
I have GKE applications in the following setup:

  • front app works on example.com
  • backend app works on api.example.com

I expose those loads via Ingress and all looks cool. I want to protect the application with Cloud Armor. I added the annotation to the api service. I can confirm that if the policy has just one rule, "deny all IPs", I cannot reach the backend endpoints, and if I change the rule to "allow all IPs" I can. So GCA itself works OK.

I tried to connect reCaptcha Enterprise and interpret its score with Google Cloud Armor, but I cannot make it work. I created the following rules, but whatever values I add, token.recaptcha.score doesn't seem to be interpreted at all.

[image: screenshot of the Cloud Armor security policy rules]

So in the presented example I will always be blocked, even if I make the rule ridiculously small, like "> 0.1". The front end sends X-Recaptcha-Token to the backend, so it looks like I did everything correctly.

The only thing I'm not sure about is whether this allow rule is correctly defined. GCP Logging shows that the policy was applied, but I don't know exactly which rule:

{
  "insertId": "uxxxv",
  "jsonPayload": {
    "enforcedSecurityPolicy": {
      "outcome": "DENY",
      "configuredAction": "DENY",
      "priority": 2147483647,
      "name": "login-security-policy"
    },
    "@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
    "statusDetails": "denied_by_security_policy"
  },
  "httpRequest": {
    "requestMethod": "OPTIONS",
    "requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AXXXXXXE",
    "requestSize": "330",
    "status": 403,
    "responseSize": "228",
    "userAgent": "XXX",
    "remoteIp": "XX.XX.XX.XX",
    "referer": "https://example.com/",
    "latency": "0.220009s"
  },
  "resource": {
    "type": "http_load_balancer",
    "labels": {
      "zone": "global",
      "target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
      "backend_service_name": "k8s-be-3xxx9--9xxx9",
      "forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq",
      "project_id": "xxx",
      "url_map_name": "k8s2-um-dxxxd-default-main-ixxxq"
    }
  },
  "timestamp": "2021-12-21T12:22:28.505728Z",
  "severity": "WARNING",
  "logName": "projects/xxx/logs/requests",
  "trace": "projects/xxx/traces/bxxx4",
  "receiveTimestamp": "2021-12-21T12:22:28.925285233Z",
  "spanId": "cxxx4"
}

I just assume that the field jsonPayload.enforcedSecurityPolicy.priority is pointing to the default rule, which means that the Allow rule doesn't work.

Also, the reCaptcha key has been enabled by emailing Google according to the documentation.

Mateusz

1 Answer


The HTTP method that is falling through to the default rule is OPTIONS. The OPTIONS method is often used by CORS, so you normally want those requests to get through.

Add a rule that allows HTTP method OPTIONS based upon request.method == 'OPTIONS'.

Or modify your existing rule to only check if the method is GET, PUT, POST (specify the methods you need to validate reCaptcha).

Cloud Armor Rule Attributes

John Hanley
  • That is a correct observation; I don't know why I didn't think about OPTIONS in the first place. That helped a bit, but it just makes OPTIONS pass. The main GET operation still doesn't pass. I'll update the question. – Mateusz Dec 21 '21 at 18:38
  • @Mateusz Do not create serially growing questions. Post a question, get an answer. Post a new question instead of modifying a question with the next problem. – John Hanley Dec 21 '21 at 18:41
  • Ok, you're right. I will add new one. – Mateusz Dec 21 '21 at 18:52
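To make the answer's reasoning concrete, here is an added Python toy model of how a priority-ordered security policy with a default rule evaluates requests. It is not Cloud Armor's engine and is not code from the question or the answer; it mimics only the parts the thread discusses (rule priority order, the default rule, `request.method` and `token.recaptcha.score`). Assumptions: rule priorities 900 and 1000 are chosen here; the threshold 0.1 is the one the question mentions; a CORS preflight carries no X-Recaptcha-Token and therefore has no score; and a request that fell through to the default rule is recognised by priority 2147483647, the value in the question's log entry. The model also assumes a valid token evaluates to a score, so it does not reproduce the GET failure reported in the comments, which was left for a follow-up question.

```python
"""Toy model of priority-ordered security policy evaluation (added example).

NOT Cloud Armor's real evaluation engine: only priority ordering, the default
rule, request.method and token.recaptcha.score are modelled.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Priority of the implicit default rule, as seen in the question's log entry.
DEFAULT_RULE_PRIORITY = 2147483647


@dataclass
class Request:
    method: str
    # Score carried by the X-Recaptcha-Token header; None when the header is
    # absent, which is the case for a CORS preflight (assumption of this model).
    recaptcha_score: Optional[float] = None


@dataclass
class Rule:
    priority: int            # lower number is evaluated first
    action: str              # "allow" or "deny"
    match: Callable[[Request], bool]
    expression: str          # human-readable form of the match condition


def evaluate(rules: List[Rule], request: Request) -> Tuple[int, str]:
    """Return (priority, action) of the first matching rule in priority order.

    Falls through to the default rule (deny, as in the question's policy)
    when nothing matches.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.match(request):
            return rule.priority, rule.action
    return DEFAULT_RULE_PRIORITY, "deny"


def hit_default_rule(log_entry: dict) -> bool:
    """True when a load balancer log entry shows the request fell through
    to the default rule (jsonPayload.enforcedSecurityPolicy.priority)."""
    policy = log_entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
    return policy.get("priority") == DEFAULT_RULE_PRIORITY


def score_above(threshold: float) -> Callable[[Request], bool]:
    """token.recaptcha.score > threshold; never matches when no token/score."""
    return lambda r: r.recaptcha_score is not None and r.recaptcha_score > threshold


# Policy as the question describes it: one allow rule on the score, default deny.
ORIGINAL_POLICY = [
    Rule(1000, "allow", score_above(0.1), "token.recaptcha.score > 0.1"),
]

# Policy following the answer: let OPTIONS preflights through explicitly and
# only demand a score on the methods that actually carry the token.
CHECKED_METHODS = ("GET", "PUT", "POST")
FIXED_POLICY = [
    Rule(900, "allow", lambda r: r.method == "OPTIONS",
         "request.method == 'OPTIONS'"),
    Rule(1000, "allow",
         lambda r: r.method in CHECKED_METHODS and score_above(0.1)(r),
         "(request.method == 'GET' || request.method == 'PUT' || "
         "request.method == 'POST') && token.recaptcha.score > 0.1"),
]

# Constructed sample traffic: the browser preflight, then the real GET.
PREFLIGHT = Request("OPTIONS")                      # no token on a preflight
REAL_GET = Request("GET", recaptcha_score=0.9)      # human-looking score
LOW_SCORE_GET = Request("GET", recaptcha_score=0.05)

# Constructed minimal log entry in the shape shown in the question.
SAMPLE_LOG = {
    "jsonPayload": {"enforcedSecurityPolicy": {"outcome": "DENY",
                                               "priority": 2147483647}},
    "httpRequest": {"requestMethod": "OPTIONS", "status": 403},
}

if __name__ == "__main__":
    print("default rule hit in sample log:", hit_default_rule(SAMPLE_LOG))
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for req in (PREFLIGHT, REAL_GET, LOW_SCORE_GET):
            prio, action = evaluate(policy, req)
            print(f"{name:8} {req.method:7} score={req.recaptcha_score!s:5} "
                  f"-> rule {prio} {action}")
```

Under the original policy the preflight has no score, so the only allow rule cannot match and the request lands on the default rule with the same priority the log shows; under the amended policy the preflight matches the OPTIONS rule first, while a GET with a low score still ends on the default deny.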