Skip to content

ext_authz: respect keep_empty_value in HeaderValueOption#45103

Open
404SkillNotFound wants to merge 14 commits into
envoyproxy:mainfrom
404SkillNotFound:fix/ext-authz-keep-empty-value
Open

ext_authz: respect keep_empty_value in HeaderValueOption#45103
404SkillNotFound wants to merge 14 commits into
envoyproxy:mainfrom
404SkillNotFound:fix/ext-authz-keep-empty-value

Conversation

@404SkillNotFound
Copy link
Copy Markdown

@404SkillNotFound 404SkillNotFound commented May 17, 2026
edited
Loading

Commit Message: ext_authz: respect keep_empty_value in HeaderValueOption

Additional Description:
ext_authz was ignoring the keep_empty_value field in HeaderValueOption
and blindly adding all headers from auth responses, including empty-valued
ones. Added a check in copyHeaderFieldIntoResponse and copyOkResponseMutations
to skip empty-valued headers when keep_empty_value is false (default).

Risk Level: low
Testing: CI
Docs Changes: none
Release Notes: added changelog entry for ext_authz keep_empty_value fix

I used AI to help navigate the codebase for this change. I own the change.

Fixes #45003

@404SkillNotFound
ext_authz: respect keep_empty_value in HeaderValueOption
acf2f97 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only Bot commented May 17, 2026

Hi @404SkillNotFound, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #45103 was opened by 404SkillNotFound.

see: more, trace.

wbpcode
wbpcode reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@wbpcode wbpcode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the contribution. This requires a test case to cover the new code.

@404SkillNotFound
test: update keep_empty_value test to assert correct behavior
9dfd7ad 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound
test: add positive case for keep_empty_value=true in ext_authz
5f84300 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound
Copy link
Copy Markdown
Author

404SkillNotFound commented May 18, 2026

Added test cases covering both branches, when keep_empty_value is false (header dropped) and when it's true (header kept). Let me know if anything else is needed!

@paul-r-gall
Copy link
Copy Markdown
Contributor

paul-r-gall commented May 18, 2026

So even though this is a bugfix, it's also a behavior change, and needs to be protected by a runtime flag please.

@404SkillNotFound
ext_authz: guard keep_empty_value behind runtime flag
343e152 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only Bot commented May 18, 2026

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #45103 was synchronize by 404SkillNotFound.

see: more, trace.

@404SkillNotFound
Copy link
Copy Markdown
Author

404SkillNotFound commented May 18, 2026

Done, guarded behind a runtime flag.

wbpcode
wbpcode reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@wbpcode wbpcode left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall with only single comment.

Comment thread source/common/runtime/runtime_features.cc Outdated
Comment on lines +242 to +243
// TODO(404SkillNotFound): Flip to true to enforce keep_empty_value in ext_authz by default.
FALSE_RUNTIME_GUARD(envoy_reloadable_features_ext_authz_respect_keep_empty_value);
Copy link
Copy Markdown
Member

@wbpcode wbpcode May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change is pretty safe and only affects the empty header value. I inclined you can use the normal runtime guard rather than the false runtime guard. Thanks.

Copy link
Copy Markdown
Author

@404SkillNotFound 404SkillNotFound May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, switched to RUNTIME_GUARD. Also added a changelog entry.

@404SkillNotFound
fix: move ext_authz_respect_keep_empty_value to RUNTIME_GUARD
d161585 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound
changelog: add entry for ext_authz keep_empty_value fix
16d1eb7 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound
changelog: add entry for ext_authz keep_empty_value fix
8bf78fc 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound
Merge branch 'main' into fix/ext-authz-keep-empty-value
6a7a54e 
Signed-off-by: Shivang Upadhyay <shivang.upadhyay1@gmail.com>
@404SkillNotFound 404SkillNotFound temporarily deployed to external-contributors May 19, 2026 10:18 — with GitHub Actions Inactive
@404SkillNotFound 404SkillNotFound requested a review from wbpcode May 19, 2026 10:31
wbpcode
wbpcode previously approved these changes May 19, 2026
View reviewed changes
@404SkillNotFound
test: fix AuthzOkResponse matcher to check headers_to_set
c63c525 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound
Merge branch 'fix/ext-authz-keep-empty-value' of https://github.com/4…
82b9a01 
…04SkillNotFound/envoy into fix/ext-authz-keep-empty-value

Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound 404SkillNotFound requested a review from wbpcode May 19, 2026 12:07
phlax
phlax reviewed May 19, 2026
View reviewed changes
Comment thread changelogs/current.yaml Outdated
HMAC secret validity.

- area: ext_authz
change: |
Copy link
Copy Markdown
Member

@phlax phlax May 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needs to use new changelog layout - see #45095

/wait

Copy link
Copy Markdown
Author

@404SkillNotFound 404SkillNotFound May 20, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@404SkillNotFound
changelog: migrate ext_authz keep_empty_value entry to new file-per-e…
162a5ed 
…ntry layout

Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound
merge: resolve current.yaml conflict by taking upstream version
7f4086b 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound 404SkillNotFound temporarily deployed to external-contributors May 20, 2026 06:35 — with GitHub Actions Inactive
@404SkillNotFound 404SkillNotFound requested a review from phlax May 20, 2026 06:36
@404SkillNotFound
test: fix AuthzOkResponse matcher to check headers_to_set
04c0808 
Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound 404SkillNotFound temporarily deployed to external-contributors May 21, 2026 04:37 — with GitHub Actions Inactive
@404SkillNotFound
test: isolate strict header checks to grpc tests to prevent integrati…
44154bc 
…on timeouts

Signed-off-by: 404SkillNotFound <shivang.upadhyay1@gmail.com>
@404SkillNotFound 404SkillNotFound requested a deployment to external-contributors May 21, 2026 06:15 — with GitHub Actions Waiting
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wbpcode wbpcode Awaiting requested review from wbpcode

@phlax phlax Awaiting requested review from phlax

At least 1 approving review is required to merge this pull request.

Assignees

@agrawroh agrawroh

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ext_authz does not respect keep_empty_value configuration in HeaderValueOption

5 participants

@404SkillNotFound @paul-r-gall @phlax @wbpcode @agrawroh