snapp-incubator · SamMHD · Sep 5, 2024 · Sep 5, 2024 · Sep 7, 2024 · Sep 7, 2024
diff --git a/internal/dag/httpproxy_processor.go b/internal/dag/httpproxy_processor.go
@@ -867,12 +867,25 @@ func (p *HTTPProxyProcessor) computeRoutes(
 		// enable it on the route and propagate defaults
 		// downwards.
 		if rootProxy.Spec.VirtualHost.AuthorizationConfigured() || p.GlobalExternalAuthorization != nil {
+			// When global external authorization or authorization at vhost is configured
+			// it is enabled by default unless in some AuthPolicy it gets disabled downward.
+			// so by default disabled is equal to false unless global ext_auth overwrites it
+			// which later can be overwritten by vhost authPolicy per vhost which it self
+			// can be overwritten by route authPolicy per route.
+			disabled := false
+
+			if p.GlobalExternalAuthorization != nil && p.GlobalExternalAuthorization.AuthPolicy != nil {
+				disabled = p.GlobalExternalAuthorization.AuthPolicy.Disabled
+			}
+
 			// When the ext_authz filter is added to a
 			// vhost, it is in enabled state, but we can
 			// disable it per route. We emulate disabling
 			// it at the vhost layer by defaulting the state
 			// from the root proxy.
-			disabled := rootProxy.Spec.VirtualHost.DisableAuthorization()
+			if rootProxy.Spec.VirtualHost.AuthorizationConfigured() {
+				disabled = rootProxy.Spec.VirtualHost.DisableAuthorization()
+			}
 
 			// Take the default for enabling authorization
 			// from the virtual host. If this route has a

diff --git a/internal/envoy/v3/route.go b/internal/envoy/v3/route.go
@@ -131,6 +131,13 @@ func buildRoute(dagRoute *dag.Route, vhostName string, secure bool) *envoy_route
 		// envoy.RouteRoute. Currently the DAG processor adds any HTTP->HTTPS
 		// redirect routes to *both* the insecure and secure vhosts.
 		route.Action = UpgradeHTTPS()
+
+		route.TypedPerFilterConfig = map[string]*anypb.Any{}
+		if dagRoute.AuthDisabled {
+			route.TypedPerFilterConfig["envoy.filters.http.ext_authz"] = routeAuthzDisabled()
+		} else if len(dagRoute.AuthContext) > 0 {
+			route.TypedPerFilterConfig["envoy.filters.http.ext_authz"] = routeAuthzContext(dagRoute.AuthContext)
+		}
 	case dagRoute.DirectResponse != nil:
 		route.Action = routeDirectResponse(dagRoute.DirectResponse)
 	case dagRoute.Redirect != nil:

diff --git a/internal/featuretests/v3/authorization_test.go b/internal/featuretests/v3/authorization_test.go
@@ -31,6 +31,8 @@ import (
 	envoy_v3 "github.com/projectcontour/contour/internal/envoy/v3"
 	"github.com/projectcontour/contour/internal/featuretests"
 	"github.com/projectcontour/contour/internal/fixture"
+	"github.com/projectcontour/contour/internal/protobuf"
+	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/durationpb"
 	corev1 "k8s.io/api/core/v1"
 )
@@ -343,14 +345,16 @@ func authzOverrideDisabled(t *testing.T, rh ResourceEventHandlerWrapper, c *Cont
 						Action: withRedirect(),
 					},
 					&envoy_route_v3.Route{
-						Match:  routePrefix("/default"),
-						Action: withRedirect(),
+						Match:                routePrefix("/default"),
+						Action:               withRedirect(),
+						TypedPerFilterConfig: disabledConfig,
 					},
 				),
 				envoy_v3.VirtualHost(enabled,
 					&envoy_route_v3.Route{
-						Match:  routePrefix("/disabled"),
-						Action: withRedirect(),
+						Match:                routePrefix("/disabled"),
+						Action:               withRedirect(),
+						TypedPerFilterConfig: disabledConfig,
 					},
 					&envoy_route_v3.Route{
 						Match:  routePrefix("/default"),
@@ -439,6 +443,19 @@ func authzMergeRouteContext(t *testing.T, rh ResourceEventHandlerWrapper, c *Con
 					&envoy_route_v3.Route{
 						Match:  routePrefix("/"),
 						Action: withRedirect(),
+						TypedPerFilterConfig: map[string]*anypb.Any{
+							"envoy.filters.http.ext_authz": protobuf.MustMarshalAny(&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
+								Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
+									CheckSettings: &envoy_config_filter_http_ext_authz_v3.CheckSettings{
+										ContextExtensions: map[string]string{
+											"common-element": "leaf",
+											"leaf-element":   "leaf",
+											"root-element":   "root",
+										},
+									},
+								},
+							}),
+						},
 					},
 				),
 			),

