Description: modifies jwt_authn filter's ExtractorImpl extract method to use the from_headers's value_prefix tag more precisely, allowing syntax like "tag=<JWT>,other=xxx" rather than simply taking the remainder of the string as the JWT candidate.
See Issue #6355 for full description. Should be backwards-compatible with existing uses of jwt_authn.
Risk Level: Medium (scope: affects JWT authentication)
Testing: Unit testing was added to test/.../jwt_authn/extractor_test.cc. Since Extractor itself does not validate the JWT, only the parsing is tested.
Docs Changes: see "Further header options" section added to api/envoy/config/filter/http/jwt_authn/v2alpha/README.md
Release Notes:
Adds enhancement per Issue #6355, so that deployments can use a wider variety of HTTP header syntaxes to pass JWTs and have them authenticated by the jwt_authn filter. Backwards-compatible with existing usage.
JWT authentication with the jwt_authn HTTP filter now permits header syntax like the following:
Authorization: Bespoke jwt=eyJhbGciOiJS...ZFnFIw,extra=7,realm=123
Signed-off-by: Larry West <Larry_West@intuit.com>
Mirrored from https://github.com/envoyproxy/envoy @ 03cf28658399a7e411e49f9718782c919578d099
- Redis requests are now redirected to a new upstream connection
upon receipt of an MOVED or ASK error response. If the request
cannot be redirected, then the error is passed downstream unmodified.
The redirection IP (IPv4 or IPv6) address and TCP port specified
in the Redis server error does not need to reference a known host of
the cluster associated with the redis_proxy filter.
- added an enable_redirection boolean to the redis proxy connection
pool settings to control whether or not server redirection errors are
honored or passed downstream unchanged.
- RespValue copy constructor, copy assignment, and equality testing
methods for easier manipulation of RespValues.
- added cluster statistics, upstream_internal_redirect_succeeded_total
and upstream_internal_redirect_failed_total in ClientImpl::onRespValue()
callback
- extended unit tests for Redis connection pool, client, command
splitter, and RespValue copying and equallity testing.
- new basic integration test for redis_proxy: simple request
and response, and invalid request testing (enable_redirection
enabled).
Signed-off-by: Mitch Sukalski <mitch.sukalski@workday.com>
Mirrored from https://github.com/envoyproxy/envoy @ 378d59b43e71e07c36c9ef60b0ee7318ca7f510f
Provide the HTTP path normalization per RFC 3986 (sans case normalization). This addresses CVE-2019-9901.
The config HttpConnectionManager.normalize_path needs to be set for each HCM configuration to enable (default is off). There is also a runtime optione http_connection_manager.normalize_path
to change this default when not set in HCM.
Risk level: Low
Testing: New unit and integration tests added.
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7ed6d2187df94c4cb96f7dccb8643bf764af2ccb
This PR adds support to `ext_authz` filter for buffering the request data. This is useful when the authorization server needs to check the request body, e.g. HMAC validation.
Fixes#5676
*Risk Level*: low
*Testing*: unit
*Docs Changes*: yes
*Release Notes*: yes
Signed-off-by: Gabriel <gsagula@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 075edf802b9ef94bdf26fddc9e775f8bb89df92d
This is not implemented yet.
Fixes#6405.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4ed3afebe9801e40095a68fa135ccf10a474818a
* docs: more snapping fixes
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ c949a8144cf3b0162133dde0c489dea8a4078a47
The change breaks the existing Redis operation, for example redis-cli -p
[WHATEVER] GET 1 crashes Envoy.
This reverts commit 046e98904f6df60f0c548ffe77ffb5f5f980179d.
Signed-off-by: Nicolas Flacco <nflacco@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ bacd89e866b4d81dd316613ce11c0b9c678cc421
This filter decodes the ZooKeeper wire protocol and emits
stats & metadata about requests, responses and events.
This wire protocol parsing is based on:
https://github.com/twitter/zktraffichttps://github.com/rgs1/zktraffic-cpp
The actual filter structure is based on the Mysql proxy filter.
Signed-off-by: Raul Gutierrez Segales <rgs@pinterest.com>
Mirrored from https://github.com/envoyproxy/envoy @ b771f99f53142bbb1496dbcddccc5defaaaa8dd8
Using proto.MarshalAny results in unstable output due to non-deterministic map ordering. This in turn causes Envoy's diff to reload a config since the hash of the structure changes.
Enable stable marshaler for gogoproto to avoid this problem. See #6252
Risk Level: low
Testing: n/a
Signed-off-by: Kuat Yessenov <kuat@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 15a19b9cb1cc8bd5a5ec71d125177b3f6c9a3cf5
1) Add stat to track number of active injected faults
2) Add config/runtime control over how many concurrent
faults can be injected. This is useful in cases where
we want to allow 100% fault injection, but want to
protect against too many concurrent requests using too
many resources.
3) Add stat for faults that overflowed.
4) Misc code cleanup / modernization.
Part of https://github.com/envoyproxy/envoy/issues/5942.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 191c8b02b4908f212f800ed0185f6ee689ba8126
Bump up max configurable max_request_headers_kb to 96 KiB.
Add a check to http1/codec_impl.cc for headers size.
Raise the default library limits in http_parser nghttp2 so we'll rely on our own codec check.
Risk Level: Medium.
Testing: Moved all the large request headers tests to ProtocolIntegrationTest.
Part of #5626.
