ext_authz: added ability to detect partial request body data#6583
Conversation
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
|
As I continue testing with this, I am doubting that my simple solution to the issue in #6487 will be sufficient now that 1.10 is out the door and this PR would go in 1.11. @htuch @gsagula - could use advice here. Here is where I am having issues... I'm building my gRPC service (in go) to be 1.11 compatible with this field and so I can call (in go)
This is generally an issue with the new Im now realizing I should have been testing this more as #5824 was progressing. It may have been better to do something similar to the tap filter where the body is not a scalar type and thus not subject to this problem (i.e., it can be nil). Perhaps better is to swap out This would allow (in go) |
| // :ref:`allow_partial_message | ||
| // <envoy_api_field_config.filter.http.ext_authz.v2.BufferSettings.allow_partial_message>` | ||
| // is true. | ||
| bool partial_body = 12; |
There was a problem hiding this comment.
I was wondering if we should make it available for the HTTP client too. If not, can we add a comment somewhere in the docs that this is gRPC only?
There was a problem hiding this comment.
Ah, yeah, I totally missed this. This complicates things as it seems this extra field does not translate to a plain HTTP request. I suppose it could be added as a header (x-envoy-partial-body: 0|1)?
@brectanus-sigsci We could add it as header metadata, something like |
@gsagula Yes. Just came to that conclusion responding to your other comment. I am not sure a length adds anything here as you can get the length from body. Maybe just |
|
Sure. I thought about passing the size because it's useful info I guess, but either works. Up to you :) |
Would the size in the metadata ever be different than the string length of |
|
Sure, thanks for tackling it :) |
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
…ial data Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
… message Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
brectanus-sigsci
changed the title
gsagula
left a comment
gsagula
left a comment
There was a problem hiding this comment.
@brectanus-sigsci Overall looks pretty good. One small comment.
| buffer->copyOut(0, length, &data[0]); | ||
| httpreq.set_body(std::move(data)); | ||
|
|
||
| // Add in a header to detect when a partial body is used. |
There was a problem hiding this comment.
We may also want to check that this header does not exist when the request is not a partial message. WDYT?
There was a problem hiding this comment.
Not exactly sure what you mean here. Only send the header if the body was actually truncated? Or only send the header if the allow_partial_message option is set...
The metadata header is currently only there if max_request_bytes is set. In order to detect if this feature is available, I needed to send it with a bool (0|1) value (vs only sending the header if the body is partial). This way, in the gRPC service, you can use the logic "if the header is there, then it is coming from an envoy with this feature (v1.11+) and the value indicates partial or not. In this case the work is done for you, otherwise this is an older envoy and you need to detect this on your own using C-L header or other means."
Now, if you mean only write the header if the config option allow_partial_message: true, then yeah, that could be done, but I did not want to add another parameter to CheckRequestUtils::setHttpRequest to expose a check for this. I did not think it was worth it as it meant it was harder to determine from the gRPC service if the new partial flag feature was available. That is, if the header is not sent when allow_partial_message: false, then the gRPC service cannot tell if it is envoy v1.10 or the partial feature is disabled in v1.11.
If you think that the metadata header may get in people's way when allow_partial_message: false, then I can expose the config option as a parameter to CheckRequestUtils::setHttpRequest. Unless maybe you see another way to get access to the config option without it as a parameter?
There was a problem hiding this comment.
What happens if the client request contains x-envoy-auth-partial-body: 1 header? Not sure if we should trust the client.
There was a problem hiding this comment.
Good point. I'll skip that header during the copy.
gsagula
left a comment
gsagula
left a comment
There was a problem hiding this comment.
Awesome! Just one small comment about preventing x-envoy-auth-partial-body to be added outside the filter.
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
OK. Fix for this pushed with updated tests. |
gsagula
left a comment
gsagula
left a comment
There was a problem hiding this comment.
