envoyproxy · mattklein123 · Sep 29, 2021 · Jul 23, 2021 · Aug 11, 2021 · Aug 12, 2021
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -108,6 +108,7 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/common/fault @rshriram @alyssawilk
 /*/extensions/filters/http/grpc_json_transcoder @qiwzhang @lizan
 /*/extensions/filters/http/router @alyssawilk @mattklein123 @snowp
+/*/extensions/filters/common/rbac/matchers @conqerAtapple @ggreenway @alyssawilk
 /*/extensions/filters/http/grpc_web @fengli79 @lizan
 /*/extensions/filters/http/grpc_stats @kyessenov @lizan
 /*/extensions/filters/common/original_src @klarose @snowp

diff --git a/api/BUILD b/api/BUILD
@@ -201,6 +201,7 @@ proto_library(
         "//envoy/extensions/quic/crypto_stream/v3:pkg",
         "//envoy/extensions/quic/proof_source/v3:pkg",
         "//envoy/extensions/rate_limit_descriptors/expr/v3:pkg",
+        "//envoy/extensions/rbac/matchers/upstream_ip_port/v3:pkg",
         "//envoy/extensions/request_id/uuid/v3:pkg",
         "//envoy/extensions/resource_monitors/fixed_heap/v3:pkg",
         "//envoy/extensions/resource_monitors/injected_resource/v3:pkg",

diff --git a/api/envoy/config/rbac/v3/rbac.proto b/api/envoy/config/rbac/v3/rbac.proto
@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.config.rbac.v3;
 
 import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/config/route/v3/route_components.proto";
 import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/path.proto";
@@ -146,7 +147,7 @@ message Policy {
 }
 
 // Permission defines an action (or actions) that a principal can take.
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message Permission {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";
 
@@ -218,6 +219,10 @@ message Permission {
     // Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
     // setup SNI.
     type.matcher.v3.StringMatcher requested_server_name = 9;
+
+    // Extension for configuring custom matchers for RBAC.
+    // [#extension-category: envoy.rbac.matchers]
+    core.v3.TypedExtensionConfig matcher = 12;
   }
 }
 

diff --git a/api/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto b/api/envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto
@@ -27,6 +27,12 @@ message FilterConfig {
   // <envoy_v3_api_field_extensions.clusters.dynamic_forward_proxy.v3.ClusterConfig.dns_cache_config>`.
   common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 1
       [(validate.rules).message = {required: true}];
+
+  // When this flag is set, the filter will add the resolved upstream address in the filter
+  // state. The state should be saved with key
+  // `envoy.stream.upstream_address` (See
+  // :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`).
+  bool save_upstream_address = 2;
 }
 
 // Per route Configuration for the dynamic forward proxy HTTP filter.

diff --git a/api/envoy/extensions/rbac/matchers/upstream_ip_port/v3/BUILD b/api/envoy/extensions/rbac/matchers/upstream_ip_port/v3/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "//envoy/type/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/api/envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto b/api/envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto
@@ -0,0 +1,35 @@
+syntax = "proto3";
+
+package envoy.extensions.rbac.matchers.upstream_ip_port.v3;
+
+import "envoy/config/core/v3/address.proto";
+import "envoy/type/v3/range.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.rbac.matchers.upstream_ip_port.v3";
+option java_outer_classname = "UpstreamIpPortMatcherProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: RBAC upstream IP and port matcher plugin]
+// [#extension: envoy.rbac.matchers.upstream_ip_port]
+
+// This is configuration for matching upstream ip and port.
+// Note that although both fields are optional, at least one of IP or port must be supplied. If only
+// one is supplied the other is a wildcard match.
+// This matcher requires a filter in the chain to have saved the upstream address in the
+// filter state before the matcher is executed by RBAC filter. The state should be saved with key
+// `envoy.stream.upstream_address` (See
+// :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`).
+// Also, See :repo:`proxy_filter.cc<
+// source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc>` for an example of a
+// filter which populates the FilterState.
+message UpstreamIpPortMatcher {
+  // A CIDR block that will be used to match the upstream IP.
+  // Both Ipv4 and Ipv6 ranges can be matched.
+  config.core.v3.CidrRange upstream_ip = 1;
+
+  // A port range that will be used to match the upstream port.
+  type.v3.Int64Range upstream_port_range = 2;
+}
diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -153,6 +153,7 @@ proto_library(
         "//envoy/extensions/quic/crypto_stream/v3:pkg",
         "//envoy/extensions/quic/proof_source/v3:pkg",
         "//envoy/extensions/rate_limit_descriptors/expr/v3:pkg",
+        "//envoy/extensions/rbac/matchers/upstream_ip_port/v3:pkg",
         "//envoy/extensions/request_id/uuid/v3:pkg",
         "//envoy/extensions/resource_monitors/fixed_heap/v3:pkg",
         "//envoy/extensions/resource_monitors/injected_resource/v3:pkg",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -877,6 +877,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
             "envoy.filters.network.rbac",
             "envoy.filters.network.wasm",
             "envoy.stat_sinks.wasm",
+            "envoy.rbac.matchers.upstream_ip_port",
         ],
         release_date = "2021-06-28",
         cpe = "N/A",
@@ -899,6 +900,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
             "envoy.filters.network.rbac",
             "envoy.filters.network.wasm",
             "envoy.stat_sinks.wasm",
+            "envoy.rbac.matchers.upstream_ip_port",
         ],
         release_date = "2020-04-02",
         cpe = "N/A",

