3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-06 04:42:56 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/internal/log/authorize.go
Caleb Doxsey 7a6d7c5a3c
config: use stable route ids for authorize matching and order xds responses (#5618) 
## Summary
Update the `RouteID` to use the `policy.ID` if it is set. This makes it
so that updated routes use a stable identifier between updates so if the
envoy control plane is updated before the authorize service's internal
definitions (or vice-versa) the authorize service will still be able to
match the route.

The current behavior results in a 404 if envoy passes the old route id.
The new behavior will result in inconsistency, but it should be quickly
remedied. To help with debugging 4 new fields were added to the
authorize check log. The `route-id` and `route-checksum` as the
authorize sees it and the `envoy-route-id` and `envoy-route-checksum` as
envoy sees it.

I also updated the way we send updates to envoy to try and model their
recommended approach:

> In general, to avoid traffic drop, sequencing of updates should follow
a make before break model, wherein:
> 
> - CDS updates (if any) must always be pushed first.
> - EDS updates (if any) must arrive after CDS updates for the
respective clusters.
> - LDS updates must arrive after corresponding CDS/EDS updates.
> - RDS updates related to the newly added listeners must arrive after
CDS/EDS/LDS updates.
> - VHDS updates (if any) related to the newly added RouteConfigurations
must arrive after RDS updates.
> - Stale CDS clusters and related EDS endpoints (ones no longer being
referenced) can then be removed.

This should help avoid 404s when configuration is being updated.

## Related issues
-
[ENG-2386](https://linear.app/pomerium/issue/ENG-2386/large-number-of-routes-leads-to-404s-and-slowness)

## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-19 10:52:15 -06:00

99 lines
3.9 KiB
Go
Raw Blame History

package log
import (
"errors"
"fmt"
)
// An AuthorizeLogField is a field in the authorize logs.
type AuthorizeLogField string
// known authorize log fields
const (
AuthorizeLogFieldCheckRequestID AuthorizeLogField = "check-request-id"
AuthorizeLogFieldEmail AuthorizeLogField = "email"
AuthorizeLogFieldEnvoyRouteChecksum AuthorizeLogField = "envoy-route-checksum"
AuthorizeLogFieldEnvoyRouteID AuthorizeLogField = "envoy-route-id"
AuthorizeLogFieldHeaders = AuthorizeLogField(headersFieldName)
AuthorizeLogFieldHost AuthorizeLogField = "host"
AuthorizeLogFieldIDToken AuthorizeLogField = "id-token"
AuthorizeLogFieldIDTokenClaims AuthorizeLogField = "id-token-claims"
AuthorizeLogFieldImpersonateEmail AuthorizeLogField = "impersonate-email"
AuthorizeLogFieldImpersonateSessionID AuthorizeLogField = "impersonate-session-id"
AuthorizeLogFieldImpersonateUserID AuthorizeLogField = "impersonate-user-id"
AuthorizeLogFieldIP AuthorizeLogField = "ip"
AuthorizeLogFieldMethod AuthorizeLogField = "method"
AuthorizeLogFieldPath AuthorizeLogField = "path"
AuthorizeLogFieldQuery AuthorizeLogField = "query"
AuthorizeLogFieldRemovedGroupsCount AuthorizeLogField = "removed-groups-count"
AuthorizeLogFieldRequestID AuthorizeLogField = "request-id"
AuthorizeLogFieldRouteChecksum AuthorizeLogField = "route-checksum"
AuthorizeLogFieldRouteID AuthorizeLogField = "route-id"
AuthorizeLogFieldServiceAccountID AuthorizeLogField = "service-account-id"
AuthorizeLogFieldSessionID AuthorizeLogField = "session-id"
AuthorizeLogFieldUser AuthorizeLogField = "user"
)
// DefaultAuthorizeLogFields are the fields to log by default.
var DefaultAuthorizeLogFields = []AuthorizeLogField{
AuthorizeLogFieldRequestID,
AuthorizeLogFieldCheckRequestID,
AuthorizeLogFieldMethod,
AuthorizeLogFieldPath,
AuthorizeLogFieldHost,
AuthorizeLogFieldIP,
AuthorizeLogFieldSessionID,
AuthorizeLogFieldImpersonateSessionID,
AuthorizeLogFieldImpersonateUserID,
AuthorizeLogFieldImpersonateEmail,
AuthorizeLogFieldRemovedGroupsCount,
AuthorizeLogFieldServiceAccountID,
AuthorizeLogFieldUser,
AuthorizeLogFieldEmail,
AuthorizeLogFieldEnvoyRouteChecksum,
AuthorizeLogFieldEnvoyRouteID,
AuthorizeLogFieldRouteChecksum,
AuthorizeLogFieldRouteID,
}
// ErrUnknownAuthorizeLogField indicates that an authorize log field is unknown.
var ErrUnknownAuthorizeLogField = errors.New("unknown authorize log field")
var authorizeLogFieldLookup = map[AuthorizeLogField]struct{}{
AuthorizeLogFieldCheckRequestID: {},
AuthorizeLogFieldEmail: {},
AuthorizeLogFieldEnvoyRouteChecksum: {},
AuthorizeLogFieldEnvoyRouteID: {},
AuthorizeLogFieldHeaders: {},
AuthorizeLogFieldHost: {},
AuthorizeLogFieldIDToken: {},
AuthorizeLogFieldIDTokenClaims: {},
AuthorizeLogFieldImpersonateEmail: {},
AuthorizeLogFieldImpersonateSessionID: {},
AuthorizeLogFieldImpersonateUserID: {},
AuthorizeLogFieldIP: {},
AuthorizeLogFieldMethod: {},
AuthorizeLogFieldPath: {},
AuthorizeLogFieldQuery: {},
AuthorizeLogFieldRemovedGroupsCount: {},
AuthorizeLogFieldRequestID: {},
AuthorizeLogFieldRouteChecksum: {},
AuthorizeLogFieldRouteID: {},
AuthorizeLogFieldServiceAccountID: {},
AuthorizeLogFieldSessionID: {},
AuthorizeLogFieldUser: {},
}
// Validate returns an error if the authorize log field is invalid.
func (field AuthorizeLogField) Validate() error {
if _, ok := GetHeaderField(field); ok {
return nil
}
_, ok := authorizeLogFieldLookup[field]
if !ok {
return fmt.Errorf("%w: %s", ErrUnknownAuthorizeLogField, field)
}
return nil
}
Reference in a new issue View git blame Copy permalink