Just one last comment. Thank you!
docs/root/intro/version_history.rst
Outdated
| * http: mitigated a race condition with the :ref:`delayed_close_timeout<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.delayed_close_timeout>` where it could trigger while actively flushing a pending write buffer for a downstream connection. | ||
| * redis: add support for zpopmax and zpopmin commands. | ||
| * upstream: added :ref:`upstream_cx_pool_overflow <config_cluster_manager_cluster_stats>` for the connection pool circuit breaker. | ||
| * ext_authz: added a `x-envoy-auth-partial-body` metadata header set to `0|1` indicating if there is a partial body sent in the authorization request message. |
There was a problem hiding this comment.
Can you use alphabetical order here, please?
There was a problem hiding this comment.
ok, and also merged with master to fix the conflict
There was a problem hiding this comment.
lol, and that merge destroyed the alpha order I just fixed, so fixed it again. Sigh.
@gsagula Looks like that invalidated your review, too. Sorry.
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
|
🔨 rebuilding |
gsagula
left a comment
gsagula
left a comment
There was a problem hiding this comment.
@mattklein123 Would like to give it a final blessing? Thanks!
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
LGTM but I have a design question/comment. Thank you!
/wait-any
| bool use_alpha = 4 [deprecated = true]; | ||
|
|
||
| // Enables filter to buffer the client request body and send it within the authorization request. | ||
| // A ``x-envoy-auth-partial-body: 0|1`` metadata header will be added to the authorization |
There was a problem hiding this comment.
Personally I would do "true" and "false" here vs. "0" and "1" to clearly indicate boolean, but I don't feel strongly about it. WDYT? A more general question would be why use a header at all vs. adding a boolean field to the request proto?
There was a problem hiding this comment.
I suggested using headers here for a couple of reasons. Please see #6583 (comment) for details.
There was a problem hiding this comment.
@mattklein123 true|false vs 0|1 - I have no preference. The bool values are much clearer, so I can change that.
There was a problem hiding this comment.
If you have all already discussed headers vs. field and determined header is better that's fine with me, but yeah let's change to true/false if you don't mind. Thank you!
/wait
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
|
/retest |
|
🔨 rebuilding |
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
|
@brectanus-sigsci sorry needs a master merge. /wait |
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
Signed-off-by: Brian Rectanus <brectanus@signalsciences.com>
|
@mattklein123 conflict resolved. Hopefully checks pass the first time :) |
* master: docs: add extension policy (envoyproxy#6678) ext_authz: added ability to detect partial request body data (envoyproxy#6583) version_history.rst: jwt_authn change missed 1.10.0 (envoyproxy#6684) docs: fix link in pull request template (envoyproxy#6679) Explicitly convert absl::string_view to std::string. (envoyproxy#6687) docs: improving watermark docs/comments (envoyproxy#6683) http filter: add CSRF filter (envoyproxy#6470) event: reintroduce dispatcher stats (envoyproxy#6659) security: postmortem for CVE-2019-990[01] (envoyproxy#6597) Improve build rules for (test only) library quic_port_utils. (envoyproxy#6672) spell check: skip unsupported extensions when called with a file (envoyproxy#6648) Changed TestHooks to ListenerHooks (envoyproxy#6642) proto: move extension-specific linking validation into extensions (envoyproxy#6657) stats: add/test heterogenous set of StatNameStorage objects. (envoyproxy#6504) docs: move xds protocol to rst (envoyproxy#6670) fix version history order (envoyproxy#6671) Signed-off-by: Michael Puncel <mpuncel@squareup.com>
4 participants
This adds a
x-envoy-auth-partial-body: false|truemetadata header to the CheckRequest call (see #6487). This header is set totruewhen partial body data is sent in the call when themax_request_bytessetting has been exceeded and theallow_partial_dataoption is set.Fixes #6487
Risk Level: low
Testing: unit
Docs Changes: yes
Release Notes: yes