Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix jwt impacting lds cache #425

Merged
merged 3 commits into from
Jul 25, 2024
Merged

fix jwt impacting lds cache #425

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
12f0b4f
fix jwt impacting lds cache
kozjan Jul 25, 2024
4c732e0
update CHANGELOG.md
kozjan Jul 25, 2024
d2bffad
Merge branch 'master' into fix-jwt-cache
kozjan Jul 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,8 @@ Lists all changes with user impact.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).

## [0.20.17]
### Changed
### Fixed
- Fix JWT provider configuration to not impact lds cache
- Add missing methods in lua scripts to remove logs about it

## [0.20.16]
Expand Down
56 changes: 32 additions & 24 deletions ...gro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/JwtFilterFactory.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,20 +25,20 @@ class JwtFilterFactory(
private val properties: JwtFilterProperties
) {

private val jwtProviderBuilders: Map<ProviderName, JwtProvider.Builder> = getJwtProviderBuilders()
private val jwtProviders: Map<ProviderName, JwtProvider> = getJwtProviders(failedStatusInMetadataEnabled = false)
private val jwtProvidersWithJwtStatusMetadata: Map<ProviderName, JwtProvider> =
getJwtProviders(failedStatusInMetadataEnabled = true)
private val clientToOAuthProviderName: Map<String, String> =
properties.providers.entries.flatMap { (providerName, provider) ->
provider.matchings.keys.map { client -> client to providerName }
}.toMap()

fun createJwtFilter(group: Group): HttpFilter? {
val configuredJwtProviders =
val selectedJwtProviders =
if (group.listenersConfig?.addJwtFailureStatus != false && properties.failedStatusInMetadataEnabled) {
jwtProviderBuilders.mapValues {
it.value.setFailedStatusInMetadata(properties.failedStatusInMetadata).build()
}
jwtProvidersWithJwtStatusMetadata
} else {
jwtProviderBuilders.mapValues { it.value.clearFailedStatusInMetadata().build() }
jwtProviders
}

return if (shouldCreateFilter(group)) {
Expand All @@ -47,7 +47,7 @@ class JwtFilterFactory(
.setTypedConfig(
Any.pack(
JwtAuthentication.newBuilder().putAllProviders(
configuredJwtProviders
selectedJwtProviders
)
.addAllRules(createRules(group.proxySettings.incoming.endpoints))
.build()
Expand All @@ -68,26 +68,34 @@ class JwtFilterFactory(
private fun containsClientsWithSelector(it: IncomingEndpoint) =
clientToOAuthProviderName.keys.intersect(it.clients.map { it.name }).isNotEmpty()

private fun getJwtProviderBuilders(): Map<ProviderName, JwtProvider.Builder> =
private fun getJwtProviders(failedStatusInMetadataEnabled: Boolean): Map<ProviderName, JwtProvider> =
properties.providers.entries.associate {
it.key to createProviderBuilder(it.value)
it.key to createProvider(it.value, failedStatusInMetadataEnabled)
}

private fun createProviderBuilder(provider: OAuthProvider) = JwtProvider.newBuilder()
.setRemoteJwks(
RemoteJwks.newBuilder().setHttpUri(
HttpUri.newBuilder()
.setUri(provider.jwksUri.toString())
.setCluster(provider.clusterName)
.setTimeout(
Durations.fromMillis(provider.connectionTimeout.toMillis())
).build()
private fun createProvider(provider: OAuthProvider, failedStatusInMetadataEnabled: Boolean): JwtProvider {
val jwtProvider = JwtProvider.newBuilder()
.setRemoteJwks(
RemoteJwks.newBuilder().setHttpUri(
HttpUri.newBuilder()
.setUri(provider.jwksUri.toString())
.setCluster(provider.clusterName)
.setTimeout(
Durations.fromMillis(provider.connectionTimeout.toMillis())
).build()
)
.setCacheDuration(Durations.fromMillis(provider.cacheDuration.toMillis()))
)
.setCacheDuration(Durations.fromMillis(provider.cacheDuration.toMillis()))
)
.setForward(properties.forwardJwt)
.setForwardPayloadHeader(properties.forwardPayloadHeader)
.setPayloadInMetadata(properties.payloadInMetadata)
.setForward(properties.forwardJwt)
.setForwardPayloadHeader(properties.forwardPayloadHeader)
.setPayloadInMetadata(properties.payloadInMetadata)

if (failedStatusInMetadataEnabled) {
jwtProvider.setFailedStatusInMetadata(properties.failedStatusInMetadata)
}

return jwtProvider.build()
}

private fun createRules(endpoints: List<IncomingEndpoint>): Set<RequirementRule> {
return endpoints.mapNotNull(this::createRuleForEndpoint).toSet()
Expand Down Expand Up @@ -144,7 +152,7 @@ class JwtFilterFactory(
}

private val requirementsForProviders: Map<ProviderName, JwtRequirement> =
jwtProviderBuilders.keys.associateWith { JwtRequirement.newBuilder().setProviderName(it).build() }
jwtProviders.keys.associateWith { JwtRequirement.newBuilder().setProviderName(it).build() }

private val allowMissingOrFailedRequirement =
JwtRequirement.newBuilder().setAllowMissingOrFailed(Empty.getDefaultInstance()).build()
Expand Down
Loading