From 0800a1dbe33f42e42794742674aa7d487b6b7e36 Mon Sep 17 00:00:00 2001
From: "jan.kozlowski"
Date: Mon, 22 Jul 2024 13:42:08 +0200
Subject: [PATCH] set failedStatusInMetadata only for envoys >v1.25.x
---
 .../servicemesh/envoycontrol/groups/Groups.kt | 1 +
 .../envoycontrol/groups/MetadataNodeGroup.kt | 5 ++++
 .../listeners/filters/JwtFilterFactory.kt | 25 +++++++++----------
 3 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt
index 44e00d836..8caf656c0 100644
--- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt
+++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/Groups.kt
@@ -48,6 +48,7 @@ data class ListenersConfig(
 val accessLogPath: String = defaultAccessLogPath,
 val addUpstreamExternalAddressHeader: Boolean = defaultAddUpstreamExternalAddressHeader,
 val addUpstreamServiceTags: AddUpstreamServiceTagsCondition = AddUpstreamServiceTagsCondition.NEVER,
+ val addJwtFailureStatus: Boolean = false,
 val accessLogFilterSettings: AccessLogFilterSettings,
 val hasStaticSecretsDefined: Boolean = defaultHasStaticSecretsDefined,
 val useTransparentProxy: Boolean = defaultUseTransparentProxy
diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt
index b60a06edb..70680e3f4 100644
--- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt
+++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/groups/MetadataNodeGroup.kt
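Review bot: The new `addJwtFailureStatus` property on `ListenersConfig` carries no documentation, yet it is the switch that decides whether a proxy is sent `JwtProvider.failed_status_in_metadata`, so its meaning should be stated where it is declared, e.g. `/** True only when the node's Envoy is new enough to accept JwtProvider.failed_status_in_metadata; see MetadataNodeGroup. */`. It is also inserted in the middle of the primary constructor, and the one call site in this patch (the `return ListenersConfig(` in MetadataNodeGroup.kt) passes every argument positionally, with three adjacent `Boolean` parameters at the tail; naming the arguments at that call site (`addJwtFailureStatus = addJwtFailureStatus,`) would make future insertions safe to review. The default of `false` is the right fail-safe choice, since an unknown or absent version then never enables the field.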
@@ -12,6 +12,8 @@ import io.envoyproxy.envoy.config.core.v3.Node as NodeV3
 @Suppress("MagicNumber")
 val MIN_ENVOY_VERSION_SUPPORTING_UPSTREAM_METADATA = envoyVersion(1, 24)
+@Suppress("MagicNumber")
+val MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS = envoyVersion(1, 26)
 class MetadataNodeGroup(
 val properties: SnapshotProperties
@@ -133,6 +135,8 @@ class MetadataNodeGroup(
 val useTransparentProxy = metadata.fieldsMap["use_transparent_proxy"]?.boolValue
 ?: ListenersConfig.defaultUseTransparentProxy
+ val addJwtFailureStatus = envoyVersion.version >= MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS
+
 return ListenersConfig(
 listenersHostPort.ingressHost,
 listenersHostPort.ingressPort,
@@ -146,6 +150,7 @@ class MetadataNodeGroup(
 accessLogPath,
 addUpstreamExternalAddressHeader,
 addUpstreamServiceTags,
+ addJwtFailureStatus,
 accessLogFilterSettings,
 hasStaticSecretsDefined,
 useTransparentProxy
diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
index e99dbc798..a1d8d6d13 100644
--- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
+++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
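Review bot: `MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS = envoyVersion(1, 26)` is a bare magic version with no explanation of what breaks below it, while the neighbouring `MIN_ENVOY_VERSION_SUPPORTING_UPSTREAM_METADATA` sets the same precedent; a one-line KDoc such as `/** Oldest Envoy that accepts JwtProvider.failed_status_in_metadata; older nodes must not receive the field (see ListenersConfig.addJwtFailureStatus). */` would let a reader verify the bound against the Envoy changelog instead of trusting the commit title. The gate in the second hunk, `envoyVersion.version >= MIN_ENVOY_VERSION_SUPPORTING_JWT_FAILURE_STATUS`, is evaluated on whatever version the node reports about itself, presumably parsed from its discovery-request metadata, so the comment should also say that a missing or unparsable version is expected to fall on the conservative (`false`) side; I cannot see `envoyVersion`'s derivation in this hunk to confirm it does. The enclosing function of the second and third hunks starts and ends outside the diff.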
@@ -25,20 +25,27 @@ class JwtFilterFactory(
 private val properties: JwtFilterProperties
 ) {
- private val jwtProviders: Map = getJwtProviders()
+ private val jwtProviders: Map = getJwtProviders()
 private val clientToOAuthProviderName: Map = properties.providers.entries.flatMap { (providerName, provider) ->
 provider.matchings.keys.map { client -> client to providerName }
 }.toMap()
 fun createJwtFilter(group: Group): HttpFilter? {
- return if (shouldCreateFilter(group)) {
+ val finalizedJwtProviders =
+ if (group.listenersConfig?.addJwtFailureStatus == true && properties.failedStatusInMetadataEnabled) {
+ jwtProviders.mapValues { it.value.setFailedStatusInMetadata(properties.failedStatusInMetadata).build() }
+ } else {
+ jwtProviders.mapValues { it.value.clearFailedStatusInMetadata().build() }
+ }
+
+ return if (shouldCreateFilter(group)) {
 HttpFilter.newBuilder()
 .setName("envoy.filters.http.jwt_authn")
 .setTypedConfig(
 Any.pack(
 JwtAuthentication.newBuilder().putAllProviders(
- jwtProviders
+ finalizedJwtProviders
 )
 .addAllRules(createRules(group.proxySettings.incoming.endpoints))
 .build()
@@ -59,13 +66,12 @@ class JwtFilterFactory(
 private fun containsClientsWithSelector(it: IncomingEndpoint) =
 clientToOAuthProviderName.keys.intersect(it.clients.map { it.name }).isNotEmpty()
- private fun getJwtProviders(): Map =
+ private fun getJwtProviders(): Map =
 properties.providers.entries.associate { it.key to createProvider(it.value) }
- private fun createProvider(provider: OAuthProvider): JwtProvider {
- val jwtProvider = JwtProvider.newBuilder()
+ private fun createProvider(provider: OAuthProvider) = JwtProvider.newBuilder()
 .setRemoteJwks(
 RemoteJwks.newBuilder().setHttpUri(
 HttpUri.newBuilder()
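Review bot: `jwtProviders` now holds live `JwtProvider.Builder`s shared by every `createJwtFilter` call (the `.build()` inside each `mapValues` shows they are builders), and both branches mutate them in place with `setFailedStatusInMetadata` / `clearFailedStatusInMetadata` before building. If snapshots for different groups are ever produced concurrently — I cannot confirm that from this hunk — the two branches can interleave on the same builder, and a pre-1.26 Envoy may then be sent a provider with `failed_status_in_metadata` set, which is the very outcome the version gate exists to prevent; protobuf builders are not thread-safe. Copying before mutating removes the shared state: `jwtProviders.mapValues { it.value.clone().setFailedStatusInMetadata(properties.failedStatusInMetadata).build() }` and `jwtProviders.mapValues { it.value.clone().clearFailedStatusInMetadata().build() }` (or keep built `JwtProvider` messages and call `toBuilder()` per group). Separately, `finalizedJwtProviders` is computed before `shouldCreateFilter(group)` is consulted, so every provider is rebuilt even for groups that get no JWT filter at all; moving the computation inside the `if` branch avoids that work. `createJwtFilter` continues past the end of this hunk.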
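Review bot: `createProvider` loses its explicit return type on the `+ private fun createProvider(provider: OAuthProvider) = JwtProvider.newBuilder()` line, so the fact that it now yields a mutable builder instead of a `JwtProvider` message is only discoverable by reading the whole fluent chain, which runs past the end of this hunk. Because `getJwtProviders` and, through it, `createJwtFilter` now rely on exactly that builder-ness, spell it out: `private fun createProvider(provider: OAuthProvider): JwtProvider.Builder = JwtProvider.newBuilder()`. The type arguments of `Map` on the `getJwtProviders` and `jwtProviders` lines appear to have been stripped in this rendering, so I cannot check that the declared and returned types agree.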
@@ -81,13 +87,6 @@ class JwtFilterFactory(
 .setForwardPayloadHeader(properties.forwardPayloadHeader)
 .setPayloadInMetadata(properties.payloadInMetadata)
- if (properties.failedStatusInMetadataEnabled) {
- jwtProvider.setFailedStatusInMetadata(properties.failedStatusInMetadata)
- }
-
- return jwtProvider.build()
- }
-
 private fun createRules(endpoints: List): Set {
 return endpoints.mapNotNull(this::createRuleForEndpoint).toSet()
 }