Skip to content

oauth2 filter: Make OAuth scopes configurable.#14034

Closed
andreyprezotto wants to merge 75 commits intoenvoyproxy:masterfrom
andreyprezotto:oauth_scope_enhanc
Closed

oauth2 filter: Make OAuth scopes configurable.#14034
andreyprezotto wants to merge 75 commits intoenvoyproxy:masterfrom
andreyprezotto:oauth_scope_enhanc

Conversation

@andreyprezotto
Copy link
Contributor

@andreyprezotto andreyprezotto commented Nov 16, 2020

Commit Message: Makes OAuth scopes configurable.
New optional parameter 'auth_scopes' added to the filter. The default value is 'user' (if not provided) to avoid breaking changes to users updating to the latest version.

Additional Description: Added log line to help debugging.
Risk Level: Low
Testing: Unit tests updated to match and cover the new parameter. Locally tested the generated docker image.
Docs Changes: Added the new parameter to the docs
Release Notes: Updated current.rst file
Platform Specific Features:
Fixes #13766

andreyprezotto and others added 25 commits November 16, 2020 08:24
@andreyprezotto
Add scope to oauth2 filter proto file
80acc89 
Signed-off-by: andreyprezotto <andreypp@gmail.com>

Signed-off-by: andreyprezotto <andreyprezotto@iheartmedia.com>
@andreyprezotto
Use configured scopes in authorizarion request
c276e54 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Initialize member in the correct order
d26dd3a 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Update proto files after proto_format.sh
1577ed6 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Fix oauth filter tests
47f1fa4 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix semicolon
906a91f 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix tests
94fa8b1 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix tests
2fdf64a 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix tests after rebase
7c689b9 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Add debug log for test
6549060 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Add debug log for test
5e709f9 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Auth_scope default value if config wasn't set
c2567ec 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
add config test for default user
657e21f 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
add config test for default user
a7acd87 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Revert "Auth_scope default value if config wasn't set"
5381f74 
This reverts commit 73d3ce1f343f36690b4a995c885fe0035f176b9e.

Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Revert "Revert "Auth_scope default value if config wasn't set""
4d9eab9 
This reverts commit a421de1628d5ae6591958fe1f2e61768927d4271.

Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
revert implementation
5e126b9 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
change defaul value implementation
b64e322 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix with .empty
7359ad3 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix semicolon
62f1ff4 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix property name
b3c2071 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
semicolon
a18a184 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
fix tests
2aa7274 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Add auth_scopes to the docs
a097339 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Update Release Notes
47598a2 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Nov 16, 2020

Hi @andreyprezotto, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #14034 was opened by andreyprezotto.

see: more, trace.

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Nov 16, 2020

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #14034 was opened by andreyprezotto.

see: more, trace.

@andreyprezotto
Fix colon in docs
6cca203 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Fix release notes
a5d64d0 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
kyessenov and others added 18 commits November 24, 2020 16:46
@kyessenov @andreyprezotto
wasm: fix network leak (envoyproxy#13836)
0026696 
Signed-off-by: Kuat Yessenov <kuat@google.com>
@adisuissa @andreyprezotto
http2: fixing upstream sending metadata after ending the stream (envo…
b1d1fc0 
…yproxy#14061)

Signed-off-by: Adi Suissa-Peleg <adip@google.com>
@htuch @andreyprezotto
test: improve docs and robustness of coverage script. (envoyproxy#14021)
c72c15c 
I ended up burning several hours dealing with issues around this the
other day, I'm hoping others don't :)

Signed-off-by: Harvey Tuch <htuch@google.com>
@PiotrSikora @andreyprezotto
tls: update BoringSSL to 1ce6682c (4280). (envoyproxy#14072)
783b773 
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
@antoniovicente @andreyprezotto
test: avoid use after free in oauth_integration_test (envoyproxy#14103)
21a81cf 
The client request stream can be deleted under the call stack of Envoy::IntegrationCodecClient::startRequest if the proxy replies quickly enough. Attempts to send an end stream on that request result in use-after-free on the client stream in cases where the client processed the full reply inside startRequest.

