Skip to content

feat: Support ForwardUsernameHeader field in the BasicAuth #5331

Merged
zirain merged 18 commits intoenvoyproxy:mainfrom
surenraju:feat/basic-auth-policy
Mar 4, 2025
Merged

feat: Support ForwardUsernameHeader field in the BasicAuth #5331
zirain merged 18 commits intoenvoyproxy:mainfrom
surenraju:feat/basic-auth-policy

Conversation

@surenraju
Copy link
Copy Markdown
Contributor

@surenraju surenraju commented Feb 22, 2025

What type of PR is this?

Type of PR
Feature

What this PR does / why we need it:
#2947

This PR introduces the ForwardUsernameHeader field in the BasicAuth section of SecurityPolicy. It enables the Envoy to forward the username of a successfully authenticated user to the backend services via a specified HTTP header.
The field is optional. If it's not specified, the username will not be forwarded.

Which issue(s) this PR fixes:
Fixes 2947

User-Facing Changes
Added ForwardUsernameHeader in BasicAuth of SecurityPolicy to enable username forwarding to backend services.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: backend-basic-auth
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: backend
  basicAuth:
    users:
      name: "basic-auth"
    forwardUsernameHeader: "x-username"

Release Notes: No

@surenraju
This PR introduces the ForwardUsernameHeader field in the BasicAuth s…
f72c51a 
…ection of SecurityPolicy. It enables the Envoy to forward the username of a successfully authenticated user to the backend services via a specified HTTP header. The field is optional. If it's not specified, the username will not be forwarded.

Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju surenraju requested a review from a team as a code owner February 22, 2025 21:00
@codecov
Copy link
Copy Markdown

codecov bot commented Feb 22, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 83.33333% with 4 lines in your changes missing coverage. Please review.

Project coverage is 65.11%. Comparing base (5b6a35f) to head (630f18e).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
internal/xds/translator/basicauth.go 80.95% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5331      +/-   ##
==========================================
+ Coverage   65.05%   65.11%   +0.05%     
==========================================
  Files         213      213              
  Lines       33588    33586       -2     
==========================================
+ Hits        21851    21869      +18     
+ Misses      10405    10394      -11     
+ Partials     1332     1323       -9

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@arkodg
Copy link
Copy Markdown
Contributor

arkodg commented Feb 22, 2025

Hey can you run 'make testdata' and 'make generate' and commit those changes ?

@surenraju
fix: test case data
f04370b 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
Merge branch 'main' into feat/basic-auth-policy
9d4c457 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
fix: test failures
cf2acfe 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
zirain
zirain reviewed Feb 24, 2025
View reviewed changes
@zirain
Copy link
Copy Markdown
Member

zirain commented Feb 24, 2025
edited
Loading

please send API PR first, otherwise there would be too much rework on conflict and naming.

@surenraju surenraju changed the title feat: Support ForwardUsernameHeader field in the BasicAuth draft: Support ForwardUsernameHeader field in the BasicAuth Feb 24, 2025
@surenraju
Copy link
Copy Markdown
Contributor Author

surenraju commented Feb 24, 2025

@zirain #5342 Please let me.

@surenraju
Merge with master
0338909 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju surenraju changed the title draft: Support ForwardUsernameHeader field in the BasicAuth feat: Support ForwardUsernameHeader field in the BasicAuth Mar 2, 2025
@surenraju
Copy link
Copy Markdown
Contributor Author

surenraju commented Mar 2, 2025

@zirain please review

@zirain
Copy link
Copy Markdown
Member

zirain commented Mar 2, 2025

@surenraju can you make ci happy?

surenraju added 3 commits March 2, 2025 10:13
@surenraju
fix: failing tests
76a685f 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
fix: failing tests
a447da1 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
fix: failing tests
27ad382 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
Copy link
Copy Markdown
Contributor Author

surenraju commented Mar 2, 2025

@zirain tests are passing except conformance-test (v1.30.6) Wondering if this is related to my change.

@zirain
Copy link
Copy Markdown
Member

zirain commented Mar 2, 2025

it just a flaky

@zirain
Copy link
Copy Markdown
Member

zirain commented Mar 2, 2025

/retest

@zhaohuabing
Copy link
Copy Markdown
Member

zhaohuabing commented Mar 3, 2025
edited
Loading

This PR looks great!

