fix jwt impacting lds cache

allegro · Jul 25, 2024 · b8167dd · b8167dd
1 parent 875069b
commit b8167dd
Showing 1 changed file with 33 additions and 27 deletions.
diff --git a/...gro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt b/...gro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
@@ -25,29 +25,27 @@ class JwtFilterFactory(
     private val properties: JwtFilterProperties
 ) {
 
-    private val jwtProviderBuilders: Map<ProviderName, JwtProvider.Builder> = getJwtProviderBuilders()
+    private val jwtProviders: Map<ProviderName, JwtProvider> = getJwtProviders(failedStatusInMetadataEnabled = false)
+    private val jwtProvidersWithJwtStatusMetadata: Map<ProviderName, JwtProvider> =
+        getJwtProviders(failedStatusInMetadataEnabled = true)
     private val clientToOAuthProviderName: Map<String, String> =
         properties.providers.entries.flatMap { (providerName, provider) ->
             provider.matchings.keys.map { client -> client to providerName }
         }.toMap()
 
     fun createJwtFilter(group: Group): HttpFilter? {
-        val configuredJwtProviders =
-            if (group.listenersConfig?.addJwtFailureStatus != false && properties.failedStatusInMetadataEnabled) {
-                jwtProviderBuilders.mapValues {
-                    it.value.setFailedStatusInMetadata(properties.failedStatusInMetadata).build()
-                }
-            } else {
-                jwtProviderBuilders.mapValues { it.value.clearFailedStatusInMetadata().build() }
-            }
+        val selectedJwtProviders =
+            if (group.listenersConfig?.addJwtFailureStatus != false && properties.failedStatusInMetadataEnabled)
+                jwtProvidersWithJwtStatusMetadata
+            else jwtProviders
 
         return if (shouldCreateFilter(group)) {
             HttpFilter.newBuilder()
                 .setName("envoy.filters.http.jwt_authn")
                 .setTypedConfig(
                     Any.pack(
                         JwtAuthentication.newBuilder().putAllProviders(
-                            configuredJwtProviders
+                            selectedJwtProviders
                         )
                             .addAllRules(createRules(group.proxySettings.incoming.endpoints))
                             .build()
@@ -68,26 +66,34 @@ class JwtFilterFactory(
     private fun containsClientsWithSelector(it: IncomingEndpoint) =
         clientToOAuthProviderName.keys.intersect(it.clients.map { it.name }).isNotEmpty()
 
-    private fun getJwtProviderBuilders(): Map<ProviderName, JwtProvider.Builder> =
+    private fun getJwtProviders(failedStatusInMetadataEnabled: Boolean): Map<ProviderName, JwtProvider> =
         properties.providers.entries.associate {
-            it.key to createProviderBuilder(it.value)
+            it.key to createProvider(it.value, failedStatusInMetadataEnabled)
         }
 
-    private fun createProviderBuilder(provider: OAuthProvider) = JwtProvider.newBuilder()
-        .setRemoteJwks(
-            RemoteJwks.newBuilder().setHttpUri(
-                HttpUri.newBuilder()
-                    .setUri(provider.jwksUri.toString())
-                    .setCluster(provider.clusterName)
-                    .setTimeout(
-                        Durations.fromMillis(provider.connectionTimeout.toMillis())
-                    ).build()
+    private fun createProvider(provider: OAuthProvider, failedStatusInMetadataEnabled: Boolean): JwtProvider {
+        val jwtProvider = JwtProvider.newBuilder()
+            .setRemoteJwks(
+                RemoteJwks.newBuilder().setHttpUri(
+                    HttpUri.newBuilder()
+                        .setUri(provider.jwksUri.toString())
+                        .setCluster(provider.clusterName)
+                        .setTimeout(
+                            Durations.fromMillis(provider.connectionTimeout.toMillis())
+                        ).build()
+                )
+                    .setCacheDuration(Durations.fromMillis(provider.cacheDuration.toMillis()))
             )
-                .setCacheDuration(Durations.fromMillis(provider.cacheDuration.toMillis()))
-        )
-        .setForward(properties.forwardJwt)
-        .setForwardPayloadHeader(properties.forwardPayloadHeader)
-        .setPayloadInMetadata(properties.payloadInMetadata)
+            .setForward(properties.forwardJwt)
+            .setForwardPayloadHeader(properties.forwardPayloadHeader)
+            .setPayloadInMetadata(properties.payloadInMetadata)
+
+        if (failedStatusInMetadataEnabled) {
+            jwtProvider.setFailedStatusInMetadata(properties.failedStatusInMetadata)
+        }
+
+        return jwtProvider.build()
+    }
 
     private fun createRules(endpoints: List<IncomingEndpoint>): Set<RequirementRule> {
         return endpoints.mapNotNull(this::createRuleForEndpoint).toSet()
@@ -144,7 +150,7 @@ class JwtFilterFactory(
     }
 
     private val requirementsForProviders: Map<ProviderName, JwtRequirement> =
-        jwtProviderBuilders.keys.associateWith { JwtRequirement.newBuilder().setProviderName(it).build() }
+        jwtProviders.keys.associateWith { JwtRequirement.newBuilder().setProviderName(it).build() }
 
     private val allowMissingOrFailedRequirement =
         JwtRequirement.newBuilder().setAllowMissingOrFailed(Empty.getDefaultInstance()).build()