Skip to content

Commit

Permalink
Process auth CheckResponse
Browse files Browse the repository at this point in the history 
Signed-off-by: Adam Cattermole <[email protected]>
  • Loading branch information
@adam-cattermole
adam-cattermole committed Sep 20, 2024
1 parent a852236 commit 6675cab
Show file tree
Hide file tree
Showing 6 changed files with 77 additions and 68 deletions.
2 changes: 1 addition & 1 deletion src/envoy/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ pub use {
AttributeContext_Request,
},
base::Metadata,
external_auth::{CheckRequest, DeniedHttpResponse, OkHttpResponse},
external_auth::{CheckRequest, CheckResponse, CheckResponse_oneof_http_response},
ratelimit::{RateLimitDescriptor, RateLimitDescriptor_Entry},
rls::{RateLimitRequest, RateLimitResponse, RateLimitResponse_Code},
};
Expand Down
78 changes: 59 additions & 19 deletions src/filter/http_context.rs
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
use crate::configuration::{ExtensionType, FailureMode, FilterConfig};
use crate::envoy::{RateLimitResponse, RateLimitResponse_Code};
use crate::envoy::{CheckResponse_oneof_http_response, RateLimitResponse, RateLimitResponse_Code};
use crate::operation_dispatcher::OperationDispatcher;
use crate::policy::Policy;
use crate::service::grpc_message::GrpcMessageResponse;
Expand Down Expand Up @@ -45,14 +45,11 @@ impl Filter {
if let Some(operation) = self.operation_dispatcher.next() {
match operation.get_result() {
Ok(call_id) => {
debug!(
"#{} initiated gRPC call (id# {}) to Limitador",
self.context_id, call_id
);
debug!("#{} initiated gRPC call (id# {})", self.context_id, call_id);
Action::Pause
}
Err(e) => {
warn!("gRPC call to Limitador failed! {e:?}");
warn!("gRPC call failed! {e:?}");
if let FailureMode::Deny = operation.get_failure_mode() {
self.send_http_response(500, vec![], Some(b"Internal Server Error.\n"))
}
Expand Down Expand Up @@ -110,6 +107,52 @@ impl Filter {
}
self.operation_dispatcher.next();
}

fn process_auth_grpc_response(
&mut self,
auth_resp: GrpcMessageResponse,
failure_mode: &FailureMode,
) {
if let GrpcMessageResponse::Auth(check_response) = auth_resp {
match check_response.http_response {
Some(CheckResponse_oneof_http_response::ok_response(ok_response)) => {
debug!("Handling OkHttpResponse...");

ok_response
.get_response_headers_to_add()
.iter()
.for_each(|header| {
self.add_http_response_header(
header.get_header().get_key(),
header.get_header().get_value(),
)
});
}
Some(CheckResponse_oneof_http_response::denied_response(denied_response)) => {
debug!("Handling DeniedHttpResponse...");

let mut response_headers = vec![];
denied_response.get_headers().iter().for_each(|header| {
response_headers.push((
header.get_header().get_key(),
header.get_header().get_value(),
))
});
self.send_http_response(
denied_response.get_status().code as u32,
response_headers,
Some(denied_response.get_body().as_ref()),
);
return;
}
None => {
self.handle_error_on_grpc_response(failure_mode);
return;
}
}
}
self.operation_dispatcher.next();
}
}

impl HttpContext for Filter {
Expand Down Expand Up @@ -168,22 +211,19 @@ impl Context for Filter {
return;
}
};
let res = match GrpcMessageResponse::new(
operation.get_extension_type(),
&res_body_bytes,
status_code,
) {
Ok(res) => res,
Err(e) => {
warn!(
let res =
match GrpcMessageResponse::new(operation.get_extension_type(), &res_body_bytes) {
Ok(res) => res,
Err(e) => {
warn!(
"failed to parse grpc response body into GrpcMessageResponse message: {e}"
);
self.handle_error_on_grpc_response(failure_mode);
return;
}
};
self.handle_error_on_grpc_response(failure_mode);
return;
}
};
match operation.get_extension_type() {
ExtensionType::Auth => {} // TODO(didierofrivia): Process auth grpc response.
ExtensionType::Auth => self.process_auth_grpc_response(res, failure_mode),
ExtensionType::RateLimit => self.process_ratelimit_grpc_response(res, failure_mode),
}

