envoyproxy · mattklein123 · Sep 2, 2021 · Jun 16, 2021 · Jul 2, 2021 · Jul 2, 2021
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -202,3 +202,4 @@ extensions/filters/http/oauth2 @rgs1 @derekargueta @snowp
 /contrib/rocketmq_proxy/ @aaron-ai @lizhanhui @lizan
 /contrib/mysql_proxy/ @rshriram @venilnoronha
 /contrib/postgres_proxy/ @fabriziomello @cpakulski @dio
+/contrib/sxg/ @cpapazian @rgs1 @alyssawilk
diff --git a/api/BUILD b/api/BUILD
@@ -58,6 +58,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//contrib/envoy/extensions/filters/http/squash/v3:pkg",
+        "//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_broker/v3:pkg",
         "//contrib/envoy/extensions/filters/network/mysql_proxy/v3:pkg",
         "//contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha:pkg",

diff --git a/api/contrib/envoy/extensions/filters/http/sxg/v3alpha/BUILD b/api/contrib/envoy/extensions/filters/http/sxg/v3alpha/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/transport_sockets/tls/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/api/contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.proto b/api/contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.proto
@@ -0,0 +1,67 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.sxg.v3alpha;
+
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.sxg.v3alpha";
+option java_outer_classname = "SxgProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Signed HTTP Exchange Filter]
+// SXG :ref:`configuration overview <config_http_filters_sxg>`.
+// [#extension: envoy.filters.http.sxg]
+
+// [#next-free-field: 10]
+message SXG {
+  // The SDS configuration for the public key data for the SSL certificate that will be used to sign the
+  // SXG response.
+  transport_sockets.tls.v3.SdsSecretConfig certificate = 1;
+
+  // The SDS configuration for the private key data for the SSL certificate that will be used to sign the
+  // SXG response.
+  transport_sockets.tls.v3.SdsSecretConfig private_key = 2;
+
+  // The duration for which the generated SXG package will be valid. Default is 604800s (7 days in seconds).
+  // Note that in order to account for clock skew, the timestamp will be backdated by a day. So, if duration
+  // is set to 7 days, that will be 7 days from 24 hours ago (6 days from now). Also note that while 6/7 days
+  // is appropriate for most content, if the downstream service is serving Javascript, or HTML with inline
+  // Javascript, 1 day (so, with backdated expiry, 2 days, or 172800 seconds) is more appropriate.
+  google.protobuf.Duration duration = 3;
+
+  // The SXG response payload is Merkle Integrity Content Encoding (MICE) encoded (specification is [here](https://datatracker.ietf.org/doc/html/draft-thomson-http-mice-03))
+  // This value indicates the record size in the encoded payload. The default value is 4096.
+  uint64 mi_record_size = 4;
+
+  // The URI of certificate CBOR file published. Since it is required that the certificate CBOR file
+  // be served from the same domain as the SXG document, this should be a relative URI.
+  string cbor_url = 5 [(validate.rules).string = {min_len: 1 prefix: "/"}];
+
+  // URL to retrieve validity data for signature, a CBOR map. See specification [here](https://tools.ietf.org/html/draft-yasskin-httpbis-origin-signed-exchanges-impl-00#section-3.6)
+  string validity_url = 6 [(validate.rules).string = {min_len: 1 prefix: "/"}];
+
+  // Header that will be set if it is determined that the client can accept SXG (typically `accept: application/signed-exchange;v=b3)
+  // If not set, filter will default to: `x-client-can-accept-sxg`
+  string client_can_accept_sxg_header = 7 [
+    (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false ignore_empty: true}
+  ];
+
+  // Header set by downstream service to signal that the response should be transformed to SXG If not set,
+  // filter will default to: `x-should-encode-sxg`
+  string should_encode_sxg_header = 8 [
+    (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false ignore_empty: true}
+  ];
+
+  // Headers that will be stripped from the SXG document, by listing a prefix (i.e. `x-custom-` will cause
+  // all headers prefixed by `x-custom-` to be omitted from the SXG document)
+  repeated string header_prefix_filters = 9 [
+    (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+  ];
+}
diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -10,6 +10,7 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//contrib/envoy/extensions/filters/http/squash/v3:pkg",
+        "//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg",
         "//contrib/envoy/extensions/filters/network/kafka_broker/v3:pkg",
         "//contrib/envoy/extensions/filters/network/mysql_proxy/v3:pkg",
         "//contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha:pkg",

diff --git a/bazel/foreign_cc/BUILD b/bazel/foreign_cc/BUILD
@@ -102,6 +102,24 @@ configure_make(
     tags = ["skip_on_windows"],
 )
 
