envoyproxy · ggreenway · May 13, 2024 · Apr 1, 2024 · May 9, 2024
@@ -95,13 +95,14 @@ envoy_proto_library(
         "//test/fuzz:common_proto",
         "@envoy_api//envoy/config/core/v3:pkg",
         "@envoy_api//envoy/extensions/filters/http/ext_authz/v3:pkg",
+        "@envoy_api//envoy/service/auth/v3:pkg",
     ],
 )
 
 envoy_cc_fuzz_test(
     name = "ext_authz_grpc_fuzz_test",
     srcs = ["ext_authz_grpc_fuzz_test.cc"],
-    corpus = "ext_authz_corpus",
+    corpus = "ext_authz_grpc_corpus",
     deps = [
         ":ext_authz_fuzz_lib",
         ":ext_authz_fuzz_proto_cc_proto",
@@ -110,14 +111,15 @@ envoy_cc_fuzz_test(
         "//test/extensions/filters/common/ext_authz:ext_authz_test_common",
         "//test/extensions/filters/http/common/fuzz:http_filter_fuzzer_lib",
         "//test/mocks/grpc:grpc_mocks",
+        "@envoy_api//envoy/extensions/filters/http/ext_authz/v3:pkg_cc_proto",
         "@envoy_api//envoy/service/auth/v3:pkg_cc_proto",
     ],
 )
 
 envoy_cc_fuzz_test(
     name = "ext_authz_http_fuzz_test",
     srcs = ["ext_authz_http_fuzz_test.cc"],
-    corpus = "ext_authz_corpus",
+    corpus = "ext_authz_http_corpus",
     deps = [
         ":ext_authz_fuzz_lib",
         ":ext_authz_fuzz_proto_cc_proto",
@@ -128,6 +130,7 @@ envoy_cc_fuzz_test(
         "//test/mocks/network:network_mocks",
         "//test/mocks/server:server_factory_context_mocks",
         "//test/mocks/upstream:cluster_manager_mocks",
+        "@envoy_api//envoy/extensions/filters/http/ext_authz/v3:pkg_cc_proto",
         "@envoy_api//envoy/service/auth/v3:pkg_cc_proto",
     ],
 )
@@ -144,6 +147,5 @@ envoy_cc_test_library(
         "//test/mocks/network:network_mocks",
         "//test/mocks/server:server_factory_context_mocks",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
-        "@envoy_api//envoy/extensions/filters/http/ext_authz/v3:pkg_cc_proto",
     ],
 )
@@ -1,29 +1,44 @@
 syntax = "proto3";
 package envoy.extensions.filters.http.ext_authz;
 
+import "envoy/config/core/v3/base.proto";
 import "envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto";
+import "envoy/service/auth/v3/external_auth.proto";
 import "test/fuzz/common.proto";
-import "envoy/config/core/v3/base.proto";
 import "validate/validate.proto";
 
 // We only fuzz a single request per iteration.
-message ExtAuthzTestCase {
+message ExtAuthzTestCaseBase {
+  envoy.extensions.filters.http.ext_authz.v3.ExtAuthz config = 1
+      [(validate.rules).message = {required: true}];
+  // HTTP request data.
+  test.fuzz.HttpData request_data = 2 [(validate.rules).message = {required: true}];
+  // Filter metadata.
+  envoy.config.core.v3.Metadata filter_metadata = 4;
+}
+
+message ExtAuthzTestCaseGrpc {
+  ExtAuthzTestCaseBase base = 1 [(validate.rules).message = {required: true}];
+
+  oneof response_or_failure_reason {
+    // Full auth check result. Note it is not validated to simulate an untrusted authz server (i.e.
+    // it can contain garbage mutations).
+    envoy.service.auth.v3.CheckResponse response = 2 [(validate.rules).message.skip = true];
+    // If this is set onFailure will be called instead of onSuccess.
+    string failure_reason = 3;
+  }
+}
+
+message ExtAuthzTestCaseHttp {
+  ExtAuthzTestCaseBase base = 1 [(validate.rules).message = {required: true}];
+
   enum AuthResult {
     // Possible results for a check call. Taken from
     // https://github.com/envoyproxy/envoy/blob/945b5833f094dee31d2971cee8d40553bb0fe714/source/extensions/filters/common/ext_authz/ext_authz.h#L65
     OK = 0;
     DENIED = 1;
     ERROR = 2;
   }
-
-  envoy.extensions.filters.http.ext_authz.v3.ExtAuthz config = 1
-      [(validate.rules).message = {required: true}];
-  // HTTP request data.
-  test.fuzz.HttpData request_data = 2 [(validate.rules).message = {required: true}];
   // Set default auth check result.
   AuthResult result = 3 [(validate.rules).enum.defined_only = true];
-  // Filter metadata.
-  envoy.config.core.v3.Metadata filter_metadata = 4;
-  // TODO: Add headers and data to ExtAuthz::Response and check that the request headers and data
-  // were updated.
 }
@@ -1,13 +1,11 @@
 #include "test/extensions/filters/http/ext_authz/ext_authz_fuzz_lib.h"
 
 #include "envoy/config/core/v3/base.pb.h"
-#include "envoy/extensions/filters/http/ext_authz/v3/ext_authz.pb.validate.h"
 
 #include "source/common/network/address_impl.h"
 #include "source/extensions/filters/http/ext_authz/ext_authz.h"
 
 #include "test/extensions/filters/http/ext_authz/ext_authz_fuzz.pb.h"
-#include "test/extensions/filters/http/ext_authz/ext_authz_fuzz.pb.validate.h"
 #include "test/mocks/network/mocks.h"
 
 #include "gmock/gmock.h"
@@ -43,14 +41,8 @@ ReusableFilterFactory::newFilter(FilterConfigSharedPtr config,
 }
 
 absl::StatusOr<std::unique_ptr<Filter>> ReusableFuzzerUtil::setup(
-    const envoy::extensions::filters::http::ext_authz::ExtAuthzTestCase& input,
+    const envoy::extensions::filters::http::ext_authz::ExtAuthzTestCaseBase& input,
     Filters::Common::ExtAuthz::ClientPtr client) {
-  try {
-    TestUtility::validate(input);
-  } catch (const EnvoyException& e) {
-    ENVOY_LOG_MISC(debug, "EnvoyException during validation: {}", e.what());
-    return absl::InvalidArgumentError(absl::StrCat("EnvoyException during validation: ", e.what()));
-  }
 
   // Prepare filter.
   const envoy::extensions::filters::http::ext_authz::v3::ExtAuthz proto_config = input.config();

@@ -43,7 +43,7 @@ class ReusableFuzzerUtil {
 public:
   // Validate input, then create a filter using the input.config() & the provided client.
   absl::StatusOr<std::unique_ptr<Filter>>
-  setup(const envoy::extensions::filters::http::ext_authz::ExtAuthzTestCase& input,
+  setup(const envoy::extensions::filters::http::ext_authz::ExtAuthzTestCaseBase& input,
         Filters::Common::ExtAuthz::ClientPtr client);
 
 private: