check redirect respose filter

Signed-off-by: Huabing Zhao <[email protected]>

Author: zhaohuabing

internal/gatewayapi/filters.go

@@ -70,6 +70,7 @@ type HTTPFilterIR struct {
 var HeaderValueRegexp = regexp.MustCompile(`^[!-~]+([\t ]?[!-~]+)*$`)
 
 const requestMirrorDirectResponseConflictMsg = "RequestMirror filter cannot be used when the rule also configures a DirectResponse filter"
+const requestMirrorRedirectConflictMsg = "RequestMirror filter cannot be used when the rule also configures a RequestRedirect filter"
 
 // ProcessHTTPFilters translates gateway api http filters to IRs.
 func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext,
@@ -116,9 +117,13 @@ func (t *Translator) ProcessHTTPFilters(parentRef *RouteParentContext,
 		}
 	}
 
+	// Check for conflicts between RequestMirror and DirectResponse or RequestRedirect filters
 	if httpFiltersContext.DirectResponse != nil && len(httpFiltersContext.Mirrors) > 0 {
 		updateRouteStatusForFilter(httpFiltersContext, requestMirrorDirectResponseConflictMsg)
 	}
+	if httpFiltersContext.RedirectResponse != nil && len(httpFiltersContext.Mirrors) > 0 {
+		updateRouteStatusForFilter(httpFiltersContext, requestMirrorRedirectConflictMsg)
+	}
 
 	return httpFiltersContext, err
 }

internal/gatewayapi/testdata/httproute-with-mirror-filter-direct-response.in.yaml renamed to internal/gatewayapi/testdata/httproute-with-conflicting-filters.in.yaml

@@ -47,6 +47,34 @@ httpRoutes:
                 group: gateway.envoyproxy.io
                 kind: HTTPRouteFilter
                 name: mirror-direct-response
+  - apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      namespace: default
+      name: mirror-request-redirect
+    spec:
+      hostnames:
+        - gateway.envoyproxy.io
+      parentRefs:
+        - namespace: envoy-gateway
+          name: gateway-1
+          sectionName: http
+      rules:
+        - matches:
+            - path:
+                type: PathPrefix
+                value: /mirror-redirect
+          filters:
+            - type: RequestMirror
+              requestMirror:
+                backendRef:
+                  kind: Service
+                  name: service-1
+                  port: 8080
+            - type: RequestRedirect
+              requestRedirect:
+                scheme: https
+                statusCode: 302
 httpFilters:
   - apiVersion: gateway.envoyproxy.io/v1alpha1
     kind: HTTPRouteFilter

internal/gatewayapi/testdata/httproute-with-mirror-filter-direct-response.out.yaml renamed to internal/gatewayapi/testdata/httproute-with-conflicting-filters.out.yaml

@@ -16,7 +16,7 @@ gateways:
       protocol: HTTP
   status:
     listeners:
-    - attachedRoutes: 1
+    - attachedRoutes: 2
       conditions:
       - lastTransitionTime: null
         message: Sending translated listener configuration to the data plane
@@ -91,6 +91,53 @@ httpRoutes:
         name: gateway-1
         namespace: envoy-gateway
         sectionName: http
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    name: mirror-request-redirect
+    namespace: default
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - name: gateway-1
+      namespace: envoy-gateway
+      sectionName: http
+    rules:
+    - filters:
+      - requestMirror:
+          backendRef:
+            kind: Service
+            name: service-1
+            port: 8080
+        type: RequestMirror
+      - requestRedirect:
+          scheme: https
+          statusCode: 302
+        type: RequestRedirect
+      matches:
+      - path:
+          type: PathPrefix
+          value: /mirror-redirect
+  status:
+    parents:
+    - conditions:
+      - lastTransitionTime: null
+        message: RequestMirror filter cannot be used when the rule also configures
+          a RequestRedirect filter
+        reason: UnsupportedValue
+        status: "False"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Resolved all the Object references for the Route
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      controllerName: gateway.envoyproxy.io/gatewayclass-controller
+      parentRef:
+        name: gateway-1
+        namespace: envoy-gateway
+        sectionName: http
 infraIR:
   envoy-gateway/gateway-1:
     proxy:

internal/gatewayapi/testdata/securitypolicy-with-jwt-and-invalid-oidc.out.yaml

@@ -173,7 +173,8 @@ securityPolicies:
         sectionName: http
       conditions:
       - lastTransitionTime: null
-        message: 'OIDC: secret default/client2-secret does not exist.'
+        message: 'OIDC: Get "https://accounts.google.com/.well-known/openid-configuration":
+          context deadline exceeded (Client.Timeout exceeded while awaiting headers).'
         reason: Invalid
         status: "False"
         type: Accepted
@@ -216,7 +217,8 @@ securityPolicies:
         namespace: envoy-gateway
       conditions:
       - lastTransitionTime: null
-        message: 'OIDC: secret envoy-gateway/client1-secret does not exist.'
+        message: 'OIDC: Get "https://accounts.google.com/.well-known/openid-configuration":
+          context deadline exceeded (Client.Timeout exceeded while awaiting headers).'
         reason: Invalid
         status: "False"
         type: Accepted

internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies-samesite.out.yaml

@@ -132,9 +132,10 @@ securityPolicies:
         namespace: envoy-gateway
       conditions:
       - lastTransitionTime: null
-        message: Policy has been accepted.
-        reason: Accepted
-        status: "True"
+        message: 'OIDC: Get "https://accounts.google.com/.well-known/openid-configuration":
+          context deadline exceeded (Client.Timeout exceeded while awaiting headers).'
+        reason: Invalid
+        status: "False"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
 xdsIR:
@@ -196,6 +197,8 @@ xdsIR:
             name: httproute/default/httproute-1/rule/0/backend/0
             protocol: HTTP
             weight: 1
+        directResponse:
+          statusCode: 500
         hostname: www.example.com
         isHTTP2: false
         metadata:
@@ -207,27 +210,7 @@ xdsIR:
           distinct: false
           name: ""
           prefix: /foo
-        security:
-          oidc:
-            clientID: client1.apps.googleusercontent.com
-            clientSecret: '[redacted]'
-            cookieConfig:
-              sameSite: None
-            cookieNameOverrides:
-              accessToken: CustomAccessTokenCookie
-              idToken: CustomIdTokenCookie
-            cookieSuffix: b0a1b740
-            hmacSecret: '[redacted]'
-            logoutPath: /bar/logout
-            name: securitypolicy/envoy-gateway/policy-for-gateway
-            provider:
-              authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth
-              tokenEndpoint: https://oauth2.googleapis.com/token
-            redirectPath: /bar/oauth2/callback
-            redirectURL: https://www.example.com/bar/oauth2/callback
-            refreshToken: true
-            scopes:
-            - openid
+        security: {}
     readyListener:
       address: 0.0.0.0
       ipFamily: IPv4

internal/gatewayapi/testdata/securitypolicy-with-oidc-custom-cookies.out.yaml

@@ -130,9 +130,10 @@ securityPolicies:
         namespace: envoy-gateway
       conditions:
       - lastTransitionTime: null
-        message: Policy has been accepted.
-        reason: Accepted
-        status: "True"
+        message: 'OIDC: Get "https://accounts.google.com/.well-known/openid-configuration":
+          context deadline exceeded (Client.Timeout exceeded while awaiting headers).'
+        reason: Invalid
+        status: "False"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
 xdsIR:
@@ -194,6 +195,8 @@ xdsIR:
             name: httproute/default/httproute-1/rule/0/backend/0
             protocol: HTTP
             weight: 1
+        directResponse:
+          statusCode: 500
         hostname: www.example.com
         isHTTP2: false
         metadata:
@@ -205,25 +208,7 @@ xdsIR:
           distinct: false
           name: ""
           prefix: /foo
-        security:
-          oidc:
-            clientID: client1.apps.googleusercontent.com
-            clientSecret: '[redacted]'
-            cookieNameOverrides:
-              accessToken: CustomAccessTokenCookie
-              idToken: CustomIdTokenCookie
-            cookieSuffix: b0a1b740
-            hmacSecret: '[redacted]'
-            logoutPath: /bar/logout
-            name: securitypolicy/envoy-gateway/policy-for-gateway
-            provider:
-              authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth
-              tokenEndpoint: https://oauth2.googleapis.com/token
-            redirectPath: /bar/oauth2/callback
-            redirectURL: https://www.example.com/bar/oauth2/callback
-            refreshToken: true
-            scopes:
-            - openid
+        security: {}
     readyListener:
       address: 0.0.0.0
       ipFamily: IPv4