+envoy_cmake_external(
+    name = "libsxg",
+    cache_entries = {
+        "CMAKE_BUILD_TYPE": "Release",
+        "SXG_BUILD_EXECUTABLES": "off",
+        "SXG_BUILD_SHARED": "off",
+        "SXG_BUILD_STATIC": "on",
+        "SXG_WITH_CERT_CHAIN": "off",
+        "RUN_TEST": "off",
+        "CMAKE_INSTALL_LIBDIR": "lib",
+        "CMAKE_TRY_COMPILE_TARGET_TYPE": "STATIC_LIBRARY",
+    },
+    lib_source = "@com_github_google_libsxg//:all",
+    static_libraries = ["libsxg.a"],
+    tags = ["skip_on_windows"],
+    deps = ["@boringssl//:ssl"],
+)
+
 envoy_cmake_external(
     name = "ares",
     cache_entries = {

diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -8,6 +8,7 @@ load("@com_google_googleapis//:repository_rules.bzl", "switched_rules_by_languag
 PPC_SKIP_TARGETS = ["envoy.filters.http.lua"]
 
 WINDOWS_SKIP_TARGETS = [
+    "envoy.filters.http.sxg",
     "envoy.tracers.dynamic_ot",
     "envoy.tracers.lightstep",
     "envoy.tracers.datadog",
@@ -134,6 +135,7 @@ def envoy_dependencies(skip_targets = []):
     _com_github_google_benchmark()
     _com_github_google_jwt_verify()
     _com_github_google_libprotobuf_mutator()
+    _com_github_google_libsxg()
     _com_github_google_tcmalloc()
     _com_github_gperftools_gperftools()
     _com_github_grpc_grpc()
@@ -312,6 +314,17 @@ def _com_github_google_libprotobuf_mutator():
         build_file = "@envoy//bazel/external:libprotobuf_mutator.BUILD",
     )
 
+def _com_github_google_libsxg():
+    external_http_archive(
+        name = "com_github_google_libsxg",
+        build_file_content = BUILD_ALL_CONTENT,
+    )
+
+    native.bind(
+        name = "libsxg",
+        actual = "@envoy//bazel/foreign_cc:libsxg",
+    )
+
 def _com_github_jbeder_yaml_cpp():
     external_http_archive(
         name = "com_github_jbeder_yaml_cpp",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -211,6 +211,19 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         release_date = "2020-11-13",
         use_category = ["test_only"],
     ),
+    com_github_google_libsxg = dict(
+        project_name = "libsxg",
+        project_desc = "Signed HTTP Exchange library",
+        project_url = "https://github.com/google/libsxg",
+        version = "beaa3939b76f8644f6833267e9f2462760838f18",
+        sha256 = "082bf844047a9aeec0d388283d5edc68bd22bcf4d32eb5a566654ae89956ad1f",
+        strip_prefix = "libsxg-{version}",
+        urls = ["https://github.com/google/libsxg/archive/{version}.tar.gz"],
+        use_category = ["other"],
+        extensions = ["envoy.filters.http.sxg"],
+        release_date = "2021-07-08",
+        cpe = "N/A",
+    ),
     com_github_google_tcmalloc = dict(
         project_name = "tcmalloc",
         project_desc = "Fast, multi-threaded malloc implementation",

diff --git a/contrib/contrib_build_config.bzl b/contrib/contrib_build_config.bzl
@@ -5,6 +5,7 @@ CONTRIB_EXTENSIONS = {
     #
 
     "envoy.filters.http.squash":                                "//contrib/squash/filters/http/source:config",
+    "envoy.filters.http.sxg":                                   "//contrib/sxg/filters/http/source:config",
 
