksURI != "" {
 		allErrs = append(allErrs, validateURL(jwt.JwksURI, fieldPath.Child("JwksURI"))...)

pkg/apis/configuration/validation/policy_test.go

@@ -994,6 +994,31 @@ func TestValidateJWT_FailsOnInvalidInput(t *testing.T) {
 			},
 			msg: "SNI server name passed, SNI not passed",
 		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:      "My Product API",
+				Token:      "$cookie_auth_token",
+				SNIEnabled: true,
+			},
+			msg: "Jwks URI not set, but SNI is enabled",
+		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:   "My Product API",
+				Token:   "$cookie_auth_token",
+				SNIName: "https://idp.com",
+			},
+			msg: "Jwks URI not set, but SNIName is set",
+		},
+		{
+			jwt: &v1.JWTAuth{
+				Realm:      "My Product API",
+				Token:      "$cookie_auth_token",
+				SNIName:    "https://idp.com",
+				SNIEnabled: true,
+			},
+			msg: "Jwks URI not set, but SNIName is set and SNI is enabled",
+		},
 	}
 	for _, test := range tests {
 		test := test