Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merging to release-5.3: [TT-12741] Looped ap is wrongfully inherit the caller's authentication key when using url rewrite (#6778) #6793

Merged
merged 4 commits into from
Dec 19, 2024
Merged

Merging to release-5.3: [TT-12741] Looped ap is wrongfully inherit the caller's authentication key when using url rewrite (#6778) #6793

merged 4 commits into from
Dec 19, 2024

Conversation

buger
Copy link
Member

@buger buger commented Dec 19, 2024
edited by github-actions bot
Loading

User description

TT-12741 Looped ap is wrongfully inherit the caller's authentication key when using url rewrite (#6778)

User description

TT-12741
Summary Looped APIs wrongfully inherit the caller's Authentication key when using URL rewrite
Type Bug Bug
Status In Dev
Points N/A
Labels '24Bugsmash, customer_bug, jira_escalated

PR to see CI/CD result, please don't merge it.

PR Type

Bug fix, Tests

Description

  • Introduced a new context constant SelfLooping and methods
    ctxSetSelfLooping and ctxSelfLooping to manage self-looping state in
    requests.
  • Updated ctxCheckLimits to bypass rate limits and quotas for
    self-looping requests.
  • Modified API loader to set self-looping state for self-referencing
    requests.
  • Enhanced the test TestQuotaNotAppliedWithURLRewrite to include
    scenarios for self-looping and URL rewrite, ensuring proper behavior.

Changes walkthrough 📝

Relevant files
Enhancement
ctx.go
Add support for managing self-looping state in context     

ctx/ctx.go

  • Added a new constant SelfLooping to the context.
  • Introduced new methods ctxSetSelfLooping and ctxSelfLooping for
    managing self-looping state in requests.
    		•  +1/-0     
    Bug fix
    api.go
    Update rate limit and quota checks for self-looping requests

    gateway/api.go

  • Modified ctxCheckLimits to skip rate limits and quotas for
    self-looping requests.
  • Added logic to check and set self-looping state in requests.
    		•  +20/-1   
    api_loader.go
    Set self-looping state for self-referencing requests         

    gateway/api_loader.go

    • Added logic to set self-looping state when the hostname is "self".
    		 +1/-0     
    Tests
    middleware_test.go
    Enhance tests to cover self-looping and URL rewrite scenarios

    gateway/middleware_test.go

  • Updated TestQuotaNotAppliedWithURLRewrite to include extended paths
    and self-looping scenarios.
  • Added a loader to create a merged API spec for testing.
    		•  +7/-1     

    💡 PR-Agent usage: Comment /help "your question" on any pull
    request to receive relevant information

    Co-authored-by: Tit Petric tit.petric@monotek.net
    Co-authored-by: Tit Petric tit@tyk.io

    PR Type

    Bug fix, Tests

    Description

    • Introduced a new context constant SelfLooping and methods ctxSetSelfLooping and ctxSelfLooping to manage self-looping state in requests.
    • Updated ctxCheckLimits to bypass rate limits and quotas for self-looping requests.
    • Modified API loader to set self-looping state for self-referencing requests.
    • Enhanced tests to validate self-looping behavior, including scenarios with authentication tokens and URL rewrites.
    • Added utilities and unit tests for managing and checking self-looping state in requests.

    Changes walkthrough 📝

    Relevant files
    Enhancement
    ctx.go
    Add support for managing self-looping state in context     

    ctx/ctx.go

  • Added a new constant SelfLooping to the context.
  • Introduced methods ctxSetSelfLooping and ctxSelfLooping for managing
    self-looping state in requests.
    		•  +1/-0     
    looping.go
    Add utilities for managing self-looping state in requests

    internal/httpctx/looping.go

  • Introduced SetSelfLooping and IsSelfLooping methods to manage and
    check self-looping state in requests.
    		•  +19/-0   
    Bug fix
    api.go
    Update rate limit and quota checks for self-looping requests

    gateway/api.go

  • Updated ctxCheckLimits to bypass rate limits and quotas for
    self-looping requests.
  • Integrated logic to check and set self-looping state in requests.
    		•  +7/-0     
    api_loader.go
    Set self-looping state for self-referencing requests         

    gateway/api_loader.go

    • Added logic to set self-looping state when the hostname is "self".
    		 +2/-0     
    mw_auth_key.go
    Skip auth key checks for self-looping requests                     

    gateway/mw_auth_key.go

  • Updated logic to skip authentication key checks for self-looping
    requests.
    		•  +6/-7     
    Tests
    looping_test.go
    Add test for self-looping with authentication tokens         

    gateway/looping_test.go

  • Added a new test TestLooping_AnotherAPIWithAuthTokens to validate
    self-looping behavior with authentication tokens.
    		•  +95/-0   
    middleware_test.go
    Enhance tests to cover self-looping and URL rewrite scenarios

    gateway/middleware_test.go

  • Enhanced TestQuotaNotAppliedWithURLRewrite to include extended paths
    and self-looping scenarios.
    		•  +2/-1     
    looping_test.go
    Add tests for self-looping state management utilities       

    internal/httpctx/looping_test.go

    • Added unit tests for SetSelfLooping and IsSelfLooping methods.
    		 +19/-0   

    💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

    @buraksezer
    [TT-12741] Looped ap is wrongfully inherit the caller's authenticatio…
    1627ae6 
    …n key when using url rewrite (#6778)

