Add the support of bypassing JWT authn for CORS requests#2139
Merged
istio-testing merged 4 commits intoistio:masterfrom Mar 5, 2019
Merged
Add the support of bypassing JWT authn for CORS requests#2139istio-testing merged 4 commits intoistio:masterfrom
istio-testing merged 4 commits intoistio:masterfrom
Conversation
googlebot
added
the
cla: yes
qiwzhang
reviewed
Mar 5, 2019
| // Per the spec | ||
| // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0, CORS | ||
| // pre-flight requests shouldn't include user credentials. | ||
| if (headers_->Method() && |
Contributor
There was a problem hiding this comment.
how about bail out earlier, like in line 63?
qiwzhang
reviewed
Mar 5, 2019
| // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0, CORS | ||
| // pre-flight requests shouldn't include user credentials. | ||
| if (headers_->Method() && | ||
| LowerCaseString(kOptionsHttpMethod) == |
Contributor
There was a problem hiding this comment.
I think Envoy has fixed string for OPTIONS
Contributor
There was a problem hiding this comment.
I prefer to do this check in Fitler.cc right inside the decodeHeaders().
Contributor
Author
There was a problem hiding this comment.
decodeHeaders() does not have tests. Placing the check in Verify() will enable tests. Plus, placing the check in Verify() is equivalent to placing the check in decodeHeaders().
Contributor
Author
There was a problem hiding this comment.
Done: changed to use the OPTIONS fixed string from Envoy.
Contributor
|
Could you help to add this for Envoy one too? It is here |
Contributor
Author
|
Sure, I can add this PR to Envoy repo after this PR is merged. The PR for the Envoy repo is at: envoyproxy/envoy#6181. |
qiwzhang
reviewed
Mar 5, 2019
| // pre-flight requests shouldn't include user credentials. | ||
| if (headers_->Method() && | ||
| LowerCaseString(kOptionsHttpMethod) == | ||
| LowerCaseString(Http::Headers::get().MethodValues.Options) == |
Contributor
There was a problem hiding this comment.
Why do we need to lower case the method? I thought http methods are pre-defined, they are always upper case.
Contributor
Author
There was a problem hiding this comment.
Done: lowercase method has been removed.
Collaborator
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lei-tang, qiwzhang The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
lizan
reviewed
Mar 6, 2019
| // Per the spec | ||
| // http://www.w3.org/TR/cors/#cross-origin-request-with-preflight-0, CORS | ||
| // pre-flight requests shouldn't include user credentials. | ||
| if (headers_->Method() && Http::Headers::get().MethodValues.Options == |
Contributor
There was a problem hiding this comment.
This bypasses too many requests, e.g. WebDAV uses OPTIONS for different purpose and those shouldn't be bypassed.
Contributor
Author
There was a problem hiding this comment.
#2140 is created to add more checks for CORS requests.
lei-tang
added a commit
to lei-tang/proxy
that referenced
this pull request
Apr 10, 2019
* Add the support of bypassing JWT authn for CORS requests * Bail out earlier for CORS preflight requests * Use OPTIONS constant value from Envoy * Remove changing to lowercase
lei-tang
added a commit
to lei-tang/proxy
that referenced
this pull request
Apr 12, 2019
* Add the support of bypassing JWT authn for CORS requests * Bail out earlier for CORS preflight requests * Use OPTIONS constant value from Envoy * Remove changing to lowercase
istio-testing
pushed a commit
that referenced
this pull request
May 1, 2019
* Forwarded attributes override statically configured Local Attributes (#2097) * WIP * add local and override tests * revert attributes_builder * white list forward attributes * add tests with whitelist * fix builder test for white listed attributes * ignore istio.mixer in report (#2098) Signed-off-by: Lizan Zhou <lizan@tetrate.io> * whitelist kSourceNamespace attribute (#2100) * Update software in the build image used by CircleCI. (#2110) Signed-off-by: Piotr Sikora <piotrsikora@google.com> * Add flag indicating current semantics of report batch (#2111) * Add flag indicating current semantics of report batch * Fix Unit Test * Update Envoy SHA to latest with deterministic hash (master). (#2108) * Update Envoy SHA to latest with deterministic hash (master). Signed-off-by: Piotr Sikora <piotrsikora@google.com> * review: use lld linker for clang-asan and clang-tsan. Signed-off-by: Piotr Sikora <piotrsikora@google.com> * review: export PATH. Signed-off-by: Piotr Sikora <piotrsikora@google.com> * Update Envoy SHA to latest with deterministic hash (release-1.1). (#2109) * Update Envoy SHA to latest with deterministic hash (release-1.1). Signed-off-by: Piotr Sikora <piotrsikora@google.com> * review: use lld linker for clang-asan and clang-tsan. Signed-off-by: Piotr Sikora <piotrsikora@google.com> * review: export PATH. Signed-off-by: Piotr Sikora <piotrsikora@google.com> * remove unused bytestring include from sni_verifier for openssl (#2112) * Added client/server load test framework to find mixer faults. (#2105) This is a load generator client + origin server I created to test the Mixer filter under various fault conditions using Envoy's client and server stacks. This work falls under [istio/istio#8224](istio/istio#8224) @PiotrSikora @jplevyak would love your feedback because it could be used for the wasm work and especially because this is the first >=C++11 code I've written