diff --git a/envoy/COMMIT b/envoy/COMMIT index 534b2db77..1c0ad23c3 100644 --- a/envoy/COMMIT +++ b/envoy/COMMIT @@ -1 +1 @@ -857107b72abdf62690b7a1c69f9a3684d57f5f3e +b9c4ff2da2a91feb263eda5f39bc7e8307a669ee diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go index 01cf73180..4174d6739 100755 --- a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go +++ b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go @@ -588,7 +588,6 @@ func (x *JwtCacheConfig) GetJwtCacheSize() uint32 { } // This message specifies how to fetch JWKS from remote and how to cache it. -// [#next-free-field: 6] type RemoteJwks struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -648,21 +647,6 @@ type RemoteJwks struct { // // If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background. RetryPolicy *v31.RetryPolicy `protobuf:"bytes,4,opt,name=retry_policy,json=retryPolicy,proto3" json:"retry_policy,omitempty"` - // Refetch JWKS if extracted JWT has no KID or a KID that does not match any cached JWKS's KID. - // - // In envoy, if :ref:`async JWKS fetching ` - // is enabled along with this field, then KID mismatch will trigger a new async fetch after appropriate backoff delay. - // - // If async fetching is disabled, new JWKS is fetched on demand and the cache is isolated to the fetched worker thread. - // - // There is exponential backoff built into this retrieval system for two cases to avoid DoS on JWKS Server: - // - // - If there is a request containing a JWT with no KID, a new fetch will be made for this request. Upon retrieval, - // a backoff will be triggered. - // - If there is a fetch due to KID mismatch, which results in a failed fetch or verification, a backoff will be triggered. - // - // During a backoff, no further fetches will be made due to KID mismatch. - RefetchJwksOnKidMismatch bool `protobuf:"varint,5,opt,name=refetch_jwks_on_kid_mismatch,json=refetchJwksOnKidMismatch,proto3" json:"refetch_jwks_on_kid_mismatch,omitempty"` } func (x *RemoteJwks) Reset() { @@ -725,13 +709,6 @@ func (x *RemoteJwks) GetRetryPolicy() *v31.RetryPolicy { return nil } -func (x *RemoteJwks) GetRefetchJwksOnKidMismatch() bool { - if x != nil { - return x.RefetchJwksOnKidMismatch - } - return false -} - // Fetch Jwks asynchronously in the main thread when the filter config is parsed. // The listener is activated only after the Jwks is fetched. // When the Jwks is expired in the cache, it is fetched again in the main thread. @@ -1940,7 +1917,7 @@ var file_envoy_extensions_filters_http_jwt_authn_v3_config_proto_rawDesc = []byt 0x72, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x22, 0x36, 0x0a, 0x0e, 0x4a, 0x77, 0x74, 0x43, 0x61, 0x63, 0x68, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0e, 0x6a, 0x77, 0x74, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, - 0x52, 0x0c, 0x6a, 0x77, 0x74, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x22, 0xc9, + 0x52, 0x0c, 0x6a, 0x77, 0x74, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x22, 0x89, 0x03, 0x0a, 0x0a, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b, 0x73, 0x12, 0x42, 0x0a, 0x08, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, @@ -1961,11 +1938,7 @@ var file_envoy_extensions_filters_http_jwt_authn_v3_config_proto_rawDesc = []byt 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x52, 0x65, 0x74, 0x72, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, - 0x0b, 0x72, 0x65, 0x74, 0x72, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x3e, 0x0a, 0x1c, - 0x72, 0x65, 0x66, 0x65, 0x74, 0x63, 0x68, 0x5f, 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x6f, 0x6e, 0x5f, - 0x6b, 0x69, 0x64, 0x5f, 0x6d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x05, 0x20, 0x01, - 0x28, 0x08, 0x52, 0x18, 0x72, 0x65, 0x66, 0x65, 0x74, 0x63, 0x68, 0x4a, 0x77, 0x6b, 0x73, 0x4f, - 0x6e, 0x4b, 0x69, 0x64, 0x4d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x3a, 0x3c, 0x9a, 0xc5, + 0x0b, 0x72, 0x65, 0x74, 0x72, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3c, 0x9a, 0xc5, 0x88, 0x1e, 0x37, 0x0a, 0x35, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x2e, diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go index d6c19e4e9..63b67162a 100755 --- a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go +++ b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go @@ -703,8 +703,6 @@ func (m *RemoteJwks) validate(all bool) error { } } - // no validation rules for RefetchJwksOnKidMismatch - if len(errors) > 0 { return RemoteJwksMultiError(errors) } diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go b/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go index 86f990249..cdb61288e 100755 --- a/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go +++ b/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go @@ -431,16 +431,6 @@ func (m *RemoteJwks) MarshalToSizedBufferVTStrict(dAtA []byte) (int, error) { i -= len(m.unknownFields) copy(dAtA[i:], m.unknownFields) } - if m.RefetchJwksOnKidMismatch { - i-- - if m.RefetchJwksOnKidMismatch { - dAtA[i] = 1 - } else { - dAtA[i] = 0 - } - i-- - dAtA[i] = 0x28 - } if m.RetryPolicy != nil { if vtmsg, ok := interface{}(m.RetryPolicy).(interface { MarshalToSizedBufferVTStrict([]byte) (int, error) @@ -1560,9 +1550,6 @@ func (m *RemoteJwks) SizeVT() (n int) { } n += 1 + l + protohelpers.SizeOfVarint(uint64(l)) } - if m.RefetchJwksOnKidMismatch { - n += 2 - } n += len(m.unknownFields) return n }