feat: add support for Envoy proxy #532
Walkthrough
Route for /auth/:proxy changed from GET to accept Any method; "envoy" added as a valid proxy. Non-GET requests to non-envoy proxies now return 405 Method Not Allowed; invalid-proxy checks still return 400. Tests added for method/Envoy behaviors.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Actionable comments posted: 1
🧹 Nitpick comments (1)
internal/controller/proxy_controller_test.go (1)
102-112: LGTM - Consider adding a GET test for Envoy as well.
The test correctly validates that Envoy accepts POST requests and follows the same authentication flow (307 redirect to login) as other proxies. This confirms the method-based access control allows all methods for Envoy.
For completeness, consider adding a test that verifies Envoy also works with GET requests, ensuring parity across all supported methods.
🔎 Optional: Add GET test for Envoy
// Test logged out user (envoy) with GET
recorder = httptest.NewRecorder()
req = httptest.NewRequest("GET", "/api/auth/envoy", nil)
req.Header.Set("X-Forwarded-Proto", "https")
req.Header.Set("X-Forwarded-Host", "example.com")
req.Header.Set("X-Forwarded-Uri", "/somepath")
req.Header.Set("Accept", "text/html")
router.ServeHTTP(recorder, req)
assert.Equal(t, 307, recorder.Code)
assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
📜 Review details
Configuration used: defaults
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
internal/controller/proxy_controller.go (2 hunks)
internal/controller/proxy_controller_test.go (2 hunks)
🔇 Additional comments (3)
internal/controller/proxy_controller.go (2)
42-42: LGTM - Route now accepts all HTTP methods for Envoy support.
The change from GET to Any is correct. Envoy forwards the original request method when contacting external authorizers, so the endpoint must accept all methods. The subsequent method validation at lines 58-65 ensures that only Envoy can use non-GET methods.
67-67: Verify Envoy ext_authz configuration includes necessary headers to authorization service.
Envoy's ext_authz filter automatically forwards the original HTTP method (as :method). However, X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Uri headers are not automatically included in authorization requests—they must be explicitly configured via the headers_to_add field in the authorization request settings. If your code at lines 84-86 depends on these headers being present, ensure the external authorization service is properly configured to provide them in its response, or configure Envoy to explicitly send them to the authorization service.
internal/controller/proxy_controller_test.go (1)
83-88: LGTM - Test validates method restriction for non-Envoy proxies.
The test correctly verifies that POST requests to non-Envoy proxies (traefik in this case) return 405 Method Not Allowed, which validates the new method-based access control.
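The method gate described in the walkthrough and review comments above, as an added Go example that is not Tinyauth's code. It uses net/http rather than the project's router, and the names `gate`, `authHandler` and `probe`, the two-entry proxy list, and the order of the 400 and 405 checks are assumptions; the handler models only the logged-out redirect seen in the tests.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed allow-list: the page names only traefik and envoy.
var validProxies = map[string]bool{"traefik": true, "envoy": true}

// gate returns the rejection status for a proxy/method pair, or 0 to continue.
func gate(proxy, method string) int {
	if !validProxies[proxy] {
		return http.StatusBadRequest // unknown proxy: 400
	}
	if method != http.MethodGet && proxy != "envoy" {
		return http.StatusMethodNotAllowed // only envoy may use non-GET: 405
	}
	return 0
}

// authHandler: hypothetical stand-in for the route, logged-out path only.
func authHandler(w http.ResponseWriter, r *http.Request) {
	if code := gate(strings.TrimPrefix(r.URL.Path, "/api/auth/"), r.Method); code != 0 {
		http.Error(w, http.StatusText(code), code)
		return
	}
	// The redirect target is rebuilt from headers the proxy must send.
	target := r.Header.Get("X-Forwarded-Proto") + "://" + r.Header.Get("X-Forwarded-Host") + r.Header.Get("X-Forwarded-Uri")
	w.Header().Set("Location", "http://localhost:8080/login?redirect_uri="+url.QueryEscape(target))
	w.WriteHeader(http.StatusTemporaryRedirect)
}

// probe sends one constructed request with constructed forwarded headers.
func probe(method, proxy string) (int, string) {
	req := httptest.NewRequest(method, "/api/auth/"+proxy, nil)
	req.Header.Set("X-Forwarded-Proto", "https")
	req.Header.Set("X-Forwarded-Host", "example.com")
	req.Header.Set("X-Forwarded-Uri", "/somepath")
	rec := httptest.NewRecorder()
	authHandler(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	fmt.Println(probe("POST", "traefik")) // non-envoy proxy, non-GET
	fmt.Println(probe("POST", "envoy"))   // envoy forwards the original method
}
```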
Closing in favor of #538.
Summary
Implements: #527
Adds support for Envoy Proxy so Tinyauth can be used as an external authorizer with ext_authz in Envoy filters and Istio AuthorizationPolicy.
Changes
/api/auth/envoy as Envoy uses the original method when contacting Tinyauth.
Summary by CodeRabbit
New Features
Bug Fixes