ext_authz: perform request header checks progressively (#41766)

Commit Message: ext_authz: perform request header checks progressively
Additional Description:

No behavior change. This pr just makes it so that the ext authz filter
checks to make sure header limits (size, count) have not been violated
as the mutations are added rather than once at the end. This prevents
this filter from hogging the worker thread's time adding a bunch of
headers when it will ultimately send a local reply.

Risk Level: low
Testing: unit tests updated for each case
Docs Changes: none necessary
Release Notes: none necessary (no externally visible behavior change)

---------

Signed-off-by: antoniovleonti <[email protected]>

Author: antoniovleonti

source/extensions/filters/http/ext_authz/ext_authz.cc

@@ -67,6 +67,11 @@ const envoy::extensions::filters::http::ext_authz::v3::CheckSettings& defaultChe
   CONSTRUCT_ON_FIRST_USE(envoy::extensions::filters::http::ext_authz::v3::CheckSettings);
 }
 
+bool headersWithinLimits(const Http::HeaderMap& headers) {
+  return headers.size() <= headers.maxHeadersCount() &&
+         headers.byteSize() <= headers.maxHeadersKb() * 1024;
+}
+
 } // namespace
 
 FilterConfig::FilterConfig(const envoy::extensions::filters::http::ext_authz::v3::ExtAuthz& config,
@@ -688,6 +693,11 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
       case CheckResult::OK:
         ENVOY_STREAM_LOG(trace, "'{}':'{}'", *decoder_callbacks_, key, value);
         request_headers_->setCopy(Http::LowerCaseString(key), value);
+        if (!headersWithinLimits(*request_headers_)) {
+          stats_.request_header_limits_reached_.inc();
+          rejectResponse();
+          return;
+        }
         break;
       case CheckResult::IGNORE:
         ENVOY_STREAM_LOG(trace, "Ignoring invalid header to set '{}':'{}'.", *decoder_callbacks_,
@@ -707,6 +717,11 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
       case CheckResult::OK:
         ENVOY_STREAM_LOG(trace, "'{}':'{}'", *decoder_callbacks_, key, value);
         request_headers_->addCopy(Http::LowerCaseString(key), value);
+        if (!headersWithinLimits(*request_headers_)) {
+          stats_.request_header_limits_reached_.inc();
+          rejectResponse();
+          return;
+        }
         break;
       case CheckResult::IGNORE:
         ENVOY_STREAM_LOG(trace, "Ignoring invalid header to add '{}':'{}'.", *decoder_callbacks_,
@@ -742,6 +757,11 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
           // into one entry. The value of that combined entry is separated by ",".
           // TODO(dio): Consider to use addCopy instead.
           request_headers_->appendCopy(lowercase_key, value);
+          if (!headersWithinLimits(*request_headers_)) {
+            stats_.request_header_limits_reached_.inc();
+            rejectResponse();
+            return;
+          }
         }
         break;
       }
@@ -781,6 +801,11 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
       case CheckResult::OK:
         ENVOY_STREAM_LOG(trace, "'{}'", *decoder_callbacks_, key);
         request_headers_->remove(lowercase_key);
+        if (!headersWithinLimits(*request_headers_)) {
+          stats_.request_header_limits_reached_.inc();
+          rejectResponse();
+          return;
+        }
         break;
       case CheckResult::IGNORE:
         ENVOY_STREAM_LOG(trace, "Ignoring disallowed header removal '{}'.", *decoder_callbacks_,
@@ -903,12 +928,11 @@ void Filter::onComplete(Filters::Common::ExtAuthz::ResponsePtr&& response) {
           trace, "ext_authz filter modified query parameter(s), using new path for request: {}",
           *decoder_callbacks_, new_path);
       request_headers_->setPath(new_path);
-    }
-
-    if (request_headers_->size() > request_headers_->maxHeadersCount() ||
-        request_headers_->byteSize() > request_headers_->maxHeadersKb() * 1024) {
-      rejectResponse();
-      return;
+      if (!headersWithinLimits(*request_headers_)) {
+        stats_.request_header_limits_reached_.inc();
+        rejectResponse();
+        return;
+      }
     }
 
     if (cluster_) {

source/extensions/filters/http/ext_authz/ext_authz.h

@@ -47,7 +47,8 @@ namespace ExtAuthz {
   COUNTER(invalid)                                                                                 \
   COUNTER(ignored_dynamic_metadata)                                                                \
   COUNTER(filter_state_name_collision)                                                             \
-  COUNTER(omitted_response_headers)
+  COUNTER(omitted_response_headers)                                                                \
+  COUNTER(request_header_limits_reached)
 
