From 1a64a5f89196faee3d7c5ada499ec08b6ce1cb83 Mon Sep 17 00:00:00 2001
From: kozjan <138656232+kozjan@users.noreply.github.com>
Date: Thu, 25 Jul 2024 14:45:46 +0200
Subject: [PATCH] fix jwt impacting lds cache (#425)

* fix jwt impacting lds cache

* update CHANGELOG.md
---
 CHANGELOG.md | 3 +-
 .../listeners/filters/JwtFilterFactory.kt | 56 +++++++++++--------
 2 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c8a0576c3..cb20163d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,7 +4,8 @@ Lists all changes with user impact.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 ## [0.20.17]
-### Changed
+### Fixed
+- Fix JWT provider configuration to not impact lds cache
 - Add missing methods in lua scripts to remove logs about it
 ## [0.20.16]
diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
index f91f28e19..d2cd273ce 100644
--- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
+++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
@@ -25,20 +25,20 @@ class JwtFilterFactory(
     private val properties: JwtFilterProperties
 ) {
-    private val jwtProviderBuilders: Map = getJwtProviderBuilders()
+    private val jwtProviders: Map = getJwtProviders(failedStatusInMetadataEnabled = false)
+    private val jwtProvidersWithJwtStatusMetadata: Map =
+        getJwtProviders(failedStatusInMetadataEnabled = true)
     private val clientToOAuthProviderName: Map =
         properties.providers.entries.flatMap { (providerName, provider) ->
             provider.matchings.keys.map { client -> client to providerName }
         }.toMap()
     fun createJwtFilter(group: Group): HttpFilter? {
-        val configuredJwtProviders =
+        val selectedJwtProviders =
             if (group.listenersConfig?.addJwtFailureStatus != false && properties.failedStatusInMetadataEnabled) {
-                jwtProviderBuilders.mapValues {
-                    it.value.setFailedStatusInMetadata(properties.failedStatusInMetadata).build()
-                }
+                jwtProvidersWithJwtStatusMetadata
             } else {
-                jwtProviderBuilders.mapValues { it.value.clearFailedStatusInMetadata().build() }
+                jwtProviders
             }
         return if (shouldCreateFilter(group)) {
@@ -47,7 +47,7 @@ class JwtFilterFactory(
             .setTypedConfig(
                 Any.pack(
                     JwtAuthentication.newBuilder().putAllProviders(
-                        configuredJwtProviders
+                        selectedJwtProviders
                     )
                     .addAllRules(createRules(group.proxySettings.incoming.endpoints))
                     .build()
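Review bot: The reason `jwtProviders` and `jwtProvidersWithJwtStatusMetadata` are both built eagerly in property initializers is not recorded anywhere in this hunk, although it is the substance of the fix: `createJwtFilter` now hands out the same immutable `JwtProvider` messages on every call instead of rebuilding them through `mapValues` over shared builders, which the removed code also mutated with `setFailedStatusInMetadata`/`clearFailedStatusInMetadata` on each call. A maintainer could reasonably collapse the two maps back into one map built on demand and reintroduce the problem the commit title refers to. I would add above `jwtProviders`: `// Built once, in both variants: createJwtFilter must return identical JwtProvider messages per call; rebuilding them per group from shared builders impacted the LDS cache (#425).` Note also that `jwtProvidersWithJwtStatusMetadata` is computed even when `properties.failedStatusInMetadataEnabled` is false and is then never selected, which is harmless but worth a word in that comment. The body of `createJwtFilter` continues past the end of the hunk.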
@@ -68,26 +68,34 @@ class JwtFilterFactory(
     private fun containsClientsWithSelector(it: IncomingEndpoint) =
         clientToOAuthProviderName.keys.intersect(it.clients.map { it.name }).isNotEmpty()
-    private fun getJwtProviderBuilders(): Map =
+    private fun getJwtProviders(failedStatusInMetadataEnabled: Boolean): Map =
         properties.providers.entries.associate {
-            it.key to createProviderBuilder(it.value)
+            it.key to createProvider(it.value, failedStatusInMetadataEnabled)
         }
-    private fun createProviderBuilder(provider: OAuthProvider) = JwtProvider.newBuilder()
-        .setRemoteJwks(
-            RemoteJwks.newBuilder().setHttpUri(
-                HttpUri.newBuilder()
-                    .setUri(provider.jwksUri.toString())
-                    .setCluster(provider.clusterName)
-                    .setTimeout(
-                        Durations.fromMillis(provider.connectionTimeout.toMillis())
-                    ).build()
+    private fun createProvider(provider: OAuthProvider, failedStatusInMetadataEnabled: Boolean): JwtProvider {
+        val jwtProvider = JwtProvider.newBuilder()
+            .setRemoteJwks(
+                RemoteJwks.newBuilder().setHttpUri(
+                    HttpUri.newBuilder()
+                        .setUri(provider.jwksUri.toString())
+                        .setCluster(provider.clusterName)
+                        .setTimeout(
+                            Durations.fromMillis(provider.connectionTimeout.toMillis())
+                        ).build()
+                )
+                .setCacheDuration(Durations.fromMillis(provider.cacheDuration.toMillis()))
             )
-            .setCacheDuration(Durations.fromMillis(provider.cacheDuration.toMillis()))
-        )
-        .setForward(properties.forwardJwt)
-        .setForwardPayloadHeader(properties.forwardPayloadHeader)
-        .setPayloadInMetadata(properties.payloadInMetadata)
+            .setForward(properties.forwardJwt)
+            .setForwardPayloadHeader(properties.forwardPayloadHeader)
+            .setPayloadInMetadata(properties.payloadInMetadata)
+
+        if (failedStatusInMetadataEnabled) {
+            jwtProvider.setFailedStatusInMetadata(properties.failedStatusInMetadata)
+        }
+
+        return jwtProvider.build()
+    }
     private fun createRules(endpoints: List): Set {
         return endpoints.mapNotNull(this::createRuleForEndpoint).toSet()
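Review bot: In `createProvider`, the local named `jwtProvider` holds a `JwtProvider.Builder`, not a `JwtProvider`, and the one conditional field is split off into a separate `if` plus `return`, which reads as if a finished provider were being reconfigured. Keeping the optional field inside the same builder chain is clearer: append `.apply { if (failedStatusInMetadataEnabled) setFailedStatusInMetadata(properties.failedStatusInMetadata) }` after `.setPayloadInMetadata(properties.payloadInMetadata)`, follow it with `.build()`, and make the function a single-expression body so the `val` and the `return` go away. A KDoc would also help callers reading `getJwtProviders`: `/** Builds the Envoy JwtProvider for [provider]; failed_status_in_metadata is taken from properties.failedStatusInMetadata only when [failedStatusInMetadataEnabled] is true. */` Nothing here checks `properties.failedStatusInMetadata` when the flag is set, so if that value can be blank in configuration, a `require` at construction time would surface the misconfiguration earlier than the proxy would.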
@@ -144,7 +152,7 @@ class JwtFilterFactory(
     }
     private val requirementsForProviders: Map =
-        jwtProviderBuilders.keys.associateWith { JwtRequirement.newBuilder().setProviderName(it).build() }
+        jwtProviders.keys.associateWith { JwtRequirement.newBuilder().setProviderName(it).build() }
     private val allowMissingOrFailedRequirement =
         JwtRequirement.newBuilder().setAllowMissingOrFailed(Empty.getDefaultInstance()).build()