Merge pull request #1613 from datawire/envoy-upstream

External auth bug-fix and new Envoy image update

Makefile

@@ -130,16 +130,16 @@ NETLIFY_SITE=datawire-ambassador
 # IF YOU MESS WITH ANY OF THESE VALUES, YOU MUST UPDATE THE VERSION NUMBERS
 # BELOW AND THEN RUN make docker-update-base
 ENVOY_REPO ?= git://github.com/datawire/envoy.git
-ENVOY_COMMIT ?= a484da25f765a28546b0f312115a8a346959f15c
+ENVOY_COMMIT ?= 59b502c0a8e723aa262335de49f737c305eb1521
 AMBASSADOR_DOCKER_TAG ?= $(GIT_VERSION)
 AMBASSADOR_DOCKER_IMAGE ?= $(AMBASSADOR_DOCKER_REPO):$(AMBASSADOR_DOCKER_TAG)
 AMBASSADOR_EXTERNAL_DOCKER_IMAGE ?= $(AMBASSADOR_EXTERNAL_DOCKER_REPO):$(AMBASSADOR_DOCKER_TAG)
 
 # UPDATE THESE VERSION NUMBERS IF YOU UPDATE ANY OF THE VALUES ABOVE, THEN
 # RUN make docker-update-base.
-ENVOY_BASE_IMAGE ?= quay.io/datawire/ambassador-base:envoy-11
-AMBASSADOR_DOCKER_IMAGE_CACHED ?= quay.io/datawire/ambassador-base:go-12
-AMBASSADOR_BASE_IMAGE ?= quay.io/datawire/ambassador-base:ambassador-12
+ENVOY_BASE_IMAGE ?= quay.io/datawire/ambassador-base:envoy-12
+AMBASSADOR_DOCKER_IMAGE_CACHED ?= quay.io/datawire/ambassador-base:go-13
+AMBASSADOR_BASE_IMAGE ?= quay.io/datawire/ambassador-base:ambassador-13
 
 # Default to _NOT_ using Kubernaut. At Datawire, we can set this to true,
 # but outside, it works much better to assume that user has set up something

ambassador/tests/t_extauth.py

@@ -89,6 +89,76 @@ def check(self):
         assert self.results[3].headers["Server"] == ["envoy"]
         assert self.results[3].headers["Authorization"] == ["foo-11111"]
 
+
+class AuthenticationHTTPPartialBufferTest(AmbassadorTest):
+
+    target: ServiceType
+    auth: ServiceType
+
+    def init(self):
+        self.target = HTTP()
+        self.auth = HTTP(name="auth")
+
+    def config(self):
+        yield self, self.format("""
+---
+apiVersion: ambassador/v1
+kind: TLSContext
+name: {self.name}-same-context-1
+secret: same-secret-1.secret-namespace
+
+---
+apiVersion: ambassador/v1
+kind: AuthService
+name:  {self.auth.path.k8s}
+auth_service: "{self.auth.path.fqdn}"
+path_prefix: "/extauth"
+timeout_ms: 5000
+tls: {self.name}-same-context-1
+
+allowed_request_headers:
+- Requested-Status
+- Requested-Header
+
+allowed_authorization_headers:
+- Auth-Request-Body
+
+include_body:
+  max_bytes: 7
+  allow_partial: true
+""")
+        yield self, self.format("""
+---
+apiVersion: ambassador/v0
+kind:  Mapping
+name:  {self.target.path.k8s}
+prefix: /target/
+service: {self.target.path.fqdn}
+""")
+
+    def queries(self):
+        # [0]
+        yield Query(self.url("target/"), headers={"Requested-Status": "200"}, body="message_body", expected=200)
+
+        # [1]
+        yield Query(self.url("target/"), headers={"Requested-Status": "200"}, body="body", expected=200)
+
+    def check(self):
+        # [0] Verifies that the authorization server received the partial message body.
+        extauth_res1 = json.loads(self.results[0].headers["Extauth"][0])
+        assert self.results[0].backend.request.headers["requested-status"] == ["200"]
+        assert self.results[0].status == 200
+        assert self.results[0].headers["Server"] == ["envoy"]
+        assert extauth_res1["request"]["headers"]["auth-request-body"] == ["message"]
+
+        # [1] Verifies that the authorization server received the full message body.
+        extauth_res2 = json.loads(self.results[1].headers["Extauth"][0])
+        assert self.results[1].backend.request.headers["requested-status"] == ["200"]
+        assert self.results[1].status == 200
+        assert self.results[1].headers["Server"] == ["envoy"]
+        assert extauth_res2["request"]["headers"]["auth-request-body"] == ["body"]
+
+
 class AuthenticationHTTPBufferedTest(AmbassadorTest):
 
     target: ServiceType
@@ -133,7 +203,7 @@ def config(self):
 
 allowed_authorization_headers:
 - X-Foo
-- Set-Cookie
+- Set-Cookie 
 
 include_body:
   max_bytes: 4096

kat/kat/manifests.py

@@ -29,7 +29,7 @@
 spec:
   containers:
   - name: backend
-    image: quay.io/datawire/kat-backend:12
+    image: quay.io/datawire/kat-backend:13
     imagePullPolicy: Always
     ports:
     - containerPort: 8080
@@ -56,7 +56,7 @@
     spec:
       containers:
       - name: backend
-        image: quay.io/datawire/kat-backend:12
+        image: quay.io/datawire/kat-backend:13
         imagePullPolicy: Always
         # ports:
         # {ports}
@@ -94,7 +94,7 @@
 spec:
   containers:
   - name: backend
-    image: quay.io/datawire/kat-backend:12
+    image: quay.io/datawire/kat-backend:13
     imagePullPolicy: Always
     ports:
     - containerPort: 8080
@@ -133,7 +133,7 @@
 spec:
   containers:
   - name: backend
-    image: quay.io/datawire/kat-backend:12
+    image: quay.io/datawire/kat-backend:13
     imagePullPolicy: Always
     ports:
     - containerPort: 8080
@@ -172,7 +172,7 @@
 spec:
   containers:
   - name: backend
-    image: quay.io/datawire/kat-backend:12
+    image: quay.io/datawire/kat-backend:13
     imagePullPolicy: Always
     ports:
     - containerPort: 8080