From cf3188c6da8b3638f79316e87a97abfab36cd1f2 Mon Sep 17 00:00:00 2001 From: alyssawilk Date: Tue, 18 Jun 2024 13:39:20 -0400 Subject: [PATCH] runtime: removing oauth_use_standard_max_age_value (#34687) Signed-off-by: Alyssa Wilk Signed-off-by: Neal Soni
---
 changelogs/current.yaml | 3 ++ source/common/runtime/runtime_features.cc | 1 - .../extensions/filters/http/oauth2/filter.cc | 7 +--- .../filters/http/oauth2/filter_test.cc | 40 ------------------- 4 files changed, 4 insertions(+), 47 deletions(-)
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
index a733d862e644b..6ef3620a59815 100644
--- a/changelogs/current.yaml
+++ b/changelogs/current.yaml
@@ -191,6 +191,9 @@ removed_config_or_runtime:
 - area: tls
 change: |
 Removed ``envoy.reloadable_features.enable_intermediate_ca`` runtime flag and lagacy code paths.
+- area: oauth
+ change: |
+ Removed ``envoy.reloadable_features.oauth_use_standard_max_age_value`` runtime flag and lagacy code paths.
 - area: http
 change: |
 Removed ``envoy.reloadable_features.use_cluster_cache_for_alt_protocols_filter`` runtime flag and lagacy code paths.
diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
index ff97705bdcde6..a3da94fba541d 100644
--- a/source/common/runtime/runtime_features.cc
+++ b/source/common/runtime/runtime_features.cc
@@ -66,7 +66,6 @@ RUNTIME_GUARD(envoy_reloadable_features_immediate_response_use_filter_mutation_r
 RUNTIME_GUARD(envoy_reloadable_features_no_downgrade_to_canonical_name);
 RUNTIME_GUARD(envoy_reloadable_features_no_extension_lookup_by_name);
 RUNTIME_GUARD(envoy_reloadable_features_normalize_host_for_preresolve_dfp_dns);
-RUNTIME_GUARD(envoy_reloadable_features_oauth_use_standard_max_age_value);
 RUNTIME_GUARD(envoy_reloadable_features_oauth_use_url_encoding);
 RUNTIME_GUARD(envoy_reloadable_features_original_dst_rely_on_idle_timeout);
 RUNTIME_GUARD(envoy_reloadable_features_proxy_status_mapping_more_core_response_flags);
diff --git a/source/extensions/filters/http/oauth2/filter.cc b/source/extensions/filters/http/oauth2/filter.cc
index dda635f733494..f8841ecf4619c 100644
--- a/source/extensions/filters/http/oauth2/filter.cc
+++ b/source/extensions/filters/http/oauth2/filter.cc
@@ -670,12 +670,7 @@ void OAuth2Filter::onRefreshAccessTokenFailure() {
 void OAuth2Filter::addResponseCookies(Http::ResponseHeaderMap& headers, const std::string& encoded_token) const {
 std::string max_age;
- if (Runtime::runtimeFeatureEnabled(
- "envoy.reloadable_features.oauth_use_standard_max_age_value")) {
- max_age = expires_in_;
- } else {
- max_age = new_expires_;
- }
+ max_age = expires_in_;
 // We use HTTP Only cookies.
 const std::string cookie_tail_http_only = fmt::format(CookieTailHttpOnlyFormatString, max_age);
diff --git a/test/extensions/filters/http/oauth2/filter_test.cc b/test/extensions/filters/http/oauth2/filter_test.cc
index 5c889533ee3c1..5cdbf0e18cd45 100644
--- a/test/extensions/filters/http/oauth2/filter_test.cc
+++ b/test/extensions/filters/http/oauth2/filter_test.cc
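Review bot: In addResponseCookies the surviving `std::string max_age;` followed by `max_age = expires_in_;` is a leftover of the removed branch: it default-constructs a string and then copy-assigns it on every call. A single `const std::string& max_age = expires_in_;` (or passing `expires_in_` directly to `fmt::format`) keeps the behaviour without the copy. Since Max-Age is a lifetime in seconds (RFC 6265) and `new_expires_` appears to hold a different kind of value, I would also add a one-line comment such as `// Max-Age is a delta in seconds, so it must come from expires_in_, not new_expires_.` so a later edit does not hand the session cookies a lifetime longer than the token's. The body of addResponseCookies continues past the end of the hunk, so whether `new_expires_` is still read elsewhere cannot be checked from here.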
@@ -1793,46 +1793,6 @@ TEST_F(OAuth2Test, OAuthAccessTokenSucessWithTokensUseRefreshTokenAndNoExpClaimI
 std::chrono::seconds(600));
 }
-TEST_F(OAuth2Test, OAuthAccessTokenSucessWithTokens_oauth_use_standard_max_age_value) {
- TestScopedRuntime scoped_runtime;
- scoped_runtime.mergeValues({
- {"envoy.reloadable_features.oauth_use_standard_max_age_value", "false"},
- });
-
- oauthHMAC = "/Dcdntz/d3PMuU4EQ4qdmxFRa3SSDds1OIoLN4TfnoM=;";
-
- // Set SystemTime to a fixed point so we get consistent HMAC encodings between test runs.
- test_time_.setSystemTime(SystemTime(std::chrono::seconds(0)));
-
- // host_ must be set, which is guaranteed (ASAN).
- Http::TestRequestHeaderMapImpl request_headers{
- {Http::Headers::get().Host.get(), "traffic.example.com"},
- {Http::Headers::get().Path.get(), "/_signout"},
- {Http::Headers::get().Method.get(), Http::Headers::get().MethodValues.Get},
- };
- filter_->decodeHeaders(request_headers, false);
-
- // Expected response after the callback is complete.
- Http::TestRequestHeaderMapImpl expected_headers{
- {Http::Headers::get().Status.get(), "302"},
- {Http::Headers::get().SetCookie.get(),
- "OauthHMAC=" + oauthHMAC + "path=/;Max-Age=600;secure;HttpOnly"},
- {Http::Headers::get().SetCookie.get(), "OauthExpires=600;path=/;Max-Age=600;secure;HttpOnly"},
- {Http::Headers::get().SetCookie.get(),
- "BearerToken=access_code;path=/;Max-Age=600;secure;HttpOnly"},
- {Http::Headers::get().SetCookie.get(),
- "IdToken=some-id-token;path=/;Max-Age=600;secure;HttpOnly"},
- {Http::Headers::get().SetCookie.get(),
- "RefreshToken=some-refresh-token;path=/;Max-Age=600;secure;HttpOnly"},
- {Http::Headers::get().Location.get(), ""},
- };
-
- EXPECT_CALL(decoder_callbacks_, encodeHeaders_(HeaderMapEqualRef(&expected_headers), true));
-
- filter_->onGetAccessTokenSuccess("access_code", "some-id-token", "some-refresh-token",
- std::chrono::seconds(600));
-}
-
 TEST_F(OAuth2Test, OAuthBearerTokenFlowFromHeader) {
 Http::TestRequestHeaderMapImpl request_headers{
{Http::Headers::get().Path.get(), "/test?role=bearer"},