From 9704236d3f4031b5878505ec06ed69795a78ac63 Mon Sep 17 00:00:00 2001
From: Andrzej Wawrzyniak
Date: Tue, 15 Dec 2020 12:55:04 +0100
Subject: [PATCH] Do not add ('not trusted') to untrusted client name
---
 .../src/main/resources/lua/ingress_rbac_logging.lua | 3 ---
 .../permissions/IncomingPermissionsLoggingModeTest.kt | 4 ++--
 .../src/main/resources/lua_spec/ingress_rbac_logging_spec.lua | 4 ++--
 3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua b/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua
index 9652cd505..8be34e17d 100644
--- a/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua
+++ b/envoy-control-core/src/main/resources/lua/ingress_rbac_logging.lua
@@ -18,9 +18,6 @@ function envoy_on_request(handle)
 if client_name == "" then
 client_name = first_header_value_from_list(client_identity_header_names, handle)
- if trusted_header_name ~= "" and client_name ~= "" and handle:connection():ssl() ~= nil then
- client_name = client_name .. " (not trusted)"
- end
 end
 metadata:set("envoy.filters.http.lua", "request.info.path", path)
diff --git a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt
index a1cb2d5e1..ca2c1a8c1 100644
--- a/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt
+++ b/envoy-control-tests/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/permissions/IncomingPermissionsLoggingModeTest.kt
@@ -683,7 +683,7 @@ internal class IncomingPermissionsLoggingModeTest : EnvoyControlTestConfiguratio
 }
 @Test
- fun `echo2 should allow unlisted client with client identity header over https and log client name as untrusted`() {
+ fun `echo2 should allow unlisted client with client identity header over https and log client trusted as false`() {
 // given
 val insecureClient = ClientsFactory.createInsecureClient()
@@ -703,7 +703,7 @@ internal class IncomingPermissionsLoggingModeTest : EnvoyControlTestConfiguratio
 protocol = "https",
 path = "/log-unlisted-clients",
 method = "GET",
- clientName = "service-name-from-header (not trusted)",
+ clientName = "service-name-from-header",
 trustedClient = false,
 clientIp = echo2Envoy.gatewayIp()
 )
diff --git a/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua b/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua
index 2fd69fbe8..12acac3ff 100644
--- a/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua
+++ b/envoy-control-tests/src/main/resources/lua_spec/ingress_rbac_logging_spec.lua
@@ -131,7 +131,7 @@ describe("envoy_on_request:", function()
 end)
- it("should add not trusted to client_name if ssl available and name was not from certificate", function()
+ it("should set trusted client to false if ssl available and name was not from certificate", function()
 -- given
 local headers = {
 [':path'] = '/path',
@@ -150,7 +150,7 @@ describe("envoy_on_request:", function()
 envoy_on_request(handle)
 -- then
- assert.spy(metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.client_name", 'lorem-service (not trusted)')
+ assert.spy(metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.client_name", 'lorem-service')
 assert.spy(metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.trusted_client", false)
 end)
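Review bot: In the second hunk of IncomingPermissionsLoggingModeTest.kt the expected `clientName` for a header-supplied identity now carries no marker of its own, so `trustedClient = false` is the only field in the log line that says the name was not verified, and nothing in the test explains that. A short comment above the changed line would keep this visible, e.g. `// name taken from the unverified client-identity header; trustedClient is the only marker`. The same applies to the `'lorem-service'` assertion in the second hunk of ingress_rbac_logging_spec.lua. Presumably any dashboard or alert that matched on the old `(not trusted)` suffix has to switch to the trusted-client field; that is not visible in this patch and is worth confirming before merge. The enclosing test function starts and ends outside the hunk.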