Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bug determining jwt validity due to incorrect computation of system timestamp and provide configuration option to allow for timely slack in token validity #10753

Closed
wants to merge 16 commits into from

Conversation

fscz
Copy link

@fscz fscz commented Apr 13, 2020

Please see the following issue in istio:

istio/istio#22750

@fscz fscz requested a review from lizan as a code owner April 13, 2020 19:24
// (for another 1 seconds), forwards the request to Istio Ingressgateway and subsequently
// to some pod with an envoy sidecar. Meanwhile, 0.1 seconds have passed and when envoy checks
// the token it finds that it has expired.
const uint64_t unix_timestamp = absl::ToUnixSeconds(absl::Now()) - 5;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am fine with change to use absl::ToUnixSeconds(absl::Now()).

But I don't like "- 5" part, it seems like a hack to solve your particular problem

BTW, even you passed this check, there is another check in verifyJwt which is calling this code here
https://github.com/google/jwt_verify_lib/blob/master/src/verify.cc#L163

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The specific amount of slack is debatable. However, I don't think there is any doubt that there is a general need for some slack. Whatever part of an authn system (be it AWS ALB or https://istio.io/blog/2019/app-identity-and-access-adapter/) that refreshes access tokens has to check if the current token is still valid. Finally, istio-proxy validates the token again and the time between these two validation events is the time needed as slack.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we make the amount configurable?

Copy link
Contributor

@qiwzhang qiwzhang Apr 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I like this idea. Let us make it configurable from filter config. Please see my other comments.

@@ -100,6 +100,10 @@ class AuthenticatorImpl : public Logger::Loggable<Logger::Id::jwt>,
const bool is_allow_failed_;
const bool is_allow_missing_;
TimeSource& time_source_;

// allow 5 seconds of slack when determining token expery
const uint64_t jwt_exp_slack = 5;
Copy link
Contributor

@qiwzhang qiwzhang Apr 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is better to config this slack time from filter config. If default is 0, it will not change existing behaviors.

We can add two fields:

exp_slack: // now <= exp + exp_slack
bnf_slack: // now >= bnf - bnf_slack

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do I use filter config?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. add new fields in Provider

  2. you can get provider() as

jwks_data_->getJwtProvider()

as in line

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Working on it. Think I need a proper build environment. Is there some documentation to set it up?
Can't find it in https://github.com/envoyproxy/envoy/

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can check out this developer doc

The easiest way is to use docker

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah. Good. Will do the docker thingy.


// allow 5 seconds of slack when determining token expery
const uint64_t jwt_exp_slack = 5;
uint64_t now;
Copy link
Contributor

@qiwzhang qiwzhang Apr 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not need to add anything to class members.

@@ -239,7 +243,7 @@ void AuthenticatorImpl::onDestroy() {

// Verify with a specific public key.
void AuthenticatorImpl::verifyKey() {
const Status status = ::google::jwt_verify::verifyJwt(*jwt_, *jwks_data_->getJwksObj());
const Status status = ::google::jwt_verify::verifyJwt(*jwt_, *jwks_data_->getJwksObj(), now - jwt_exp_slack);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to double check the exp an bnf here. My suggestion is:

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Err. Are you sure? jwt_verify_lib isn't an Istio thing, is it?

@repokitteh-read-only
Copy link

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/.

🐱

Caused by: #10753 was synchronize by fscz.

see: more, trace.

// The two below fields define the amount of slack in seconds that will be used
// when determining if a JWT is valid or has expired. Validity is determined by
// the formula: VALID_FROM("iat") - nbf_slack_slack <= NOW <= VALID_TO("exp") + exp_slack.
int64 nbf_slack = 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can use int32. Please check out this protobuf guide

default value for int32 is 0 in protobuf, not need to specify it

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, in Envoy we override Google style and prefer uint32 :)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless there are absolute high-performance needs (which we don't have here) you should always make values explicit. This is clear to anyone without further poking any documentation.

// Consider the following case:
// AWS ALB receives a request and determines that the existing access token is valid
// (for another 1 seconds), forwards the request to Istio Ingressgateway and subsequently
// to some pod with an envoy sidecar. Meanwhile, 0.1 seconds have passed and when envoy checks
// the token it finds that it has expired.
now = absl::ToUnixSeconds(absl::Now());
const uint64_t now = absl::ToUnixSeconds(absl::Now());
const int64_t nbf_slack = jwks_data_->getJwtProvider().nbf_slack();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

jwks_data_ is only assigned in line 186, you have to move this code after that.

