ext_authz: support response headers on OK authorization checks #14514
Conversation
Signed-off-by: John Esmet <john.esmet@gmail.com>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
|
I'm pulling this out of draft to start getting feedback. I still need to take a pass at the docs and see if/how we can document this feature. |
|
/lgtm api |
…-on-success Signed-off-by: John Esmet <john.esmet@gmail.com>
|
@dio CI is green and this is now ready for your critical review, if you don't mind :) |
| @@ -70,6 +70,7 @@ New Features | |||
| * config: added ability to flush stats when the admin's :ref:`/stats endpoint <operations_admin_interface_stats>` is hit instead of on a timer via :ref:`stats_flush_on_admin <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.stats_flush_on_admin>`. | |||
| * config: added new runtime feature `envoy.features.enable_all_deprecated_features` that allows the use of all deprecated features. | |||
| * crash support: added the ability to dump L4 connection data on crash. | |||
| * ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. | |||
There was a problem hiding this comment.
While it is in the same spirit, seems like we have two changes here, for gRPC and HTTP implementation. I'm OK to have this in the same PR. For completeness, we need integration tests, since it involves response from the "external service". WDYT?
There was a problem hiding this comment.
I'll add another changelog line to capture both the HTTP and gRPC service changes.
I'll look into what it'll take to add an integration test 👍
There was a problem hiding this comment.
I took a look and there seems to be an established precedent that other similar features (e.g. allowed_client_headers for HTTP, request_headers_to_add for gRPC, and others) are tested using unit tests and appropriate mocks. I think that if unit tests are OK for those features, they should be good for this one as well. Do you agree?
Having said that, I don't think there are any integration tests for ext_authz (or if there are, I can't find them) so maybe I should look into following up with some work to add those tests down the road. Maybe I'll look at the coverage report to decide if that's worth it.
There was a problem hiding this comment.
I think we need to have an integration test to make sure that, for gRPC implementation, when we do sendExtAuthzResponse (this is done by the authorization service) with this response_headers_to_add set, the downstream client receives it.
The same applies to the HTTP one, waitForExtAuthzRequest should provide response header entries that are allowed to be forwarded, and are inserted to response_->headers().
There was a problem hiding this comment.
Ok I'll give that a try
There was a problem hiding this comment.
I now see the integration test for ext_authz - don't know how I missed that before.
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
…success Signed-off-by: John Esmet <john.esmet@gmail.com>
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
…success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
I added an integration test. Please take a look and let me know what you think. |
| @@ -626,6 +640,38 @@ TEST_P(ExtAuthzGrpcIntegrationTest, DenyAtDisableWithMetadata) { | |||
| expectFilterDisableCheck(/*deny_at_disable=*/true, /*disable_with_metadata=*/true, "403"); | |||
| } | |||
|
|
|||
| TEST_P(ExtAuthzGrpcIntegrationTest, DownstreamHeadersOnSuccess) { | |||
| XDS_DEPRECATED_FEATURE_TEST_SKIP; | |||
| // Set up ext_authz filter | |||
There was a problem hiding this comment.
Super nit: Some comment lines missing "." at the end.
| const auto expected_headers = TestCommon::makeHeaderValueOption( | ||
| {{":status", "200", false}, {"x-downstream-ok", "1", false}, {"x-upstream-ok", "1", false}}); | ||
| const auto authz_response = TestCommon::makeAuthzResponse( | ||
| CheckStatus::OK, Http::Code::OK, "", TestCommon::makeHeaderValueOption({}), |
Signed-off-by: John Esmet <john.esmet@gmail.com>
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
|
/retest |
|
Retrying Azure Pipelines: |
…proxy#14514) Support adding response headers on OK authorization checks from ext_authz Commit Message: ext_authz: support response headers on OK authorization checks Additional Description: Risk Level: low (opt-in feature, does nothing by default) Testing: Added code to existing unit tests Docs Changes: API protos documented Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. Platform Specific Features: Fixes envoyproxy#7986 Signed-off-by: John Esmet <john.esmet@gmail.com>
…proxy#14514) Support adding response headers on OK authorization checks from ext_authz Commit Message: ext_authz: support response headers on OK authorization checks Additional Description: Risk Level: low (opt-in feature, does nothing by default) Testing: Added code to existing unit tests Docs Changes: API protos documented Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. Platform Specific Features: Fixes envoyproxy#7986 Signed-off-by: John Esmet <john.esmet@gmail.com>
…proxy#14514) Support adding response headers on OK authorization checks from ext_authz Commit Message: ext_authz: support response headers on OK authorization checks Additional Description: Risk Level: low (opt-in feature, does nothing by default) Testing: Added code to existing unit tests Docs Changes: API protos documented Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. Platform Specific Features: Fixes envoyproxy#7986 Signed-off-by: John Esmet <john.esmet@gmail.com>
Support adding response headers on OK authorization checks from ext_authz
Commit Message: ext_authz: support response headers on OK authorization checks
Additional Description:
Risk Level: low (opt-in feature, does nothing by default)
Testing: Added code to existing unit tests
Docs Changes: API protos documented
Release Notes: ext_authz: added :ref:
response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>to support sending response headers to downstream clients on OK external authorization checks.Platform Specific Features:
Fixes #7986