diff --git a/docs/root/api-v3/config/config.rst b/docs/root/api-v3/config/config.rst
@@ -32,3 +32,4 @@ Extensions
   quic/quic_extensions
   formatter/formatter
   contrib/contrib
+  rbac/matchers
diff --git a/docs/root/api-v3/config/rbac/matchers.rst b/docs/root/api-v3/config/rbac/matchers.rst
@@ -0,0 +1,8 @@
+RBAC Matchers
+=============
+
+.. toctree::
+  :glob:
+  :maxdepth: 2
+
+  matchers/matchers
diff --git a/docs/root/api-v3/config/rbac/matchers/matchers.rst b/docs/root/api-v3/config/rbac/matchers/matchers.rst
@@ -0,0 +1,8 @@
+RBAC Matchers
+===
+
+.. toctree::
+  :glob:
+  :maxdepth: 2
+
+  upstream/upstream
diff --git a/docs/root/api-v3/config/rbac/matchers/upstream/upstream.rst b/docs/root/api-v3/config/rbac/matchers/upstream/upstream.rst
@@ -0,0 +1,8 @@
+Upstream Matchers
+=================
+
+.. toctree::
+  :glob:
+  :maxdepth: 2
+
+  ../../../../extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -122,6 +122,7 @@ New Features
 * matcher: added :ref:`invert <envoy_v3_api_field_type.matcher.v3.MetadataMatcher.invert>` for inverting the match result in the metadata matcher.
 * overload: add a new overload action that resets streams using a lot of memory. To enable the tracking of allocated bytes in buffers that a stream is using we need to configure the minimum threshold for tracking via:ref:`buffer_factory_config <envoy_v3_api_field_config.overload.v3.OverloadManager.buffer_factory_config>`. We have an overload action ``Envoy::Server::OverloadActionNameValues::ResetStreams`` that takes advantage of the tracking to reset the most expensive stream first.
 * rbac: added :ref:`destination_port_range <envoy_v3_api_field_config.rbac.v3.Permission.destination_port_range>` for matching range of destination ports.
+* rbac: added :ref:`matcher<envoy_v3_api_field_config.rbac.v3.Permission.matcher>` along with extension category ``extension_category_envoy.rbac.matchers`` for custom RBAC permission matchers. Added reference implementation for matchers :ref:`envoy.rbac.matchers.upstream_ip_port <extension_envoy.rbac.matchers.upstream_ip_port>`.
 * route config: added :ref:`dynamic_metadata <envoy_v3_api_field_config.route.v3.RouteMatch.dynamic_metadata>` for routing based on dynamic metadata.
 * router: added retry options predicate extensions configured via
   :ref:` <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_options_predicates>`. These

diff --git a/source/common/stream_info/BUILD b/source/common/stream_info/BUILD
@@ -49,3 +49,11 @@ envoy_cc_library(
         "//envoy/stream_info:uint32_accessor_interface",
     ],
 )
+
+envoy_cc_library(
+    name = "upstream_address_lib",
+    hdrs = ["upstream_address.h"],
+    deps = [
+        "//envoy/stream_info:filter_state_interface",
+    ],
+)
diff --git a/source/common/stream_info/upstream_address.h b/source/common/stream_info/upstream_address.h
@@ -0,0 +1,24 @@
+#pragma once
+
+#include "envoy/network/address.h"
+#include "envoy/stream_info/filter_state.h"
+
+#include "absl/container/flat_hash_set.h"
+
+namespace Envoy {
+namespace StreamInfo {
+
+/*
+ * A FilterState object that wraps a network address shared pointer.
+ */
+class UpstreamAddress : public FilterState::Object {
+public:
+  static const std::string& key() {
+    CONSTRUCT_ON_FIRST_USE(std::string, "envoy.stream.upstream_address");
+  }
+
+  Network::Address::InstanceConstSharedPtr address_;
+};
+
+} // namespace StreamInfo
+} // namespace Envoy
diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl
@@ -297,6 +297,12 @@ EXTENSIONS = {
     #
 
     "envoy.key_value.file_based":     "//source/extensions/key_value/file_based:config_lib",
+
+    #
+    # RBAC matchers
+    #
+
+    "envoy.rbac.matchers.upstream_ip_port":     "//source/extensions/filters/common/rbac/matchers:upstream_ip_port_lib",
 }
 
 # These can be changed to ["//visibility:public"], for  downstream builds which

diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml
@@ -704,3 +704,8 @@ envoy.key_value.file_based:
   - envoy.common.key_value
   security_posture: data_plane_agnostic
   status: alpha
+envoy.rbac.matchers.upstream_ip_port:
+  categories:
+  - envoy.rbac.matchers
+  security_posture: unknown
+  status: alpha
diff --git a/source/extensions/filters/common/rbac/BUILD b/source/extensions/filters/common/rbac/BUILD
@@ -22,13 +22,17 @@ envoy_cc_library(
 envoy_cc_library(
     name = "matchers_lib",
     srcs = ["matchers.cc"],
-    hdrs = ["matchers.h"],
+    hdrs = [
+        "matcher_extension.h",
+        "matchers.h",
+    ],
     external_deps = ["abseil_optional"],
     deps = [
         "//envoy/http:header_map_interface",
         "//envoy/network:connection_interface",
         "//source/common/common:assert_lib",
         "//source/common/common:matchers_lib",
+        "//source/common/config:utility_lib",
         "//source/common/http:header_utility_lib",
         "//source/common/network:cidr_range_lib",
         "//source/extensions/filters/common/expr:evaluator_lib",

diff --git a/source/extensions/filters/common/rbac/engine_impl.cc b/source/extensions/filters/common/rbac/engine_impl.cc
@@ -11,7 +11,8 @@ namespace Common {
 namespace RBAC {
 
 RoleBasedAccessControlEngineImpl::RoleBasedAccessControlEngineImpl(
-    const envoy::config::rbac::v3::RBAC& rules, const EnforcementMode mode)
+    const envoy::config::rbac::v3::RBAC& rules,
+    ProtobufMessage::ValidationVisitor& validation_visitor, const EnforcementMode mode)
     : action_(rules.action()), mode_(mode) {
   // guard expression builder by presence of a condition in policies
   for (const auto& policy : rules.policies()) {
@@ -22,7 +23,8 @@ RoleBasedAccessControlEngineImpl::RoleBasedAccessControlEngineImpl(
   }
 
   for (const auto& policy : rules.policies()) {
-    policies_.emplace(policy.first, std::make_unique<PolicyMatcher>(policy.second, builder_.get()));
+    policies_.emplace(policy.first, std::make_unique<PolicyMatcher>(policy.second, builder_.get(),
+                                                                    validation_visitor));
   }
 }
 

diff --git a/source/extensions/filters/common/rbac/engine_impl.h b/source/extensions/filters/common/rbac/engine_impl.h
@@ -28,6 +28,7 @@ enum class EnforcementMode { Enforced, Shadow };
 class RoleBasedAccessControlEngineImpl : public RoleBasedAccessControlEngine, NonCopyable {
 public:
   RoleBasedAccessControlEngineImpl(const envoy::config::rbac::v3::RBAC& rules,
+                                   ProtobufMessage::ValidationVisitor& validation_visitor,
                                    const EnforcementMode mode = EnforcementMode::Enforced);
 
   bool handleAction(const Network::Connection& connection,

diff --git a/source/extensions/filters/common/rbac/matcher_extension.h b/source/extensions/filters/common/rbac/matcher_extension.h
@@ -0,0 +1,57 @@
+#pragma once
+
+#include "envoy/common/pure.h"
+#include "envoy/config/typed_config.h"
+#include "envoy/protobuf/message_validator.h"
+
+#include "source/extensions/filters/common/rbac/matchers.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace Filters {
+namespace Common {
+namespace RBAC {
+
+// Matcher extension factory for RBAC filter. Matchers could be extended to support IP address,
+// header value etc.
+class MatcherExtensionFactory : public Envoy::Config::TypedFactory {
+public:
+  /**
+   * Function to create Matchers from the specified config.
+   * @param config supplies the matcher configuration
+   * @return a new MatcherExtension
+   */
+  virtual MatcherConstSharedPtr create(const Protobuf::Message& config,
+                                       ProtobufMessage::ValidationVisitor& validation_visitor) PURE;
+
+  // @brief the category of the matcher extension type for factory registration.
+  std::string category() const override { return "envoy.rbac.matchers"; }
+};
+
+// Base RBAC matcher extension factory. This facilitates easy creation of matcher extension
+// factories. The factory is templated by:
+//  M: Matcher extension implementation
+//  P: Protobuf definition of the matcher.
+template <typename M, typename P>
+class BaseMatcherExtensionFactory : public Filters::Common::RBAC::MatcherExtensionFactory {
+public:
+  Filters::Common::RBAC::MatcherConstSharedPtr
+  create(const Protobuf::Message& config,
+         ProtobufMessage::ValidationVisitor& validation_visitor) override {
+    const auto& matcher_typed_config =
+        MessageUtil::downcastAndValidate<const envoy::config::core::v3::TypedExtensionConfig&>(
+            config, validation_visitor);
+
+    const auto proto_message = MessageUtil::anyConvert<P>(matcher_typed_config.typed_config());
+
+    return std::make_shared<M>(proto_message);
+  }
+
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique<P>(); }
+};
+
+} // namespace RBAC
+} // namespace Common
+} // namespace Filters
+} // namespace Extensions
+} // namespace Envoy