// If the nbf claim does *not* appear in the JWT, then the nbf field is defaulted
// to 0.
if (jwt_->nbf_ > now) {
if (jwt_->nbf_ - nbf_slack > now) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

be careful about signed and unsigned comparison here. Normally, nbf_ is 0.
change it to

if (nbf_ > now + nbf_clack) will avoid the sign integer issue

doneWithStatus(Status::JwtNotYetValid);
return;
}
// If the exp claim does *not* appear in the JWT then the exp field is defaulted
// to 0.
if (jwt_->exp_ > 0 && jwt_->exp_ < now - jwt_exp_slack) {
if (jwt_->exp_ > 0 && jwt_->exp_ - exp_slack < now) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change it to .... && exp_ < now - exp_slack
is easier to read

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do I get exp_slack and nbf_slack from the 'jwks_data_' that I have?

Copy link
Member

@htuch htuch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution. This change looks pretty gnarly from a security perspective, glad to have @qiwzhang doing first pass (appreciated). Can you also update to a more meaningful title?

// The two below fields define the amount of slack in seconds that will be used
// when determining if a JWT is valid or has expired. Validity is determined by
// the formula: VALID_FROM("iat") - nbf_slack_slack <= NOW <= VALID_TO("exp") + exp_slack.
int64 nbf_slack = 0;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, in Envoy we override Google style and prefer uint32 :)


// The two below fields define the amount of slack in seconds that will be used
// when determining if a JWT is valid or has expired. Validity is determined by
// the formula: VALID_FROM("iat") - nbf_slack_slack <= NOW <= VALID_TO("exp") + exp_slack.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where does this formula come from? RFC?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This formula is about token validity and it is not mentioned in https://tools.ietf.org/html/rfc6749. But let me make my case:
///////////////////////////////////////////////////
Some load balancer performinc OIDC authentication receives a request and determines that the existing access token is valid (for another 1 second). It forwards the request to Istio Ingressgateway and subsequently to some pod with an envoy sidecar. Meanwhile,
1 second has passed and when envoy checks the token it finds that it has expired.
///////////////////////////////////////////////////

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

About int32/uint32: I think we should use int32 since what we are trying to do here is provide a configuration option to users. If someone f.e. wants to use nbf_slack = -60 in order to ensure that tokens are valid, starting one minute into the future after their time of issue - why not?

@@ -9,6 +9,8 @@
#include "jwt_verify_lib/check_audience.h"
#include "jwt_verify_lib/status.h"

#include "absl/time/clock.h"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have any regression or unit/integration tests for this?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests? Jeeze. What roughnecked thinking. No, seriously. This is my first contribution here and I wasn't actually planning on going through by myself. Anyways, I don't mind at all doing it but need to get set up with a proper build environment to do real work. The coming weekend seems a good time to do so.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah heck, here I am working already.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This header is not needed any more. please remove it

@fscz fscz changed the title check jwt exp using abseil Fix bug determining jwt validity due to incorrect computation of system timestamp and provide configuration option to allow for timely slack in token validity Apr 16, 2020
// existing access token is valid (for another 1 second). It forwards the request to Istio Ingressgateway
// and subsequently to some pod with an envoy sidecar. Meanwhile, 1 second has passed and when envoy checks
// the token it finds that it has expired.
uint32 nbf_slack = 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In protobuf: it is

type field_name = field_index;

field_index has to be unique for all fields in a message.

There is not way to default default value in protobuf. default value is determined by the type


// If the nbf claim does *not* appear in the JWT, then the nbf field is defaulted
// to 0.
if (jwt_->nbf_ - nbf_slack > now) {
if (now < jwt_->nbf_ + nbf_slack) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should it be

now < nbf_ - nbf_slack

you want the jwt to be ready ahead of nbf time. Is that right?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reflecting on that idea, I think that any use cases for this come down to machines running with incorrect system time and I don't see why we should account for that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, then

@@ -16,7 +16,7 @@ envoy_cc_library(
":context_lib",
"//source/common/http:utility_lib",
"//source/common/protobuf",
"@com_google_cel_cpp//eval/public:builtin_func_registrar",
#"@com_google_cel_cpp//eval/public:builtin_func_registrar",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why this change?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

never mind. was accidental. has been changed back.