Fixes envoyproxy#12960

Signed-off-by: Antonio Vicente <avd@google.com>
@ggreenway @andreyprezotto
buffer: add a method for getting only the first slice (envoyproxy#14050)
22a820b 
Signed-off-by: Greg Greenway <ggreenway@apple.com>
@andreyprezotto
[Level Events] manage level events registration mask (envoyproxy#13787)
e73172e 
Signed-off-by: Sotiris Nanopoulos <sonanopo@microsoft.com>
@JaredTan95 @andreyprezotto
examples: Update SkyWalking version (envoyproxy#13938)
e0a80c4 
Signed-off-by: JaredTan95 <jian.tan@daocloud.io>
@htuch @andreyprezotto
examples: add VRP runtime validation to verify_examples. (envoyproxy#…
723475a 
…14099)

This is a regression test to cover the issue underlying
envoyproxy#14066.

Risk level: Low
Testing: Validating manually verify.sh passes, CI.

Signed-off-by: Harvey Tuch <htuch@google.com>
@cpakulski @mattklein123 @andreyprezotto
udp: properly handle truncated/dropped datagrams (envoyproxy#14122)
ab6e2ff 
Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Christoph Pakulski <christoph@tetrate.io>
Co-authored-by: Matt Klein <mklein@lyft.com>
Co-authored-by: Christoph Pakulski <christoph@tetrate.io>
@andreyprezotto
mongo: swap cx destroy metrics (envoyproxy#13991)
ca66519 
Signed-off-by: Bill Chung <bill@mercari.com>
@sunjayBhatia @wrowe @andreyprezotto
Windows CI: Upload test results to AZP (envoyproxy#14083)
51185ab 
- Requires removing --output_base flag to Bazel startup options
- The TEST_TMPDIR and BUILD_DIR bind mounts from the host are where
  Bazel will place build output etc.
- Allowing Bazel to place build and test output there will give the host
  access to the data to upload

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
Co-authored-by: William A Rowe Jr <wrowe@vmware.com>
@ggreenway @andreyprezotto
proxy protocol: set downstreamRemoteAddress on StreamInfo (envoyproxy…
59945aa 
…#14131)

This fixes a regression which resulted in the downstreamRemoteAddress
on the StreamInfo for a connection not having the address supplied by
the proxy protocol filter, but instead having the address of the
directly connected peer.

This issue does not affect HTTP filters.

Fixes envoyproxy#14087

Signed-off-by: Greg Greenway <ggreenway@apple.com>
@MarcinFalkowski @andreyprezotto
lua: reset downstream_ssl_connection in StreamInfoWrapper when object…
ce172b7 
… is marked dead by Lua GC (envoyproxy#14092)

Fixes envoyproxy#14091

The problem and fix is similiar to envoyproxy#4312

Risk Level: Low
Testing: regression test, manual testing
Docs Changes: N/A
Release Notes: N/A

Signed-off-by: Marcin Falkowski <marcin.falkowski@allegro.pl>
@andreyprezotto
Fix release notes
40aaf60 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Fix formatting
c8d39ea 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Fix documentation
446df5e 
Signed-off-by: andreyprezotto <andreypp@gmail.com>
@andreyprezotto
Code review changes
57cfd34 
- auth_scopes is now repeated string
- scope values are now URL encoded in the request

Signed-off-by: andreyprezotto <andreypp@gmail.com>
@repokitteh-read-only repokitteh-read-only bot added the deps Approval required for changes to Envoy's external dependencies label Nov 24, 2020
@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Nov 24, 2020

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).

🐱

Caused by: #14034 was synchronize by andreyprezotto.

see: more, trace.

@andreyprezotto
Copy link
Contributor Author

andreyprezotto commented Nov 24, 2020

Closing this PR as I pushed my rebased branch into it, and the changes are now messy.
I will issue a new PR to replace this one.

@andreyprezotto andreyprezotto mentioned this pull request Nov 24, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adisuissa adisuissa adisuissa left review comments

@alyssawilk alyssawilk Awaiting requested review from alyssawilk

@asraa asraa Awaiting requested review from asraa

@dio dio Awaiting requested review from dio

@ggreenway ggreenway Awaiting requested review from ggreenway

@lizan lizan Awaiting requested review from lizan

@mattklein123 mattklein123 Awaiting requested review from mattklein123

@PiotrSikora PiotrSikora Awaiting requested review from PiotrSikora

+4 more reviewers

@ja30278 ja30278 ja30278 left review comments

@snowp snowp snowp left review comments

@derekargueta derekargueta derekargueta left review comments

@htuch htuch htuch left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@snowp snowp

Labels

api deps Approval required for changes to Envoy's external dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Make OAuth scopes configurable