From 21ad3df292a7e756da0492d2d7aed39ad95f29f0 Mon Sep 17 00:00:00 2001 From: Quanjie Lin Date: Fri, 27 Apr 2018 18:23:09 -0700 Subject: [PATCH 1/2] ignore verfication if peer/origin optional fields are set --- src/envoy/http/authn/http_filter.cc | 4 +++- src/envoy/http/authn/http_filter_test.cc | 28 ++++++++++++++++++++---- 2 files changed, 27 insertions(+), 5 deletions(-) diff --git a/src/envoy/http/authn/http_filter.cc b/src/envoy/http/authn/http_filter.cc index 75e172ef87b..e8fe41be1d2 100644 --- a/src/envoy/http/authn/http_filter.cc +++ b/src/envoy/http/authn/http_filter.cc @@ -51,12 +51,14 @@ FilterHeadersStatus AuthenticationFilter::decodeHeaders(HeaderMap& headers, Payload payload; - if (!createPeerAuthenticator(filter_context_.get())->run(&payload)) { + if (!filter_config_.policy().peer_is_optional() && + !createPeerAuthenticator(filter_context_.get())->run(&payload)) { rejectRequest("Peer authentication failed."); return FilterHeadersStatus::StopIteration; } bool success = + filter_config_.policy().origin_is_optional() || createOriginAuthenticator(filter_context_.get())->run(&payload); // After Istio authn, the JWT headers consumed by Istio authn should be diff --git a/src/envoy/http/authn/http_filter_test.cc b/src/envoy/http/authn/http_filter_test.cc index 0c82a5e6959..89fab92b200 100644 --- a/src/envoy/http/authn/http_filter_test.cc +++ b/src/envoy/http/authn/http_filter_test.cc @@ -35,12 +35,19 @@ using testing::NiceMock; using testing::StrictMock; using testing::_; +namespace iaapi = istio::authentication::v1alpha1; + namespace Envoy { namespace Http { namespace Istio { namespace AuthN { namespace { +const char ingoreBothPolicy[] = R"( + peer_is_optional: true + origin_is_optional: true +)"; + // Create a fake authenticator for test. This authenticator do nothing except // making the authentication fail. std::unique_ptr createAlwaysFailAuthenticator( 
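Review bot: Both new conditions in decodeHeaders short-circuit before the authenticator is created, so with `peer_is_optional` or `origin_is_optional` set the matching `run(&payload)` never executes and `payload` carries no identity for that side, even when the client presented a valid certificate or JWT. If "optional" is meant as "do not reject on failure" rather than "do not authenticate", run the authenticator first and consult the flag only on failure: `if (!createPeerAuthenticator(filter_context_.get())->run(&payload) && !filter_config_.policy().peer_is_optional()) {` and `createOriginAuthenticator(filter_context_.get())->run(&payload) || filter_config_.policy().origin_is_optional();`. The trailing comment says the JWT headers consumed by authn are removed afterwards, but that code is outside the hunk, so confirm that a token which was never verified is not forwarded upstream as if it had been checked. A debug log on each bypass would also make it visible in operation that a request passed without verification.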
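Review bot: The constant name `ingoreBothPolicy` in http_filter_test.cc is misspelled; `ignoreBothPolicy` reads correctly and lines up with the IgnoreBothFail test that uses it in a later hunk. A one-line comment above it, such as `// Policy that marks both peer and origin authentication as optional.`, would say why the text proto sets both flags.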
@@ -74,8 +81,9 @@ class MockAuthenticationFilter : public AuthenticationFilter { public: // We'll use fake authenticator for test, so policy is not really needed. Use // default config for simplicity. - MockAuthenticationFilter() - : AuthenticationFilter(FilterConfig::default_instance()) {} + MockAuthenticationFilter(const FilterConfig& filter_config) + : AuthenticationFilter(filter_config) {} + ~MockAuthenticationFilter(){}; MOCK_METHOD1(createPeerAuthenticator, @@ -95,9 +103,12 @@ class AuthenticationFilterTest : public testing::Test { } protected: - StrictMock filter_; - NiceMock decoder_callbacks_; + FilterConfig filter_config_ = FilterConfig::default_instance(); + iaapi::Policy policy_; + Http::TestHeaderMapImpl request_headers_; + StrictMock filter_{filter_config_}; + NiceMock decoder_callbacks_; }; TEST_F(AuthenticationFilterTest, PeerFail) { @@ -151,6 +162,15 @@ TEST_F(AuthenticationFilterTest, AllPass) { TestUtilities::AuthNResultFromString(R"(peer_user: "foo")"), authn)); } +TEST_F(AuthenticationFilterTest, IgnoreBothFail) { + ASSERT_TRUE( + Protobuf::TextFormat::ParseFromString(ingoreBothPolicy, &policy_)); + filter_config_.set_allocated_policy(&policy_); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, + filter_.decodeHeaders(request_headers_, true)); + filter_config_.clear_policy(); +} + } // namespace } // namespace AuthN } // namespace Istio From 58c6507f26f1e365c922eed84bb9fae8f903ad64 Mon Sep 17 00:00:00 2001 From: Quanjie Lin Date: Mon, 30 Apr 2018 18:36:02 -0700 Subject: [PATCH 2/2] get rid of set_allocated_policy --- src/envoy/http/authn/http_filter_test.cc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/envoy/http/authn/http_filter_test.cc b/src/envoy/http/authn/http_filter_test.cc index 89fab92b200..79b39d7e76a 100644 --- a/src/envoy/http/authn/http_filter_test.cc +++ b/src/envoy/http/authn/http_filter_test.cc 
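Review bot: The comment kept above the MockAuthenticationFilter constructor still says the policy is not needed and that the default config is used, which no longer holds now that the caller passes the config in. It could read `// The fixture supplies the config so individual tests can set policy fields.`. The constructor is also a single-argument converting constructor; `explicit MockAuthenticationFilter(const FilterConfig& filter_config)` rules out accidental implicit conversions. The class body continues outside the hunk.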
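Review bot: In the fixture, `filter_{filter_config_}` is only well-formed because `filter_config_` is now declared above it, and nothing in the code records that dependency. The IgnoreBothFail test changes `filter_config_` after `filter_` has been built and expects the filter to observe it, which suggests the filter keeps a reference rather than a copy (the AuthenticationFilter constructor is not visible here). A comment on the member, `// Declared before filter_: the filter is constructed from, and presumably refers to, this config.`, would stop a later reorder from handing the filter an uninitialized object.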
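Review bot: IgnoreBothFail covers only the case where both flags are set, and it passes because the StrictMock would fail on any call to createPeerAuthenticator or createOriginAuthenticator, so "no authenticator runs" is asserted only implicitly. Because these flags turn off request rejection, the suite should also have a case with only `peer_is_optional: true` and one with only `origin_is_optional: true`, each installing the always-fail authenticator for the other side and expecting the same outcome as the existing failure tests, so that one flag cannot silently relax the other check. The test name also suggests that something fails, while the expectation is `Continue`.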
@@ -104,7 +104,6 @@ class AuthenticationFilterTest : public testing::Test { protected: FilterConfig filter_config_ = FilterConfig::default_instance(); - iaapi::Policy policy_; Http::TestHeaderMapImpl request_headers_; StrictMock filter_{filter_config_}; @@ -163,12 +162,12 @@ TEST_F(AuthenticationFilterTest, AllPass) { } TEST_F(AuthenticationFilterTest, IgnoreBothFail) { + iaapi::Policy policy_; ASSERT_TRUE( Protobuf::TextFormat::ParseFromString(ingoreBothPolicy, &policy_)); - filter_config_.set_allocated_policy(&policy_); + *filter_config_.mutable_policy() = policy_; EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_.decodeHeaders(request_headers_, true)); - filter_config_.clear_policy(); } } // namespace
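Review bot: In IgnoreBothFail the new local `policy_` keeps the trailing underscore of the fixture member it replaces, and the parsed message is then copied into the config. Parsing straight into the field removes both the misleading name and the copy: `ASSERT_TRUE(Protobuf::TextFormat::ParseFromString(ingoreBothPolicy, filter_config_.mutable_policy()));`. If the local is kept, `policy` is the conventional name for a non-member.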