http.ext_authz.v3.ExtAuthz doesn't work as described

[alex-sorochkin]

Title: Authorization filter doesn't work with http auth

Description:
I want some my requests to be authorized. I have simple auth server, that can reply 200/403. I'd also like to use http requests instead of grpc. My auth server receives wrong-prepared urls, so it can't reply properly. Seems envoy brakes this auth url.

Repro steps:
I have 2 containers runned: envoy + auth. envoyproxy/envoy:contrib-dev image is used.
Auth server exposes 12346 port and provides /api/v1/idm/auth/auth_request url for auth requests.
Envoy exposes 10000 port and is configured for /hi url to be authed first and then passed to another server.
And I run such curl request to make this work:
curl -i -X POST --header 'Content-Type: application/json' localhost:10000/hi

In auth logs I see malformed request:

2024-09-13T17:26:52.436+0300	INFO	new client request{"reqid": "cpp8KSlfJUgkM93TcS5AoVbfSpRjteHM", "ip": "10.32.0.99", "method": "POST", "uri": "/api/v1/idm/auth/auth_request/hi", "user-agent": "", "time": "463.369µs", "bytes-in": "0", "bytes-out": 24, "status": 404, "json-status": 0}

For some reasons "hi" is added to auth endpoint.

Config:

static_resources:
  listeners:
    - name: listener_grpc
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: grpc_json
                codec_type: AUTO
                route_config:
                  name: route
                  virtual_hosts:
                    - name: vh
                      domains: ["*"]
                      routes:
                        - match: { prefix: "/hi" }
                          route: { cluster: grpc_greet, timeout: { seconds: 60 } }

                http_filters:
                  - name: envoy.filters.http.ext_authz
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                      http_service:
                        path_prefix: /api/v1/idm/auth/auth_request
                        server_uri:
                          uri: " "
                          cluster: ext_authz-http-service
                          timeout: 4s
                      failure_mode_allow: false
                      status_on_error:
                        code: 511

                  - name: envoy.filters.http.router
                    typed_config:
                      '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
    - name: ext_authz-http-service
      type: LOGICAL_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: ext_authz-http-service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: auth-1
                      port_value: 12346

    - name: grpc_greet
      type: STATIC
      dns_lookup_family: V4_ONLY
      lb_policy: round_robin
      load_assignment:
        cluster_name: grpc_greet
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: "127.0.0.1"
                      port_value: 9090

please don't refer for some blocks named grpc, this is a copy from examples

Logs:

envoy                    | [2024-09-13 14:42:06.606][49][trace][http] [source/common/http/filter_manager.cc:900] [Tags: "ConnectionId":"0","StreamId":"9155965156219784014"] commonEncodePrefix end_stream: false, isHalfCloseEnabled: false
envoy                    | [2024-09-13 14:42:06.606][49][trace][router] [source/common/router/upstream_request.cc:269] [Tags: "ConnectionId":"0","StreamId":"9155965156219784014"] end_stream: false, upstream response headers:
envoy                    | ':status', '404'
envoy                    | 'content-type', 'application/json; charset=UTF-8'
envoy                    | 'x-request-id', 'gG86eweFTxt1PQDRci4cUD3llfrczHcV'
envoy                    | 'date', 'Fri, 13 Sep 2024 14:42:06 GMT'
envoy                    | 'content-length', '24'
envoy                    |
envoy                    | [2024-09-13 14:42:06.606][49][debug][router] [source/common/router/router.cc:1559] [Tags: "ConnectionId":"0","StreamId":"9155965156219784014"] upstream headers complete: end_stream=false
envoy                    | [2024-09-13 14:42:06.606][49][debug][http] [source/common/http/async_client_impl.cc:151] async http request response headers (end_stream=false):
envoy                    | ':status', '404'
envoy                    | 'content-type', 'application/json; charset=UTF-8'
envoy                    | 'x-request-id', 'gG86eweFTxt1PQDRci4cUD3llfrczHcV'
envoy                    | 'date', 'Fri, 13 Sep 2024 14:42:06 GMT'
envoy                    | 'content-length', '24'
envoy                    | 'x-envoy-upstream-service-time', '1'
envoy                    |
envoy                    | [2024-09-13 14:42:06.606][49][trace][http] [source/common/http/http1/codec_impl.cc:943] [Tags: "ConnectionId":"1"] message complete
envoy                    | [2024-09-13 14:42:06.606][49][trace][http] [source/common/http/filter_manager.cc:900] [Tags: "ConnectionId":"0","StreamId":"9155965156219784014"] commonEncodePrefix end_stream: false, isHalfCloseEnabled: false
envoy                    | [2024-09-13 14:42:06.606][49][trace][http] [source/common/http/async_client_impl.cc:169] async http request response data (length=24 end_stream=false)

Before submitting this issue I tried different compositions of cluster and http_service.path_prefix|uri, all without any success. Please help.

[ravenblackx]

This appears to be the expected behavior of path_prefix, given that the path of your request is /hi, the auth request path becomes path_prefix plus path == /api/v1/idm/auth/auth_request/hi

So I think the expectation here is that your auth server would match /api/v1/idm/auth/auth_request/(.*) so as to be able to know what the intended path is that the user is trying to access.

If you want to be able to auth using an http service and that model doesn't work for you, I think you'd have to modify the ext_authz filter - it's almost certainly easier to modify your auth service to accommodate these expectations.

cc @esmet or @tyxia in case I'm wrong since this isn't really my area.

[alex-sorochkin]

Hi @ravenblackx ! Thanks for your reply.

As I understand there is no way to keep auth url fixed? Even if I set path_prefix = "" , auth url becomes /hi?

Thanks for your advice to modify the ext_authz filter. I prefer to keep evnoy a kind of black box ) I'm new to it, and the auth server is inside our infrastructure. So for me it's easier to manipulate with it in case there is no way not to modify auth url - I mean just using the config.

[alex-sorochkin]

And one more question, please: in my test env I can configure cluster like

                      address: auth-1
                      port_value: 12346

but prod one looks like https://auth-server.comp-cluster.com. How can I put on cluster config in envoy?

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.