zalando · MustafaSaber · Sep 12, 2024 · Aug 26, 2024 · Aug 27, 2024 · Sep 3, 2024
diff --git a/filters/openpolicyagent/internal/envoy/skipperadapter.go b/filters/openpolicyagent/internal/envoy/skipperadapter.go
@@ -12,6 +12,10 @@ import (
 
 func AdaptToExtAuthRequest(req *http.Request, metadata *ext_authz_v3_core.Metadata, contextExtensions map[string]string, rawBody []byte) (*ext_authz_v3.CheckRequest, error) {
 
+	if !utf8.ValidString(req.URL.Path) {
+		return nil, fmt.Errorf("invalid utf8 in path: %q", req.URL.Path)
+	}
+
 	headers := make(map[string]string, len(req.Header))
 	for h, vv := range req.Header {
 		// This makes headers in the input compatible with what Envoy does, i.e. allows to use policy fragments designed for envoy
@@ -25,7 +29,7 @@ func AdaptToExtAuthRequest(req *http.Request, metadata *ext_authz_v3_core.Metada
 				Http: &ext_authz_v3.AttributeContext_HttpRequest{
 					Host:    req.Host,
 					Method:  req.Method,
-					Path:    req.URL.Path,
+					Path:    req.URL.RequestURI(),
 					Headers: headers,
 					RawBody: rawBody,
 				},
@@ -35,9 +39,5 @@ func AdaptToExtAuthRequest(req *http.Request, metadata *ext_authz_v3_core.Metada
 		},
 	}
 
-	if !utf8.ValidString(ereq.Attributes.Request.Http.Path) {
-		return nil, fmt.Errorf("invalid utf8 in path: %q", ereq.Attributes.Request.Http.Path)
-	}
-
 	return ereq, nil
 }
diff --git a/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go b/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest_test.go
@@ -57,6 +57,34 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			backendHeaders:    make(http.Header),
 			removeHeaders:     make(http.Header),
 		},
+		{
+			msg:               "Allow Requests with trailing ? in URL",
+			filterName:        "opaAuthorizeRequest",
+			bundleName:        "somebundle.tar.gz",
+			regoQuery:         "envoy/authz/allow",
+			requestPath:       "/allow?",
+			requestMethod:     "GET",
+			contextExtensions: "",
+			expectedStatus:    http.StatusOK,
+			expectedBody:      "Welcome!",
+			expectedHeaders:   make(http.Header),
+			backendHeaders:    make(http.Header),
+			removeHeaders:     make(http.Header),
+		},
+		{
+			msg:               "Allow Requests with query parameters",
+			filterName:        "opaAuthorizeRequest",
+			bundleName:        "somebundle.tar.gz",
+			regoQuery:         "envoy/authz/allow",
+			requestPath:       "/allow-with-query?pass=yes&id=1&id=2",
+			requestMethod:     "GET",
+			contextExtensions: "",
+			expectedStatus:    http.StatusOK,
+			expectedBody:      "Welcome!",
+			expectedHeaders:   make(http.Header),
+			backendHeaders:    make(http.Header),
+			removeHeaders:     make(http.Header),
+		},
 		{
 			msg:               "Allow Matching Context Extension",
 			filterName:        "opaAuthorizeRequest",
@@ -96,6 +124,19 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			backendHeaders:    make(http.Header),
 			removeHeaders:     make(http.Header),
 		},
+		{
+			msg:               "Simple Forbidden with Query Parameters",
+			filterName:        "opaAuthorizeRequest",
+			bundleName:        "somebundle.tar.gz",
+			regoQuery:         "envoy/authz/allow",
+			requestPath:       "/allow-with-query?tofail=true",
+			requestMethod:     "GET",
+			contextExtensions: "",
+			expectedStatus:    http.StatusForbidden,
+			expectedHeaders:   make(http.Header),
+			backendHeaders:    make(http.Header),
+			removeHeaders:     make(http.Header),
+		},
 		{
 			msg:               "Allow With Structured Rules",
 			filterName:        "opaAuthorizeRequest",
@@ -311,6 +352,12 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 							input.parsed_path = [ "allow" ]
 						}
 
+						allow {
+							input.parsed_path = [ "allow-with-query" ]
+							input.parsed_query.pass == ["yes"]
+							input.parsed_query.id == ["1", "2"]
+						}
+
 						allow_context_extensions {
 							input.attributes.contextExtensions["com.mycompany.myprop"] == "myvalue"
 						}

diff --git a/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go b/filters/openpolicyagent/opaserveresponse/opaserveresponse_test.go
@@ -70,6 +70,16 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 			expectedBody:    "Welcome from policy!",
 			expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}},
 		},
+		{
+			msg:             "Allow With Structured Rules and Query Params",
+			filterName:      "opaServeResponse",
+			bundleName:      "somebundle.tar.gz",
+			regoQuery:       "envoy/authz/allow_object",
+			requestPath:     "/allow/structured/with-query?pass=yes",
+			expectedStatus:  http.StatusOK,
+			expectedBody:    "Welcome from policy!",
+			expectedHeaders: map[string][]string{"X-Ext-Auth-Allow": {"yes"}},
+		},
 		{
 			msg:             "Allow With opa.runtime execution",
 			filterName:      "opaServeResponse",
@@ -164,6 +174,17 @@ func TestAuthorizeRequestFilter(t *testing.T) {
 								"http_status": 200
 							}
 						}
+
+						allow_object = response {
+							input.parsed_path = [ "allow", "structured", "with-query" ]
+							input.parsed_query.pass == ["yes"]
+							response := {
+								"allowed": true,
+								"headers": {"x-ext-auth-allow": "yes"},
+								"body": "Welcome from policy!",
+								"http_status": 200
+							}
+						}
 
 						allow_object = response {
 							input.parsed_path = [ "allow", "production" ]