rbac: add matching range of destination ports #17356
@@ -163,6 +163,19 @@ class PortMatcher : public Matcher { | |||||||||||||||||||||||||
| const uint32_t port_; | ||||||||||||||||||||||||||
| }; | ||||||||||||||||||||||||||
| class PortRangeMatcher : public Matcher { | ||||||||||||||||||||||||||
| public: | ||||||||||||||||||||||||||
| PortRangeMatcher(const ::envoy::type::v3::Int32Range& range) | ||||||||||||||||||||||||||
| : start_(range.start()), end_(range.end()) {} | ||||||||||||||||||||||||||
Member: Arguably we should reject negative and OOB values here for ports.
Contributor (author): To validate the range of ports, we had better add a validation rule in the RBAC proto:
envoy/api/envoy/config/rbac/v3/rbac.proto, lines 189 to 190 in f97bdf1
But the type
In addition:
envoy/api/envoy/config/listener/v3/listener_components.proto, lines 330 to 332 in f97bdf1
envoy/source/common/network/filter_matcher.h, lines 40 to 46 in f97bdf1
So I think maybe we do not have to add a check?
Member: Yes, this is a limit of PGV annotations and proto typing; I don't think it can be done cleanly at the proto annotation level. I think both
| bool matches(const Network::Connection&, const Envoy::Http::RequestHeaderMap&, | ||||||||||||||||||||||||||
| const StreamInfo::StreamInfo& info) const override; | ||||||||||||||||||||||||||
| private: | ||||||||||||||||||||||||||
| const uint32_t start_; | ||||||||||||||||||||||||||
| const uint32_t end_; | ||||||||||||||||||||||||||
| }; | ||||||||||||||||||||||||||
| /** | ||||||||||||||||||||||||||
| * Matches the principal name as described in the peer certificate. Uses the URI SAN first. If that | ||||||||||||||||||||||||||
| * field is not present, uses the subject instead. | ||||||||||||||||||||||||||
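Review bot: the constructor `PortRangeMatcher(const ::envoy::type::v3::Int32Range& range) : start_(range.start()), end_(range.end()) {}` narrows two signed `int32` proto fields into `const uint32_t start_` / `const uint32_t end_` with no check, so a negative or out-of-range bound is not rejected but wraps: with the inclusive-start, exclusive-end comparison the tests on this page expect, a negative `end` becomes a huge unsigned value and the rule matches every destination port, while a negative `start` matches none. Since the thread above concludes that PGV cannot express this cleanly, validate here (reject start < 0, end > 65536 and start >= end, or at minimum clamp and log) rather than leaving it to the cast. Also add a `/** ... */` comment above the class, as the neighbouring matcher has, stating the half-open [start, end) semantics so callers do not have to infer them from the tests.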
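The narrowing that the review thread above is concerned about, shown as an added example that is not part of this PR or of Envoy. `Int32Range` is a constructed stand-in with only the `start` and `end` fields (assumption), `UncheckedPortRangeMatcher` builds its members the way the PR's constructor does, and `CheckedPortRangeMatcher` is a hypothetical hardened variant. The half-open [start, end) comparison is an assumption taken from the test expectations on this page (456 matches 456..789 but not 123..456); the PR's own `matches()` body is not visible here.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Constructed stand-in for envoy::type::v3::Int32Range: only the two fields the
// matcher reads. Assumption made for this example; not Envoy's generated class.
struct Int32Range {
  int32_t start;
  int32_t end;
};

// Mirrors the PR's constructor: the signed proto fields are narrowed into
// uint32_t members with no range check. The comparison is half-open [start, end),
// which is what the test expectations on this page imply (assumption).
class UncheckedPortRangeMatcher {
public:
  explicit UncheckedPortRangeMatcher(const Int32Range& range)
      : start_(range.start), end_(range.end) {} // implicit int32 -> uint32 wrap
  bool matchesPort(uint32_t port) const { return port >= start_ && port < end_; }
  uint32_t start() const { return start_; }
  uint32_t end() const { return end_; }

private:
  const uint32_t start_;
  const uint32_t end_;
};

// Hypothetical hardened variant (example code, not the project's): rejects the
// values the reviewer flags, negatives and anything outside the 16-bit port
// space, plus empty or inverted ranges, before the narrowing conversion happens.
class CheckedPortRangeMatcher {
public:
  explicit CheckedPortRangeMatcher(const Int32Range& range)
      : CheckedPortRangeMatcher(validated(range), Validated{}) {}
  bool matchesPort(uint32_t port) const { return port >= start_ && port < end_; }

private:
  struct Validated {};
  CheckedPortRangeMatcher(const Int32Range& ok, Validated)
      : start_(static_cast<uint32_t>(ok.start)), end_(static_cast<uint32_t>(ok.end)) {}

  static const Int32Range& validated(const Int32Range& r) {
    if (r.start < 0 || r.end < 0) {
      throw std::invalid_argument("port range bounds must not be negative");
    }
    // end is exclusive, so 65536 is the largest meaningful end value.
    if (r.start > 65535 || r.end > 65536) {
      throw std::invalid_argument("port range bounds exceed the 16-bit port space");
    }
    if (r.start >= r.end) {
      throw std::invalid_argument("port range is empty or inverted");
    }
    return r;
  }

  const uint32_t start_;
  const uint32_t end_;
};

// True when every port 0..65535 matches, i.e. the rule has degraded to "any port".
bool uncheckedMatchesEveryPort(int32_t start, int32_t end) {
  UncheckedPortRangeMatcher m(Int32Range{start, end});
  for (uint32_t port = 0; port <= 65535; ++port) {
    if (!m.matchesPort(port)) {
      return false;
    }
  }
  return true;
}

// True when the hardened constructor refuses the range.
bool checkedRejects(int32_t start, int32_t end) {
  try {
    CheckedPortRangeMatcher m(Int32Range{start, end});
    (void)m;
    return false;
  } catch (const std::invalid_argument&) {
    return true;
  }
}

int main() {
  // A rule written as "ports 0 to -1" (a typo, or an untrusted config source)
  // silently becomes 0..4294967295 and therefore allows every destination port.
  std::printf("unchecked {0,-1}: end=%u, matches every port: %d\n",
              UncheckedPortRangeMatcher(Int32Range{0, -1}).end(),
              uncheckedMatchesEveryPort(0, -1));
  std::printf("checked {0,-1} rejected: %d\n", checkedRejects(0, -1));
  std::printf("checked {123,789} matches 456: %d\n",
              CheckedPortRangeMatcher(Int32Range{123, 789}).matchesPort(456));
  return 0;
}
```

The failure direction is what matters for an RBAC rule: a bad `end` does not make the permission narrower, it makes it match all ports, so a constructor-time reject (or a PGV rule once the typing allows it) is the safer default.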
@@ -4,6 +4,7 @@ | |
| #include "envoy/config/route/v3/route_components.pb.h" | ||
| #include "envoy/type/matcher/v3/metadata.pb.h" | ||
| #include "source/common/network/address_impl.h" | ||
| #include "source/common/network/utility.h" | ||
| #include "source/extensions/filters/common/expr/evaluator.h" | ||
| #include "source/extensions/filters/common/rbac/matchers.h" | ||
@@ -101,6 +102,15 @@ TEST(OrMatcher, Permission_Set) { | |
| checkMatcher(RBAC::OrMatcher(set), false, conn, headers, info); | ||
| perm = set.add_rules(); | ||
| envoy::type::v3::Int32Range range; | ||
| range.set_start(123); | ||
| range.set_end(456); | ||
| perm->mutable_destination_port_range()->set_start(123); | ||
| perm->mutable_destination_port_range()->set_end(456); | ||
Comment on lines +110 to +111
Contributor: nit: why not copy
Contributor (author): That's right. The unused variable has been removed.
| checkMatcher(RBAC::OrMatcher(set), false, conn, headers, info); | ||
| perm = set.add_rules(); | ||
| perm->set_any(true); | ||
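Review bot: the local `envoy::type::v3::Int32Range range;` with `range.set_start(123); range.set_end(456);` is never used; the permission is populated separately through `perm->mutable_destination_port_range()->set_start(123)` and `->set_end(456)`. Either drop those three lines or pass the message through (`perm->mutable_destination_port_range()->CopyFrom(range);`) so the bounds live in one place and cannot drift apart.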
@@ -233,6 +243,38 @@ TEST(PortMatcher, PortMatcher) { | |
| checkMatcher(PortMatcher(456), false, conn, headers, info); | ||
| } | ||
| TEST(PortRangeMatcher, PortRangeMatcher) { | ||
Contributor: Please add a short comment stating what the test validates.
Contributor (author): OK, comment added.
| Envoy::Network::MockConnection conn; | ||
| Envoy::Http::TestRequestHeaderMapImpl headers; | ||
| NiceMock<StreamInfo::MockStreamInfo> info; | ||
| Envoy::Network::Address::InstanceConstSharedPtr addr = | ||
| Envoy::Network::Utility::parseInternetAddress("1.2.3.4", 456, false); | ||
| info.downstream_address_provider_->setLocalAddress(addr); | ||
| envoy::type::v3::Int32Range range; | ||
| range.set_start(123); | ||
| range.set_end(789); | ||
| checkMatcher(PortRangeMatcher(range), true, conn, headers, info); | ||
| range.set_start(456); | ||
| range.set_end(789); | ||
| checkMatcher(PortRangeMatcher(range), true, conn, headers, info); | ||
| range.set_start(123); | ||
| range.set_end(456); | ||
| checkMatcher(PortRangeMatcher(range), false, conn, headers, info); | ||
| range.set_start(12); | ||
| range.set_end(34); | ||
| checkMatcher(PortRangeMatcher(range), false, conn, headers, info); | ||
| NiceMock<StreamInfo::MockStreamInfo> info2; | ||
| Envoy::Network::Address::InstanceConstSharedPtr addr2 = | ||
| std::make_shared<const Envoy::Network::Address::PipeInstance>("test"); | ||
| info2.downstream_address_provider_->setLocalAddress(addr2); | ||
| checkMatcher(PortRangeMatcher(range), false, conn, headers, info2); | ||
| } | ||
| TEST(AuthenticatedMatcher, uriSanPeerCertificate) { | ||
| Envoy::Network::MockConnection conn; | ||
| auto ssl = std::make_shared<Ssl::MockConnectionInfo>(); | ||
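Review bot: the pairs `range.set_start(456); range.set_end(789);` (expected true) and `range.set_start(123); range.set_end(456);` (expected false) against local port 456 are the only place the inclusive-start, exclusive-end semantics are recorded, and the test body carries no comment saying so; add the one-line comment requested above and cases for an empty or inverted range (for example start 456, end 456, and start 789, end 123) and for a negative bound, so the narrowing discussed on the header hunk is pinned by an assertion rather than by the cast. The `PipeInstance` case with `info2` correctly covers a non-IP local address and should stay.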