From 6c7be0cc9a676bc2ce651a202afb32c58753e6b4 Mon Sep 17 00:00:00 2001 From: Xuyang Tao Date: Tue, 1 Jun 2021 11:23:54 -0700 Subject: [PATCH 01/11] Add completePadding Signed-off-by: Xuyang Tao --- .../filters/http/jwt_authn/v3/config.proto | 7 ++++++- .../filters/http/jwt_authn/v4alpha/config.proto | 7 ++++++- docs/root/version_history/current.rst | 1 + .../filters/http/jwt_authn/v3/config.proto | 7 ++++++- .../filters/http/jwt_authn/v4alpha/config.proto | 7 ++++++- .../filters/http/jwt_authn/authenticator.cc | 13 +++++++++++-- .../http/jwt_authn/authenticator_test.cc | 17 +++++++++++++++++ .../filters/http/jwt_authn/test_common.h | 5 +++++ 8 files changed, 58 insertions(+), 6 deletions(-) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index afc761c07c7e1..eaff29c3dce76 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -52,7 +52,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // cache_duration: // seconds: 300 // -// [#next-free-field: 11] +// [#next-free-field: 12] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider"; @@ -211,6 +211,11 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + + // If true, complete the padding in the forwarded JWT payload binary if needed. + // By default, it is false and the JWT payload binary will be directly forwarded + // without adding padding. + bool complete_padding_in_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. 
diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 442ba7df061ee..5472d55941412 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -52,7 +52,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // cache_duration: // seconds: 300 // -// [#next-free-field: 11] +// [#next-free-field: 12] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; @@ -211,6 +211,11 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + + // If true, complete the padding in the forwarded JWT payload binary if needed. + // By default, it is false and the JWT payload binary will be directly forwarded + // without adding padding. + bool complete_padding_in_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 27a50d16838cc..28ef3fd418cac 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -81,6 +81,7 @@ New Features * http: added the ability to :ref:`unescape slash sequences` in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By default this feature is disabled. The default behavior can be overridden through :ref:`http_connection_manager.path_with_escaped_slashes_action` runtime variable. This action can be selectively enabled for a portion of requests by setting the :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime variable. * http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options ` for downstream and the new http3_protocol_options in :ref:`http_protocol_options ` for upstream HTTP/3. * jwt_authn: added support to fetch remote jwks asynchronously specified by :ref:`async_fetch `. +* jwt_authn: added support to enable standard padding in the forwarded JWT payload specified by :ref:`async_fetch `. * listener: added ability to change an existing listener's address. * local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection ` field to true. * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels ` field to true. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto index afc761c07c7e1..eaff29c3dce76 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto 
@@ -52,7 +52,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // cache_duration: // seconds: 300 // -// [#next-free-field: 11] +// [#next-free-field: 12] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider"; @@ -211,6 +211,11 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + + // If true, complete the padding in the forwarded JWT payload binary if needed. + // By default, it is false and the JWT payload binary will be directly forwarded + // without adding padding. + bool complete_padding_in_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 442ba7df061ee..5472d55941412 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -52,7 +52,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // cache_duration: // seconds: 300 // -// [#next-free-field: 11] +// [#next-free-field: 12] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; 
@@ -211,6 +211,11 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + + // If true, complete the padding in the forwarded JWT payload binary if needed. + // By default, it is false and the JWT payload binary will be directly forwarded + // without adding padding. + bool complete_padding_in_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/source/extensions/filters/http/jwt_authn/authenticator.cc b/source/extensions/filters/http/jwt_authn/authenticator.cc index fd960636ac41d..cf00b93681b45 100644 --- a/source/extensions/filters/http/jwt_authn/authenticator.cc +++ b/source/extensions/filters/http/jwt_authn/authenticator.cc @@ -3,6 +3,7 @@ #include "envoy/http/async_client.h" #include "common/common/assert.h" +#include "common/common/base64.h" #include "common/common/enum_to_int.h" #include "common/common/logger.h" #include "common/http/message_impl.h" @@ -252,9 +253,17 @@ void AuthenticatorImpl::verifyKey() { // Forward the payload const auto& provider = jwks_data_->getJwtProvider(); + if (!provider.forward_payload_header().empty()) { - headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()), - jwt_->payload_str_base64url_); + if (provider.complete_padding_in_payload()) { + std::string payload_with_padding = jwt_->payload_str_base64url_; + Base64::completePadding(payload_with_padding); + headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()), + payload_with_padding); + } else { + headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()), + jwt_->payload_str_base64url_); + } } if (!provider.forward()) { diff --git a/test/extensions/filters/http/jwt_authn/authenticator_test.cc b/test/extensions/filters/http/jwt_authn/authenticator_test.cc index 41d7d2253cbd3..71948ef3522d5 100644 
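Review bot: Both arms of the new `if (provider.complete_padding_in_payload())` block in `AuthenticatorImpl::verifyKey` end in the same `headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()), ...)` call, so the header name is built twice and the add is duplicated; computing the value first and adding it once reads more directly: `std::string payload = jwt_->payload_str_base64url_;` / `if (provider.complete_padding_in_payload()) Base64::completePadding(payload);` / `headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()), payload);`. Judging by its name, `payload_str_base64url_` uses the URL-safe alphabet while the helper lives on `Base64` rather than `Base64Url`, so a one-line comment such as `// completePadding only appends '=' and is alphabet-agnostic, so it is safe on the base64url payload.` would save the next reader a trip to base64.cc. verifyKey's body begins and continues outside the hunk.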
--- a/test/extensions/filters/http/jwt_authn/authenticator_test.cc +++ b/test/extensions/filters/http/jwt_authn/authenticator_test.cc @@ -113,6 +113,23 @@ TEST_F(AuthenticatorTest, TestOkJWTandCache) { EXPECT_EQ(0U, filter_config_->stats().jwks_fetch_failed_.value()); } +TEST_F(AuthenticatorTest, TestCompletePaddingInJwtPayload) { + (*proto_config_.mutable_providers())[std::string(ProviderName)].set_complete_padding_in_payload( + true); + createAuthenticator(); + EXPECT_CALL(*raw_fetcher_, fetch(_, _, _)) + .WillOnce(Invoke([this](const envoy::config::core::v3::HttpUri&, Tracing::Span&, + JwksFetcher::JwksReceiver& receiver) { + receiver.onJwksSuccess(std::move(jwks_)); + })); + + Http::TestRequestHeaderMapImpl headers{{"Authorization", "Bearer " + std::string(GoodToken)}}; + + expectVerifyStatus(Status::Ok, headers); + + EXPECT_EQ(headers.get_("sec-istio-auth-userinfo"), ExpectedPayloadValueWithPadding); +} + // This test verifies the Jwt is forwarded if "forward" flag is set. TEST_F(AuthenticatorTest, TestForwardJwt) { // Config forward_jwt flag diff --git a/test/extensions/filters/http/jwt_authn/test_common.h b/test/extensions/filters/http/jwt_authn/test_common.h index 0f2478ee2a73b..13c083163eb14 100644 --- a/test/extensions/filters/http/jwt_authn/test_common.h +++ b/test/extensions/filters/http/jwt_authn/test_common.h @@ -178,6 +178,11 @@ const char ExpectedPayloadValue[] = "eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3V "xlLmNvbSIsImV4cCI6MjAwMTAwMTAwMSwiYXVkIjoiZXhhbXBsZV9zZXJ2" "aWNlIn0"; +const char ExpectedPayloadValueWithPadding[] = + "eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoidGVzdEBleGFtcG" + "xlLmNvbSIsImV4cCI6MjAwMTAwMTAwMSwiYXVkIjoiZXhhbXBsZV9zZXJ2" + "aWNlIn0="; + // Base64 decoded Payload JSON const char ExpectedPayloadJSON[] = R"( { From 0ddcd1cf32e1e0cece06cb7768f1f64250dab7d8 Mon Sep 17 00:00:00 2001 From: Xuyang Tao Date: Tue, 1 Jun 2021 11:30:00 -0700 Subject: [PATCH 02/11] NA 
Signed-off-by: Xuyang Tao --- source/common/common/base64.cc | 7 ++++ source/common/common/base64.h | 6 +++ test/common/common/base64_test.cc | 41 ++++++++++++++++++++ test/extensions/filters/http/jwt_authn/BUILD | 1 + 4 files changed, 55 insertions(+) diff --git a/source/common/common/base64.cc b/source/common/common/base64.cc index fc4cd599c20d3..ea215b85b9ee9 100644 --- a/source/common/common/base64.cc +++ b/source/common/common/base64.cc @@ -234,6 +234,13 @@ std::string Base64::encode(const char* input, uint64_t length, bool add_padding) return ret; } +void Base64::completePadding(std::string& encoded) { + if (encoded.length() % 4 != 0) { + std::string trailing_padding(4 - encoded.length() % 4, '='); + encoded.append(trailing_padding); + } +} + std::string Base64Url::decode(const std::string& input) { if (input.empty()) { return EMPTY_STRING; diff --git a/source/common/common/base64.h b/source/common/common/base64.h index 13beff40b64ab..a69ffbf910a3b 100644 --- a/source/common/common/base64.h +++ b/source/common/common/base64.h @@ -54,6 +54,12 @@ class Base64 { * bytes. */ static std::string decodeWithoutPadding(absl::string_view input); + + /** + * Add the padding in the base64 encoded binary if the padding is missing. + * @param encoded is the target to complete the padding. + */ + static void completePadding(std::string& encoded); }; /** diff --git a/test/common/common/base64_test.cc b/test/common/common/base64_test.cc index 04ad1dfb24b9e..ff9382191e896 100644 --- a/test/common/common/base64_test.cc +++ b/test/common/common/base64_test.cc 
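Review bot: `Base64::completePadding` pads any length up to a multiple of four, including a length that is 1 mod 4, which no valid base64 or base64url encoding can have; in that case it appends three `=` and the result still will not decode, so a caller such as the jwt_authn forwarding path would emit a malformed value rather than the original one. Either leave such input untouched with `if (encoded.length() % 4 == 1) return;` ahead of the padding, or state the precondition in the header comment; the new `CompletePadding` test in base64_test.cc covers only the 0, 2 and 3 mod 4 lengths, so whichever is chosen deserves a fourth case. The temporary `trailing_padding` string is also unnecessary: `encoded.append(4 - encoded.length() % 4, '=');` does the same in one line.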
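Review bot: The new doc comment on `completePadding` in base64.h says "base64 encoded binary", but the parameter is the encoded text, not decoded bytes, and it does not mention that an input whose length is already a multiple of four is left unchanged (the `% 4 != 0` guard in base64.cc). Suggest: `* Append '=' characters so that the length of a base64/base64url string is a multiple of 4.` / `* @param encoded the encoded text; left unchanged if its length is already a multiple of 4.`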
@@ -132,6 +132,47 @@ TEST(Base64Test, BinaryBufferEncode) { EXPECT_EQ("AAECAwgKCQCqvN4=", Base64::encode(buffer, 30)); } +TEST(Base64Test, CompletePadding) { + struct CompletePaddingBase64UrlTestCases { + std::string base64, base64_with_padding; + }; + + // For base64 encoding, there are only three length needed to test + // - 3n bytes => 4n bytes, no padding needed + // - 3n + 1 bytes => 4n + 2 bytes, 2 padding needed + // - 3n + 2 bytes => 4n + 3 bytes, 1 padding needed + CompletePaddingBase64UrlTestCases testCases[3] = { + // Payload text(3n bytes): + {"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG8iLCJpYXQiOjE1MTYyMzkwMjJ" + "9", + // No padding added. + "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG8iLCJpYXQiOjE1MTYyMzkwMjJ" + "9"}, + // Payload text(3n + 1 bytes): + {"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2" + "MjM5MDIyfQ", + // 2 padding added. + "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2" + "MjM5MDIyfQ=="}, + // Payload text(3n + 2 bytes): + {"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lZSIsImlhdCI6MTUx" + "NjIzOTAyMn0", + // 1 padding added. + "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lZSIsImlhdCI6MTUx" + "NjIzOTAyMn0="}}; + for (auto& tc : testCases) { + // Ensure these two base64 binaries are equivalent after decoding. + EXPECT_EQ(Base64::decodeWithoutPadding(tc.base64), + Base64::decodeWithoutPadding(tc.base64_with_padding)); + // Ensure the `base64_with_padding` is correctly padded. + EXPECT_NE(Base64::decode(tc.base64_with_padding), ""); + + std::string base64_padded = tc.base64; + Base64::completePadding(base64_padded); + EXPECT_EQ(base64_padded, tc.base64_with_padding); + } +} + TEST(Base64UrlTest, EncodeString) { EXPECT_EQ("", Base64Url::encode("", 0)); EXPECT_EQ("AAA", Base64Url::encode("\0\0", 2)); diff --git a/test/extensions/filters/http/jwt_authn/BUILD b/test/extensions/filters/http/jwt_authn/BUILD index e224b781035a9..b2ecffb6f36de 100644 
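Review bot: The case struct in `TEST(Base64Test, CompletePadding)` is named `CompletePaddingBase64UrlTestCases` although every call in the loop goes through `Base64::`, not `Base64Url::`; the sample strings contain no `-` or `_` so either alphabet decodes them, but the name misdirects and should drop `Url` or the test should exercise `Base64Url`. `EXPECT_NE(Base64::decode(tc.base64_with_padding), "")` only shows that strict decoding accepted the padded form; comparing it with the unpadded decode pins the equivalence the comment promises: `EXPECT_EQ(Base64::decode(tc.base64_with_padding), Base64::decodeWithoutPadding(tc.base64));`. Declaring the table as `const CompletePaddingTestCase test_cases[] = {` also removes the hard-coded `[3]` that must be kept in sync by hand.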
--- a/test/extensions/filters/http/jwt_authn/BUILD +++ b/test/extensions/filters/http/jwt_authn/BUILD @@ -112,6 +112,7 @@ envoy_extension_cc_test( extension_name = "envoy.filters.http.jwt_authn", deps = [ ":mock_lib", + "//source/common/common:base64_lib", "//source/extensions/filters/http/common:jwks_fetcher_lib", "//source/extensions/filters/http/jwt_authn:authenticator_lib", "//source/extensions/filters/http/jwt_authn:filter_config_lib", From 513300e711fe59df2973643f203846f5c693c94f Mon Sep 17 00:00:00 2001 From: Xuyang Tao Date: Tue, 1 Jun 2021 13:55:40 -0700 Subject: [PATCH 03/11] Fix comments Signed-off-by: Xuyang Tao --- api/envoy/extensions/filters/http/jwt_authn/v3/config.proto | 3 ++- .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 3 ++- docs/root/version_history/current.rst | 2 +- .../envoy/extensions/filters/http/jwt_authn/v3/config.proto | 3 ++- .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 3 ++- source/extensions/filters/http/jwt_authn/authenticator.cc | 2 +- test/extensions/filters/http/jwt_authn/authenticator_test.cc | 4 ++-- 7 files changed, 12 insertions(+), 8 deletions(-) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index eaff29c3dce76..7d8517e882aea 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto 
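Review bot: The `//source/common/common:base64_lib` dependency is added to a test target in `test/extensions/filters/http/jwt_authn/BUILD`, yet the new `Base64::completePadding` call and `#include "common/common/base64.h"` are in `source/extensions/filters/http/jwt_authn/authenticator.cc` (patch 01), and the source-side `BUILD` does not appear in any diffstat of the series. If `authenticator_lib` does not already depend on `base64_lib` directly, that include compiles only through a transitive dependency, which Bazel layering checks reject; the dep appears to belong on `authenticator_lib` in the source BUILD as well. The target edited here is only partly visible, as its name and the start of the rule are above the hunk.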
@@ -212,10 +212,11 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + // This field is effective only when `forward_payload_header` is specified. // If true, complete the padding in the forwarded JWT payload binary if needed. // By default, it is false and the JWT payload binary will be directly forwarded // without adding padding. - bool complete_padding_in_payload = 11; + bool complete_padding_in_forward_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 5472d55941412..d1307c9ac6f11 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -212,10 +212,11 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + // This field is effective only when `forward_payload_header` is specified. // If true, complete the padding in the forwarded JWT payload binary if needed. // By default, it is false and the JWT payload binary will be directly forwarded // without adding padding. - bool complete_padding_in_payload = 11; + bool complete_padding_in_forward_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 28ef3fd418cac..9ca58d29ccbf3 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -81,7 +81,7 @@ New Features * http: added the ability to :ref:`unescape slash sequences` in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By default this feature is disabled. The default behavior can be overridden through :ref:`http_connection_manager.path_with_escaped_slashes_action` runtime variable. This action can be selectively enabled for a portion of requests by setting the :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime variable. * http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options ` for downstream and the new http3_protocol_options in :ref:`http_protocol_options ` for upstream HTTP/3. * jwt_authn: added support to fetch remote jwks asynchronously specified by :ref:`async_fetch `. -* jwt_authn: added support to enable standard padding in the forwarded JWT payload specified by :ref:`async_fetch `. +* jwt_authn: added support to enable standard padding in the forwarded JWT payload specified by :ref:`async_fetch `. * listener: added ability to change an existing listener's address. * local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection ` field to true. * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels ` field to true. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto index eaff29c3dce76..7d8517e882aea 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto 
@@ -212,10 +212,11 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + // This field is effective only when `forward_payload_header` is specified. // If true, complete the padding in the forwarded JWT payload binary if needed. // By default, it is false and the JWT payload binary will be directly forwarded // without adding padding. - bool complete_padding_in_payload = 11; + bool complete_padding_in_forward_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 5472d55941412..d1307c9ac6f11 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -212,10 +212,11 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; + // This field is effective only when `forward_payload_header` is specified. // If true, complete the padding in the forwarded JWT payload binary if needed. // By default, it is false and the JWT payload binary will be directly forwarded // without adding padding. - bool complete_padding_in_payload = 11; + bool complete_padding_in_forward_payload = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/source/extensions/filters/http/jwt_authn/authenticator.cc b/source/extensions/filters/http/jwt_authn/authenticator.cc index cf00b93681b45..f0033538b53c9 100644 --- a/source/extensions/filters/http/jwt_authn/authenticator.cc +++ b/source/extensions/filters/http/jwt_authn/authenticator.cc 
@@ -255,7 +255,7 @@ void AuthenticatorImpl::verifyKey() { const auto& provider = jwks_data_->getJwtProvider(); if (!provider.forward_payload_header().empty()) { - if (provider.complete_padding_in_payload()) { + if (provider.complete_padding_in_forward_payload()) { std::string payload_with_padding = jwt_->payload_str_base64url_; Base64::completePadding(payload_with_padding); headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()), diff --git a/test/extensions/filters/http/jwt_authn/authenticator_test.cc b/test/extensions/filters/http/jwt_authn/authenticator_test.cc index 71948ef3522d5..165b8a5b17392 100644 --- a/test/extensions/filters/http/jwt_authn/authenticator_test.cc +++ b/test/extensions/filters/http/jwt_authn/authenticator_test.cc @@ -114,8 +114,8 @@ TEST_F(AuthenticatorTest, TestOkJWTandCache) { } TEST_F(AuthenticatorTest, TestCompletePaddingInJwtPayload) { - (*proto_config_.mutable_providers())[std::string(ProviderName)].set_complete_padding_in_payload( - true); + (*proto_config_.mutable_providers())[std::string(ProviderName)] + .set_complete_padding_in_forward_payload(true); createAuthenticator(); EXPECT_CALL(*raw_fetcher_, fetch(_, _, _)) .WillOnce(Invoke([this](const envoy::config::core::v3::HttpUri&, Tracing::Span&, From b43cfb04d1e8b541d2f37f02466fda87865b24a4 Mon Sep 17 00:00:00 2001 From: Xuyang Tao Date: Sat, 5 Jun 2021 16:03:01 -0700 Subject: [PATCH 04/11] Fix comments Signed-off-by: Xuyang Tao --- .../extensions/filters/http/jwt_authn/v3/config.proto | 11 ++++++----- .../filters/http/jwt_authn/v4alpha/config.proto | 11 ++++++----- docs/root/version_history/current.rst | 2 +- .../extensions/filters/http/jwt_authn/v3/config.proto | 11 ++++++----- .../filters/http/jwt_authn/v4alpha/config.proto | 11 ++++++----- .../filters/http/jwt_authn/authenticator.cc | 2 +- .../filters/http/jwt_authn/authenticator_test.cc | 2 +- 7 files changed, 27 insertions(+), 23 deletions(-) 
diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 7d8517e882aea..54b7089bf3e0b 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -212,11 +212,12 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; - // This field is effective only when `forward_payload_header` is specified. - // If true, complete the padding in the forwarded JWT payload binary if needed. - // By default, it is false and the JWT payload binary will be directly forwarded - // without adding padding. - bool complete_padding_in_forward_payload = 11; + // This field only applies to :ref:`forward_payload_header . + // + // When it is specified, the base64 encoded payload will be added to the + // header. Normally JWT based64 encode doesn't add padding. If this field is + // true, the padding will be added to the header. + bool add_padding_in_forward_payload_header = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index d1307c9ac6f11..7f69a67e215a7 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto 
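Review bot: The rewritten comment on field 11 has a typo, `based64` for `base64`, in `// header. Normally JWT based64 encode doesn't add padding. If this field is`, and the same text is repeated in the v4alpha hunk of this patch and in both generated_api_shadow copies. "The padding will be added to the header" is also loose, since it is the payload value placed in the header that receives the `=` characters. Suggest: `// header. Normally JWT base64 encoding does not add padding. If this field is` / `// true, the padding is appended to the payload value placed in the header.`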
@@ -212,11 +212,12 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; - // This field is effective only when `forward_payload_header` is specified. - // If true, complete the padding in the forwarded JWT payload binary if needed. - // By default, it is false and the JWT payload binary will be directly forwarded - // without adding padding. - bool complete_padding_in_forward_payload = 11; + // This field only applies to :ref:`forward_payload_header . + // + // When it is specified, the base64 encoded payload will be added to the + // header. Normally JWT based64 encode doesn't add padding. If this field is + // true, the padding will be added to the header. + bool add_padding_in_forward_payload_header = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 9ca58d29ccbf3..ad09adec123af 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -81,7 +81,7 @@ New Features * http: added the ability to :ref:`unescape slash sequences` in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By default this feature is disabled. The default behavior can be overridden through :ref:`http_connection_manager.path_with_escaped_slashes_action` runtime variable. This action can be selectively enabled for a portion of requests by setting the :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime variable. * http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options ` for downstream and the new http3_protocol_options in :ref:`http_protocol_options ` for upstream HTTP/3. * jwt_authn: added support to fetch remote jwks asynchronously specified by :ref:`async_fetch `. -* jwt_authn: added support to enable standard padding in the forwarded JWT payload specified by :ref:`async_fetch `. +* jwt_authn: added support to add padding in the forwarded JWT payload specified by :ref:`add_padding_in_forward_payload_header `. * listener: added ability to change an existing listener's address. * local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection ` field to true. * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels ` field to true. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 7d8517e882aea..54b7089bf3e0b 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto 
@@ -212,11 +212,12 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; - // This field is effective only when `forward_payload_header` is specified. - // If true, complete the padding in the forwarded JWT payload binary if needed. - // By default, it is false and the JWT payload binary will be directly forwarded - // without adding padding. - bool complete_padding_in_forward_payload = 11; + // This field only applies to :ref:`forward_payload_header . + // + // When it is specified, the base64 encoded payload will be added to the + // header. Normally JWT based64 encode doesn't add padding. If this field is + // true, the padding will be added to the header. + bool add_padding_in_forward_payload_header = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index d1307c9ac6f11..7f69a67e215a7 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto 
@@ -212,11 +212,12 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; - // This field is effective only when `forward_payload_header` is specified. - // If true, complete the padding in the forwarded JWT payload binary if needed. - // By default, it is false and the JWT payload binary will be directly forwarded - // without adding padding. - bool complete_padding_in_forward_payload = 11; + // This field only applies to :ref:`forward_payload_header . + // + // When it is specified, the base64 encoded payload will be added to the + // header. Normally JWT based64 encode doesn't add padding. If this field is + // true, the padding will be added to the header. + bool add_padding_in_forward_payload_header = 11; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/source/extensions/filters/http/jwt_authn/authenticator.cc b/source/extensions/filters/http/jwt_authn/authenticator.cc index f0033538b53c9..9c711afea2f0f 100644 --- a/source/extensions/filters/http/jwt_authn/authenticator.cc +++ b/source/extensions/filters/http/jwt_authn/authenticator.cc @@ -255,7 +255,7 @@ void AuthenticatorImpl::verifyKey() { const auto& provider = jwks_data_->getJwtProvider(); if (!provider.forward_payload_header().empty()) { - if (provider.complete_padding_in_forward_payload()) { + if (provider.add_padding_in_forward_payload_header()) { std::string payload_with_padding = jwt_->payload_str_base64url_; Base64::completePadding(payload_with_padding); headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()), diff --git a/test/extensions/filters/http/jwt_authn/authenticator_test.cc b/test/extensions/filters/http/jwt_authn/authenticator_test.cc index 165b8a5b17392..ad1734a5c01af 100644 --- a/test/extensions/filters/http/jwt_authn/authenticator_test.cc +++ b/test/extensions/filters/http/jwt_authn/authenticator_test.cc 
@@ -115,7 +115,7 @@ TEST_F(AuthenticatorTest, TestOkJWTandCache) { TEST_F(AuthenticatorTest, TestCompletePaddingInJwtPayload) { (*proto_config_.mutable_providers())[std::string(ProviderName)] - .set_complete_padding_in_forward_payload(true); + .set_add_padding_in_forward_payload_header(true); createAuthenticator(); EXPECT_CALL(*raw_fetcher_, fetch(_, _, _)) .WillOnce(Invoke([this](const envoy::config::core::v3::HttpUri&, Tracing::Span&, From 537843c3902907bcbfb9486d19641101ea793d3d Mon Sep 17 00:00:00 2001 From: Xuyang Tao Date: Sat, 5 Jun 2021 18:24:45 -0700 Subject: [PATCH 05/11] fix comments Signed-off-by: Xuyang Tao --- api/envoy/extensions/filters/http/jwt_authn/v3/config.proto | 2 +- .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 54b7089bf3e0b..917a0041d8d7e 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -212,7 +212,7 @@ message JwtProvider { // such as `exp`, and `nbf`. If not specified, default is 60 seconds. uint32 clock_skew_seconds = 10; - // This field only applies to :ref:`forward_payload_header . + // This field only applies to :ref:`forward_payload_header `. // // When it is specified, the base64 encoded payload will be added to the // header. Normally JWT based64 encode doesn't add padding. If this field is diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 7f69a67e215a7..ded195c9d6e70 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto 
@@ -212,7 +212,7 @@ message JwtProvider {
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
 
-  // This field only applies to :ref:`forward_payload_header .
+  // This field only applies to :ref:`forward_payload_header `.
   //
   // When it is specified, the base64 encoded payload will be added to the
   // header. Normally JWT based64 encode doesn't add padding. If this field is
From 07ab076afe31c409afbfbb011088ceef9a1794c5 Mon Sep 17 00:00:00 2001
From: Xuyang Tao
Date: Sat, 5 Jun 2021 21:52:50 -0700
Subject: [PATCH 06/11] fix comments

Signed-off-by: Xuyang Tao
---
 .../envoy/extensions/filters/http/jwt_authn/v3/config.proto | 2 +-
 .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index 54b7089bf3e0b..917a0041d8d7e 100644
--- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -212,7 +212,7 @@ message JwtProvider {
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
 
-  // This field only applies to :ref:`forward_payload_header .
+  // This field only applies to :ref:`forward_payload_header `.
   //
   // When it is specified, the base64 encoded payload will be added to the
   // header. Normally JWT based64 encode doesn't add padding. If this field is
diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
index 7f69a67e215a7..ded195c9d6e70 100644
--- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
@@ -212,7 +212,7 @@ message JwtProvider {
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
 
-  // This field only applies to :ref:`forward_payload_header .
+  // This field only applies to :ref:`forward_payload_header `.
   //
   // When it is specified, the base64 encoded payload will be added to the
   // header. Normally JWT based64 encode doesn't add padding. If this field is
From 133c03cdb805aabfc3da2bea79410cbc612c9d5f Mon Sep 17 00:00:00 2001
From: Xuyang Tao
Date: Tue, 8 Jun 2021 11:21:13 -0700
Subject: [PATCH 07/11] fix comments

Signed-off-by: Xuyang Tao
---
 .../filters/http/jwt_authn/v3/config.proto | 17 ++++++++++-------
 .../filters/http/jwt_authn/v4alpha/config.proto | 17 ++++++++++-------
 docs/root/version_history/current.rst | 2 +-
 .../filters/http/jwt_authn/v3/config.proto | 17 ++++++++++-------
 .../filters/http/jwt_authn/v4alpha/config.proto | 17 ++++++++++-------
 .../filters/http/jwt_authn/authenticator.cc | 2 +-
 .../http/jwt_authn/authenticator_test.cc | 4 ++--
 7 files changed, 44 insertions(+), 32 deletions(-)

diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index 917a0041d8d7e..be3f0d50e01cd 100644
--- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -190,6 +190,16 @@ message JwtProvider {
   string forward_payload_header = 8
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 
+  // When :ref:`forward_payload_header `
+  // is specified, the base64 encoded payload will be added to the headers.
+  // Normally JWT based64 encode doesn't add padding. If this field is true,
+  // the padding will be added to the header.
+  //
+  // When :ref:`forward_payload_header `
+  // is unspecified, nothing will be added into the headers and this field is
+  // ineffective.
+  bool pad_forward_payload_header = 11;
+
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
   // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
   // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
@@ -211,13 +221,6 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
-
-  // This field only applies to :ref:`forward_payload_header `.
-  //
-  // When it is specified, the base64 encoded payload will be added to the
-  // header. Normally JWT based64 encode doesn't add padding. If this field is
-  // true, the padding will be added to the header.
-  bool add_padding_in_forward_payload_header = 11;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.
diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
index ded195c9d6e70..d5f060521dd4c 100644
--- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
+++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
@@ -190,6 +190,16 @@ message JwtProvider {
   string forward_payload_header = 8
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 
+  // When :ref:`forward_payload_header `
+  // is specified, the base64 encoded payload will be added to the headers.
+  // Normally JWT based64 encode doesn't add padding. If this field is true,
+  // the padding will be added to the header.
+  //
+  // When :ref:`forward_payload_header `
+  // is unspecified, nothing will be added into the headers and this field is
+  // ineffective.
+  bool pad_forward_payload_header = 11;
+
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
   // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
   // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
@@ -211,13 +221,6 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
-
-  // This field only applies to :ref:`forward_payload_header `.
-  //
-  // When it is specified, the base64 encoded payload will be added to the
-  // header. Normally JWT based64 encode doesn't add padding. If this field is
-  // true, the padding will be added to the header.
-  bool add_padding_in_forward_payload_header = 11;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 65489e86f693b..11221b215ac80 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -86,7 +86,7 @@ New Features
 * http: added the ability to :ref:`unescape slash sequences` in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By default this feature is disabled. The default behavior can be overridden through :ref:`http_connection_manager.path_with_escaped_slashes_action` runtime variable. This action can be selectively enabled for a portion of requests by setting the :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime variable.
 * http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options ` for downstream and the new http3_protocol_options in :ref:`http_protocol_options ` for upstream HTTP/3.
 * jwt_authn: added support to fetch remote jwks asynchronously specified by :ref:`async_fetch `.
-* jwt_authn: added support to add padding in the forwarded JWT payload specified by :ref:`add_padding_in_forward_payload_header `.
+* jwt_authn: added support to add padding in the forwarded JWT payload specified by :ref:`pad_forward_payload_header `.
 * listener: added ability to change an existing listener's address.
 * local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection ` field to true.
 * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels ` field to true.
diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index 917a0041d8d7e..be3f0d50e01cd 100644
--- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -190,6 +190,16 @@ message JwtProvider {
   string forward_payload_header = 8
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 
+  // When :ref:`forward_payload_header `
+  // is specified, the base64 encoded payload will be added to the headers.
+  // Normally JWT based64 encode doesn't add padding. If this field is true,
+  // the padding will be added to the header.
+  //
+  // When :ref:`forward_payload_header `
+  // is unspecified, nothing will be added into the headers and this field is
+  // ineffective.
+  bool pad_forward_payload_header = 11;
+
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
   // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
   // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
@@ -211,13 +221,6 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
-
-  // This field only applies to :ref:`forward_payload_header `.
-  //
-  // When it is specified, the base64 encoded payload will be added to the
-  // header. Normally JWT based64 encode doesn't add padding. If this field is
-  // true, the padding will be added to the header.
-  bool add_padding_in_forward_payload_header = 11;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.
diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
index ded195c9d6e70..d5f060521dd4c 100644
--- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
@@ -190,6 +190,16 @@ message JwtProvider {
   string forward_payload_header = 8
       [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
 
+  // When :ref:`forward_payload_header `
+  // is specified, the base64 encoded payload will be added to the headers.
+  // Normally JWT based64 encode doesn't add padding. If this field is true,
+  // the padding will be added to the header.
+  //
+  // When :ref:`forward_payload_header `
+  // is unspecified, nothing will be added into the headers and this field is
+  // ineffective.
+  bool pad_forward_payload_header = 11;
+
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
   // in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
   // The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
@@ -211,13 +221,6 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
-
-  // This field only applies to :ref:`forward_payload_header `.
-  //
-  // When it is specified, the base64 encoded payload will be added to the
-  // header. Normally JWT based64 encode doesn't add padding. If this field is
-  // true, the padding will be added to the header.
-  bool add_padding_in_forward_payload_header = 11;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.
diff --git a/source/extensions/filters/http/jwt_authn/authenticator.cc b/source/extensions/filters/http/jwt_authn/authenticator.cc
index 092c7b3f6b781..151d6a7fa1286 100644
--- a/source/extensions/filters/http/jwt_authn/authenticator.cc
+++ b/source/extensions/filters/http/jwt_authn/authenticator.cc
@@ -255,7 +255,7 @@ void AuthenticatorImpl::verifyKey() {
   const auto& provider = jwks_data_->getJwtProvider();
 
   if (!provider.forward_payload_header().empty()) {
-    if (provider.add_padding_in_forward_payload_header()) {
+    if (provider.pad_forward_payload_header()) {
       std::string payload_with_padding = jwt_->payload_str_base64url_;
       Base64::completePadding(payload_with_padding);
       headers_->addCopy(Http::LowerCaseString(provider.forward_payload_header()),
diff --git a/test/extensions/filters/http/jwt_authn/authenticator_test.cc b/test/extensions/filters/http/jwt_authn/authenticator_test.cc
index f78a9f0d65b8b..0168f1ce58aab 100644
--- a/test/extensions/filters/http/jwt_authn/authenticator_test.cc
+++ b/test/extensions/filters/http/jwt_authn/authenticator_test.cc
@@ -113,8 +113,8 @@ TEST_F(AuthenticatorTest, TestOkJWTandCache) {
 }
 
 TEST_F(AuthenticatorTest, TestCompletePaddingInJwtPayload) {
-  (*proto_config_.mutable_providers())[std::string(ProviderName)]
-      .set_add_padding_in_forward_payload_header(true);
+  (*proto_config_.mutable_providers())[std::string(ProviderName)].set_pad_forward_payload_header(
+      true);
   createAuthenticator();
   EXPECT_CALL(*raw_fetcher_, fetch(_, _, _))
       .WillOnce(Invoke([this](const envoy::config::core::v3::HttpUri&, Tracing::Span&,
From e65edc9412f091ae9fc703aa61174aed08a99f7f Mon Sep 17 00:00:00 2001
From: Xuyang Tao
Date: Tue, 8 Jun 2021 21:57:20 -0700
Subject: [PATCH 08/11] fix comments

Signed-off-by: Xuyang Tao
---
 .../extensions/filters/http/jwt_authn/v3/config.proto | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index be3f0d50e01cd..a79e3382d6334 100644
--- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -193,11 +193,10 @@ message JwtProvider {
   // When :ref:`forward_payload_header `
   // is specified, the base64 encoded payload will be added to the headers.
   // Normally JWT based64 encode doesn't add padding. If this field is true,
-  // the padding will be added to the header.
+  // the header will be padded.
   //
-  // When :ref:`forward_payload_header `
-  // is unspecified, nothing will be added into the headers and this field is
-  // ineffective.
+  // This field is only relevant if :ref:`forward_payload_header `
+  // is specified.
   bool pad_forward_payload_header = 11;
 
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
From 2c24e3b849e6f01374d9193ca247e3bd6014958c Mon Sep 17 00:00:00 2001
From: Xuyang Tao
Date: Wed, 9 Jun 2021 11:22:55 -0700
Subject: [PATCH 09/11] fix comments

Signed-off-by: Xuyang Tao
---
 .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 7 +++----
 .../extensions/filters/http/jwt_authn/v4alpha/config.proto | 7 +++----
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
index d5f060521dd4c..82f6bef04eae4 100644
--- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
+++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
@@ -193,11 +193,10 @@ message JwtProvider {
   // When :ref:`forward_payload_header `
   // is specified, the base64 encoded payload will be added to the headers.
   // Normally JWT based64 encode doesn't add padding. If this field is true,
-  // the padding will be added to the header.
+  // the header will be padded.
   //
-  // When :ref:`forward_payload_header `
-  // is unspecified, nothing will be added into the headers and this field is
-  // ineffective.
+  // This field is only relevant if :ref:`forward_payload_header `
+  // is specified.
   bool pad_forward_payload_header = 11;
 
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
index d5f060521dd4c..82f6bef04eae4 100644
--- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
@@ -193,11 +193,10 @@ message JwtProvider {
   // When :ref:`forward_payload_header `
   // is specified, the base64 encoded payload will be added to the headers.
   // Normally JWT based64 encode doesn't add padding. If this field is true,
-  // the padding will be added to the header.
+  // the header will be padded.
   //
-  // When :ref:`forward_payload_header `
-  // is unspecified, nothing will be added into the headers and this field is
-  // ineffective.
+  // This field is only relevant if :ref:`forward_payload_header `
+  // is specified.
   bool pad_forward_payload_header = 11;
 
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
From 1064833244cd1ee7ca643fcdfd20b273acb7359a Mon Sep 17 00:00:00 2001
From: Xuyang Tao
Date: Wed, 9 Jun 2021 15:01:50 -0700
Subject: [PATCH 10/11] fix comments
Signed-off-by: Xuyang Tao
---
 .../extensions/filters/http/jwt_authn/v3/config.proto | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index be3f0d50e01cd..a79e3382d6334 100644
--- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -193,11 +193,10 @@ message JwtProvider {
   // When :ref:`forward_payload_header `
   // is specified, the base64 encoded payload will be added to the headers.
   // Normally JWT based64 encode doesn't add padding. If this field is true,
-  // the padding will be added to the header.
+  // the header will be padded.
   //
-  // When :ref:`forward_payload_header `
-  // is unspecified, nothing will be added into the headers and this field is
-  // ineffective.
+  // This field is only relevant if :ref:`forward_payload_header `
+  // is specified.
   bool pad_forward_payload_header = 11;
 
   // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
From 59005bf394982eac96a7c4a9e849dd1f2d286a07 Mon Sep 17 00:00:00 2001
From: Xuyang Tao
Date: Sat, 26 Jun 2021 13:27:07 -0700
Subject: [PATCH 11/11] use strAppend

Signed-off-by: Xuyang Tao
---
 source/common/common/base64.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source/common/common/base64.cc b/source/common/common/base64.cc
index a2d000400398c..9eab86b1c48bc 100644
--- a/source/common/common/base64.cc
+++ b/source/common/common/base64.cc
@@ -7,6 +7,7 @@
 #include "source/common/common/empty_string.h"
 
 #include "absl/container/fixed_array.h"
+#include "absl/strings/str_cat.h"
 
 namespace Envoy {
 namespace {
@@ -237,7 +238,7 @@ std::string Base64::encode(const char* input, uint64_t length, bool add_padding)
 void Base64::completePadding(std::string& encoded) {
   if (encoded.length() % 4 != 0) {
     std::string trailing_padding(4 - encoded.length() % 4, '=');
-    encoded.append(trailing_padding);
+    absl::StrAppend(&encoded, trailing_padding);
   }
 }
 
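Review bot: Building `trailing_padding` only to hand it to `absl::StrAppend` on the `+` line still allocates a temporary std::string for at most three characters, and that call is the sole reason for the `absl/strings/str_cat.h` include added in the previous hunk. `encoded.append(4 - encoded.length() % 4, '=');` appends the same characters in one call with no temporary and no new dependency, so the include can be dropped as well. Separately, a length of 1 mod 4 is not a valid base64 length for any byte string, and for such input this function appends `===`, which no strict decoder accepts; the caller in this series passes the already-parsed `payload_str_base64url_`, so it is unlikely to hit that case, but as a public utility the precondition is worth stating above the `if`: `// Precondition: encoded.length() % 4 != 1 (no valid base64 string has that length); such input is padded to "===" and left for the decoder to reject.`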