Skip to content
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/root/version_history/current.rst
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ Bug Fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* ext_authz: fix the ext_authz network filter to correctly set response flag and code details to ``UAEX`` when a connection is denied.
* listener: fixed the crash when updating listeners that do not bind to port.
* thrift_proxy: fix the thrift_proxy connection manager to correctly report success/error response metrics when performing :ref:`payload passthrough <envoy_v3_api_field_extensions.filters.network.thrift_proxy.v3.ThriftProxy.payload_passthrough>`.

Expand Down
12 changes: 12 additions & 0 deletions source/extensions/filters/network/ext_authz/ext_authz.cc
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,13 @@ namespace Extensions {
namespace NetworkFilters {
namespace ExtAuthz {

// Response code details when the check method gets a denied response from the external auth
// service.
constexpr absl::string_view AuthzDenied = "ext_authz_denied";

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please de-duplicate these and move to source/extensions/filters/common/ext_authz/ext_authz.h

// Response code details when the check method experiences (network) failure in a fail-close
// (failure_mode_allow is true) setup.
constexpr absl::string_view AuthzError = "ext_authz_error";

InstanceStats Config::generateStats(const std::string& name, Stats::Scope& scope) {
const std::string final_prefix = fmt::format("ext_authz.{}.", name);
return {ALL_TCP_EXT_AUTHZ_STATS(POOL_COUNTER_PREFIX(scope, final_prefix),
Expand Down Expand Up @@ -94,6 +101,11 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
!config_->failureModeAllow())) {
config_->stats().cx_closed_.inc();
filter_callbacks_->connection().close(Network::ConnectionCloseType::NoFlush);
filter_callbacks_->connection().streamInfo().setResponseFlag(
StreamInfo::ResponseFlag::UnauthorizedExternalService);
filter_callbacks_->connection().streamInfo().setResponseCodeDetails(
response->status == Filters::Common::ExtAuthz::CheckStatus::Denied ? AuthzDenied
: AuthzError);
} else {
// Let the filter chain continue.
filter_return_ = FilterReturn::Continue;
Expand Down
13 changes: 12 additions & 1 deletion test/extensions/filters/network/ext_authz/ext_authz_test.cc
Original file line number Diff line number Diff line change
Expand Up @@ -206,6 +206,10 @@ TEST_F(ExtAuthzFilterTest, DeniedWithOnData) {
stats_store_.gauge("ext_authz.name.active", Stats::Gauge::ImportMode::Accumulate).value());

EXPECT_CALL(filter_callbacks_.connection_, close(Network::ConnectionCloseType::NoFlush));
EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
setResponseFlag(StreamInfo::ResponseFlag::UnauthorizedExternalService));
EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
setResponseCodeDetails("ext_authz_denied"));
EXPECT_CALL(*client_, cancel()).Times(0);
request_callbacks_->onComplete(makeAuthzResponse(Filters::Common::ExtAuthz::CheckStatus::Denied));

Expand Down Expand Up @@ -276,6 +280,10 @@ TEST_F(ExtAuthzFilterTest, FailClose) {

EXPECT_CALL(filter_callbacks_.connection_, close(_));
EXPECT_CALL(filter_callbacks_, continueReading()).Times(0);
EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
setResponseFlag(StreamInfo::ResponseFlag::UnauthorizedExternalService));
EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
setResponseCodeDetails("ext_authz_error"));
request_callbacks_->onComplete(makeAuthzResponse(Filters::Common::ExtAuthz::CheckStatus::Error));

EXPECT_EQ(0U, stats_store_.counter("ext_authz.name.disabled").value());
Expand Down Expand Up @@ -429,7 +437,10 @@ TEST_F(ExtAuthzFilterTest, ImmediateNOK) {
EXPECT_EQ(ns, NetworkFilterNames::get().ExtAuthorization);
EXPECT_TRUE(TestUtility::protoEqual(returned_dynamic_metadata, dynamic_metadata));
}));

EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
setResponseFlag(StreamInfo::ResponseFlag::UnauthorizedExternalService));
EXPECT_CALL(filter_callbacks_.connection_.stream_info_,
setResponseCodeDetails("ext_authz_denied"));
EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection());
Buffer::OwnedImpl data("hello");
EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data, false));
Expand Down