fix tests for "disable ext_auth when upgrading to HTTPS"

Signed-off-by: Saman Mahdanian <saman@mahdanian.xyz>

internal/envoy/v3/route.go

@@ -596,6 +596,19 @@ func UpgradeHTTPS() *envoy_config_route_v3.Route_Redirect {
 	}
 }
 
+// DisabledExtAuthConfig returns a route TypedPerFilterConfig that disables ExtAuth
+func DisabledExtAuthConfig() map[string]*anypb.Any {
+	return map[string]*anypb.Any{
+		ExtAuthzFilterName: protobuf.MustMarshalAny(
+			&envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute{
+				Override: &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute_Disabled{
+					Disabled: true,
+				},
+			},
+		),
+	}
+}
+
 // headerValueList creates a list of Envoy HeaderValueOptions from the provided map.
 func headerValueList(hvm map[string]string, app bool) []*envoy_config_core_v3.HeaderValueOption {
 	var hvs []*envoy_config_core_v3.HeaderValueOption

internal/featuretests/v3/authorization_test.go

@@ -267,13 +267,6 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 	// same authorization enablement as the root proxy, and
 	// the other path should have the opposite enablement.
 
-	disabledConfig := withFilterConfig(envoy_v3.ExtAuthzFilterName,
-		&envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute{
-			Override: &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute_Disabled{
-				Disabled: true,
-			},
-		})
-
 	c.Request(routeType).Equals(&envoy_service_discovery_v3.DiscoveryResponse{
 		TypeUrl: routeType,
 		Resources: resources(t,
@@ -287,7 +280,7 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 					&envoy_config_route_v3.Route{
 						Match:                routePrefix("/default"),
 						Action:               routeCluster("default/app-server/80/da39a3ee5e"),
-						TypedPerFilterConfig: disabledConfig,
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -297,7 +290,7 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 					&envoy_config_route_v3.Route{
 						Match:                routePrefix("/disabled"),
 						Action:               routeCluster("default/app-server/80/da39a3ee5e"),
-						TypedPerFilterConfig: disabledConfig,
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 					&envoy_config_route_v3.Route{
 						Match:  routePrefix("/default"),
@@ -309,24 +302,26 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 				"ingress_http",
 				envoy_v3.VirtualHost(disabled,
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/enabled"),
-						Action: withRedirect(),
+						Match:                routePrefix("/enabled"),
+						Action:               withRedirect(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 					&envoy_config_route_v3.Route{
 						Match:                routePrefix("/default"),
 						Action:               withRedirect(),
-						TypedPerFilterConfig: disabledConfig,
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 				envoy_v3.VirtualHost(enabled,
 					&envoy_config_route_v3.Route{
 						Match:                routePrefix("/disabled"),
 						Action:               withRedirect(),
-						TypedPerFilterConfig: disabledConfig,
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/default"),
-						Action: withRedirect(),
+						Match:                routePrefix("/default"),
+						Action:               withRedirect(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -408,16 +403,9 @@ func authzMergeRouteContext(t *testing.T, rh ResourceEventHandlerWrapper, c *Con
 				"ingress_http",
 				envoy_v3.VirtualHost(fqdn,
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/"),
-						Action: withRedirect(),
-						TypedPerFilterConfig: withFilterConfig(envoy_v3.ExtAuthzFilterName,
-							&envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute{
-								Override: &envoy_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
-									CheckSettings: &envoy_filter_http_ext_authz_v3.CheckSettings{
-										ContextExtensions: context,
-									},
-								},
-							}),
+						Match:                routePrefix("/"),
+						Action:               withRedirect(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),

internal/featuretests/v3/envoy.go

@@ -166,8 +166,9 @@ func routeHostRewriteHeader(cluster, hostnameHeader string) *envoy_config_route_
 
 func upgradeHTTPS(match *envoy_config_route_v3.RouteMatch) *envoy_config_route_v3.Route {
 	return &envoy_config_route_v3.Route{
-		Match:  match,
-		Action: envoy_v3.UpgradeHTTPS(),
+		Match:                match,
+		Action:               envoy_v3.UpgradeHTTPS(),
+		TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 	}
 }
 

internal/featuretests/v3/global_authorization_test.go

@@ -382,7 +382,7 @@ func globalExternalAuthorizationWithMergedAuthPolicyTLS(t *testing.T, rh Resourc
 					&envoy_config_route_v3.Route{
 						Match:                routePrefix("/"),
 						Action:               withRedirect(),
-						TypedPerFilterConfig: expectedAuthContext,
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),

