ext_authz: added support for the append_action in gRPC ExtAuthz

changelogs/current.yaml

@@ -123,6 +123,12 @@ minor_behavior_changes:
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*
+- area: ext_authz
+  change: |
+    Added support for the ``append_action`` enum in gRPC ExtAuthz ``OkHttpResponse.headers`` for upstream request header
+    mutations. Previously, only the deprecated ``append`` boolean was checked. Now ``APPEND_IF_EXISTS_OR_ADD``,
+    ``ADD_IF_ABSENT``, ``OVERWRITE_IF_EXISTS``, and ``OVERWRITE_IF_EXISTS_OR_ADD`` actions are fully supported,
+    providing parity with ``response_headers_to_add`` handling.
 - area: adaptive concurrency
   change: |
     Fixed a race condition in the gradient controller that allowed more outstanding requests than the concurrency limit,

source/extensions/filters/common/ext_authz/ext_authz.h

@@ -97,6 +97,12 @@ struct Response {
   // (using "addCopy") to the request to the upstream server.
   UnsafeHeaderVector headers_to_add{};
   // A set of HTTP headers returned by the authorization server, will be optionally added
+  // (using "addCopy") to the request to the upstream server only if the headers were not present.
+  UnsafeHeaderVector headers_to_add_if_absent{};
+  // A set of HTTP headers returned by the authorization server, will be optionally set (using
+  // "setCopy") to the request to the upstream server only if the headers were present.
+  UnsafeHeaderVector headers_to_overwrite_if_exists{};
+  // A set of HTTP headers returned by the authorization server, will be optionally added
   // (using "addCopy") to the response sent back to the downstream client on OK auth
   // responses.
   UnsafeHeaderVector response_headers_to_add{};

source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc

@@ -16,55 +16,62 @@ namespace Filters {
 namespace Common {
 namespace ExtAuthz {
 
-void copyHeaderFieldIntoResponse(
-    ResponsePtr& response,
-    const Protobuf::RepeatedPtrField<envoy::config::core::v3::HeaderValueOption>& headers) {
-  for (const auto& header : headers) {
-    if (header.append().value()) {
-      response->headers_to_append.emplace_back(header.header().key(), header.header().value());
-    } else {
-      response->headers_to_set.emplace_back(header.header().key(), header.header().value());
-    }
-  }
-}
-
-void copyOkResponseMutations(ResponsePtr& response,
-                             const envoy::service::auth::v3::OkHttpResponse& ok_response) {
-  copyHeaderFieldIntoResponse(response, ok_response.headers());
+namespace {
 
-  for (const auto& header : ok_response.response_headers_to_add()) {
+void processHeaderMutations(
+    const Protobuf::RepeatedPtrField<envoy::config::core::v3::HeaderValueOption>& headers,
+    UnsafeHeaderVector& to_append, UnsafeHeaderVector& to_set, UnsafeHeaderVector& to_add,
+    UnsafeHeaderVector& to_add_if_absent, UnsafeHeaderVector& to_overwrite_if_exists,
+    bool& saw_invalid_append_actions) {
+  for (const auto& header : headers) {
     if (header.has_append()) {
       if (header.append().value()) {
-        response->response_headers_to_add.emplace_back(header.header().key(),
-                                                       header.header().value());
+        to_append.emplace_back(header.header().key(), header.header().value());
       } else {
-        response->response_headers_to_set.emplace_back(header.header().key(),
-                                                       header.header().value());
+        to_set.emplace_back(header.header().key(), header.header().value());
       }
     } else {
       switch (header.append_action()) {
       case Router::HeaderValueOption::APPEND_IF_EXISTS_OR_ADD:
-        response->response_headers_to_add.emplace_back(header.header().key(),
-                                                       header.header().value());
+        to_add.emplace_back(header.header().key(), header.header().value());
         break;
       case Router::HeaderValueOption::ADD_IF_ABSENT:
-        response->response_headers_to_add_if_absent.emplace_back(header.header().key(),
-                                                                 header.header().value());
+        to_add_if_absent.emplace_back(header.header().key(), header.header().value());
         break;
       case Router::HeaderValueOption::OVERWRITE_IF_EXISTS:
-        response->response_headers_to_overwrite_if_exists.emplace_back(header.header().key(),
-                                                                       header.header().value());
+        to_overwrite_if_exists.emplace_back(header.header().key(), header.header().value());
         break;
       case Router::HeaderValueOption::OVERWRITE_IF_EXISTS_OR_ADD:
-        response->response_headers_to_set.emplace_back(header.header().key(),
-                                                       header.header().value());
+        to_set.emplace_back(header.header().key(), header.header().value());
         break;
       default:
-        response->saw_invalid_append_actions = true;
+        saw_invalid_append_actions = true;
         break;
       }
     }
   }
+}
+
+} // namespace
+
+void copyHeaderFieldIntoResponse(
+    ResponsePtr& response,
+    const Protobuf::RepeatedPtrField<envoy::config::core::v3::HeaderValueOption>& headers) {
+  processHeaderMutations(headers, response->headers_to_append, response->headers_to_set,
+                         response->headers_to_add, response->headers_to_add_if_absent,
+                         response->headers_to_overwrite_if_exists,
+                         response->saw_invalid_append_actions);
+}
+
+void copyOkResponseMutations(ResponsePtr& response,
+                             const envoy::service::auth::v3::OkHttpResponse& ok_response) {
+  copyHeaderFieldIntoResponse(response, ok_response.headers());
+
+  processHeaderMutations(ok_response.response_headers_to_add(), response->response_headers_to_add,
+                         response->response_headers_to_set, response->response_headers_to_add,
+                         response->response_headers_to_add_if_absent,
+                         response->response_headers_to_overwrite_if_exists,
+                         response->saw_invalid_append_actions);
 
   response->headers_to_remove = std::vector<std::string>{ok_response.headers_to_remove().begin(),
                                                          ok_response.headers_to_remove().end()};

source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc

@@ -43,6 +43,8 @@ const Response& errorResponse() {
                                             UnsafeHeaderVector{},
                                             UnsafeHeaderVector{},
                                             UnsafeHeaderVector{},
+                                            UnsafeHeaderVector{},
+                                            UnsafeHeaderVector{},
                                             false,
                                             {{}},
                                             Http::Utility::QueryParamsVector{},
@@ -423,6 +425,8 @@ ResponsePtr RawHttpClientImpl::toResponse(Http::ResponseMessagePtr message) {
                                 UnsafeHeaderVector{},
                                 UnsafeHeaderVector{},
                                 UnsafeHeaderVector{},
+                                UnsafeHeaderVector{},
+                                UnsafeHeaderVector{},
                                 false,
                                 std::move(headers_to_remove),
                                 Http::Utility::QueryParamsVector{},
@@ -447,6 +451,8 @@ ResponsePtr RawHttpClientImpl::toResponse(Http::ResponseMessagePtr message) {
                                   UnsafeHeaderVector{},
                                   UnsafeHeaderVector{},
                                   UnsafeHeaderVector{},
+                                  UnsafeHeaderVector{},
+                                  UnsafeHeaderVector{},
                                   false,
                                   {{}},
                                   Http::Utility::QueryParamsVector{},