Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rbac: Add support for specifying a HTTP status code for RBAC denial responses #34126

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

rbac: Add support for specifying a HTTP status code for RBAC denial responses #34126

wants to merge 4 commits into from

Conversation

jacobneiltaylor
Copy link
Contributor

@jacobneiltaylor jacobneiltaylor commented May 14, 2024
edited by ravenblackx

Commit Message: "rbac: Add support for specifying a HTTP status code for RBAC denial responses"
Additional Description: Added deny_status field to extensions.filters.http.rbac.v3.RBAC to allow the HTTP status code for the RBAC denial response to be configured.
Risk Level: low
Testing: Added unit and integration tests
Docs Changes: Updated comments in proto file.
Release Notes: Added :ref:deny_status <envoy_v3_api_msg_extensions.filters.http.rbac.v3.RBAC.deny_status> to allow the HTTP status code for the RBAC denial response to be configured.
Platform Specific Features: N/A
Fixes: #34127

@jacobneiltaylor
rbac: Add support for specifying a HTTP status code for RBAC denial r…
ff67fab 
…esponses

Signed-off-by: Jacob Neil Taylor <jacobneiltaylor@canva.com>
@repokitteh-read-only RepoKitteh - Read Only
Copy link

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #34126 was opened by jacobneiltaylor.

see: more, trace.

@jacobneiltaylor jacobneiltaylor mentioned this pull request May 14, 2024
Open
@jacobneiltaylor
Fix formatting and Sphinx
cbae640 
Signed-off-by: Jacob Neil Taylor <jacobneiltaylor@canva.com>
@jacobneiltaylor
Copy link
Contributor Author

jacobneiltaylor commented May 14, 2024
edited

Rationale for this change is documented in the associated issue.

@jacobneiltaylor
Fix proto validation
7559d11 
Signed-off-by: Jacob Neil Taylor <jacobneiltaylor@canva.com>
@jacobneiltaylor
Fix proto format
988d9b9 
Signed-off-by: Jacob Neil Taylor <jacobneiltaylor@canva.com>
@ravenblackx
Copy link
Contributor

Ping @markdroth for api shepherding

@markdroth
Copy link
Contributor

/lgtm api

@jacobneiltaylor
Copy link
Contributor Author

Does this need to be assigned to @yanavlasov ?

kyessenov
kyessenov reviewed May 29, 2024
View reviewed changes
source/extensions/filters/http/rbac/rbac_filter.cc
if (deny_status == 0) {
return Http::Code::Forbidden;
}
return static_cast<Http::Code>(deny_status);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is undefined behavior since you're casting from uint32_t to enum class over uint16_t. Maybe use

envoy/api/envoy/type/v3/http_status.proto

Line 138 in e543e1c

message HttpStatus {
?

kyessenov
kyessenov reviewed May 29, 2024
View reviewed changes
source/extensions/filters/http/rbac/rbac_filter.cc
@@ -65,6 +72,7 @@ RoleBasedAccessControlFilterConfig::RoleBasedAccessControlFilterConfig(
proto_config.shadow_rules_stat_prefix(), scope)),
shadow_rules_stat_prefix_(proto_config.shadow_rules_stat_prefix()),
per_rule_stats_(proto_config.track_per_rule_stats()),
deny_status_(getDenyStatus(proto_config.deny_status())),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe explicitly do a static cast to uint16_t for the argument? I think the overflow never really happens but the sanitizers will probably complain if you implicitly convert values.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kyessenov kyessenov kyessenov left review comments

@yanavlasov yanavlasov Awaiting requested review from yanavlasov yanavlasov is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@kyessenov kyessenov

@markdroth markdroth

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Allow for custom HTTP response codes from RBAC denials
4 participants
@jacobneiltaylor @ravenblackx @markdroth @kyessenov