diff --git a/api/v1alpha1/ext_auth_types.go b/api/v1alpha1/ext_auth_types.go
index 671d235180d..c683656acc2 100644
--- a/api/v1alpha1/ext_auth_types.go
+++ b/api/v1alpha1/ext_auth_types.go
@@ -33,7 +33,7 @@ type ExtAuth struct {
 // +optional
 HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
- BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"`
+ BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
 // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 // If FailOpen is set to true, the system allows the traffic to pass through.
@@ -89,3 +89,6 @@ type HTTPExtAuthService struct {
 // +optional
 HeadersToBackend []string `json:"headersToBackend,omitempty"`
 }
+
+// BodyToExtAuth defines the Body to Ext Auth configuration
+type BodyToExtAuth struct{}
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index e2d490fa901..f6fdc0e4737 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -888,7 +888,6 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 extAuth := &ir.ExtAuth{
 Name: irConfigName(policy),
 HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
- BodyToExtAuth: policy.Spec.ExtAuth.BodyToExtAuth,
 FailOpen: policy.Spec.ExtAuth.FailOpen,
 Traffic: traffic,
 RecomputeRoute: policy.Spec.ExtAuth.RecomputeRoute,
@@ -907,6 +906,11 @@ func (t *Translator) buildExtAuth(policy *egv1a1.SecurityPolicy, resources *reso
 Authority: authority,
 }
 }
+
+ if policy.Spec.ExtAuth.BodyToExtAuth != nil {
+ extAuth.BodyToExtAuth = &ir.BodyToExtAuth{}
+ }
+
 return extAuth, nil
 }
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
index 424ce583e79..a33f1c72964 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
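Review bot: The new `BodyToExtAuth` type in the second hunk of ext_auth_types.go has a doc comment that only restates its name, and the `BodyToExtAuth` field in the first hunk carries no doc comment or `// +optional` marker in the visible lines, unlike the neighbouring `HeadersToExtAuth`. Because this is the user-facing CRD, the comment should state what enabling it does: the request body is buffered by Envoy and forwarded to the external authorization service, and, per the translator change in this commit, only bodies up to 1024 bytes are accepted, with larger ones rejected rather than partially forwarded (that is how Envoy's ext_authz filter behaves when partial messages are not allowed). It is also worth recording that the field changed from a boolean to an object, so existing manifests that still say `bodyToExtAuth: true` will fail CRD validation after upgrade. A suitable type comment would be `// BodyToExtAuth defines the configuration for sending the request body to the external authorization service. When set, the body is buffered before the authorization request is made; bodies larger than the translator's buffer limit are rejected.` plus `// +optional` on the field.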
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.in.yaml
@@ -99,7 +99,7 @@ securityPolicies:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 grpc:
 backendRefs:
 - name: service-2
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
index f4872425e6c..03eb8fd7af5 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-body.out.yaml
@@ -179,7 +179,7 @@ securityPolicies:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 targetRef:
 group: gateway.networking.k8s.io
 kind: HTTPRoute
@@ -263,7 +263,7 @@ xdsIR:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 name: securitypolicy/default/policy-for-http-route-1
 - destination:
 name: httproute/default/httproute-1/rule/1
@@ -308,7 +308,7 @@ xdsIR:
 headersToExtAuth:
 - header1
 - header2
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 name: securitypolicy/default/policy-for-http-route-1
 - destination:
 name: httproute/default/httproute-2/rule/0
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 533b1550ada..73d7a3a325b 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -994,7 +994,7 @@ type ExtAuth struct {
 // +optional
 HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
- BodyToExtAuth *bool `json:"bodyToExtAuth,omitempty"`
+ BodyToExtAuth *BodyToExtAuth `json:"bodyToExtAuth,omitempty"`
 // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
 // If FailOpen is set to true, the system allows the traffic to pass through.
@@ -1012,6 +1012,10 @@ type ExtAuth struct {
 RecomputeRoute *bool `json:"recomputeRoute,omitempty"`
 }
+// BodyToExtAuth defines the Body to Ext Auth configuration
+// +k8s:deepcopy-gen=true
+type BodyToExtAuth struct{}
+
 // HTTPExtAuthService defines the HTTP External Authorization service
 // +k8s:deepcopy-gen=true
 type HTTPExtAuthService struct {
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index 89c95709b13..e8641cf2a6e 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -117,8 +117,9 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 })
 }
- if extAuth.BodyToExtAuth != nil && *extAuth.BodyToExtAuth {
+ if extAuth.BodyToExtAuth != nil {
 config.WithRequestBody = &extauthv3.BufferSettings{
+ MaxRequestBytes: 1024,
 AllowPartialMessage: false,
 PackAsBytes: false,
 }
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
index 2a86bf2da0c..771aed13805 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth-body.yaml
@@ -106,7 +106,7 @@ http:
 extAuth:
 name: securitypolicy/default/policy-for-gateway-1
 failOpen: true
- bodyToExtAuth: true
+ bodyToExtAuth: {}
 http:
 authority: primary.foo.com
 destination:
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
index bf11fae6dd5..f3f20c57082 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth-body.listeners.yaml
@@ -35,6 +35,7 @@ typedConfig:
 '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
 withRequestBody:
+ maxRequestBytes: 1024
 allowPartialMessage: false
 packAsBytes: false
 failureModeAllow: true
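Review bot: `MaxRequestBytes: 1024` in the extauth.go hunk is a bare magic number, and combined with the `AllowPartialMessage: false` kept on the next line it is a hard behavioural limit: Envoy's ext_authz filter rejects a request with 413 when its body exceeds max_request_bytes and partial messages are not allowed, so every policy that enables body forwarding now refuses bodies over 1 KiB with no knob to change it. Envoy's proto validation requires max_request_bytes to be greater than zero, which is presumably why the value was added (the previous output omitted it entirely), so some value is needed, but it should be a named constant whose comment records both the memory bound and the rejection behaviour, e.g. `// defaultExtAuthMaxRequestBytes bounds the body Envoy buffers per request before the auth check; bodies above it are rejected with 413 because AllowPartialMessage is false.` followed by `const defaultExtAuthMaxRequestBytes = 1024`. The natural home for a user-settable value is the new, currently empty `BodyToExtAuth` struct introduced in the ir/xds.go hunk above and its API counterpart, so operators can raise the limit for their payload sizes while keeping a conservative default. extAuthConfig begins before this hunk and continues after it.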