Add explicit header mutation validation ext_authz (#33244)

* Validate headers & percent-encode query parameters in ext_authz

Signed-off-by: Antonio Leonti <leonti@google.com>

* move-- not copy-- header mutations in grpc client

Signed-off-by: antoniovleonti <leonti@google.com>

* move validation to clients

Signed-off-by: antoniovleonti <leonti@google.com>

* clean up diff

Signed-off-by: antoniovleonti <leonti@google.com>

* oops, add query param percent encoding to grpc client

Signed-off-by: antoniovleonti <leonti@google.com>

* clean up unnecessary diff and remove unused function declaration

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unnecessary diff from ext_authz_test

Signed-off-by: antoniovleonti <leonti@google.com>

* final clean up

Signed-off-by: antoniovleonti <leonti@google.com>

* split ext_authz_test change into own PR (#33709)

Signed-off-by: antoniovleonti <leonti@google.com>

* fix asan error

Signed-off-by: antoniovleonti <leonti@google.com>

* add note in changelog

Signed-off-by: antoniovleonti <leonti@google.com>

* move http validation to own PR

Signed-off-by: antoniovleonti <leonti@google.com>

* Drop client request on invalid mutations

Signed-off-by: antoniovleonti <leonti@google.com>

* formatting & changelog

Signed-off-by: antoniovleonti <leonti@google.com>

* remove debug logs

Signed-off-by: antoniovleonti <leonti@google.com>

* remove done todo

Signed-off-by: antoniovleonti <leonti@google.com>

* remove comment about percent encoding query params

Signed-off-by: antoniovleonti <leonti@google.com>

* add Rejected to exhaustive status switch statement

Signed-off-by: antoniovleonti <leonti@google.com>

* handle rejected case in the network ext_authz filter

Signed-off-by: antoniovleonti <leonti@google.com>

* move validation to http filter

Signed-off-by: antoniovleonti <leonti@google.com>

* fix incorrectly numbered proto field

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unused runtime feature flag

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unnecessary comma

Signed-off-by: antoniovleonti <leonti@google.com>

* fix inconsistent HeaderVector constructor call fmt

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unnecessary diff

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unnecessary dependency

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unnecessary diff

Signed-off-by: antoniovleonti <leonti@google.com>

* fix spelling

Signed-off-by: antoniovleonti <leonti@google.com>

* Update api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

Co-authored-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com>

* Update api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

Co-authored-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com>

* config guard remove-header change & make fmting consistent

Signed-off-by: antoniovleonti <leonti@google.com>

* remove using decls from ext_authz_test

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unnecessary diff

Signed-off-by: antoniovleonti <leonti@google.com>

* add stat check to integration test

Signed-off-by: antoniovleonti <leonti@google.com>

* remove using decl from grpc_impl_test

Signed-off-by: antoniovleonti <leonti@google.com>

* formatting changes

Signed-off-by: antoniovleonti <leonti@google.com>

* replace unused using decl with a needed one

Signed-off-by: antoniovleonti <leonti@google.com>

* remove unused counter

Signed-off-by: antoniovleonti <leonti@google.com>

---------

Signed-off-by: Antonio Leonti <leonti@google.com>
Signed-off-by: antoniovleonti <leonti@google.com>
Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com>
Co-authored-by: Greg Greenway <ggreenway@apple.com>

Mirrored from https://github.com/envoyproxy/envoy @ 1c6eba59dbcced94c9974dc69d1bfcfa9ee3107d
update-envoy[bot] 10 months ago
parent 4a688d5f52
commit 449c956946
  1. 17
      envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@ -28,7 +28,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
// [#extension: envoy.filters.http.ext_authz]
// [#next-free-field: 24]
// [#next-free-field: 25]
message ExtAuthz {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@ -92,6 +92,21 @@ message ExtAuthz {
// or cannot be reached. The default status is HTTP 403 Forbidden.
type.v3.HttpStatus status_on_error = 7;
// When this is set to true, the filter will check the :ref:`ext_authz response
// <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header &
// query parameter mutations. If the side stream response is invalid, it will send a local reply
// to the downstream request with status HTTP 500 Internal Server Error.
//
// Note that headers_to_remove & query_parameters_to_remove are validated, but invalid elements in
// those fields should not affect any headers & thus will not cause the filter to send a local
// reply.
//
// When set to false, any invalid mutations will be visible to the rest of envoy and may cause
// unexpected behavior.
//
// If you are using ext_authz with an untrusted ext_authz server, you should set this to true.
bool validate_mutations = 24;
// Specifies a list of metadata namespaces whose values, if present, will be passed to the
// ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
// is passed as an opaque ``protobuf::Struct``.
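
Review bot: the doc comment on `validate_mutations` never states the default, and as a plain `bool` it is false when unset, so the behaviour described under "When set to false" (invalid mutations visible to the rest of envoy) is what every existing config keeps unless an operator opts in. Please say so explicitly in the first paragraph, for example "Defaults to false.", so the recommendation in the last sentence about untrusted ext_authz servers reads as a required action and not as a description of the default. Two further gaps in the same comment: it does not say what makes a header or query parameter mutation "invalid", which an operator needs in order to predict when requests will be rejected, and it does not say whether the HTTP 500 local reply is fixed or follows `status_on_error` defined directly above. A sentence on each, or a `:ref:` to where validity is defined, would close both.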
