diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 0d9dcd8fa1d65..aa15a1a0c365b 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -24,6 +24,7 @@ Bug Fixes
 ---------
 *Changes expected to improve the state of the world and are unlikely to have negative effects*
+* ext_authz: fix the ext_authz http filter to correctly set response flags to ``UAEX`` when a connection is denied.
 * ext_authz: fix the ext_authz network filter to correctly set response flag and code details to ``UAEX`` when a connection is denied.
 * listener: fixed the crash when updating listeners that do not bind to port.
 * thrift_proxy: fix the thrift_proxy connection manager to correctly report success/error response metrics when performing :ref:`payload passthrough `.
diff --git a/source/extensions/filters/http/ext_authz/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc
index 976f90786755e..9dbb86c015630 100644
--- a/source/extensions/filters/http/ext_authz/ext_authz.cc
+++ b/source/extensions/filters/http/ext_authz/ext_authz.cc
@@ -346,6 +346,9 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
 config_->httpContext().codeStats().chargeResponseStat(info, false);
 }
+ // setResponseFlag must be called before sendLocalReply
+ decoder_callbacks_->streamInfo().setResponseFlag(
+ StreamInfo::ResponseFlag::UnauthorizedExternalService);
 decoder_callbacks_->sendLocalReply( response->status_code, response->body, [&headers = response->headers_to_set,
@@ -365,8 +368,6 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
 }
 }, absl::nullopt, Filters::Common::ExtAuthz::ResponseCodeDetails::get().AuthzDenied);
- decoder_callbacks_->streamInfo().setResponseFlag(
- StreamInfo::ResponseFlag::UnauthorizedExternalService);
 break;
 }
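Review bot: The new comment above `setResponseFlag` in `Filter::onComplete` states the ordering rule but not the reason, so a later cleanup could move the call back without anyone noticing. If the reason is that `sendLocalReply` can complete the stream and emit the access log before it returns, say so, e.g. `// Set the flag first: sendLocalReply may finish the stream and write the access log, so a flag set afterwards is never recorded.` The `UAEX` flag is the access-log signal operators rely on to spot authorization denials, so silently losing it weakens detection and audit. The function starts and ends outside this hunk; any other `sendLocalReply` call sites in it that are not visible here should be checked for the same ordering.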
diff --git a/test/extensions/filters/http/ext_authz/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc
index 8f3033bd225a9..20ecd4331a11a 100644
--- a/test/extensions/filters/http/ext_authz/ext_authz_test.cc
+++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc
@@ -1916,14 +1916,15 @@ TEST_P(HttpFilterTestParam, DeniedResponseWith401) {
 Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, const StreamInfo::StreamInfo&) -> void { request_callbacks_ = &callbacks; }));
+
+ EXPECT_CALL(filter_callbacks_.stream_info_,
+ setResponseFlag(Envoy::StreamInfo::ResponseFlag::UnauthorizedExternalService));
 EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter_->decodeHeaders(request_headers_, false));
 Http::TestResponseHeaderMapImpl response_headers{{":status", "401"}};
 EXPECT_CALL(filter_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true));
 EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0);
- EXPECT_CALL(filter_callbacks_.stream_info_,
- setResponseFlag(Envoy::StreamInfo::ResponseFlag::UnauthorizedExternalService));
 Filters::Common::ExtAuthz::Response response{};
 response.status = Filters::Common::ExtAuthz::CheckStatus::Denied;
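Review bot: Moving the `setResponseFlag` expectation earlier in `DeniedResponseWith401` does not pin the ordering this fix depends on, because gMock expectations on `filter_callbacks_.stream_info_` and `filter_callbacks_` are unordered unless placed in a sequence. As far as this hunk shows, the test would therefore also pass with the flag set after the local reply, and the same applies to the `DeniedResponseWith403` hunk. Consider capturing the expectation, `testing::Expectation flag_set = EXPECT_CALL(filter_callbacks_.stream_info_, setResponseFlag(...));`, and adding `.After(flag_set)` to the `encodeHeaders_` expectation, assuming the mock's `sendLocalReply` is what drives `encodeHeaders_`. The test body continues outside the hunk, where the denied response is delivered.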
@@ -1948,14 +1949,15 @@ TEST_P(HttpFilterTestParam, DeniedResponseWith403) {
 Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks, const envoy::service::auth::v3::CheckRequest&, Tracing::Span&, const StreamInfo::StreamInfo&) -> void { request_callbacks_ = &callbacks; }));
+
+ EXPECT_CALL(filter_callbacks_.stream_info_,
+ setResponseFlag(Envoy::StreamInfo::ResponseFlag::UnauthorizedExternalService));
 EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark, filter_->decodeHeaders(request_headers_, false));
 Http::TestResponseHeaderMapImpl response_headers{{":status", "403"}};
 EXPECT_CALL(filter_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true));
 EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0);
- EXPECT_CALL(filter_callbacks_.stream_info_,
- setResponseFlag(Envoy::StreamInfo::ResponseFlag::UnauthorizedExternalService));
 Filters::Common::ExtAuthz::Response response{};
 response.status = Filters::Common::ExtAuthz::CheckStatus::Denied;