 /**
  * Wrapper struct for ext_authz filter stats. @see stats_macros.h

test/extensions/filters/http/ext_authz/ext_authz_test.cc

@@ -2105,17 +2105,47 @@ TEST_F(HttpFilterTest, DeniedResponseWithBodyNotTruncatedWhenLimitIsZero) {
   EXPECT_EQ(1U, config_->stats().denied_.value());
 }
 
-// Verifies that the downstream request fails when the ext_authz response
-// would cause the request headers to exceed their limit.
-TEST_F(HttpFilterTest, DownstreamRequestFailsOnHeaderLimit) {
-  InSequence s;
+class RequestHeaderLimitTest : public HttpFilterTest {
+public:
+  RequestHeaderLimitTest() = default;
 
-  initialize(R"EOF(
-      grpc_service:
-        envoy_grpc:
-          cluster_name: "ext_authz_server"
-      )EOF");
+  void runTest(Http::RequestHeaderMap& request_headers,
+               Filters::Common::ExtAuthz::Response response) {
+    InSequence s;
+
+    initialize(R"EOF(
+        grpc_service:
+          envoy_grpc:
+            cluster_name: "ext_authz_server"
+        )EOF");
+
+    prepareCheck();
+
+    EXPECT_CALL(*client_, check(_, _, _, _))
+        .WillOnce(Invoke(
+            [&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks,
+                const envoy::service::auth::v3::CheckRequest&, Tracing::Span&,
+                const StreamInfo::StreamInfo&) -> void { request_callbacks_ = &callbacks; }));
+
+    EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark,
+              filter_->decodeHeaders(request_headers, false));
+
+    // Now the test should fail, since we expect the downstream request to fail.
+    EXPECT_CALL(decoder_filter_callbacks_.stream_info_,
+                setResponseFlag(Envoy::StreamInfo::CoreResponseFlag::UnauthorizedExternalService));
+    EXPECT_CALL(decoder_filter_callbacks_, encodeHeaders_(_, _))
+        .WillOnce(Invoke([&](const Http::ResponseHeaderMap& headers, bool) -> void {
+          EXPECT_EQ(headers.getStatusValue(),
+                    std::to_string(enumToInt(Http::Code::InternalServerError)));
+        }));
+    EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0);
 
+    request_callbacks_->onComplete(std::make_unique<Filters::Common::ExtAuthz::Response>(response));
+    EXPECT_EQ(1U, config_->stats().request_header_limits_reached_.value());
+  }
+};
+
+TEST_F(RequestHeaderLimitTest, HeadersToSetCount) {
   // The total number of headers in the request header map is not allowed to
   // exceed the limit.
   Http::TestRequestHeaderMapImpl request_headers({}, /*max_headers_kb=*/99999,
@@ -2124,32 +2154,77 @@ TEST_F(HttpFilterTest, DownstreamRequestFailsOnHeaderLimit) {
   request_headers.addCopy(Http::Headers::get().Path, "/");
   request_headers.addCopy(Http::Headers::get().Method, "GET");
 
-  prepareCheck();
+  Filters::Common::ExtAuthz::Response response{};
+  response.status = Filters::Common::ExtAuthz::CheckStatus::OK;
+  response.headers_to_set = {{"foo", "bar"}, {"foo2", "bar2"}};
 
-  EXPECT_CALL(*client_, check(_, _, _, _))
-      .WillOnce(
-          Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks,
-                     const envoy::service::auth::v3::CheckRequest&, Tracing::Span&,
-                     const StreamInfo::StreamInfo&) -> void { request_callbacks_ = &callbacks; }));
+  runTest(request_headers, response);
+}
 
