envoyproxy · ggreenway · Oct 28, 2021 · Oct 25, 2021 · Oct 25, 2021 · Oct 26, 2021
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -20,6 +20,7 @@ Bug Fixes
 ---------
 *Changes expected to improve the state of the world and are unlikely to have negative effects*
 
+* ext_authz: fix the ext_authz network filter to correctly set response flag to ``UAEX`` when a connection is denied.
 * listener: fixed the crash when updating listeners that do not bind to port.
 * thrift_proxy: fix the thrift_proxy connection manager to correctly report success/error response metrics when performing :ref:`payload passthrough <envoy_v3_api_field_extensions.filters.network.thrift_proxy.v3.ThriftProxy.payload_passthrough>`.
 

@@ -88,26 +88,34 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
         NetworkFilterNames::get().ExtAuthorization, response->dynamic_metadata);
   }
 
+  bool denied = false;
   // Fail open only if configured to do so and if the check status was a error.
   if (response->status == Filters::Common::ExtAuthz::CheckStatus::Denied ||
       (response->status == Filters::Common::ExtAuthz::CheckStatus::Error &&
        !config_->failureModeAllow())) {
     config_->stats().cx_closed_.inc();
     filter_callbacks_->connection().close(Network::ConnectionCloseType::NoFlush);
+    denied = true;
   } else {
     // Let the filter chain continue.
     filter_return_ = FilterReturn::Continue;
     if (config_->failureModeAllow() &&
         response->status == Filters::Common::ExtAuthz::CheckStatus::Error) {
       // Status is Error and yet we are configured to allow traffic. Click a counter.
       config_->stats().failure_mode_allowed_.inc();
+      denied = true;
     }
 
     // We can get completion inline, so only call continue if that isn't happening.
     if (!calling_check_) {
       filter_callbacks_->continueReading();
     }
   }
+
+  if (denied) {
+    filter_callbacks_->connection().streamInfo().setResponseFlag(
+        StreamInfo::ResponseFlag::UnauthorizedExternalService);
+  }
 }
 
 } // namespace ExtAuthz

@@ -206,6 +206,8 @@ TEST_F(ExtAuthzFilterTest, DeniedWithOnData) {
       stats_store_.gauge("ext_authz.name.active", Stats::Gauge::ImportMode::Accumulate).value());
 
   EXPECT_CALL(filter_callbacks_.connection_, close(Network::ConnectionCloseType::NoFlush));
+  EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
+              setResponseFlag(StreamInfo::ResponseFlag::UnauthorizedExternalService));
   EXPECT_CALL(*client_, cancel()).Times(0);
   request_callbacks_->onComplete(makeAuthzResponse(Filters::Common::ExtAuthz::CheckStatus::Denied));
 
@@ -429,7 +431,8 @@ TEST_F(ExtAuthzFilterTest, ImmediateNOK) {
         EXPECT_EQ(ns, NetworkFilterNames::get().ExtAuthorization);
         EXPECT_TRUE(TestUtility::protoEqual(returned_dynamic_metadata, dynamic_metadata));
       }));
-
+  EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
+              setResponseFlag(StreamInfo::ResponseFlag::UnauthorizedExternalService));
   EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection());
   Buffer::OwnedImpl data("hello");
   EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data, false));