-
-
Notifications
You must be signed in to change notification settings - Fork 362
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Authorizer "remote" throws exception #1138
Conversation
…ed Body" if request body is present in request
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #1138 +/- ##
==========================================
- Coverage 77.90% 77.60% -0.31%
==========================================
Files 80 79 -1
Lines 3929 4014 +85
==========================================
+ Hits 3061 3115 +54
- Misses 595 618 +23
- Partials 273 281 +8 ☔ View full report in Codecov by Sentry. |
// 3. Assign the new request to the original request pointer | ||
// | ||
// The change below implements option 3 | ||
*r = *(r.WithContext(ctx)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm probably wrong but this looks odd to me. WithContext
creates a shallow clone of the request which might be the actual issue, given how r
is used below. Have you tried r = r.Clone(ctx)
instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi taishp.. Yes I tried Clone() also. Using either function r.WithContext(ctx) or r.Clone(ctx) create a new request message which gets assigned to r (HTTP Request ). The calling function to Authorizer expects r it passed to persist throughout the pipeline as it will use the context and payload for further processing. Once we assign r (via WithContext or Clone) in the Authorize function, it's pointing to a new HTTP Request * which goes out of scope when the Authorize function returns.
It appears this issue was introduced in #1079 when adding tracing improvements.
While testing, if we remove the lines added from #1079:
ctx, span := a.tracer.Start(r.Context(), "authz.remote")
defer otelx.End(span, &err)
r = r.WithContext(ctx)
The issue does not occur as the scope of r does not change.
As another test, I added a function SetContext(ctx) to http.request to assign the context to the request messaeg but not create a new http.http request. This also worked as again the scope of r persisted.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To address the syntax looking odd, here is another datapoint that follows the same pattern as this code change. Line 133 calls HandleRequest which calls the remote::Authorize function where the fix was made. In the below code snippet we confirm that the r.Out scope must be retained throughout the message processing.
proxy.go
132 *r.Out = *r.Out.WithContext(context.WithValue(r.Out.Context(), ContextKeyMatchedRule, rl))
133 s, err := d.r.ProxyRequestHandler().HandleRequest(r.Out, rl)
134 if err != nil {
135 *r.Out = *r.Out.WithContext(context.WithValue(r.Out.Context(), director, err))
136 return
137 }
138 *r.Out = *r.Out.WithContext(context.WithValue(r.Out.Context(), ContextKeySession, s))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just enhanced and added to pull the unit testing in remote_test.go. To test this failure the message body sent to the authorize function is compared to the message body after the authorize pipeline completes. There are two tests that already pass a message body into the Authorize function and these were both verified to fail without 1136 fix and pass after 1136 fix.
Thanks for the PR! Would you mind adding a failing test case as a first step? That way we're sure to catch any regressions in the future. Also, it makes it easier to understand the problem and convince ourselves the fix is correct. |
…ad on closed Body" if request body is present in request
@timthornton-avid Really nice of you to fix this. Could you get the branch up-to-date with the base branch and try to resolve the failing "Docker Image Scanners"? We would really love to have this issue fixed. |
Any progress on this pull? We would really love to have this issue fixed. |
Hi, I'll try to get this branch up to date and retest this week or next. As per the docker image failure, there was nothing I added that would impact docker image. There was a 1 line code change + comments and a unit test added. I don't recall the docker image scan failure but they would have existed prior to my changes. Lets see what it looks like after I rebase. |
Ok, had a few minutes to rebase code and test. Looks like everything in pipeline has passed. Should be good to go :) |
Hey Guys, |
Hi any plans on releasing patch for this issue? |
Also wanted to chime in, would be great if this could be resolved and merged :) |
Fixed in #1185. Thanks for the PR and your patience. |
…ed Body" if request body is present in request
#1136
Related issue(s)
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
[email protected]) from the maintainers to push
the changes.
works.
Further Comments