Jwt_authn: first draft of Http filter implementation.

[qiwzhang]

Signed-off-by: Wayne Zhang qiwzhang@google.com

Description:
This is first draft of porting jwt authentication filter from istio/proxy to Envoy.

• jwt_verify repo code PR (Initial code google/jwt_verify_lib#4) is under review.
• test code will be added later into this PR. This PR is for people to review design.

Risk Level: Low

[qiwzhang]

@lizan @htuch Please help to review this design.

[htuch]

Some initial comments, nice to see this coming together.

[htuch]

Can you import (or export) these under some prefixed path?

[qiwzhang]

Done

[htuch]

This seems a general HTTP or core utility to have in Envoy.

[qiwzhang]

Done

[htuch]

Is there an RFC for canonical URI parsing to reference?

[qiwzhang]

Added RFC

[htuch]

Is the assumption here that the cluster will be configured for TLS? I'd be interesting in seeing some way to validate or warn if this isn't the case, since it would be a pretty bad misconfiguration to fetch certs or public keys without TLS.

[qiwzhang]

Normally, public key servers only support TLS. Users have to config cluster with TLS.

[htuch]

I'm OK with saying this, but I think it would make sense to document with a strong warning here. It would be pretty scary to get this one wrong.

[htuch]

Is the cache only for preconfigured keys or is there an ability to dynamically add to it? Please clarify in comments, thanks.

[qiwzhang]

Added comment

[htuch]

Nit: any chance we can drop the include/ part of this? It's just aesthetics, but yeah..

[qiwzhang]

Done

[htuch]

Nit: make these temporary variables const.

[qiwzhang]

Done

[htuch]

Just a thought; would a regex possibly be clearer?

[qiwzhang]

I think regex is much slower than string.find()

[htuch]

Maybe; but if you precompile the regex it could be fairly reasonable, see the ongoing discussion in #3269 (comment).

[htuch]

Needs a bunch of test covering expected and corner cases.

[qiwzhang]

Added test

[htuch]

tokens.empty()?

[qiwzhang]

Done

[htuch]

TODO(qiwzhang):

[qiwzhang]

Done

[htuch]

Nit: const

[qiwzhang]

Done

[htuch]

Given the above cache check is only for pre-configured JWKS, should we have a TODO here to add a cache for the fetchRemoteJwks() result? If we have two back-to-back requests for the same remote JWKS, I imagine we don't want to make two HTTP calls?

[qiwzhang]

Added TODO

[htuch]

I'm OK with saying this, but I think it would make sense to document with a strong warning here. It would be pretty scary to get this one wrong.

[htuch]

Nit: const

[htuch]

Nit: You can bring std::string body into here and make it a const std::string

[qiwzhang]

Done

[htuch]

@saumoh this is similar to what you do in ext_authz. Is there a bug here or is this a simpler way of looking at the side-call state?

[htuch]

Envoy doesn't allow static non-POD (like Google3), consider using ConstSingleton or the like.

[qiwzhang]

Done

[htuch]

Prefer constexpr and Envoy style naming such as PubKeyCacheExpirationSec for constant scalars.

[qiwzhang]

Done

[htuch]

Who is a qualified person to review this JWKS specific logic?

[qiwzhang]

This is NOT the JWKS specific. This is just our implementation based on the experience from Google cloud endpoint.
Updated the comment.

[htuch]

Nit: please use explicit sized types, e.g. uint32_t as per Envoy style, or if you're being compatible with an existing API, something like size_t as determined by the STL API.

[qiwzhang]

Done

[htuch]

Can you confirm that you've verified full test coverage on the new code?

[qiwzhang]

No, I did not have full test converge for the new code yet. I am still adding new tests into this PR.

[lizan]

I think you should push almost all of this code to jwt_verifier_lib, it doesn't have to belong to Envoy code base. The only dependency seems to be the configuration, but it is only audiences (vector) and jwks (string) so you should be able to pass by parameter.

[lizan]

ping

[qiwzhang]

I thought about it. It is NOT just a pure cache. It is a cached Jwks + issuer_config. For each request, we need to access per-issuer config, such as payload_header, and we also need to access cached Jwks. We only need to do one map lookup by issuer if we combine jwks with issuer_config. That is the current JwksCache design.