-  EXPECT_EQ(Http::FilterHeadersStatus::StopAllIterationAndWatermark,
-            filter_->decodeHeaders(request_headers, false));
+TEST_F(RequestHeaderLimitTest, HeadersToSetSize) {
+  // The total number of headers in the request header map is not allowed to
+  // exceed the limit.
+  Http::TestRequestHeaderMapImpl request_headers({}, /*max_headers_kb=*/1,
+                                                 /*max_headers_count=*/9999);
+  request_headers.addCopy(Http::Headers::get().Host, "host");
+  request_headers.addCopy(Http::Headers::get().Path, "/");
+  request_headers.addCopy(Http::Headers::get().Method, "GET");
 
   Filters::Common::ExtAuthz::Response response{};
   response.status = Filters::Common::ExtAuthz::CheckStatus::OK;
-  response.headers_to_set = {{"foo", "bar"}, {"foo2", "bar2"}};
+  response.headers_to_set = {{"foo", "bar"}, {"foo2", std::string(9999, 'a')}};
 
-  // Now the test should fail, since we expect the downstream request to fail.
-  EXPECT_CALL(decoder_filter_callbacks_.stream_info_,
-              setResponseFlag(Envoy::StreamInfo::CoreResponseFlag::UnauthorizedExternalService));
-  EXPECT_CALL(decoder_filter_callbacks_, encodeHeaders_(_, _))
-      .WillOnce(Invoke([&](const Http::ResponseHeaderMap& headers, bool) -> void {
-        EXPECT_EQ(headers.getStatusValue(),
-                  std::to_string(enumToInt(Http::Code::InternalServerError)));
-      }));
-  EXPECT_CALL(decoder_filter_callbacks_, continueDecoding()).Times(0);
+  runTest(request_headers, response);
+}
 
-  request_callbacks_->onComplete(std::make_unique<Filters::Common::ExtAuthz::Response>(response));
+// (headers to append can't add new headers, so it won't ever violate the count limit)
+TEST_F(RequestHeaderLimitTest, HeadersToAppendSize) {
+  // The total number of headers in the request header map is not allowed to
+  // exceed the limit.
+  Http::TestRequestHeaderMapImpl request_headers({}, /*max_headers_kb=*/1,
+                                                 /*max_headers_count=*/9999);
+  request_headers.addCopy(Http::Headers::get().Host, "host");
+  request_headers.addCopy(Http::Headers::get().Path, "/");
+  request_headers.addCopy(Http::Headers::get().Method, "GET");
+  request_headers.addCopy("foo", "original value");
+
+  Filters::Common::ExtAuthz::Response response{};
+  response.status = Filters::Common::ExtAuthz::CheckStatus::OK;
+  response.headers_to_append = {{"foo", std::string(9999, 'a')}};
+
+  runTest(request_headers, response);
+}
+
+TEST_F(RequestHeaderLimitTest, HeadersToAddCount) {
+  // The total number of headers in the request header map is not allowed to
+  // exceed the limit.
+  Http::TestRequestHeaderMapImpl request_headers({}, /*max_headers_kb=*/99999,
+                                                 /*max_headers_count=*/4);
+  request_headers.addCopy(Http::Headers::get().Host, "host");
+  request_headers.addCopy(Http::Headers::get().Path, "/");
+  request_headers.addCopy(Http::Headers::get().Method, "GET");
+
+  Filters::Common::ExtAuthz::Response response{};
+  response.status = Filters::Common::ExtAuthz::CheckStatus::OK;
+  response.headers_to_add = {{"foo", "bar"}, {"foo2", "bar2"}};
+
+  runTest(request_headers, response);
+}
+
+TEST_F(RequestHeaderLimitTest, HeadersToAddSize) {
+  // The total number of headers in the request header map is not allowed to
+  // exceed the limit.
+  Http::TestRequestHeaderMapImpl request_headers({}, /*max_headers_kb=*/1,
+                                                 /*max_headers_count=*/9999);
+  request_headers.addCopy(Http::Headers::get().Host, "host");
+  request_headers.addCopy(Http::Headers::get().Path, "/");
+  request_headers.addCopy(Http::Headers::get().Method, "GET");
+
+  Filters::Common::ExtAuthz::Response response{};
+  response.status = Filters::Common::ExtAuthz::CheckStatus::OK;
+  response.headers_to_add = {{"foo2", std::string(9999, 'a')}};
+
+  runTest(request_headers, response);
 }
 
 // Verifies that the downstream request fails when the ext_authz response