     #
     # Network filters

diff --git a/contrib/extensions_metadata.yaml b/contrib/extensions_metadata.yaml
@@ -3,6 +3,11 @@ envoy.filters.http.squash:
   - envoy.filters.http
   security_posture: requires_trusted_downstream_and_upstream
   status: stable
+envoy.filters.http.sxg:
+  categories:
+  - envoy.filters.http
+  security_posture: robust_to_untrusted_downstream
+  status: alpha
 envoy.filters.network.kafka_broker:
   categories:
   - envoy.filters.network
@@ -23,3 +28,4 @@ envoy.filters.network.postgres_proxy:
   - envoy.filters.network
   security_posture: requires_trusted_downstream_and_upstream
   status: stable
+
diff --git a/contrib/sxg/filters/http/source/BUILD b/contrib/sxg/filters/http/source/BUILD
@@ -0,0 +1,47 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_contrib_extension",
+    "envoy_cc_library",
+    "envoy_contrib_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_contrib_package()
+
+envoy_cc_library(
+    name = "sxg_lib",
+    srcs = [
+        "encoder.cc",
+        "filter.cc",
+        "filter_config.cc",
+    ],
+    hdrs = [
+        "encoder.h",
+        "filter.h",
+        "filter_config.h",
+    ],
+    external_deps = ["libsxg"],
+    deps = [
+        "//envoy/server:filter_config_interface",
+        "//source/common/config:datasource_lib",
+        "//source/common/http:codes_lib",
+        "//source/common/stats:symbol_table_lib",
+        "//source/common/stats:utility_lib",
+        "//source/extensions/filters/http/common:pass_through_filter_lib",
+        "@boringssl//:ssl",
+        "@envoy_api//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_contrib_extension(
+    name = "config",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    deps = [
+        ":sxg_lib",
+        "//envoy/registry",
+        "//source/extensions/filters/http/common:factory_base_lib",
+        "@envoy_api//contrib/envoy/extensions/filters/http/sxg/v3alpha:pkg_cc_proto",
+    ],
+)
diff --git a/contrib/sxg/filters/http/source/config.cc b/contrib/sxg/filters/http/source/config.cc
@@ -0,0 +1,71 @@
+#include "contrib/sxg/filters/http/source/config.h"
+
+#include <memory>
+#include <string>
+
+#include "envoy/registry/registry.h"
+#include "envoy/secret/secret_manager.h"
+#include "envoy/secret/secret_provider.h"
+
+#include "source/common/protobuf/utility.h"
+
+#include "contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.pb.h"
+#include "contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.pb.validate.h"
+#include "contrib/sxg/filters/http/source/encoder.h"
+#include "contrib/sxg/filters/http/source/filter.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace SXG {
+
+namespace {
+Secret::GenericSecretConfigProviderSharedPtr
+secretsProvider(const envoy::extensions::transport_sockets::tls::v3::SdsSecretConfig& config,
+                Secret::SecretManager& secret_manager,
+                Server::Configuration::TransportSocketFactoryContext& transport_socket_factory) {
+  if (config.has_sds_config()) {
+    return secret_manager.findOrCreateGenericSecretProvider(config.sds_config(), config.name(),
+                                                            transport_socket_factory);
+  } else {
+    return secret_manager.findStaticGenericSecretProvider(config.name());
+  }
+}
+} // namespace
+
+Http::FilterFactoryCb FilterFactory::createFilterFactoryFromProtoTyped(
+    const envoy::extensions::filters::http::sxg::v3alpha::SXG& proto_config,
+    const std::string& stat_prefix, Server::Configuration::FactoryContext& context) {
+  const auto& certificate = proto_config.certificate();
+  const auto& private_key = proto_config.private_key();
+
+  auto& cluster_manager = context.clusterManager();
+  auto& secret_manager = cluster_manager.clusterManagerFactory().secretManager();
+  auto& transport_socket_factory = context.getTransportSocketFactoryContext();
+  auto secret_provider_certificate =
+      secretsProvider(certificate, secret_manager, transport_socket_factory);
+  if (secret_provider_certificate == nullptr) {
+    throw EnvoyException("invalid certificate secret configuration");
+  }
+  auto secret_provider_private_key =
+      secretsProvider(private_key, secret_manager, transport_socket_factory);
+  if (secret_provider_private_key == nullptr) {
+    throw EnvoyException("invalid private_key secret configuration");
+  }
+
+  auto secret_reader = std::make_shared<SDSSecretReader>(
+      secret_provider_certificate, secret_provider_private_key, context.api());
+  auto config = std::make_shared<FilterConfig>(proto_config, context.timeSource(), secret_reader,
+                                               stat_prefix, context.scope());
+  return [config](Http::FilterChainFactoryCallbacks& callbacks) -> void {
+    const EncoderPtr encoder = std::make_unique<EncoderImpl>(config);
+    callbacks.addStreamFilter(std::make_shared<Filter>(config, encoder));
+  };
+}
+
+REGISTER_FACTORY(FilterFactory, Server::Configuration::NamedHttpFilterConfigFactory);
+
+} // namespace SXG
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy
diff --git a/contrib/sxg/filters/http/source/config.h b/contrib/sxg/filters/http/source/config.h
@@ -0,0 +1,31 @@
+#pragma once
+
+#include <string>
+
+#include "source/extensions/filters/http/common/factory_base.h"
+
+#include "contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.pb.h"
+#include "contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.pb.validate.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace SXG {
+
+class FilterFactory : public Extensions::HttpFilters::Common::FactoryBase<
+                          envoy::extensions::filters::http::sxg::v3alpha::SXG> {
+public:
+  FilterFactory() : FactoryBase("envoy.filters.http.sxg") {}
+
+private:
+  Http::FilterFactoryCb createFilterFactoryFromProtoTyped(
+      const envoy::extensions::filters::http::sxg::v3alpha::SXG& config,
+      const std::string& stats_prefix, Server::Configuration::FactoryContext& context) override;
+};
+
+DECLARE_FACTORY(FilterFactory);
+
+} // namespace SXG
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ CONTRIB_EXTENSIONS = { @@
         #
         "envoy.filters.http.squash":                                "//contrib/squash/filters/http/source:config",
+        "envoy.filters.http.sxg":                                   "//contrib/sxg/filters/http/source:config",
         #
         # Network filters
@@ Expand Down @@