internal/dag: default the authorization response timeout (projectcont…

…our#3026)

If the authorization spec on the virtual host doesn't set the response
timeout, default it from the corresponding `ExtensionService`.

This fixes projectcontour#3025.

Signed-off-by: James Peach <jpeach@vmware.com>

internal/dag/httpproxy_processor.go

@@ -265,11 +265,16 @@ func (p *HTTPProxyProcessor) computeHTTPProxy(proxy *contour_api_v1.HTTPProxy) {
 
 				timeout, err := timeout.Parse(auth.ResponseTimeout)
 				if err != nil {
-					validCond.AddErrorf("AuthError", "AuthReponseTimeoutInvalid",
+					validCond.AddErrorf("AuthError", "AuthResponseTimeoutInvalid",
 						"Spec.Virtualhost.Authorization.ResponseTimeout is invalid: %s", err)
 					return
 				}
-				svhost.AuthorizationResponseTimeout = timeout
+
+				if timeout.UseDefault() {
+					svhost.AuthorizationResponseTimeout = ext.TimeoutPolicy.ResponseTimeout
+				} else {
+					svhost.AuthorizationResponseTimeout = timeout
+				}
 			}
 		}
 	}

internal/featuretests/v2/authorization_test.go

@@ -36,6 +36,8 @@ import (
 	"k8s.io/client-go/tools/cache"
 )
 
+const defaultResponseTimeout = time.Minute * 60
+
 func grpcCluster(name string) *envoy_config_filter_http_ext_authz_v2.ExtAuthz_GrpcService {
 	return &envoy_config_filter_http_ext_authz_v2.ExtAuthz_GrpcService{
 		GrpcService: &envoy_api_v2_core.GrpcService{
@@ -44,6 +46,7 @@ func grpcCluster(name string) *envoy_config_filter_http_ext_authz_v2.ExtAuthz_Gr
 					ClusterName: name,
 				},
 			},
+			Timeout: protobuf.Duration(defaultResponseTimeout),
 		},
 	}
 }
@@ -76,6 +79,7 @@ func authzResponseTimeout(t *testing.T, rh cache.ResourceEventHandler, c *Contou
 		TypeUrl: listenerType,
 		Resources: resources(t,
 			defaultHTTPListener(),
+
 			&envoy_api_v2.Listener{
 				Name:    "ingress_https",
 				Address: envoy_v2.SocketAddress("0.0.0.0", 8443),
@@ -104,6 +108,7 @@ func authzResponseTimeout(t *testing.T, rh cache.ResourceEventHandler, c *Contou
 				},
 				SocketOptions: envoy_v2.TCPKeepaliveSocketOptions(),
 			},
+
 			staticListener()),
 	}).Status(p).Like(contour_api_v1.HTTPProxyStatus{
 		CurrentStatus: string(status.ProxyStatusValid),
@@ -131,13 +136,10 @@ func authzInvalidResponseTimeout(t *testing.T, rh cache.ResourceEventHandler, c
 
 	rh.OnAdd(p)
 
-	cluster := grpcCluster("extension/auth/extension")
-	cluster.GrpcService.Timeout = protobuf.Duration(10 * time.Minute)
-
 	c.Request(listenerType).Equals(&envoy_api_v2.DiscoveryResponse{
 		TypeUrl:   listenerType,
 		Resources: resources(t, staticListener()),
-	}).Status(p).HasError("AuthError", "AuthReponseTimeoutInvalid", `Spec.Virtualhost.Authorization.ResponseTimeout is invalid: unable to parse timeout string "invalid-timeout": time: invalid duration "invalid-timeout"`)
+	}).Status(p).HasError("AuthError", "AuthResponseTimeoutInvalid", `Spec.Virtualhost.Authorization.ResponseTimeout is invalid: unable to parse timeout string "invalid-timeout": time: invalid duration "invalid-timeout"`)
 }
 
 func authzFailOpen(t *testing.T, rh cache.ResourceEventHandler, c *Contour) {
@@ -549,6 +551,9 @@ func TestAuthorization(t *testing.T) {
 					Services: []v1alpha1.ExtensionServiceTarget{
 						{Name: "oidc-server", Port: 8081},
 					},
+					TimeoutPolicy: &contour_api_v1.TimeoutPolicy{
+						Response: defaultResponseTimeout.String(),
+					},
 				},
 			})