Skip to content

Commit

Permalink
set failedStatusInMetadata only for envoys >v1.25.x
Browse files Browse the repository at this point in the history
  • Loading branch information
kozjan committed Jul 22, 2024
1 parent 6c83109 commit 0800a1d
Show file tree
Hide file tree
Showing 3 changed files with 18 additions and 13 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ data class ListenersConfig(
val accessLogPath: String = defaultAccessLogPath,
val addUpstreamExternalAddressHeader: Boolean = defaultAddUpstreamExternalAddressHeader,
val addUpstreamServiceTags: AddUpstreamServiceTagsCondition = AddUpstreamServiceTagsCondition.NEVER,
val addJwtFailureStatus: Boolean = false,
val accessLogFilterSettings: AccessLogFilterSettings,
val hasStaticSecretsDefined: Boolean = defaultHasStaticSecretsDefined,
val useTransparentProxy: Boolean = defaultUseTransparentProxy
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ import io.envoyproxy.envoy.config.core.v3.Node as NodeV3

@Suppress("MagicNumber")
val MIN_ENVOY_VERSION_SUPPORTING_UPSTREAM_METADATA = envoyVersion(1, 24)
@Suppress("MagicNumber")
val MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS = envoyVersion(1, 26)

class MetadataNodeGroup(
val properties: SnapshotProperties
Expand Down Expand Up @@ -133,6 +135,8 @@ class MetadataNodeGroup(
val useTransparentProxy = metadata.fieldsMap["use_transparent_proxy"]?.boolValue
?: ListenersConfig.defaultUseTransparentProxy

val addJwtFailureStatus = envoyVersion.version >= MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS

return ListenersConfig(
listenersHostPort.ingressHost,
listenersHostPort.ingressPort,
Expand All @@ -146,6 +150,7 @@ class MetadataNodeGroup(
accessLogPath,
addUpstreamExternalAddressHeader,
addUpstreamServiceTags,
addJwtFailureStatus,
accessLogFilterSettings,
hasStaticSecretsDefined,
useTransparentProxy
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,20 +25,27 @@ class JwtFilterFactory(
private val properties: JwtFilterProperties
) {

private val jwtProviders: Map<ProviderName, JwtProvider> = getJwtProviders()
private val jwtProviders: Map<ProviderName, JwtProvider.Builder> = getJwtProviders()
private val clientToOAuthProviderName: Map<String, String> =
properties.providers.entries.flatMap { (providerName, provider) ->
provider.matchings.keys.map { client -> client to providerName }
}.toMap()

fun createJwtFilter(group: Group): HttpFilter? {
return if (shouldCreateFilter(group)) {
val finalizedJwtProviders =
if (group.listenersConfig?.addJwtFailureStatus == true && properties.failedStatusInMetadataEnabled) {
jwtProviders.mapValues { it.value.setFailedStatusInMetadata(properties.failedStatusInMetadata).build() }
} else {
jwtProviders.mapValues { it.value.clearFailedStatusInMetadata().build() }
}

return if (shouldCreateFilter(group)) {
HttpFilter.newBuilder()
.setName("envoy.filters.http.jwt_authn")
.setTypedConfig(
Any.pack(
JwtAuthentication.newBuilder().putAllProviders(
jwtProviders
finalizedJwtProviders
)
.addAllRules(createRules(group.proxySettings.incoming.endpoints))
.build()
Expand All @@ -59,13 +66,12 @@ class JwtFilterFactory(
private fun containsClientsWithSelector(it: IncomingEndpoint) =
clientToOAuthProviderName.keys.intersect(it.clients.map { it.name }).isNotEmpty()

private fun getJwtProviders(): Map<ProviderName, JwtProvider> =
private fun getJwtProviders(): Map<ProviderName, JwtProvider.Builder> =
properties.providers.entries.associate {
it.key to createProvider(it.value)
}

private fun createProvider(provider: OAuthProvider): JwtProvider {
val jwtProvider = JwtProvider.newBuilder()
private fun createProvider(provider: OAuthProvider) = JwtProvider.newBuilder()
.setRemoteJwks(
RemoteJwks.newBuilder().setHttpUri(
HttpUri.newBuilder()
Expand All @@ -81,13 +87,6 @@ class JwtFilterFactory(
.setForwardPayloadHeader(properties.forwardPayloadHeader)
.setPayloadInMetadata(properties.payloadInMetadata)

if (properties.failedStatusInMetadataEnabled) {
jwtProvider.setFailedStatusInMetadata(properties.failedStatusInMetadata)
}

return jwtProvider.build()
}

private fun createRules(endpoints: List<IncomingEndpoint>): Set<RequirementRule> {
return endpoints.mapNotNull(this::createRuleForEndpoint).toSet()
}
Expand Down

0 comments on commit 0800a1d

Please sign in to comment.