jwt_authn: Support extraction of JWT from Cookies in JWT Extension

[theshubhamp]

Support extraction of JWT from Cookies in JWT Extension

Added "from_cookies" config directive to jwt_authn that enables JWT extraction from request cookies.

Risk Level: low
Testing: unit tests
Docs Changes: Updated docs/root/configuration/http/http_filters/jwt_authn_filter.rst
Release Notes: Updated docs/root/version_history/current.rst
Platform Specific Features: None

Fixes #17424

Signed-off-by: Shubham Patil theshubhamp@gmail.com

[repokitteh-read-only]

Hi @theshubhamp, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #17721 was opened by theshubhamp.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @adisuissa
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #17721 was opened by theshubhamp.

see: more, trace.

[theshubhamp]

Running tools/code_format/check_format.py fix made a few formatting changes related to my change. I have left them out of this PR.

	modified:   api/envoy/config/filter/http/jwt_authn/v2alpha/config.proto
	modified:   api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
	modified:   api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
	modified:   generated_api_shadow/envoy/config/filter/http/jwt_authn/v2alpha/config.proto
	modified:   generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
	modified:   generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
	modified:   test/common/http/header_map_impl_test.cc

Example:

LMK if these should be included.

[theshubhamp]

This is very similar to the existing code in source/common/http/utility.cc #L257-L282

Could not use it as-is because that'd scan over cookies multiple times. Any suggestions on merging them together ?

[rojkov]

Perhaps you could introduce something like void forEachCookie(const Http::HeaderMap::GetResult cookie_headers, std::function<bool(...)> fn) where fn is a closure dealing with a cookie and returning false to stop iteration.

[theshubhamp]

Thanks for the suggestion! Was able to get this working locally 👍

I would prefer to do this change in a follow-up PR. I hope that's okay.

[rojkov]

Yes, a follow-up would be Ok. Just put a TODO note to the function.

[lizan]

The other places using parseCookieValue would be benefit from this logic if you see how oauth2 filter use it.

https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/http/oauth2/filter.cc#L141-L143

I would suggest you to land the refactoring before this PR.

[theshubhamp]

Cool, I'll do that first

[rojkov]

Thank you! Added a couple of suggestions.

[rojkov]

Perhaps you could introduce something like void forEachCookie(const Http::HeaderMap::GetResult cookie_headers, std::function<bool(...)> fn) where fn is a closure dealing with a cookie and returning false to stop iteration.

[qiwzhang]

LGTM on jwt_authn extractor code . Thanks.

[theshubhamp]

Thanks @rojkov for your review! Commented on your suggestions, PTAL.

Thanks @qiwzhang for your approval! Unfortunately it got reset because of a small test data change I just pushed. PTAL again.

[rojkov]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17721 (comment) was created by @rojkov.

see: more, trace.

[theshubhamp]

Pushed a commit ^ that adds TODO for cookie iterator improvements suggested in the review.

[theshubhamp]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17721 (comment) was created by @theshubhamp.

see: more, trace.

[rojkov]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17721 (comment) was created by @rojkov.

see: more, trace.

[rojkov]

Thanks! Looks good to me

[theshubhamp]

cc: @lizan, this PR requires a mandatory review from you. PTAL whenever you can!

[lizan]

/wait

[lizan]

Move this block after from_params.

This doesn't have to be ordered by field tag.

[theshubhamp]

Done, thanks for pointing this out

[lizan]

The other places using parseCookieValue would be benefit from this logic if you see how oauth2 filter use it.

https://github.com/envoyproxy/envoy/blob/main/source/extensions/filters/http/oauth2/filter.cc#L141-L143

I would suggest you to land the refactoring before this PR.

[lizan]

Use NOT_IMPLEMENTED_GCOVR_EXCL_LINE

[theshubhamp]

Added below the comment

[theshubhamp]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #17721 (comment) was created by @theshubhamp.

see: more, trace.

[adisuissa]

/lgtm api

[lizan]

can you resolve conflicts?

[theshubhamp]

Merged in master and resolved conflicts. PTAL!

[rojkov]

Thank you! Looks good to me.