Bugfix issue 27877 jwt token with space is valid

[danieldradware]

…non base64 characters

Commit Message:
This PR should fix issue #27877
Additional Description:
New behavior isn't cutting characters after non base64 character
Now expected to get all token and then mark it as invalid jwt
All details in issue #27877
Risk Level:
Medium
Testing:
Added unit test
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
Fixes #27877
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[yanavlasov]

The spell checker is not happy: https://dev.azure.com/cncf/envoy/_build/results?buildId=144417&view=logs&j=c7de00aa-b0fb-52ba-707b-da6afd918eda&t=2ec0901d-43fb-521a-88ec-473706b56eab&l=45

[yanavlasov]

/wait

[nareddyt]

Is a runtime guard warranted for this change? https://github.com/envoyproxy/envoy/blob/main/CONTRIBUTING.md#runtime-guarding

Generally as a community we try to guard [...] most user-visible non-config-guarded changes to protocol processing (for example additions or changes to HTTP headers or how HTTP is serialized out) for non-alpha features. Feel free to tag @envoyproxy/maintainers if you aren't sure if a given change merits runtime guarding.

I'm slightly worried it will break runtime traffic for clients using it (https://www.hyrumslaw.com/). Though this is a very unique corner case and I doubt clients rely on this behavior. Either way, worth asking @envoyproxy/maintainers

[danieldradware]

RFC 7519 implies that adding non-Base64URL characters after a valid JWT token makes it invalid. Thus, if a the JWT is followed by a space and some Base64URL characters or just followed by non Base64URL characters like ### (without any space) it should be considered invalid.

[yanavlasov]

@danieldradware we agree with you that the current behavior is a bug. However there could be Envoy users who relied on this buggy behavior and if we just change it it will affect their system. To prevent this we add runtime override that would bring back old behavior. In 6 months this override is removed.

It is not very hard to add a runtime override. Please see PR #27974 for example.

[danieldradware]

Hi @yanavlasov
CI is pass, someone can review it?
Thanks in advance
Daniel

[yanavlasov]

/wait

[yanavlasov]

@danieldradware we agree with you that the current behavior is a bug. However there could be Envoy users who relied on this buggy behavior and if we just change it it will affect their system. To prevent this we add runtime override that would bring back old behavior. In 6 months this override is removed.

It is not very hard to add a runtime override. Please see PR #27974 for example.

[repokitteh-read-only]

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #28678 was synchronize by danieldradware.

see: more, trace.

[yanavlasov]

@danieldradware the runtime features require alphanumeric order

ERROR: From ./source/common/runtime/runtime_features.cc
ERROR: RUNTIME_GUARD(envoy_reloadable_features_http_reject_path_with_fragment); and RUNTIME_GUARD(envoy_reloadable_features_token_passed_entirely); are out of order

[yanavlasov]

Can you also add a test that check the behavior with the envoy.reloadable_features.token_passed_entirely == false, please? In this was it is certain that old behavior is still working with override. Look good otherwise.

/wait

[phlax]

@yanavlasov i think this is waiting on further review

/wait-any

[danieldradware]

Hi @yanavlasov @phlax
I saw there is a failure in pipeline cause network issue,
Can you please rerun only specific jobs that failures?
Thanks!

[danieldradware]

Hi @yanavlasov @phlax I saw there is a failure in pipeline cause network issue, Can you please rerun only specific jobs that failures? Thanks!

Thanks for rerun it.
Can you please approve the PR and merge it with main?

[yanavlasov]

/wait

[yanavlasov]

These runtime keys looks like result of a bad merge. Please remove them, since they are not part of this change.

[yanavlasov]

I was also looking for a test with the following in it:

      TestScopedRuntime scoped_runtime;
      scoped_runtime.mergeValues({{"envoy.reloadable_features.token_passed_entirely", "false"}});

that tests old behavior. Can you add a test like this please?

[danieldradware]

I was also looking for a test with the following in it:

      TestScopedRuntime scoped_runtime;
      scoped_runtime.mergeValues({{"envoy.reloadable_features.token_passed_entirely", "false"}});

that tests old behavior. Can you add a test like this please?

Hi @yanavlasov
Sure I already added unit test to test the old behavior, you can see it at:test/extensions/filters/http/jwt_authn/extractor_runtime_guard_test.cc and BUILD file that contain: args = ["--runtime-feature-disable-for-tests=envoy.reloadable_features.token_passed_entirely"],

[danieldradware]

Can you please rerun Linux arm64 section?
Thanks!

[zirain]

/retest

[danieldradware]

Hi @yanavlasov
Can you please remove "change requested" action? (I already pushed all changed you asked from me).

BTW who can give to this PR an approval?

Thanks a lot
Daniel