See test/integration/int_client_server_test.cc if you want to start with an example for context. Another example that uses this framework to sandwich Envoy+Mixer filter between the load generator and multiple origin servers simulating Mixer servers can be found in [istio/istio#8224](istio/istio#8224) * Warn user of using mTLS PERMISSIVE mode and suggest to upgrade to STRICT mode (#2114) * Warn user of using mTLS PERMISSIVE mode and suggest to upgrade to STRICT mode. Signed-off-by: Yangmin Zhu <ymzhu@google.com> * fix format * check in constructor * Update to latest istio/api on release-1.1 branch (#2115) * Update to latest istio/api on release-1.1 branch * Update istio/api to latest release-1.1 * Added simple logging abstraction so mixer client logs can be relayed to envoy logs. (#2116) * Added simple logging abstraction so mixer client logs can be relayed to envoy logs when running inside envoy, stderr when running standalone. * Log threshold guards that prevent needless serialization of logging arguments are now embedded in the log macros. * Format * Added do/while guards around logging statements. * Coalesce all memory for checks and reports into shared pointers (#2117) * Coalesce all memory for policy check requests and telemetry reports into shared pointers that live as long as a request's mixer filter instance. * A few small fixups for the code review. * Address some minor nits from code review. * Additional counters for mixer policy check (#2118) * Coalesce all memory for policy check requests and telemetry reports into shared pointers that live as long as a request's mixer filter instance. * A few small fixups for the code review. * Added finer-grained counters to mixer policy check * Add retries to policy checks on failed transport error (#2113) * Add configurable retry to policy/quota checks that failed due to transport error. * Added assertions on mixer filter stats to mixer fault test. * Reformat * Fix inaccurate comment. ` * Fix asan warning (thanks @silentdai!) and exclude mixer_fault_test from the asan and tsan sanitizers since it always times out. * Fix bad prefix check * Pull in latest istio/api from release-1.1 branch (#2120) * Add Joshua into proxy OWNER (#2121) * log authn permissive mode only when config is received (#2125) * log authn permissive mode only when config is received Signed-off-by: Yangmin Zhu <ymzhu@google.com> * fix format * fix build * clang-6/gcc: compiler barking fix (#2123) * compiler barking Signed-off-by: Kuat Yessenov <kuat@google.com> * piotrs fix Signed-off-by: Kuat Yessenov <kuat@google.com> * Add additional telemetry report counters (#2128) * Added counters to track telemetry report result. * reformat * replace tabs with spaces * Replace more tab with spaces. * New api sha for proxy (#2130) * API sha just changed, chanign it again for proxy (#2131) * Remove myself from owners add utka instead (#2129) * implement upstream secure bit (#2133) Signed-off-by: Kuat Yessenov <kuat@google.com> * Deflake macos MixerFaultTest by broadening assertion ranges. (#2126) * Deflake macos MixerFaultTest by broadening assertion ranges. Fix flake in macos tests that was introduced by #2113 * Cleanup a few readability issues and add an assertion. * More redability changes. * API sha for proxy (#2136) * Revert "implement upstream secure bit (#2133)" (#2135) This reverts commit d857bdd. * Add the support of bypassing JWT authn for CORS requests (#2139) * Add the support of bypassing JWT authn for CORS requests * Bail out earlier for CORS preflight requests * Use OPTIONS constant value from Envoy * Remove changing to lowercase * Add more checks for CORS preflight requests (#2140) * Rc3. new API sha for proxy. (#2146) * API sha for proxy * API sha for proxy * update envoy with latest build fixes (#2147) * update envoy with latest build fixes Signed-off-by: Lizan Zhou <lizan@tetrate.io> * update protobuf to match envoy Signed-off-by: Lizan Zhou <lizan@tetrate.io> * timeSystem -> timeSource Signed-off-by: Lizan Zhou <lizan@tetrate.io> * requesting to add myself as a reviewer/approver (#2148) I have 39 commits in this repo. * update envoy to pick up TLS logging for HTTP upstream (#2149) Signed-off-by: Lizan Zhou <lizan@tetrate.io> * Building 1.1rc4 (#2150) * fix build Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fix format Signed-off-by: Lizan Zhou <lizan@tetrate.io> * fix status match Signed-off-by: Lizan Zhou <lizan@tetrate.io> * Fixes environment-dependent failures in MixerFaultTest (#2156) * Removed explicit log-level setting from tests, as it was interfering with cli '-l' option (#2155) * Update_Dependencies (#2178) * Update envoy sha and fix bulid break (#2179) * update envoy sha * fix build * Remove bazel shutdown from make deb * Ignore error code returned from bazel shutdown
duderino
pushed a commit
that referenced
this pull request
Jun 13, 2019
…ts" to release 1.1 (#2165) * Add the support of bypassing JWT authn for CORS requests (#2139) * Add the support of bypassing JWT authn for CORS requests * Bail out earlier for CORS preflight requests * Use OPTIONS constant value from Envoy * Remove changing to lowercase * Add more checks for CORS preflight requests (#2140)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it: Add the support of bypassing JWT authn for CORS requests
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #651Special notes for your reviewer:
Release note: