Validate Headers from API Key Metadata: add configuration flag (#10117)

Co-authored-by: changelog-bot <changelog-bot> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com>
solo-io · Sep 30, 2024 · bcf0e99 · bcf0e99
1 parent 31b7218
commit bcf0e99
Show file tree

Hide file tree

Showing 9 changed files with 1,198 additions and 1,108 deletions.
diff --git a/changelog/v1.18.0-beta24/validate-apikey-data.yaml b/changelog/v1.18.0-beta24/validate-apikey-data.yaml
@@ -0,0 +1,7 @@
+changelog:
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/ext-auth-service/issues/762
+    resolvesIssue: false
+    description: >-
+      Updating extauth APIKey config to add 'skipMetadataValidation', which will allow EE users to turn off data plane valdiation
+      of headers returned by the APIKey service.
diff --git a/...-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md b/...-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
diff --git a/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml b/install/helm/gloo/crds/enterprise.gloo.solo.io_v1_AuthConfig.yaml
@@ -170,6 +170,8 @@ spec:
                           additionalProperties:
                             type: string
                           type: object
+                        skipMetadataValidation:
+                          type: boolean
                       type: object
                     basicAuth:
                       properties:

diff --git a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto
@@ -1166,6 +1166,11 @@ message ApiKeyAuth {
         // to the request.
         bool required = 2;
     }
+
+    // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
+    // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
+    // This validation comes with a performance cost, and can be disabled by setting this field to `true`.
+    bool skip_metadata_validation = 8;
 }
 message K8sSecretApiKeyStorage {
     // Identify all valid API key secrets that match the provided label selector.<br/>
@@ -2118,6 +2123,11 @@ message ExtAuthConfig {
             K8sSecretApiKeyStorage k8s_secret_apikey_storage = 4;
             AerospikeApiKeyStorage aerospike_apikey_storage = 5;
         }
+
+    // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
+    // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
+    // This validation comes with a performance cost, and can be disabled by setting this field to `true`.
+        bool skip_metadata_validation = 6;
     }
 
     message OpaAuthConfig {

diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.clone.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.clone.go
diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.equal.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.equal.go