From 6675cab8834a4d0acb3beb136431e543b30c8649 Mon Sep 17 00:00:00 2001 From: Adam Cattermole Date: Fri, 20 Sep 2024 10:56:53 +0100 Subject: [PATCH] Process auth CheckResponse Signed-off-by: Adam Cattermole --- src/envoy/mod.rs | 2 +- src/filter/http_context.rs | 78 ++++++++++++++++++++++++++--------- src/service/auth.rs | 22 +--------- src/service/grpc_message.rs | 39 ++++++------------ utils/deploy/envoy-notls.yaml | 2 +- utils/deploy/envoy-tls.yaml | 2 +- 6 files changed, 77 insertions(+), 68 deletions(-) diff --git a/src/envoy/mod.rs b/src/envoy/mod.rs index 6195cfae..60810273 100644 --- a/src/envoy/mod.rs +++ b/src/envoy/mod.rs @@ -37,7 +37,7 @@ pub use { AttributeContext_Request, }, base::Metadata, - external_auth::{CheckRequest, DeniedHttpResponse, OkHttpResponse}, + external_auth::{CheckRequest, CheckResponse, CheckResponse_oneof_http_response}, ratelimit::{RateLimitDescriptor, RateLimitDescriptor_Entry}, rls::{RateLimitRequest, RateLimitResponse, RateLimitResponse_Code}, }; diff --git a/src/filter/http_context.rs b/src/filter/http_context.rs index fe4832a2..a658b8b0 100644 --- a/src/filter/http_context.rs +++ b/src/filter/http_context.rs @@ -1,5 +1,5 @@ use crate::configuration::{ExtensionType, FailureMode, FilterConfig}; -use crate::envoy::{RateLimitResponse, RateLimitResponse_Code}; +use crate::envoy::{CheckResponse_oneof_http_response, RateLimitResponse, RateLimitResponse_Code}; use crate::operation_dispatcher::OperationDispatcher; use crate::policy::Policy; use crate::service::grpc_message::GrpcMessageResponse; @@ -45,14 +45,11 @@ impl Filter { if let Some(operation) = self.operation_dispatcher.next() { match operation.get_result() { Ok(call_id) => { - debug!( - "#{} initiated gRPC call (id# {}) to Limitador", - self.context_id, call_id - ); + debug!("#{} initiated gRPC call (id# {})", self.context_id, call_id); Action::Pause } Err(e) => { - warn!("gRPC call to Limitador failed! {e:?}"); + warn!("gRPC call failed! {e:?}"); if let FailureMode::Deny = operation.get_failure_mode() { self.send_http_response(500, vec![], Some(b"Internal Server Error.\n")) } @@ -110,6 +107,52 @@ impl Filter { } self.operation_dispatcher.next(); } + + fn process_auth_grpc_response( + &mut self, + auth_resp: GrpcMessageResponse, + failure_mode: &FailureMode, + ) { + if let GrpcMessageResponse::Auth(check_response) = auth_resp { + match check_response.http_response { + Some(CheckResponse_oneof_http_response::ok_response(ok_response)) => { + debug!("Handling OkHttpResponse..."); + + ok_response + .get_response_headers_to_add() + .iter() + .for_each(|header| { + self.add_http_response_header( + header.get_header().get_key(), + header.get_header().get_value(), + ) + }); + } + Some(CheckResponse_oneof_http_response::denied_response(denied_response)) => { + debug!("Handling DeniedHttpResponse..."); + + let mut response_headers = vec![]; + denied_response.get_headers().iter().for_each(|header| { + response_headers.push(( + header.get_header().get_key(), + header.get_header().get_value(), + )) + }); + self.send_http_response( + denied_response.get_status().code as u32, + response_headers, + Some(denied_response.get_body().as_ref()), + ); + return; + } + None => { + self.handle_error_on_grpc_response(failure_mode); + return; + } + } + } + self.operation_dispatcher.next(); + } } impl HttpContext for Filter { @@ -168,22 +211,19 @@ impl Context for Filter { return; } }; - let res = match GrpcMessageResponse::new( - operation.get_extension_type(), - &res_body_bytes, - status_code, - ) { - Ok(res) => res, - Err(e) => { - warn!