Add incoming plugin to validate Envoy XFCC (SPIFFE) identities#607

Merged
winhowes merged 8 commits into main from codex/implement-envoy_xfcc-incoming-auth-plugin
Apr 8, 2026
Conversation

@winhowes winhowes commented Apr 8, 2026

Motivation

  • Introduce an incoming auth plugin to validate and extract a single SPIFFE URI= identity from Envoy's X-Forwarded-Client-Cert header so callers proxied by a trusted Envoy/Gateway can be authenticated by allow-lists.
  • Make the plugin configurable for allowed identities, allowed prefixes, ignored proxy identities, custom header name and optional header stripping.
  • Register and document the plugin so it appears in the built-in plugin list and configuration reference.

Description

  • Add the envoy_xfcc incoming plugin implementation in app/auth/plugins/envoy_xfcc/incoming.go which parses plugin params (allowed_uris, allowed_uri_prefixes, ignored_uris, header, strip_header), extracts a single caller URI= field from the XFCC header, validates quoting/escaping, and enforces allow/ignore rules.
  • Add unit tests covering expected successes, many failure and edge cases, header stripping, custom header name, decoding/escaping, and config parsing in app/auth/plugins/envoy_xfcc/envoy_xfcc_test.go.
  • Register the plugin in the plugin registry by importing it in app/auth/plugins/plugins.go.
  • Document the new envoy_xfcc plugin and example configuration in docs/auth-plugins.md.

Testing

  • Ran the plugin package tests with go test ./app/auth/plugins/envoy_xfcc -v and all tests passed.
  • Ran repository-level tests with go test ./... and no failures were observed in the modified packages.

Codex Task
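The description above lists what the plugin does (parse the XFCC header, honour quoted and escaped values, pull out exactly one caller `URI=`, then apply `allowed_uris`, `allowed_uri_prefixes` and `ignored_uris`). The following is an added, stand-alone Go example of that logic; it is not the PR's `incoming.go` and uses no API from the project. The names `parseXFCC`, `xfccElement`, `xfccPolicy` and `callerIdentity` are this example's own, the header value is constructed, and two assumptions are baked in: a caller URI must start with `spiffe://`, and proxy identities in the ignore list are matched by exact string. With both allow-lists empty the policy rejects everything (fail closed).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// xfccElement holds the key/value pairs of one certificate entry in an
// X-Forwarded-Client-Cert header. Envoy separates entries with commas and
// pairs within an entry with semicolons; values containing either separator
// are double-quoted, with backslash escapes inside the quotes.
type xfccElement map[string][]string

// parseXFCC tokenises a raw XFCC header value. Malformed input (missing '=',
// unterminated quote, dangling escape, stray byte after a value) is an error
// rather than a best-effort guess, so a crafted header cannot be half-parsed.
func parseXFCC(header string) ([]xfccElement, error) {
	var elems []xfccElement
	cur := xfccElement{}
	n := len(header)
	for i := 0; i < n; {
		eq := strings.IndexByte(header[i:], '=')
		if eq < 0 {
			return nil, fmt.Errorf("xfcc: missing '=' at offset %d", i)
		}
		key := strings.TrimSpace(header[i : i+eq])
		if key == "" {
			return nil, fmt.Errorf("xfcc: empty key at offset %d", i)
		}
		i += eq + 1
		var val string
		if i < n && header[i] == '"' {
			// Quoted value: copy bytes, honouring backslash escapes, up to the closing quote.
			i++
			var sb strings.Builder
			closed := false
			for i < n && !closed {
				switch c := header[i]; c {
				case '\\':
					if i+1 >= n {
						return nil, errors.New("xfcc: dangling escape")
					}
					sb.WriteByte(header[i+1])
					i += 2
				case '"':
					closed = true
					i++
				default:
					sb.WriteByte(c)
					i++
				}
			}
			if !closed {
				return nil, errors.New("xfcc: unterminated quoted value")
			}
			val = sb.String()
		} else {
			end := strings.IndexAny(header[i:], ";,")
			if end < 0 {
				end = n - i
			}
			val = header[i : i+end]
			i += end
		}
		cur[key] = append(cur[key], val)
		if i >= n {
			break
		}
		switch header[i] {
		case ';':
			i++
		case ',':
			i++
			elems = append(elems, cur)
			cur = xfccElement{}
		default:
			return nil, fmt.Errorf("xfcc: unexpected %q after value at offset %d", header[i], i)
		}
	}
	if len(cur) > 0 {
		elems = append(elems, cur)
	}
	return elems, nil
}

// xfccPolicy mirrors the allow/ignore knobs named in the PR description
// (allowed_uris, allowed_uri_prefixes, ignored_uris); the Go names are this example's own.
type xfccPolicy struct {
	AllowedURIs        []string // exact SPIFFE IDs permitted to call
	AllowedURIPrefixes []string // trust-domain / namespace prefixes permitted to call
	IgnoredURIs        []string // identities of trusted hops to skip, never to authenticate as
}

func inList(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// callerIdentity returns the single SPIFFE ID the header attests to, or an error.
// Zero or several candidate URIs, a non-SPIFFE URI, or an identity outside both
// allow-lists all reject the request (assumption: callers must be spiffe:// URIs).
func (p xfccPolicy) callerIdentity(header string) (string, error) {
	elems, err := parseXFCC(header)
	if err != nil {
		return "", err
	}
	var candidates []string
	for _, e := range elems {
		for _, u := range e["URI"] {
			if inList(p.IgnoredURIs, u) {
				continue // a hop we trust, e.g. the gateway's own identity
			}
			if !strings.HasPrefix(u, "spiffe://") {
				return "", fmt.Errorf("xfcc: non-SPIFFE URI %q", u)
			}
			candidates = append(candidates, u)
		}
	}
	if len(candidates) != 1 {
		return "", fmt.Errorf("xfcc: expected exactly one caller URI, found %d", len(candidates))
	}
	id := candidates[0]
	if inList(p.AllowedURIs, id) {
		return id, nil
	}
	for _, prefix := range p.AllowedURIPrefixes {
		if strings.HasPrefix(id, prefix) {
			return id, nil
		}
	}
	return "", fmt.Errorf("xfcc: identity %q is not on the allow-list", id)
}

func main() {
	// Constructed sample: the gateway's own entry first, then the caller's entry with a quoted Subject.
	const header = `By=spiffe://example.org/ns/edge/sa/gateway;Hash=0000;URI=spiffe://example.org/ns/edge/sa/gateway,` +
		`Subject="CN=worker,O=Example \"Co\"";URI=spiffe://example.org/ns/payments/sa/worker`
	policy := xfccPolicy{
		AllowedURIPrefixes: []string{"spiffe://example.org/ns/payments/"},
		IgnoredURIs:        []string{"spiffe://example.org/ns/edge/sa/gateway"},
	}
	id, err := policy.callerIdentity(header)
	fmt.Println(id, err)
}
```

The check is only as strong as the guarantee that the header was written by the trusted Envoy: expose the service only behind that proxy and configure Envoy to replace any client-supplied XFCC value (its `forward_client_cert_details` setting `SANITIZE_SET` does this) rather than append to it, otherwise the allow-list compares against whatever the client chose to send.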


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 841e857442

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread app/auth/plugins/envoy_xfcc/incoming.go Outdated

winhowes commented Apr 8, 2026

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b8c0992a73

Comment thread app/auth/plugins/envoy_xfcc/incoming.go

winhowes commented Apr 8, 2026

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d422518353

Comment thread app/auth/plugins/envoy_xfcc/incoming.go Outdated

winhowes commented Apr 8, 2026

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b7e41d5660

Comment thread app/auth/plugins/envoy_xfcc/incoming.go Outdated

winhowes commented Apr 8, 2026

@codex review


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7aad86ffad

Comment thread app/auth/plugins/envoy_xfcc/incoming.go

winhowes commented Apr 8, 2026

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Another round soon, please!

@winhowes winhowes merged commit ffb97d7 into main Apr 8, 2026
3 checks passed