Expand Down
22 changes: 2 additions & 20 deletions src/service/auth.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,27 +22,9 @@ impl AuthService {
AuthService::build_check_req(ce_host)
}

pub fn response_message(
res_body_bytes: &Bytes,
status_code: u32,
) -> GrpcMessageResult<GrpcMessageResponse> {
if status_code % 2 == 0 {
AuthService::response_message_ok(res_body_bytes)
} else {
AuthService::response_message_denied(res_body_bytes)
}
}

fn response_message_ok(res_body_bytes: &Bytes) -> GrpcMessageResult<GrpcMessageResponse> {
match Message::parse_from_bytes(res_body_bytes) {
Ok(res) => Ok(GrpcMessageResponse::AuthOk(res)),
Err(e) => Err(e),
}
}

fn response_message_denied(res_body_bytes: &Bytes) -> GrpcMessageResult<GrpcMessageResponse> {
pub fn response_message(res_body_bytes: &Bytes) -> GrpcMessageResult<GrpcMessageResponse> {
match Message::parse_from_bytes(res_body_bytes) {
Ok(res) => Ok(GrpcMessageResponse::AuthDenied(res)),
Ok(res) => Ok(GrpcMessageResponse::Auth(res)),
Err(e) => Err(e),
}
}
Expand Down
39 changes: 13 additions & 26 deletions src/service/grpc_message.rs
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
use crate::configuration::ExtensionType;
use crate::envoy::{
CheckRequest, DeniedHttpResponse, OkHttpResponse, RateLimitDescriptor, RateLimitRequest,
RateLimitResponse,
CheckRequest, CheckResponse, RateLimitDescriptor, RateLimitRequest, RateLimitResponse,
};
use crate::service::auth::AuthService;
use crate::service::rate_limit::RateLimitService;
Expand Down Expand Up @@ -143,8 +142,7 @@ impl GrpcMessageRequest {

#[derive(Clone, Debug)]
pub enum GrpcMessageResponse {
AuthOk(OkHttpResponse),
AuthDenied(DeniedHttpResponse),
Auth(CheckResponse),
RateLimit(RateLimitResponse),
}

Expand All @@ -163,80 +161,70 @@ impl Clear for GrpcMessageResponse {
impl Message for GrpcMessageResponse {
fn descriptor(&self) -> &'static MessageDescriptor {
match self {
GrpcMessageResponse::AuthOk(res) => res.descriptor(),
GrpcMessageResponse::AuthDenied(res) => res.descriptor(),
GrpcMessageResponse::Auth(res) => res.descriptor(),
GrpcMessageResponse::RateLimit(res) => res.descriptor(),
}
}

fn is_initialized(&self) -> bool {
match self {
GrpcMessageResponse::AuthOk(res) => res.is_initialized(),
GrpcMessageResponse::AuthDenied(res) => res.is_initialized(),
GrpcMessageResponse::Auth(res) => res.is_initialized(),
GrpcMessageResponse::RateLimit(res) => res.is_initialized(),
}
}

fn merge_from(&mut self, is: &mut CodedInputStream) -> ProtobufResult<()> {
match self {
GrpcMessageResponse::AuthOk(res) => res.merge_from(is),
GrpcMessageResponse::AuthDenied(res) => res.merge_from(is),
GrpcMessageResponse::Auth(res) => res.merge_from(is),
GrpcMessageResponse::RateLimit(res) => res.merge_from(is),
}
}

