From 546ddbcbd427ba5ebf7156bfa708f5165719234d Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Mon, 21 May 2018 16:55:22 +0000 Subject: [PATCH 1/3] Update envoy sha to bb6762a058 --- WORKSPACE | 2 +- istio.deps | 2 +- src/envoy/alts/alts_socket_factory.cc | 4 +- src/envoy/alts/alts_socket_factory.h | 4 +- src/envoy/http/authn/http_filter.cc | 4 +- .../authn/http_filter_integration_test.cc | 40 ++++++++++--------- src/envoy/http/jwt_auth/http_filter.cc | 4 +- .../http_filter_integration_test.cc | 13 +++--- src/envoy/http/mixer/filter.cc | 4 +- 9 files changed, 40 insertions(+), 37 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index b864fa6513a..d2b14189fd8 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -38,7 +38,7 @@ git_repository( ) # When updating envoy sha manually please update the sha in istio.deps file also -ENVOY_SHA = "2b2c299144600fb9e525d21aabf39bf48e64fb1f" +ENVOY_SHA = "bb6762a058de653b4aebbe7901d455854482b07c" http_archive( name = "envoy", diff --git a/istio.deps b/istio.deps index 9287d5c106e..0a03d8ba76d 100644 --- a/istio.deps +++ b/istio.deps @@ -11,6 +11,6 @@ "name": "ENVOY_SHA", "repoName": "envoyproxy/envoy", "file": "WORKSPACE", - "lastStableSHA": "2b2c299144600fb9e525d21aabf39bf48e64fb1f" + "lastStableSHA": "bb6762a058de653b4aebbe7901d455854482b07c" } ] \ No newline at end of file diff --git a/src/envoy/alts/alts_socket_factory.cc b/src/envoy/alts/alts_socket_factory.cc index 824be574eea..a4e24ab43d8 100644 --- a/src/envoy/alts/alts_socket_factory.cc +++ b/src/envoy/alts/alts_socket_factory.cc 
@@ -107,8 +107,8 @@ UpstreamAltsTransportSocketConfigFactory::createTransportSocketFactory( Network::TransportSocketFactoryPtr DownstreamAltsTransportSocketConfigFactory::createTransportSocketFactory( - const std::string &, const std::vector &, bool, - const Protobuf::Message &message, TransportSocketFactoryContext &) { + const Protobuf::Message &message, TransportSocketFactoryContext &, + const std::vector &) { auto config = MessageUtil::downcastAndValidate( message); diff --git a/src/envoy/alts/alts_socket_factory.h b/src/envoy/alts/alts_socket_factory.h index 85f3004bdc6..797f5d87787 100644 --- a/src/envoy/alts/alts_socket_factory.h +++ b/src/envoy/alts/alts_socket_factory.h @@ -39,8 +39,8 @@ class DownstreamAltsTransportSocketConfigFactory public DownstreamTransportSocketConfigFactory { public: Network::TransportSocketFactoryPtr createTransportSocketFactory( - const std::string &, const std::vector &, bool, - const Protobuf::Message &, TransportSocketFactoryContext &) override; + const Protobuf::Message &, TransportSocketFactoryContext &, + const std::vector &) override; }; } // namespace Configuration } // namespace Server diff --git a/src/envoy/http/authn/http_filter.cc b/src/envoy/http/authn/http_filter.cc index e8fe41be1d2..2767ad39baf 100644 --- a/src/envoy/http/authn/http_filter.cc +++ b/src/envoy/http/authn/http_filter.cc @@ -114,8 +114,8 @@ void AuthenticationFilter::rejectRequest(const std::string& message) { return; } state_ = State::REJECTED; - Utility::sendLocalReply(*decoder_callbacks_, false, Http::Code::Unauthorized, - message); + decoder_callbacks_->sendLocalReply(Http::Code::Unauthorized, message, + nullptr); } std::unique_ptr diff --git a/src/envoy/http/authn/http_filter_integration_test.cc b/src/envoy/http/authn/http_filter_integration_test.cc index 5690ef7766c..a86759265c7 100644 --- a/src/envoy/http/authn/http_filter_integration_test.cc +++ b/src/envoy/http/authn/http_filter_integration_test.cc 
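Review bot: In the `rejectRequest` hunk of src/envoy/http/authn/http_filter.cc, the migrated call still sends `message` verbatim as the body of the 401, so whatever text the callers build goes to a peer that has just failed authentication. The same pattern is kept in the `JwtVerificationFilter::onDone` hunk, whose context comment says the failure reason is returned as the message body via `JwtAuth::StatusToString(status)`, and in the mixer `Filter::completeCheck` hunk, which returns `status.ToString()`. If that detail is meant for operators rather than clients, log it and reply with a fixed string. Otherwise document the contract at the call, for example `// message is returned verbatim to the unauthenticated caller; keep it free of policy and peer detail`. The start of `rejectRequest` and its callers are outside the hunk, so what `message` actually contains cannot be confirmed from here.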
@@ -62,16 +62,17 @@ TEST_P(AuthenticationFilterIntegrationTest, EmptyPolicy) { createTestServer("src/envoy/http/authn/testdata/envoy_empty.conf", {"http"}); codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); - codec_client_->makeHeaderOnlyRequest(default_request_headers_, *response_); + auto response = + codec_client_->makeHeaderOnlyRequest(default_request_headers_); // Wait for request to upstream[0] (backend) waitForNextUpstreamRequest(0); // Send backend response. upstream_request_->encodeHeaders(Http::TestHeaderMapImpl{{":status", "200"}}, true); - response_->waitForEndStream(); - EXPECT_TRUE(response_->complete()); - EXPECT_STREQ("200", response_->headers().Status()->value().c_str()); + response->waitForEndStream(); + EXPECT_TRUE(response->complete()); + EXPECT_STREQ("200", response->headers().Status()->value().c_str()); } TEST_P(AuthenticationFilterIntegrationTest, SourceMTlsFail) { @@ -82,13 +83,14 @@ TEST_P(AuthenticationFilterIntegrationTest, SourceMTlsFail) { // would be rejected. codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); - codec_client_->makeHeaderOnlyRequest(default_request_headers_, *response_); + auto response = + codec_client_->makeHeaderOnlyRequest(default_request_headers_); // Request is rejected, there will be no upstream request (thus no // waitForNextUpstreamRequest). - response_->waitForEndStream(); - EXPECT_TRUE(response_->complete()); - EXPECT_STREQ("401", response_->headers().Status()->value().c_str()); + response->waitForEndStream(); + EXPECT_TRUE(response->complete()); + EXPECT_STREQ("401", response->headers().Status()->value().c_str()); } // TODO (diemtvu/lei-tang): add test for MTls success. 
@@ -102,13 +104,14 @@ TEST_P(AuthenticationFilterIntegrationTest, OriginJwtRequiredHeaderNoJwtFail) { // would be rejected. codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); - codec_client_->makeHeaderOnlyRequest(default_request_headers_, *response_); + auto response = + codec_client_->makeHeaderOnlyRequest(default_request_headers_); // Request is rejected, there will be no upstream request (thus no // waitForNextUpstreamRequest). - response_->waitForEndStream(); - EXPECT_TRUE(response_->complete()); - EXPECT_STREQ("401", response_->headers().Status()->value().c_str()); + response->waitForEndStream(); + EXPECT_TRUE(response->complete()); + EXPECT_STREQ("401", response->headers().Status()->value().c_str()); } TEST_P(AuthenticationFilterIntegrationTest, CheckValidJwtPassAuthentication) { @@ -120,7 +123,8 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckValidJwtPassAuthentication) { // the authentication should succeed. codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); - codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_, *response_); + auto response = + codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_); // Wait for request to upstream[0] (backend) waitForNextUpstreamRequest(0); @@ -128,9 +132,9 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckValidJwtPassAuthentication) { upstream_request_->encodeHeaders(Http::TestHeaderMapImpl{{":status", "200"}}, true); - response_->waitForEndStream(); - EXPECT_TRUE(response_->complete()); - EXPECT_STREQ("200", response_->headers().Status()->value().c_str()); + response->waitForEndStream(); + EXPECT_TRUE(response->complete()); + EXPECT_STREQ("200", response->headers().Status()->value().c_str()); } TEST_P(AuthenticationFilterIntegrationTest, CheckConsumedJwtHeadersAreRemoved) { 
@@ -165,7 +169,7 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckConsumedJwtHeadersAreRemoved) { codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); codec_client_->makeHeaderOnlyRequest( - request_headers_with_jwt_at_specified_location, *response_); + request_headers_with_jwt_at_specified_location); // Wait for request to upstream[0] (backend) waitForNextUpstreamRequest(0); @@ -185,7 +189,7 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckAuthnResultIsExpected) { // should be generated. codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); - codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_, *response_); + codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_); // Wait for request to upstream[0] (backend) waitForNextUpstreamRequest(0); diff --git a/src/envoy/http/jwt_auth/http_filter.cc b/src/envoy/http/jwt_auth/http_filter.cc index f964f93cda5..1b7c35b621a 100644 --- a/src/envoy/http/jwt_auth/http_filter.cc +++ b/src/envoy/http/jwt_auth/http_filter.cc @@ -70,8 +70,8 @@ void JwtVerificationFilter::onDone(const JwtAuth::Status& status) { // verification failed Code code = Code(401); // Unauthorized // return failure reason as message body - Utility::sendLocalReply(*decoder_callbacks_, false, code, - JwtAuth::StatusToString(status)); + decoder_callbacks_->sendLocalReply(code, JwtAuth::StatusToString(status), + nullptr); return; } diff --git a/src/envoy/http/jwt_auth/integration_test/http_filter_integration_test.cc b/src/envoy/http/jwt_auth/integration_test/http_filter_integration_test.cc index 5d53ba3cff3..d606ee1b9c5 100644 --- a/src/envoy/http/jwt_auth/integration_test/http_filter_integration_test.cc +++ b/src/envoy/http/jwt_auth/integration_test/http_filter_integration_test.cc 
@@ -116,8 +116,7 @@ class JwtVerificationFilterIntegrationTest IntegrationCodecClientPtr codec_client; FakeHttpConnectionPtr fake_upstream_connection_issuer; FakeHttpConnectionPtr fake_upstream_connection_backend; - IntegrationStreamDecoderPtr response( - new IntegrationStreamDecoder(*dispatcher_)); + IntegrationStreamDecoderPtr response; FakeStreamPtr request_stream_issuer; FakeStreamPtr request_stream_backend; @@ -125,12 +124,12 @@ class JwtVerificationFilterIntegrationTest // Send a request to Envoy. if (!request_body.empty()) { - Http::StreamEncoder& encoder = - codec_client->startRequest(request_headers, *response); + auto encoder_decoder = codec_client->startRequest(request_headers); Buffer::OwnedImpl body(request_body); - codec_client->sendData(encoder, body, true); + codec_client->sendData(encoder_decoder.first, body, true); + response = std::move(encoder_decoder.second); } else { - codec_client->makeHeaderOnlyRequest(request_headers, *response); + response = codec_client->makeHeaderOnlyRequest(request_headers); } // Empty issuer_response_body indicates issuer will not be called. @@ -372,7 +371,7 @@ TEST_P(JwtVerificationFilterIntegrationTestWithInjectedJwtResult, FakeStreamPtr request_stream_backend; codec_client = makeHttpConnection(lookupPort("http")); // Send a request to Envoy. - codec_client->makeHeaderOnlyRequest(headers, *response); + response = codec_client->makeHeaderOnlyRequest(headers); fake_upstream_connection_backend = fake_upstreams_[0]->waitForHttpConnection(*dispatcher_); request_stream_backend = diff --git a/src/envoy/http/mixer/filter.cc b/src/envoy/http/mixer/filter.cc index 597ec5af51c..35dd2a09d0a 100644 --- a/src/envoy/http/mixer/filter.cc +++ b/src/envoy/http/mixer/filter.cc 
@@ -186,8 +186,8 @@ void Filter::completeCheck(const Status& status) { if (!status.ok() && state_ != Responded) { state_ = Responded; int status_code = ::istio::utils::StatusHttpCode(status.error_code()); - Utility::sendLocalReply(*decoder_callbacks_, false, Code(status_code), - status.ToString()); + decoder_callbacks_->sendLocalReply(Code(status_code), status.ToString(), + nullptr); return; } From bf5f3c62af262c731e17919e231b99ecc1982dae Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Mon, 21 May 2018 21:39:31 +0000 Subject: [PATCH 2/3] update envoy sha to 12c470e666d23f1cedaea92cdae6c747d6081dfe --- WORKSPACE | 2 +- istio.deps | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/WORKSPACE b/WORKSPACE index d2b14189fd8..6c349d8d3be 100644 --- a/WORKSPACE +++ b/WORKSPACE @@ -38,7 +38,7 @@ git_repository( ) # When updating envoy sha manually please update the sha in istio.deps file also -ENVOY_SHA = "bb6762a058de653b4aebbe7901d455854482b07c" +ENVOY_SHA = "12c470e666d23f1cedaea92cdae6c747d6081dfe" http_archive( name = "envoy", diff --git a/istio.deps b/istio.deps index 0a03d8ba76d..4e6f2307fb1 100644 --- a/istio.deps +++ b/istio.deps @@ -11,6 +11,6 @@ "name": "ENVOY_SHA", "repoName": "envoyproxy/envoy", "file": "WORKSPACE", - "lastStableSHA": "bb6762a058de653b4aebbe7901d455854482b07c" + "lastStableSHA": "12c470e666d23f1cedaea92cdae6c747d6081dfe" } ] \ No newline at end of file From 39099b3fd018a68402ab0e69fb96836f11b724be Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Mon, 21 May 2018 21:38:20 +0000 Subject: [PATCH 3/3] fix authn/integration tasn issue --- src/envoy/http/authn/http_filter_integration_test.cc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/envoy/http/authn/http_filter_integration_test.cc b/src/envoy/http/authn/http_filter_integration_test.cc index a86759265c7..6bcd32445a1 100644 --- a/src/envoy/http/authn/http_filter_integration_test.cc +++ b/src/envoy/http/authn/http_filter_integration_test.cc 
@@ -168,11 +168,12 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckConsumedJwtHeadersAreRemoved) { // should be generated. codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); - codec_client_->makeHeaderOnlyRequest( + auto response = codec_client_->makeHeaderOnlyRequest( request_headers_with_jwt_at_specified_location); // Wait for request to upstream[0] (backend) waitForNextUpstreamRequest(0); + response->waitForEndStream(); // After Istio authn, the JWT headers consumed by Istio authn should have // been removed. @@ -189,10 +190,12 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckAuthnResultIsExpected) { // should be generated. codec_client_ = makeHttpConnection(makeClientConnection((lookupPort("http")))); - codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_); + auto response = + codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_); // Wait for request to upstream[0] (backend) waitForNextUpstreamRequest(0); + response->waitForEndStream(); // Authn result should be as expected const Envoy::Http::HeaderString &header_value =
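Review bot: The added `response->waitForEndStream();` in CheckConsumedJwtHeadersAreRemoved comes straight after `waitForNextUpstreamRequest(0);`, and the hunk shows no upstream reply in between. The earlier tests in this file (EmptyPolicy, CheckValidJwtPassAuthentication) call `upstream_request_->encodeHeaders(...)` before they wait. As far as the hunk shows, nothing completes the downstream stream, so the wait may only return on a timeout or connection teardown. The second hunk (CheckAuthnResultIsExpected) has the same ordering. Consider adding `upstream_request_->encodeHeaders(Http::TestHeaderMapImpl{{":status", "200"}}, true);` before the wait and `EXPECT_TRUE(response->complete());` after it. Both test bodies continue outside their hunks, so a reply sent elsewhere cannot be ruled out.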