internal/featuretests/v3/headerpolicy_test.go

@@ -184,14 +184,9 @@ func TestHeaderPolicy_ReplaceHeader_HTTProxy(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("hello.world",
 					&envoy_config_route_v3.Route{
-						Match: routePrefix("/"),
-						Action: &envoy_config_route_v3.Route_Redirect{
-							Redirect: &envoy_config_route_v3.RedirectAction{
-								SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
-									HttpsRedirect: true,
-								},
-							},
-						},
+						Match:                routePrefix("/"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					}),
 			),
 			envoy_v3.RouteConfiguration("https/hello.world",
@@ -297,14 +292,9 @@ func TestHeaderPolicy_ReplaceHostHeader_HTTProxy(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("hello.world",
 					&envoy_config_route_v3.Route{
-						Match: routePrefix("/"),
-						Action: &envoy_config_route_v3.Route_Redirect{
-							Redirect: &envoy_config_route_v3.RedirectAction{
-								SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
-									HttpsRedirect: true,
-								},
-							},
-						},
+						Match:                routePrefix("/"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					}),
 			),
 			envoy_v3.RouteConfiguration("https/hello.world",

internal/featuretests/v3/route_test.go

@@ -310,12 +310,14 @@ func TestEditIngressInPlace(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("hello.example.com",
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/whoop"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/whoop"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -364,12 +366,14 @@ func TestEditIngressInPlace(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("hello.example.com",
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/whoop"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/whoop"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -462,8 +466,9 @@ func TestSSLRedirectOverlay(t *testing.T) {
 				Action: routecluster("nginx-ingress/challenge-service/8009/da39a3ee5e"),
 			},
 			&envoy_config_route_v3.Route{
-				Match:  routePrefix("/"), // match all
-				Action: envoy_v3.UpgradeHTTPS(),
+				Match:                routePrefix("/"), // match all
+				Action:               envoy_v3.UpgradeHTTPS(),
+				TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 			},
 		),
 	), virtualhosts(
@@ -707,8 +712,9 @@ func TestRDSFilter(t *testing.T) {
 						Action: routecluster("nginx-ingress/challenge-service/8009/da39a3ee5e"),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/"), // match all
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/"), // match all
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -1126,8 +1132,9 @@ func TestRouteWithTLS(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("test2.test.com",
 					&envoy_config_route_v3.Route{
-						Action: envoy_v3.UpgradeHTTPS(),
-						Match:  routePrefix("/a"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
+						Match:                routePrefix("/a"),
 					},
 				),
 			),
@@ -1203,8 +1210,9 @@ func TestRouteWithTLS_InsecurePaths(t *testing.T) {
 						Action: routecluster("default/kuard/80/da39a3ee5e"),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/secure"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/secure"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -1289,12 +1297,14 @@ func TestRouteWithTLS_InsecurePaths_DisablePermitInsecureTrue(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("test2.test.com",
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/insecure"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/insecure"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/secure"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/secure"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -1482,8 +1492,9 @@ func TestHTTPProxyRouteWithTLS(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("test2.test.com",
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/a"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/a"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -1555,8 +1566,9 @@ func TestHTTPProxyRouteWithTLS_InsecurePaths(t *testing.T) {
 						Action: routecluster("default/kuard/80/da39a3ee5e"),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/secure"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/secure"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -1637,12 +1649,14 @@ func TestHTTPProxyRouteWithTLS_InsecurePaths_DisablePermitInsecureTrue(t *testin
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("test2.test.com",
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/insecure"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/insecure"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 					&envoy_config_route_v3.Route{
-						Match:  routePrefix("/secure"),
-						Action: envoy_v3.UpgradeHTTPS(),
+						Match:                routePrefix("/secure"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),

internal/featuretests/v3/tcpproxy_test.go

@@ -103,14 +103,9 @@ func TestTCPProxy(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("kuard-tcp.example.com",
 					&envoy_config_route_v3.Route{
-						Match: routePrefix("/"),
-						Action: &envoy_config_route_v3.Route_Redirect{
-							Redirect: &envoy_config_route_v3.RedirectAction{
-								SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
-									HttpsRedirect: true,
-								},
-							},
-						},
+						Match:                routePrefix("/"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),
@@ -276,14 +271,9 @@ func TestTCPProxyTLSPassthrough(t *testing.T) {
 			envoy_v3.RouteConfiguration("ingress_http",
 				envoy_v3.VirtualHost("kuard-tcp.example.com",
 					&envoy_config_route_v3.Route{
-						Match: routePrefix("/"),
-						Action: &envoy_config_route_v3.Route_Redirect{
-							Redirect: &envoy_config_route_v3.RedirectAction{
-								SchemeRewriteSpecifier: &envoy_config_route_v3.RedirectAction_HttpsRedirect{
-									HttpsRedirect: true,
-								},
-							},
-						},
+						Match:                routePrefix("/"),
+						Action:               envoy_v3.UpgradeHTTPS(),
+						TypedPerFilterConfig: envoy_v3.DisabledExtAuthConfig(),
 					},
 				),
 			),