@@ -30,7 +30,7 @@ envoy_cc_library(
"//source/common/common:minimal_logger_lib",
"//source/common/config:datasource_lib",
"//source/common/protobuf:utility_lib",
"@envoy_api//envoy/extensions/filters/http/jwt_authn/v3:pkg_cc_proto",
"@envoy_api//envoy/extensions/filters/http/jwt_authn/v3:pkg_cc_proto",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove trailing space

@@ -237,7 +244,7 @@ void AuthenticatorImpl::onDestroy() {

// Verify with a specific public key.
void AuthenticatorImpl::verifyKey() {
const Status status = ::google::jwt_verify::verifyJwt(*jwt_, *jwks_data_->getJwksObj());
const Status status = ::google::jwt_verify::verifyJwtWithoutTimeChecking(*jwt_, *jwks_data_->getJwksObj());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to get the latest jwt_verify_lib here:

By change its SHA, and sha256.

the sha256 sum is by: downloading that .tar.gz file, and run sha256sum on the file.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do I get the current .tar.gz file. As I understand, the file
https://github.com/google/jwt_verify_lib/archive/40e2cc938f4bcd059a97dc6c73f59ecfa5a71bac.tar.gz

is outdated. But how do I get the new one?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the new sha is: b5b3b4ed8611b1eea8764845381e60becc7b0b43

the file is https://github.com/google/jwt_verify_lib/archive/b5b3b4ed8611b1eea8764845381e60becc7b0b43.tar.gz

sha256 is: 21b9fd9fb8714cb199a823a4c01cf6665bdd42b62137348707dee51714797dfc

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please also update the date in the comment field

@fscz
Copy link
Author

fscz commented Apr 16, 2020

I am using
./ci/run_envoy_docker.sh 'ci/do_circle_ci.sh bazel.coverage'

to build/test locally but it takes ages. Is that correct? See log below

./ci/run_envoy_docker.sh 'ci/do_circle_ci.sh bazel.coverage'
disk space at beginning of build:
Filesystem Size Used Avail Use% Mounted on
overlay 59G 51G 5.3G 91% /
tmpfs 64M 0 64M 0% /dev
tmpfs 995M 0 995M 0% /sys/fs/cgroup
shm 64M 0 64M 0% /dev/shm
osxfs 1.6T 637G 883G 42% /source
osxfs 1.6T 637G 883G 42% /build
/dev/sda1 59G 51G 5.3G 91% /etc/hosts
overlay 995M 1012K 994M 1% /run/docker.sock
tmpfs 995M 0 995M 0% /proc/acpi
tmpfs 995M 0 995M 0% /sys/firmware
No remote cache bucket is set, skipping setup remote cache.
ENVOY_SRCDIR=/source
ENVOY_BUILD_TARGET=//source/exe:envoy-static
2020/04/16 21:48:07 Downloading https://releases.bazel.build/2.2.0/release/bazel-2.2.0-linux-x86_64...
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Starting local Bazel server and connecting to it...
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
HEAD is now at c6c986c... http: fix types (#118)
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
building using 8 CPUs
clang toolchain with libc++ configured
bazel coverage build with tests //test/...
Starting run_envoy_bazel_coverage.sh...
PWD=/source
SRCDIR=/source
VALIDATE_COVERAGE=true
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 1 packages loaded
currently loading: test/extensions/filters/udp/udp_proxy ... (198 packages)
Loading: 199 packages loaded
Loading: 199 packages loaded
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Loading: 0 packages loaded
Loading: 1 packages loaded
Loading: 2 packages loaded
Loading: 2 packages loaded
Generated coverage BUILD file at: /source/test/coverage/BUILD
$TEST_TMPDIR defined: output root default is '/build/tmp' and max_idle_secs default is '15'.
WARNING: The following rc files are no longer being read, please transfer their contents or import their path into one of the standard rc files:
/source/tools/bazel.rc
Analyzing: target //test/coverage:coverage_tests (1021 packages loaded, 26065 targets configured)
curren

@@ -187,7 +187,7 @@ REPOSITORY_LOCATIONS = dict(
strip_prefix = "jwt_verify_lib-40e2cc938f4bcd059a97dc6c73f59ecfa5a71bac",
# 2020-02-11
urls = ["https://github.com/google/jwt_verify_lib/archive/40e2cc938f4bcd059a97dc6c73f59ecfa5a71bac.tar.gz"],
),
)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

?

// existing access token is valid (for another 1 second). It forwards the request to Istio Ingressgateway
// and subsequently to some pod with an envoy sidecar. Meanwhile, 1 second has passed and when envoy checks
// the token it finds that it has expired.
const uint64_t now = absl::ToUnixSeconds(absl::Now());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't use absl::Now but use time from timeSource().systemTime(), this will make test easier by providing mock time.

@lizan
Copy link
Member

lizan commented Apr 17, 2020

coverage CI are a bit flaky now so don't worry for now, can you fix format to see if other CI is green?


// The two below fields define the amount of slack in seconds that will be used
// when determining if a JWT is valid or has expired. Validity is determined by
// the formula: VALID_FROM("iat") + nbf_slack <= NOW <= VALID_TO("exp") + exp_slack
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/iat/nbf

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still seeing this:

source/extensions/filters/http/jwt_authn/authenticator.cc:172:59: error: no member named 'nbf_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t nbf_slack = jwks_data_->getJwtProvider().nbf_slack();
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
source/extensions/filters/http/jwt_authn/authenticator.cc:173:59: error: no member named 'exp_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t exp_slack = jwks_data_->getJwtProvider().exp_slack();

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, make sure this modified proto files are compiled. by

bazel build //api/...

for docker run: you need to run this command "bazel.api"

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@@ -9,6 +9,8 @@
#include "jwt_verify_lib/check_audience.h"
#include "jwt_verify_lib/status.h"

#include "absl/time/clock.h"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This header is not needed any more. please remove it

@fscz
Copy link
Author

fscz commented Apr 27, 2020

Bump:
I get a compilation error

source/extensions/filters/http/jwt_authn/authenticator.cc:172:59: error: no member named 'nbf_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t nbf_slack = jwks_data_->getJwtProvider().nbf_slack();

source/extensions/filters/http/jwt_authn/authenticator.cc:173:59: error: no member named 'exp_slack' in 'envoy::extensions::filters::http::jwt_authn::v3::JwtProvider'
const uint32_t exp_slack = jwks_data_->getJwtProvider().exp_slack();

as output from https://circleci.com/gh/envoyproxy/envoy/338165?utm_campaign=workflow-failed&utm_medium=email&utm_source=notification

@lizan
Copy link
Member

lizan commented Apr 27, 2020

Please fix the format, the format check including api_shadow generation, if api_shadow is not reflecting your change, it results the compilation error you see.

@stale
Copy link

stale bot commented May 6, 2020

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@stale stale bot added the stale stalebot believes this issue/PR has not been touched recently label May 6, 2020
@fscz
Copy link
Author

fscz commented May 6, 2020

Please fix the format, the format check including api_shadow generation, if api_shadow is not reflecting your change, it results the compilation error you see.

How do I fix the format? Is there some guide that I can follow?

@stale stale bot removed the stale stalebot believes this issue/PR has not been touched recently label May 6, 2020
@qiwzhang
Copy link
Contributor

qiwzhang commented May 6, 2020

I think you can run "fix_format" command

@repokitteh-read-only
Copy link

CC @envoyproxy/api-watchers: FYI only for changes made to api/.

🐱

Caused by: #10753 was synchronize by fscz.

see: more, trace.

@fscz
Copy link
Author

fscz commented May 7, 2020

Ok. After fix format coverage tests still fail.
See https://circleci.com/gh/envoyproxy/envoy/343381?utm_campaign=workflow-failed&utm_medium=email&utm_source=notification

