ext_authz: do the authentication even the direct response is set #17546
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/wait waiting for #17449 merged |
dmitri-d
reviewed
Jul 30, 2021
| @@ -374,7 +374,10 @@ void Filter::continueDecoding() { | |||
| } | |||
|
|
|||
| Filter::PerRouteFlags Filter::getPerRouteFlags(const Router::RouteConstSharedPtr& route) const { | |||
| if (route == nullptr || route->routeEntry() == nullptr) { | |||
| if (route == nullptr || | |||
| (!Runtime::runtimeFeatureEnabled( | |||
There was a problem hiding this comment.
Wouldn't this affect redirects too? Not sure if these be passed to ext_authz?
There was a problem hiding this comment.
thanks for the good point, I tested the redirect case, this change affect it.
@mattklein123 WDYT?
There was a problem hiding this comment.
Yeah I think it's correct to fix redirect also. You might want to rename the runtime flag and update the release notes?
/wait
mattklein123
requested changes
Aug 6, 2021
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com> Signed-off-by: He Jie Xu <hejie.xu@intel.com> Signed-off-by: xuhj <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
I added integration test for redirect and direct response case. The unittest cover those two cases since both of them return empty routeEntry |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
mattklein123
requested changes
Aug 9, 2021
| @@ -42,6 +42,7 @@ Bug Fixes | |||
| * access log: fix ``%UPSTREAM_CLUSTER%`` when used in http upstream access logs. Previously, it was always logging as an unset value. | |||
| * aws request signer: fix the AWS Request Signer extension to correctly normalize the path and query string to be signed according to AWS' guidelines, so that the hash on the server side matches. See `AWS SigV4 documentaion <https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html>`_. | |||
| * cluster: delete pools when they're idle to fix unbounded memory use when using PROXY protocol upstream with tcp_proxy. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.conn_pool_delete_when_idle`` runtime guard to false. | |||
| * ext_authz: fixed skipping authentication when using returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. | |||
There was a problem hiding this comment.
Suggested change
| * ext_authz: fixed skipping authentication when using returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. | |
| * ext_authz: fixed skipping authentication when returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
|
Sorry I think you need another main merge. :( /wait |
haha, no worries, let me do a main merge |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
mattklein123
approved these changes
Aug 10, 2021
ggreenway
reviewed
Aug 10, 2021
| @@ -42,6 +42,7 @@ Bug Fixes | |||
| * access log: fix ``%UPSTREAM_CLUSTER%`` when used in http upstream access logs. Previously, it was always logging as an unset value. | |||
| * aws request signer: fix the AWS Request Signer extension to correctly normalize the path and query string to be signed according to AWS' guidelines, so that the hash on the server side matches. See `AWS SigV4 documentaion <https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html>`_. | |||
| * cluster: delete pools when they're idle to fix unbounded memory use when using PROXY protocol upstream with tcp_proxy. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.conn_pool_delete_when_idle`` runtime guard to false. | |||
| * ext_authz: fixed skipping authentication when returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. | |||
There was a problem hiding this comment.
I think this should also be mentioned in "incompatible behavior changes". This behavior has been present for at least a few years, and I know some people are relying on the old behavior.
There was a problem hiding this comment.
that make sense, I can move it.
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Aug 11, 2021
* main: (687 commits) ci: set build debug information from env (envoyproxy#17635) ext_authz: do the authentication even the direct response is set (envoyproxy#17546) upstream: various cleanups in connection pool code (envoyproxy#17644) owners: promote Dmitry to maintainer (envoyproxy#17642) quiche: client session supports creating bidi stream (envoyproxy#17543) Update HTTP/2 METADATA documentation. (envoyproxy#17637) ext_proc: Check validity of the :status header (envoyproxy#17596) test: add ASSERT indicating that gRPC stream has not been started yet (envoyproxy#17614) ensure that the inline cookie header will be folded correctly (envoyproxy#17560) cluster_manager: Make ClusterEntry a class instead of a struct (envoyproxy#17616) owners: make Raúl a Thrift senior extension maintainer (envoyproxy#17641) quiche: update QUICHE dependency (envoyproxy#17618) Delete mock for removed RouteEntry::perFilterConfig() method (envoyproxy#17623) REPO_LAYOUT.md: fix outdated link (envoyproxy#17626) hcm: forbid use of detection extensions with use_remote_addr/xff_num_trusted_hops (envoyproxy#17558) thrift proxy: add request shadowing support (envoyproxy#17544) ext_proc: Ensure that timer is always cancelled (envoyproxy#17569) Proposal: Add CachePolicy interface to allow for custom cache behavior (envoyproxy#17362) proto: fix verify to point at v3 only (envoyproxy#17622) api: move generic matcher proto to its own package (envoyproxy#17096) ...
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Aug 16, 2021
* main: (687 commits) ci: set build debug information from env (envoyproxy#17635) ext_authz: do the authentication even the direct response is set (envoyproxy#17546) upstream: various cleanups in connection pool code (envoyproxy#17644) owners: promote Dmitry to maintainer (envoyproxy#17642) quiche: client session supports creating bidi stream (envoyproxy#17543) Update HTTP/2 METADATA documentation. (envoyproxy#17637) ext_proc: Check validity of the :status header (envoyproxy#17596) test: add ASSERT indicating that gRPC stream has not been started yet (envoyproxy#17614) ensure that the inline cookie header will be folded correctly (envoyproxy#17560) cluster_manager: Make ClusterEntry a class instead of a struct (envoyproxy#17616) owners: make Raúl a Thrift senior extension maintainer (envoyproxy#17641) quiche: update QUICHE dependency (envoyproxy#17618) Delete mock for removed RouteEntry::perFilterConfig() method (envoyproxy#17623) REPO_LAYOUT.md: fix outdated link (envoyproxy#17626) hcm: forbid use of detection extensions with use_remote_addr/xff_num_trusted_hops (envoyproxy#17558) thrift proxy: add request shadowing support (envoyproxy#17544) ext_proc: Ensure that timer is always cancelled (envoyproxy#17569) Proposal: Add CachePolicy interface to allow for custom cache behavior (envoyproxy#17362) proto: fix verify to point at v3 only (envoyproxy#17622) api: move generic matcher proto to its own package (envoyproxy#17096) ... Signed-off-by: Michael Puncel <mpuncel@squareup.com>
leyao-daily
pushed a commit
to leyao-daily/envoy
that referenced
this pull request
Sep 30, 2021
…oyproxy#17546) Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit Message: ext_authz: do the authentication even the direct response is set
Additional Description:
This PR fixed the case the authentication will be skipped when the direct response is set.
And add the runtime flag
envoy.reloadable_features.http_ext_authz_do_not_skip_direct_responseto enable therevert of this behavior.
Also fix the merge config behavior, ensure the virtual host's typed config will be merged when
the direct response is set.
Risk Level: low
Testing: unittest
Docs Changes: n/a
Release Notes: bug fixes note
Runtime guard: envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response
Fixes #17502
Related to #17377
Signed-off-by: He Jie Xu hejie.xu@intel.com