internal/gatewayapi/testdata/securitypolicy-with-oidc-deny-redirect.out.yaml

@@ -146,9 +146,10 @@ securityPolicies:
         namespace: envoy-gateway
       conditions:
       - lastTransitionTime: null
-        message: Policy has been accepted.
-        reason: Accepted
-        status: "True"
+        message: 'OIDC: Get "https://accounts.google.com/.well-known/openid-configuration":
+          context deadline exceeded (Client.Timeout exceeded while awaiting headers).'
+        reason: Invalid
+        status: "False"
         type: Accepted
       controllerName: gateway.envoyproxy.io/gatewayclass-controller
 xdsIR:
@@ -210,6 +211,8 @@ xdsIR:
             name: httproute/default/httproute-1/rule/0/backend/0
             protocol: HTTP
             weight: 1
+        directResponse:
+          statusCode: 500
         hostname: www.example.com
         isHTTP2: false
         metadata:
@@ -221,41 +224,7 @@ xdsIR:
           distinct: false
           name: ""
           prefix: /foo
-        security:
-          oidc:
-            clientID: client1.apps.googleusercontent.com
-            clientSecret: '[redacted]'
-            cookieNameOverrides:
-              accessToken: CustomAccessTokenCookie
-              idToken: CustomIdTokenCookie
-            cookieSuffix: b0a1b740
-            denyRedirect:
-              headers:
-              - name: :path
-                type: Prefix
-                value: /api
-              - name: X-No-Redirect
-                type: RegularExpression
-                value: .*
-              - name: X-No-Redirect
-                type: Exact
-                value: foobar
-              - name: :path
-                type: Suffix
-                value: bar
-              - name: test-5
-                value: bar
-            hmacSecret: '[redacted]'
-            logoutPath: /bar/logout
-            name: securitypolicy/envoy-gateway/policy-for-gateway
-            provider:
-              authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth
-              tokenEndpoint: https://oauth2.googleapis.com/token
-            redirectPath: /bar/oauth2/callback
-            redirectURL: https://www.example.com/bar/oauth2/callback
-            refreshToken: true
-            scopes:
-            - openid
+        security: {}
     readyListener:
       address: 0.0.0.0
       ipFamily: IPv4

internal/gatewayapi/testdata/securitypolicy-with-oidc.out.yaml

@@ -222,9 +222,10 @@ securityPolicies:
         namespace: envoy-gateway
       conditions:
       - lastTransitionTime: null
-        message: Policy has been accepted.
-        reason: Accepted
-        status: "True"
+        message: 'OIDC: Get "https://accounts.google.com/.well-known/openid-configuration":
+          context deadline exceeded (Client.Timeout exceeded while awaiting headers).'
+        reason: Invalid
+        status: "False"
         type: Accepted
       - lastTransitionTime: null
         message: 'This policy is being overridden by other securityPolicies for these
@@ -346,6 +347,8 @@ xdsIR:
             name: httproute/default/httproute-2/rule/0/backend/0
             protocol: HTTP
             weight: 1
+        directResponse:
+          statusCode: 500
         hostname: www.example.com
         isHTTP2: false
         metadata:
@@ -357,26 +360,7 @@ xdsIR:
           distinct: false
           name: ""
           prefix: /bar
-        security:
-          oidc:
-            clientID: client1.apps.googleusercontent.com
-            clientSecret: '[redacted]'
-            cookieSuffix: b0a1b740
-            csrfTokenTTL: 35m0s
-            defaultRefreshTokenTTL: 24h0m0s
-            defaultTokenTTL: 30m0s
-            forwardAccessToken: true
-            hmacSecret: '[redacted]'
-            logoutPath: /bar/logout
-            name: securitypolicy/envoy-gateway/policy-for-gateway
-            provider:
-              authorizationEndpoint: https://accounts.google.com/o/oauth2/v2/auth
-              tokenEndpoint: https://oauth2.googleapis.com/token
-            redirectPath: /bar/oauth2/callback
-            redirectURL: https://www.example.com/bar/oauth2/callback
-            refreshToken: true
-            scopes:
-            - openid
+        security: {}
     readyListener:
       address: 0.0.0.0
       ipFamily: IPv4