Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle invalid ext_authz request #462

Merged
merged 2 commits into from
Mar 25, 2024
Merged

Handle invalid ext_authz request #462

merged 2 commits into from
Mar 25, 2024

Conversation

guicassolato
Copy link
Collaborator

@guicassolato guicassolato commented Mar 25, 2024
edited
Loading

Improved handler for invalid ext_authz requests errors.

Verification steps

make cluster install run

In a separate shell: (Requires grpcurl)

grpcurl -plaintext -d @ localhost:50051 envoy.service.auth.v3.Authorization.Check <<EOF
{}
EOF

Before:

Authorino panics.

After:

Authorino handles the error nicely and the returns the following response:

{
  "status": {
    "code": 3
  },
  "deniedResponse": {
    "status": {
      "code": "BadRequest"
    },
    "headers": [
      {
        "header": {
          "key": "X-Ext-Auth-Reason",
          "value": "Invalid request"
        }
      }
    ]
  }
}

@guicassolato guicassolato mentioned this pull request Mar 25, 2024
Closed
@guicassolato guicassolato self-assigned this Mar 25, 2024
@guicassolato guicassolato requested a review from a team March 25, 2024 11:15
@guicassolato guicassolato force-pushed the fix-invalid-ext-authz-req branch from 066e996 to aef7ba0 Compare March 25, 2024 11:37
alexsnaps
alexsnaps approved these changes Mar 25, 2024
View reviewed changes
Makefile Show resolved Hide resolved
pkg/service/auth.go
Comment on lines 52 to 58
statusCodeMapping = map[rpc.Code]envoy_type.StatusCode{
rpc.OK: envoy_type.StatusCode_OK,
rpc.FAILED_PRECONDITION: envoy_type.StatusCode_BadRequest,
rpc.INVALID_ARGUMENT: envoy_type.StatusCode_BadRequest,
rpc.NOT_FOUND: envoy_type.StatusCode_NotFound,
rpc.UNAUTHENTICATED: envoy_type.StatusCode_Unauthorized,
rpc.PERMISSION_DENIED: envoy_type.StatusCode_Forbidden,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No related to this PR, just my curiosity... is this recognized by the compiler as a constant expression and optimized away? Or do we really end up with a HashMap on the heap?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would imagine it's implemented as a hashmap on the heap, but really not sure.

Otherwise, the compiler would have to ensure there's no writing to it despite declared as var, but I guess offering var and const is precisely the way it has to say "it's your problem, not mine."

My only comfort is that it's a map of known size upfront. Performance should be acceptable (somewhat near O(1) in Golang.) Of course, not better than a lookup at compilation time.

@guicassolato guicassolato merged commit a376cb6 into main Mar 25, 2024
10 checks passed
@guicassolato guicassolato deleted the fix-invalid-ext-authz-req branch March 25, 2024 16:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eguzki eguzki eguzki approved these changes

@alexsnaps alexsnaps alexsnaps approved these changes

Assignees

@guicassolato guicassolato

Labels
None yet
Projects
Kuadrant
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@guicassolato @alexsnaps @eguzki