Skip to content

gcp_authn: Override any existing value in the request header that includes authn: Bearer id token #22934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yanavlasov merged 4 commits into from
Sep 19, 2022
Merged

gcp_authn: Override any existing value in the request header that includes authn: Bearer id token #22934

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b085955
Overide any existing value in the request header with authn: Bearer i…
tyxia Sep 1, 2022
09d6db7
Merge branch 'main' of https://github.com/envoyproxy/envoy into header
tyxia Sep 15, 2022
aec68ad
add the ttest coverage
tyxia Sep 15, 2022
fc6ce91
fix typo
tyxia Sep 16, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ namespace GcpAuthn {
namespace {
void addTokenToRequest(Http::RequestHeaderMap& hdrs, absl::string_view token_str) {
std::string id_token = absl::StrCat("Bearer ", token_str);
hdrs.addCopy(authorizationHeaderKey(), id_token);
hdrs.setCopy(authorizationHeaderKey(), id_token);
}
} // namespace

Expand Down
18 changes: 14 additions & 4 deletions test/extensions/filters/http/gcp_authn/gcp_authn_filter_integration_test.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,8 +89,14 @@ class GcpAuthnFilterIntegrationTest : public testing::TestWithParam<Network::Add
{":method", "POST"}, {":path", "/"}, {":scheme", "http"}, {":authority", "host"}},
"test");
} else {
response_ = codec_client_->makeHeaderOnlyRequest(Http::TestRequestHeaderMapImpl{
{":method", "GET"}, {":path", "/"}, {":scheme", "http"}, {":authority", "host"}});
response_ = codec_client_->makeHeaderOnlyRequest(
Http::TestRequestHeaderMapImpl{{":method", "GET"},
{":path", "/"},
{":scheme", "http"},
{":authority", "host"},
// Add a pair with `Authorization` as the key for
// verification of header map overridden behavior.
{"Authorization", "test"}});
}
}

Expand Down Expand Up @@ -145,8 +151,12 @@ class GcpAuthnFilterIntegrationTest : public testing::TestWithParam<Network::Add
ASSERT_FALSE(upstream_request_->headers().get(authorizationHeaderKey()).empty());
// The expected ID token is in format of `Bearer ID_TOKEN`
std::string id_token = absl::StrCat("Bearer ", MockTokenString);
// Verify the request header modification: the token returned from authentication server
// has been added to the request header that is sent to destination upstream.
// Verify the request header modification:
// 1) Only one entry with authorization header key. i.e., Any existing values should be
// overridden by response from authentication server.
EXPECT_EQ(upstream_request_->headers().get(authorizationHeaderKey()).size(), 1);
// 2) the token returned from authentication server has been added to the request header that
// is sent to destination upstream.
EXPECT_EQ(
upstream_request_->headers().get(authorizationHeaderKey())[0]->value().getStringView(),
id_token);
Expand Down