( + let res = + match GrpcMessageResponse::new(operation.get_extension_type(), &res_body_bytes) { + Ok(res) => res, + Err(e) => { + warn!( "failed to parse grpc response body into GrpcMessageResponse message: {e}" ); - self.handle_error_on_grpc_response(failure_mode); - return; - } - }; + self.handle_error_on_grpc_response(failure_mode); + return; + } + }; match operation.get_extension_type() { - ExtensionType::Auth => {} // TODO(didierofrivia): Process auth grpc response. + ExtensionType::Auth => self.process_auth_grpc_response(res, failure_mode), ExtensionType::RateLimit => self.process_ratelimit_grpc_response(res, failure_mode), } diff --git a/src/service/auth.rs b/src/service/auth.rs index ece695cb..b2261ac1 100644 --- a/src/service/auth.rs +++ b/src/service/auth.rs @@ -22,27 +22,9 @@ impl AuthService { AuthService::build_check_req(ce_host) } - pub fn response_message( - res_body_bytes: &Bytes, - status_code: u32, - ) -> GrpcMessageResult { - if status_code % 2 == 0 { - AuthService::response_message_ok(res_body_bytes) - } else { - AuthService::response_message_denied(res_body_bytes) - } - } - - fn response_message_ok(res_body_bytes: &Bytes) -> GrpcMessageResult { - match Message::parse_from_bytes(res_body_bytes) { - Ok(res) => Ok(GrpcMessageResponse::AuthOk(res)), - Err(e) => Err(e), - } - } - - fn response_message_denied(res_body_bytes: &Bytes) -> GrpcMessageResult { + pub fn response_message(res_body_bytes: &Bytes) -> GrpcMessageResult { match Message::parse_from_bytes(res_body_bytes) { - Ok(res) => Ok(GrpcMessageResponse::AuthDenied(res)), + Ok(res) => Ok(GrpcMessageResponse::Auth(res)), Err(e) => Err(e), } } diff --git a/src/service/grpc_message.rs b/src/service/grpc_message.rs index 0a6f514f..6396c5f5 100644 --- a/src/service/grpc_message.rs +++ b/src/service/grpc_message.rs @@ -1,7 +1,6 @@ use crate::configuration::ExtensionType; use crate::envoy::{ - CheckRequest, DeniedHttpResponse, OkHttpResponse, RateLimitDescriptor, RateLimitRequest, - RateLimitResponse, + CheckRequest, CheckResponse, RateLimitDescriptor, RateLimitRequest, RateLimitResponse, }; use crate::service::auth::AuthService; use crate::service::rate_limit::RateLimitService; @@ -143,8 +142,7 @@ impl GrpcMessageRequest { #[derive(Clone, Debug)] pub enum GrpcMessageResponse { - AuthOk(OkHttpResponse), - AuthDenied(DeniedHttpResponse), + Auth(CheckResponse), RateLimit(RateLimitResponse), } @@ -163,80 +161,70 @@ impl Clear for GrpcMessageResponse { impl Message for GrpcMessageResponse { fn descriptor(&self) -> &'static MessageDescriptor { match self { - GrpcMessageResponse::AuthOk(res) => res.descriptor(), - GrpcMessageResponse::AuthDenied(res) => res.descriptor(), + GrpcMessageResponse::Auth(res) => res.descriptor(), GrpcMessageResponse::RateLimit(res) => res.descriptor(), } } fn is_initialized(&self) -> bool { match self { - GrpcMessageResponse::AuthOk(res) => res.is_initialized(), - GrpcMessageResponse::AuthDenied(res) => res.is_initialized(), + GrpcMessageResponse::Auth(res) => res.is_initialized(), GrpcMessageResponse::RateLimit(res) => res.is_initialized(), } } fn merge_from(&mut self, is: &mut CodedInputStream) -> ProtobufResult<()> { match self { - GrpcMessageResponse::AuthOk(res) => res.merge_from(is), - GrpcMessageResponse::AuthDenied(res) => res.merge_from(is), + GrpcMessageResponse::Auth(res) => res.merge_from(is), GrpcMessageResponse::RateLimit(res) => res.merge_from(is), } } fn