Merge branch 'master' into otel

zalando · Jan 9, 2025 · d69bea1 · d69bea1
2 parents dc33e96 + 8d4721f
commit d69bea1
Show file tree

Hide file tree

Showing 32 changed files with 461 additions and 261 deletions.
diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
@@ -1,4 +1,4 @@
-FROM gcr.io/oss-fuzz-base/base-builder-go@sha256:b3111d8c1f679c67e40b14fd839c5e1c5d0fc2b5bcb08f42c7ac9323599ce308
+FROM gcr.io/oss-fuzz-base/base-builder-go@sha256:9bf7fad8ca02443224c7518392d80c97a62b8cb0822f03aadf9193a7e27346f0
 
 COPY . $SRC/skipper
 COPY ./.clusterfuzzlite/build.sh $SRC/

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -16,6 +16,7 @@ updates:
     ignore:
       - dependency-name: "github.com/open-policy-agent/opa"
       - dependency-name: "github.com/open-policy-agent/opa-envoy-plugin"
+      - dependency-name: "github.com/envoyproxy/go-control-plane"
   - package-ecosystem: "github-actions"
     directory: "/" # For GitHub Actions, set the directory to / to check for workflow files in .github/workflows
     schedule:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
         fetch-depth: 2
 
     - name: Setup Go
-      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
       with:
         go-version: '^1.21'
         check-latest: true

diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -20,7 +20,7 @@ jobs:
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         with:
           python-version: 3.x
-      - uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
+      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
         with:
           key: ${{ github.ref }}
           path: .cache

diff --git a/.github/workflows/gh-packages.yaml b/.github/workflows/gh-packages.yaml
@@ -25,7 +25,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: '^1.21'
@@ -50,7 +50,7 @@ jobs:
         uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'

diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
@@ -13,7 +13,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: "^1.21"

diff --git a/.github/workflows/openssf-scorecard.yaml b/.github/workflows/openssf-scorecard.yaml
@@ -61,7 +61,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: SARIF file
           path: results.sarif

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: "^1.21"
@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
         with:
           # https://www.npmjs.com/package/semver#caret-ranges-123-025-004
           go-version: "^1.21"

diff --git a/docs/reference/filters.md b/docs/reference/filters.md
@@ -115,6 +115,8 @@ Example:
 route1: * -> preserveHost("true") -> "http://backend.example.org";
 ```
 
+Default `proxyPreserveHost` behavior can be configured by `-proxy-preserve-host` flag which is `false` by default.
+
 ### modRequestHeader
 
 Replace all matched regex expressions in the given header.
@@ -3359,16 +3361,26 @@ tracingTag("http.flow_id", "${request.header.X-Flow-Id}")
 
 ### tracingTagFromResponse
 
-This filter works just like [tracingTag](#tracingtag), but is applied after the request was processed. In particular, [template placeholders](#template-placeholders) referencing the response can be used in the parameters.
+This filter works just like [tracingTag](#tracingtag), but is applied after the request was processed.
+In particular, [template placeholders](#template-placeholders) referencing the response can be used in the tag value.
 
 ### tracingTagFromResponseIfStatus
 
-Example: set error tag to true in case response status code is `>= 500` and `<= 599`
+This filter works like [tracingTagFromResponse](#tracingtagfromresponse)
+but only for responses having status code from the specified range.
+
+Example: set error tag to true in case response status code is `>= 500` and `<= 599`:
 
 ```
 tracingTagFromResponseIfStatus("error", "true", 500, 599)
 ```
 
+Example: set user id tag for ratelimited requests:
+
+```
+tracingTagFromResponseIfStatus("user.id", "${request.header.X-User-Id}", 429, 429) -> clusterClientRatelimit("user-id", 10, "1m", "X-User-Id")
+```
+
 
 ### tracingSpanName
 

diff --git a/filters/auth/authclient.go b/filters/auth/authclient.go
@@ -32,6 +32,7 @@ type authClient struct {
 
 type tokeninfoClient interface {
 	getTokeninfo(token string, ctx filters.FilterContext) (map[string]any, error)
+	Close()
 }
 
 var _ tokeninfoClient = &authClient{}

diff --git a/filters/auth/grant.go b/filters/auth/grant.go
@@ -175,11 +175,7 @@ func (f *grantFilter) setupToken(token *oauth2.Token, tokeninfo map[string]inter
 
 	// By piggy-backing on the OIDC token container,
 	// we gain downstream compatibility with the oidcClaimsQuery filter.
-	ctx.StateBag()[oidcClaimsCacheKey] = tokenContainer{
-		OAuth2Token: token,
-		Subject:     subject,
-		Claims:      tokeninfo,
-	}
+	SetOIDCClaims(ctx, tokeninfo)
 
 	// Set the tokeninfo also in the tokeninfoCacheKey state bag, so we
 	// can reuse e.g. the forwardToken() filter.

diff --git a/filters/auth/grant_test.go b/filters/auth/grant_test.go
@@ -210,6 +210,7 @@ func newAuthProxy(t *testing.T, config *auth.OAuthConfig, routes []*eskip.Route,
 	fr.Register(config.NewGrantCallback())
 	fr.Register(config.NewGrantClaimsQuery())
 	fr.Register(config.NewGrantLogout())
+	fr.Register(auth.NewOIDCQueryClaimsFilter())
 
 	pc := proxytest.Config{
 		RoutingOptions: routing.Options{
@@ -331,6 +332,7 @@ func TestGrantFlow(t *testing.T) {
 	config := newGrantTestConfig(tokeninfo.URL, provider.URL)
 
 	routes := eskip.MustParse(`* -> oauthGrant()
+		-> oidcClaimsQuery("/:sub")
 		-> status(204)
 		-> setResponseHeader("Backend-Request-Cookie", "${request.header.Cookie}")
 		-> <shunt>

diff --git a/filters/auth/main_test.go b/filters/auth/main_test.go
@@ -18,11 +18,7 @@ func TestMain(m *testing.M) {
 
 func cleanupAuthClients() {
 	for _, c := range tokeninfoAuthClient {
-		if ac, ok := c.(*authClient); ok {
-			ac.Close()
-		} else if cc, ok := c.(*tokeninfoCache); ok {
-			cc.client.(*authClient).Close()
-		}
+		c.Close()
 	}
 
 	for _, c := range issuerAuthClient {

diff --git a/filters/auth/oidc_introspection.go b/filters/auth/oidc_introspection.go
@@ -42,6 +42,14 @@ func NewOIDCQueryClaimsFilter() filters.Spec {
 	}
 }
 
+// Sets OIDC claims in the state bag.
+// Intended for use with the oidcClaimsQuery filter.
+func SetOIDCClaims(ctx filters.FilterContext, claims map[string]interface{}) {
+	ctx.StateBag()[oidcClaimsCacheKey] = tokenContainer{
+		Claims: claims,
+	}
+}
+
 func (spec *oidcIntrospectionSpec) Name() string {
 	switch spec.typ {
 	case checkOIDCQueryClaims:

diff --git a/filters/auth/tokeninfo.go b/filters/auth/tokeninfo.go
@@ -12,6 +12,7 @@ import (
 	"github.com/opentracing/opentracing-go"
 	"github.com/zalando/skipper/filters"
 	"github.com/zalando/skipper/filters/annotate"
+	"github.com/zalando/skipper/metrics"
 )
 
 const (
@@ -32,9 +33,10 @@ type TokeninfoOptions struct {
 	Timeout      time.Duration
 	MaxIdleConns int
 	Tracer       opentracing.Tracer
+	Metrics      metrics.Metrics
 
 	// CacheSize configures the maximum number of cached tokens.
-	// The cache evicts least recently used items first.
+	// The cache periodically evicts random items when number of cached tokens exceeds CacheSize.
 	// Zero value disables tokeninfo cache.
 	CacheSize int
 
@@ -100,7 +102,7 @@ func (o *TokeninfoOptions) newTokeninfoClient() (tokeninfoClient, error) {
 	}
 
 	if o.CacheSize > 0 {
-		c = newTokeninfoCache(c, o.CacheSize, o.CacheTTL)
+		c = newTokeninfoCache(c, o.Metrics, o.CacheSize, o.CacheTTL)
 	}
 	return c, nil
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -32,6 +32,7 @@ type authClient struct { @@
     type tokeninfoClient interface {
     	getTokeninfo(token string, ctx filters.FilterContext) (map[string]any, error)
+    	Close()
     }
     var _ tokeninfoClient = &authClient{}
@@ Expand Down @@