fn write_to_with_cached_sizes(&self, os: &mut CodedOutputStream) -> ProtobufResult<()> {
match self {
GrpcMessageResponse::AuthOk(res) => res.write_to_with_cached_sizes(os),
GrpcMessageResponse::AuthDenied(res) => res.write_to_with_cached_sizes(os),
GrpcMessageResponse::Auth(res) => res.write_to_with_cached_sizes(os),
GrpcMessageResponse::RateLimit(res) => res.write_to_with_cached_sizes(os),
}
}

fn write_to_bytes(&self) -> ProtobufResult<Vec<u8>> {
match self {
GrpcMessageResponse::AuthOk(res) => res.write_to_bytes(),
GrpcMessageResponse::AuthDenied(res) => res.write_to_bytes(),
GrpcMessageResponse::Auth(res) => res.write_to_bytes(),
GrpcMessageResponse::RateLimit(res) => res.write_to_bytes(),
}
}

fn compute_size(&self) -> u32 {
match self {
GrpcMessageResponse::AuthOk(res) => res.compute_size(),
GrpcMessageResponse::AuthDenied(res) => res.compute_size(),
GrpcMessageResponse::Auth(res) => res.compute_size(),
GrpcMessageResponse::RateLimit(res) => res.compute_size(),
}
}

fn get_cached_size(&self) -> u32 {
match self {
GrpcMessageResponse::AuthOk(res) => res.get_cached_size(),
GrpcMessageResponse::AuthDenied(res) => res.get_cached_size(),
GrpcMessageResponse::Auth(res) => res.get_cached_size(),
GrpcMessageResponse::RateLimit(res) => res.get_cached_size(),
}
}

fn get_unknown_fields(&self) -> &UnknownFields {
match self {
GrpcMessageResponse::AuthOk(res) => res.get_unknown_fields(),
GrpcMessageResponse::AuthDenied(res) => res.get_unknown_fields(),
GrpcMessageResponse::Auth(res) => res.get_unknown_fields(),
GrpcMessageResponse::RateLimit(res) => res.get_unknown_fields(),
}
}

fn mut_unknown_fields(&mut self) -> &mut UnknownFields {
match self {
GrpcMessageResponse::AuthOk(res) => res.mut_unknown_fields(),
GrpcMessageResponse::AuthDenied(res) => res.mut_unknown_fields(),
GrpcMessageResponse::Auth(res) => res.mut_unknown_fields(),
GrpcMessageResponse::RateLimit(res) => res.mut_unknown_fields(),
}
}

fn as_any(&self) -> &dyn Any {
match self {
GrpcMessageResponse::AuthOk(res) => res.as_any(),
GrpcMessageResponse::AuthDenied(res) => res.as_any(),
GrpcMessageResponse::Auth(res) => res.as_any(),
GrpcMessageResponse::RateLimit(res) => res.as_any(),
}
}
Expand All @@ -263,11 +251,10 @@ impl GrpcMessageResponse {
pub fn new(
extension_type: &ExtensionType,
res_body_bytes: &Bytes,
status_code: u32,
) -> GrpcMessageResult<GrpcMessageResponse> {
match extension_type {
ExtensionType::RateLimit => RateLimitService::response_message(res_body_bytes),
ExtensionType::Auth => AuthService::response_message(res_body_bytes, status_code),
ExtensionType::Auth => AuthService::response_message(res_body_bytes),
}
}
}
Expand Down
2 changes: 1 addition & 1 deletion utils/deploy/envoy-notls.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -150,7 +150,7 @@ data:
"policies": [
{
"name": "auth-ns-A/auth-name-A",
"domain": "auth-ns-A/auth-name-A",
"domain": "effective-route-1",
"hostnames": [
"*.a.auth.com"
],
Expand Down
2 changes: 1 addition & 1 deletion utils/deploy/envoy-tls.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@ data:
"policies": [
{
"name": "auth-ns-A/auth-name-A",
"domain": "auth-ns-A/auth-name-A",
"domain": "effective-route-1",
"hostnames": [
"*.a.auth.com"
],
Expand Down

0 comments on commit 6675cab

Please sign in to comment.