<details open>
<summary><a href="https://tyktech.atlassian.net/browse/TT-12741"
title="TT-12741" target="_blank">TT-12741</a></summary>
  <br />
  <table>
    <tr>
      <th>Summary</th>
<td>Looped APIs wrongfully inherit the caller's Authentication key when
using URL rewrite</td>
    </tr>
    <tr>
      <th>Type</th>
      <td>
<img alt="Bug"
src="https://tyktech.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium"
/>
        Bug
      </td>
    </tr>
    <tr>
      <th>Status</th>
      <td>In Dev</td>
    </tr>
    <tr>
      <th>Points</th>
      <td>N/A</td>
    </tr>
    <tr>
      <th>Labels</th>
<td><a
href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20'24Bugsmash%20ORDER%20BY%20created%20DESC"
title="'24Bugsmash">'24Bugsmash</a>, <a
href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20customer_bug%20ORDER%20BY%20created%20DESC"
title="customer_bug">customer_bug</a>, <a
href="https://tyktech.atlassian.net/issues?jql=project%20%3D%20TT%20AND%20labels%20%3D%20jira_escalated%20ORDER%20BY%20created%20DESC"
title="jira_escalated">jira_escalated</a></td>
    </tr>
  </table>
</details>
<!--
  do not remove this marker as it will break jira-lint's functionality.
  added_by_jira_lint
-->

---

PR to see CI/CD result, please don't merge it.

___

Bug fix, Tests

___

- Introduced a new context constant `SelfLooping` and methods
`ctxSetSelfLooping` and `ctxSelfLooping` to manage self-looping state in
requests.
- Updated `ctxCheckLimits` to bypass rate limits and quotas for
self-looping requests.
- Modified API loader to set self-looping state for self-referencing
requests.
- Enhanced the test `TestQuotaNotAppliedWithURLRewrite` to include
scenarios for self-looping and URL rewrite, ensuring proper behavior.

___

<table><thead><tr><th></th><th align="left">Relevant
files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><table>
<tr>
  <td>
    <details>
<summary><strong>ctx.go</strong><dd><code>Add support for managing
self-looping state in context</code>&nbsp; &nbsp; &nbsp; </dd></summary>
<hr>

ctx/ctx.go

<li>Added a new constant <code>SelfLooping</code> to the context.<br>
<li> Introduced new methods <code>ctxSetSelfLooping</code> and
<code>ctxSelfLooping</code> for <br>managing self-looping state in
requests.<br>

</details>

  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-600f5f552779994b15324fda108549eec7e7be30b1d8a1a16ee8344243e0cbc7">+1/-0</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>
</table></td></tr><tr><td><strong>Bug fix</strong></td><td><table>
<tr>
  <td>
    <details>
<summary><strong>api.go</strong><dd><code>Update rate limit and quota
checks for self-looping requests</code></dd></summary>
<hr>

gateway/api.go

<li>Modified <code>ctxCheckLimits</code> to skip rate limits and quotas
for <br>self-looping requests.<br> <li> Added logic to check and set
self-looping state in requests.<br>

</details>

  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-644cda3aeb4ac7f325359e85fcddb810f100dd5e6fa480b0d9f9363a743c4e05">+20/-1</a>&nbsp;
&nbsp; </td>

</tr>

<tr>
  <td>
    <details>
<summary><strong>api_loader.go</strong><dd><code>Set self-looping state
for self-referencing requests</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></summary>
<hr>

gateway/api_loader.go

- Added logic to set self-looping state when the hostname is "self".

</details>

  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-cdf0b7f176c9d18e1a314b78ddefc2cb3a94b3de66f1f360174692c915734c68">+1/-0</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>
</table></td></tr><tr><td><strong>Tests</strong></td><td><table>
<tr>
  <td>
    <details>
<summary><strong>middleware_test.go</strong><dd><code>Enhance tests to
cover self-looping and URL rewrite scenarios</code></dd></summary>
<hr>

gateway/middleware_test.go

<li>Updated <code>TestQuotaNotAppliedWithURLRewrite</code> to include
extended paths <br>and self-looping scenarios.<br> <li> Added a loader
to create a merged API spec for testing.<br>

</details>

  </td>
<td><a
href="https://github.com/TykTechnologies/tyk/pull/6778/files#diff-6a09a08e3f82cc5e9d8c6b5c8426d75ea1e5d85e15ab008fca1f512e7c49c1e6">+7/-1</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>
</table></td></tr></tr></tbody></table>

___

> 💡 **PR-Agent usage**: Comment `/help "your question"` on any pull
request to receive relevant information

---------

Co-authored-by: Tit Petric <tit.petric@monotek.net>
Co-authored-by: Tit Petric <tit@tyk.io>

