repo-sync-2024-03-15T15:17:19+0800 (#9)

* repo-sync-2024-03-15T15:17:19+0800

* git reset

Makefile

@@ -38,6 +38,7 @@ endef
 build-envoy:
 	@$(call start_docker)
 	docker exec -it ${CONTAINER_NAME} make build-envoy-local
+	docker exec -it ${CONTAINER_NAME} strip -s /home/admin/dev/bazel-bin/envoy
 	mkdir -p output/bin
 	mkdir -p output/conf
 	docker cp ${CONTAINER_NAME}:/home/admin/dev/bazel-bin/envoy output/bin

kuscia/source/filters/http/kuscia_common/kuscia_header.cc

@@ -22,17 +22,23 @@ namespace KusciaCommon {
 constexpr absl::string_view InterConnProtocolBFIA{"bfia"};
 constexpr absl::string_view InterConnProtocolKuscia{"kuscia"};
 
-absl::optional<absl::string_view> KusciaHeader::getSource(const Http::RequestHeaderMap& headers) {
-    auto protocol = headers.getByKey(KusciaCommon::HeaderKeyInterConnProtocol);
-    if (protocol && protocol.value() == InterConnProtocolBFIA) {
-        auto ptpSource = headers.getByKey(HeaderKeyBFIAPTPSource);
-        return ptpSource ? ptpSource : headers.getByKey(HeaderKeyBFIAScheduleSource);
-    }
-    return  headers.getByKey(HeaderKeyKusciaSource);
+absl::optional<absl::string_view>
+KusciaHeader::getSource(const Http::RequestHeaderMap &headers) {
+  auto kusciaSource = headers.getByKey(HeaderKeyKusciaSource);
+  if (kusciaSource) {
+    return kusciaSource;
+  }
+  // BFIA protocol
+  auto protocol = headers.getByKey(KusciaCommon::HeaderKeyInterConnProtocol);
+  if (protocol && protocol.value() == InterConnProtocolBFIA) {
+    auto ptpSource = headers.getByKey(HeaderKeyBFIAPTPSource);
+    return ptpSource ? ptpSource
+                     : headers.getByKey(HeaderKeyBFIAScheduleSource);
+  }
+  return kusciaSource;
 }
 
 } // namespace KusciaCommon
 } // namespace HttpFilters
 } // namespace Extensions
 } // namespace Envoy
-

kuscia/source/filters/http/kuscia_common/kuscia_header.h

@@ -34,6 +34,7 @@ const Http::LowerCaseString HeaderKeyOriginSource("Kuscia-Origin-Source");
 
 
 const Http::LowerCaseString HeaderKeyErrorMessage("Kuscia-Error-Message");
+const Http::LowerCaseString HeaderKeyFmtError("Kuscia-Error-Formatted");
 const Http::LowerCaseString HeaderKeyErrorMessageInternal("Kuscia-Error-Message-Internal");
 const Http::LowerCaseString HeaderKeyRecordBody("Kuscia-Record-Body");
 

kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.cc

@@ -42,20 +42,20 @@ Http::FilterHeadersStatus TokenAuthFilter::decodeHeaders(Http::RequestHeaderMap&
 
     auto source = KusciaHeader::getSource(headers).value_or("");
     auto token = headers.getByKey(KusciaCommon::HeaderKeyKusciaToken).value_or("");
-    bool is_valid = config_->validateSource(source, token);
-    if (!is_valid) {
+    auto status = config_->validateSource(source, token);
+    if (status != Http::Code::OK) {
         ENVOY_LOG(warn, "Check Kuscia Source Token fail, {}: {}, {}: {}",
                   KusciaCommon::HeaderKeyKusciaSource, source,
                   KusciaCommon::HeaderKeyKusciaToken, token);
-        sendUnauthorizedResponse();
+        sendAuthorizeFailedResponse(status);
         return Http::FilterHeadersStatus::StopIteration;
     }
 
     return Http::FilterHeadersStatus::Continue;
 }
 
-void TokenAuthFilter::sendUnauthorizedResponse() {
-    decoder_callbacks_->sendLocalReply(Http::Code::Unauthorized, UnauthorizedBodyMessage, nullptr,
+void TokenAuthFilter::sendAuthorizeFailedResponse(Http::Code status) {
+    decoder_callbacks_->sendLocalReply(status, UnauthorizedBodyMessage, nullptr,
                                        absl::nullopt, Envoy::EMPTY_STRING);
 }
 
@@ -70,19 +70,19 @@ TokenAuthConfig::TokenAuthConfig(const TokenAuthPbConfig& config) {
     }
 }
 
-bool TokenAuthConfig::validateSource(absl::string_view source, absl::string_view token) const {
+Http::Code TokenAuthConfig::validateSource(absl::string_view source, absl::string_view token) const {
     static const std::string NoopToken = "noop";
 
     auto iter = source_token_map_.find(source);
     if (iter == source_token_map_.end()) {
-        return false;
+        return Http::Code::NotFound;
     }
     for (const auto& disired_token : iter->second) {
         if (token == disired_token || disired_token == NoopToken) {
-            return true;
+            return Http::Code::OK;
         }
     }
-    return false;
+    return Http::Code::Unauthorized;
 }
 
 } // namespace KusciaTokenAuth

kuscia/source/filters/http/kuscia_token_auth/token_auth_filter.h

@@ -20,6 +20,7 @@
 
 #include "source/common/buffer/buffer_impl.h"
 #include "source/common/common/logger.h"
+#include "source/common/http/utility.h"
 #include "source/extensions/filters/http/common/pass_through_filter.h"
 
 #include "kuscia/api/filters/http/kuscia_token_auth/v3/token_auth.pb.h"
@@ -43,7 +44,7 @@ class TokenAuthFilter : public Http::PassThroughDecoderFilter,
                                             bool) override;
 
   private:
-    void sendUnauthorizedResponse();
+    void sendAuthorizeFailedResponse(Http::Code status);
 
     TokenAuthConfigSharedPtr config_;
 };
@@ -52,7 +53,7 @@ class TokenAuthConfig {
   public:
     explicit TokenAuthConfig(const TokenAuthPbConfig& config);
 
-    bool validateSource(absl::string_view source, absl::string_view token) const;
+    Http::Code validateSource(absl::string_view source, absl::string_view token) const;
 
   private:
     std::map<std::string, std::vector<std::string>, std::less<>> source_token_map_;