google-cloud-armor, recaptcha-enterprise

How to make Google Cloud Armor interpret the reCAPTCHA score


I have GKE applications in the following setup:

I expose those loads via Ingress and all looks cool. I want to protect the application with Cloud Armor. I added the annotation to the api service. I can confirm that if the policy has just one rule "deny all IPs" I cannot reach the backend endpoints, and if I change the rule to "allow all IPs" I can. So GCA itself works ok.

I tried to connect reCaptcha Enterprise and interpret its score with Google Cloud Armor, but I cannot make it work. I created the following rules, but whatever values I add, token.recaptcha.score doesn't seem to be interpreted at all.

rules

So in the presented example I will always be blocked, even if I make the rule ridiculously small like "> 0.1". The front end sends X-Recaptcha-Token to the backend, so it looks like I did everything correctly.

The only thing I'm not sure about is whether this allow rule is correctly defined. GCP Logging shows that the policy was applied, but I don't know exactly which rule:

{
  "insertId": "uxxxv",
  "jsonPayload": {
    "enforcedSecurityPolicy": {
      "outcome": "DENY",
      "configuredAction": "DENY",
      "priority": 2147483647,
      "name": "login-security-policy"
    },
    "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
    "statusDetails": "denied_by_security_policy"
  },
  "httpRequest": {
    "requestMethod": "OPTIONS",
    "requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AXXXXXXE",
    "requestSize": "330",
    "status": 403,
    "responseSize": "228",
    "userAgent": "XXX",
    "remoteIp": "XX.XX.XX.XX",
    "referer": "https://example.com/",
    "latency": "0.220009s"
  },
  "resource": {
    "type": "http_load_balancer",
    "labels": {
      "zone": "global",
      "target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
      "backend_service_name": "k8s-be-3xxx9--9xxx9",
      "forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq",
      "project_id": "xxx",
      "url_map_name": "k8s2-um-dxxxd-default-main-ixxxq"
    }
  },
  "timestamp": "2021-12-21T12:22:28.505728Z",
  "severity": "WARNING",
  "logName": "projects/xxx/logs/requests",
  "trace": "projects/xxx/traces/bxxx4",
  "receiveTimestamp": "2021-12-21T12:22:28.925285233Z",
  "spanId": "cxxx4"
}

I just assume that the field jsonPayload.enforcedSecurityPolicy.priority is pointing to the default rule, which means that the Allow rule doesn't work.

Also, the reCaptcha key has been enabled by emailing Google according to the documentation.


Solution

  • The HTTP method that is falling through to the default rule is OPTIONS. The OPTIONS method is often used by CORS, so you normally want those requests to get through.

    Add a rule that allows HTTP method OPTIONS based upon request.method == 'OPTIONS'.

    Or modify your existing rule to only check if the method is GET, PUT, POST (specify the methods you need to validate reCaptcha).

    Cloud Armor Rule Attributes
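To confirm from the logs that it is the CORS preflight falling through, as the answer says, here is an added triage helper (not code from the question or from Google): it reads Cloud Armor log entries, flags the ones enforced by the catch-all default rule (priority 2147483647, as in the question's entry), and groups them by HTTP method. The sample entries are constructed and trimmed to the fields used; only the first is modelled on the entry in the question.

```python
from collections import Counter

# Cloud Armor's implicit catch-all rule always carries this priority.
DEFAULT_RULE_PRIORITY = 2147483647

# Constructed sample entries (trimmed). The first mirrors the OPTIONS entry
# from the question; the POST and second OPTIONS entries are invented.
SAMPLE_LOG = [
    {"jsonPayload": {"enforcedSecurityPolicy": {"outcome": "DENY",
        "configuredAction": "DENY", "priority": 2147483647,
        "name": "login-security-policy"},
        "statusDetails": "denied_by_security_policy"},
     "httpRequest": {"requestMethod": "OPTIONS", "status": 403,
        "requestUrl": "https://api.example.com/v1/graphs"}},
    {"jsonPayload": {"enforcedSecurityPolicy": {"outcome": "ACCEPT",
        "configuredAction": "ALLOW", "priority": 1000,
        "name": "login-security-policy"}},
     "httpRequest": {"requestMethod": "POST", "status": 200,
        "requestUrl": "https://api.example.com/v1/graphs"}},
    {"jsonPayload": {"enforcedSecurityPolicy": {"outcome": "DENY",
        "configuredAction": "DENY", "priority": 2147483647,
        "name": "login-security-policy"}},
     "httpRequest": {"requestMethod": "OPTIONS", "status": 403,
        "requestUrl": "https://api.example.com/v1/login"}},
]

def enforced_rule(entry):
    """Return (configuredAction, priority) of the rule that fired, or None."""
    policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy")
    if not policy:
        return None
    return policy.get("configuredAction"), policy.get("priority")

def hit_default_rule(entry):
    """True when no explicit rule matched and the catch-all default fired."""
    rule = enforced_rule(entry)
    return rule is not None and rule[1] == DEFAULT_RULE_PRIORITY

def default_rule_hits_by_method(entries):
    """Count default-rule hits per HTTP method. A pile of OPTIONS here is the
    signature of CORS preflights, which carry no X-Recaptcha-Token and so
    never satisfy a token.recaptcha.score rule."""
    return Counter(e["httpRequest"]["requestMethod"]
                   for e in entries if hit_default_rule(e))

def preflight_fallthrough_urls(entries):
    """URLs whose preflight was denied, so the real request never follows."""
    return sorted({e["httpRequest"]["requestUrl"] for e in entries
                   if hit_default_rule(e)
                   and e["httpRequest"]["requestMethod"] == "OPTIONS"})
```

Feed it the `jsonPayload`/`httpRequest` objects from a Logs Explorer export; URLs returned by `preflight_fallthrough_urls` are the ones that need an OPTIONS allow rule ahead of the reCAPTCHA rule.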