If we split into a separate pure JwksCache, then, I agree with you, it can be moved into Jwt_verify_lib.
Current design is try to reduce a map lookup by issuer.

[lizan]

issue config is just audience + jwks, no?

[qiwzhang]

also "forward_jwt" and "payload_header".
On second throught, I may go with your suggestion, it is cleaner. I will create a config_map to lookup config by issuer, and jwks_cache. If we use unorderred_map, lookup is O(1), it is OK to lookup twice.

[qiwzhang]

I tried, but decided to keep the current shape as: with new JwtAuthn config change (#3381), audience checking may not be in JwksCache object. Further re-factory is needed to support the config change.

[htuch]

Another round of feedback, looking like it's in good shape @qiwzhang. Can you ping me on this PR when you're done with this feedback and you have full test coverage? Thanks.

[htuch]

You probably want to test more corner cases, e.g. scheme://adf-scheme://adf, :// or /:/adsfetc. How do you handle invalid URIs as user input?

[qiwzhang]

Added some corner cases. Also updated the header file to say this function will NOT validate URI.

[htuch]

Should this be bool okToBypass() const; ?

[qiwzhang]

Done

[htuch]

Nit:s/jwks/JWKS/

[qiwzhang]

Done

[htuch]

How is in-progress fetching possible given we only get here via decodeHeaders? Should this just be an ASSERT?

[qiwzhang]

Updated the comment

[htuch]

Nit: const

[qiwzhang]

Done

[htuch]

Nit: != nullptr

[qiwzhang]

Done

[htuch]

Nit: std::make_unique

[qiwzhang]

Done

[htuch]

Nit: Unnecessary blank line.

[qiwzhang]

Removed

[htuch]

Nit: Be consistent in using : as a separator between these lines.

[qiwzhang]

Done

[htuch]

Is there a better name than factory here? E.g. ThreadLocalDataStore?

[qiwzhang]

Rename it to Config

[htuch]

Great, I think this is looking pretty good now, I would be interesting in @saumoh take.

[htuch]

What about URIs with ports in them, e.g. http://foo.com:1234/foo? I think in general URIs get pretty complicated, for example you can encode usernames and passwords in them. This is kind of why I was in favor of having some standard library for this. If the limitations here are acceptable for your needs, that's fine, just document them.

[qiwzhang]

returned host and path are used for message->headers() Host() and Path() field for http async client->Send() call. It is OK for host to have port. Updated comment for it

[htuch]

Nit: remove gratuitous blank line.

[qiwzhang]

Done

[htuch]

@saumoh can you comment on how this relates to the state machine and handling done for ext authz?

[htuch]

Is this RBAC?

[qiwzhang]

Sorry, copy & paste error. changed.

[htuch]

Probably cleaner to work with proto DurationUtil, e.g. DurationUtil::durationToMilliseconds.

[qiwzhang]

Done

[htuch]

Please add a one-liner // This test validates foo and bar. above each TEST_F.

[qiwzhang]

Done

[htuch]

Can you recommend someone who can review the JWT business logic in these tests?

[qiwzhang]

Actually these two tests are covered by jwt_verify_lib. So remove them here.

[htuch]

I can't spot this on the CI coverage report (https://53860-65214191-gh.circle-artifacts.com/0/build/envoy/generated/coverage/coverage.html), do you know why?

[qiwzhang]

Your coverage maybe from other PR coverage tests. I don't know how to check show coverage from PR coverage test. But from the test log it has jwks_cache.html which should reflect jwks_cache code coverage.

[qiwzhang]

@htuch please hold for another round of review. I am going to add filter_test and integration_test. After that will ping you for another round of review.

[qiwzhang]

@lizan @htuch This PR is ready for review. It only misses documentation which will be added as a separate PR. PTAL

[lizan]

Use HeaderMapImpl::appendToHeader?

[qiwzhang]

Sorry, this is not my change. I may "rebase" wrong change. Will fix it.

[lizan]

can we make this part an utility function for HttpUri, similar to Grpc::Common::prepareHeaders.

[qiwzhang]

Done

[lizan]

ping

[htuch]

@qiwzhang I'm taking another look. FYI for the future, it would be super helpful to reviewers if you avoided doing forced pushes, which it looks like you have been doing, since it's hard to spot the delta since the last round of comments.