Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do not add ('not trusted') to untrusted client name #232

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -22,9 +22,6 @@ function envoy_on_request(handle)
if client_name == "" then
client_name = first_header_value_from_list(client_identity_header_names, handle)
allowed_client = is_allowed_client(client_name, clients_allowed_to_all_endpoints)
if trusted_header_name ~= "" and client_name ~= "" and handle:connection():ssl() ~= nil then
client_name = client_name .. " (not trusted)"
end
end

metadata:set("envoy.filters.http.lua", "request.info.path", path)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,7 @@ internal class IncomingPermissionsAllowedClientTest {
protocol = "https",
path = "/log-unlisted-endpoint",
method = "GET",
clientName = "echo3 (not trusted)",
clientName = "echo3",
trustedClient = false,
clientAllowedToAllEndpoints = true,
clientIp = echo2Envoy.container.gatewayIp()
Expand All @@ -256,7 +256,7 @@ internal class IncomingPermissionsAllowedClientTest {
protocol = "https",
path = "/block-and-log-unlisted-endpoint",
method = "GET",
clientName = "echo3 (not trusted)",
clientName = "echo3",
trustedClient = false,
clientAllowedToAllEndpoints = true,
clientIp = echoEnvoy.container.gatewayIp()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -685,7 +685,7 @@ internal class IncomingPermissionsLoggingModeTest : EnvoyControlTestConfiguratio
}

@Test
fun `echo2 should allow unlisted client with client identity header over https and log client name as untrusted`() {
fun `echo2 should allow unlisted client with client identity header over https and log client trusted as false`() {
// given
val insecureClient = ClientsFactory.createInsecureClient()

Expand All @@ -705,7 +705,7 @@ internal class IncomingPermissionsLoggingModeTest : EnvoyControlTestConfiguratio
protocol = "https",
path = "/log-unlisted-clients",
method = "GET",
clientName = "service-name-from-header (not trusted)",
clientName = "service-name-from-header",
trustedClient = false,
clientIp = echo2Envoy.gatewayIp()
)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ describe("envoy_on_request:", function()

end)

it("should add not trusted to client_name if ssl available and name was not from certificate", function()
it("should set trusted client to false if ssl available and name was not from certificate", function()
-- given
local headers = {
[':path'] = '/path',
Expand All @@ -190,7 +190,7 @@ describe("envoy_on_request:", function()
envoy_on_request(handle)

-- then
assert.spy(metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.client_name", 'lorem-service (not trusted)')
assert.spy(metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.client_name", 'lorem-service')
assert.spy(metadata.set).was_called_with(_, "envoy.filters.http.lua", "request.info.trusted_client", false)

end)
Expand Down