Signed-off-by: Auni Ahsan <auni@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ df3d47f478c29188d22b517d1a0d05793dfe2c62
This PR replaces deprecated HTTP links by HTTPS links for security and consistency.
Signed-off-by: Vu Cong Tuan <tuanvc@vn.fujitsu.com>
Mirrored from https://github.com/envoyproxy/envoy @ b47112f62b5186bb087bdf335f6df6fb072e2a46
Updates the health check filter to treat degraded hosts as healthy for
the purpose of computing the "health" of each cluster. This captures the
idea that these hosts are still available for routing: if the upstream
cluster is fully degraded it's still available, so there shouldn't be a
need for Envoy to declare itself unhealthy.
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2e6bd24617f9c9c7085353095e196008370821c6
Co-Authored-By: Nguyen Phuong An <AnNP@vn.fujitsu.com>
Signed-off-by: Kim Bao Long <longkb@vn.fujitsu.com>
Mirrored from https://github.com/envoyproxy/envoy @ 15f1c56397ff404fc98fb3381725bbe48c205234
This adds a new response flag SI that is set when the request is
canceled due to a stream idle timeout.
_Risk Level_: Low
_Testing_: Updated existing access log UTs, added test for setting flag
_Docs Changes_: Updated list of response flags
_Release Notes_: Added release note
Signed-off-by: Snow Pettersen <snowp@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ a22d983cc87170677243d4aeba6457a4972d7980
This commit refactors the tap transport socket to use the common
tap extension configuration and tap matching infrastructure. More
match conditions will be added in a future PR as well as additional
cleanups that have been marked with TODOs.
One result of this PR is that the HTTP tap filter can now have a static
configuration as well as write to a file per tap sink.
All future tap PRs should be smaller and more targeted after this one.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ f37ebdc14f4c0adf0e90aabddae833355c0cec1b
Renaming max_request_headers_size_kb to max_request_headers_kb.
It just merged so hopefully no one is using it yet.
Risk Level: Low.
Testing/docs: Updated docs and config test from #5654.
Signed-off-by: Auni Ahsan <auni@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 71afb134c528ded99510172a65e30cac6503d213
Description: Add a field to http conn manager, max_request_headers_size_kb. Currently you can set the field from 1 to 63, to stay under both http1 (~80K) and http2 (64K) codec limits. I'm experimenting with how high I can configure the codecs to accept, so the limit will likely change.
Risk Level: High. Incorrectly configured max size can cause requests to be rejected.
Testing: Integration and unit testing.
Docs Changes: added release notes and .proto comments
Part of #5626.
Signed-off-by: Auni Ahsan <auni@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 0fb9325f7716294b465003fca852065d9c36d016
Configuration of the TCP proxy's deprecated source ip and port
feature comes up periodically and since it was non-trivial for
me to figure out how to even configure it, I thought I'd add
a README with an example.
*Risk Level*: low, docs only
*Testing*: manually tested example
*Docs Changes*: added example for TCP proxy deprecated_v1
*Release Notes*: n/a
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ fb47139b8f1e4d47f649c39ddee1a1e04e6e62f8
This is a rename PR only. It renames the capture transport socket
and associated tools to the tap transport socket. It also updates
some documentation. In a subsequent PR I'm going to refactor the
tap transport socket to use the new common tap framework so that
the tap transport socket can be configured via admin, the HTTP
tap filter can write to a file, the tap transport socket can have
matching, etc.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7a5849f2a8bcc55fa16da3eaee94d9c99a11147c
This is a MVP for the HTTP tap filter. It includes minimal
infrastructure for the following:
1. Generic tap configuration which in the future will be used for
static config, XDS config, etc. In this MVP the tap can be
configured via a /tap admin endpoint.
2. Generic output configuration which in the future will be used for
different output sinks such as files, gRPC API, etc. In this MVP
the tap results are streamed back out the /tap admin endpoint.
3. Matching infrastructure. In this MVP only matching on request and
response headers are implemented. Both logical AND and logical OR
matches are possible.
4. In this MVP request/response body is not considered at all.
5. All docs are included and with all the caveats the filter is ready
to use for the limited cases it supports (which are likely still to
be useful).
There is a lot of follow on work which I will do in subsequent PRs.
This includes:
1. Merging the existing capture transport socket into this framework.
2. Implementing body support, both for matching on body contents as
well as outputting body data.
3. Tap rate limiting so too many streams do not get tapped.
4. gRPC matching. Using reflection and loaded proto definitions, it will
be possible to match on gRPC fields.
5. JSON matching. If the body parses as JSON, we can allow matching on
JSON fields.
Part of https://github.com/envoyproxy/envoy/issues/1413.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ cf80045587240d494e54e9772949bc9af5eda61f
This filter contains the logic to decode the mysql wire protocol and SQL queries (SQL99 only).
The code is based on our internal version at VMware. The SQL parser can be found at https://github.com/rshriram/sql-parser. Its a cleaned up version of Hyrise SQL parser. I am keeping the code as a separate library as importing the sources into envoy will cause a lot of changes to the code.
Signed-off-by: Giorgio Valentini <gvalentini@vmware.com>
Signed-off-by: Deepa Kalani <dkalani@vmware.com>
Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>
Signed-off-by: Venil Noronha <veniln@vmware.com>
Mirrored from https://github.com/envoyproxy/envoy @ b3be5713f2100ab5c40316e73ce34581245bd26a