Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(kuma-dp): tolerate endline in token file #5591

Merged
merged 1 commit into from
Jan 16, 2023

Conversation

lahabana
Copy link
Contributor

@lahabana lahabana commented Jan 6, 2023

This is overly strict validation is causing more problems than it is solving. We now simply trim the token data

Fix #4567

Signed-off-by: Charly Molter charly.molter@konghq.com

Checklist prior to review

  • Link to docs PR or issue --
  • Link to UI issue or PR --
  • Is the issue worked on linked? --
  • The PR does not hardcode values that might break projects that depend on kuma (e.g. "kumahq" as a image registry) --
  • The PR will work for both Linux and Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
  • Unit Tests --
  • E2E Tests --
  • Manual Universal Tests --
  • Manual Kubernetes Tests --
  • Do you need to update UPGRADE.md? --
  • Does it need to be backported according to the backporting policy? --
  • Do you need to explicitly set a > Changelog: entry here or add a ci/ label to run fewer/more tests?

@lahabana lahabana requested review from a team, slonka and jakubdyszkiewicz and removed request for a team January 6, 2023 15:12
@jakubdyszkiewicz
Copy link
Contributor

The problem was that Envoy is very strict about this token format and it's failing with "cryptic" message. That's why we were trying to be strict in kuma-dp to instruct user how to solve this.

Did you see a case where this change helps?

michaelbeaumont
michaelbeaumont previously approved these changes Jan 9, 2023
@michaelbeaumont michaelbeaumont dismissed their stale review January 9, 2023 09:06

ok, not sure about Envoy behavior here

@lahabana
Copy link
Contributor Author

lahabana commented Jan 9, 2023

Did you see a case where this change helps?
We now trim the token so what Envoy gets is the same. The reason why I'm changing this is folks complaining very often that they can't copy paste a token (likely their editor is configured with auto endline). This happened to @slonka on his on-boarding tasks and I've seen it a few times with customers too. @svenwal also mentioned it to me.

So to me it seems that the overly restrictive policy is causing more trouble than not having it and trimming seems to solve the most common problem

@jakubdyszkiewicz
Copy link
Contributor

Let me try to rephrase my question.

Did you see a case where this validation was too restrictive? Meaning, if kuma-dp validation was gone, Envoy would have no problem with the token?
I just don't want to end up in the situation we were in before when Envoy was producing cryptic messages that the token is invalid without any hint of action. That was more troubling for users.

What I think may happened in the meantime before we created this validation and now is that by default we switched from Google gRPC to Envoy gRPC. I think that because we are embedding the token in metadata, all invalid characters are gone. I think it was Google gRPC that was the most restrictive part. However, we still let user use Google gRPC when kuma_dp_server_auth_use_token_path is true to support rotation (projected SATs)

@slonka
Copy link
Contributor

slonka commented Jan 11, 2023

I just don't want to end up in the situation we were in before when Envoy was producing cryptic messages that the token is invalid without any hint of action.

I totally agree with Jakub here.

Meaning, if kuma-dp validation was gone, Envoy would have no problem with the token?

Maybe we could have some test with Envoy and "mode=validate" to see if lifting this validation would cause problems with Envoy?

Copy link
Contributor

@slonka slonka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As said in the thread, I'm ok with approving this if there is a test case showing that lifting the newline check at the end does not cause any trouble.

@lahabana
Copy link
Contributor Author

I'll check again but from my local tests the endline wasn't a problem for envoy

@lahabana
Copy link
Contributor Author

I've checked removing the validation the error is only on the CP and shows:

 "error": "Envoy bootstrap config is not valid: invalid Bootstrap.DynamicResources: embedded message failed validation | caused by: invalid Bootstrap_DynamicResources.AdsConfig: embedded message failed validation | caused by: invalid ApiConfigSource.GrpcServices[0]: embedded message failed validation | caused by: invalid GrpcService.InitialMetadata[0]: embedded message failed validation | caused by: invalid HeaderValue.Value: value does not match regex pattern \"^[^\\x00\\n\\r]*$\"", "errorVerbose": "invalid Bootstrap.DynamicResources: embedded message failed validation | caused by: invalid Bootstrap_DynamicResources.AdsConfig: embedded message failed validation | caused by: invalid ApiConfigSource.GrpcServices[0]: embedded message failed validation | caused by: invalid GrpcService.InitialMetadata[0]: embedded message failed validation | caused by: invalid HeaderValue.Value: value does not match regex pattern \"^[^\\x00\\n\\r]*$\"\nEnvoy bootstrap config is not valid\ngh.neting.cc/kumahq/kuma/pkg/xds/bootstrap.(*bootstrapGenerator).Generate\n\t/Users/charly.molter@konghq.com/code/kuma/pkg/xds/bootstrap/generator.go:170\ngh.neting.cc/kumahq/kuma/pkg/xds/bootstrap.(*BootstrapHandler).Handle\n\t/Users/charly.molter@konghq.com/code/kuma/pkg/xds/bootstrap/handler.go:52\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2084\nnet/http.(*ServeMux).ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2462\ngh.neting.cc/slok/go-http-metrics/middleware/std.Handler.func1.1\n\t/Users/charly.molter@konghq.com/go/pkg/mod/github.com/slok/go-http-metrics@v0.10.0/middleware/std/std.go:27\ngh.neting.cc/slok/go-http-metrics/middleware.Middleware.Measure\n\t/Users/charly.molter@konghq.com/go/pkg/mod/github.com/slok/go-http-metrics@v0.10.0/middleware/middleware.go:117\ngh.neting.cc/slok/go-http-metrics/middleware/std.Handler.func1\n\t/Users/charly.molter@konghq.com/go/pkg/mod/github.com/slok/go-http-metrics@v0.10.0/middleware/std/std.go:26\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2084\ngh.neting.cc/kumahq/kuma/pkg/dp-server/server.(*DpServer).handle\n\t/Users/charly.molter@konghq.com/code/kuma/pkg/dp-server/server/server.go:122\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2084\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2916\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1966\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_arm64.s:1270"

What's shown here is really that the token is validated as an header. So I've added the same regex and I also trim the token for validation and when we send it that way people can still have endlines in their token file.

This is overly strict validation is causing more problems than it is
solving. We now simply trim the token data because envoy won't support
tokens with spaces

Fix kumahq#4567

Signed-off-by: Charly Molter <charly.molter@konghq.com>
Copy link
Contributor

@slonka slonka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've checked removing the validation the error is only on the CP

If it's only in CP then 👍 from my side.

@lahabana lahabana merged commit 2192a20 into kumahq:master Jan 16, 2023
@lahabana lahabana deleted the fix4567 branch May 2, 2023 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

passing in token as file seems to always fail
4 participants