
Success response headers are not added to the response #164

Open
averevki opened this issue Feb 4, 2025 · 3 comments · May be fixed by #165

averevki commented Feb 4, 2025

Describe the bug
Since the kuadrant-operator-catalog nightly builds from 28-29.01.25, our tests that should return custom success response headers started failing. They don't add these headers to the response anymore. Here is the simplest test for responses we have that is failing with AssertionError: Header from response (Header) is missing; assert None is not None

We were experiencing the same failures a few months ago, which ended up being a bug inside the wasm-shim, and was fixed by this PR.

Help us Reproduce it

AuthPolicy:

spec:
  rules:
    authentication:
      default:
        credentials:
          authorizationHeader:
            prefix: Bearer
        jwt:
          issuerUrl: 'http://1.2.3.4:8080/realms/realm-averevki--eyt7'
          ttl: 0
        metrics: false
        priority: 0
    response:
      success:
        headers:
          header:
            json:
              properties:
                anything:
                  value: one
            metrics: false
            priority: 0
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: route-averevki--obnu

Gateway:

spec:
  gatewayClassName: istio
  listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      hostname: '*.apps.kua.redhat.com'
      name: api
      port: 80
      protocol: HTTP

HTTPRoute:

spec:
  hostnames:
    - hostname-averevki--nbep-kuadrant.apps.kua.redhat.com
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: gw-averevki--ljiu
  rules:
    - backendRefs:
        - group: ''
          kind: Service
          name: httpbin-averevki--ihex
          namespace: kuadrant
          port: 8080
          weight: 1
      matches:
        - path:
            type: PathPrefix
            value: /

Expected behavior

Return headers I specify inside AuthPolicy with a successful response

Environment (please complete the following information):

kuadrant-operator image: nightly-04-02-2025
authorino-operator image: e1dc399c6bcb2fb6d28b2f3e94ce49bb5b63e06c
authorino image: b2bde91bfc64b1d140f740069ba36ce81a3f3349
wasm-shim image: 751af05ea5e6c440d6254480d669bc5861f457eb

@adam-cattermole
Member

This may be related to the recent wasm-shim refactor (dates look to match) - I'll take a look

@guicassolato guicassolato transferred this issue from Kuadrant/authorino Feb 4, 2025
@adam-cattermole adam-cattermole self-assigned this Feb 4, 2025
@adam-cattermole adam-cattermole moved this to In Progress in Kuadrant Feb 5, 2025
@adam-cattermole
Member

adam-cattermole commented Feb 5, 2025

I'm not sure I can reproduce this in the wasm-shim actually, even though the dates match up it seems to be working perfectly:

apiVersion: authorino.kuadrant.io/v1beta3
kind: AuthConfig
metadata:
  name: talker-api-protection
spec:
  hosts:
    - effective-route-1
  authentication:
    "api-key-users":
      apiKey:
        selector:
          matchLabels:
            app: toystore
      credentials:
        authorizationHeader:
          prefix: APIKEY
  response:
    success:
      headers:
        header:
          json:
            properties:
              "anything":
                value: false

This authconfig returns:

$ curl -H "Host: test.a.auth.com" -H "Authorization: APIKEY IAMALICE" http://127.0.0.1:8000/get -i
HTTP/1.1 200 OK
content-type: application/json
server: envoy
date: Wed, 05 Feb 2025 11:27:54 GMT
content-length: 507
x-envoy-upstream-service-time: 21
header: {"anything":false}

{
  "method": "GET",
  "path": "/get",
  "query_string": null,
  "body": "",
  "headers": {
    "Host": "test.a.auth.com",
    "User-Agent": "curl/8.7.1",
    "Accept": "*/*",
    "Authorization": "APIKEY IAMALICE",
    "X-Forwarded-For": "10.244.0.10",
    "X-Forwarded-Proto": "http",
    "X-Envoy-Internal": "true",
    "X-Request-Id": "cb37d20d-bbae-417a-9f64-312e49ec4dfe",
    "X-Envoy-Expected-Rq-Timeout-Ms": "15000",
    "Version": "HTTP/1.1"
  },
  "uuid": "0eaaa277-197d-4d1f-a936-552d52adf9a8"
}

edit: perhaps it's response vs request headers, I'll continue to investigate

@adam-cattermole
Member

> I'm not sure I can reproduce this in the wasm-shim actually, even though the dates match up it seems to be working perfectly
> edit: perhaps it's response vs request headers, I'll continue to investigate

Yep, the headers are incorrectly added to the response instead of the request. I'll have a look at what it takes to fix this
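
Added example (not part of the thread or of the project's test suite): a small check that tells the two cases discussed above apart by parsing a `curl -i` transcript and reporting whether a header is present in the response headers returned to the client, in the request headers echoed by the upstream, or both. It assumes the upstream echoes the received request headers as a JSON object under "headers", as in the output quoted above; the sample transcript is constructed from that output and trimmed.

```python
import json

# Constructed sample, modelled on the `curl -i` output quoted in the thread (trimmed).
SAMPLE = """HTTP/1.1 200 OK
content-type: application/json
server: envoy
header: {"anything":false}

{
  "method": "GET",
  "path": "/get",
  "headers": {
    "Host": "test.a.auth.com",
    "Authorization": "APIKEY IAMALICE"
  }
}
"""


def split_response(raw):
    """Split a `curl -i` transcript into (status_line, response_headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not a "name: value" line
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def locate_header(raw, name):
    """Report where `name` ended up: client response, upstream request, both or neither."""
    _, resp_headers, body = split_response(raw)
    try:
        # Assumption: the upstream echoes the request headers it received under "headers".
        echoed = {k.lower() for k in json.loads(body)["headers"]}
    except (ValueError, KeyError, TypeError):
        echoed = set()  # body is not the expected echo JSON
    return {
        "in_response": name.lower() in resp_headers,
        "in_upstream_request": name.lower() in echoed,
    }


if __name__ == "__main__":
    print(locate_header(SAMPLE, "header"))
```
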
