-
Notifications
You must be signed in to change notification settings - Fork 5.5k
rbac: add support for upstream ip policy. #17645
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from 67 commits
1045f09
f0fd31a
1adb961
dfc6845
746300d
bf98fd5
4b2afa2
5bb36ca
6896019
b8d4be4
5174905
0ee890a
296bc67
3037ac8
060c2bd
a5d607d
df99181
0d1dca1
a37818e
51c82b3
70d7234
6b02593
0a1efa8
d5c9306
8f57013
9d33975
192cc7a
f76d0c9
e07ee7d
951d9e9
bd29b9f
0bcd80c
02c40c4
a6f2ca1
bcc9c5b
469ec05
399afaa
0afea0c
770db03
344a412
fbf1add
5c7be4c
c6d4fdd
812bd25
ad0c2f5
a7d8fd4
8959fad
f152be6
ac87d9d
dee8660
d54b0f5
bc11d45
706322e
3fc48b4
2cbe65d
8eb031b
4ada7b9
3f3577d
aaed4c5
51eb89a
df959de
630be7b
fd0f2f7
82424b1
45ba98a
d3a0a01
c5d5f2a
d1e227b
6486f62
0fb4bf8
0812a31
26dae37
594f3d8
88ae18f
4104388
c027553
3c166dd
20cd653
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. | ||
|
|
||
| load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| api_proto_package( | ||
| deps = [ | ||
| "//envoy/config/core/v3:pkg", | ||
| "//envoy/type/v3:pkg", | ||
| "@com_github_cncf_udpa//udpa/annotations:pkg", | ||
| ], | ||
| ) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| package envoy.extensions.rbac.matchers.upstream_ip_port.v3; | ||
|
|
||
| import "envoy/config/core/v3/address.proto"; | ||
| import "envoy/type/v3/range.proto"; | ||
|
|
||
| import "udpa/annotations/status.proto"; | ||
| import "validate/validate.proto"; | ||
|
|
||
| option java_package = "io.envoyproxy.envoy.extensions.rbac.matchers.upstream_ip_port.v3"; | ||
| option java_outer_classname = "UpstreamIpPortMatcherProto"; | ||
| option java_multiple_files = true; | ||
| option (udpa.annotations.file_status).package_version_status = ACTIVE; | ||
|
|
||
| // [#protodoc-title: RBAC upstream IP matcher plugin] | ||
| // [#extension: envoy.rbac.matchers.upstream_ip_port] | ||
|
|
||
| // This is configuration for matching upstream ip (and port if provided). Port will only be matched | ||
| // if IP match is successful. | ||
| message UpstreamIpPortMatcher { | ||
| // A CIDR block that will be used to match the upstream IP. | ||
| // This matcher requires a filter in the chain to have saved the upstream address in the | ||
| // filter state before the matcher is executed by RBAC filter. The state should be saved with key | ||
| // `envoy.stream.upstream_address` (See | ||
| // :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`). | ||
| // Also, See :repo:`proxy_filter.cc< | ||
| // source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc>` for an example of a | ||
| // filter which populates the FilterState. | ||
| // Both Ipv4 and Ipv6 ranges can be matched. | ||
| config.core.v3.CidrRange upstream_ip = 1 [(validate.rules).message = {required: true}]; | ||
|
|
||
| // A port range that will be used to match the upstream port. | ||
|
mattklein123 marked this conversation as resolved.
|
||
| type.v3.Int64Range upstream_port_range = 2; | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. | ||
|
|
||
| load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| api_proto_package( | ||
| deps = [ | ||
| "//envoy/type/v3:pkg", | ||
| "@com_github_cncf_udpa//udpa/annotations:pkg", | ||
| ], | ||
| ) |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| package envoy.extensions.rbac.matchers.upstream_port.v3; | ||
|
|
||
| import "envoy/type/v3/range.proto"; | ||
|
|
||
| import "udpa/annotations/status.proto"; | ||
| import "validate/validate.proto"; | ||
|
|
||
| option java_package = "io.envoyproxy.envoy.extensions.rbac.matchers.upstream_port.v3"; | ||
| option java_outer_classname = "UpstreamPortMatcherProto"; | ||
| option java_multiple_files = true; | ||
| option (udpa.annotations.file_status).package_version_status = ACTIVE; | ||
|
|
||
| // [#protodoc-title: RBAC upstream port range matcher plugin] | ||
| // [#extension: envoy.rbac.matchers.upstream_port] | ||
|
|
||
| // This is configuration for matching upstream port. | ||
| message UpstreamPortMatcher { | ||
| // A port range that will be used to match the upstream port. | ||
| // This matcher requires a filter in the chain to have saved the upstream address in the | ||
| // filter state before the matcher is executed by RBAC filter. The state should be saved with key | ||
| // `envoy.stream.upstream_address` (See | ||
| // :repo:`upstream_address_set.h<source/common/stream_info/upstream_address_set.h>`). | ||
| // Also, See :repo:`proxy_filter.cc< | ||
| // source/extensions/filters/http/dynamic_forward_proxy/proxy_filter.cc>` for an example of a | ||
| // filter which populates the FilterState. If the key is not found in the filter state, the | ||
| // matcher will evaluate to `false`. | ||
|
htuch marked this conversation as resolved.
