ext_authz: Check for cluster before sending HTTP request (envoyproxy#…

…8144) Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
danzh2010 · Sep 24, 2019 · 30382fc · 30382fc
1 parent 22b3a0d
commit 30382fc
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc
@@ -202,9 +202,20 @@ void RawHttpClientImpl::check(RequestCallbacks& callbacks,
         std::make_unique<Buffer::OwnedImpl>(request.attributes().request().http().body());
   }
 
-  request_ = cm_.httpAsyncClientForCluster(config_->cluster())
-                 .send(std::move(message), *this,
-                       Http::AsyncClient::RequestOptions().setTimeout(config_->timeout()));
+  const std::string& cluster = config_->cluster();
+
+  // It's possible that the cluster specified in the filter configuration no longer exists due to a
+  // CDS removal.
+  if (cm_.get(cluster) == nullptr) {
+    // TODO(dio): Add stats and tracing related to this.
+    ENVOY_LOG(debug, "ext_authz cluster '{}' does not exist", cluster);
+    callbacks_->onComplete(std::make_unique<Response>(errorResponse()));
+    callbacks_ = nullptr;
+  } else {
+    request_ = cm_.httpAsyncClientForCluster(cluster).send(
+        std::move(message), *this,
+        Http::AsyncClient::RequestOptions().setTimeout(config_->timeout()));
+  }
 }
 
 void RawHttpClientImpl::onSuccess(Http::MessagePtr&& message) {

diff --git a/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_http_impl_test.cc
@@ -16,6 +16,8 @@
 
 using testing::_;
 using testing::AllOf;
+using testing::Eq;
+using testing::InSequence;
 using testing::Invoke;
 using testing::Return;
 using testing::ReturnRef;
@@ -374,6 +376,18 @@ TEST_F(ExtAuthzHttpClientTest, CancelledAuthorizationRequest) {
   client_.cancel();
 }
 
+// Test the client when the configured cluster is missing/removed.
+TEST_F(ExtAuthzHttpClientTest, NoCluster) {
+  InSequence s;
+
+  EXPECT_CALL(cm_, get(Eq("ext_authz"))).WillOnce(Return(nullptr));
+  EXPECT_CALL(cm_, httpAsyncClientForCluster("ext_authz")).Times(0);
+  EXPECT_CALL(request_callbacks_,
+              onComplete_(WhenDynamicCastTo<ResponsePtr&>(AuthzErrorResponse(CheckStatus::Error))));
+  client_.check(request_callbacks_, envoy::service::auth::v2::CheckRequest{},
+                Tracing::NullSpan::instance());
+}
+
 } // namespace
 } // namespace ExtAuthz
 } // namespace Common