Policy: Fix auth policies with proxy redirects #37685
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
f2f4397 to
c71ab48
Compare
|
/test |
doniacld
approved these changes
Feb 18, 2025
squeed
reviewed
Feb 18, 2025
squeed
reviewed
Feb 18, 2025
squeed
reviewed
Feb 19, 2025
c71ab48 to
dbc4a52
Compare
|
/test |
4431442 to
68cba00
Compare
|
Added more testing |
|
/test |
squeed
reviewed
Feb 20, 2025
squeed
approved these changes
Feb 20, 2025
Only add a delete into ChangeState if the key was not added on the same round of 'changes'. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Proxy port with a higher precedence should be propagated to a covered entry instead of deleting it, if the covered entry has a different explicit auth type than the covering proxy redirect entry. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
When covered entries with lower proxy port priority have different explicit auth types, the proxy port (and priority) must be propagated to those entries instead of deleting them. Same applies in reverse, when adding an explicit auth entry the proxy port and priority must be propagated from a covering entry with higher priority proxy port, if any. Keep the non-auth policy handling simple by branching to authPreferredInsert early, and take care of deny & higher priority proxy port logic in the same loops with the auth propagation. This required changing 'CoveringKeysWithSameID' and 'SubsetKeysWithSameID' to also iterate keys equal to the 'newKey', so that a deny key would not be overridden by an allow key, for example. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
68cba00 to
7f3d24f
Compare
|
Fixed spelling mistake on the last commit message. |
|
/test |
17 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When covered entries with lower proxy port priority have different explicit auth types, the proxy port (and priority) must be propagated to those entries instead of deleting them. Same applies in reverse, when adding an explicit auth entry the proxy port and priority must be propagated from a covering entry with higher priority proxy port, if any.
Keep the non-auth policy handling simple by branching to authPreferredInsert early, and take care of deny & higher priority proxy port logic in the same loops with the auth propagation. This required changing 'CoveringKeysWithSameID' and 'SubsetKeysWithSameID' to also iterate keys equal to the 'newKey', so that a deny key would not be overridden by an allow key, for example.
Add a new unit test to prevent future regressions.
Fixes: #36056