argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Extension proxy auth fails when using destination name in ArgoCD Application #19337

Open akselleirv opened 3 months ago

akselleirv commented 3 months ago

Describe the bug

The ArgoCD extension proxy fails to authorize requests when the .spec.destination.name is set in the Application spec instead of .spec.destination.server. The expected behavior is for the extension proxy to function correctly regardless of whether the destination is specified by name or server URL.

To Reproduce

1. Start argocd with this values.yaml file and port-forward the server to 8080:

```yaml
configs:
  secret:
    argocdServerAdminPassword: "$2a$10$mWjmCkKmoiGm1EF8FzWPS.ikz1F2S/h/1lE5R.GuyhXlYeqkhruTy" # admin
  params:
    server.enable.proxy.extension: "true"
  cm:
    extension.config: |
      extensions:
        - name: exta
          backend:
            services:
              - url: http://argocd-server-metrics.argocd.svc:8083
        - name: extb
          backend:
            services:
              - url: http://argocd-server-metrics.argocd.svc:8083
  rbac:
    "policy.csv": |
      p, admin, extensions, invoke, exta, allow
      p, admin, extensions, invoke, extb, allow
server:
  extensions:
    enabled: true
  metrics:
    enabled: true
```

2. Add an ArgoCD application:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: helm-guestbook
  namespace: argocd
spec:
  destination:
    namespace: default
    name: in-cluster
  project: default
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    targetRevision: HEAD
    path: helm-guestbook
    helm:
      releaseName: helm-guestbook
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - FailOnSharedResource=true
```

3. Log in and get the cookie from the network tab.

4. Send a request to the extension proxy, replacing the example cookie with your cookie:

```bash
curl --location --request GET 'https://localhost:8080/extensions/exta/metrics' \
--header 'Cookie: argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcmdvY2QiLCJzdWIiOiJhZG1pbjpsb2dpbiIsImV4cCI6MTcyMjYwMjA4MSwibmJmIjoxNzIyNTE1NjgxLCJpYXQiOjE3MjI1MTU2ODEsImp0aSI6IjE0MjkyMGU2LTQ1NzgtNDE4ZS1hN2EzLTQxZjY4NzBjMDFiZCJ9.ZdnolCIq3rbq5BVyRyWH1w-ercf346Nn_AgX4vOIvVc' \
--header 'argocd-project-name: default' \
--header 'argocd-application-name: argocd:helm-guestbook' \
--insecure

# outputs: "Unauthorized extension request"
```

5. Remove the .spec.destination.name and set .spec.destination.server to https://kubernetes.default.svc like:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: helm-guestbook
  namespace: argocd
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    targetRevision: HEAD
    path: helm-guestbook
    helm:
      releaseName: helm-guestbook
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - FailOnSharedResource=true
```

6. Send a new request:

```bash
curl --location --request GET 'https://localhost:8080/extensions/exta/metrics' \
--header 'Cookie: argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhcmdvY2QiLCJzdWIiOiJhZG1pbjpsb2dpbiIsImV4cCI6MTcyMjYwMjA4MSwibmJmIjoxNzIyNTE1NjgxLCJpYXQiOjE3MjI1MTU2ODEsImp0aSI6IjE0MjkyMGU2LTQ1NzgtNDE4ZS1hN2EzLTQxZjY4NzBjMDFiZCJ9.ZdnolCIq3rbq5BVyRyWH1w-ercf346Nn_AgX4vOIvVc' \
--header 'argocd-project-name: default' \
--header 'argocd-application-name: argocd:helm-guestbook' \
--insecure
```

This time we see the expected metrics output, which confirms that we were able to use the extension proxy successfully.

Expected behavior

The extension proxy should work when .spec.destination.name is set in the Application instead of .spec.destination.server.

Version

argocd:v2.11.7

Logs

From the argocd server:

unauthorized extension request: the provided project is not allowed to access the cluster configured in the Application destination

Which points to:

My guess is that the destination server name must be set before passing it to proj.IsDestinationPermitted?
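As an added example (not code from this issue or from Argo CD itself), the Go sketch below models the ordering problem the report points at: a project destination check that only consults the server pattern when the Application's server URL is set rejects a name-only destination, unless the cluster name is resolved to its server URL before the check runs. The type names, the pattern rules and the cluster map are simplified assumptions, not Argo CD's own API.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified model, not Argo CD's own types: an Application names its cluster
// by server URL or by cluster name; a project destination entry holds patterns
// ("*" or "prefix*" is a wildcard, "" matches nothing).
type ApplicationDestination struct{ Server, Name, Namespace string }
type ProjectDestination struct{ Server, Name, Namespace string }

// clusterServers is constructed sample data standing in for the cluster
// secrets Argo CD keeps (cluster name -> API server URL).
var clusterServers = map[string]string{"in-cluster": "https://kubernetes.default.svc"}

func globMatch(pattern, value string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, strings.TrimSuffix(pattern, "*"))
	}
	return pattern != "" && pattern == value
}

// isDestinationPermitted models the project check: the server pattern counts
// only when dst.Server is set and the name pattern only when dst.Name is set,
// so a name-only Application fails against a project listing only server: "*".
func isDestinationPermitted(projDests []ProjectDestination, dst ApplicationDestination) bool {
	for _, pd := range projDests {
		serverOK := dst.Server != "" && globMatch(pd.Server, dst.Server)
		nameOK := dst.Name != "" && globMatch(pd.Name, dst.Name)
		if (serverOK || nameOK) && globMatch(pd.Namespace, dst.Namespace) {
			return true
		}
	}
	return false
}

// resolveDestination fills Server from Name: the step the report suggests
// must run before the proxy calls the permission check.
func resolveDestination(dst ApplicationDestination) (ApplicationDestination, error) {
	if dst.Server == "" && dst.Name != "" {
		server, ok := clusterServers[dst.Name]
		if !ok {
			return dst, fmt.Errorf("cluster %q is not registered", dst.Name)
		}
		dst.Server = server
	}
	return dst, nil
}
```

Calling resolveDestination first and only then isDestinationPermitted is the ordering that makes the name-only and server-URL forms of the Application behave the same.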

andrii-korotkov-verkada commented 5 days ago

I hope the password and token from the descriptions are no longer valid.

akselleirv commented 5 days ago

> I hope the password and token from the descriptions are no longer valid.

No, and it was only valid for an instance running locally on my machine.