I think the most relevant part is:
`
[----------] 1 test from ExtractorTest
[ RUN ] ExtractorTest.TestPrefixHeaderNotMatch
#0 Envoy::SignalAction::sigHandler() [0x10ccb5b4]
#1 __restore_rt [0x7f7bfea51390]
#2 Envoy::Config::(anonymous namespace)::annotateWithOriginalType()::TypeAnnotatingProtoVisitor::onField() [0x1180e588]
#3 Envoy::ProtobufMessage::traverseMutableMessage() [0x11b69aad]
#4 Envoy::ProtobufMessage::traverseMutableMessage() [0x11b69be4]
#5 Envoy::ProtobufMessage::traverseMutableMessage() [0x11b69b6b]
#6 Envoy::Config::(anonymous namespace)::annotateWithOriginalType() [0x1180d883]
#7 Envoy::Config::VersionConverter::upgrade() [0x1180d6e6]
#8 Envoy::(anonymous namespace)::tryWithApiBoosting() [0x10cd0756]
#9 Envoy::MessageUtil::loadFromJson() [0x10cd05bb]
#10 Envoy::(anonymous namespace)::jsonConvertInternal() [0x10cd105e]
#11 Envoy::MessageUtil::loadFromYaml() [0x10cd09bc]
#12 Envoy::TestUtility::loadFromYaml() [0x62071bf]
#13 Envoy::Extensions::HttpFilters::JwtAuthn::(anonymous namespace)::ExtractorTest::SetUp() [0xa22fbc2]
#14 testing::internal::HandleSehExceptionsInMethodIfSupported<>() [0x12108f66]
#15 testing::internal::HandleExceptionsInMethodIfSupported<>() [0x120f5531]
#16 testing::Test::Run() [0x120dfd85]
#17 testing::TestInfo::Run() [0x120e0908]
#18 testing::TestSuite::Run() [0x120e1079]
#19 testing::internal::UnitTestImpl::RunAllTests() [0x120ee086]
#20 testing::internal::HandleSehExceptionsInMethodIfSupported<>() [0x1210de06]
#21 testing::internal::HandleExceptionsInMethodIfSupported<>() [0x120f8351]
#22 testing::UnitTest::Run() [0x120edad0]
#23 RUN_ALL_TESTS() [0x10671e45]
#24 Envoy::TestRunner::RunTests() [0x10671546]
#25 main [0x1066f877]
#26 __libc_start_main [0x7f7bfe696830]
external/bazel_tools/tools/test/collect_coverage.sh: line 131: 23945 Segmentation fault (core dumped) "$@"

  • TEST_STATUS=139
  • touch /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/5345/execroot/envoy/bazel-out/k8-fastbuild/testlogs/test/coverage/coverage_tests/shard_26_of_50/coverage.dat
  • [[ 139 -ne 0 ]]
  • echo --
    --
  • echo Coverage runner: Not collecting coverage for failed test.
    Coverage runner: Not collecting coverage for failed test.
  • echo The following commands failed with status 139
    The following commands failed with status 139
  • echo /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/5345/execroot/envoy/bazel-out/k8-fastbuild/bin/test/coverage/coverage_tests.runfiles/envoy/test/coverage/coverage_tests --gmock_default_mock_behavior=2 '--log-path /dev/null' '-l trace'
    /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/sandbox/processwrapper-sandbox/5345/execroot/envoy/bazel-out/k8-fastbuild/bin/test/coverage/coverage_tests.runfiles/envoy/test/coverage/coverage_tests --gmock_default_mock_behavior=2 --log-path /dev/null -l trace
  • exit 139
    ================================================================================
    FAIL: //test/coverage:coverage_tests (shard 25 of 50) (see /build/tmp/_bazel_bazel/b570b5ccd0454dc9af9f65ab1833764d/execroot/envoy/bazel-out/k8-fastbuild/testlogs/test/coverage/coverage_tests/shard_25_of_50/test.log)

FAILED: //test/coverage:coverage_tests (Summary)`

@stale
Copy link

stale bot commented May 15, 2020

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@stale stale bot added the stale stalebot believes this issue/PR has not been touched recently label May 15, 2020
@fscz
Copy link
Author

fscz commented May 15, 2020

Bump. Come on guys. Let's get this through. This should really be fixed.

@stale stale bot removed the stale stalebot believes this issue/PR has not been touched recently label May 15, 2020
@stale
Copy link

stale bot commented May 22, 2020

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@stale stale bot added the stale stalebot believes this issue/PR has not been touched recently label May 22, 2020
@stale
Copy link

stale bot commented May 30, 2020

This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

@stale stale bot closed this May 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
api stale stalebot believes this issue/PR has not been touched recently
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants