-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[TT-12741] Looped ap is wrongfully inherit the caller's authentication key when using url rewrite #6778
Conversation
PR Reviewer Guide 🔍Here are some key observations to aid the review process:
|
API Changes --- prev.txt 2024-12-19 12:34:28.081919637 +0000
+++ current.txt 2024-12-19 12:34:23.616824756 +0000
@@ -6847,6 +6847,7 @@
// CacheOptions holds cache options required for cache writer middleware.
CacheOptions
OASDefinition
+ SelfLooping
)
# Package: ./dlpython
|
PR Code Suggestions ✨Explore these optional code suggestions:
|
gateway/api.go
Outdated
|
||
return false | ||
} | ||
|
||
func ctxLoopingEnabled(r *http.Request) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this also can be moved to httpctx if the usage is low (complete looping context global funcs).
Adding this comment here for future reference. With the changes related to quota limits not respected while self looping, we added the same check |
3b08d1e
to
cd0965a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
approving despite the race on tests, considering this comment
https://github.com/TykTechnologies/tyk/blob/master/gateway/looping_test.go#L4
gateway/api.go
Outdated
@@ -3177,7 +3177,7 @@ func ctxSetCheckLoopLimits(r *http.Request, b bool) { | |||
// Should we check Rate limits and Quotas? | |||
func ctxCheckLimits(r *http.Request) bool { | |||
// If looping disabled, allow all | |||
if !ctxLoopingEnabled(r) { | |||
if ctxLoopLevel(r) == 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Behaviour 1: Limits are checked on first (root) request, and not on subsequent children.
ctxLoopingEnabled => ctxLoopLevel(r) > 0
It unwraps the function and makes it clearer to read without the negation.
gateway/api_loader.go
Outdated
@@ -649,6 +649,10 @@ func (d *DummyProxyHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { | |||
|
|||
d.SH.Spec.SanitizeProxyPaths(r) | |||
ctxSetVersionInfo(r, nil) | |||
|
|||
loopLevelLimit, _ := strconv.Atoi(r.URL.Query().Get("loop_limit")) //nolint | |||
ctxIncLoopLevel(r, loopLevelLimit) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missed code path for internal routing requests.
As a request is invoked with tyk://
schema it falls into two code branches; this branch didn't consider incrementing the loop level checks; copied from slightly above.
Naming of this service object is severely misfortunate: DummyProxyHandler
(nothing dummy about it).
ef8ae44
to
4613b56
Compare
…t-the-caller's-Authentication-key-when-using-URL-rewrite
Quality Gate passedIssues Measures |
/release to release-5.3 |
Working on it! Note that it can take a few minutes. |
…n key when using url rewrite (#6778) <details open> <summary><a href="https://tyktech.atlassian.net/browse/TT-12741" title="TT-12741" target="_blank">TT-12741</a></summary> <br /> <table> <tr> <th>Summary</th> <td>Looped APIs wrongfully inherit the caller's Authentication key when using URL rewrite</td> </tr> <tr> <th>Type</th> <td> <img alt="Bug" src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium" /> Bug </td> </tr> <tr> <th>Status</th> <td>In Dev</td> </tr> <tr> <th>Points</th> <td>N/A</td> </tr> <tr> <th>Labels</th> <td><a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20'24Bugsmash%20ORDER%20BY%20created%20DESC" title="'24Bugsmash">'24Bugsmash</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20customer_bug%20ORDER%20BY%20created%20DESC" title="customer_bug">customer_bug</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20jira_escalated%20ORDER%20BY%20created%20DESC" title="jira_escalated">jira_escalated</a></td> </tr> </table> </details> <!-- do not remove this marker as it will break jira-lint's functionality. added_by_jira_lint --> --- PR to see CI/CD result, please don't merge it. ___ Bug fix, Tests ___ - Introduced a new context constant `SelfLooping` and methods `ctxSetSelfLooping` and `ctxSelfLooping` to manage self-looping state in requests. - Updated `ctxCheckLimits` to bypass rate limits and quotas for self-looping requests. - Modified API loader to set self-looping state for self-referencing requests. - Enhanced the test `TestQuotaNotAppliedWithURLRewrite` to include scenarios for self-looping and URL rewrite, ensuring proper behavior. ___ <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table> <tr> <td> <details> <summary><strong>ctx.go</strong><dd><code>Add support for managing self-looping state in context</code> </dd></summary> <hr> ctx/ctx.go <li>Added a new constant <code>SelfLooping</code> to the context.<br> <li> Introduced new methods <code>ctxSetSelfLooping</code> and <code>ctxSelfLooping</code> for <br>managing self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-600f5f552779994b15324fda108549eec7e7be30b1d8a1a16ee8344243e0cbc7">+1/-0</a> </td> </tr> </table></td></tr><tr><td><strong>Bug fix</strong></td><td><table> <tr> <td> <details> <summary><strong>api.go</strong><dd><code>Update rate limit and quota checks for self-looping requests</code></dd></summary> <hr> gateway/api.go <li>Modified <code>ctxCheckLimits</code> to skip rate limits and quotas for <br>self-looping requests.<br> <li> Added logic to check and set self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-644cda3aeb4ac7f325359e85fcddb810f100dd5e6fa480b0d9f9363a743c4e05">+20/-1</a> </td> </tr> <tr> <td> <details> <summary><strong>api_loader.go</strong><dd><code>Set self-looping state for self-referencing requests</code> </dd></summary> <hr> gateway/api_loader.go - Added logic to set self-looping state when the hostname is "self". </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68">+1/-0</a> </td> </tr> </table></td></tr><tr><td><strong>Tests</strong></td><td><table> <tr> <td> <details> <summary><strong>middleware_test.go</strong><dd><code>Enhance tests to cover self-looping and URL rewrite scenarios</code></dd></summary> <hr> gateway/middleware_test.go <li>Updated <code>TestQuotaNotAppliedWithURLRewrite</code> to include extended paths <br>and self-looping scenarios.<br> <li> Added a loader to create a merged API spec for testing.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-6a09a08e3f82cc5e9d8c6b5c8426d75ea1e5d85e15ab008fca1f512e7c49c1e6">+7/-1</a> </td> </tr> </table></td></tr></tr></tbody></table> ___ > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull request to receive relevant information --------- Co-authored-by: Tit Petric <tit.petric@monotek.net> Co-authored-by: Tit Petric <tit@tyk.io> (cherry picked from commit d59ae8c)
@buraksezer Succesfully merged PR |
…e caller's authentication key when using url rewrite (#6778) (#6793) ### **User description** [TT-12741] Looped ap is wrongfully inherit the caller's authentication key when using url rewrite (#6778) ### **User description** <details open> <summary><a href="https://tyktech.atlassian.net/browse/TT-12741" title="TT-12741" target="_blank">TT-12741</a></summary> <br /> <table> <tr> <th>Summary</th> <td>Looped APIs wrongfully inherit the caller's Authentication key when using URL rewrite</td> </tr> <tr> <th>Type</th> <td> <img alt="Bug" src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium" /> Bug </td> </tr> <tr> <th>Status</th> <td>In Dev</td> </tr> <tr> <th>Points</th> <td>N/A</td> </tr> <tr> <th>Labels</th> <td><a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20'24Bugsmash%20ORDER%20BY%20created%20DESC" title="'24Bugsmash">'24Bugsmash</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20customer_bug%20ORDER%20BY%20created%20DESC" title="customer_bug">customer_bug</a>, <a href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20jira_escalated%20ORDER%20BY%20created%20DESC" title="jira_escalated">jira_escalated</a></td> </tr> </table> </details> <!-- do not remove this marker as it will break jira-lint's functionality. added_by_jira_lint --> --- PR to see CI/CD result, please don't merge it. ___ ### **PR Type** Bug fix, Tests ___ ### **Description** - Introduced a new context constant `SelfLooping` and methods `ctxSetSelfLooping` and `ctxSelfLooping` to manage self-looping state in requests. - Updated `ctxCheckLimits` to bypass rate limits and quotas for self-looping requests. - Modified API loader to set self-looping state for self-referencing requests. - Enhanced the test `TestQuotaNotAppliedWithURLRewrite` to include scenarios for self-looping and URL rewrite, ensuring proper behavior. ___ ### **Changes walkthrough** 📝 <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table> <tr> <td> <details> <summary><strong>ctx.go</strong><dd><code>Add support for managing self-looping state in context</code> </dd></summary> <hr> ctx/ctx.go <li>Added a new constant <code>SelfLooping</code> to the context.<br> <li> Introduced new methods <code>ctxSetSelfLooping</code> and <code>ctxSelfLooping</code> for <br>managing self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-600f5f552779994b15324fda108549eec7e7be30b1d8a1a16ee8344243e0cbc7">+1/-0</a> </td> </tr> </table></td></tr><tr><td><strong>Bug fix</strong></td><td><table> <tr> <td> <details> <summary><strong>api.go</strong><dd><code>Update rate limit and quota checks for self-looping requests</code></dd></summary> <hr> gateway/api.go <li>Modified <code>ctxCheckLimits</code> to skip rate limits and quotas for <br>self-looping requests.<br> <li> Added logic to check and set self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-644cda3aeb4ac7f325359e85fcddb810f100dd5e6fa480b0d9f9363a743c4e05">+20/-1</a> </td> </tr> <tr> <td> <details> <summary><strong>api_loader.go</strong><dd><code>Set self-looping state for self-referencing requests</code> </dd></summary> <hr> gateway/api_loader.go - Added logic to set self-looping state when the hostname is "self". </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68">+1/-0</a> </td> </tr> </table></td></tr><tr><td><strong>Tests</strong></td><td><table> <tr> <td> <details> <summary><strong>middleware_test.go</strong><dd><code>Enhance tests to cover self-looping and URL rewrite scenarios</code></dd></summary> <hr> gateway/middleware_test.go <li>Updated <code>TestQuotaNotAppliedWithURLRewrite</code> to include extended paths <br>and self-looping scenarios.<br> <li> Added a loader to create a merged API spec for testing.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-6a09a08e3f82cc5e9d8c6b5c8426d75ea1e5d85e15ab008fca1f512e7c49c1e6">+7/-1</a> </td> </tr> </table></td></tr></tr></tbody></table> ___ > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull request to receive relevant information --------- Co-authored-by: Tit Petric <tit.petric@monotek.net> Co-authored-by: Tit Petric <tit@tyk.io> [TT-12741]: https://tyktech.atlassian.net/browse/TT-12741?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ ___ ### **PR Type** Bug fix, Tests ___ ### **Description** - Introduced a new context constant `SelfLooping` and methods `ctxSetSelfLooping` and `ctxSelfLooping` to manage self-looping state in requests. - Updated `ctxCheckLimits` to bypass rate limits and quotas for self-looping requests. - Modified API loader to set self-looping state for self-referencing requests. - Enhanced tests to validate self-looping behavior, including scenarios with authentication tokens and URL rewrites. - Added utilities and unit tests for managing and checking self-looping state in requests. ___ ### **Changes walkthrough** 📝 <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table> <tr> <td> <details> <summary><strong>ctx.go</strong><dd><code>Add support for managing self-looping state in context</code> </dd></summary> <hr> ctx/ctx.go <li>Added a new constant <code>SelfLooping</code> to the context.<br> <li> Introduced methods <code>ctxSetSelfLooping</code> and <code>ctxSelfLooping</code> for managing <br>self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-600f5f552779994b15324fda108549eec7e7be30b1d8a1a16ee8344243e0cbc7">+1/-0</a> </td> </tr> <tr> <td> <details> <summary><strong>looping.go</strong><dd><code>Add utilities for managing self-looping state in requests</code></dd></summary> <hr> internal/httpctx/looping.go <li>Introduced <code>SetSelfLooping</code> and <code>IsSelfLooping</code> methods to manage and <br>check self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-bee59f2b12fc6b5ab219a4f90ef17e4f32c0e0a0015a48cea1400345f3381f5f">+19/-0</a> </td> </tr> </table></td></tr><tr><td><strong>Bug fix</strong></td><td><table> <tr> <td> <details> <summary><strong>api.go</strong><dd><code>Update rate limit and quota checks for self-looping requests</code></dd></summary> <hr> gateway/api.go <li>Updated <code>ctxCheckLimits</code> to bypass rate limits and quotas for <br>self-looping requests.<br> <li> Integrated logic to check and set self-looping state in requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-644cda3aeb4ac7f325359e85fcddb810f100dd5e6fa480b0d9f9363a743c4e05">+7/-0</a> </td> </tr> <tr> <td> <details> <summary><strong>api_loader.go</strong><dd><code>Set self-looping state for self-referencing requests</code> </dd></summary> <hr> gateway/api_loader.go - Added logic to set self-looping state when the hostname is "self". </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68">+2/-0</a> </td> </tr> <tr> <td> <details> <summary><strong>mw_auth_key.go</strong><dd><code>Skip auth key checks for self-looping requests</code> </dd></summary> <hr> gateway/mw_auth_key.go <li>Updated logic to skip authentication key checks for self-looping <br>requests.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-aeba053023a54c723dd9f83837e29ca0b2d9a212bc98fa6ad4bbb062669a1cf0">+6/-7</a> </td> </tr> </table></td></tr><tr><td><strong>Tests</strong></td><td><table> <tr> <td> <details> <summary><strong>looping_test.go</strong><dd><code>Add test for self-looping with authentication tokens</code> </dd></summary> <hr> gateway/looping_test.go <li>Added a new test <code>TestLooping_AnotherAPIWithAuthTokens</code> to validate <br>self-looping behavior with authentication tokens.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-c901365bf00575b31a45f2536c63cbc0c3c31350ce6919214a3647dab90596aa">+95/-0</a> </td> </tr> <tr> <td> <details> <summary><strong>middleware_test.go</strong><dd><code>Enhance tests to cover self-looping and URL rewrite scenarios</code></dd></summary> <hr> gateway/middleware_test.go <li>Enhanced <code>TestQuotaNotAppliedWithURLRewrite</code> to include extended paths <br>and self-looping scenarios.<br> </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-6a09a08e3f82cc5e9d8c6b5c8426d75ea1e5d85e15ab008fca1f512e7c49c1e6">+2/-1</a> </td> </tr> <tr> <td> <details> <summary><strong>looping_test.go</strong><dd><code>Add tests for self-looping state management utilities</code> </dd></summary> <hr> internal/httpctx/looping_test.go - Added unit tests for `SetSelfLooping` and `IsSelfLooping` methods. </details> </td> <td><a href="https://github.com/TykTechnologies/tyk/pull/6793/files#diff-80a9999142896e55eb4ba14795930cec1baae48c016351a4f3d48292787e05b6">+19/-0</a> </td> </tr> </table></td></tr></tr></tbody></table> ___ > 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull request to receive relevant information --------- Co-authored-by: Burak Sezer <burak.sezer.developer@gmail.com>
User description
TT-12741
PR to see CI/CD result, please don't merge it.
PR Type
Bug fix, Tests
Description
SelfLooping
and methodsctxSetSelfLooping
andctxSelfLooping
to manage self-looping state in requests.ctxCheckLimits
to bypass rate limits and quotas for self-looping requests.TestQuotaNotAppliedWithURLRewrite
to include scenarios for self-looping and URL rewrite, ensuring proper behavior.Changes walkthrough 📝
ctx.go
Add support for managing self-looping state in context
ctx/ctx.go
SelfLooping
to the context.ctxSetSelfLooping
andctxSelfLooping
formanaging self-looping state in requests.
api.go
Update rate limit and quota checks for self-looping requests
gateway/api.go
ctxCheckLimits
to skip rate limits and quotas forself-looping requests.
api_loader.go
Set self-looping state for self-referencing requests
gateway/api_loader.go
middleware_test.go
Enhance tests to cover self-looping and URL rewrite scenarios
gateway/middleware_test.go
TestQuotaNotAppliedWithURLRewrite
to include extended pathsand self-looping scenarios.