Outdated
|
||
| type.v3.Int64Range upstream_port_range = 1 [(validate.rules).message = {required: true}]; | ||
| } | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -31,3 +31,4 @@ Extensions | |
| stat_sinks/stat_sinks | ||
| quic/quic_extensions | ||
| formatter/formatter | ||
| rbac/matchers | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| RBAC Matchers | ||
| ============= | ||
|
|
||
| .. toctree:: | ||
| :glob: | ||
| :maxdepth: 2 | ||
|
|
||
| matchers/matchers |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| RBAC Matchers | ||
| === | ||
|
|
||
| .. toctree:: | ||
| :glob: | ||
| :maxdepth: 2 | ||
|
|
||
| upstream/upstream |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| Upstream Matchers | ||
| ================= | ||
|
|
||
| .. toctree:: | ||
| :glob: | ||
| :maxdepth: 2 | ||
|
|
||
| ../../../../extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto | ||
| ../../../../extensions/rbac/matchers/upstream_port/v3/upstream_port_matcher.proto |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| #pragma once | ||
|
|
||
| #include "envoy/network/address.h" | ||
| #include "envoy/stream_info/filter_state.h" | ||
|
|
||
| #include "absl/container/flat_hash_set.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace StreamInfo { | ||
|
|
||
| /* | ||
| * A FilterState object that wraps a network address shared pointer. | ||
| */ | ||
| class UpstreamAddress : public FilterState::Object { | ||
| public: | ||
| static const std::string& key() { | ||
| CONSTRUCT_ON_FIRST_USE(std::string, "envoy.stream.upstream_address"); | ||
| } | ||
|
|
||
| Network::Address::InstanceConstSharedPtr address_; | ||
| }; | ||
|
|
||
| } // namespace StreamInfo | ||
| } // namespace Envoy |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -297,6 +297,13 @@ EXTENSIONS = { | |
| # | ||
|
|
||
| "envoy.key_value.file_based": "//source/extensions/key_value/file_based:config_lib", | ||
|
|
||
| # | ||
| # RBAC matchers | ||
| # | ||
|
|
||
| "envoy.rbac.matchers.upstream_ip_port": "//source/extensions/filters/common/rbac/matchers:upstream_ip_port_lib", | ||
| "envoy.rbac.matchers.upstream_port": "//source/extensions/filters/common/rbac/matchers:upstream_port_lib", | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think this needs to get removed? Or is this staying to match on ports only? Would it be better to just have a single matcher and allow address to be optional and if so any address will match? So basically either port, address, or both need to be set?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks @mattklein123 . Please let me know if that makes sense.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't really follow. You have port optional in one of them. Why can't address be optional? Logically then shouldn't you have an address only matcher? I would remove the dedicated port matcher and just make a single matcher that requires either to be set or both.
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I was hoping that we can avoid configurations where neither IP or Port are provided. Will change to combine the matchers 👍
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just reject that case in code and I think that will turn out great, thank you. |
||
| } | ||
|
|
||
| # These can be changed to ["//visibility:public"], for downstream builds which | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| #pragma once | ||
|
|
||
| #include "envoy/common/pure.h" | ||
| #include "envoy/config/typed_config.h" | ||
| #include "envoy/protobuf/message_validator.h" | ||
|
|
||
| #include "source/extensions/filters/common/rbac/matchers.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Extensions { | ||
| namespace Filters { | ||
| namespace Common { | ||
| namespace RBAC { | ||
|
|
||
| // Matcher extension factory for RBAC filter. Matchers could be extended to support IP address, | ||
| // header value etc. | ||
| class MatcherExtensionFactory : public Envoy::Config::TypedFactory { | ||
| public: | ||
| /** | ||
| * Function to create Matchers from the specified config. | ||
| * @param config supplies the matcher configuration | ||
| * @return a new MatcherExtension | ||
| */ | ||
| virtual MatcherConstSharedPtr create(const Protobuf::Message& config, | ||
| ProtobufMessage::ValidationVisitor& validation_visitor) PURE; | ||
|
|
||
| // @brief the category of the matcher extension type for factory registration. | ||
| std::string category() const override { return "envoy.rbac.matchers"; } | ||
| }; | ||
|
|
||
| // Base RBAC matcher extension factory. This facilitates easy creation of matcher extension | ||
| // factories. The factory is templated by: | ||
| // M: Matcher extension implementation | ||
| // P: Protobuf definition of the matcher. | ||
| template <typename M, typename P> | ||
| class BaseMatcherExtensionFactory : public Filters::Common::RBAC::MatcherExtensionFactory { | ||
| public: | ||
| Filters::Common::RBAC::MatcherConstSharedPtr | ||
| create(const Protobuf::Message& config, | ||
| ProtobufMessage::ValidationVisitor& validation_visitor) override { | ||
| const auto& matcher_typed_config = | ||
| MessageUtil::downcastAndValidate<const envoy::config::core::v3::TypedExtensionConfig&>( | ||
| config, validation_visitor); | ||
|
Comment on lines
+41
to
+43
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Thanks @lizan .Not sure I follow. Is there an example?
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Lizan I assume MessageUtil::anyConvertAndValidate would do both?
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, but usually |
||
|
|
||
| const auto proto_message = MessageUtil::anyConvert<P>(matcher_typed_config.typed_config()); | ||
|
|
||
| return std::make_shared<M>(proto_message); | ||
| } | ||
|
|
||
| ProtobufTypes::MessagePtr createEmptyConfigProto() override { return std::make_unique<P>(); } | ||
| }; | ||
|
|
||
| } // namespace RBAC | ||
| } // namespace Common | ||
| } // namespace Filters | ||
| } // namespace Extensions | ||
| } // namespace Envoy | ||
Uh oh!
There was an error while loading. Please reload this page.