write_to_with_cached_sizes(&self, os: &mut CodedOutputStream) -> ProtobufResult<()> { match self { - GrpcMessageResponse::AuthOk(res) => res.write_to_with_cached_sizes(os), - GrpcMessageResponse::AuthDenied(res) => res.write_to_with_cached_sizes(os), + GrpcMessageResponse::Auth(res) => res.write_to_with_cached_sizes(os), GrpcMessageResponse::RateLimit(res) => res.write_to_with_cached_sizes(os), } } fn write_to_bytes(&self) -> ProtobufResult> { match self { - GrpcMessageResponse::AuthOk(res) => res.write_to_bytes(), - GrpcMessageResponse::AuthDenied(res) => res.write_to_bytes(), + GrpcMessageResponse::Auth(res) => res.write_to_bytes(), GrpcMessageResponse::RateLimit(res) => res.write_to_bytes(), } } fn compute_size(&self) -> u32 { match self { - GrpcMessageResponse::AuthOk(res) => res.compute_size(), - GrpcMessageResponse::AuthDenied(res) => res.compute_size(), + GrpcMessageResponse::Auth(res) => res.compute_size(), GrpcMessageResponse::RateLimit(res) => res.compute_size(), } } fn get_cached_size(&self) -> u32 { match self { - GrpcMessageResponse::AuthOk(res) => res.get_cached_size(), - GrpcMessageResponse::AuthDenied(res) => res.get_cached_size(), + GrpcMessageResponse::Auth(res) => res.get_cached_size(), GrpcMessageResponse::RateLimit(res) => res.get_cached_size(), } } fn get_unknown_fields(&self) -> &UnknownFields { match self { - GrpcMessageResponse::AuthOk(res) => res.get_unknown_fields(), - GrpcMessageResponse::AuthDenied(res) => res.get_unknown_fields(), + GrpcMessageResponse::Auth(res) => res.get_unknown_fields(), GrpcMessageResponse::RateLimit(res) => res.get_unknown_fields(), } } fn mut_unknown_fields(&mut self) -> &mut UnknownFields { match self { - GrpcMessageResponse::AuthOk(res) => res.mut_unknown_fields(), - GrpcMessageResponse::AuthDenied(res) => res.mut_unknown_fields(), + GrpcMessageResponse::Auth(res) => res.mut_unknown_fields(), GrpcMessageResponse::RateLimit(res) => res.mut_unknown_fields(), } } fn as_any(&self) -> &dyn Any { match self { - GrpcMessageResponse::AuthOk(res) => res.as_any(), - GrpcMessageResponse::AuthDenied(res) => res.as_any(), + GrpcMessageResponse::Auth(res) => res.as_any(), GrpcMessageResponse::RateLimit(res) => res.as_any(), } } @@ -263,11 +251,10 @@ impl GrpcMessageResponse { pub fn new( extension_type: &ExtensionType, res_body_bytes: &Bytes, - status_code: u32, ) -> GrpcMessageResult { match extension_type { ExtensionType::RateLimit => RateLimitService::response_message(res_body_bytes), - ExtensionType::Auth => AuthService::response_message(res_body_bytes, status_code), + ExtensionType::Auth => AuthService::response_message(res_body_bytes), } } } diff --git a/utils/deploy/envoy-notls.yaml b/utils/deploy/envoy-notls.yaml index e3f8146c..6c4cc277 100644 --- a/utils/deploy/envoy-notls.yaml +++ b/utils/deploy/envoy-notls.yaml @@ -150,7 +150,7 @@ data: "policies": [ { "name": "auth-ns-A/auth-name-A", - "domain": "auth-ns-A/auth-name-A", + "domain": "effective-route-1", "hostnames": [ "*.a.auth.com" ], diff --git a/utils/deploy/envoy-tls.yaml b/utils/deploy/envoy-tls.yaml index dbdd4500..faba5e26 100644 --- a/utils/deploy/envoy-tls.yaml +++ b/utils/deploy/envoy-tls.yaml @@ -159,7 +159,7 @@ data: "policies": [ { "name": "auth-ns-A/auth-name-A", - "domain": "auth-ns-A/auth-name-A", + "domain": "effective-route-1", "hostnames": [ "*.a.auth.com" ],