diff --git a/internal/featuretests/v3/global_authorization_test.go b/internal/featuretests/v3/global_authorization_test.go
@@ -357,39 +357,42 @@ func globalExternalAuthorizationWithMergedAuthPolicyTLS(t *testing.T, rh Resourc
 			statsListener()),
 	}).Status(p).IsValid()
 
+	expectedContext := map[string]*anypb.Any{
+		"envoy.filters.http.ext_authz": protobuf.MustMarshalAny(
+			&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
+				Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
+					CheckSettings: &envoy_config_filter_http_ext_authz_v3.CheckSettings{
+						ContextExtensions: map[string]string{
+							"header_type": "proxy_config",
+							"header_1":    "message_1",
+							"header_2":    "message_2",
+						},
+					},
+				},
+			},
+		),
+	}
+
 	c.Request(routeType).Equals(&envoy_discovery_v3.DiscoveryResponse{
 		TypeUrl: routeType,
 		Resources: resources(t,
 			envoy_v3.RouteConfiguration(
 				"https/foo.com",
 				envoy_v3.VirtualHost("foo.com",
 					&envoy_route_v3.Route{
-						Match:  routePrefix("/"),
-						Action: routeCluster("default/s1/80/da39a3ee5e"),
-						TypedPerFilterConfig: map[string]*anypb.Any{
-							"envoy.filters.http.ext_authz": protobuf.MustMarshalAny(
-								&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
-									Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
-										CheckSettings: &envoy_config_filter_http_ext_authz_v3.CheckSettings{
-											ContextExtensions: map[string]string{
-												"header_type": "proxy_config",
-												"header_1":    "message_1",
-												"header_2":    "message_2",
-											},
-										},
-									},
-								},
-							),
-						},
+						Match:                routePrefix("/"),
+						Action:               routeCluster("default/s1/80/da39a3ee5e"),
+						TypedPerFilterConfig: expectedContext,
 					},
 				),
 			),
 			envoy_v3.RouteConfiguration(
 				"ingress_http",
 				envoy_v3.VirtualHost("foo.com",
 					&envoy_route_v3.Route{
-						Match:  routePrefix("/"),
-						Action: withRedirect(),
+						Match:                routePrefix("/"),
+						Action:               withRedirect(),
+						TypedPerFilterConfig: expectedContext,
 					},
 				),
 			),

diff --git a/internal/xdscache/v3/route_test.go b/internal/xdscache/v3/route_test.go
@@ -3662,6 +3662,19 @@ func TestRouteVisit_GlobalExternalAuthorization(t *testing.T) {
 									},
 								},
 							},
+							TypedPerFilterConfig: map[string]*anypb.Any{
+								"envoy.filters.http.ext_authz": protobuf.MustMarshalAny(&envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute{
+									Override: &envoy_config_filter_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
+										CheckSettings: &envoy_config_filter_http_ext_authz_v3.CheckSettings{
+											ContextExtensions: map[string]string{
+												"header_1": "message_1",
+												"header_2": "new_message_2",
+												"header_3": "message_3",
+											},
+										},
+									},
+								}),
+							},
 						},
 					),
 				),