@surenraju could you please also modify the e2e test to add the username header and verify it in the forwarded request?

  • Add forwardUsernameHeader: "x-username" to the SecurityPolicy used for the test:

    gateway/test/e2e/testdata/basic-auth.yaml

    Lines 69 to 95 in 52a7970

    apiVersion: gateway.envoyproxy.io/v1alpha1
    kind: SecurityPolicy
    metadata:
    name: basic-auth-1
    namespace: gateway-conformance-infra
    spec:
    targetRefs:
    - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: http-with-basic-auth-1
    basicAuth:
    users:
    name: "basic-auth-users-secret-1"
    ---
    apiVersion: gateway.envoyproxy.io/v1alpha1
    kind: SecurityPolicy
    metadata:
    name: basic-auth-2
    namespace: gateway-conformance-infra
    spec:
    targetRefs:
    - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: http-with-basic-auth-2
    basicAuth:
    users:
    name: "basic-auth-users-secret-2"
  • Verify that the forwarded request contains the forwardUsernameHeader header in the test:

    gateway/test/e2e/tests/basic_auth.go

    Lines 48 to 58 in 52a7970

    expectedResponse := http.ExpectedResponse{
    Request: http.Request{
    Path: "/basic-auth-1",
    Headers: map[string]string{
    "Authorization": "Basic dXNlcjE6dGVzdDE=", // user1:test1
    },
    },
    Response: http.Response{
    StatusCode: 200,
    },
    Namespace: ns,

    You'll need to add an ExpectedRequest in the ExpectedResponse, something similar to:
                               ExpectedRequest: &http.ExpectedRequest{
					Request: http.Request{
						Path: "/basic-auth-1",
						Headers: map[string]string{
							"Authorization": "Basic dXNlcjE6dGVzdDE=", // user1:test1
							"forwardUsernameHeader": "x-username",
						},
					},
				},

surenraju added 2 commits March 3, 2025 08:09
@surenraju
Add integration tests
c00cdd7 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
Merge branch 'main' into feat/basic-auth-policy
229c197 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@zhaohuabing
Copy link
Copy Markdown
Member

zhaohuabing commented Mar 3, 2025

@surenraju Could you please add a line to the release note?

surenraju added 2 commits March 3, 2025 11:12
@surenraju
fix: e2e test cases
481106c 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
Add release note
a194dea 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju surenraju requested review from zhaohuabing and zirain March 3, 2025 07:16
surenraju added 2 commits March 3, 2025 11:30
@surenraju
fix: pipeline
0970b0b 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
fix: faling e2e test
87556c1 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
zhaohuabing
zhaohuabing reviewed Mar 3, 2025
View reviewed changes
surenraju added 3 commits March 3, 2025 13:42
@surenraju
fix: failing e2e tests
06a61ad 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
fix: failing tests
4e5f5bf 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
fix: test case comment
78e3105 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
Copy link
Copy Markdown
Contributor Author

surenraju commented Mar 3, 2025

/retest

@surenraju
Merge branch 'main' into feat/basic-auth-policy
630f18e 
Signed-off-by: Suren Raju <suren.1988@gmail.com>
@surenraju
Copy link
Copy Markdown
Contributor Author

surenraju commented Mar 3, 2025

/retest

1 similar comment
@zirain
Copy link
Copy Markdown
Member

zirain commented Mar 3, 2025

/retest

@surenraju surenraju requested a review from zhaohuabing March 3, 2025 14:52
@surenraju
Copy link
Copy Markdown
Contributor Author

surenraju commented Mar 3, 2025

@zirain @zhaohuabing all checks passed. Please review.

zhaohuabing
zhaohuabing approved these changes Mar 4, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@zhaohuabing zhaohuabing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

@zirain zirain merged commit a798438 into envoyproxy:main Mar 4, 2025
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zhaohuabing zhaohuabing zhaohuabing approved these changes

@zirain zirain zirain approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Extract username from basic auth and forward it to backends

4 participants

@surenraju @arkodg @zirain @zhaohuabing