(cherry picked from commit d59ae8c)
    @buraksezer
    [TT-12741] Fix merge conflict in the import block.
    72ea370
    @buraksezer buraksezer marked this pull request as ready for review December 19, 2024 13:02
    @github-actions GitHub Actions
    Copy link
    Contributor

    github-actions bot commented Dec 19, 2024
    edited
    Loading

    API Changes

    --- prev.txt	2024-12-19 13:19:49.821970080 +0000
+++ current.txt	2024-12-19 13:19:46.900982308 +0000
@@ -6871,6 +6871,7 @@
 	// CacheOptions holds cache options required for cache writer middleware.
 	CacheOptions
 	OASDefinition
+	SelfLooping
 )
 # Package: ./dlpython

    @github-actions GitHub Actions
    Copy link
    Contributor

    PR Reviewer Guide 🔍

    Here are some key observations to aid the review process:

    🎫 Ticket compliance analysis ✅

    6778 - Fully compliant

    Fully compliant requirements:

    • Introduce a mechanism to identify and manage self-looping requests.
    • Ensure rate limits and quotas are bypassed for self-looping requests.
    • Update API loader to set self-looping state for self-referencing requests.
    • Enhance tests to cover self-looping and URL rewrite scenarios.

    Not compliant requirements:

    ⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
    🧪 PR contains tests
    🔒 No security concerns identified
    ⚡ Recommended focus areas for review

    Code Smell
    The function ctxCheckLimits now includes a conditional check for self-looping requests. Consider adding comments or documentation to clarify the purpose and implications of bypassing rate limits and quotas for self-looping requests.

    Code Smell
    The ProcessRequest method in AuthKey skips authentication checks for self-looping requests. Ensure this behavior is intentional and does not introduce unintended security or logical issues.

    @github-actions GitHub Actions
    Copy link
    Contributor

    PR Code Suggestions ✨

    Explore these optional code suggestions:

    CategorySuggestion                                                                                                                                    Score
    Possible issue
    Add a nil check for the request context to prevent runtime errors

    Ensure that httpctx.IsSelfLooping(r) correctly handles nil or invalid request
    contexts to avoid potential runtime panics.

    gateway/api.go [3224-3226]

    -if httpctx.IsSelfLooping(r) {
+if r == nil || httpctx.IsSelfLooping(r) {
     return false
 }
    Suggestion importance[1-10]: 8

    Why: Adding a nil check for the request context is a critical improvement to prevent potential runtime panics when the request object is nil. This ensures robustness and stability in the code.

    		8
    Add a nil check for the request to avoid runtime errors in session and self-looping checks

    Ensure ctxGetSession(r) and httpctx.IsSelfLooping(r) handle nil or invalid requests
    to prevent runtime errors.

    gateway/mw_auth_key.go [97-98]

    -if ses := ctxGetSession(r); ses != nil && httpctx.IsSelfLooping(r) {
+if r != nil && ses := ctxGetSession(r); ses != nil && httpctx.IsSelfLooping(r) {
     return nil, http.StatusOK
 }
    Suggestion importance[1-10]: 8

    Why: Including a nil check for the request object ensures that the session and self-looping checks do not cause runtime errors. This is a critical improvement for maintaining code stability.

    		8
    General
    Add a check to ensure r.URL is valid before setting the self-looping flag

    Validate that r.URL.Hostname() is not empty or malformed before calling
    httpctx.SetSelfLooping to prevent unexpected behavior.

    gateway/api_loader.go [593-594]

    -if r.URL.Hostname() == "self" {
+if r.URL != nil && r.URL.Hostname() == "self" {
     httpctx.SetSelfLooping(r, true)
 }
    Suggestion importance[1-10]: 7

    Why: Validating r.URL before accessing its Hostname method is a good practice to avoid unexpected behavior or runtime errors. This suggestion enhances the code's reliability.

    		7
    Add error handling for nil requests in the SetSelfLooping function

    Add error handling or logging in SetSelfLooping to ensure that invalid or nil
    requests are not processed silently.

    internal/httpctx/looping.go [13]

    -selfLoopingValue.Set(r, value)
+if r != nil {
+    selfLoopingValue.Set(r, value)
+} else {
+    // Log or handle error for nil request
+}
    Suggestion importance[1-10]: 6

    Why: Adding error handling for nil requests in SetSelfLooping improves the function's robustness and ensures that invalid inputs are not processed silently. However, the suggestion could be more impactful if it included specific logging or error reporting.

    		6

    @sonarqubecloud SonarQubeCloud
    Copy link

    Quality Gate Failed Quality Gate failed

    Failed conditions
    C Reliability Rating on New Code (required ≥ A)

    See analysis details on SonarQube Cloud

    Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

    @buraksezer buraksezer merged commit 3680034 into release-5.3 Dec 19, 2024
    34 of 38 checks passed
    @buraksezer buraksezer deleted the merge/release-5.3/d59ae8cebcafbd9ad16fead19e3ceaeba469f7a5 branch December 19, 2024 13:44
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Reviewers
    No reviews
    Assignees
    No one assigned
    Labels
    bug Review effort [1-5]: 4 Tyk Product Development
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging this pull request may close these issues.
    2 participants
    @buger @buraksezer